IT Governance Institute, USA
Copyright 2004, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.
Board oversight of information technology has not kept pace with the rapid growth of IT as a critical driver of business success. However, this is shortsighted, since effective governance over IT Governance protects shareholder value; makes clear that IT risks are quantified and understood; directs and controls IT investment, opportunity, benefits and risks; aligns IT with the business while accepting IT as a critical input to and component of the strategic plan; sustains current operations and prepares for the future; and is an integral part of a global governance structure.
Like most other governance activities, IT Governance engages both board and executive management. Among the board's responsibilities are reviewing and guiding corporate strategy, setting and monitoring achievement of management's performance objectives, and ensuring the integrity of the organisation's systems. Management's focus is generally on cost-efficiency, revenue enhancement and building capabilities, all of which are enabled by information, knowledge and the IT infrastructure.
The four main focus areas for IT Governance are driven by stakeholder value. Two are outcomes: value delivery and risk mitigation. Two are drivers: strategic alignment and performance measurement.
Action plans for implementing effective IT Governance, from both a board and an executive management point of view, consist of activities, outcome measures, best practices, critical success factors and performance drivers. In addition, organisations must assess how well they are currently performing and be able to identify where and how improvements can be made. The use of maturity models simplifies this task and provides a pragmatic, structured approach for measurement.
Control Objectives for Information and related Technology (COBIT), a third edition of which was issued by the IT Governance Institute in 2000, incorporates material on IT Governance and a Management Guidelines component. COBIT presents an international and generally accepted IT control framework enabling organisations to implement an IT Governance structure throughout the enterprise.
The Management Guidelines consist of maturity models, critical success factors, key goal indicators and key performance indicators. This structure delivers a significantly improved framework responding to management's need for control and measurability of IT by providing tools to assess and measure the organisation's IT environment against COBIT's 34 IT processes.
The information in this chapter is based primarily on Control Objectives for Information and Related Technology (COBIT), published by the IT Governance Institute. Control Objectives for Information and Related Technology (COBIT) 3rd Edition, IT Governance Institute, 2000. Reprinted by permission.
As information technology has become a critical driver of business success, boards of directors have not kept pace. IT demands thorough and thoughtful board governance, yet such oversight has often been lacking because IT has been seen as an operations matter best left to management, and board members lacked interest or expertise in technology issues.
While boards have always scrutinized business strategy and strategic risks, IT has tended to be overlooked, despite the fact that it involves large investments and huge risks. Reasons include:
Closing the IT Governance gap has become imperative as it becomes more difficult to separate an organisation's overall strategic mission from the underlying IT strategy that enables that mission to be fulfilled.
IT Governance is ultimately important because expectations and reality often do not match. Boards expect management to juggle a myriad of responsibilities: deliver quality IT solutions on time and on budget, harness and exploit IT to return business value and leverage IT to increase efficiency and productivity while managing IT risks. However, boards frequently see business losses, damaged reputations or weakened competitive positions, unmet deadlines, higher-than-expected costs, lower-than-expected quality and failures of IT initiatives to deliver promised benefits.
IT Governance extends the board's mission of defining strategic direction and ensuring that objectives are met, risks are managed and resources are used responsibly. Pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT Governance. Such governance should ensure that an organization's IT sustains and extends its strategies and objectives.
Effective IT Governance:
Like most other governance activities, IT Governance intensively engages both board and executive management in a cooperative manner. However, due to complexity and specialisation, this governance layer must rely heavily on the lower layers in the enterprise to provide the information needed in its decision-making and evaluation activities. To have effective IT Governance in the enterprise, the lower layers need to apply the same principles of setting objectives, providing and getting direction, and providing and evaluating performance measures. As a result, good practices in IT Governance need to be applied throughout the enterprise.
Among the board's responsibilities are reviewing and guiding corporate strategy, setting and monitoring achievement of management's performance objectives, and ensuring the integrity of the organisation's systems.
The board should drive enterprise alignment by:
The board should direct management to deliver measurable value through IT by:
The board should also measure performance by:
The board should manage enterprise risk by:
The executive's focus is generally on cost-efficiency, revenue enhancement and building capabilities, all of which are enabled by information, knowledge and the IT infrastructure. Because IT is an integral part of the enterprise, and as its solutions become more and more complex (outsourcing, third-party contracts, networking, etc.), adequate governance becomes a critical factor for success. To this end, management should:
In this document, "stakeholder" is used to indicate anyone who has either a responsibility for or an expectation from the enterprise's IT, e.g., shareholders, directors, executives, business and technology management, users, employees, governments, suppliers, customers and the public.
In this document, "board of directors" and "board" are used to indicate the body that is ultimately accountable to the stakeholders of the enterprise.
The COBIT control framework refers to key goal indicators (KGIs) and key performance indicators (KPIs) for the Balanced Business Scorecard concepts of outcome measures and performance drivers.
Fundamentally, IT Governance is concerned about two things: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need measurement, for example, by a Balanced Scorecard. This leads to the four main focus areas for IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurement.
The key question is whether a firm's investment in IT is in harmony with its strategic objectives (intent, current strategy and enterprise goals) and thus building the capabilities necessary to deliver business value. This state of harmony is referred to as "alignment". It is complex, multifaceted and never completely achieved. It is about continuing to move in the right direction and being better aligned than competitors. This may not be attainable for many enterprises because enterprise goals change too quickly, but is nevertheless a worthwhile ambition because there is real concern about the value of IT investment.
Alignment of IT has been synonymous with IT strategy, i.e., does the IT strategy support the enterprise strategy? For IT Governance, alignment encompasses more than strategic integration between the (future) IT organisation and the (future) enterprise organisation. It is also about whether IT operations are aligned with the current enterprise operations. Of course, it is difficult to achieve IT alignment when enterprise units are misaligned.
The basic principles of IT value are delivery on time, within budget and with the benefits that were promised. In business terms, this is often translated into: competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability. Several of these elements are either subjective or difficult to measure, something all stakeholders need to be aware of.
The value that IT adds to the business is a function of the degree to which the IT organisation is aligned with the business and meets the expectations of the business. The business has expectations relative to the contents of the IT deliverable:
The business also has expectations regarding the method of working:
To manage these expectations, IT and the business should use a common language for value which translates business and IT terminology and is based wholly on fact.
Strategy has taken on a new urgency as enterprises mobilise intangible and hidden assets to compete in an information-based global economy. Balanced Scorecards translate strategy into action to achieve goals with a performance measurement system that goes beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow. At the heart of these scorecards is management information supplied by the IT infrastructure. IT also enables and sustains solutions for the actual goals set in the financial (enterprise resource management), customer (customer relationship management), process (intranet and workflow tools) and learning (Knowledge Management) dimensions of the scorecard.
IT needs its own scorecard. Defining clear goals and good measures that unequivocally reflect the business impact of the IT goals is a challenge and needs to be resolved in co-operation among the different governance layers within the enterprise. The linkage between the Business Balanced Scorecard and the IT Balanced Scorecard is a strong method of alignment.
Enterprise risk comes in many varieties, not only financial risk. Regulators are specifically concerned about operational and systemic risk, within which technology risk and information security issues are prominent. Infrastructure protection initiatives in the U.S. and the UK point to the utter dependence of all enterprises on IT infrastructures and the vulnerability to new technology risks. The first recommendation these initiatives make is for risk awareness of senior corporate officers.
Therefore, the board should manage enterprise risk by:
While it is not the most efficient IT Governance process, asking tough questions is an effective way to get started. Of course, those responsible for governance want good answers to these questions. Then they want action. Then they need follow-up. It is essential to determine, along with the action, who is responsible to deliver what by when.
An extensive checklist of questions is provided in Board Briefing on IT Governance. The questions focus on three objectives: questions asked to discover IT issues, to find out what management is doing about them, and to self-assess the board's governance over them. For example:
Action plans for implementing effective IT Governance, from both a board and an executive management point of view, are provided in detail in Board Briefing on IT Governance. These plans consist of the following elements:
The plans list IT Governance activities and link a set of subjects and practices to them. Practices are classified to reflect the IT Governance area(s) to which they provide the greatest contribution: value delivery, strategic alignment, risk management and/or performance (V, A, R, P). A list of critical success factors is provided in support of the practices. Finally, two sets of measures are listed: outcome measures that relate to the IT Governance subjects and performance drivers that relate to how activities are performed and the associated practices and critical success factors.
For effective governance of IT to be implemented, organisations need to assess how well they are currently performing and be able to identify where and how improvements can be made. This applies to both the IT Governance process itself and to all the processes that need to be managed within IT.
The use of maturity models greatly simplifies this task and provides a pragmatic and structured approach for measuring how well developed your processes are against a consistent and easy-to-understand scale:
(For a complete description of the various maturity levels, see Board Briefing on IT Governance.)
Using this technique the organisation can:
Control Objectives for Information and related Technology (COBIT) was initially published by the Information Systems Audit and Control Foundation™ (ISACF™ in 1996, and was followed by a second edition in 1998. The third edition, which incorporates all-new material on IT Governance and Management Guidelines, was issued by the IT Governance Institute in 2000. COBIT presents an international and generally accepted IT control framework enabling organisations to implement an IT Governance structure throughout the enterprise.
Since its first issuance, COBIT has been adopted in corporations and by governmental entities throughout the world.
All portions of COBIT, except the Audit Guidelines, are considered an open standard and may be downloaded on a complimentary basis from the Information Systems Audit and Control Association's web site, www.isaca.org/cobit.htm. The Audit Guidelines are available on a downloadable basis to ISACA members only.
Business orientation is the main theme of COBIT. It begins from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. It is designed to be employed as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. COBIT promotes a process focus and process ownership.
The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:
In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains:
Corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT's 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.
The Management Guidelines further enhance and enable enterprise management to deal more effectively with the needs and requirements of IT Governance. The guidelines are action-oriented and generic and provide management direction for getting the enterprise's information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.
COBIT also contains an Implementation Tool Setthat provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools — Management Awareness Diagnostic and IT Control Diagnostic — to assist in analyzing an organisation's IT control environment.
Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations worldwide. Thus, COBIT is designed to be the break-through IT Governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.
For the purposes of COBIT, the following definitions are provided. "Control" is adapted from the COSO Report (Internal Control — Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and "IT Control Objective" is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).
Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
IT Control Objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information. In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models:
Starting the analysis from the broader Quality, Fiduciary and Security requirements, seven distinct, certainly overlapping, categories were extracted. COBIT's working definitions are as follows:
The IT resources identified in COBIT can be explained/defined as follows:
COBIT consists of high-level control objectives for each process which identify which information criteria are most important in that IT process, state which resources will usually be leveraged and provide considerations on what is important for controlling that IT process. The underlying theory for the classification of the control objectives is that there are, in essence, three levels of IT efforts when considering the management of IT resources. Starting at the bottom, there are the activities and tasks needed to achieve a measurable result. Activities have a lifecycle concept while tasks are more discrete. The lifecycle concept has typical control requirements different from discrete activities. Processes are then defined one layer up as a series of joined activities or tasks with natural (control) breaks. At the highest level, processes are naturally grouped together into domains. Their natural grouping is often confirmed as responsibility domains in an organisational structure and is in line with the management cycle or lifecycle applicable to IT processes.
Thus, the conceptual framework can be approached from three vantage points: (1) information criteria, (2) IT resources and (3) IT processes.
It is clear that all control measures will not necessarily satisfy the different business requirements for information to the same degree.
Similarly, all control measures will not necessarily impact the different IT resources to the same degree. Therefore, the COBIT Framework specifically indicates the applicability of the IT resources that are specifically managed by the process under consideration (not those that merely take part in the process). This classification is made within the COBIT Framework, based on a rigorous process of input from researchers, experts and reviewers, using the strict definitions previously indicated.
Each high-level control objective is accompanied by detailed control objectives, 318 in all, providing additional detail on how control should be exercised over that particular process. In addition, extensive audit guidelines are included for building on the objectives.
Sample high-level control objectives, with their related detailed control objectives, are provided at the end of the chapter for PO9, the Assess Risks process in the Planning and Organisation domain, and DS5, the Ensure System Security process in the Delivery and Support domain.
COBIT's Management Guidelines consist of maturity models, critical success factors (CSFs), key goal indicators (KGIs) and key performance indicators (KPIs). This structure delivers a significantly improved framework responding to management's need for control and measurability of IT by providing management with tools to assess and measure their organisation's IT environment against COBIT's 34 IT processes.
COBIT's Management Guidelines are generic and action-oriented for the purpose of addressing the following types of management concerns:
An answer to these requirements of determining and monitoring the appropriate IT security and control level is the definition of specific:
The Management Guidelines are consistent with and build upon the principles of the Balanced Business Scorecard.  In "simple terms", these measures will assist management in monitoring their IT organisation by answering the following questions:
Make sure that the enterprise needs are fulfilled.
On the Balanced Business Scorecard as a key goal indicator, representing an outcome of the business process.
That the IT processes deliver on a timely basis the right information to the enterprise, enabling the business needs to be fulfilled. This is a critical success factor for the enterprise.
On the IT Balanced Scorecard, as a key goal indicator representing the outcome for IT, which is that information is delivered with the right criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability).
Whether the outcome is positively influenced by a number of critical success factors that need to be measured as key performance indicators of how well IT is doing.
Each element of the Management Guidelines will be examined in further detail.
IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes and high-level control objectives, the process owner should be able to incrementally benchmark against that control objective. This creates three needs:
The approach to maturity models for control over IT processes consists of developing a method of scoring so that an organisation can grade itself from non-existent to optimised (from 0 to 5). This approach is based on the maturity model that the Software Engineering Institute defined for the maturity of the software development capability.  Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.
In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met. Against levels developed for each of COBIT's 34 IT processes, management can map:
For each of the 34 IT processes, there is an incremental measurement scale, based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from Non-existent to Optimised as follows:
The maturity model scales help professionals explain to managers where IT management shortcomings exist and set targets for where they need to be by comparing their organisation's control practices to the best practice examples. The right maturity level will be influenced by the enterprise's business objectives and operating environment. Specifically, the level of control maturity depends on the enterprise's dependence on IT, its technology sophistication and, most importantly, the value of its information.
A strategic reference point for an organisation to improve security and control could also consist of looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and are therefore useful for planning where an organisation wants to be over time.
In summary, maturity models:
Critical success factors provide management with guidance for implementing control over IT and its processes. They are the most important things to do that contribute to the IT process achieving its goals. They are activities that can be of a strategic, technical, organisational, process or procedural nature. They are usually dealing with capabilities and skills and have to be short, focused and action-oriented, leveraging the resources that are of primary importance in the process under consideration.
A number of critical success factors can be deduced that apply to most IT processes:
Applying to IT in General
Applying to Most IT Processes
Applying to IT Governance
In summary, critical success factors are:
A key goal indicator, representing the process goal, is a measure of what has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve. By comparison, a key performance indicator is a measure of how well the process is performing.
How are business and IT goals and measures linked? The COBIT Framework expresses the objectives for IT in terms of the information criteria that the business needs in order to achieve the business objectives, which will usually be expressed in terms of:
The goal for IT can then be expressed as delivering the information that the business needs in line with these criteria. These information criteria are provided in the Management Guidelines with an indication whether they have primary or secondary importance for the process under review. In practice, the information criteria profile of an enterprise would be more specific. The degree of importance of each of the information criteria is a function of the business and the environment in which the enterprise operates.
Key goal indicators are lag indicators, as they can be measured only after the fact, as opposed to key performance indicators, which are lead indicators, giving an indication of success before the fact. They also can be expressed negatively, i.e., in terms of the impact of not reaching the goal.
Key goal indicators should be measurable as a number or percentage. These measures should show that information and technology are contributing to the mission and strategy of the organisation. Because goals and targets are specific to the enterprise and its environment, many key goal indicators have been expressed with a direction, e.g., increased availability, decreased cost. In practice, management has to set specific targets which need to be met, taking into account past performance and future goals.
In summary, key goal indicators are:
Key performance indicators are measures that tell management that an IT process is achieving its business requirements by monitoring the performance of the enablers of that IT process. Building on Balanced Business Scorecard principles, the relationship between key performance indicators and key goal indicators is as follows: key performance indicators are short, focused and measurable indicators of performance of the enabling factors of the IT processes, indicating how well the process enables the goal to be reached. While key goal indicators focus on what, the key performance indicators are concerned with how. They often are a measure of a critical success factor and, when monitored and acted upon, identify opportunities for the improvement of the process. These improvements should positively influence the outcome and, as such, key performance indicators have a cause-effect relationship with the key goal indicators of the process.
While key goal indicators are business-driven, key performance indicators are process-oriented and often express how well the processes and the organisation leverage and manage the needed resources. Similar to key goal indicators, they often are expressed as a number or percentage. A good test of a key performance indicator is to see whether it really does predict success or failure of the process goal and whether or not it assists management in improving the process.
Some generic key performance indicators follow that usually are applicable to all IT processes:
Applying to IT in General
Applying to most IT Processes
Applying to IT Governance
In summary, key performance indicators:
"The Balanced Business Scorecard — Measurements that Drive Performance," Robert S. Kaplan and David P. Norton, Harvard Business Review, January–February 1992.
"Capability Maturity Model SM for Software," Version 1.1. Technical Report CMU/SEI-93-TR-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, February 1993.
Although COBIT consists of 34 high-level IT control practices, through extensive testing and surveying, the 15 most important have been identified. At the end of the chapter, COBIT's Management Guideline for seven of these 15 processes is included, outlining critical success factors, key goal indicators, key performance indicators and a maturity model for each.
Control Objectives for Information and related Technology (COBIT) 3rd Edition, IT Governance Institute, 1998, www.isaca.org/cobit.htm. (All sections of COBIT, except the Audit Guidelines, can be downloaded on a complimentary basis.)
Board Briefing on IT Governance, IT Governance Institute, 2001, www.ITgovernance.org/resources.htm.
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2001, www.ITgovernance.org/resources.htm.
1 In this document, "stakeholder" is used to indicate anyone who has either a responsibility for or an expectation from the enterprise's IT, e.g., shareholders, directors, executives, business and technology management, users, employees, governments, suppliers, customers and the public.
2 In this document, "board of directors" and "board" are used to indicate the body that is ultimately accountable to the stakeholders of the enterprise.
3 The COBIT control framework refers to key goal indicators (KGIs) and key performance indicators (KPIs) for the Balanced Business Scorecard concepts of outcome measures and performance drivers.
4 "The Balanced Business Scorecard — Measurements that Drive Performance," Robert S. Kaplan and David P. Norton, Harvard Business Review, January–February 1992.
5 "Capability Maturity Model SM for Software," Version 1.1. Technical Report CMU/SEI-93-TR-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, February 1993.
* The information in this chapter is based primarily on Control Objectives for Information and Related Technology (COBIT), published by the IT Governance Institute. Control Objectives for Information and Related Technology (COBIT) 3rd Edition, IT Governance Institute, 2000. Reprinted by permission.
Section I - IT Governance Frameworks
Section II - Performance Management as IT Governance Mechanism
Section III - Other IT Governance Mechanisms
Section IV - IT Governance in Action