Trusted Advisor Report - David Consulting Group

What would be a basic framework or model for establishing an effective
IT Governance function?
February 2013
Scope of this Report
In this report, we will review the role of IT Governance with regard to leadership, management, clients
and users of IT. We will also review effective organization structures to establish governance that seeks
to achieve business goals and the contributions to those structures of the practitioners within IT
Providers. The term “IT Providers” is chosen intentionally in this report to ensure that IT providers
inside and outside the organization are included in the IT Governance framework.
There are broadly two possible views of IT Governance: The first is about control and compliance and is
useful for such concerns as Sarbanes-Oxley audits in the US; the second, is about shared decision making
between the business and IT with Finance as a useful supporter, facilitator and, sometimes, arbiter.
The referenced best practices in this section are based on research from the MIT Sloan School of
Management captured in the book, “IT Governance: How Top Performers Manage IT Decision Rights for
Superior Results,i” by Peter Weill and Jeanne W. Ross. Their work on IT Governance was developed
through their research on 250 enterprises worldwide and research performed by the MIT Sloan School
Center for Information Systems Research (CISR). In this report, we make no apologies for mainly using
what we consider to be the best single source for research and reference information on operational IT
governance. A lot of the work and principles from Weill and Ross’s work are now embodied in the IT
Capability Maturity Framework developed and managed by the Innovation Value Institute consortium
(of which DCG is a member).
What is IT governance?
Effective governance addresses three questions:
– What decisions must be made?
– Who should make these decisions?
– How will we make and monitor these decisions?
The top performing organizations implement IT governance most effectively to support their strategies.
The CISR Research shows that the top performing organizations generate up to 40% higher returns on
their IT investments than their competitors with weak IT governance.
Weill and Ross define IT Governance as “specifying the decision rights and accountability framework to
encourage desirable behavior in using IT.” This ensures compliance with the enterprise’s overall vision
and values. Through their governance research, Weill and Ross have been able to conclude that
©2013 David Consulting Group
Page 1 of 7
v1
effective IT governance is the single most important predictor of the value an organization generates
from IT.
For our purposes here, governance is not about creating bureaucracy but determining what decisions
must be made, by whom and how they will be monitored. Providing clarity to the organization about
the results of governance decisions and, more importantly, the process of decision making streamlines
communications and removes ambiguity. Uncertainty by managers or project teams about how to
proceed when making critical decisions can cause delays and worse, indecisiveness. This translates into
lost time and a loss of passion for the work to be performed. The right governance for IT results in a
clear process for decision making.
Key Elements of IT Governance
Table 1 is a starting point for the IT Governance model because it identifies the key types of IT
Governance decisions. All of these are candidates for inclusion in an IT Governance Model.
Table 1 Key IT Governance Decisions
IT Principles Decisions
High-level statements about how IT is used in the business
IT Architecture Decisions
Organizing logic for data,
applications and
infrastructure captured in a
set of policies, relationships
and technical choices to
achieve desired business and
technical standardization and
integration.
IT Infrastructure Decisions
Centrally coordinated, shared
IT services that provide the
foundation for the enterprise’s
IT capability.
IT Investment and
Prioritization Decisions
Decisions about how much
and where to invest in IT,
including project approvals
and justification techniques.
Business Applications Needs
Specifying the business need
for purchase or internally
developed IT applications.
© 2003 MIT Sloan Center for Information Systems Research (CISR)
IT Principles Decisions
Organizations need to decide which three of four principles (or strategies) will dictate the culture of
their IT Providers. Even when IT Providers are external to the organization, these principles should play
a part in deciding which outsourcing partners are most compatible. By way of example of the type of
principles we are talking about here, Table 2 shows examples of IT principles aggregated from a number
of different organizations (note that no single organization had more than five!):
©2013 David Consulting Group
Page 2 of 7
v1
Table 2 Examples of IT Principles
· Benchmarked lowest total cost of
ownership
· Consistent, flexible infrastructure
· Rapid deployment of new applications
· Enable the business
· Ensure information integrity
· Reuse before buy: Buy before build
·
·
·
·
·
Develop project, process and technical
competence within IT
Build and leverage a standardized environment
Focus on the customer
Provide Business information
Manage IT as an investment
Decision Input and Decision Making Models
To establish models for who will make decisions and who will have input to those decisions, it is useful
to identify a set of archetypical scenarios. Table 3 defines a set of typical models for input to and
making decisions.
Table 3 IT Governance Archetypes
Model
Who has decisions or input rights?
Business
A group of business executives or individuals (CxO’s). Includes committees
Monarchy
of senior business executives. Excludes IT executives acting independently.
IT Monarchy
Individuals or groups of IT executives
Feudal
Business Unit Leaders, key process owners or their delegates
Federal
C-level executives and business groups (e.g. Business units or processes);
may also include IT executives as additional participants. Equivalent of the
central and state governments working together.
IT Duopoly
IT executives and one other group (e.g. CxO or business unit or process
leaders)
Anarchy
Each individual user
© 2003 MIT Sloan Center for Information Systems Research (CISR)
Two separate models are used for duopoly where one IT Provider must consult or make decisions with
many Business Groups. In the first model, the “Bicycle Wheel IT Duopoly” (Figure 1), the IT Provider
interacts with each of the many interested Business Groups separately through Business/IT Relationship
Managers. In the second model, the “T-shaped IT Duopoly” (Figure 2), the IT Provider interacts with all
of the many interested Business Groups together. It is worth noting here that the T-shaped Duopoly is
more scalable in the situation where there are multiple IT Providers. The seat on the Executive
Committee would be taken by the most senior IT Provider (usually the in-house CIO) but all IT Providers
can be represented.
©2013 David Consulting Group
Page 3 of 7
v1
Figure 1 Bicycle Wheel IT Duopoly
Figure 2 T-shaped IT Duopoly
The research conducted by Weill and Ross shows that while there are a wide variety of approaches to
the models used for input and decision making, there are some that are used more commonly than
others as shown in Table 4.
Table 4 How Enterprises Govern
Decisions
Archetypes
IT Principles
IT Architecture
IT Infrastructure
Strategies
Input to
Decisions
Decision
Making.
Input to
Decisions
Decision
Making.
Input to
Decisions
Decision
Making.
Business
Monarchy
IT
Monarchy
Feudal
0
27
0
6
0
7
1
18
20
73
10
0
3
0
0
Federal
Duopoly
83
15
14
36
46
34
Anarchy
No Data or
Don’t know
0
1
0
2
0
0
Business
Application
Needs
Input to
Decisions
IT Investment
Decision
Making.
Input to
Decisions
Decision
Making.
1
12
1
30
59
0
8
0
0
1
2
1
18
0
3
4
15
59
30
6
23
81
17
30
27
93
6
27
30
1
1
0
0
1
2
0
0
3
2
0
0
1
0
© 2003 MIT Sloan Center for Information Systems Research (CISR)
In Table 4, the shaded boxes represent the models most commonly used for input to decisions and the
heavily outlined boxes highlight the models most often used for actually making the decisions. The
numbers in each cell are percentages of the 256 enterprises studied in 23 countries. The columns sum
to 100%.
Of course, simply because most organizations govern IT in a particular way, it does not follow that this is
the most effective way to govern IT. To pursue this thought, Weill & Ross examined the core business
strategies (maximization of profit, growth or return on assets) used by enterprises in the survey and
identified the governance strategies used most often by enterprises with most success against their core
business strategy. The results are shown in Table 5.
©2013 David Consulting Group
Page 4 of 7
v1
Table 5 IT Governance models used by most successful companies
Decisions
IT Principles
IT
IT
Business Application
Architecture
Infrastructure
Needs
Strategies
Archetype
Decision
Decision
Decision
Decision
Business
Profit
Profit
Profit
Growth
Monarchy
Growth
IT Monarchy
Profit
Feudal
Federal
Duopoly
Profit
Anarchy
ROA
ROA
ROA
ROA
© 2003 MIT Sloan Center for Information Systems Research (CISR)
IT
Investment
Decision
Profit
Growth
Growth
ROA
In Table 5, the shaded boxes show the decision making model used most across all organizations
surveyed (successful and unsuccessful). Table 5 has some profound implications for businesses seeking
to build IT governance. It seems clear from this research that organizations seeking to maximize return
of assets should leave IT decision making to the individual business units without imposing any standard
structures. It is equally clear that, generally, for profit and growth maximization decision making, a
business monarchy is the best structure.
All of these inputs contribute to the Governance Design Framework proposed by Weill & Ross to define
an IT Governance Framework (Figure 3).
Figure 3 IT Governance Design Framework
Enterprise Strategy &
Organization
IT Organization &
Desirable IT Goals
IT Governance
Arrangements
(Decision rights via
monarchies, duopolies, etc.)
Business
Performance Goals
IT Metrics &
Accountabilities
IT Governance
Mechanisms
(Committees, budgets, etc.)
IT Decisions:
Principles
Architecture
Infrastructure
Applications
Investment
Harmonize
“What?”
Harmonize
“How?”
© 2003 MIT Sloan Center for Information Systems Research (CISR)
©2013 David Consulting Group
Page 5 of 7
v1
We recommend utilizing these tools for discovery and analysis to define the right IT Governance
Framework for the organization and to ensure alignment with strategic goals.
IT-CMF
Weill and Ross published the book on which most of this report is based in 2003. Of course, their work
in this area has continued and much of it is now embodied in the IT Capability Maturity Framework
developed and managed by the Innovation Value Institute consortium. The IT-CMF seeks to provide
guidance of how to maximize the value of all of those IT functions that a particular organization
prioritizes through its business strategy. Overall, it provides a framework for “managing IT like a
business.” The IT-CMF comprises four macro-capabilities to emphasize their complexity and their
importance in managing IT for business value.
It is a unique end-to-end framework that:
· Maps IT organizations onto a capability maturity curve based on empirically derived
industry best practice across 33 different capabilities of IT management
· Provides practices, outcomes and metrics to improve capability maturity and therefore
consistency of output
· Enables organizations to assess and benchmark performance over time
· Enables creation of roadmaps with actionable metrics to improve maturity with best
practice guidelines
· Provides capability accelerators and building blocks for improvement
Conclusion
The role of IT Governance is “specifying the decision rights and accountability framework to encourage
desirable behavior in using IT”. We reviewed models and research based on the work by Peter Weill and
Jeanne Ross to examine the role of leadership, management, clients and users of IT. We defined the
principles and governance intentions according to three critical questions:
– What decisions must be made?
– Who should make these decisions?
– How will we make and monitor these decisions?
©2013 David Consulting Group
Page 6 of 7
v1
The IT-CMF framework of the Innovation Value Institute provides a living, continuously improving
framework which embodies and extends the principles of Weill and Ross.
Sources
1.
“IT Governance: How Top Performers Manage IT Decision Rights for Superior Results,” Weill,
Peter & Ross, Jeanne W., 2004, Harvard Business School Publishing.
2. http://ivi.nuim.ie/it-cmf
©2013 David Consulting Group
Page 7 of 7
v1