Agile IT Governance

IT Governance for Board Members


Differences between COBIT and Agile IT Governance


After introducing the traditional IT governance frameworks, I would like to point out some differences between them and an agile approach. I will examine the COBIT model:

1. COBIT is a generally applicable and accepted standard for IT governance that focuses more on control and less on execution. Control inherently induces the need for documentation and contract negotiation. Agile IT Governance, on the other hand, emphasizes execution and the collaboration between individuals needed to achieve it. COBIT could be strengthened further by emphasizing the latter as much as the former.

2. COBIT requires that policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. This comprehensive documentation can be disastrous if the documented process is inherently flawed and cannot adapt to rapid changes in the business environment. Agile IT Governance emphasizes the need for working governance vs. comprehensive documentation on governance processes. COBIT could benefit from a balanced emphasis on just-enough process documentation for legal compliance and baseline business activity.

3. COBIT states that, to successfully deliver services that support the enterprise’s strategy, there should be clear ownership of the requirements and deliverables. Of the dozens of managers in a business unit, which individuals have the right level of subject matter expertise, or the organizational relationships, to enable clear ownership and direction of the requirements? The answers to these questions can vary widely depending on who you ask. COBIT could benefit from the consideration that identifying the wrong owner can lead to flawed governance. Agile IT Governance mitigates this risk by focusing on identifying the right person to fill the role of “the owner” for the right stage of the project.


4. COBIT believes that processes and tools make enterprises quick to adapt. Processes and tools can only be as effective as the people who design them, and they remain effective only for a specific period of time. Processes and tools often lack the ability to adapt to changing business environments. The emphasis on individuals and interactions helps overcome these challenges because it allows teams to maneuver with agility and adapt to the circumstances at that point in time. COBIT could benefit from consideration of the Agile principles, which emphasize individuals and interactions over tools and processes.


5. To satisfy business objectives, COBIT emphasizes complying with the laws, regulations and contractual arrangements to which the business process is subject. The emphasis is again on contract negotiation, not on collaboration. The word “contract” often awakens adversarial feelings and can lead to counter-productive behavior. While a framework for Agile IT Governance appreciates the value of contracts, it laments the fact that there is no mention of the word “collaboration” in COBIT.


It’s no longer a question of whether organizations should adopt an agile governance framework, but rather, why you think yours doesn’t already. What are your experiences with traditional governance frameworks? What is your opinion about an agile approach to governance?

5 Benefits of Traditional IT Governance Frameworks


Effective IT governance remains an extremely relevant discussion in boardrooms around the world. While forward-thinking organizations have the alternative of creating their own agile governance frameworks, another viable option is to adopt the traditional frameworks developed over time. There are a few compelling reasons to adopt a traditional governance framework:

1. Efficiency – Time is the most valuable resource today. So why spend so much of it on developing a framework based on limited experience when internationally adopted frameworks exist?

2. Structure – Most frameworks have a pre-defined structure that can be implemented in a fairly precise manner. And structure is helpful to get people on the same page and understand what the expectations are.

3. Best Practices – Most of the widely used governance frameworks have evolved over time, and include best practices from many different organizations. Efforts of a single organization can rarely ever match the cumulative years of experience reflected in these models.

4. Knowledge Sharing – Ideas can be shared between executives from different organizations by following a common vernacular embedded in a governance framework.

5. Auditable – In the absence of standards, effective assessment of controls becomes more difficult for auditors, especially third-party auditors.

Which is the “right” IT Governance Framework for your organization?

Given these choices, decision-makers are faced with the predicament of deciding which framework is right for them. For example, COBIT is strong from the perspective of metrics and controls. IT security is covered very well by ISO 17799, while processes are emphasized by ITIL. If an organization felt these frameworks were applicable to it, it would analyze the three and combine best practices from each based on the organization’s requirements.

The emphasis for traditional IT Governance is the need for:

  • Governance principles
  • Strategic direction
  • Organizational structure
  • Process discipline
  • Relationship management functions

As I mentioned before, traditional IT Governance models do not emphasize Agile Principles. All of the traditional frameworks, while robust on their own, could be strengthened further. They could be made more effective by including components of the Agile Principles.

Three Internationally Recognized IT Governance Frameworks


When approaching IT Governance, there are a number of frameworks, maintained by various governing bodies, that reflect the experience of hundreds of organizations. However, three frameworks appear quite frequently:

COBIT
Recently, ISACA released COBIT 5, the latest version of its internationally recognized “Business Framework for the Governance and Management of Enterprise IT.” COBIT, initially an acronym for ‘Control Objectives for Information and Related Technology’, defines 34 generic processes to manage IT. Each process is defined together with its inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.

COBIT 5 provides an end-to-end business view of the governance of enterprise IT. It reflects the central role of information and technology in creating value for enterprises. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.

ITIL
The IT Infrastructure Library, or ITIL®, was maintained until 2010 by the United Kingdom’s Office of Government Commerce (OGC). Since 2010 it has been owned by the British Government.

ITIL is a set of practices for IT service management that focuses on aligning IT services with the needs of business. In its current form – ITILv3 and ITIL 2011 edition – the standard is published in a series of five core publications. Each publication covers an IT service management lifecycle stage: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.

ITIL is a widely accepted approach to IT service management. Providing a cohesive set of best practice guidance drawn from the public and private sectors across the world, it has recently undergone a major and important refresh process.

ISO 17799
ISO 17799’s full title is “Information Technology – Code of Practice for Information Security Management.” The ISO first released it in December 2000; however, it was originally published by a government department in the United Kingdom on the basis of British Standard 7799 (BS 7799). The standard was intended to focus on security and to assist organizations in creating an effective IT security plan. In 2005, ISO 17799 was republished to reflect changes in technology.

ISO 17799 lists a number of specific security controls that may be applicable to an IT environment. Selection from these controls is normally performed via a risk assessment, using the methods outlined within ISO 27001. ISO 17799 and ISO 27001 are already global standards, with established compliance and certification schemes in place.

COBIT, ITIL and ISO 17799 represent traditional IT Governance frameworks. While traditional IT standards are strong and well respected, they can be strengthened further by leveraging the principles of Agile IT Governance.


How to Facilitate IT Infrastructure Changes


CIOs must always be alert about communicating how their infrastructure investments are aligned with business initiatives.

Agile IT executives embrace flexibility and agile processes that harness change to foster innovation for the organization’s competitive advantage. I encourage CIOs to respond to changes in their business and technology environments every quarter, rather than following a plan for a year or longer. Underestimating the importance of effectively managing change inevitably leads to failure. This can have costly results, including missed business objectives and decreased performance. Hence the very high turnover rate of technology executives compared with executives in other disciplines such as Marketing or Finance.

IT infrastructure changes must be adopted based on an organization’s personnel capabilities. Before IT changes are adopted, CIOs must deliberate whether there is compatibility between technology and the human resources available. Ensuring that the employees are able to utilize the new technology for improved productivity is essential for reaping benefits. To make sure the change provides the desired benefits, an organization must invest in training and transition periods for implementation and integration.

A transition period is mandatory between implementation and full integration of new systems and technologies as they become available. It should be expected that training and transition periods will not go smoothly every time. People need time to become familiar with new technologies and to effectively utilize them. Typically, organizations aim to keep both time and money costs as low as possible during the transition. This is impractical. Planning for a realistic period of acclimatization is essential. Instead of the supposed benefits, the investment in the new technology could end up wasting both time and money if not used to the best effect.

While there’s no perfect solution, I believe a strong communication plan comes close. CIOs must make sure they are consistent in communicating with all stakeholders. At the same time, they must ensure employees understand what support they will receive during the change.

In this context, organizations should have a formal procedure for managing change that can help the entire workforce adapt to new priorities. That means creating an agile process that addresses change not as a one-time occurrence but as an ongoing activity. Efficient change management should be part of an extensive strategic management approach focused on improving overall performance to drive the desired business results.

Speaking at The Excellence in Governance, Risk Management, and Compliance (EGRC) Conference


I’m delighted to announce that I will be presenting a class at EGRC 2012. The Excellence in Governance, Risk Management, and Compliance (EGRC) Conference is a three-day event in Portland, Maine from June 12-14.


I will be presenting at 8:30 AM & 4:30 PM on the 13th of June. I have submitted a session proposal focused on my forthcoming book, The 12 Principles of Agile IT Governance. It lays out a holistic approach for board members to follow so that they may help their organizations achieve a sustainable technology advantage.

The EGRC conference is the successor to the eight Excellence in Information Technology Compliance (EITC) and Common Information Security for Banks (CISB) conferences produced by NMI LLC between 2003 and 2011. EGRC 2012 is a three-day conference that covers all aspects of security, governance, risk management, and compliance in greater breadth and depth than the EITC or CISB conferences.

Session categories are summarized by the abbreviation “SGRC,” as follows:

  • Security — topics related to information security in all its forms, including electronic and non-electronic information, controls, storage, and protection.
  • Governance — topics related to enterprise governance, information technology governance, business planning & management, public relations, etc.
  • Risk Management — topics related to risk assessment & management, including asset valuation, threat assessment, vulnerability assessment, and control evaluation, crossing all areas of risk including financial, legal, reputational, operational, information technology, compliance, and credit risk.
  • Compliance — topics related to legal, regulatory, and standards compliance, including GLBA, SOX, HIPAA, FERPA, FISMA, COBIT, COSO, ITIL, ISO 27001, FFIEC, NERC, CIP, DHS, NIST, and all other legal, regulatory, and standard control targets.

EGRC 2012 offers tracks for specific job levels, including Board Members & Senior Management, SGRC Management, and SGRC Practitioners. EGRC offers outstanding value to financial institutions, insurance companies, healthcare organizations, energy & utility companies, and all industries that are part of Critical Infrastructure Protection (CIP).

The cornerstones of EGRC are user experience sessions presented by people in all job functions and levels who have faced and solved problems in security, governance, risk management, and compliance. You can find the entire list of instructors on the conference website, along with their biographies and the detailed abstracts for each class listed in the event schedule.

I’m looking forward to it. Are you coming?

See the EGRC 2012 official website for more information and registration details.

What is Agile IT Governance?


An Agile IT Governance Model is key to achieving success in turbulent business environments, since traditional IT Governance does not emphasize Agile principles. Although the need for effective governance is widely acknowledged, the resources organizations invest in making governance models more agile are negligible.

Agile IT Governance is an accountability framework that encourages desirable behavior in both business and IT by emphasizing the principles of the Agile Manifesto.

The Agile IT Governance Model is based on the core beliefs that:

  • serving shareholder interests and creating shareholder value is paramount;
  • collaboration between stakeholders yields more productive governance processes;
  • flexibility fosters innovation, which creates competitive advantage;
  • self-organizing teams increase the effectiveness of IT governance;
  • board members carry the ultimate responsibility for driving the organization’s IT Governance agenda.

These beliefs are sustained by the understanding that agility requires the ability to integrate and automate business processes quickly. Continuous attention to excellence and good design is also important. To align business and IT, active oversight by board members and executive management is critical. Agile Governance Models enable a consistent overlapping of IT objectives with business objectives. They are based on the Agile Principle that business people and developers must work together daily throughout the project.

The IT environment in enterprises has become exceptionally complex. In this IT-centric world, traditional IT Governance can only benefit from evolving into a more Agile state. An Agile IT Governance Model is key to achieving this objective, impacting shareholder value positively and delivering tangible benefits in today’s ultra-competitive environments.

Are Your IT Investments Delivering “Value for Money”?


IT organizations frequently suffer a bad reputation among the business units that provide their budgets. One often hears in boardrooms that IT is failing to deliver “value for money”, and there is rarely anyone from IT present to counter that opinion. Part of the reason for poor ROI from IT investments is that organizations focus on implementing technologies rather than on meeting well-articulated business benefits.

IT investment is not just about technology. CIOs should focus on identifying and managing the delivery of business benefits. This focus includes engaging business managers and IT professionals in a way that enables them to apply their collective knowledge to creating business value. Judging the value of an IT investment remains a complicated and ambiguous task.

How can management ensure that investments made in IT are not a waste of money?

A key principle behind a well-known IT Governance framework, Val IT, is to objectively select those IT investments that have the highest potential to create value, and to manage all IT investments to maximize value.

Val IT is a suite of publications produced by the IT Governance Institute (ITGI) that provides a framework for the governance of IT investments. It is a formal statement of principles and processes for IT portfolio management. The portfolio approach to managing IT projects means that executives take action when investments are not delivering the desired results, just as mutual fund managers would with the stocks in their investment portfolio.

Val IT describes the concept of value by exploring if an organization has:

  • a clear understanding of benefits
  • clear accountability for benefits
  • relevant metrics
  • an effective benefits realization process

An important issue in understanding the business value of information technology is expressing the benefits of IT in a manner that senior executives and board members can relate to.

Results – are they worth the price paid? Board members often ask whether the results are worth the price paid. Fact-based measurement of outstanding scope, work completed, total expenditure and trends is required to answer this question accurately. The more maturity the IT management team shows in answering this question, the more capable it is of making informed portfolio decisions that influence the prioritization of business imperatives.

Do delivered solutions meet expectations fully? With this, we also ask whether the full range of corporate policies, including security, architecture quality, risk and so forth, is satisfied by the solutions delivered. The ability to answer this question across a portfolio of projects drives consistent delivered results. Extending the meaning of this question also has process implications, which provide a leading indicator of the completeness of the solution. These processes enable governance to be more than a guidance exercise.

Just having technology creates limited value. Shareholder value and business benefits result from the effective organizational use of IT assets.

Corporate Governance vs. IT Governance


A business is an organic whole where all business units have an important role to play to achieve success. For the organization to flourish, appropriate direction and control over all business units must be exercised by its Board. Effective Corporate Governance procedures must be deployed.

Traditionally, the Board has had a set of Corporate Governance responsibilities, which include:

  • Setting the company’s strategic goals, creating a long term strategy, taking into account present and future opportunities and threats.
  • Appointing and directing the management of the business to ensure their actions drive the achievement of goals in the best and most appropriate way to benefit the shareholders.
  • Supervising and monitoring performance, to ensure goals are met and corporate officers are properly managing the business.

The main objective is always to represent the interest of shareholders to the best of the board’s abilities.

IT governance has traditionally been defined as specifying the decision rights and accountability framework that encourage desirable behavior in the use of IT. The emphasis for IT governance has been the need for governance principles and strategic direction, as well as the necessary organizational structures, joint processes and relationship management functions. Also, IT governance matters have rarely been a priority for a company’s Board.

However, times have changed quite significantly. The nature of contemporary business has made organizations heavily reliant on IT. As a consequence, effective IT Governance is having a greater impact on the overall effectiveness of Corporate Governance, and requires greater attention from the Board. That is why it never ceases to cause wonder in my mind when I think about how few people who serve, or have served, in a CIO or CTO role are represented on a company’s board of directors.

The IT landscape in enterprises has become extraordinarily complex. It has also become more expensive, because the complexity of internal and external structures and relationships is also increasing. In this new IT-dominated world, traditional Corporate and IT Governance could both benefit from evolving into more Agile models that focus on prioritizing:

  • Individuals and interactions over governance processes and tools
  • Working governance over comprehensive documentation
  • Collaboration over contract negotiation
  • Responding to changes in the business and technology environment

The ever-increasing necessity to pay attention to IT to increase a company’s competitive advantage, compared with the scarcity of deep IT expertise at Board level, is a cause for concern. The issue has become widely acknowledged. In a recent PwC survey, company directors quoted among the top Board governance issues the need to “include directors with some expertise in social media and cloud computing or … hire outside advisors with IT experience.” Recent surveys show only 8% of directors have IT expertise and only 15% use outside IT advisors.

In conclusion, today’s business climate requires a paradigm shift: it is not really a matter of Corporate Governance versus IT Governance, but of Organic Organizational Governance, with an increased focus on Information Technology at the board level.

What is IT Governance?


As business conditions become increasingly competitive, the manner in which a company’s board of directors governs its technology initiatives is undergoing increasing scrutiny from shareholders. Executive management is aware of this scrutiny as well. A recent IT Governance Institute study, which polled executives in 21 countries across 10 industries, reveals that the importance of IT in the enterprise is apparent across all levels of an organization. The Global Status Report on the Governance of Enterprise IT study reveals that IT Governance is a priority within most organizations. Only 5% indicated that they do not consider it important. Two-thirds have some IT Governance activities in place. The most common activities are the use of IT policies and standards and the employment of defined and managed IT processes. The main driver for IT Governance related activities is ensuring that IT functionality aligns with business needs. The outcome is better management of IT-related risk, but also improved communication and relationships between business and IT.

Relatively obscure a few years ago, IT Governance has been brought into the light by some major factors, such as:

  • an ever growing list of financial regulations
  • pressure from customers and shareholders
  • increased necessity to react in a timely manner to highly competitive business conditions

Simply put, IT governance is a process to ensure the strategic alignment of IT initiatives with business objectives. The goal is to achieve maximum business value through the development and maintenance of an effective IT control model. IT Governance, as a set of procedures, best practices and guidelines, increases stakeholder confidence while reducing business risk.

At its core, IT governance is about communicating vision. It is also about verifying that everybody makes decisions in line with that vision.

The purpose of IT governance is to ensure that the performance of an organization’s IT department meets the following objectives:

  • Aligns with business goals
  • Delivers promised results and benefits
  • Maximizes technology advantages to improve the ability of business units to compete
  • Exploits new opportunities
  • Responsibly uses IT resources
  • Appropriately manages IT-related risks

The main objective of IT governance is to understand the strategic importance of IT since it plays an essential role in ensuring a business can sustain its operations with a reasonable degree of capital efficiency. It is through good governance that the business can ascertain its ability to implement the strategies necessary to win in competitive markets.

Weak alignment between business and IT strategy is one of the main reasons why organizations fail to benefit from the full potential of their IT investment. To sustain improvements in company performance, business and IT alignment should be regularly evaluated. An important aspect of this reevaluation is consideration of the role IT Governance plays in the company’s decision making processes. I will address this issue further in future posts.

Welcome to the Agile IT Governance blog!


Hi. I am Chiranjeev Bordoloi. I am deeply passionate about helping organizations maximize their technology advantage to achieve business goals. Agile IT Governance by a company’s board of directors is critical towards achieving this objective. I decided to start blogging to share my observations. I am hoping you will share your thoughts as well.

Who am I?

I am a Management Consultant. I have decades of business and IT experience, from having served in senior executive roles at Fortune 500 companies and innovative start-ups. My experience includes serving as a board member alongside institutional investors and executives from diverse backgrounds. This level of visibility has provided me with the perspective that an Agile IT Governance Model is key to achieving success in competitive business environments. I have researched and consulted board members on the subject of IT Governance for many years and am currently writing a Doctoral Dissertation on the subject.

Why the need for a dedicated Agile IT Governance blog?

Although the need for effective governance is widely acknowledged, and agile principles have permeated IT organizations, there is a scarce allocation of resources towards making board governance models more agile at a practical level.

In my future articles, I will write about Agile IT Governance as a framework that encourages desirable behavior in both business and IT organizations by emphasizing the Agile Manifesto. I strongly believe an effective Agile IT Governance model is key to achieving success in today’s ultra-competitive business environments.

As traditional IT Governance models do not overtly emphasize Agile principles, this blog aims to bridge the gap. The intent of this blog is to highlight IT Governance best practices that embrace agility.

Let’s start the discussion

The Agile IT Governance model is fundamentally about collaboration. In that spirit, I greatly appreciate your contributions in helping develop this nascent field. Please feel free to invite your friends and business partners to join the conversation.

For all who are looking for a space to share innovative ideas in the field of IT Governance, you have come to the right place. Please add Agile IT Governance to your LinkedIn and Twitter communities to keep track of articles and comments. You can find me on LinkedIn, and on Twitter @AgileITGov. Tune in shortly for my next post!
