IT Governance Hands-on: Using COBIT to Implement IT Governance
By Luc Kordel, CISA, RE, CISSP, CIA, RFA
In the past, running an IT organization as a support function—a function separate and distinct from the business—was a common practice. Now, most IT infrastructure investments and new IT applications span business lines and functions. Some organizations even integrate partners and customers into their internal processes. Therefore, CEOs and CIOs increasingly feel the need for a tighter relationship between IT and the business. But how should they deal with this strategic challenge? The key questions are:
• Is there a framework to guide business and technology management leaders in their efforts to change information technology’s role within the organization and to close the gap between IT and the business that IT is supposed to support and drive?
• What are the responsibilities at the board and management levels?
• Is this a governance issue?
The Need to Change IT’s Role
This perennial management hot item was discussed in a series of recent articles and studies in leading management journals:
• Consultants Dan Lohmeyer, Sofya Pogreb and Scott Robinson examined the question, “Who is accountable for IT?” and concluded that business leaders are.[2] To derive full value from their IT investments and use technology as a competitive weapon, organizations should make their business leaders accountable for the return on IT investments by putting them in charge of setting the IT agenda. Moreover, senior executives should have the courage to realign the IT and business organizations to create a partnership between the two sides.
• Research into IT management practices at hundreds of companies around the world has shown that most organizations are not generating optimal value from their IT investments. The most important factor distinguishing top-performing from substandard-performing organizations is the level of leadership by business and senior managers in a handful of key IT decisions. This led Jeanne W. Ross and Peter Weill, research scientists at the MIT Sloan School of Management, to formulate a list of six IT decisions in which leadership responsibility by business and senior managers would generate real value for their IT investments while avoiding IT disasters.[3] These six IT decisions relate to strategy and execution. Strategic decisions IT managers should not be making are the level of IT funding as a result of the strategic role of IT, the clear and focused allocation of IT resources, and the balance between companywide centralized IT capabilities and business-unit IT capabilities. The operational decisions IT managers should not be making are decisions about the service level of IT (how good IT services need to be), the trade-off between security/privacy and convenience, and the business manager accountability for IT projects.
• Consultants Jürgen Laartz, Eric Monnoyer and Alexander Scherdin reported on successes at leading companies where business and IT managers have been working closely together to change the way information technology supports the business.[4] Although business ownership of IT is in its infancy, business leaders can be in charge of IT decision-making. Even after projects are well underway, they continue to own these IT decisions. In that way, business leaders gain more control over IT assets that directly affect their business and have a greater insight and understanding of what it takes to manage and invest in technology. As a result, they have cut the costs of IT, made it easier to change the business, avoided the constraints of inflexible support systems and increased the participation of business leaders in the management of IT.
• In the highly discussed and criticized article “IT Doesn’t Matter,” in the Harvard Business Review, Nicholas G. Carr, independent author, consultant...