Advance Praise
‘‘At last we have a solidly research-based text on the Enterprise Governance of
IT that successfully fuses business and IT perspectives. With its emphasis on the
creation of business value, and on the use of relevant metrics, this book offers a
distinctive view of these key processes. The authors, whose reputation and
experience in the field is second to none, have created a guide to the strategic
management of IT that will be an essential source for managers.’’
Professor James W. Bryant
Centre for Individual & Organisational Development
Sheffield Hallam University
United Kingdom
‘‘IT governance is a hot topic today and this book provides a wealth of practical
and useful information. Regardless of whether you are concerned about compliance issues, or worried about the alignment of your IT investment with the
corporate goals, this book will provide guidance to assist your efforts. As well as
academic models and practice oriented frameworks such as CobiT, Val-IT and
balanced scorecard, the volume includes recent case studies illustrating how the
concepts and frameworks are applied in real life companies. I strongly recommend this book to Corporate and IT Managers as well as MBA and IT
Graduate students.’’
Aileen Cater-Steel, PhD
Senior Lecturer (Information Systems)
School of Information Systems
University of Southern Queensland
Australia
‘‘The control of IT within enterprise systems has an ambiguous pattern of mismanagement and associated horror stories for new players. This book confronts
the most serious problem facing enterprise managers today with instruction,
case studies and solutions. It is a must read and a must use for those seeking to
extract top value from the IT investment in a control challenged work place.’’
Brian O. Cusack, PhD
Director CRISM Security School of Mathematics & Computer Sciences
University of Auckland
New Zealand
‘‘This text is a commendable exposition of Enterprise Governance of IT by one
of the pioneers of the field, Wim Van Grembergen, together with one of its rising
stars, Steven De Haes. The important theoretical insights presented by the
authors are skillfully balanced with practical application in the form of several
highly informative case studies. Anyone interested in the governance of IT, the
alignment between the business and IT, and the business value of IT would
benefit greatly from this exceptional volume.’’
Pontus Johnson, PhD
Industrial Information and Control Systems
KTH – Royal Institute of Technology
Sweden
‘‘This book quite appropriately moves the attention from the technology-confined to the enterprise-driven governance of IT. It offers a very complete overview of current thinking about effective IT governance.’’
Prof. dr ir R. Maes
Dean of the Information Management Program
PrimaVera Program Director
Universiteit van Amsterdam Business School
Sweden
‘‘The shift from IT governance to Enterprise Governance of IT is not just
playing with words – it represents a significant cultural change – a change
that is essential if enterprises are to realize value from their increasingly significant and complex investments in IT-enabled change. This book provides a
valuable resource to anyone who believes that we can and must do better.’’
John Thorp
President of The Thorp Network Inc.
Author, ‘‘The Information Paradox’’
Wim Van Grembergen · Steven De Haes
Enterprise Governance of Information Technology
Achieving Strategic Alignment and Value
Wim Van Grembergen
University of Antwerp
University of Antwerp Management
School
Sint Pauwels, Belgium
[email protected]
Steven De Haes
University of Antwerp
University of Antwerp Management
School
Malle, Belgium
[email protected]
ISBN 978-0-387-84881-5
e-ISBN 978-0-387-84882-2
DOI 10.1007/978-0-387-84882-2
Library of Congress Control Number: 2008936215
© Springer Science+Business Media, LLC 2009
All rights reserved. This work may not be translated or copied in whole or in part without the written
permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York,
NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in
connection with any form of information storage and retrieval, electronic adaptation, computer
software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they
are not identified as such, is not to be taken as an expression of opinion as to whether or not they are
subject to proprietary rights.
Printed on acid-free paper
springer.com
Preface
‘‘Enterprise Governance of IT’’ is a relatively new concept in literature and is
gaining more and more interest in the academic and practitioner’s world.
‘‘Enterprise Governance of IT’’ is about defining and embedding processes
and structures in the organizations that enable both business and IT people to
execute their responsibilities in creating value from IT-enabled business investments. As an example of its growing importance, the standardization organization ISO issued in 2008 a new worldwide ISO standard in this domain.
Within the UAMS – ITAG Research Institute (University of Antwerp
Management School – IT Alignment and Governance Research Institute), we
have been executing applied research in this domain for many years now. With
this book, we want to provide a complete and comprehensive overview of what
Enterprise Governance of IT entails and how it can be applied in practice. Our
conclusions in this book are based on our knowledge obtained in applied
research projects, our many years of involvement in the development of
COBIT and Val IT, our own hands-on experience in many industries in governance and alignment projects, and international state-of-the-art literature. In this
way, this manuscript encompasses both academic models and concepts, but
also includes practice-oriented frameworks such as COBIT and Val IT and
discusses and analyzes many practical case studies in different industries.
The target audience for this book is threefold:
Master students, for whom this textbook can be used in courses typically on IT
strategy, Enterprise Governance of IT, IT management, IT processes, IT and
business architecture, IT assurance/audit, information systems management,
etc.
Executive students in business schools, for MBA type of courses where IT
strategy or IT management modules are addressed.
Practitioners in the field, both business and IT managers, who are seeking
research-based fundamentals and practical implementation issues related to
it in the domain of Enterprise Governance of IT.
This book is organized around eight main chapters. Chapter 1 defines the
core concepts around Enterprise Governance of IT as a means to enable
business/IT alignment and business value from IT. This chapter also includes
detailed research results on how business goals can be translated into/aligned
with IT goals and vice versa. Chapter 2 builds on the first chapter and provides
an overview of best practices that organizations can leverage to implement
Enterprise Governance of IT. A lot of case studies are described in this chapter,
as each individual governance implementation will be different depending on
the organization’s size, sector, geography, etc. Finally, detailed discussions are
laid out regarding the effectiveness, ease of implementation and importance of
each of the presented practices for Enterprise Governance of IT. In Chapter 3,
the impact of Enterprise Governance of IT implementations on business/IT
alignment will be discussed. The first question is how an organization can
measure and evaluate its current status of business/IT alignment. This discussion is supplemented with a benchmarking case, where business/IT alignment
was measured for the Belgian financial services sector. Next, the impact of
Enterprise Governance of IT practices on business/IT alignment is analyzed
and illustrated with cases. Chapter 4 introduces the IT balanced scorecard as a
framework for Enterprise Governance of IT. This chapter discusses the core
concepts of the IT BSC and explains how the IT BSC can be used as an
instrument for Enterprise Governance of IT. Chapter 4 also includes a detailed
case study of a working IT balanced scorecard implementation. Chapter 5
positions COBIT in the field of Enterprise Governance of IT. This chapter
discusses in detail all the core elements of the COBIT framework and explains
how organizations should leverage them for the purpose of Enterprise Governance of IT. In relation, Chapter 6 continues by discussing how COBIT can also
be leveraged as a framework to execute IT assurance/audit assignments. This
chapter also offers a lot of hands-on templates that can be used in practice.
Where COBIT addresses the IT processes, Val IT covers the IT-related business
processes. This Val IT framework is addressed in Chapter 7, again explaining
all core concepts and implementation issues. Chapter 8 finally provides some
guidelines to get started with Enterprise Governance of IT and outlines a
balanced scorecard for Enterprise Governance of IT, to manage and measure
the outcome of the governance project.
To support the reader in understanding and absorbing the material provided, each chapter provides (short and long) ‘‘assignment boxes’’ where readers
can apply the concepts explained in comprehensive exercises. Also, at the end of
each chapter, a summary and study questions are available enabling the reader
to cross-check the insights obtained in a chapter. For people who want more
information, each chapter provides hooks to more detailed background material by way of literature references and website links. This textbook is heavily
based on research executed within the UAMS – ITAG Research Institute. For
readers with research interest, ‘‘research boxes’’ are inserted in the text each time
giving some background on research methodologies and strategies used in
executing the different research assignments.
We hope that with this book, we can contribute to further developing the
emerging knowledge domain of Enterprise Governance of IT. This book is one of
the outcomes of our activities within the UAMS – ITAG Research Institute. We do invite the readers to visit our website for more information on our research activities and publications. Also, we welcome reactions to
this book or sharing experiences in the domain of Enterprise Governance of IT
via [email protected] and [email protected]
Wim Van Grembergen
Sint Pauwels, Belgium
Steven De Haes
Malle, Belgium
Acknowledgments
We would like to thank all involved in participating in our research and
teaching activities and in writing this book. Without the support of these
people, the development of this book could not have been satisfactorily
completed.
We gratefully acknowledge the business and IT managers who shared their
insights and practices on Enterprise Governance of IT and participated in one
or more of our research projects. We appreciate the support provided for this
project by the Business Faculty of the University of Antwerp (UA) and the
University of Antwerp Management School (UAMS) and by our colleagues in
these institutions. A special word of appreciation goes to our colleague
researcher in the UAMS – ITAG Research Institute, Hilde Van Brempt, who
contributed in a very constructive way in the execution of many of our research
projects. We would also like to thank our master and executive students and the
members of the UAMS IT Management Advisory Board who provided us with
many ideas on the subject of Enterprise Governance of IT and its related
mechanisms.
We would also like to express our gratitude toward the board of directors,
the management committee and all the staff and volunteers of the IT Governance Institute (ITGI). Our involvement in the COBIT and Val IT development
activities has been of great value in further progressing our ideas.
We would also like to thank our publisher Springer who showed great
interest in our research and book project, and from whom we received magnificent support in managing this project.
Last but not least, we would like to thank our families. Wim would like to
extend his gratitude to Hilde, Astrid and Helen who always supported and
helped him with every project including this book. Steven wishes to thank
Brenda for her loving support and patience and wants to dedicate this book
to his children Ruben, Charlotte and Michiel.
Contents
1 Concepts of Enterprise Governance of IT
  1.1 Enterprise Governance of IT
    1.1.1 Why Governance of IT?
    1.1.2 From IT Governance to Enterprise Governance of IT
  1.2 Enterprise Governance of IT and Business/IT Alignment
    1.2.1 Business/IT Alignment
    1.2.2 Aligning Business Goals and IT Goals
  1.3 Business/IT Alignment and Business Value from IT
  Summary
  Study Questions
  Further Reading
  Websites
2 Enterprise Governance of IT in Practice
  2.1 Best Practices for Enterprise Governance of IT
  2.2 Case Studies on Enterprise Governance of IT
    2.2.1 Short Case on Structures – Vanbreda (Insurance)
    2.2.2 Short Case on Processes – Sidmar/Arcelor (Steel)
    2.2.3 Short Case on Relational Mechanisms – Huntsman (Chemicals)
    2.2.4 In-depth Case – KBC (Finance)
  2.3 Customizing the Framework for Enterprise Governance of IT
    2.3.1 Effectiveness and Ease of Implementation
    2.3.2 Minimum Baseline Practices
    2.3.3 Looking for Highly Effective Practices That Are Easy to Implement
  Summary
  Study Questions
  Further Reading
  Websites
3 The Impact of Enterprise Governance of IT on Business/IT Alignment
  3.1 Measuring Business/IT Alignment
    3.1.1 The Matching and Moderation Approach
    3.1.2 The Profile Deviation Approach
    3.1.3 The Scoring Approach
    3.1.4 The Maturity Model Approach
  3.2 Business/IT Alignment Benchmark
  3.3 The Relationship between Enterprise Governance of IT and Business/IT Alignment
    3.3.1 Extreme Cases on Business/IT Alignment
    3.3.2 Short Case – Enterprise Governance of IT in a Poorly Aligned Organization
    3.3.3 Short Case – Enterprise Governance of IT in a Highly Aligned Organization
  Summary
  Study Questions
  Further Reading
  Websites
4 The IT Balanced Scorecard as a Framework for Enterprise Governance of IT
  4.1 Introduction
  4.2 IT BSC Core Concepts
  4.3 Maturity Model for IT BSC Implementation
  4.4 In-depth Case – IT BSC at a Major Canadian Financial Group
    4.4.1 Company Introduction
    4.4.2 IT BSC Project and its Organization
    4.4.3 Building the IT BSC
    4.4.4 Maturity of the Developed IT BSC
  Summary
  Study Questions
  Further Reading
  Websites
5 COBIT as a Framework for Enterprise Governance of IT
  5.1 Introduction
  5.2 The COBIT Framework
    5.2.1 Business Goals/IT Goals and Information Criteria
    5.2.2 IT Processes
    5.2.3 IT Resources
    5.2.4 Overall COBIT Framework
  5.3 COBIT Control Objectives
    5.3.1 Control Objectives and Control Practices
    5.3.2 Generic Process Controls and Application Controls
  5.4 COBIT Management Guidelines
    5.4.1 Inputs/Outputs
    5.4.2 RACI Diagram
    5.4.3 Goals and Metrics
  5.5 COBIT Maturity Models
  5.6 COBIT and Other Frameworks
  5.7 COBIT and Compliancy for Sarbanes-Oxley
  5.8 Adapting COBIT to Your Needs
  Summary
  Study Questions
  Further Reading
  Websites
...