CHAPTER 4: CASELET #1 - GOVERNANCE

IT Issue: An international import/export company is expecting significant growth over the next two years. The Board of Directors recently held a two-day retreat, during which they created an IT Governance Committee. This was in response to the growing reliance on IT systems, their interoperability, and the overall past performance of the IT organization. The IT Governance Committee met for the first time last month and identified the following areas as needing further study:

  • What vital business processes are dependent on IT and what are their requirements?
  • How much of the IT effort is spent on fighting fires rather than enabling the business?
  • Do we have sufficient IT resources and infrastructure to meet the strategic objectives of the business?
  • Have we addressed all non-minor IT-related risks?

The VP of IT has been asked to create a presentation for the next IT Governance Committee meeting to address the above concerns and suggest action plans to address any shortcomings or gaps.

The Five Anchors

Anchor Discussion

I. Strategic Alignment: IT Services to Business Objectives

1. What are the business strategy, goals and objectives? Are there any measures that demonstrate the achievement of the business strategy, goals and objectives?

• No matter what the business issue or scenario you’re trying to improve, you must always know the business strategy, goals and objectives. If you do not have a process in place that drives IT activity through business strategy, goals and objectives, review:

COBIT5: Goals Cascade

ISO20K: Implied through the fulfillment of service requirements (4.0)

ITIL: SS 4.1, 5.1.1; SD 3.1.6, 3.5; CSI 3.10

2. What is the business issue, or activity at risk?

• In order to meet the projected growth, IT systems must change their philosophy and design parameters to meet the new business requirements, not only for growth but also for resilience and security.

COBIT5: Goals Cascade, EDM03

ISO20K: 4.0, 6.3, 6.5, 6.6

ITIL: SD 4.4, 4.5, 4.7

3. Is the ownership to resolve the issue at the appropriate level of authority?

• While the VP of IT has been tasked with the reporting, we can assume the VP is also tasked with the responsibility and/or accountability for ensuring that the necessary changes are made. We do not have enough information to confirm this.

• What we do know is that the Board created a Governance Committee, which has delegated the responsibility for resolving the situation to IT leadership; this is consistent with the COBIT5 enabler “Organizational Structures.”

II. Security, Compliance, and Risk Issues

1. Has there been a compromise of the information security policy?

• N/A

2. What are the internal and external compliance or regulatory concerns?

• As an international import/export company, we can assume there are regulatory, legal, and perhaps contractual obligations. As a general rule, we would ensure these constraints are considered and mitigated in any improvement design.

COBIT5: APO11, MEA03

3. What is the cultural appetite for risk?

• Because there is active executive involvement by the Board, there is an expectation that IT risks will be documented and addressed. The specific request for plans addressing all IT-related risks is an outcome of this; therefore, even though it is not stated in the caselet, the assumption is a low risk tolerance.

COBIT5: EDM03, APO12

ITIL: SS 5.6.5, D.3, E

III. Value-based Portfolio

1. Does the current portfolio meet expectations and needs of the stakeholder?

• Assumed, yes; but will the current portfolio meet the needs of the future business direction?

COBIT5: APO05

ISO20K: 5.0

ITIL: SS 4.2

2. What is the value of that business activity (VBF)?

• While there is not a specific service described, the overall activities of IT must meet the future growth, security, and availability needs.

• Review “Strategic Alignment”, question #2 above

3. Does the portfolio have the right mix of resources to deliver business benefit?

• The assumption is “yes” because outsourcing has not been mentioned by the Governance Committee. That does not mean, however, that the VP of IT’s report in answer to the Committee’s concerns should exclude outsourcing as an option for meeting future requirements.

COBIT5: EDM02, EDM04, APO05

ITIL: SS 3.7; SD 3.11

IV. Design and Architecture

1. Will the current architecture effectively resolve the issue? Is it feasible?

• This issue must be addressed to meet the utility and warranty needs of the organization. The current architecture appears to effectively meet the needs now, but given the planned growth, a detailed assessment is required to ensure support of future business strategy. Data and information gathered from Technical and Application Management teams provide the necessary input.

COBIT5: APO03

ITIL: SO 6.4, 6.6

2. Can the current architecture accommodate the issue?

• At this point, no information to the contrary is available.

3. Do we have the necessary competencies to design the required change(s)?

• The VP of IT is responsible for the response to the Governance Committee. There is no definite indication in the caselet that the necessary competencies are not available.

V. Planning and Use of Resources

1. What resources are required to resolve the situation (e.g. people, capital, technical…)?

• Unknown with the information provided.

2. Can the required resources be acquired?

• N/A, but we assume support is available, if only through the enterprise-level questions raised by the Governance Committee and its recognition of the increased reliance on IT systems.

3. Are the necessary data and information available, collected and managed to resolve the current situation and prevent future occurrences?

• Unknown with the information provided.

Improvement Model Application

This scenario can be resolved by following any of the three improvement models but we will focus on just two: ITIL’s CSI Model and COBIT’s Implementation Model. This caselet demands a review of what is currently in place and then an examination of the gap between now and what is needed. If we focus on the first three steps of the CSI Model and COBIT’s Implementation Model, we effectively ensure we address the organization strategies, goals and objectives and capture an unbiased view of “now” and clearly delineate the gap to the “future.”

Solution References:

Primary Solution:

COBIT5: The main source of information will come from the Goals Cascade and two domains: EDM and APO. But, to get to those domains and processes, we strongly encourage you to utilize the Goals Cascade, which can be found in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (pg. 18). The Goals Cascade directly relates to Principle 1 “Meeting Stakeholder Needs” which is a foremost concern in this caselet. The Business Framework document is not member-only information and can be freely downloaded at www.isaca.org.

To summarize how the goals cascade flows, the general steps to conduct in this exercise include:

  • Understand the stakeholder drivers and map them to stakeholder needs
  • Cascade stakeholder needs to Enterprise Goals
  • Cascade Enterprise Goals to IT-related Goals
  • Cascade IT-related Goals to Enabler Goals
  • Determine the appropriate processes (particularly from the EDM and APO domains)

Secondary Solution

ISO/IEC 20000 and ITIL are underpinned by the need for overall governance and risk management, but neither defines risk management processes or governance mandates. Both frameworks address these elements at different levels and from different perspectives, which directs us to use COBIT5 as the primary solution. Elements from these models should be reviewed and incorporated as needed to resolve the situation, based on the culture and environment of the organization. We have listed areas within the Five Anchors discussion that point you to specific references; we will not repeat them here.
