STAY ON TOP OF IT GOVERNANCE TRENDS WITH THE NEWLY UPDATED CGEIT CERTIFICATION

In July ISACA released the new and updated version of their flagship governance framework, CGEIT, and the timing couldn’t be better.

This is a certification you might want to check out. ISACA’s Certified in the Governance of Enterprise IT® (CGEIT®) professional certification is the only IT governance certification that can give you the mindset to assess, design, implement and manage enterprise IT governance systems aligned with overall business goals.

CGEIT addresses an overarching Governance of Enterprise Information and Technology (GEIT) posture that draws on multiple relevant frameworks, standards, bodies of knowledge and models that are valuable to your overall governance system.
The new CGEIT exam offers concise job practice areas addressing new trends, technologies and changing business needs, designed to keep you at the top of your game and improve business performance. These statements and domains are the results of extensive research and feedback from IT governance subject matter experts from around the world. Numerous reference sources were also utilized including ISACA’s COBIT framework.

This update can not only help you in your career, but can also enable you to:

• Think strategically, plan proactively, and optimize resources
• Deliver business value
• Mitigate risk and streamline operations, including (and especially) during times of crisis

Check out this short video for more of my thoughts, comments and suggestions.

Let me know what you think!

WHAT DOES A GOOD IT GOVERNANCE STRUCTURE LOOK LIKE?

Over the last several months I’ve been asked by many organizations, companies and industry experts about my opinion on what the perfect governance structure looks like.  I have good and bad news for you.

The bad news first.  There’s no single blueprint that can be copied and pasted into your organization.  I believe this expectation is the result of a misconception that industry frameworks, models and best practices can literally be applied directly to an organization and somehow governance magically appears.

Now for the good news.  Governance structures are a key component of any governance system.  Most guidance you see today makes it very clear that the board of directors (or its equivalent in your organization) is THE governing body, and everything below that structure is management.  I couldn’t disagree more.  There are multiple governing bodies in an organization.  The challenge is figuring out where they are, why they exist, what they do, and what value they provide to your organization.

Organizations consist of multiple governing bodies.  These start at the top and work their way down to what I call the street view.  They can include formal chartered bodies or temporary groups charged with a specific focus area for a specified amount of time.  Of course, the board receives and disseminates information through committees, but there is more to a governance structure than just the committees that report to the board.  Enterprises have a huge collection of committees, boards and groups that are charged with governing something.  The problem I see is that all of these assemblies are governing bodies, but they do not behave as governing bodies and do not understand the distinction between governance and management.  Governance sets the rules and boundaries for the scope in which they are chartered to govern.  Management, on the other hand, plans, builds, runs and monitors the processes, practices and activities required to implement the governing bodies’ guidance.

There are many examples of these governing bodies:  executive committees, architecture boards, risk and audit committees, steering (IT, program, project) committees, change advisory boards, the list goes on.  Each of these governing bodies sets the rules and direction for the management charged with implementing their decisions.  Here is where I see the confusion:  I can be a member of one (or several) governing bodies where I participate in determining rules and boundaries.  Outside of that governing body, I am considered management and have to implement and abide by the rules that I just endorsed.  This means that as an executive I am part of multiple governing bodies and in some cases they contradict each other.  Therefore, when I do my “day job” I have to determine which guidance I’m supposed to be following.

Let’s take a recent example.  I worked with a global organization that asked me to assess and provide feedback on their governance structures.  My first goal was to look into their fractured governing bodies.  Here’s a snapshot of what I found:

  • 37 global committees, a 31% increase in the last 12 months
  • 81% of these governing bodies had no charters
  • 43% created policies that violated policies from other committees
  • 37% were deemed no longer required by the members
  • 23% were “ad hoc” and have been for over 2 years
  • 19% are no longer addressing the issues they were originally designed to address
  • 51% were considered a “waste of my time” to the members
  • 23% of committee members claimed that they did not follow the rules they endorsed in the committees they sat on
  • Here’s the best part: this organization assessed their governance practices at maturity level 4

Now that you’ve listened to me rant about the issues, let’s get to my suggestions.

Wherever you are in an organization, there is always a governing body (or several) that guide your actions. 

No organization or individual can manage their operations without rules.  What governing bodies guide your decisions?  For example, as a CIO of a very large organization there were essentially two governing bodies that guided my management decisions:  the board of directors and the executive steering committee.  Now, let’s say you are a new project manager in the same organization.  Who are your governing bodies?  The board?  The executive steering committee?  Likely not.  As a new project manager, your governing bodies would likely be along the lines of a project steering committee or review board.

Get an inventory of all your governing bodies and understand their relationships with other governing bodies. 

Look at the statistics above about my recent client.  Committees, boards and decision-making bodies are routinely created that go undocumented, unchecked and ungoverned.  Do your enterprise a favor and identify all these bodies.  You might find that you have redundancies, misuse of resources, or worse, a waste of valuable resources, time and effort.  I was talking this week with a colleague and mentor of mine on this subject, and he gave me some great advice: “Ideally, board and committee groups, roles and members should be managed in a system in a manner similar to assignment groups in leading service platforms.  Using a common system provides opportunities to inventory groups and relationships, and to manage charters, meeting agendas and minutes.  And, cascade objectives, decisions and hierarchical escalations when needed.”  -John E. Jasinski  https://www.linkedin.com/in/johnejasinski/

Charter EVERY decision-making body in your organization so its members understand their role in governance. 

The goals for the organizational structures include having proper mandates, well-defined operating principles and application of good practices. The outcome of proper organizational structures should include a number of good activities and decisions.  At a minimum, each of your governing bodies should identify:

  • Name, purpose statement and goals
  • Operating principles—The practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules
  • Composition/membership—Structures have members, who are internal or external stakeholders and their roles
  • Span of control—The boundaries of the organizational structure’s decision rights
  • Level of authority/decision rights—The decisions that the structure is authorized to take
  • Delegation of authority—The structure can delegate (a subset of) its decision rights to other structures reporting to it
  • Escalation procedures—The escalation path for a structure describes the required actions in case of problems in making decisions.


Periodically assess the value contribution to each governing body. 

Ad hoc committees are OK, but you should be clear on their charters.  There is a life cycle to a committee, and the charter should clearly identify when its value contribution is complete.  An organizational structure is created, exists, is adjusted, and finally can be disbanded when its value is no longer demonstrated.

Assess the maturity level of your organizational structures. 

Don’t get into the antiquated thinking that only processes can be assessed.  Organizational structures are key components of your governance system and can be assessed.  If you don’t buy that, check out my blog on assessing policy frameworks here.  Stay tuned.  I have some examples of how to do this in an upcoming blog.

As always, your thoughts and opinions are welcome.

FINALLY! A GUIDE FOR TAILORING A GOVERNANCE SYSTEM FOR INFORMATION AND TECHNOLOGY

Back in November I posted about how excited I was to see ISACA’s update to the COBIT framework and provided some thoughts about navigating through the first two guides. Click here to take a look if you didn’t catch it, as it might help you with my comments in this post. Since that post, ISACA has launched two additional publications that take COBIT to a new level.

I asked a good colleague of mine, Tichaona Zororo, a well-known IT Governance Thought Leader and ISACA Board Member, about his thoughts on the new update, and his response comes as no surprise. “The COBIT 2019 Framework is the first Governance and Management framework in our industry that allows an enterprise to design a fit for purpose Information and Technology governance solution. COBIT 2019 recognizes that enterprises are unique. There is no one-size-fits-all governance system for I&T. Every organization has its own distinct character and profile. In (the) future ISACA will call upon its global community to contribute content updates on a continuous basis, not only to ensure that COBIT remains relevant, but to keep it in line with latest insights on enterprise governance of I&T and the continuously evolving business models.” You can follow Tichaona on Twitter @TichaonaZororo.

Historically, a challenge with using frameworks to adopt good governance practices is that they are often difficult to customize to meet specific needs of an enterprise. Even though frameworks are designed to be flexible and non-prescriptive, many governance initiatives lose steam because implementers are often looking for the easy “copy-paste” solution and those simply don’t work.

Enter COBIT 2019. This latest version of the framework has taken feedback from the industry and created a flexible and truly customizable solution that can address the unique needs of any enterprise. It also assists in creating a tailored governance system for Information and Technology, or what I will refer to in this post as I&T.

There are four key publications in this release (available on the ISACA site here):

  • COBIT 2019 Framework: Introduction and Methodology which lays out the structure of the overall framework.
  • COBIT 2019 Framework: Governance and Management Objectives which contains a detailed description of the COBIT Core Model and its 40 governance and management objectives.
  • COBIT 2019 Design Guide which offers guidance on how to put COBIT to practical use.
  • COBIT 2019 Implementation Guide which is an updated and more relevant version of the COBIT 5 Implementation Guide.


This post will focus on the last two publications, but first let’s review some critical areas that should be understood about COBIT before we start designing our system.

The COBIT Core

One of the key areas of COBIT 2019 is the COBIT Core. This outlines the 40 Governance and Management Objectives in the COBIT framework. These are organized into 5 domains as illustrated here.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives is aligned with an applicable domain. For example, Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process; therefore COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that not all of these objectives, or processes, need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. This takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release ISACA provides some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors


If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps


As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance, which is quite likely if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. This is good in my opinion: it is a great model that just needed some additional guidance, which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronization points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors


I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.

IS BALANCING BUSINESS DEMAND AND IT RESOURCE SUPPLY A GOVERNANCE CONCERN?

Of course, it is an IT Governance issue

If I asked a hundred IT leaders if they needed additional resources, none of them would reply, “No thanks, we’re good on resources.” We see it all the time. IT departments are traditionally short on resources—or are they? If I added 10 FTEs to your budget today, you would most likely need another 10 shortly after, then another 10 after that.

I have talked with countless clients who, in our conversations, will sooner or later ask me to help them understand how to manage their resources optimally to meet the growing demands of the business. Now, I’ll admit that some IT organizations need help there, but guess what? It is just as important to manage demand, and that is a business responsibility. I’ll also admit that IT should become more agile in its delivery techniques as many do with the adoption of Agile and DevOps techniques. I’m a big supporter of these techniques. Yet, if you cannot figure out your waterfall delivery approach, be careful in thinking that a faster-paced technique is going to work for your organization anytime soon.

I recently worked with a client who asked me and a collection of other consultants to help them develop their IT Governance program by providing training and advice on the latest trends we’re seeing in today’s complex fast-moving environments. I consider myself pretty knowledgeable in IT Governance and I was surprised that their view of IT Governance was all about fixing the imbalance between the needs of the business and the capacity of the IT organization to deliver on those needs. I quickly realized that to them, this was IT Governance, and a part of me agrees.

If you aren’t convinced that this is a governance issue, let’s take a closer look at the relationship between governance and management. Governance ensures that stakeholder needs are evaluated, direction is set through prioritization, and performance and compliance are monitored. Management then plans, builds, runs and monitors activities in alignment with the governing direction. The resource and demand issue is clearly an area that must be both governed and managed. There are multiple altitudes of governance. These range from the board of directors, to executive and steering committees, and change boards. Each of them has its own governance model guiding how it provides direction to the areas within its scope.

The demand avenues

As illustrated in the figure below, typical IT organizations struggle with multiple, non-governed demand intake streams and are constantly under pressure to prioritize work on behalf of the business. Don’t get me wrong, I’m not placing blame on the business here, because the business exists to create value for stakeholders and therefore must continuously respond to internal and external factors as well as strive to foster innovation to stay ahead of the competition. I see that the majority of these demand avenues are generally ungoverned by the business. IT is then painted into the corner of having to prioritize work that the business needs delivered, without clear guidance and prioritization.

Figure 1, Sources of Demand

There are multiple avenues of demand. I won’t go through and describe each one of these, as each of you has your own, but I can say with confidence that you recognize most of these.

Here’s where the issues start, and I can guarantee most of you have been in this situation. The typical scenario looks like this: You are the Director of IT for a company and one of the business executives has just approached you with a new “high priority” project that needs to be accomplished to meet new regulatory requirements in the industry. The conversation goes like this:

Have you ever been in a situation like this? I’ll bet the answer is yes, countless times. The primary issue here is that enterprise IT governance doesn’t understand that IT is not in a position to prioritize work. The business needs to do this, but with IT’s help, of course. We can balance these demands with our supply if we know 1) the business priorities, and 2) our capacity to support those priorities.

Sources of Supply (Capacity)

Resources include many areas and are consumed during the delivery of a service. They are finite and should be allocated based on creating value for stakeholders and business priorities. Within the context of this blog post, assume that supply is directly linked to resource capacity. The resources IT depends on typically include:

  • Time
  • People and skills
  • Services
  • Infrastructure
  • Applications
  • Information
  • Suppliers
  • Funding

IT generally struggles when it comes to understanding 1) what resources they have, 2) where resources are engaged, 3) what work they are doing, 4) what technical skills are over- or under-utilized, and finally 5) the priority of the work they are performing. The first reaction is to purchase a tool to do this, but as many of us know, “a fool with a tool is still a fool.”

Balancing Demand with Supply

Now that we understand the avenues of demand and sources of supply, let’s look at the next issue: how to balance demand and supply. There are multiple frameworks in our industry today that can help, but one of my favorite “go-to” frameworks is COBIT. ISACA’s latest release of the framework, COBIT 2019, has the answers we are looking for. By using Governance and Management Objectives, COBIT identifies the key areas that must be accomplished for Information and Technology (I&T) to contribute to enterprise goals. There are 40 of these objectives, and each one relates to one process. The following figure identifies these 40 processes.

Figure 2, COBIT2019 Processes

We could spend hours looking through each of these processes and determining which ones directly relate to this balance, but I’ve boiled it down to the following key processes.  This blog post will not go through all the practices and activities of each process.  Rather, it identifies how organizations can determine how processes support the overall goal of creating value for stakeholders.

Do yourself a favor and look into the practices, activities and references the COBIT framework offers.  In addition to COBIT, the ITIL framework also provides some advice here.  To download the COBIT 2019 guides, visit www.isaca.org.

Although referencing these processes helps, you need to map out the activities required to actually balance demand and supply.  Here are some ideas that might help:

Figure 3, Balancing Demand and Supply

Suggested methodology

There is no silver bullet to solving this issue.  Many factors must be considered, such as organizational structures, culture, risk profiles, governance posture, and of course skills and competencies.  Below is a suggested methodology that is applicable to any organization that is struggling with its supply/demand imbalance.

Figure 4, Suggested Methodology.

Top 5 Tips to balancing demand and supply

I’ve covered a lot of ground in a very short blog post.  To summarize, here are my top 5 tips to balance your demand and supply processes:

  1. Document services in an IT service catalog and create Service Level Agreements (SLAs).  This is key.  If you don’t have your services documented and agreed on, then you are simply providing ‘favors’ with no expectations set.  Make sure you analyze the underpinning vendor contracts and internal agreements that support the SLAs.
  2. Consolidate your demand avenues to a manageable number.  Reduce the exposure to a few intake mechanisms that can prioritize work across fewer streams.  For example: the Service Desk, Business Relationship Management and Portfolio/Program Management.
  3. Create a governing body that focuses on IT work prioritization for all demand avenues.  This body should have representation from all sources of demand as well as the IT delivery organizations.
  4. Understand all resources available.  Document all capacity requirements and analyze their unique attributes.  If you have 4,000 hours available, that doesn’t mean those 4,000 hours are the right resources for the work required.
  5. Mature the business relationship management (BRM) process.  This will be one of the most significant demand avenues, since BRM translates business needs into IT requirements.

I hope this helps, and as always, your reactions and feedback are appreciated.

USING MULTIPLE GUIDANCE SYSTEMS FOR THE GOVERNANCE OF ENTERPRISE IT

The most secured company in the world

I’ve been known to tell a story about when my CEO rounded up the executive management team (I was the CIO at the time) and pounded us with the question: “Why are we going out of business as the most secured company in the world?” We couldn’t believe it. There must have been some mistake: we were passing audits, we were compliant, and we were secure. It seemed impossible to us that our balanced scorecard results were dismal. We were experiencing decreasing satisfaction scores, losing customers, and failing to meet our enterprise objectives around growth.

We were focusing our efforts on compliance, and our performance was struggling. The balance between performance and conformance was heavily tilted toward one side of the pendulum. Technical requirements were driving the business, rather than the business determining how to respond to those requirements in a manner that best served our stakeholders. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation. Compliance does not dictate security, and security is not a guarantee that vulnerabilities will not be exploited. It is a matter of managing risk to an acceptable level of tolerance commensurate with business objectives.

Organizations should leverage multiple perspectives when determining how to prioritize efforts towards creating value. As in travel, you need to have a good fix on your coordinates (location, altitude, heading and speed) before you determine your future moves. Where most companies go wrong is in choosing only one of these variables, which gives you only one perspective. Just like using a GPS to help you navigate, here’s how you should use more than one guidance system to help you focus efforts.

First, how does GPS work?

GPS satellites help you find your position on the ground based on time and the position of the satellites. A GPS receiver monitors multiple satellites and determines a precise position; this is called trilateration. At a minimum, four satellites must be in view of the receiver. The first satellite locates you, the second narrows your location, the third reduces the choice to two possible points, and the fourth calculates a timing and location correction and selects one of the remaining two points as your position. Knowing the satellites’ locations and the distances to them allows the receiver to pinpoint its position on the Earth’s surface. It is possible to find your position from 3 satellites.  However, there is an advantage in using 4 satellites to determine your three-dimensional position with no ambiguity.

Develop pinpoint accuracy

A fine balance between performance and conformance is important in any organization. However, most enterprises that I encounter have a tendency to lean towards the conformance side to the point where it actually affects business performance. This is similar to trying to find your precise location on the ground by using only one satellite. Having tools available that offer pinpoint accuracy about where you need to focus efforts in an organization is crucial, hence the GPS analogy. Decisions about efforts such as funding, assurance, improvements and compliance all consume enterprise resources and should not be made with only one signal. The more "GPS" signals you have looking into your ecosystem, the more accurately you can focus your efforts.

I suggest using the GPS strategy, where you have multiple perspectives, or guidance systems, to determine the current status of your business. This will drastically improve your chances of NOT being like us: going out of business as the most secured company in the world. The four GPS signals are 1) Goals Cascade, 2) Risk Scenarios, 3) Pain Points, and 4) Regulatory & Compliance (see Figure 1).

Figure 1, Using Multiple Satellites to Prioritize Efforts

The four satellites

One. Cascading goals.

One of the best-kept secrets in our industry today is the goals cascade. The cascade, as depicted in Figure 2 below, illustrates how an enterprise can select and prioritize the practices that are most applicable to meeting enterprise goals, and ultimately stakeholder needs. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, then to IT-related goals, and finally to enabler goals. Sounds like a daunting task? Here is a bit of advice: the model is already done for you in COBIT. You will find a generic set of tables that map each of these levels. Although they are generic, they are adaptable and surprisingly relevant.

Figure 2, The COBIT Goals Cascade. Information from COBIT5, ISACA

This is not just an academic reference, but a really helpful tool. Once you have seen how this works, you will most certainly be hooked. The enabler level gives a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can literally map that goal through the cascade and determine exactly which processes are critical to its success. This results in a list of areas that you can compare against the other satellites, but remember, this is only one of four guidance systems.

Two. Risk scenarios.

The use of scenarios is key to risk management and is applicable to any enterprise. An IT risk scenario describes IT-related events that could lead to a business impact if they occur. Luckily, COBIT 5 for Risk contains a set of generic IT risk scenarios that can serve as inputs to risk analysis activities and to the assessment of their effects on overall business objectives. The generic scenarios in COBIT do not replace the creative and reflective phase that every risk exercise should contain; it is not wise to assume that no other risk scenarios are possible or applicable.

After you define a set of scenarios, use them for analysis, assessing frequency and likelihood while considering all of the risk factors involved. Risk factors are the conditions that influence the frequency and/or business impact of risk scenarios. Part of this analysis can take the form of a risk map, as illustrated in Figure 3. The numbers in the map represent the various risk scenarios.

Figure 3, Risk Map

This process results in the risk register, which records each scenario's specific events, actors, threat types, asset or resource at risk, response, and mitigation. The register gives you valuable information for informed decision making, as well as a foundation for all of the other guidance systems. Use the results of this "GPS signal" to identify the most critical risk scenarios that could hinder enterprise objectives, to determine pain points, or to guide compliance mitigation responses.

Three. Pain points

We all have them. Whether they are the "elephant in the room" that nobody wants to talk about or well known throughout the enterprise, pain points are those areas that need little effort to identify. Use pain points as additional drivers from which Governance of Enterprise IT initiatives are chartered. This can have a positive effect on the buy-in for your business case and creates a sense of urgency and support as well.

In the COBIT 5 product family, the COBIT 5 Implementation Guide does a superb job of identifying some of the most common pain points associated with enterprise IT. It also maps these pain points to specific processes in COBIT. For example, let's assume that outsourcing service delivery problems, such as agreed-on service levels consistently not being met, is an identified pain point. Figure 45 of that publication identifies the following processes that could be selected for guidance on that pain point:

  • EDM04, Ensure Resource Optimization
  • APO09, Manage Service Agreements
  • APO10, Manage Suppliers

To take this a step further, refer to the COBIT 5 Enabling Processes publication for more information on the definitions, goals, practices, activities, inputs/outputs, and roles/responsibilities for each of those processes.

There you have it, your third GPS signal to help identify your priorities. Now, we move on to the last of our four required guidance systems.

Four. Legal/Regulatory/Compliance requirements

If you have been in the assurance space for any amount of time, you are aware that no organization can be 100% compliant with everything that is out there. You have to synchronize this with your risk management process to determine the right response to each requirement. Some requirements, however, are legally mandated and must be adhered to, but, as stated earlier, what level of adherence is the most appropriate?

The point of the above story is this: if you put steel plates over every opening, you may not have the funds to pay the mortgage, so you have to link this with the risk analysis and management processes in the enterprise (see the earlier guidance system regarding risk) to help determine the right investment of resources. In any case, with the volume of legal and compliance requirements facing most organizations, it is best to determine the level of response based on what is best for the organization by balancing performance and conformance. The results from analyzing this GPS signal will help you determine what you may be legally required to do, and the level of response required in order to create value.

Aligning your satellites

Each of these guidance systems should result in a very clear list of high-interest areas that are the most appropriate from that perspective. Now, compare the lists. Are there any recurring areas? There almost certainly are, but if not, you can devise a prioritization scheme for each of these lists and normalize them into a single list. Once the most important areas have been identified, compared and analyzed, more focused efforts can be defined.
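One way to do the comparison and normalization step mechanically, as an added example that is not part of the original post: each of the four guidance systems produces a ranked list of focus areas, the lists are of different lengths, so each position is scored on a 0 to 1 scale per list before the scores are summed. The process IDs and rankings below are constructed sample input (only EDM04, APO09 and APO10 appear in the post itself), and the equal weighting of the four perspectives is an assumption you would tune to your own enterprise.

```python
"""Added example: normalize four ranked 'GPS signal' lists into one priority list.

Each guidance system (goals cascade, risk scenarios, pain points,
regulatory/compliance) yields its own ranked list of focus areas.
Lists differ in length, so a position-based score is normalized to the
(0, 1] range per list before the lists are summed. Process IDs and
rankings are constructed sample input; the equal weights are an assumption.
"""
from collections import defaultdict

# Constructed sample input: one ranked list per guidance system,
# most important area first.
SIGNALS = {
    "goals_cascade": ["APO09", "BAI03", "APO10", "DSS01"],
    "risk_scenarios": ["DSS05", "APO10", "APO12", "DSS01", "BAI06"],
    "pain_points": ["EDM04", "APO09", "APO10"],
    "compliance": ["DSS05", "MEA03", "APO12"],
}

# Assumed weights: every perspective counts equally unless tuned.
WEIGHTS = {name: 1.0 for name in SIGNALS}


def rank_scores(ranked):
    """Map a ranked list to scores in (0, 1]: first item 1.0, last item 1/n.

    Dividing by the list length keeps a long list from outweighing a short one.
    """
    n = len(ranked)
    return {area: (n - i) / n for i, area in enumerate(ranked)}


def normalize(signals, weights):
    """Combine per-perspective ranked lists into one ordered list.

    Returns (area, total_score, hit_count) tuples, highest score first;
    ties are broken by how many perspectives flagged the area, then by name.
    """
    totals = defaultdict(float)
    hits = defaultdict(int)
    for name, ranked in signals.items():
        for area, score in rank_scores(ranked).items():
            totals[area] += weights.get(name, 1.0) * score
            hits[area] += 1
    return sorted(
        ((area, round(totals[area], 3), hits[area]) for area in totals),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


def recurring(signals, minimum=2):
    """Areas flagged by at least `minimum` perspectives: the 'recurring areas'."""
    hits = defaultdict(int)
    for ranked in signals.values():
        for area in set(ranked):
            hits[area] += 1
    return sorted(area for area, count in hits.items() if count >= minimum)


if __name__ == "__main__":
    for area, score, count in normalize(SIGNALS, WEIGHTS):
        print(f"{area:6} score={score:.3f} flagged_by={count}")
    print("recurring:", recurring(SIGNALS))
```

With the constructed input, DSS05 tops the combined list because two perspectives rank it first, while APO10 ranks third overall despite never being first in any single list, which is exactly the kind of area a single-signal view would miss.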

Up to this point, I have been referring to focus areas, but now that we have walked through the concept of having multiple perspectives, what does this mean exactly? Let's review what focus areas might be:

  • Assurance activities. Audit scoping, prioritization, frequency and level of effort of audits that ensure the service providers are focused on providing value for the enterprise.
  • Resource allocation and prioritization. Portfolio, program, and project funding that supports alignment with the real objectives of the enterprise.
  • Quality and improvement. Initiatives focused on the overall improvement of services, functions, performance indicators, goal attainment and compliance.
  • IT and business alignment. The BIG ONE! Ensuring that service providers are focused on what the higher level goals are, up to the stakeholder needs of creating value.

Conclusion

The enterprise exists to create value for its stakeholders: realizing benefits while optimizing risk and resources. This requires more than one perspective, or "guidance system", to fully understand what is required. This post has identified only four perspectives that worked for one organization. Yours might have more, but should never have fewer.

To link this strategy back to the original problem, how did my company prevent going out of business? We implemented a cohesive and consistent approach, using the four satellites, to determine those processes, practices and activities that really focused on creating value.

Give it a try, you might find that the business case is hard to challenge. As always, this is my perspective, and I welcome your comments or suggestions.

TIPS TO GAINING EXECUTIVE SUPPORT FOR IT GOVERNANCE INITIATIVES

The hardest question I get as an IT governance advisor is, "How do I get executive-level support for our IT governance program?" Surprisingly, this question, which comes from operations as well as executives, is not an isolated issue. As you might expect, the answer usually starts with "it depends." As in, "It depends on what?" Adopting good governance practices does not occur in a vacuum. There are different conditions and circumstances in the internal and external environment, including a range of factors such as culture, mission, vision, management style, business plans, and the like.

All too often, I see a common communication error in organizations that are trying to adopt or improve their IT governance practices. When I talk to the senior leadership, they insist that they are supporting and driving good governance practices and do not understand why the initiatives are not getting support from the ground. When I talk to the operations teams, they insist that they are feverishly trying to adopt some holistic governance approaches but are not getting the upper-level support they need. See the gap?

With that perspective, let's get back to the original question: how do you get executive-level support for your governance initiatives? Here is my advice:

Know where your company is going.

Know the vision, mission and strategy of your organization. You would think that after years of hearing about this, we would finally understand how important it is. Many I have talked to have real challenges finding this information. My advice: if you are lost, go to the annual report, specifically the goals and high-level strategy.

Understand what IT governance really means.

Employees must share a common understanding of what IT governance is and what its benefits are, focusing more on the WHY than on the HOW. Knowing the why helps create a picture of the future that is easy to communicate and appeals to all of the various stakeholders. The why is also the foundation for a clear business case: one that focuses on the business drivers, sets clear and measurable goals and objectives for your IT governance effort, and identifies the gaps between the as-is and to-be states.

Understand who your stakeholders are.

Know your audience by researching their perceptions, concerns and challenges, as well as their existing levels of commitment to or resistance to the concept of IT governance. Address their concerns by identifying the benefits each stakeholder may need from the initiative, and estimate a value for each benefit.

Create a powerful message and develop a marketing plan

Your messages should be planned, comprehensive and concise. Deliver your message using multiple platforms to ensure it is heard, and then be prepared to deliver it multiple times to multiple stakeholders. Remember to tailor the message to the specific stakeholder by asking, "What's in it for them?" However, your marketing program should have a primary focus on executives as the audience. This is because their focus is typically on financial and business issues: enabling the organization to do more with less, realizing benefits, and optimizing risk and resources.

Know the applicable Industry frameworks.

If you are suffering from framework exhaustion, you are not alone. Many organizations adopt portions of multiple "silver bullet" frameworks without realizing their real value. Leveraging multiple frameworks is a must, but they have to be adopted correctly. My top pick is COBIT, since it is the only framework I am aware of that separates governance from management, provides a holistic approach, and references multiple standards and frameworks commonly used today.

Find the right time.

Let's be realistic: most of us do not have the luxury of having senior management, or the board for that matter, available to hear what we have to say when we need to say it. Therefore, look for that small window of time at either a pain point or a trigger event that can get you the face time you need to deliver your message. Do not forget that the longer you wait after one of these events, the less powerful your message will be.

Final thoughts.

It is difficult to really get support if you are in an organization with an "open door, closed-minded" culture; support cannot be passive, it must be active. Leaders cannot just say they support the effort, and it will be your responsibility to help them understand their roles and expectations. As I mentioned before, the most informative and complete body of knowledge that I know of is the COBIT 5 product family. COBIT is the only end-to-end framework that focuses on the Governance of Enterprise IT, so it seems to be the best starting point for any IT governance initiative.
