Saturday, May 23, 2009

Book Review: IT Governance Domain Practices and Competencies Series

This is a review of five executive briefings that make up the “IT Governance Domain Practices and Competencies Series” from the IT Governance Institute® (ITGI®). Each briefing is a short book of about 25 pages. The series is available as a single purchase from the ISACA® Bookstore, or as a free download to ISACA members for personal use.

The briefings in this series are:

  1. Governance of Outsourcing

  2. Information Risks: Whose Business Are They?

  3. Measuring and Demonstrating the Value of IT

  4. IT Alignment – Who is in Charge?

  5. Optimising Value Creation from IT Investments


1. Governance of Outsourcing

Authors: Alan Simmonds, David Gilmour, Lighthouse Global and ITGI

Reviewer: Mike Howard, CPA, CISA, MBA

This pamphlet provides an overview of how to govern an organization’s outsourcing efforts. The authors make the point that organizations should view outsourcing as a strategic resource, not merely as a procurement decision. Outsourcing provides the opportunity for a business to focus on its core competencies, leaving its non-core activities as candidates for outsourcing. However, regardless of whether a company owns its resources, it needs to control them and make the most of its capabilities. Governance of outsourcing is described by the authors as the set of responsibilities, objectives, interfaces, and controls required to anticipate change and manage third-party services.

The authors discuss the importance of outsourcing governance, current approaches and best practices, future trends, and recommended generic steps. They make a solid case for the need to govern the outsourcing process and provide detailed information on designing and establishing a governance organization and process. In particular:

  • Stakeholders: In the outsourcing process, there are typically many relationships between the organization and external stakeholders. The document graphically presents these relationships, effectively framing the parties involved in the process.

  • Life Cycle: Like other processes, outsourcing has its own life cycle. The document lays out this process, including those steps that occur before and after the outsourcing contract is signed.

  • Roles and Responsibilities: The authors provide a list of positions and their responsibilities, which should be present in both the client and the supplier.

  • Recommended Generic Steps: To quote the authors, “there is not a single set of activities that will ensure governance success.” However, the document provides a common-sense best practice approach that will help organizations start their governance process.

One area where I would have liked more detail is the discussion of service level agreements (SLA) and outsourcing level agreements (OLA). SLAs define the support relationship between a service provider and a client, while OLAs define the interdependent relationships between the internal groups supporting an SLA. The document points out the importance of these agreements in measuring a supplier’s performance; however, it does not provide instructions for writing these agreements or the types of metrics to include.

In summary, the Governance of Outsourcing provides a good starting point for those organizations building an outsourcing governance process as well as those who are looking to refine an existing process.

 

2. Information Risks: Whose Business Are They?

Authors: Gary Hardy, Lighthouse Global and ITGI

Reviewer: Mike Howard, CPA, CISA, MBA

The central theme of Information Risks: Whose Business Are They? is that information technology risks should be managed not just by the IT organization, but by the business side as well, since such risks can ultimately impact the achievement of business objectives. IT risks are increasingly becoming a board-level issue since the impact of an IT failure can have devastating consequences. Therefore, executives need guidance at a business level on the effects of IT risks.

The pamphlet provides this guidance by discussing the areas where IT risk can occur, practical and real business impacts, best practices for risk management, the role senior management should play, and a suggested action plan for managing IT risk. The author effectively incorporates industry research, from a 2004 survey by the IT Governance Institute (ITGI) and Lighthouse Global, and practices from numerous international sources. This gives the document a practical perspective for IT risk management, while also providing solid references for additional information.

The suggested action plan for governing IT risk included in the document is its strongest feature, providing detailed practices and steps from several international sources. Topics discussed include setting the scope, implementation steps, and critical success factors. However, the author also includes guidance on defining and categorizing risk, setting a framework for managing risk, and risk management roles and responsibilities.

In summary, Information Risks: Whose Business Are They? effectively makes the case that business executives need to become more involved in managing IT risks and provides good techniques and practices for doing so.

 

3. Measuring and Demonstrating the Value of IT

Authors: Wim Van Grembergen, Sten De Hass, Lighthouse Global and ITGI

Reviewer: Nils Kandelin, CISA, PHD

The booklet reports on a 2004 survey of IT managers about how they measure the value of IT and use it to monitor IT performance. Most of the survey results are not surprising, such as the fact that most respondents use financial metrics, such as return on investment (ROI), payback period and net present value (NPV) to measure IT projects and investments. Some of the survey results appear to be contradictory (something that is often encountered with surveys), but the authors propose reasonable explanations.

The booklet states that it proposes a two-way approach to IT performance measurement based on IT portfolio management and balanced scorecard concepts. It does discuss results of survey questions about balanced scorecards and gives a high-level description of a generic IT balanced scorecard. With respect to IT portfolio management, it makes only passing references to it, leaving one to wonder what it is and if it is used in practice.

This booklet can be used to raise awareness of some of the issues related to IT performance and value measurement and as a start for development of an IT performance measurement system. It contains numerous diagrams and graphs that are useful, but it does not contain a glossary of terms or provide implementation details.

Another booklet in this series, Optimising Value Creation from IT Investments, provides more background and defines many of the terms used in this booklet. The Val IT framework series, which uses a balanced scorecard approach with a combination of financial and value metrics, provides implementation details.

 

4. IT Alignment – Who is in Charge?

Authors: Paul A. Williams, FCA, CITP, Lighthouse Global and ITGI

Reviewer: Nils Kandelin, CISA, PHD

The booklet discusses governance structures that help ensure that the IT strategy supports achievement of an organization’s overall business strategy. It uses survey results to describe the need for business-IT alignment and how it is accomplished in practice.

Overall, the booklet adopts a nicely balanced approach by offering survey results to motivate the need for IT and business strategy alignment followed by suggestions for how it can be implemented.

The booklet describes the role that the key stakeholders, the CEO, Board of Directors and CIO, have in ensuring IT-business strategic alignment. It also makes some helpful suggestions about how the Board’s participation can be optimized.

The governance structure proposed in the booklet is comprised of three committees: IT strategy, IT steering and IT investment. Current practices (based on survey results) as well as recommended best practices are described. In addition, useful references to other ISACA materials are included.

The booklet concludes with a governance case study, which is taken from the Val IT booklet, The ING Case Study, and an appendix listing “Top Tips for Maximizing Alignment”. There is no explanation of the source of these top tips, so it is not possible to assess their value, but it appears that some of them come from the discussion in the booklet.

Overall this booklet succeeds in demonstrating the importance of IT and business strategic alignment and explaining governance structures that help ensure alignment is achieved. It is very readable and could even be distributed to senior management to raise their awareness of this issue and explain potential governance solutions.

 

5. Optimising Value Creation from IT Investments

Authors: Paul A. Williams, FCA, CITP, Lighthouse Global and ITGI

Reviewer: Nils Kandelin, CISA, PHD

The booklet explains basic issues, processes and techniques for value measurement of IT investments. A short glossary of terms is also provided. The booklet focuses mostly on financially oriented measures and its section on investment portfolios is relatively good.

The two weakest sections were on defining and quantifying expected benefits, and risk-adjusted returns. Each of these sections was too general and lacked examples. There are many, much better discussions of how to quantify expected benefits available in articles in the professional literature. A good explanation of risk-adjusted returns is contained in The Business Case from the Val IT framework.

While the booklet material seems relatively up to date, it does not mention some of the more current topics, such as metrics based on CMMI or ITIL.

The booklet could be used to raise awareness of IT value issues among key executives, IT, and business unit staff at the beginning of a measurement methodology development effort. The combination of theory, current practice and examples makes most of the booklet interesting to read. The booklet also contains some practical advice, such as common problems and mistakes that an experienced person could find useful.

Most of this booklet is repeated in the article, “Optimising Returns from IT-related Business Investments,” by the lead author, which appeared in the Information Systems Control Journal, Volume 5, 2005.

 

© Copyright 2007 - National Capital Area Chapter

http://www.isaca-washdc.org/pages/articles/book-nov2006-print.htm
