Information and Communication Technology Governance Strategy and Framework Version: 1.1 Date: 30 April 2013

Information and Communication Technology Governance ... Centre/IT Governance...ISO 38500 and King III added. FSPG INFORMATION AND COMMUNICATION TECHNOLOGY GOVERNANCE STRATEGY AND FRAMEWORK


Information and Communication Technology

Governance Strategy and Framework

Version: 1.1

Date: 30 April 2013


APPROVAL PAGE FSPG INFORMATION AND COMMUNICATION TECHNOLOGY

GOVERNANCE STRATEGY AND FRAMEWORK

CHIEF INFORMATION OFFICER

Date:

DIRECTOR-GENERAL

Date:


DOCUMENT VERSION CONTROL

Date | Author | Version nr. | Revision details
March 2011 | GJPB Willemse, Tel. 051 4055067, [email protected] | Draft 1.0 | Not applicable.
Nov. 2011 / March 2012 | GJPB Willemse, Tel. 051 4055067, [email protected] | 1.1 | Amended to comply with DPSA draft Framework. ISO 38500 and King III added.


FSPG INFORMATION AND COMMUNICATION TECHNOLOGY

GOVERNANCE STRATEGY AND FRAMEWORK

TABLE OF CONTENTS

Page

1. Introduction 1

2. Various Definitions of IT Governance 2

3. DPSA and IT Governance 3-4

4. PGITOC and IT Governance 5

5. Corporate Governance vs IT Governance 6

5.1 Corporate Governance 6-7

5.2 IT Governance 7

6. Corporate Governance in the Public Service 8-9

7. IT Governance in the Public Service 10

8. Enablement of Government Services through IT 11-12

9. Frameworks and Standards Base: King III, ISO 38500 and COBIT 13

10. Principles for the Governance of IT 14-16

11. IT Governance Framework 17-18

12. What IT Governance will deliver and the five IT Governance focus areas 19-21

13. Five IT Governance Decisions Areas (Domains) 22

14. Decision Model and Governance Style 23-24

15. IT Governance Structure and Mechanisms 25

15.1 Governance Matrix (Input and Decision Rights) 26

15.2 Roles and Responsibilities (Accountability Framework) 26-29


TABLE OF CONTENTS (Cont…)

15.3 Governance Map 29

16. IT Governance Processes 30-33

17. IT Policies, Standards and Procedures 34

18. IT Processes 35

19. IT Governance Performance Metrics 36-37

20. Glossary 38-40

FSPG INFORMATION AND COMMUNICATION TECHNOLOGY

GOVERNANCE STRATEGY AND FRAMEWORK [1]

1. Introduction

From relative obscurity a few years ago, several factors have come together to make the concept of formal Information and Communication Technology [2] (ICT, also referred to as IT) Governance a good idea for virtually every organisation, both public and private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders (e.g. the Department of Public Service and Administration (DPSA)) and customers.

IT Governance has been described by Gartner [3] as the effective and efficient management of IT resources to facilitate the achievement of business goals and objectives. Simply put, it is putting structure around how organisations align IT strategy with business strategy, ensuring that organisations stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It ensures that all stakeholders’ interests are taken into account and that processes provide measurable results.

IT does not exist for its own sake within an organisation; it is there to ensure that business achieves sustainable success. IT Governance becomes a management practice for governing the processes and decisions related to the use of IT within the organisation. IT Governance has risen in importance because of the widening gulf between what the business expects and what IT is prepared to deliver. IT has grown to be seen as a cost centre with little direct benefits to the organisation it serves. An IT Governance framework is meant to align IT functions to the business, minimise the risk IT introduces and ensure that there is value in the investment made in IT.

Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an IT Governance framework, many have found it to be an excellent way to ensure regulatory compliance. By implementing IT Governance, the organisation will have the internal controls needed to meet the core guidelines of many of these regulations, such as the Public Services Act (PSA), 1994 (Proclamation Nr. 103 of 1994), the Public Financial Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999) and the State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998 as amended by Act 38 of 2002).

[1] Provincial Government of the Western Cape (2010). Information Technology Governance Strategy. Pages 1-29 (1st of 2 main sources).
[2] Information and Communication Technology (ICT): Commonly known as Information Technology and also referred to as IT.
[3] The Gartner Group is an international body that delivers technology research to global technology business leaders to make informed decisions on key initiatives.

2

2. Various Definitions of IT Governance [4]

1. The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.

2. IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

3. A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.

4. Specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT.

5. Governance is not about what decisions get made – that is management – but it is about who makes the decisions and how they are made.

6. IT Governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals.

7. The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organization and monitoring this use to achieve the plans. It includes the strategy and policies for using IT within an organization (ISO 38500).

[4] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.

3

3. DPSA and IT Governance [5]

The purpose of IT is to enable the Public Service in its service delivery quest. The ICT House of Values [6] depicts the values and key focus areas of IT service delivery. These objectives, principles, values and key focus areas inform the acquisition, management and use of IT.

To determine whether IT in the Public Service delivers an enabling service, various investigations were done into the shortcomings of IT. The first of these was the Presidential Review Commission (PRC) report of 1998 [7], which stated that all important decisions on IT should come from the senior political and managerial leadership of the state and not be delegated to the technologists. It furthermore advocates a common enabling framework of governance.

In 2002, and again in November 2010, the Government Information Technology Officers Council (GITOC) adopted the implementation of Control Objectives for Information Technology (COBIT) as the IT Governance Framework for implementation in the Public Service. Besides COBIT, other mechanisms such as ISO 38500 [8] and King III [9] are also available that provide guidance and frameworks for the implementation of governance of IT.

Since the publication of the PRC report, little has changed with respect to the governance of IT in the Public Service. This was confirmed during the information systems review of governance of IT in government conducted by the Auditor General (AG) in 2008/09 and again in 2009/10. Some of the AG recommendations were:

1. That a government-wide ICT Governance Framework be put in place for the implementation of a national IT strategy to address IT risks, based on defined processes and standards.

2. That the governance of IT roles and responsibilities are defined and implemented to ensure adequate Public Service IT enablement.

In order to institutionalize the governance of IT as an integral part of corporate governance within the Public Service, the DPSA made an undertaking to the AG to develop and formally approve an ICT Governance Framework. During 2011, the DPSA, in collaboration with the Government Information Technology Officers Council (GITOC), developed such a framework. Once this Framework is adopted, the DPSA will issue an Implementation Guideline to assist departments with the implementation.

[5] Draft Public Service Governance of Information and Communication Technology Framework (2nd of 2 main sources).
[6] Elements of the ICT House of Values: Government architecture; IT Security; IT Interoperability; Reduced IT duplication; Economies of scale and Digital inclusion (Incl. BEE).
[7] Report of the Presidential Review Commission as presented to the President of South Africa, 27 February 1998.
[8] Corporate governance of information technology standard.
[9] King III Report Chapter 5: The Governance of ICT.

4

The following objectives for the governance of IT were adopted by the GITOC:

1. Establish a common or uniform ICT Governance Framework and implementation guideline for the Public Service.

2. Embed governance of IT as a subset of corporate governance.

3. Create business value through IT enablement.

4. Achieve IT service delivery performance by conforming to relevant internal and external frameworks, standards and practices.

5. Implementation of governance of IT in government will be based on COBIT.


5

4. PGITOC and IT Governance

During a high level assessment of IT Governance in the FSPG the following key observations and challenges were inter alia identified:

1. There is recognition of the need for IT Governance; however, the understanding of the full requirements for IT Governance was limited.

2. An ICT Governance Strategy and Framework is lacking.

3. The Provincial Government Information Technology Officers Council (PGITOC) for the FSPG adopted COBIT as an ICT Governance Framework but little alignment to COBIT has been done.

The IT Directorate, Department of the Premier, is of the opinion that the ICT Governance Framework drafted by the DPSA covers all aspects necessary to enable the development of a cohesive Strategy and Framework in order to institutionalize the governance of IT as an integral part of corporate governance within the FSPG. The Office of the Chief Information Officer (CIO), in collaboration with the Provincial GITOC, drafted an ICT Governance Strategy and Framework for the FSPG based on the guidelines in the draft Framework provided by the DPSA. Once the draft Framework is formally adopted by the DPSA, the ICT Governance Strategy and Framework for the FSPG will be checked and, if necessary, amended to ensure compliance with the adopted Framework.

6

5. Corporate Governance vs IT Governance [10]

Corporate Governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organize them to meet the goals of the organization in the most effective and efficient manner possible. An effective corporate governance strategy allows an organization to manage all aspects of its business in order to meet its objectives.

Information Technology Governance (IT Governance), however, is a subset discipline of Corporate Governance. Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a part of the overall Corporate Governance Strategy of an organization. IT Governance and associated governance mechanisms provide the linkage between responsible Corporate Governance and effective IT Management.

Corporate Governance:

• Overall decision making and accountability structure.

• Establish goals, measures and policies.

• Ensure shareholders’ interests are respected.

IT Governance:

• Overall IT decision making and accountability.

• Ensures value is delivered to shareholders through IT investments and actions.

• Creates business value through IT.

IT Management:

• Manages IT budgets, resources, projects, operations and vendors.

• Runs IT as a business.

5.1 Corporate Governance

The field of Corporate Governance is a multi-faceted subject that includes several fields of study. These fields include areas such as:

1. Accountability and fiduciary duty. These advocate the implementation of guidelines and mechanisms to ensure management acts in good faith and that the public organization is protected from wrongdoing or fraud.

2. Economic efficiency view. This involves how the corporate governance system intends to optimize results, and meet its objectives.

3. Strategic efficiency view. This involves public policy objectives that are not directly measurable in economic terms such as alleviation of poverty, access to markets, income stabilization, health care and job creation. These are issues that are the main focus of most public sector institutions and are not readily measured in economic terms.

[10] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.

7

4. Stakeholder view. This area of study focuses more attention and accountability on other stakeholders such as citizens, employees, businesses and other levels of government (i.e. national, provincial, or local authorities).

5.2 IT Governance

IT Governance focuses specifically on information technology systems, their performance and risk management.

The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

IT Governance should be viewed as how IT creates value that fits into the overall Corporate Governance Strategy of the organization, and never be seen as a discipline on its own. In taking this approach, all stakeholders would be required to participate in the decision making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT related decisions are made and driven by the business and not vice versa.

IT Governance is needed to ensure that the investments in IT generate value (reward) and mitigate IT-associated risks, avoiding failure. IT is central to organizational success, that is, the effective and efficient delivery of services and goods, especially when the IT is designed to bring about change in an organization. This change process (commonly referred to as ‘business transformation’) is now the prime enabler of new business models in both the private and public sectors. Business transformation offers many rewards, but it also has the potential for many risks, which may disrupt operations and have unintended consequences. The dilemma becomes how to balance risk and rewards when using IT to enable organizational change.

8

6. Corporate Governance in the Public Service [11]

The purpose of Corporate Governance is to create value for the stakeholders of the organization. It consists of a governance system that affects the way the Public Service is managed and controlled. It also defines the relationships between stakeholders and the strategic goals of the Public Service.

Corporate Governance is a vehicle through which value is created within organizational context. Value creation means realizing benefits at an optimal resource cost whilst optimizing risk. This value creation takes place within a governance system that is established through this framework. A governance system refers to all the means and mechanisms that enable multiple stakeholders of an organization to have a structured and organized say in the following:

1. Evaluating the internal and external context, strategic direction and risk to conceptualize the Institution’s strategic goals and how they will be measured.

2. Directing the Institution in the execution of the strategic goals to ensure that value is realized and risk is managed.

3. Monitoring the execution of the strategic goals within an Institution against the measures identified for attaining the strategic goals.

Corporate Governance is also concerned with individual accountability and responsibilities within an organization; it describes how the organization is directed and controlled. It is in particular concerned with the following:

1. Organization. The organizational structures and coordinating mechanisms established within the organization and in partnership with stakeholders.

2. Management. The individual roles and responsibilities established to manage business change and operational services.

3. Policies. The frameworks established for making decisions and the context and constraints within which decisions are taken.

The diagram on the next page depicts the functioning of the governance system. The Executive Authority, who is accountable, provides the strategic direction of the organization. The strategic direction, together with the external and internal factors, influences the strategic goals. Corporate Governance and the governance of IT are executed on Executive level through the function of evaluation, direction and monitoring. The management of business execution is done through the organizational structure and utilization of the relevant resources. The Executive Authority and Senior Management of an organization are accountable and responsible to implement a governance system.

[11] Draft Public Service Governance of Information and Communication Technology Framework.

9

The functioning of the governance system.

10

7. IT Governance in the Public Service [12]

The governance of IT is a subset of Corporate Governance and is an integral part of the governance system within an organization. The governance of IT is defined as ‘the system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organization and monitoring this use to achieve the plans. It includes the strategy and policies for using IT within an organization.’ (ISO 38500 [13])

The Executive Authority and Senior Management are accountable and responsible for ensuring that governance of IT is implemented in their organization in line with this framework. Effective governance of IT is effected in an organization by, inter alia, the following:

1. Assigning responsibilities to Senior Managers with decision making authority.

2. Utilizing appropriate governance mechanisms.

3. Aligning IT goals with business goals and ensuring that business benefits are realized and risk is managed.

4. Investing in IT to enable the organization in the realization of business value.

5. Ensuring that appropriate business ownership of IT projects is established.

6. Providing the necessary capacity and capability in IT to support business.

7. Ensuring that IT is monitored and measured.

The implementation of the governance of IT can be achieved through the following, which will create the direct, monitor and compliance context for IT’s strategic alignment to the business strategy and goals:

Means and mechanisms:

• Frameworks

• Principles

• Policies

• Sponsorship

• Structures

Decision making mechanisms:

• Roles and responsibilities

• Processes

• Practices

[12] Draft Public Service Governance of Information and Communication Technology Framework.
[13] Adopted for South Africa as SANS 38500.

11

8. Enablement of Government Service Delivery through IT [14]

The South African Government adopted twelve (12) strategic performance outcomes to ensure the provision of an efficient and effective Public Service, guided by the Batho Pele principles [15] of equal access to services, increased productivity and lowering of cost. The Public Service, via the GITOC and the DPSA, also adopted certain IT values and key focus areas that should be achieved, as contained in the ICT House of Values.

All of the 12 strategic performance outcomes and the key focus areas of the ICT House of Values relate to each other. It is, however, performance outcome number 12: ‘…an efficient, effective and development oriented Public Service and empowered, fair and inclusive citizenship’, that directly speaks to IT enablement of Public Service delivery.

ICT House of Values

The table below shows the relation of the 12 strategic performance outcomes and the benefits that are realized when the governance of IT is effectively implemented and maintained.

Strategic Outcomes:

12 Strategic Performance Outcomes for the South African Government. Outcome 12 is directly related: ‘…an efficient, effective and development oriented Public Service and empowered, fair and inclusive citizenship.’

Elements of ICT House of Values:

• Government architecture

• ICT Security

• ICT Interoperability

• Reduced ICT duplication

• Economies of scale

• Digital inclusion (Incl. BEE)

Benefits derived from IT Governance:

• Lower cost

• Improved Public Service delivery

• Increased productivity

• Citizen convenience (Increased access to information and services)

• Improved return on investment

• Improved management of IT related risks

• Improved communication

• Improved delivery of IT

• Improved IT enablement of business

• Improved trust between IT and the business

• Increased alignment of investment with strategic goals

• Lowered IT continuity cost

• Continuous improvement of business and IT alignment

• Improved IT programme and project management

[14] Draft Public Service Governance of Information and Communication Technology Framework.
[15] Batho Pele means ‘people first’. 8 Principles: Consultation; Service Standards; Access; Courtesy; Information; Openness and Transparency; Redress/Dealing with complaints; Best Value.

12

To derive full value from IT enablement on a strategic and Institutional level, the Executive Authority and Senior Management should ensure the following regarding IT:

1. Collectively positions the Public Service to deliver on the 12 outcomes.

2. Enables the organization to deliver service to the citizen.

3. Facilitates the achievement of Public Service-wide and government organization goals.

4. Is managed in such a way that it is resilient and agile enough to learn and adapt to changing circumstances.

5. Is executed in line with legislative and regulatory requirements.

6. Performs risk management in line with the risk management priorities and appetite of the institution and that of the wider Public Service.

7. Pro-actively recognizes opportunities and guides government organizational and Public Service-wide executive authority and management in the timeous adoption of appropriate technology.

8. Provides appropriate security measures to protect the organizational information.

13

9. Frameworks and Standards Base: King III, ISO 38500 and COBIT [16]

From a governance perspective this Strategy and Framework is based on the following:

1. The King Report (currently in its third iteration, King III) is the most commonly accepted corporate governance framework in South Africa and is also valid for the Public Service. It has also been used to provide the governance of IT principles and establish the relationship between corporate governance and the governance of IT.

2. ISO 38500 is internationally accepted as the standard for governance of IT and provides governance principles and a governance model. This international standard has been adopted by South Africa as SANS 38500.

3. COBIT is an internationally accepted process framework for the implementation of governance of IT.

4. The principles and models as explained in the above frameworks and standard have been used to define and describe corporate governance in this Framework and to provide the principles of good governance of IT.

Interrelated Reference Base of this Framework

[16] Draft Public Service Governance of Information and Communication Technology Framework.

14

10. Principles for the Governance of IT [17]

The ICT Governance Strategy and Framework is based on principles as explained in the national and international standards for IT Governance, namely King III, ISO 38500 and COBIT. The following table lists the related adopted ISO 38500 and King III principles (please see paragraph 16 for COBIT):

ISO 38500 Principle 1: All within the organisation have to understand and accept the responsibility in respect of both supply of, and demand for, IT.

King III Principle 1: Board Responsibility: The board should be responsible for Information Technology (IT) Governance.

• The board should assume the responsibility for the governance of IT and place it on the board agenda.

• The board should ensure that an IT charter and policies are established and implemented.

• The board should ensure promotion of an ethical IT Governance culture and awareness and of a common IT language.

• The board should ensure that an IT internal control framework is adopted and implemented.

• The board should receive independent assurance on the effectiveness of the IT internal controls.

King III Principle 3: IT Governance Framework: The board should delegate to management the responsibility for the implementation of an IT Governance Framework.

• Management should be responsible for the implementation of the structures, processes and mechanisms for the IT Governance Framework.

• The board may appoint an IT steering committee or similar function to assist with its governance of IT.

• The Chief Executive Officer should appoint a Chief Information Officer (CIO) responsible for the management of IT.

• The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and executive management.

ISO 38500 Principle 2: The organisation’s business strategy takes into account the current and future capabilities of IT.

King III Principle 2: Performance and Sustainability: IT should be aligned with the performance and sustainability objectives of the company.

• The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.

• The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

[17] Draft Public Service Governance of Information and Communication Technology Framework.

15

ISO 38500 Principle 3: All IT acquisitions are made for valid reasons on the basis of appropriate and ongoing analysis, with clear and transparent decision making.

King III Principle 4: IT Investments: The board should monitor and evaluate significant IT investments and expenditure.

• The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.

• The board should ensure that intellectual property contained in information systems is protected.

• The board should obtain independent assurance on the IT Governance and controls supporting outsourced IT services.

ISO 38500 Principle 4: IT is fit for purpose in supporting the organisation, providing the services, levels of service and service quality required to meet current and future business requirements.

King III: Same as Principle 2 above.

ISO 38500 Principle 5: Compliance should form an integral part of the risk management process. The risk of non-compliance should be identified, assessed and responded to in the risk management process.

King III Principle 5: Risk Management. IT should form an integral part of the company’s risk management.

• Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.

• The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

ISO 38500 Principle 6: IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.

King III Principle 6: Information Security. The board should ensure that information assets are managed effectively.

• The board should ensure that there are systems in place for the management of information, which should include information security, IT and information privacy.

• The board should ensure that all personal information is treated by the company as an important business asset and is identified.

• The board should ensure that an Information Security Management System is developed and implemented.

• The board should approve the information security strategy and delegate and empower management to implement the strategy.


King III Principle 7: Governance Structures. A risk committee and audit committee should assist the board in carrying out its IT responsibilities.

• The risk committee should ensure that IT risks are adequately addressed.

• The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.

• The audit committee should consider IT as it relates to financial reporting and the going concern of the company.

• The audit committee should consider the use of technology to improve audit coverage and efficiency.


11. IT Governance Framework

IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organisational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

IT Governance deals with how IT decisions are made and by whom, detailing who has decision making rights, who is supposed to provide the input to inform the decisions and who is accountable for implementing the decisions. It is ultimately about making IT decisions the right way. Governance of IT will help the Free State Provincial Government (FSPG) to integrate IT with the business and improve the cost effectiveness of IT.

The IT Governance framework will deal with the following:

1. What key IT decisions need to be made and by whom.

2. What decision models are to be used in these decisions.

3. What IT Governance structures, processes, strategy, policies, standards and procedures are required for correct decision making.

4. What IT processes and procedures are required to ensure that IT ultimately serves the business.

The IT Governance framework is aligned with the King III Code of Practice for IT Governance as well as best practice control and process frameworks in supporting business-aligned use of and investment in IT.

Depending on the size and complexity of their IT operations, organizations may also elect to adopt related standards and frameworks. The following, of which CMMI and ITIL are the most popular, are recommended:


Framework (Acronym): Description

Capability Maturity Model Integration (CMMI): Process improvement approach used in the development of applications (software).

Information Technology Infrastructure Libraries (ITIL): Set of processes for managing IT services.

Information Technology Risk Management (ITRM): Framework for managing and mitigating risks resulting from IT.

International Organization for Standardization 27000 (ISO 27000): Framework for information security.

Minimum Interoperability Standards (MIOS): Blueprint to guide seamlessness and interoperability in the Public Service.

Publicly Available Specifications 56 (PAS 56): Guide to Business Continuity Management.

Project Management Book of Knowledge (PMBOK): Set of standard terminology and guidelines for project management.

Projects in Controlled Environments (PRINCE2): Managing IT projects and realizing value from IT.

Publicly Available Specifications 77 (PAS 77): Guide to IT Service Continuity Management.

Open Group Architecture Framework (TOGAF): Framework for developing an enterprise architecture.

The PGITOC adopted COBIT as the overall IT Governance Framework for the FSPG. The following diagram18 illustrates how the CMMI and ITIL frameworks, with COBIT as the overarching framework, work together to provide guidance in the governance of IT from strategic to process level:

Diagram illustrating how the CMMI and ITIL frameworks, with COBIT overarching, work unitedly.

18 Sun Microsystems Inc. (2010). Positioning of Frameworks. Available: http://www.isaca.org/Groups/Professional-English/frameworks/GroupDocuments/frameworks_v3_111908.pdf. Last accessed 27 January 2011.


12. What IT Governance will deliver and the five IT Governance focus areas

There are two major outcomes from IT Governance:

1. IT value delivery to departments.

2. Mitigating IT related risks.

Both the above-mentioned outcomes are achieved through focusing on the five IT Governance areas19 as illustrated on the image to the right and explained below.

IT Governance focus areas:

1. Strategic Alignment: Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition, and on aligning IT operations with the organization’s operations.

2. Value Delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the value of IT.

3. Risk Management: Requires risk awareness by senior management, a clear understanding of the organization’s appetite for risk, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization.

4. Resource Management: Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.

5. Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Strategic Alignment:

• Linking business and IT plans.

• Defining, maintaining and validating the IT value proposition.

• Aligning IT operations with the organization’s operations.

• Providing collaborative solutions that contain costs while improving administrative efficiency and managerial effectiveness.

Best Practices:

• Integrated approach to business/IT strategy.

• Cascading strategy and objectives down into the organization.

• Co-responsibility of business and IT.

• Clearer objectives for IT investments.

• IT Strategy and IT Standing Committees.

19 Saull, R. (2006). IT Governance. A Framework for Performance and Compliance. Available: http://itgi.jp/conf200611/ronsaull.pdf. Last accessed 28 January 2011.


Value Delivery:

• Executing the value proposition throughout the delivery cycle.

• Ensuring that IT delivers the promised benefits against the strategy.

• Concentrating on optimizing expenses and proving IT’s value.

• Controlling projects and operational processes with practices that increase the probability of success (budget, risk, quality etc.).

Best Practices:

• Tracking of the business value of IT.

• Enabling effective value measurements (ROI, TCO etc.).

• Disciplined approach to project management with a larger role for the business.

• Commitment to formal methodologies/processes for application development and service delivery.

• Enterprise architecture planning.

Risk Management:

• Requires risk awareness of senior management, a clear understanding of the organization’s appetite for risk and transparency about the significant risks to the organization.

• Embeds risk management responsibilities in the operation of the organization.

• Addresses the safeguarding of IT assets, disaster recovery and continuity of operations.

Best Practices:

• Awareness of IT risks based on continuous assessment.

• Transparency to all stakeholders.

• Establishing responsibility and embedding risk management into the organization.

• An integral part of compliance and assurance.

• Use of formal IT risk and control frameworks.

• Process management disciplines.

Resource Management:

• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure, data).

• Maximizing the efficiency of these assets and optimizing their costs.

• Optimizing knowledge and the IT infrastructure.

• Knowing where, when and how to outsource.

Best Practices:

• Supply/demand balancing.

• Practices to train and sustain staff.

• Consumption-based chargeback.

• Formalized vendor management disciplines.


Performance Measurement:

• Using balanced scorecards that translate strategy into action to achieve goals measureable beyond conventional accounting.

• Measuring relationships and assets necessary to compete (customer focus, process efficiency and the ability to learn and grow).

• Tracking project delivery and monitoring IT services.

Best Practices:

• IT balanced scorecard as emerging reporting system.

• A management reporting system that feeds back into the strategy.

• Use of benchmarking for performance comparison.

• IT scorecard approval by the key stakeholders for alignment.


13. Five IT Governance Decisions Areas (Domains)20

IT Governance necessitates key decisions regarding IT in the FSPG. Some of these decisions must be made in conjunction with the business to get full value from the IT investment. It is important to articulate these key decision areas (domains) in order for IT to perform according to requirements. The following five key IT decision areas exist:

1. IT Principles: This is the area in which organizational principles (policies, standard operating procedures, etc.) are decided upon. The key here is to adopt IT principles that will best satisfy an organization’s IT and business needs. It represents high-level statements regarding the utilisation of IT to realise and create business value. These principles must be agreed to and must guide how IT is utilised to extract maximum value.

2. IT Infrastructure Strategies: Within this area, the rights and responsibilities for deciding what type of infrastructure issues need to be handled to accommodate organizational IT requirements are determined. It represents how the FSPG will build an IT infrastructure to meet business goals. IT strategy decisions are necessary for the long-term success of the organisation.

3. IT Architecture: In this area, the type of IT employed to fulfil organizational business requirements is decided upon. It represents the policies and standards required for IT to achieve business goals and objectives. It also indicates how applications, data, people, business processes and technology are affected by technical choices.

4. Business IT Application Needs: This area is for the most part self-explanatory. This is where organizational business applications are decided upon. This area is not technical in nature. It represents the business applications required to meet the organization’s needs.

5. IT Investment and Prioritisation: In this area, final approval is given on what IT investments will be made. The decision is made based on justification and feasibility. It represents how the FSPG approves and justifies investments in IT.

20 University of West Florida (2009). IT Governance. Available: http://argowiki.com/index.php?title=IT_Governance. Last accessed 01 February 2011.


14. Decision Model and Governance Style

The FSPG has chosen a decentralised model (IT unit per department) for providing IT goods and services to the various departments. Strategic IT matters are considered by the PGITOC, which is chaired by the Chief Information Officer (CIO) (Department of the Premier) with the IT Managers of the various departments as members. It is imperative to immerse IT in the business so that IT plans are aligned to the business, and so that IT decisions and business decisions are concluded in a manner that advances the objectives of the departments.

There are generally six governance styles for providing input or making decisions regarding the five key IT decision areas (domains) mentioned in paragraphs 6.1 to 6.5. The styles reflect a mix of shared responsibilities (for input and decision making) between IT and business in governing the five decision areas.

The following six classic styles exist in a typical IT Governance structure:

1. Business Monarchy: This is where the Head of the Department, the Chief Financial Officer (CFO) and the Chief Information Officer (CIO)/IT Manager (the so-called C-level executives) make the decisions. Recently the CIO/IT Manager has been more involved and has a more active role in the decision making within the business monarchy level. At this level, decisions are derived from input from many areas.

2. IT Monarchy The IT monarchy consists of IT executives (CIO and IT Managers). Within this governance archetype, decisions could be made by way of an IT leadership committee (for example the PGITOC). At this level, decision rights for both IT Infrastructure Strategies and IT Architecture are the responsibility of the IT monarchy.

3. Feudal Feudal governance is characterized by delegated or otherwise dispersed governing rights. The exercising of decision-making is highly localized, and central leadership is weak or at least unobtrusive. This model usually arises in organizations with highly independent and incongruent business units.

4. Federal This governance archetype attempts to balance responsibilities in the decision making process. Normally this form of decision making consists of the C-level executives and representatives from one other tier within the organization (for example the business leaders tier, business process owners tier, IT leaders tier, etc.). The federal approach is often used for input rights, but less often for decision rights. Given the breadth of opinions under this structure, it is no surprise that there is a propensity for discord.

5. Duopoly This archetype is characterized by a two-party involvement consisting of one IT group and one business group. This archetype could be used by the business side to introduce business objectives and by the IT side to introduce available technologies so both sides can ultimately reach decisions on viable solutions.

6. Anarchy Business process owners and end users have decision rights under this archetype. Surprisingly, most large firms display elements of anarchy. When optimization and customization supersede sharing and standardization, it makes sense to delegate decision rights to end-users.


The FSPG IT Governance uses a mix of governance styles across the five decision areas. The variety of styles highlights different required roles for input and decision making in support of business needs. The primary IT Governance styles for the FSPG are the Business and IT Monarchy as well as the Duopoly style.


15. IT Governance Structure and Mechanisms

The FSPG has adopted formal governance mechanisms in order to implement the governance styles and decision model. These governance mechanisms and structures are there to ensure joint decision making where necessary, allocating accountability and responsibility for IT decisions. These formal governance mechanisms are the following:

1. Executive Council (EXCO): Sets the strategic objectives for the Province.

2. Director General (DG): Ensures that the FSPG has and maintains an appropriate IT procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective.

3. Chief Financial Officer (CFO): Ensures that the prescriptions of the Public Finance Management Act (PFMA), 1999 (Act 1 of 1999), as amended by Act 29 of 1999, including the Framework for Supply Chain Management (SCM), are adhered to.

4. Forum of Heads of Department (FoHoD): All the accounting officers (Heads of Department) in the FSPG. It acts as a forum responsible for guiding IT and extracting maximum strategic value out of IT.

5. Chief Information Officer (CIO): Gives practical effect to the responsibilities of the Director General and keeps departments updated on strategic IT matters and developments.

6. Provincial Government Information Technology Council (PGITOC): Plans, coordinates, monitors and shares Information Management and Information Technology between the departments. The PGITOC is ultimately responsible for IT Governance.

7. Standing Committees (SC): Investigate, consider and make recommendations to the PGITOC regarding IT matters.

8. Service Level Agreements (SLA): Specify and measure IT services. SLAs also include Memoranda of Understanding (MOUs).

9. Business Unit Managers (BUM): Determine business and IT requirements and relay them to the CIO/IT Managers.


15.1 Governance Matrix (Input and Decision Rights)

Governance Matrix (table): the rows are the six governance styles (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy) and the columns are the five decision areas (IT Principles; IT Infrastructure Strategies; IT Architecture; Business IT Application Needs; IT Investment and Prioritization), each split into Input rights and Decision rights. The entries recoverable from the table are: Business Monarchy: DG, FoHoD and CFO; IT Monarchy: PGITOC, SC and CIO/IT Managers; Duopoly: SC, CIO/IT Managers and BUM. The Feudal, Federal and Anarchy rows have no entries.

The net result from the governance mechanisms over the five key IT decision areas is the following:

1. Collaborative decision making between the departments and IT leadership for IT Principles, IT Investment and Prioritization.

2. IT leadership has the responsibility for finalising IT Infrastructure Strategies and IT Architecture.

3. Departmental input in determining IT Application Needs.

15.2 Roles and Responsibilities (Accountability Framework)

15.2.1 Director General

In terms of Section 38 (1)(a)(iii) of the PFMA (Act 1 of 1999, as amended by Act 29 of 1999) the accounting officer (DG) for a department (FSPG) must ensure that the department has and maintains an appropriate procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective. Flowing from this, the Director General (DG) is accountable for IT Governance at provincial level. This role is discharged at departmental level in the FSPG by all the HoDs. The DG has also delegated some of his responsibilities to the CIO, who, among other things, ensures that IT Governance is in place and that IT supports FSPG objectives.


15.2.2 Heads of Department

Heads of Department (HODs) are accounting officers at departmental level in the FSPG. As accounting officers, the responsibility for the governance of IT within the respective departments lies with them. The HODs are ultimately responsible for cultivating an understanding for the value of IT within their departments.

15.2.3 Chief Information Officer

The Chief Information Officer (CIO), using the structures of the PGITOC, is responsible for giving practical effect to the responsibilities of the DG and for keeping HODs and Provincial IT Managers updated on strategic IT matters and developments. As the head of the IT unit in the Department of the Premier (DoP), the CIO also has oversight of internal governance structures and therefore becomes the bridge between the DoP and the other provincial departments. The CIO is also responsible for the following:

1. Represent the FSPG at the Government Information Technology Officers Council (GITOC) on national level.

2. Interact regularly on matters of IT Governance with the PGITOC.

3. Report on a regular basis to Senior Management (SM) in the DoP as well as to HoDs in order to ensure transparency of IT operations and implementation.

4. Implement and monitor an IT Governance framework (COBIT) to deliver value and manage risk.

5. Implement IT strategies, policies, standards and procedures.

6. Implement an organisational structure geared for getting value out of IT for departments.

7. Implement governance structures (e.g. SLAs).

8. Create an awareness of the maturity levels of governance.

9. Implement an IT planning process that is integrated with the departmental strategy development process.

10. Align IT operations with departmental operations.

11. Translate business requirements into efficient and effective IT solutions.

15.2.4 Provincial Government Information Technology Officers Council

The PGITOC champions IT innovations in the FSPG. In so doing, the PGITOC considers crosscutting IT-related solutions proposed by departments for implementation and makes recommendations on their approval to FoHoD. The Council thus functions as a gatekeeper for proposed crosscutting IT solutions. The PGITOC also makes recommendations on the adoption of proposed IT strategies, policies, norms and standards.


The PGITOC also considers IT architecture variations and reviews IT risk strategy for consistency with the architecture. The PGITOC is also responsible for defining multi-departmental and single-departmental initiatives and approving IT standards. In sum, the PGITOC is the de facto IT Strategy Committee and acts on behalf of FoHoD (to which it is accountable) on how to best use IT within the organisation. The PGITOC operations are regulated by the following:

1. Free State Growth and Development Strategy Plan.

2. Individual departments’ strategic and IT plans.

3. Integrated Development Plan (IDP).

4. SITA Act, 1998 and Regulations.

5. Public Service Acts and Regulations.

6. Public Finance Management Act, 1999 and Regulations.

The PGITOC is governed by a Charter approved by FoHoD and meets at least once every month (and whenever circumstances so determine). The PGITOC is constituted by the following:

1. CIO, who is the Chairperson.

2. IT Managers from each department as appointed by the HODs.

3. Managers in the IT unit of the DoP.

5. Provincial representative of the State Information Technology Agency (SITA), as Associate Member only on the standing committees.

6. Secretary – official from the IT unit, DoP.

The following Standing Committees exist within the PGITOC:

1. Procurement and IT Economic Development.

2. E-government and E-governance.

3. Risk, Audit, Projects and Change Management.

4. Security, Architecture and Free and Open Source Software (FOSS).

The CIO reports to the Director General. The PGITOC reports to FoHoD through the CIO. Departmental IT Council members (IT Managers) report to their respective HODs, who in turn report to their Member of EXCO.

15.2.5 Provincial IT Managers

A Provincial IT Manager is responsible for the following:

1. Represent the department at the Government Information Technology Officers Council on provincial level (PGITOC).

2. Interact regularly on matters of IT Governance with the PGITOC.

3. Report on a regular basis to Senior Management (SM) in the department as well as to the HoD in order to ensure transparency of IT operations and implementation.


4. Implement and monitor an IT Governance framework (COBIT) to deliver value and manage risk.

5. Implement IT strategies, policies, standards and procedures.

6. Implement an organisational structure geared for getting value out of IT for departments.

7. Implement governance structures (e.g. SLAs).

8. Create an awareness of the maturity levels of governance.

9. Implement an IT planning process that is integrated with the departmental strategy development process.

10. Align IT operations with departmental operations.

11. Translate business requirements into efficient and effective IT solutions.

15.3 Governance Map

Governance Map (diagram; only the labels are recoverable): Premier, EXCO, MEC, DG, FoHoD, HOD, CIO, PGITOC, Prov IT Manager, IT Governance, IT Governance Standing Committee.


16. IT Governance Processes (COBIT)

Control Objectives for Information and related Technology (COBIT) provides comprehensive good practices and processes for enforcing successful governance of IT – embedding IT and its value within the FSPG.

COBIT contributes to IT Governance by providing a framework to ensure that:

1. IT is aligned to departments and their business;

2. IT enables departments and maximises benefits;

3. IT resources are used responsibly; and

4. IT risks are managed appropriately.

COBIT has four domains that contain control processes to be used in achieving governance (primarily resource utilisation, business alignment of IT, value delivery and the management of IT risk). The four COBIT domains are: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME).

COBIT Framework

Val IT and Risk IT21

COBIT is further complemented by two other IT Governance frameworks that will be used in the FSPG’s governance of IT. These complementary frameworks are Val IT and Risk IT. The two frameworks extend COBIT with more detail and processes for the two governance focus areas of Value Delivery and Risk Management.

‘The links between COBIT and Val IT are focussed on programme and portfolio management and investment management, and primarily the COBIT IT processes that deal with strategy and portfolios (PO1), investment and budgets (PO5), solution delivery (PO10), service management (DS1) and performance reporting (ME1). The links between COBIT and Risk IT are focussed on risks related to strategic choices (PO1), roles and responsibilities for risk-related functions (PO4), risk-related policies and frameworks (PO6), risk management (PO9), business continuity (DS4) and various other specific risk-related service delivery activities in the DS domain.’22

21 Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobit-it-governance-risk-it-practitioner-guide. Last accessed 08 February 2011.

The diagram23 to the right illustrates how COBIT links the business requirements with the abilities or value of IT.

IT Resources are those resources that were made available by the IT units in the various departments.

IT Processes are activities to organize IT units and to respond to departments' needs.

Business requirements are departmental expectations of IT.

COBIT (Control Objectives for Information and related Technology) covers the following four domains:24

1. Plan and Organize (PO).

2. Acquire and Implement (AI).

3. Deliver and Support (DS).

4. Monitor and Evaluate (ME).

The key to maintaining profitability in a technologically changing environment is how well control is maintained. COBIT’s Control Objectives provide the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 210 specific and detailed control objectives throughout the 34 high-level IT processes.

Overview of COBIT’s 34 high-level IT processes (some of these processes can further be enhanced through the use of Val IT and Risk IT):

Plan and Organize (PO)

22 ISACA. (2011). Implementing and Continually Improving IT Governance. Available: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Implementing-and-Continually-Improving-IT-Governance1.aspx. Last accessed 08 February 2011.

23 Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobit-it-governance-risk-it-practitioner-guide. Last accessed 08 February 2011.

24 Palante, JP. (2010). CobiT domains and processes. Available: http://www.qualified-audit-partners.be/index.php?cont=463&lgn=3. Last accessed 08 February 2011.

The Plan and Organization (PO) domain covers the use of IT and how best it can be used in an organization to help achieve the organization’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level IT processes for the Planning and Organization (PO) domain:

Process Description PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organization and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects

Acquire and Implement (AI)

The Acquire and Implement (AI) domain covers identifying IT requirements, acquiring the technology and implementing it within the organization's current business processes. This domain also addresses the development of a maintenance plan that an organization should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level IT processes for the Acquire and Implement (AI) domain:

Process   Description
AI1       Identify Automated Solutions
AI2       Acquire and Maintain Application Software
AI3       Acquire and Maintain Technology Infrastructure
AI4       Enable Operation and Use
AI5       Procure IT Resources
AI6       Manage Changes
AI7       Install and Accredit Solutions and Changes

Deliver and Support (DS)

The Deliver and Support (DS) domain focuses on the delivery aspects of information technology. It covers areas such as the execution of applications within the IT system and their results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security and training. The following table lists the high-level IT processes for the Deliver and Support (DS) domain:

Process   Description
DS1       Define and Manage Service Levels
DS2       Manage Third-party Services
DS3       Manage Performance and Capacity
DS4       Ensure Continuous Service
DS5       Ensure Systems Security
DS6       Identify and Allocate Costs
DS7       Educate and Train Users
DS8       Manage Service Desk and Incidents
DS9       Manage the Configuration
DS10      Manage Problems
DS11      Manage Data
DS12      Manage the Physical Environment
DS13      Manage Operations

Monitor and Evaluate (ME)

The Monitor and Evaluate (ME) domain deals with an organization's strategy for assessing its needs and whether the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the organization's control processes. The following table lists the high-level IT processes for the Monitor and Evaluate (ME) domain:

Process   Description
ME1       Monitor and Evaluate IT Performance
ME2       Monitor and Evaluate Internal Control
ME3       Ensure Compliance with External Requirements
ME4       Provide IT Governance

Figure: COBIT Framework (diagram not reproduced in this text)

17. IT Policies, Standards and Procedures

IT policies will be established and enforced to give effect to the governance requirements. Where necessary, policies will be accompanied by standards and procedures that guide their implementation. Goals will be evaluated continuously to identify possible risks. The impact of a risk can be gauged by considering what might happen if the expectations surrounding that risk are not made clear to everyone in the organisation. If an identified risk and its impact stand in the way of achieving a goal, it will likely need to be addressed by a policy. In this way management establishes clear guidelines that help ensure desired performance, fitting checks and balances and appropriate workplace interactions. The following activities are involved in identifying the areas that require policies:

1. Documenting goals.
2. Assessing the current state.
3. Envisioning the future state.
4. Performing a gap analysis.

Other sources of policy content will be some of the IT-process-specific frameworks that complement COBIT, such as the ISO 27000 series for information security, ITIL (Information Technology Infrastructure Library) for service management and CMMI (Capability Maturity Model Integration) for software development. Provincial IT policies and standards (impacting on the FSPG) are recommended by the PGITOC and FoHoD and approved by the DG. Departmental IT policies and standards are recommended by the CIO/IT Managers and approved by the Heads of Department.


18. IT Processes

COBIT provides detailed IT governance, IT management and general IT processes. It is, however, necessary to augment these with industry-recognised, domain-specific frameworks and their processes.

In the Plan and Organise domain TOGAF (The Open Group Architecture Framework) will be used in:
PO1: Define a Strategic IT Plan.
PO2: Define the Information Architecture.
In the same domain a process methodology based on PRINCE2 will be used in:
PO10: Manage Projects.

In the Acquire and Implement domain CMMI will be used in conjunction with ITIL in:
AI2: Acquire and Maintain Application Software.
AI3: Acquire and Maintain Technology Infrastructure.
AI4: Enable Operation and Use.
AI6: Manage Changes.

In the Deliver and Support domain ITIL processes will be used in:
DS1: Define and Manage Service Levels.
DS3: Manage Performance and Capacity.
DS6: Identify and Allocate Costs.
DS8: Manage Service Desk and Incidents.
DS9: Manage the Configuration.
DS10: Manage Problems.
DS13: Manage Operations.
Within the same Deliver and Support domain the ISO 27000 series with its processes will be used as the security standard in:
DS5: Ensure Systems Security.
DS7: Educate and Train Users.

In the Monitor and Evaluate domain ISO 9000 with its processes will be used as the quality standard in:
ME1: Monitor and Evaluate IT Performance.
ME2: Monitor and Evaluate Internal Control.
ME3: Ensure Compliance with External Requirements.


19. IT Governance Performance Metrics [25]

IT Governance also means that control mechanisms are to be provided to senior management. The standard IT balanced scorecard [26] (BSC, Figure 1) is a good illustration of how this control question can be answered. The scorecard provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations and expertise of IT staff, and may compare these measures with benchmarking figures. This prevents IT reporting from being restricted to technical matters, such as the selection of a new voice communication network, and ensures that inhibitors of new business strategies can be detected and acted upon. The IT units will use BSCs to report performance to accounting officers.

Figure 1 shows a standard IT balanced scorecard. The User Orientation perspective represents the user evaluation of IT. The Operational Excellence perspective represents the IT processes employed to develop and deliver the applications. The Future Orientation perspective represents the human and technology resources needed by IT to deliver its services. The Business Contribution perspective captures the business value of the IT investments. Each of these perspectives has to be translated into corresponding metrics and measures that assess the current situation. These assessments have to be repeated periodically and have to be confronted with goals that have been set beforehand and with benchmarking figures.

Figure 1: Standard IT balanced scorecard

It is essential that within an IT BSC the cause-and-effect relationships are established and the connections between the two types of measures, outcome measures and performance drivers, are clarified. A well-built IT scorecard needs a good mix of these two types of measures. Outcome measures such as developers' productivity (e.g. number of function points per person per month) without performance drivers such as IT staff education (e.g. number of educational days per person per year) do not communicate how the outcomes are to be achieved, and performance drivers without outcome measures may lead to significant investment without any measurement of whether the strategy is effective. These cause-and-effect relationships have to be defined throughout the whole scorecard (Figure 2): more and better education of IT staff (future orientation perspective) is an enabler (performance driver) for better quality of developed systems (operational excellence perspective), which in turn is an enabler for increased user satisfaction (user orientation perspective), which eventually must lead to a higher business value of IT (business contribution perspective).

Figure 2: Cause-and-effect relationships across the perspectives of the IT balanced scorecard

IT Governance is part of corporate governance and has to provide the organizational structures that enable the creation of business value through IT, the assurance that there are no IT investments in bad projects, and adequate IT control mechanisms. The methodology of the balanced scorecard is a measurement and management system that is very suitable for supporting the IT Governance process and the IT/business alignment process. It is believed that in the near future many organizations will use a cascade of a business balanced scorecard and IT balanced scorecards as a way of assuring IT Governance and achieving the integration of business and IT decisions.

[25] Van Grembergen, W. (2010). The Balanced Scorecard and IT Governance. Available: http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/The-Balanced-Scorecard-and-IT-Governance.pdf. Last accessed 09 February 2011.
[26] The Balanced Scorecard (BSC), initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up. In recent years the BSC has been applied to IT.
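The cause-and-effect structure of an IT scorecard described above can be checked mechanically before the scorecard is used for reporting. The following Python block is an added example; it is not part of the FSPG document nor of Van Grembergen's paper, and the perspective keys, measure names, the `drives` link relation and every figure in it are hypothetical, constructed for illustration. It checks a scorecard definition for the two defects the text warns about (an outcome measure with no performance driver behind it, and a performance driver that leads to no outcome measure), verifies that every perspective is populated and that no link runs backwards along the chain, and then confronts each measure with its target and, where one exists, its benchmark.

```python
"""Structural check and evaluation of an IT balanced scorecard (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Perspectives in the cause-and-effect order described in the text (Figure 2):
# future orientation -> operational excellence -> user orientation -> business contribution.
PERSPECTIVES = ["future", "operational", "user", "business"]


@dataclass
class Measure:
    name: str
    perspective: str
    kind: str                                  # "driver" (performance driver) or "outcome" (outcome measure)
    actual: float
    target: float                              # goal set beforehand
    benchmark: Optional[float] = None          # external benchmarking figure, if one exists
    higher_is_better: bool = True
    drives: List[str] = field(default_factory=list)  # measures this one is an enabler for (hypothetical relation)


def _reachable(start: str, by_name: Dict[str, Measure]) -> Set[str]:
    """Names of all measures reachable from `start` along `drives` links (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(by_name[start].drives)
    while stack:
        name = stack.pop()
        if name in seen or name not in by_name:
            continue
        seen.add(name)
        stack.extend(by_name[name].drives)
    return seen


def validate(measures: List[Measure]) -> List[str]:
    """Return the structural problems of a scorecard; an empty list means it is well built."""
    by_name = {m.name: m for m in measures}
    problems: List[str] = []
    for m in measures:
        if m.perspective not in PERSPECTIVES:
            problems.append(f"{m.name}: unknown perspective '{m.perspective}'")
        if m.kind not in ("driver", "outcome"):
            problems.append(f"{m.name}: unknown kind '{m.kind}'")
    if problems:
        return problems                        # the chain cannot be reasoned about with bad input
    present = {m.perspective for m in measures}
    problems += [f"perspective '{p}' has no measures" for p in PERSPECTIVES if p not in present]
    for m in measures:
        for tgt in m.drives:
            if tgt not in by_name:
                problems.append(f"{m.name}: drives unknown measure '{tgt}'")
            elif PERSPECTIVES.index(by_name[tgt].perspective) < PERSPECTIVES.index(m.perspective):
                problems.append(f"{m.name} -> {tgt}: link runs backwards along the cause-and-effect chain")
    drivers = [m for m in measures if m.kind == "driver"]
    for d in drivers:                          # driver without any outcome: investment with no measurement
        if not any(by_name[r].kind == "outcome" for r in _reachable(d.name, by_name)):
            problems.append(f"{d.name}: performance driver leads to no outcome measure")
    for o in (m for m in measures if m.kind == "outcome"):   # outcome without a driver: no way to achieve it
        if not any(o.name in _reachable(d.name, by_name) for d in drivers):
            problems.append(f"{o.name}: outcome measure has no performance driver behind it")
    return problems


def evaluate(measures: List[Measure]) -> Dict[str, Dict[str, object]]:
    """Confront each measure with its target and, where present, its benchmark."""
    report: Dict[str, Dict[str, object]] = {}
    for m in measures:
        sign = 1 if m.higher_is_better else -1
        vs_benchmark = None
        if m.benchmark is not None:
            vs_benchmark = "ahead" if sign * (m.actual - m.benchmark) >= 0 else "behind"
        report[m.name] = {"perspective": m.perspective, "kind": m.kind,
                          "on_target": sign * (m.actual - m.target) >= 0,
                          "vs_benchmark": vs_benchmark}
    return report


# Constructed sample scorecard (hypothetical figures, not from the document). The productivity
# outcome deliberately has no performance driver behind it, the defect the text warns about.
SAMPLE_SCORECARD = [
    Measure("training_days_per_person", "future", "driver", actual=6, target=5, benchmark=7,
            drives=["defect_density"]),
    Measure("defect_density", "operational", "outcome", actual=1.2, target=1.0, benchmark=0.8,
            higher_is_better=False, drives=["user_satisfaction"]),
    Measure("function_points_per_person_month", "operational", "outcome", actual=14, target=12),
    Measure("user_satisfaction", "user", "outcome", actual=4.1, target=4.0, benchmark=4.3,
            drives=["it_benefit_cost_ratio"]),
    Measure("it_benefit_cost_ratio", "business", "outcome", actual=1.15, target=1.10),
]

# Adding a driver behind the orphaned outcome makes the scorecard well built.
REPAIRED_SCORECARD = SAMPLE_SCORECARD + [
    Measure("code_review_coverage_pct", "operational", "driver", actual=80, target=75,
            drives=["function_points_per_person_month"]),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_SCORECARD):
        print("problem:", problem)
    for name, row in evaluate(REPAIRED_SCORECARD).items():
        print(f"{row['perspective']:12} {row['kind']:8} {name:34} "
              f"on_target={row['on_target']} benchmark={row['vs_benchmark']}")
```

Run stand-alone, the block first reports the single structural problem in the sample (the productivity outcome has no driver behind it) and then prints the target and benchmark status of every measure in the repaired scorecard, perspective by perspective. The `drives` relation is the only piece of structure a scorecard author has to supply beyond the measures themselves; everything else, including the "outcome without driver" and "driver without outcome" checks, is derived from it.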


20. Glossary

Accounting Authority: Premier or Member of the Executive Council (MEC).
Accounting Officer: Director-General (DG) and Heads of Departments (HoDs).
AG: Auditor-General.
AI: Acquire and Implement.
BSC: Balanced Scorecard: scorecard that provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations and expertise of IT staff, and may compare these measures with benchmarking figures.
BUM: Business Unit Managers.
CFO: Chief Financial Officer.
CIO: Chief Information Officer.
CMMI: Capability Maturity Model Integration: process improvement approach used in the development of applications (software).
COBIT: Control Objectives for Information and related Technology: provides comprehensive IT governance processes, IT alignment and IT controls.
Corporate Governance: The set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed.
Governance of IT: The system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the plans for the use of IT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organisation. (ISO 38500)
DG: Director-General.
DPSA: Department of Public Service and Administration.
DS: Deliver and Support.
EXCO: Executive Council.
Executive Authority: Premier in EXCO.
FoHoD: Forum of Heads of Department.
FOSS: Free and Open Source Software.
FSPG: Free State Provincial Government.
Gartner Group: An international body that delivers technology research to global technology business leaders to make informed decisions on key initiatives.
GITO: Government Information Technology Officer.
GITOC: Government Information Technology Officers Council.
Governance Principles: The vehicle to translate the desired behaviour into practical guidance for day-to-day management (e.g. King III, ISO 38500 and COBIT).
HoD: Head of Department.
ICT: Information and Communications Technology.
ISACA: Information Systems Audit and Control Association.
ICT House of Values: Its main aim is to reduce IT costs for Government, improve Government's efficiency and effectiveness and make it convenient for citizens to access Government services.
IDP: Integrated Development Plan.


ISO 27000: International Organization for Standardization 27000 series: framework for information security (information security management systems, including ISO/IEC 27001 and ISO/IEC 27002).
ISO 38500: International Organization for Standardization 38500: sets out six principles for good corporate governance of IT: Responsibility; Strategy; Acquisition; Performance; Conformance; Human behaviour.
ISO 9000: International Organization for Standardization 9000: a family of standards related to quality management systems, designed to help organisations ensure they meet the needs of customers and other stakeholders. ISO 9000 deals with the fundamentals of quality management systems, including the eight management principles on which the family of standards is based. ISO 9001 deals with the requirements that organisations wishing to meet the standard have to meet.
IT: Information Technology.
IT Governance: The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long-term sustainable success of the enterprise.
ITIL: Information Technology Infrastructure Library: set of processes for managing IT services.
ITRM: Information Technology Risk Management: framework for managing and mitigating risks resulting from IT.
King III Code of Practice for IT Governance: IT Governance is a new issue introduced in the King III code. The King III code places IT Governance in the hands of the board and specifically states that the board should be responsible for Information Technology (IT) Governance, ensuring that the business of IT is properly managed in the company. Whereas King I and King II applied to public, listed companies only, King III applies to all entities, regardless of the manner and form of incorporation. The King III Code of Governance became effective on 1 March 2010.
ME: Monitor and Evaluate.
PAS 56: Publicly Available Specification 56: Guide to Business Continuity Management.
PAS 77: Publicly Available Specification 77: Guide to IT Service Continuity Management.
Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource-usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.
PFMA: Public Finance Management Act, 1999 (Act 1 of 1999, as amended by Act 29 of 1999).
PGITOC: Provincial Government Information Technology Officers Council.
PO: Plan and Organise.
PRC: Presidential Review Commission report of 1998.
PRINCE2: PRojects IN Controlled Environments: structured project management method used to manage IT projects.


PSA: Public Service Act, 1994 (Proclamation No. 103 of 1994).
Resource Management: Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimisation of knowledge and infrastructure.
Risk Appetite: The amount of residual risk that the institution is willing to accept.
Risk IT: Provides an end-to-end, comprehensive view of all IT-related risks and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues.
Risk Management: Requires risk awareness by senior management, a clear understanding of the organisation's appetite for risk, transparency about the significant risks to the organisation and embedding of risk management responsibilities into the organisation.
ROI: Return on Investment: a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
SC: Standing Committees.
SITA: State Information Technology Agency.
SITA Act: State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998, as amended by Act 38 of 2002).
SLA: Service Level Agreement.
Strategic Alignment: Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition, and on aligning IT operations with the organisation's operations.
TCO: Total Cost of Ownership: a financial estimate whose purpose is to help consumers and enterprise managers determine the direct and indirect costs of a product or system. It is a management accounting concept that can be used in full cost accounting or even ecological economics, where it includes social costs.
TOGAF: The Open Group Architecture Framework: a framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation and governance of enterprise information architecture.
Val IT: A governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level.
Value Delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the value of IT.