INTRODUCTION TO IT GOVERNANCE (STUDY OBJECTIVE 1)

In the business environment of today, IT systems are critical to the success of the organizations that use them. IT systems can improve efficiency and effectiveness, and reduce costs. Companies that fail to take proper advantage of the potential benefits of IT systems can lose market share to competitors or, in some cases, become bankrupt. To ensure that a company is using IT to its competitive advantage, it must continually investigate and assess the viability of using newer information technologies. The company must ensure that its long-term strategies, and its ongoing operations, properly utilize appropriate IT systems. But how does a company decide which IT systems are appropriate to its operations? Moreover, how does a company decide, for example,

  • which accounting software package to buy?
  • when the company has outgrown its accounting software or when to upgrade that accounting software?
  • whether to use IT systems to sell products on the Web?
  • whether to establish a data warehouse for analyzing data such as sales trends?
  • whether to use ERP systems or customer relationship management (CRM) software?

Each of these decisions is likely to have a long-run strategic impact on the company. Decisions the company makes about the IT systems it will use will affect the efficiency and effectiveness of the organization in achieving strategic goals. IT systems must be chosen that support management's strategic goals and the daily operational management. IT systems must be strategically managed. Strategic management is the process of determining the strategic vision for the organization, developing the long-term objectives, creating the strategies that will achieve the vision and objectives, and implementing those strategies. Strategic management requires continuous evaluation of, and refinements to, the vision, objectives, strategy, and implementation. To achieve the purposes of strategic management, an organization must also properly manage, control, and use IT systems that enable the organization to achieve its strategies and objectives. The proper management, control, and use of IT systems is IT governance. The IT Governance Institute defines IT governance as follows:

[A] structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. [2]

A summary of this definition is that the board of directors and top-level executive managers must take responsibility to ensure that the organization has processes that align IT systems to the strategies and objectives of the organization. IT systems should be chosen and implemented that support attainment of strategies and objectives. To fulfill the management obligations that are inherent in IT governance, management must focus on the following activities:

  • Aligning IT strategy with the business strategy
  • Cascading strategy and goals down into the enterprise
  • Providing organizational structures that facilitate the implementation of strategy and goals
  • Insisting that an IT control framework be adopted and implemented
  • Measuring IT's performance

There is no single method of achieving each of these management obligations. Different companies may choose different approaches. There are, however, three popular models of an IT control framework:

  1. Information Systems Audit and Control Association (ISACA) control objectives for IT (COBIT)
  2. The International Organization for Standardization (ISO) 27002, Code of Practice for Information Security Management
  3. The Information Technology Infrastructure Library (ITIL)

These three are very comprehensive models of an IT control framework, and their details are beyond the scope of this book. The Appendix to Chapter 3 briefly described the components of COBIT. The major focus of this chapter is to highlight the first three of the preceding objectives: aligning IT strategy with business strategy; cascading strategy down into the enterprise; and providing organizational structures to facilitate implementation. Therefore, this chapter will focus only on three selected aspects of IT governance: the definition of IT governance, the role of the IT governance committee, and the system development life cycle.

IT governance must be an important issue for all management levels, from the board of directors to lower level managers. To meet its obligation of corporate governance, the board must oversee IT. IT systems are critical to the long-term success of the organization, and board involvement in IT oversight is therefore necessary. The board should do the following:

  • Articulate and communicate the business direction to which IT should be aligned. The board should set and communicate long-term company strategy and objectives.
  • Make sure it is aware of the latest developments in IT, from a business perspective.
  • Insist that IT be a regular item on the agenda of the board and that it be addressed in a structured manner.
  • Be informed about how and how much the enterprise invests in IT compared with its competitors' investments.
  • Ensure that the reporting level of the most senior information technology manager is commensurate with the importance of IT. For example, the chief information officer (CIO) may need to report directly to the CEO.
  • Ensure that it has a clear view of the major IT investments, from a risk-and-return perspective. Each IT investment will have risks—for example, increased security risks. However, each IT investment will also generate return in the form of cost savings, such as increased efficiency. The board members should be informed about the risks and returns.
  • Receive regular progress reports on major IT projects.
  • Receive IT performance reports illustrating the value of IT.
  • Ensure that suitable IT resources, infrastructures, and skills are available to meet the required enterprise strategic objectives. [3]

To ensure that IT systems support long-term strategic objectives as well as daily operations, management must constantly assess its current situation, where it plans to go, and which IT systems will help it get there. To be effective, this assessment should be part of an ongoing process to evaluate organizational direction and the fit of IT to that direction. The board and top management must ensure that the organization has processes to accomplish the following tasks:

  1. Continually evaluate the match of strategic goals to the IT systems in use.
  2. Identify changes or improvements to the IT system that will enhance the ability to meet strategic organizational objectives.
  3. Prioritize the necessary changes to IT systems.
  4. Develop the plan to design and implement those IT changes that are of high priority.
  5. Implement and maintain the IT systems.
  6. Continually loop back to Step 1.

The managerial obligation to evaluate strategic match and to implement IT systems begins with the board of directors and must cascade down into the organization. This means that the board, top executive management, and lower-level managers all must work toward the same goal of ensuring IT systems and strategy align with the organization's strategic goals. To match company strategy to IT systems, the company should have an IT governance committee and a formal process to select, design, and implement IT systems. The IT governance committee is a group of senior managers selected to oversee the strategic management of IT. The formal process that many organizations use to select, design, and implement IT systems is the system development life cycle, or SDLC. Both of these management tools, the IT governance committee and the SDLC, are necessary in the strategic management of IT systems.

By analyzing similar management situations, we may find it easier to see the importance of the IT governance committee and the SDLC. Professional sports teams can be used as an analogy to IT management. For a professional football team to be a consistent winner over many seasons, two kinds of important management processes must occur. First, the general manager, scouts, and coaches must draft and trade for players who fit into the organization. When drafting and trading players, these team managers must be considering their long-term strategy. They must assess the strengths and weaknesses of the team, the style of offense and defense they will play in the future, and the types of players that will best fit those playing styles and the coaching structure. In addition to this long-term management of team strategy and player choices, the coaches must make shorter-term decisions to develop and use the players of the team. Coaches must decide which players are starters and which serve as backup players. They must decide which players play which positions and which types of offensive and defensive plays most effectively use the skills of their players. In other words, to consistently be successful in winning games, team managers must not only have a proper long-term strategy, but, within any sports season, must manage the players in a way that takes best advantage of team strengths and weaknesses. They must fit all the pieces of the team together in a way that maximizes team success. That is, they must implement the best mix of players and plays to maximize the effectiveness of the team in achieving the objective: winning games. The managers and coaches have systematic, regular steps that they consistently apply to manage the long-term and short-term success of the team. Without these systematic, regular steps, the team would not be successful when playing against other well-managed teams. The team play would be too chaotic and unorganized to play successfully. 
For example, a playground, pick-up basketball team could never hope to succeed against a professional NBA basketball team.

These two processes of long-term development and short-term management are similar to the functions of the IT governance committee and the SDLC. The IT governance committee should constantly assess the long-term strategy of the company and determine the type of IT systems to purchase, develop, and use that will help the organization achieve its objectives. Once the IT governance committee has determined the priority it places on various IT systems, the SDLC is the process that manages the development, implementation, and use of those IT systems. Much like players on a team, the various parts of the IT system must fit together in a way that maximizes the overall effectiveness and efficiency of the company operations. In addition, much like the salary caps in professional sports, there is a limit to the funds that a company can spend to purchase, develop, and implement IT systems. With limited funds available, the proper long-term and short-term management of IT systems becomes very critical. The organization must strategically manage IT systems to achieve maximum effectiveness of the systems at a cost that matches the IT budget. Similar to the sports team example, the lack of systematic, regular steps to strategically manage the IT systems leads to chaotic and unorganized IT systems. In such an unorganized environment, the company is less likely to be successful in competing against other companies and may struggle to survive.
