IS BALANCING BUSINESS DEMAND AND IT RESOURCE SUPPLY A GOVERNANCE CONCERN?

Of course, it is an IT Governance issue

If I asked a hundred IT leaders if they needed additional resources, none of them would reply, “No thanks, we’re good on resources.” We see it all the time. IT departments are traditionally short on resources—or are they? If I added 10 FTEs to your budget today, you would most likely need another 10 shortly after, then another 10 after that.

I have talked with countless clients who, in our conversations, will sooner or later ask me to help them understand how to manage their resources optimally to meet the growing demands of the business. Now, I’ll admit that some IT organizations need help there, but guess what? It is just as important to manage demand, and that is a business responsibility. I’ll also admit that IT should become more agile in its delivery techniques as many do with the adoption of Agile and DevOps techniques. I’m a big supporter of these techniques. Yet, if you cannot figure out your waterfall delivery approach, be careful in thinking that a faster-paced technique is going to work for your organization anytime soon.

I recently worked with a client who asked me and a collection of other consultants to help them develop their IT Governance program by providing training and advice on the latest trends we’re seeing in today’s complex fast-moving environments. I consider myself pretty knowledgeable in IT Governance and I was surprised that their view of IT Governance was all about fixing the imbalance between the needs of the business and the capacity of the IT organization to deliver on those needs. I quickly realized that to them, this was IT Governance, and a part of me agrees.

If you aren’t convinced that this is a governance issue, let’s take a closer look at the relationship between governance and management. Governance ensures that stakeholder needs are evaluated, direction is set through prioritization and performance and compliance are monitored. Management then plans, builds, runs and monitors activities in alignment with the governing direction. The resource and demand issue is clearly an area that must be both governed and managed. There are multiple altitudes of governance. These range from the board of directors, to executive and steering committees, and change boards. Each of them has their own governance models guiding them on how they provide direction to the areas within their scope.

The demand avenues

As illustrated in the figure below, typical IT organizations struggle with multiple, non-governed demand intake streams and are constantly under pressure to prioritize work on behalf of the business. Don’t get me wrong, I’m not placing blame on the business here because the business exists to create value for stakeholders and therefore must continuously respond to internal and external factors as well as strive to foster innovation to stay ahead of competition. I see the majority of these demand avenues are generally ungoverned by the business. IT is then painted into the corner of having to prioritize work that the business needs delivered without clear guidance and prioritization.

Figure 1, Sources of Demand

There are multiple avenues of demand. I won’t go through and describe each one of these, as each of you has your own, but I can say with confidence that you recognize most of these.

Here’s where the issues start, and I can guarantee most of you have been in this situation. The typical scenario looks like this: You are the Director of IT for a company and one of the business executives has just approached you with a new “high priority” project that needs to be accomplished to meet new regulatory requirements in the industry. The conversation goes like this:

Have you ever been in a situation like this? I’ll bet the answer is yes, countless times. The primary issue here is that enterprise IT governance doesn’t understand that IT is not in a position to prioritize work. The business needs to do this, but with IT’s help, of course. We can balance these demands with our supply if we know 1) the business priorities, and 2) our capacity to support those priorities.

Sources of Supply (Capacity)

Resources include many areas and are consumed during the delivery of a service. They are finite and should be allocated based on creating value for stakeholders and business priorities. Within the context of this blog post, assume that supply is directly linked to resource capacity. The resources IT depends on typically include:

  • Time
  • People and skills
  • Services
  • Infrastructure
  • Applications
  • Information
  • Suppliers
  • Funding

IT generally struggles when it comes to understanding 1) what resources they have, 2) where resources are engaged, 3) what work they are doing, 4) what technical skills are over/under utilized, and finally 4) the priority of the work they are performing. The first reaction is to purchase a tool to do this, but as many of us know, “a fool with a tool is still a fool.”

Balancing Demand with Supply

Now that we understand the avenues of demand and sources of supply, let’s look at the next issue: how to balance demand and supply. There are multiple frameworks in our industry today that can help, but one of my favorite “go-to” frameworks is COBIT. ISACA’s latest release of the framework, COBIT 2019, has the answers we are looking for. By using Governance and Management Objectives, COBIT identifies the key areas that must be accomplished for Information and Technology (I&T) to contribute to enterprise goals. There are 40 of these objectives, and each one relates to one process. The following figure identifies these 40 processes.

Figure 2, COBIT2019 Processes

We could spend hours looking through each of these processes and determine which ones directly relate to this balance, but I’ve boiled it down to the following key processes.  This blog post will not go through all the practices and activities of each process. Rather, it identifies how organizations can determine how processes support the overall goal of creating value for stakeholders.  

Do yourself a favor and look into the practices, activities and reference the COBIT framework offers.  In addition to COBIT, the ITIL framework also provides some advice here.  To download the COBIT 2019 guides, visit www.isaca.org.  

Although referencing these processes helps, you need to map out the activities required to actually balance this.  Here are some ideas that might help:  

Figure 3, Balancing Demand and Supply

Suggested methodology

There is no silver bullet to solving this issue.  Many factors must be considered, such as organizational structures, culture, risk profiles, governance posture, and of course skills and competencies.  Below is a suggested methodology that is applicable to any organization that is struggling with its supply/demand imbalance.  

Figure 4, Suggested Methodology.

Top 5 Tips to balancing demand and supply

I’ve covered a lot of ground in a very short blog post.  To summarize, here are my top 5 tips to balance your demand and supply processes: 

  1. Document services in an IT service catalog and create Service Level Agreements (SLAs). This is key. If you don’t have your services documented and agreed on, then you are simply providing ‘favors’ with no expectations set. Make sure you analyze the underpinning vendor contracts and internal agreements that support the SLAs.  
  2. Consolidate your demand avenues to a manageable number.  Reduce the exposure to a few intake mechanisms that can prioritize work across fewer streams.  For example:  The Service Desk, Business Relationship Management and Portfolio/Program Management.  
  3. Create a governing body that focuses on IT work prioritization for all demand avenues.  This body should have representation from all sources of demand as well as IT delivery organizations. 
  4. Understand all resources available.  Document all capacity requirements and analyze their unique attributes. If you have 4,000 hours available, that doesn’t mean those 4,000 hours are the right resources for the work required.
  5. Mature the business relationship management (BRM) process. This will be one of the most significant demand avenues since BRM is translating business needs into IT requirements.  

I hope this helps, and as always, your reactions and feedback are appreciated.  

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives are aligned with an applicable domain. For example: Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provide some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT5. This is good in my opinion, it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the design guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.

Skip to content