Adherence to compliance, and meeting service-level agreements and other metrics and performance measurements11
For IT outsourcing, IT governance takes on additional responsibilities:
Deciding what should be outsourced
Weighting criteria to rank various outsourcer candidates
Monitoring sourcing relationships and making adjustments where appropriate
In order for IT governance to be effective and efficient, the subportfolios (discovery, project, and asset portfolios) must have good tracking information. Much the way generally accepted accounting principles (GAAP), generally accepted auditing standards (GAAS), and securities regulations work in harmony to provide predominantly reliable information to make investment management decisions with various types of investments in a portfolio, IT must provide consistent and reliable information for all components within the IT portfolio.
84 CHAPTER 3 PEOPLE AND GOVERNANCE
Policy and Principles: The Foundation of Governance
Policy, a collection of explicit principles, effectively manages the inherent conflicts between the longer-term view of enterprise strategy and the shorter-term view of line-of-business tactics. Principles are statements resulting in consistent actions that a majority of concerned parties have agreed upon, and they form an important foundational element of IT governance. Achieving majority agreement (or consensus agreement) is critical; without it, companies will be dysfunctional. Articulation of principles and the act of attaining agreement should be viewed as a primary means to surface and manage value expectations. There are two important aspects of IT policy relating to IT portfolio management. First, IT policy is a best practice for managing the portfolio of IT investments. Second, the development of IT policy serves as an activity in which IT can engage with the business, driving more universal views of the value of information and the technology within the business. Sound IT policies result in time and money savings due to quality and consistency in making decisions (all decision makers judge IT investments on a common set of principles). Characteristics of good policy include:
Establishes solid business practices and promotes company strategy
States preferred (architectural) direction and does not prevent individual business units from achieving their respective tactical objectives, goals, and milestones
Provides simple and direct statements of how a company will use information and technology over both the short term and the long term
Establishes a context for design and operation decisions across the company
Translates operations and mission requirements into fast decision-making parameters
Provides an unambiguous basis for measurement
Supports mandatory compliance requirements and exceptions
Is enforced by process and organization
In order to ensure policies are meaningful and adhered to, executive management must support them. Without the support from top management, policy efforts will languish, causing participants to lose interest and start acting in their own interests, hastening the drift toward information anarchy. In addition, the formation of the policies must include input and directions from stakeholders, executive and business management, process owners, technologists, and users/customers.
IT GOVERNANCE 85
EXHIBIT 3.2 BUSINESS, INFORMATION, AND IT POLICY
[Figure labels: Shareholder Expectations: Stability and Growth; Growth and Persistence; Revenues and Profit; Business Policy; Tactics; Information Policy; Organization and People; Infrastructure and Process; Adaptive Architecture]
As Exhibit 3.2 shows, there are three types of policies: business policy, information policy, and IT policy (adaptive architecture). Business policy creates information policy, which creates IT policy. An example of how these policies were adopted by an electronic manufacturer is shown below:
Business policy: provide a consistent way of doing business across the company [domain of the lines of business (LOBs)] and with others outside the company (domain of the enterprise).
Information policy: information will only be captured once and validated as close to the source as possible.
Applications will be independent of the technology platforms on which they are implemented.
Data will be independent of the applications.
Access to digital information required to perform one's job is possible via the user's workstation regardless of the location of the user.