Techniques for effectively implementing IT Governance Principles in an organization

Implementation of IT Governance is being one of the key agenda items in the annual plans of most IT Leader around us today. IT Governance implementation is taken in different approaches in different organizations.

For example some organizations will follow a 3 to 5 years roadmap for implementing IT Governance in their organization. To come up with such roadmaps they will undergo a detailed Strategic IT Assessment as a precursor activity. Some organizations will directly take COBIT kind of Integrated IT Governance Framework and will start implementing the principles of COBIT one by one.

The biggest drawback of implementing such ready made frameworks from market is not doing a due diligence on whether COBIT needs to be implemented in full or not. Manier times organizations tend to forget to analyze is it beneficial for their IT Organizations to implement COBIT fully. Lack in having such a due diligence at first will result in wrongly focused IT Governance Implementation wasting efforts and money.

As an IT Governance Subject Matter Expert for me rather of going for implementation of an end to end Integrated IT Governance Framework, we need to select only those strategic & operational IT Controls that are need of the hour for our IT Organization. What is needed can be revealed through a strategic IT Assessment as well a SWOT Analysis of IT Function. Those identified strategic & operational IT Controls need to ensure that they will have a coverage of key IT Governance Principles mentioned below.

• IT & Business Alignment
• IT Value Delivery
• IT Performance Management
• IT Resources Management
• IT Risk Management

Now let us quickly see here on how the above mentioned IT Governance Principles can be implemented in an organization using specific techniques:

IT & Business Alignment

IT objectives need to be aligned with Business Objectives and the Corporate IT Function should fulfill the expectations of business on IT such as improvement of Business Agility through state of the art IT Systems, Agile IT Processes etc.

The following techniques can be used for effectively achieving IT & Business Alignment:

• Development & Implementation of IT Score Cards having well defined KPIs that will link Business & IT Objectives in a seamless manner.
• Implementation of Enterprise Architecture (TOGAF kind of Enterprise Architecture Framework will be of real use) that will lay foundation for all the Strategic & IT Operational Controls to be developed and initiate IT & Business Alignment.
• Implementation of IT Demand Management Practice (IT & Business Relationship Management) that will help in building strong alliances with business users which will help in aligning IT Objectives with Business Objectives.
• Implementation of Goal Cascading Mechanism of COBIT 5.0 which will help in arriving with detailed list of IT Process Goals from high level Business Objectives which will result in a fool proof IT & Business Alignment.

IT Value Delivery

The investments made in IT Systems and various other projects undertaken by Corporate IT Function should deliver the appropriate financial & non financial value expected by Management. This is called as IT Value Delivery.

The following techniques can be used for ensuring an effective IT Value Delivery:

• Implementation of IT Portfolio Management Practice (Help in identifying the right set of IT Projects to be invested which is like Fund Management done by Banks & Financial Services Firms)
• Implementation of Effective IT Budgeting Techniques (Such as Zero based budgeting , Running Budget etc)
• Establishment of IT PMOs (Will monitor the IT Projects start from inception to closure to address any deviations from the goals in place for the IT Projects)
• Implementation of IT Process Improvement Frameworks (Such as Lean IT, CMMI, Agile and DevOps Methods etc that will help in optimizing the IT Processes leading to reduction of quality issues and time taken for delivering the IT Projects)
• Tracking the IT Financial Metrics such as ROI, NPV, IRR, Payback Period, Benefit to Cost Ratio etc in a periodic basis to ensure that IT Investments are delivering the value as expected.

IT Performance Management

Monitoring the IT Performance in a periodic basis and taking course correction activities in a timely manner is the focus of IT Performance Management

The following techniques can be used for ensuring IT Performance is monitored and effective corrective/preventive actions are taken in a timely manner

• Establishing and implementing IT Performance Standards and tracking the same in periodic basis.
• Development & Implementation of IT Scorecards having well defined KPIs (Helps in tracking and monitoring IT performance by having IT Performance specific goals as part of the IT Scorecards)
• Commissioning of Internal IT Audits (IT General & Application Controls Reviews, IT Operational Audits focused on specific IT Processes)
• Commissioning of IT Risk Assessments (Helps in identifying the IT Risks triggered due to poor performance of IT Systems & IT Processes)
• IT Steering Committee Reviews (Periodically conducted IT Steering Committee Reviews will help in identifying the performance issues related to IT Systems and IT Processes)
• IT Customer Satisfaction Surveys (Periodically conducted IT Customer Satisfaction Surveys will help in identifying the customer concerns around the performance of IT Systems and IT Processes).

IT Resource Management

Managing the various IT Resources such as IT People (Staffs and Vendors) and IT Infrastructure and ensuring that they are effectively utilized for the betterment of the organization

The following techniques can be used for managing the IT resources and ensuring their effective utilization

• Implementation of IT Asset Management Practice (Driven by standards such asPAS 55, ISO 55000)
• IT Assets Utilization Reviews
• IT Contracts Reviews
• IT Vendor Performance Reviews
• Technology Refresh done in periodic intervals (At least once in 3 years)

IT Risk Management

Reviewing the threats and vulnerabilities in the information systems that can be exploited by threats and addressing them with the right counter measures are the focused areas of IT Risk Management Practice. Due to dynamically emerging Information Security Threats, Cyber Security Threats and Advanced Persistent Threats (APT) launched on critical infrastructure owned by organizations, IT Risk Management has become a very critical practice which cant be compromised by any organization.

The following techniques can be used for effectively implementing IT Risk Management Practice in an organization

• Information & IT Risk Assessments (Which can be driven by ISO 27001, OCTAVE, FAIR, COSO, ISO 31000, BASEL kind of Risk Management Standards, Models and Guidelines)
• Development of IT Risk Management Framework & Methodologies such as IT Risk Register, IT KRIs, Loss Incident Database etc
• Development & Implementation of Internal IT Controls
• IT Services Continuity & ICT Resilience Arrangements
• Business Impact Analysis of potential IT Systems Failures and development of appropriate recovery strategies
• Development of DR Sites

Selecting and implementing the appropriate controls from an Integrated IT Governance Framework such as COBIT 5 will help organizations in having a head start for IT Governance Principles Implementation in an organization.

The COBIT 5 processes are split into governance and management “areas”.

These 2 areas contain a total of 5 domains and 37 processes:

Governance of Enterprise IT 

1) Evaluate, Direct and Monitor (EDM) – 5 processes

Management of Enterprise IT

2) Align, Plan and Organize (APO) – 13 processes

3) Build, Acquire and Implement (BAI) – 10 processes

4) Deliver, Service and Support (DSS) – 6 processes

5) Monitor, Evaluate and Assess (MEA) – 3 processes

Arrange a Conversation