3. IS Governance in Practice

The phenomenon of globalization of the economy has brought with it a rise in the power of multinationals, with a sphere of activity covering every continent. The strategic and managerial steering of these global players has been made possible via the territorial coverage provided by extended information systems. Given the operational significance of these tools and the expansion of their fields of action, a strong need for standardization and norms emerged. This led IS management to multiply its own objectives: a better evaluation of operational performance and of the value added by the information system, more effective management of resources and skills, improved service value, greater visibility, optimization of sales activity, a better fit between the information system and the business strategy, compliance with the laws and regulations in each country, management of information systems risk and security, etc. To achieve all this, there was a need to document best practices and define standard requirements. Two working perspectives are necessary for this. The first stems from the internal reflection which leads organizations to look for the IS governance organizational model best suited to their own needs. The second involves the adoption of external benchmarks that will determine the organization’s capacity to engage in a process of international compliance. After addressing these two aspects, we will conclude this chapter with a reflection on how they link together.

3.1. IS governance organizational models

IS governance is strongly correlated to the governance model implemented by the company directors in relation to their strategic business units, regional offices and subsidiaries. Therefore, one question takes on full significance: Who steers and monitors the information system between the group and the subsidiaries? There are several possible answers to this question.

3.1.1. Centralized governance

In large, centralized organizations, the IS management committee plays a key role. Attached to the executive, the group IS management committee is usually a substantial governance structure responsible for information systems strategy, steering and monitoring. Governance is decided upon and monitored by the group information systems management committee, which manages the majority of computing resources centrally: development teams, production teams, the technical infrastructure (servers, networks, workstations, etc.), the applications portfolio used by all subsidiaries, norms and standards, budget, projects, HR, security, urbanization and also external service provider relationships. The subsidiaries’ IS management committees manage the local technical infrastructure (workstations, servers, LANs, printers) and a few local applications such as VAT management, accounting and statutory reporting. The subsidiaries’ IS management committees implement head office strategy and steering on a devolved basis.


Figure 3.1. IS management committee/subsidiary IS management committee

3.1.2. Decentralized governance

In large, decentralized organizations, the role played by the information systems management committee is just as critical as in the previous case, but in a completely different form. Responsibility for the strategy and steering of the information system belongs to the subsidiaries. The group information systems management committee’s governance is weak at the operational level, because it manages only a very small proportion of IT resources. At its own level, it is responsible for controlling applications required to consolidate the accounts and produce statistics for the dashboard. Its external activity is focused on recommending shared norms and standards.

Meanwhile, the subsidiaries’ IS management committees locally manage most of the computing resources they need, in compliance with the norms and standards determined by head office. Specifically, this concerns the application portfolio, development teams, production teams, technical infrastructure (servers, networks, workstations, etc.), budget, HR, security and urbanization. Strategy and steering of local information systems fall within the area of responsibility of the directors of the subsidiaries.


Figure 3.2. Decentralized governance

3.1.3. Federal governance

A third type of major organization refuses to choose between centralization and decentralization. In these organizations, there is an explicit wish to use a matrix organizational structure. In this configuration, the responsibility for IS strategy and steering is shared between the information systems management committee of the group and those of the subsidiaries. The group information systems management committee centrally manages the shared part of IT, hardware and human resources. In particular, this covers norms, standards, technical infrastructure components (servers, networks, workstations, Internet access), the architecture and benchmarks for business and other resources and skills (strategic information systems management, business information systems expertise, project management). Pooling can thus be as much an operational as a strategic objective. The subsidiaries’ IS management committees locally manage the unshared IT resources that they need, the application portfolio, development teams, production teams and the technical infrastructure: servers, networks, workstations, etc.


Figure 3.3. Federal governance

3.1.4. Internal software and computing services-type governance

A variant of federal governance consists of the group information systems management committee taking care of the information systems strategy, the choice of business architecture and the management of transversal projects. It centrally manages the bulk of the IT infrastructure resources: development teams, production teams, technical infrastructures, the application portfolio used by all subsidiaries, and also the norms and standards.

The subsidiaries’ information systems management committees manage the local technical infrastructures and local applications. The primary objective of the group information systems management committee is to meet internal customer requirements contractually, by identifying customer needs and interests. It positions itself as a profit center and a service contract provider, and has a duty to be proactive and competitive towards the subsidiaries’ information systems management committees in order to compete with external software and computing services companies.


Figure 3.4. Internal software and computing services provision

3.2. IS governance benchmarks

The need for standards, norms, certifications and other benchmarks is strong in the field of information systems and their governance. There are two main reasons for this. On the one hand, ICTs are vectors of major policy issues.

Furthermore, dialog between business stakeholders (initiators of needs) and programmers (providers of application solutions) is difficult. In fact, business stakeholders may have problems in defining their overall needs in a technical specification. Programmers, on their side, have to provide application solutions in business departments where they often know very little about the practical issues. Since project owners and project managers do not speak the same language, the need for norms is all the stronger. Benchmarks and good practice guides thus appear as unifying tools that can establish a common language. In this sense, they are much needed.

Raising the issue of information systems governance standards also raises the issue of audits. In fact, adopting a norm at the same time implies tolerating a certain degree of deviation from it. This is not a simple matter, in that the information systems audit, considered as a governance tool, again refers back to a multitude of stakeholders and national and international organizations: the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), the Public Company Accounting Oversight Board (PCAOB), the Institut français de l’audit et du contrôle internes (IFACI), the Association française de l’audit et du conseil informatiques (AFAI) and the Haut conseil du commissariat aux comptes (H3C).

These various actors sometimes have different interpretations of the audit concept and in each case refer to different standards: Global Technology Audit Guides (GTAGs), Control Objectives for Information and related Technology (COBIT) and Auditing Standard 2 (AS2). To frame this analytical work and its associated missions, audits have for many years been based on professional standards and best practice. As with most management activities, the various stages of the information systems audit can involve the use of computer-assisted audit techniques (CAATs).

However, the proposed standards are to a large extent competing, in part complementary and sometimes redundant. Therefore, the auditor has to be capable of seeing the bigger picture, which will help them to use the standards wisely. They also have to be able to apply them so as to meet the legal and organizational requirements for information systems governance.

In this section, we will look at the difference between:

  – generalist benchmarks, aimed at covering all the issues related to information systems management;
  – more specific benchmarks, focused on one particular issue.

3.2.1. Control Objectives for Information and related Technology (COBIT)

COBIT sets the objectives for auditing information and associated technologies through the creation of a common language. It was developed in 1994 by a group of American experts specialized in information systems audits, as part of the ISACA. The benchmark is based on a process-type approach. It seeks to position itself as the benchmark for information systems governance and audit. It also seeks to provide key indicators for the success of the alignment of the information systems strategy to that of the company by the optimal use of resources. Its objective is to meet the needs of stakeholders, cover the business end to end, apply a single frame of reference, separate governance and management and promote a global approach.

COBIT Version 5 defines 37 processes split into five areas:

  • evaluate, direct and monitor:
    – ensure governance framework setting and maintenance;
    – ensure benefits delivery;
    – ensure risk optimization;
    – ensure optimization of resources;
    – ensure stakeholder transparency;
  • align, plan and organize:
    – manage the IT management framework;
    – manage strategy;
    – manage enterprise architecture;
    – manage innovation;
    – manage portfolio;
    – manage budget and costs;
    – manage human resources;
    – manage relationships;
    – manage service agreements;
    – manage suppliers;
    – manage quality;
    – manage risk;
    – manage security;
  • build, acquire and implement:
    – manage programs and projects;
    – manage requirements definition;
    – manage solution identification and building;
    – manage availability and capacity;
    – manage organizational change enablement;
    – manage changes;
    – manage change acceptance and transitioning;
    – manage knowledge;
    – manage assets;
    – manage configuration;
  • deliver, service and support:
    – manage operations;
    – manage service requests and incidents;
    – manage problems;
    – manage continuity;
    – manage security services;
    – manage business process controls;
  • monitor, evaluate and assess:
    – monitor, evaluate and assess performance and conformance;
    – monitor, evaluate and assess the system of internal control;
    – monitor, evaluate and assess compliance with external requirements.

COBIT Version 5 incorporates the benchmarks ValIT and RiskIT presented in sections 3.2.2 and 3.2.3.

3.2.2. Enterprise Value, Governance of IT Investments (ValIT)

ValIT was developed by the ISACA and the IT Governance Institute (ITGI) to complement COBIT as regards analyzing the quality of the processes of decision-making and governance of investments linked to IS projects. ValIT provides a frame of reference for value creation and management that identifies three areas or axes of governance of IS investment projects and 40 good practices.

The first area relates to value governance. It looks at how the decision-making process is organized for IS projects, at the definition of criteria that facilitate arbitration between projects, and at confirmation that the objectives have been achieved. Eleven good practices are used to support and organize this area, with the objectives of ensuring informed and committed leadership, defining and implementing processes, defining roles and responsibilities, ensuring an appropriate and agreed final responsibility, defining information requirements, identifying reporting requirements, creating organizational structures, setting strategic direction, defining investment categories, determining the composition of the target portfolio and defining the assessment criteria by category.

The second area covers portfolio management. It focuses on understanding the dependencies between projects, resource management, the definition of common criteria for arbitration and monitoring of portfolio performance. Portfolio management is based on 14 practices: keeping an inventory of human resources, identifying resource requirements, conducting a gap analysis, drawing up a resource plan, monitoring resource requirements and utilization, setting an investment threshold, evaluating the profitability analysis of the initial program concept, evaluating and scoring the program profitability analysis, creating a general view of the portfolio, making and communicating the investment decision, progressing the selected programs through the stages and funding them, optimizing portfolio performance, reorganizing portfolio priorities and monitoring and reporting on portfolio performance.

Finally, the third area is concerned with investment management. It addresses the identification of business requirements, knowledge of investment programs and analysis of alternatives, profitability analysis and program management throughout its economic life cycle. This area falls into 15 key processes: establishing a general definition of the investment opportunity; developing a profitability analysis of the initial program concept; promoting a clear understanding of program projects; analyzing alternatives; developing a program; developing a benefit achievement plan; identifying full life cycle costs and benefits; developing a detailed profitability analysis of the program; clearly assigning final responsibility and ownership; initiating, scheduling and launching the program; managing the program; managing and monitoring benefits; updating the profitability analysis; auditing and reporting on the execution of the program and closing the program.

All in all, ValIT claims to answer five big questions that arise regularly with respect to current IS governance:

  – the strategic question: are we doing the right thing?
  – the architecture question: are we doing it properly?
  – the implementation question: are we having it done properly?
  – the value question: will we obtain benefits?

3.2.3. IT Framework for Management of IT-Related Business Risks (RiskIT)

RiskIT was developed by the ISACA to complement COBIT and ValIT. While COBIT identifies good practice regarding ways to control risks, RiskIT is concerned with the governance of IT risk management. Based on a process approach similar to COBIT and ValIT, RiskIT covers three areas, nine processes and 47 monitoring activities. The first area is risk governance, and the aim is to establish and maintain a common view of risks, integrate IS risks into the risk strategy at the corporate level and make business decisions that take the risks into account. The second area addresses risk assessment and consists of collecting data, analyzing risk and maintaining a risk profile. The third and final area is risk response, which covers handling the situation as regards risks, managing IS risks and reacting to events.

3.2.4. Global Technology Audit Guide (GTAG)

The GTAG is a practical guide to ICT auditing and is issued by the IIA. Since the early 2000s, the IIA has produced 17 GTAGs, practical ICT audit guides that describe best practice covering internal IS audits. The various GTAGs focus on IS auditing, patch and change management auditing, continuous auditing and its implications for assurance, risk control and assessment, managing information systems audits, managing and auditing risk of privacy violations, managing and auditing ICT vulnerabilities, facilities management, auditing application controls, identity and access management, managing business continuity, developing an audit plan, auditing IT projects, fraud management, auditing applications, security governance, data analysis technologies and ICT governance.

3.2.5. Information Technology Infrastructure Library (ITIL)

The ITIL focuses on satisfaction with delivered IS services. This benchmark, which originated in Great Britain, provides in its Version 3 a set of good practices on IS organization at the operational level, on improving its efficiency, reducing risk and improving the quality of services delivered, by being attentive to the service life cycle. The adoption of ITIL by an organization enables it to implement a quality-driven approach towards the information systems management committee’s internal and external customers.

This focus on the service life cycle enables the management of IS services to be structured around the five stages in their life. Service design leads to the creation of the expected architectures and processes. Service transition schedules the move from planned services into operation. Service operation puts the operational plans into practice. Continual service improvement makes it possible to analyze the functioning of the solutions put in place and improve them. ITIL is based on the creation of a service center and a process approach built upon two central ideas: service support as close as possible to the users, on a day-to-day basis, and the quest for service provision as close as possible to business needs, over time. An application guide for ITIL in small- and medium-sized enterprises completes this benchmark.

Implementation of ITIL processes calls for the creation of a new operational unit, the Service Center, which provides the day-to-day interface between users and the service support processes at the heart of IT production. It is also the single point of contact for users of delivered services.


Figure 3.5. ITIL and continual improvement

3.2.6. International Organization for Standardization/International Electrotechnical Commission (ISO 27000)

ISO 27000 (International Organization for Standardization/International Electrotechnical Commission) is a series of norms that deals with information security governance. It introduces the concept of the information security management system (ISMS). The field covered by this suite extends from physical intervention on a site to software attacks, and from managing one simple process to complex processes calling for specific equipment and resources. ISO 27001 is the most important standard in this series, because it sets out the security requirements. ISO 27002 provides a good practice guide. ISO 27005 provides the method for carrying out a risk analysis.

3.2.7. Specific benchmarks

We will mention here the existence of particular benchmarks for the management of good IS practice on specific themes: a classification of job titles in France, The Open Group Architecture Framework (TOGAF), e-Sourcing Capability Model (e-SCM), Capability Maturity Model Integration (CMMI), Project Management Body of Knowledge (PMBOK), Projects In Controlled Environments 2 (PRINCE 2), Intellectual Capital dynamic Value (IC-dVAL) and IT Scorecard.

Cigref’s classification of job titles gives a description of the roles that exist within information systems management committees. It can be used as a basis for an information systems skills audit and more generally for structuring the information systems management in line with the strategies implemented.

TOGAF is an open benchmark that gathers together good practices with regard to urbanization. It provides an approach to the design and governance of enterprise architecture and proposes a framework for IS architecture. Recognized as a competing industry standard for engineering, it establishes close cooperation between business and technology, a nodal point of IS governance.

The e-SCM is a benchmark developed to improve relationship management between customers and IS service providers, and we have shown how this has become widespread with the development of outsourcing and cloud computing. Its objective is a mutual appraisal of the stakeholders in the IS service provision.

CMMI is a good practice benchmark, kept up to date by the Software Engineering Institute (SEI). It sets out to define, evaluate and improve the management of IT projects and the development processes, in other words, to assess capacity to manage an IS project and bring it to a proper conclusion. What is different about this benchmark is that it proposes a scale of maturity in approach by defining five levels:

  – level 1, the initial level, indicates that development processes and projects are not stable;
  – level 2 looks at the reproducibility of the processes and builds on learning;
  – level 3 presupposes standardization, making it possible to precisely define all processes such that improvements will be seen in all projects;
  – level 4 validates the controlled processes for which the measures taken and the associated forecasting make it possible to adapt certain projects without interfering with the rollout of others;
  – level 5 is attained when the capacity to adapt reaches the point where processes are optimized and improvement has become incremental, anticipated and managed. We are now in a perspective of continuous improvement.

PMBOK and PRINCE 2 are project management benchmarks. They are built on a process-based approach to project management and are complementary with approaches to process improvement such as CMMI.

IC-dVAL is a benchmark that sets a framework for the steering and valorization of intangible capital generated by the information system.

IT Scorecard is a tool that can be used to organize benchmark management and gives concise feedback on indicators of maturity relating to governance. IT Scorecard proposes the building of a dashboard composed of five perspectives: business contribution, financial profitability, user-friendliness, operational performance and future proofing. This benchmark contributes to a foundation upon which the IT director and manager can together build a balanced positioning of the IT function.

Reading this presentation of specific benchmarks reinforces the idea of overlap, not to say entanglement, between the range of standards. This raises the issue of the quest for an adaptive framework that would enable the understanding and implementation of benchmark coherence and their development through regular updates.

3.3. Implement a best practice benchmark

Faced with the multitude of standards, good practices and benchmarks, IS professionals have to make difficult choices. Implementing a benchmark is long and costly. Since the benchmarks on the market differentiate themselves from each other in their profile and emphasis, it is not unusual for a large company to use a number of benchmarks. This being the case, the implementation of benchmarks can be linked to a support contract with service providers (consultancies, software and computing services companies, etc.) and the rollout of a training and certification program.

In addition, every benchmark adopted paves the way for a reorganization of processes (often complex) and changes in stakeholders’ working practices and IS governance models.

With these impacts in mind, the information systems management committee must consider the issue of productivity versus counterproductivity of benchmarks. The implementation of standards must be thought through and planned. However, all benchmarks can be seen as following their own particular logic, linked to their history: governance, production, development, security, urbanization, skills, project management and even quality. It is these unique features that in fact give the benchmarks their strategic, organizational and operational value.

For instance, ITIL can be seen as the ideal method for managing operational control of an information system and the management of delivered IS services; COBIT can be seen as the ultimate audit and external consultancy tool, thus covering the vast field of governance, steering, control, risks, investments and audit in its strict sense; the GTAG is the international benchmark for external audit; CMMI is the appropriate vector for gaining maturity in process approaches, etc. However, at the same time, the best-known and most popular benchmarks at the international level are seeking to expand their spheres of competence – top-down for COBIT and bottom-up for ITIL – and to position themselves as essential tools.

Against a background of strong pressures in terms of standards and best practice, the implementation of a benchmark must be able to ensure the information system’s institutional and regulatory compliance, ensure a high standard of security, allow added value to be unlocked, and foster an audit and continuous improvement approach.

3.4. Exercise: GreenNRJ

GreenNRJ is a group specializing in renewable energies at the global level. Its mission is defined around principles such as meeting energy needs, optimizing and securing supply and fighting global warming. Its sphere of activity is organized around a number of energy sources: hydropower, solar, wind and geothermal. The group invests heavily in research and development (R&D) to maintain its competitive advantage. The group is structured into branches: GreenNRJ Europe, GreenNRJ International (outside Europe), GreenNRJ Infrastructure and GreenNRJ Cross Disciplinary. Within each branch, the activity is organized around business units (BUs). For example, the GreenNRJ Europe branch has four BUs. In the GreenNRJ Cross Disciplinary branch, one BU is exclusively geared towards R&D and works for other branches’ BUs. The Infrastructure branch includes an information systems management committee and the unit in charge of audits.

The distinctive feature of the group is that it must coordinate traditional energy production units (hydropower and geothermal) with far more modern ones (solar and wind). This differentiation poses problems in terms of optimization and steering of the overall energy production and distribution network. In practice, each sector’s dedicated information systems are not of the same generation, which makes interoperability and reporting difficult. It was therefore decided at the executive level to launch a massive restructuring program via a general digitization program within the group. The aim was to harmonize all IT within the organization. This program had two goals: to improve the performance of the energy production network and to drive the company’s digital transformation, the key to which is innovation with the potential to offer new services to customers.

The information systems management committee took over the project. In a dialog it initiated with the Infrastructure branch, the IS management committee defined a strategy based on four tasks to be conducted as projects in the following chronological order:

  – task 1: standardization project. A broad process of industrialization was initiated within Infrastructure to promote outsourcing of applications maintenance to a single service provider;
  – task 2: intelligent network project. This was to develop a smart energy production and distribution network, to make it easier to better predict, or control, energy consumption with the rollout of smart meters, in order to better regulate flow, leveling out peak consumption and decreasing production capacity at off-peak times;
  – task 3: virtual office project. This was to promote flexibility and remote working with workstations. Virtualization would permit unification and globalization of access offered to business departments, improved security and network optimization;
  – task 4: data warehouse project. The objective of this project was to improve GreenNRJ’s data hosting capacity by rationalizing and also reducing the number of data warehouses. This task focused on the setting up of a private cloud and providing the BUs with a shared architecture on the Infrastructure as a Service and Software as a Service model. This would be an opportunity to reduce fixed costs and simplify the exploitation processes.

In the Cross Disciplinary branch, the internal audit and quality business unit produced a report on information systems malfunctions which it passed to the BU’s IS management committee. This report showed up many existing problems in the architecture. It underlined in particular the heterogeneity of applications and infrastructure, and showed that this acted as a brake on establishing dialog between the various energy production units. The report highlighted the cost of this failure: the group was in effect driven to buy energy from its competitors when it was unable to manage the balance between production and customer demand. The report concluded by recommending a Six Sigma approach combined with a lean management strategy: a Lean Six Sigma. The recommendation defined five stages with the acronym “DMAIC”: Define, Measure, Analyze, Improve, Control. These set out to answer the following questions:

  – define: what is the objective? How do we understand the problem?
  – measure: what is the nature and scale of the problem?
  – analyze: what are the underlying causes of this problem?
  – improve: what must be done to resolve the problem?
  – control: how can we ensure sustainable performance?

The digital strategy proposal was put to the Executive. The Executive approved it, but did, however, change the order of priorities: the Data Warehouse project was now put in second place (instead of fourth), after the Standardization project. The Virtual Office project therefore moved to last place in terms of priority. The Executive then asked for these tasks to be turned into a blueprint with a target information system and levels of achievement. The Executive also ordered a specific governance provision to be implemented to supervise this major digitization program. It proposed that:

  – the Steering Committee should be composed of one board member and one representative from each branch;
  – the technical monitoring committee should be chaired by the Infrastructure branch with members of the information systems management committee, the internal audit and quality business unit, and representatives of the subcontractors involved in the project;
  – the Leading Change committee should be steered by the information systems management committee, in partnership with the internal audit and quality business unit, and should bring in a young firm of consultants keen to form an ongoing relationship with the information systems management committee and work for the company.

Test your skills

  1) How can GreenNRJ’s digital transformation project potentially create sustainable value for the group?
  2) Why did the executive change the order of priority of the tasks set by the branches? What might have motivated its decision? Do you feel it was justified? Will this have an impact on the target information system? If yes, in what way?
  3) The governance structure proposed by the executive has not yet been approved. How could it be improved to better meet expectations for this major project for the group?