A Roadmap for Implementing and Improving IT Governance
As previously discussed, all Federal departments/agencies were charged with establishing an IT Governance program per OMB Memorandum M-09-02.
Optimal value can be realized from leveraging IT Governance only if it is effectively adopted and adapted to suit each enterprise’s unique environment. Each implementation approach will need to address specific challenges, including managing changes to culture and behavior. In addition, implementation must be based on a continual improvement life cycle.
This blog highlights two critical implementation aspects – adapted from COBIT5® (COBIT5®, ISACA, 2012):
- Making a business case for the implementation and improvement of IT Governance
- Creating the appropriate environment for successful adoption of IT Governance
IT Governance does not occur in a vacuum. Every enterprise needs to design its own implementation plan depending on factors in the enterprise’s specific internal and external environment, including:
- Ethics and culture
- Applicable laws, regulations and policies
- Mission, vision and values
- Enterprise-wide governance policies and practices
- Business plans and strategic intentions
- Operating model and level of maturity
- Management style
- Risk appetite
- Capabilities and available resources
It is critically important to leverage and build on existing enterprise governance initiatives. The optimal approach for implementing IT Governance will be different for every enterprise, and the context needs to be understood and considered. Key success factors for successful implementation include:
- Top executive providing the direction and mandate for the initiative on an ongoing basis
- Visible ongoing commitment and support from key leadership executives
- All parties supporting the processes to understand the business and IT objectives
- Ensuring effective communication and enablement of the necessary changes
- Tailoring good practices and standards to fit the unique context of the enterprise
- Focusing on quick wins and prioritizing the most beneficial improvements that are easiest to implement
IT Governance implementation initiatives must be properly and adequately managed. Support and direction from key leadership executives can ensure that improvements are adopted and sustained. Requirements based on current challenges should be identified by management as areas that need to be addressed, supported by early commitment and buy-in of relevant key leadership executives and enabled by objectives and benefits that are clearly expressed in a business case. Following leadership commitment, ensuring adequate resources and assigning key program roles and responsibilities will ensure sound implementation for the IT Governance program – with care taken on an ongoing basis to maintain commitment from all affected executives. Indeed, appropriate structures and processes for oversight and direction will also ensure ongoing alignment with enterprise-wide governance and risk management approaches. Leadership should provide visible support to set the ‘tone at the top’ and ensure commitment for the program at all levels.
Successful implementation depends on implementing the appropriate change in the appropriate way. In many enterprises, there is a significant focus on the first aspect—core IT Governance—but not enough emphasis on managing the human, behavioral and cultural aspects of change and motivating key leadership executives to buy in to change. Indeed, various key leadership executives involved in, or impacted by, new or revised IT Governance enablers may not readily accept and adopt change, making it necessary to address resistance through a structured and proactive approach. Also, a communication plan can optimize awareness of the implementation program – such a plan defines what will be communicated, in what way and by whom, throughout the various phases of the program. Human, behavioral and cultural barriers can be overcome to properly adopt change, instill a will to adopt change, and ensure the ability to adopt change.
The implementation life cycle provides a way for enterprises to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are:
1. Core continual improvement life cycle—as opposed to a one-off project
2. Change enablement—addressing the behavioral and cultural aspects
3. Program management—following generally accepted project management principles
The implementation life cycle and its seven phases are illustrated below from figure 17 of COBIT 5.
Phase 1: recognition and agreement on the need for an implementation or improvement initiative. It identifies the current pain points and creates a desire to change at executive management levels.
Phase 2: focus on defining the scope of the implementation or improvement initiative, considering how risk scenarios could also highlight key processes on which to focus. An assessment of the current state will need to be performed to identify issues or deficiencies by carrying out a process capability assessment. (Large-scale initiatives should be structured as multiple iterations of the life cycle in order to achieve visible successes and keep key leadership interest.)
Phase 3: improvement target set, including a more detailed analysis to identify gaps and potential solutions. (Some solutions may be quick wins and others more challenging and longer-term activities – priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.)
Phase 4: practical solutions with defined projects supported by justifiable business cases and a change plan for implementation are developed. (Well-developed business cases help to ensure that project benefits are identified and monitored.)
Phase 5: proposed solutions implemented into day-to-day practices, measurements are defined and monitoring established, ensuring that business alignment is measured, achieved and maintained.
Phase 6: sustainable operation of the new or improved IT Governance initiatives and the monitoring of the achievement of expected benefits.
Phase 7: overall success of the initiative reviewed, further requirements for IT Governance are identified, and need for continual improvement is reinforced.
Over time, the life cycle should be followed iteratively while building a sustainable approach to the IT Governance of the enterprise.
To ensure the success of the IT Governance implementation initiative, a sponsor should take ownership, involve all key leadership executives, and provide for a business case. Initially, the business case can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities; the business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:
- Business benefits, their alignment with business strategy and the associated benefit owners.
- Business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
- Investments needed to make the IT Governance changes (based on estimates of projects required).
- Ongoing IT and business costs.
- Expected benefits of operating in the changed way.
- Roles, responsibilities and accountabilities related to the initiative.
- How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and results).
- The risk inherent in the change, including any constraints or dependencies (based on challenges and success factors).
It can be difficult to quantify the benefits of implementation or improvement initiatives as part of a business case, and care should be taken to commit only to benefits that are realistic and achievable. Finally, it must be recognized that the business case is not a one-time static document, but a dynamic operational tool that must be continually updated to reflect the view of the future and viability of the program.
Taking these steps can ensure that IT Governance properly addresses key agency challenges, obtains support from agency leaders, and sustains change to improve agency performance.