What is IT governance

IT governance is not as complicated and confusing as imagined. We don't need to painstakingly find a model that suits us among hundreds of IT governance models. Accenture has created an IT governance model that provides a roadmap for organizations to establish effective IT governance.

It has been more than three years since the concept of IT governance was introduced into the country. Although the media, IT companies and some experts and scholars constantly stress the importance of IT governance, it is still difficult to advance IT governance from theory to practice, and practical cases are rarely heard of. An important reason is that organizations lack operational guidelines for IT governance.

We cannot stop at pondering and exploring the concept of IT governance. To some extent, the abstract and obscure definition of IT governance has affected organizations' acceptance of IT governance and directly harmed its practical operability. It is now time to find a practical operational path for IT governance.

In fact, IT governance is not as complicated and confusing as imagined. We don't need to painstakingly find a model that suits us among hundreds of IT governance models. Accenture has created an IT governance model that provides a roadmap for organizations to establish effective IT governance. This article will give an introduction to this model.

To put it simply, IT governance focuses on two aspects, namely the "what" and "who" of IT governance. The "what" of IT governance refers to what decisions should be made in IT governance, and the "who" of IT governance refers to who should make these decisions.

So, what decisions should be made in IT governance? To find the answer to this question, we must first figure out what role the organization needs IT to play. Don’t assume this is a question with an easy answer. In fact, different organizations have different needs for IT. What exactly an organization needs IT to do depends largely on what kind of business environment it is in.

Business characteristics determine IT needs

The first step towards IT governance is to conduct a correct analysis of what kind of business environment the organization is in.

Accenture's IT governance model analyzes an organization's business environment through two indicators: the speed of change and the basis of competition.

The speed of change. Some companies are in a rapidly changing industry, such as semiconductor companies and telecommunications companies. In such an industry, consumer needs and preferences often change, industrial policies are often introduced, and new technologies emerging from time to time can suddenly change the entire industry value chain. Other industries, such as the aviation industry, develop in a relatively stable way and do not change so quickly. In such an industry, changes in consumer demand, competitive landscape, government regulations, technology and suppliers occur slowly.

The basis of competition. From the basis of competition, enterprises can be divided into two categories. One category of businesses competes on the basis of operational efficiency. For this type of organization, the focus is on reducing costs and optimizing existing business models to cope with competition; other types of companies rely on the differentiation of products and services as the basis for competition. Such companies strive to provide new business capabilities or create new business models before their competitors, in order to gain competitive advantages.

Based on the above two indicators, organizations can be divided into four categories.

Type A organizations are in industries that are not changing rapidly, and competition is based on operational efficiency;

Type B organizations are in industries that are not changing rapidly, and competition is based on differentiation of products and services;

Type C organizations are in a fast-changing industry and compete based on operational efficiency;

Type D organizations are in a fast-changing industry and compete on the basis of differentiation of products and services.

These four different types of organizations have different needs for IT due to their different business characteristics.

The key to the development of Type A organizations is to strictly control costs. Therefore, such companies hope to use IT to maintain low costs and provide mature capabilities through cost-saving methods such as outsourcing.

The management of Type B organizations expects to use information to improve decision-making capabilities and develop new products and services to offset growing IT expenditures with high revenue.

Type C organizations formulate IT investment plans and long-term capability roadmaps in order of priority. While effectively managing costs, they use IT to implement planned new capabilities according to the roadmap to meet the changing needs of the market.

Type D organizations expect IT to be highly flexible to meet rapidly changing business strategies and requirements. Such companies tend to provide innovative IT solutions to gain first-mover advantages, so their IT investments focus on creating new capabilities.

The decision-making scope of IT governance

Once the organization has clarified its needs for IT, the next step is to solve the problem of what decisions to make in IT governance, which is the "what" of IT governance mentioned above. The decision-making scope of IT governance generally includes the following five aspects.

Organizational model: Will the organization adopt a centralized, decentralized, or hybrid model?

Investment: What will the organization invest in? How much will it invest?

Structure: Does the organization emphasize stability or flexibility? To what extent are the two different? Should the application system be purchased externally or developed internally? Should a comprehensive ERP system or multiple systems be established?

Standard: What technologies does the organization need to standardize, and to what standards?

Resources: What types of resources will the IT organization utilize? What are the sources of these resources?

For Type A organizations, the preferred organizational model should be centralized governance, with IT responsible for budgeting and decision-making. This is the approach taken by Canada Post, which adheres to a simple organizational model with a centralized department that prioritizes corporate actions and carries them out through a single IT resource.

In terms of standard decision-making, Type A organizations seek to strengthen the standardization of architecture, technology, and suppliers throughout the organization, and only allow deviations under some justified exceptions. A large French insurance company is an example of this. The company standardized its IT architecture across the group so it could optimize its core IT processes, integrate systems to support its non-life insurance business, migrate data and configure new systems to support its health insurance business.

In terms of resource decision-making, Type A organizations are good at utilizing a combination of internal and external resources, and usually reach service agreements with a small number of preferred service providers. When a global chemical company decided that IT was not its core business, it outsourced its entire IT operations, including the global implementation and support of its ERP system.

IT Governance

Corporate governance focuses on stakeholder rights and management. It includes a set of responsibilities and regulations, implemented by top management (board of directors) and executive management, with the purpose of providing strategic direction and ensuring that goals can be achieved, risks are appropriately managed, and corporate resources are used rationally.

Corporate governance drives and adjusts IT governance. At the same time, IT can provide key input and form an important part of the strategic plan, which is considered an important function of corporate governance - IT affects the strategic competitive opportunities of the enterprise.

Relationship diagram between IT governance and corporate governance

A key issue in IT governance is whether the company's IT investment is consistent with its strategic goals, thereby building the necessary core competitiveness. Because corporate goals change so fast, it is difficult to ensure that IT and business goals are always consistent. Therefore, multi-faceted coordination is needed to ensure that IT governance continues to move in the right direction. This is also a real concern for IT investors. IT governance must be able to reflect the strategic integration of future information technology and the future enterprise organization. It is necessary to maintain openness and a long-term view as much as possible to ensure the stability and continuity of the system; at the same time, because planning cannot keep up with change, no plan, however long-term, can be guaranteed to keep up with changes in the corporate environment. A relatively effective approach in IT governance is to carefully analyze the mutual impact between the enterprise's strategy and IT support during informatization planning, reasonably predict the deviation that environmental changes may bring to the enterprise's strategy, and leave appropriate leeway during planning. From business strategy to information strategy, planning should be pragmatic and should not pursue big and comprehensive strategies.

IT governance helps build a flexible, adaptable enterprise. IT governance can influence information and instructions: enterprises can sense what is happening in the market, use and learn from knowledge assets, innovate new products, services, channels, and processes; change rapidly, bring innovation to the market, and measure performance. IT governance should reflect the idea of "centering on the strategic goals of the organization" and create value through the rational allocation of IT resources. Enterprise governance focuses on the overall planning of the enterprise, and IT governance focuses on the effective utilization and management of information resources in the enterprise.

The enterprise goal lies in the vision and business model, and the IT goal lies in the implementation of the business model.

The relationship between enterprise goals and IT goals is shown in the figure below:

IT governance mainly involves two aspects: IT must deliver value to the enterprise, and IT risks must be reduced. The former is driven by the strategic consistency between IT and the enterprise, while the latter is driven by the implementation of responsibilities and obligations to the enterprise. Both need to be measured, such as using a balanced scorecard. This shows that the four core areas of IT governance are all driven by stakeholder value, two of which are outcomes: value delivery and risk reduction, and the other two are driving forces: strategic alignment and performance measurement.

In summary, corporate governance and IT governance are both mechanisms of market (including government) heteronomy. They are mechanisms of how to "manage managers well". Their goals are also the same: to achieve sustainable business operations and increase the organization's long-term profit opportunities. Regardless of whether the general environment is good or bad, the top management (board of directors) should be responsible for achieving its goals, and management must have the ability to assist it in achieving its goals. Therefore, the top management (board of directors) must often supervise the management department's decision-making judgment and its performance in implementing policy.

The "Star Model" is known as an innovative model for state-owned enterprises to get out of trouble and reform and develop. It illustrates the importance and interactive relationship between corporate governance and IT governance.

"Black Paper" took advantage of the joint venture opportunity to reform the property rights system and, in accordance with the requirements of modern enterprise systems, established a corporate governance mechanism that is compatible with market competition, clarified corporate property rights, optimized the allocation of production factors, changed employees' concepts, and created strong conditions for Star's vigorous information transformation. In turn, informatization also promotes the company's modern management.

IT governance and IT management

IT management is the operation of the company's information and information systems: determining IT goals and the actions taken to achieve them. IT governance is what top management (the board of directors) uses to oversee management's processes, structures, and connections on IT strategy, to ensure that such operations are on the right track. These are two sides of the same coin, and neither can exist without the other. It can be seen that IT management is the actions taken by management to achieve the company's goals under the established IT governance model.

IT governance stipulates the basic framework for the entire enterprise's IT operations, and IT management drives the enterprise towards its goals within this established framework. A company that lacks a good IT governance model, even if it has a "very good" IT management system (which is actually impossible), is like a building with a weak foundation; similarly, without a smoothly running IT management system, a governance model alone can only be a beautiful blueprint that lacks actual content. As far as the current status of my country's information construction is concerned, both IT governance and IT management are problems we urgently need to solve.

A brief analysis of the three pillars of the IT governance framework

Once IT leaders understand the three pillars of the IT governance framework, they will have a better understanding of why IT governance is so important and which approach can best help them achieve their governance goals.

IT governance is a topic that many people are talking about currently. Indeed, some technology vendors and consultants have made IT governance a hot new sales category. However, various definitions of IT governance have emerged based on the range of products and services they sell, which has brought confusion to the market to a certain extent.

So where can business and IT leaders get a single, comprehensive definition of today’s hottest corporate governance concept?

Based on ITGI, emerging industry standards, customer best practices and the work of thought leaders, leading analysts are now emphasizing the three-pillar model of the IT governance framework. This framework emphasizes the importance of ensuring that IT supports business objectives, optimizes business technology investments, and properly manages IT-related risks and opportunities.

In the eyes of CIOs and IT leaders, the three-pillar model and the corresponding IT governance maturity model are rapidly gaining momentum.

With the framework of IT governance, the value brought by IT investments can be understood, and there is a clear way to connect technology investments with business goal requirements. Amid growing pressure from management and boards, IT organizations can't rely on theory alone—they need governance that works.

The Three Pillars of an IT Governance Framework

This IT governance framework, now taking shape, is applicable to any organization that wants to seize the benefits of this forward-looking approach to IT. The framework includes three main components, specifically represented as the three life cycles of "planning/construction/management". Through an ongoing feedback loop connecting these three elements, IT transformation is made possible. The three pillars are:

Enterprise architecture planning, including:

- Enterprise architecture modeling and management

- Strategic IT plans and roadmaps

- Standard management

Portfolio rationalization, including:

- Rationalization of application systems and infrastructure

- Project-investment analysis

- Mergers and acquisitions operational integration

Service integration, including:

- Service delivery management

- Business relationship management

- Supplier and outsourcer management

- IT Financial Management

- Sarbanes-Oxley and other regulatory compliance issues

- Business Continuity Planning

Once IT leaders understand these three pillars, they will have a better understanding of why IT governance is important and which approach can best help them achieve their governance goals. For example, in the fields of project investment management and system management, typical vendors will only work on part of the entire framework. The need for a comprehensive solution to IT governance issues has become increasingly evident.

IT management solutions

Troux is the only company that can provide effective IT management systems. At the same time, it can also provide comprehensive solutions that connect business and automated workflows, as well as automated policy management systems. To solve the most challenging IT governance issues CIOs face today, Troux's solutions provide the foundation and span the three areas of the IT governance framework.

Enterprise Architecture: Allows enterprise architects to fully model the architecture that meets future needs, and provides the ability to create and manage standards and roadmaps that are consistent with the architecture.

Investment Rationalization: Provides IT executives with the visibility and tools to ensure investments in applications, infrastructure, services and projects are aligned with business and cost optimization.

Service Management: Enables IT organizations to automate the definition and management of business services and ensure alignment of key business, compliance and business continuity goals.

With these solutions, Troux brings the deep expertise, best practices and proven models needed to help CIOs and IT executives achieve IT governance.

Conclusion

Just as IT governance has moved to the forefront of CIOs' agendas, managers have discovered that standards for best practices and methodologies have not been accurately defined—yet. Only when the situation changes.

Troux's technology provides CIOs and IT managers with the best practices and methods they need to effectively plan, build and manage their IT operations.

Link

How to view the role of IT governance

"For CIOs, IT governance means organizational structure, decision-making processes and a way to strengthen the information base of control," said Val Sribar, an analyst at Stanford-based Meta Group.

The most important step toward IT governance is "developing an information foundation upon which critical asset, financial, and compliance decisions can be made with confidence." Sribar added, "Visibility into business and technology architecture is critical to enterprise management and growth."

Fortunately, IT managers can get help in achieving their governance goals. "Vendors like Troux have emerged and filled the gap between governance processes and IT operations," Sribar said.

Standards for IT governance

There are currently four main internationally accepted IT governance standards: ITIL, COBIT, ISO/IEC17799 and PRINCE2.

(1) ITIL

ITIL (Information Technology Infrastructure Library): Information technology infrastructure library, a widely recognized set of practice guidelines for effective IT service management. Since 1980, in order to solve the problem of "poor IT service quality", the British Government Commerce Office (GOC, formerly known as the Government Computer and Communications Center) has gradually proposed and improved a set of methodological systems for evaluating the quality of IT services, called ITIL. In 2001, the British Standards Institution officially released the British national standard BS15000 with ITIL as the core at the International IT Service Management Forum (itSMF). This has become a major event of historical significance in the field of IT service management.

(2) COBIT

COBIT (Control Objectives for Information and related Technology): Information system and technology control objectives. The American Information Systems Auditing and Control Association ISACA, founded in 1969, launched COBIT, a knowledge system for "IT auditing", in 1996. "IT audit" has become an industry standard by which government departments and enterprises in many countries comprehensively assess and recognize IT planning and organization, procurement and implementation, service provision and service support, supervision and control, etc. Accordingly, "Certified Information Systems Auditor" (CISA) has increasingly become an emerging profession and field that countries around the world are competing to develop in the process of informatization. As the core model of IT governance, COBIT contains 34 information technology process controls, which are grouped into four control areas: IT planning and organization (Planning and Organization), system acquisition and implementation (Acquisition and Implementation), delivery and support (Delivery and Support), and information system operation performance monitoring (Monitoring). COBIT has now become an internationally recognized IT management and control standard.

(3) BS 7799

BS 7799 (ISO/IEC17799): The international information security management standard system. In December 2000, the International Organization for Standardization ISO officially released the international information security standard ISO17799, which includes two parts, information system security management and security certification, and is based on the British national standard BS7799. It is a detailed security standard that includes all guidelines for security content and consists of ten separate sections, each covering a different topic and area.

The information security management system standards BS 7799-Part 1 (ISO 17799) and BS 7799-Part 2 prepared by the British Standards Institute (BSI) provide a complete information security management framework for various institutions and enterprises.

This set of 'sister pair' standards guides institutions and enterprises to establish a complete information security management system and to conduct a dynamic and comprehensive analysis of information security risks, starting from the security risks faced by the institution or enterprise. It emphasizes that the purpose of information security management is to keep the continuity of the organization's or enterprise's business from being destroyed by information security incidents. An institution or enterprise should start from its existing resources and management foundation, establish an Information Security Management System (ISMS), and continuously improve the level of information security management so that its information security reaches the required level at the minimum cost. Protecting information security and establishing an information security management system is one of the important tasks for the operation of an organization or enterprise. In particular, BS 7799-2: 2002 is the most complete reference basis at present. Based on the "Plan, Do, Check, Action" model, it introduces management system specifications into institutions or enterprises to achieve the purpose of "continuous improvement".

(4) PRINCE2

PRINCE2 (Projects In Controlled Environments) is a method that provides support for certain specific aspects of project management. PRINCE2 describes how a project can be divided into manageable phases to efficiently control the use of resources and implement regular monitoring processes throughout the project cycle. The vision of PRINCE2 is not limited to the management of specific projects, but also covers the management of projects within the organization.

Here, we focus on introducing COBIT:

The full name of COBIT is "Control Objectives for Information and related Technology", which was proposed by the IT Governance Association in the early 1990s. The current edition (2005) is the third edition. COBIT has now become an internationally recognized IT management and control framework. It has been used in important organizations and enterprises in more than 100 countries around the world to guide these organizations to effectively utilize information resources and effectively manage information-related risks.

COBIT has 6 components:

- Executive Summary

- Management Guidelines

- Framework

- Control Objectives

- Implementation Toolset

- Audit Guidelines

COBIT is a bridge between corporate strategic goals and information technology strategic goals, enabling interaction between information technology goals and corporate strategic goals.

The significance of this framework is that COBIT serves as a bridge between enterprise goals and IT governance goals.

First of all, COBIT considers the company's own strategic planning, analyzes and positions the business environment and the company's overall business strategy, and uses the goals, policies, and action plans generated by the strategic plan as the key environment for information technology, and thereby determines IT guidelines.

IT provides technology-based solutions for corporate strategies and provides technologies and tools to meet business strategic needs. Under the guidance of IT principles, the control objective model is used to control and manage information resources from processes such as planning and organization, acquisition and implementation, delivery and support, and monitoring. At the same time as IT management, audit guidelines are introduced to ensure the security, reliability and effectiveness of IT resource management.

COBIT achieves trackable performance measurement. Through the balanced scorecard, it maintains a balance among finance (enterprise resource management), customers (customer relationship management), process (intranet, workflow tools), learning (knowledge management) and other aspects, evaluates the realization of corporate goals and IT performance, adjusts business goals and IT strategies, and conducts continuous IT management.

COBIT adopts a maturity model, which can determine the current position of your company's IT management in the industry and the direction of future efforts. In layman's terms, it is to "score" IT management.

COBIT also provides current best cases and critical success factors (CSF) for enterprises and organizations to learn from.

In terms of content, COBIT covers the entire process from analysis & design to development & implementation to operation and maintenance. For analysis & design, the focus is on IT and business needs. IT strategies are refined based on business goals, the IT systems to be developed are determined, and the corresponding system analysis and design are performed. The scope of this analysis and design process is much broader than what we traditionally call the analysis and design of information systems. It emphasizes that IT strategy must be in line with business strategy, and that the development of any information system should maintain precise alignment with business strategy. Information systems are analyzed and designed from a business strategy perspective. The provision stage mainly examines the needs of the organization, and at the same time designs a reasonable resource combination based on these needs, sets reasonable service levels and goals, and provides IT services that meet customer needs. At this stage, IT applications have risen to the stage of IT service management.

It mainly solves the following problems: what resources are provided to meet the needs of customers, what is the cost between these resources, and how to achieve an appropriate balance between service costs and service benefits. At this level of support, it is mainly about how to meet the IT needs put forward by customers to support service needs. The upper layer of COBIT is to conduct external control and internal audit of IT operations to ensure accurate alignment between IT and business, while achieving continuous application and improvement of IT applications. COBIT covers the entire life cycle of the entire information system, and its vision is the broadest.

In summary, the main advantages of COBIT are as follows:

COBIT is a very useful tool and is very easy to understand and implement. It can help enterprises build bridges across the communication gap between management, IT and audit, and provide a common language for communicating with each other. Nearly every organization can benefit from COBIT to determine appropriate controls over IT processes and the business functions they support. When we know what these business functions are and to what extent they impact the business, we can classify these events well. All information systems audit, control and security professionals should consider adopting COBIT principles.

Through the implementation of COBIT, management's perception and support for control are increased. COBIT helps management understand how to control impacts and business functions. The implementation toolset provided by COBIT includes excellent case materials (providing template business processes so that excellent examples can be quickly transplanted), which helps to express IT management concepts to management. Management's ability to make sound decisions based on best control practices has also improved.

COBIT simplifies and quantifies IT management work, reducing the difficulty of managing complex information systems. For those without extensive IT knowledge, it is a valuable tool for understanding information technology. It also allows information systems auditors to have the same breadth of expertise as IT professionals and can ask IT engineering-related questions.

COBIT provides an internationally accepted IT management and problem solution that is universally applicable to a variety of business projects and audits, and not only accommodates the current situation, but also provides guidelines that may be used in the future.

COBIT helps to increase the influence of information system auditors. An information system audit report issued on the basis of COBIT more easily obtains recognition from management.

The COBIT framework can help determine process responsibilities and improve IT governance levels. By applying this framework for responsibility analysis, role-based IT management can be achieved, process measures can be defined, and customer interests can be ensured.

In short, the COBIT model realizes the interaction between enterprise strategy and IT strategy, and forms a virtuous cycle mechanism of continuous improvement, providing enterprises with solutions with certain reference value. Therefore, in view of the problems existing in my country's informatization, learning from the IT governance ideas and framework of COBIT, managing information and related technologies scientifically and systematically, and gradually establishing an IT governance mechanism on a trial basis is of great practical significance for promoting the development and application of information technology in our country.