IT Governance:

The Ultimate IT Weapon

Shashank Mane

Patni White Paper

COPYRIGHT

Copyright © Patni Computer Systems Ltd. All Rights Reserved.

September 2005

Restricted Rights

This document may not, in whole or in part, be copied photocopied, reproduced,

translated, or reduced to any electronic medium or machine readable form without prior
consent, in writing, from Patni Computer Systems Ltd.

Information in this document is subject to change without notice and does not represent a
commitment on the part of Patni. This document is provided "as is" without warranty of any
kind including without limitation, any warranty of merchantability or fitness for a particular
purpose. Further, Patni does not warrant, guarantee, or make any representations
regarding the use, or the results of the use, of the written material in terms of correctness,
accuracy, reliability, or otherwise.

All other brand and product names are trademarks of their respective companies.

Patni Computer Systems Limited

India North America UK & Europe Japan

Akruti, MIDC Cross Road No.21
Andheri (E), Mumbai 400 093
Tel: +91 22 5693 0205
Fax: +91 22 5693 0211
One Broadway Vistacentre, 50 Salisbury Road 4F, Yamaguchikensetsu No.1 Building,
Cambridge MA 02142 Hounslow, Middlesex, UK. TW4 6JQ 2-14-8, Akasaka, Minato-ku, Tokyo
Tel: +1 617-914-8000 Tel: +44 20 8538 0120 107-0052, Japan
Tel: +81-3-5549-2200
Fax: +1 617-914-8200 Fax: +44 20 8538 0276 Fax: +81-3-5549-2261
 Table of Contents

Background ...............................................................................................................................................2
What is IT Governance? ............................................................................................................................2
Where to Start? .........................................................................................................................................3
[I] Understand the Scope of IT Governance ........................................................................................ 4
[II] See Where You Are....................................................................................................................... 8
[III] Define Roles and Responsibilities for Your IT Governance Framework ......................................... 8
[IV] Identify the Right Implementation Spot ......................................................................................... 9
[V] Build a Continuous Improvement Plan........................................................................................... 9
Typical Challenges ....................................................................................................................................9
Proven Frameworks ................................................................................................................................10
Conclusion ..............................................................................................................................................12
References..............................................................................................................................................12
Patni’s IT Governance Practice................................................................................................................12
About the Author .....................................................................................................................................13
About Patni..............................................................................................................................................13

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved. 1

BACKGROUND
Alignment of IT with business goals with control over IT costs has always been a top
priority for CIOs. It has also become important for enterprises to show good results and
strong governance not only from the overall business perspective but from the IT
perspective as well. Today, IT has become an integral part of business and must be
treated like a ‘business within a business’.

But even as IT is evolving to meet demands of enterprises, new governance and

compliance requirements are impacting enterprises. In a regulated environment,
shareholders have become more demanding and are paying more attention to governance
and compliance strategies of an enterprise. Organizations are required to provide an
assurance to the accuracy and integrity of both financial reports and core business
processes.

Not surprisingly, organizations having good governance strategies in place are valued
highly by shareholders and have good market capitalization. Today, good governance is
crucial to drive more business value with less cost and maintain high service levels. With
the vast majority of this information residing in IT systems, effective control and
management of these systems has become essential – hence the current focus on IT
Governance.

IT Governance is a crucial weapon that every organization’s IT force should be armed with
to meet these increasing demands. This paper highlights the best practices for
implementing an effective IT Governance strategy and describes how IT Governance tools
can help organizations streamline their IT strategy and execution with business goals.

WHAT IS IT GOVERNANCE?
IT Governance in simple terms can be said to be a method for CIOs to manage IT strategy
and execution by enabling a consolidated view of key governance functions such as
project management, demand management, resource management, risk management
and performance management. It is an integral part of enterprise governance and
comprises the leadership, organizational structures, and processes that ensure that the IT
strategy sustains and extends the organization’s strategies and objectives.

The overall objective of IT Governance, therefore, is to understand the issues and the
strategic importance of IT, so that the enterprise can sustain its operations and implement
the strategies required to extend its activities into the future. The goal of IT governance is
hence not just to formulate a plan, but to ensure that the policy or plan works as planned,
and resources are used responsibly. It enables enterprises to match their expectations
with reality.

Effective IT Governance ensures that expectations for IT are met and IT risks are
mitigated. It helps organizations in repeating the success and eliminating the failure.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 2

 According to the IT Governance Institute, the key domains of effective and practical IT
governance are:
§ Strategic Alignment which focuses on ensuring the linkage of business, IT plans
and operations
§ Value Delivery which focuses on executing the value proposition and ensuring
that IT delivers the promised benefits against the strategy
§ Resource Management which ensures optimal investments, and the proper
management of critical IT resources namely processes, people, applications,
infrastructure and information
§ Risk Management which provides transparency about the significant risks to the
enterprise and embeds risk management responsibilities into the organization
§ Performance Measurement which tracks and monitors all other four domains
and provides necessary scorecards for their effective management.

The benefits of IT Governance can be summarized as:

§ Alignment of IT with business needs
§ Transparency and better comprehension of IT activities and performance
§ Clearer understanding of objectives and expectations
§ Clearer visibility of issues and priorities
§ Joint responsibility for planning and executing IS/IT in the business
§ Improved value delivery (operational and project)
§ Optimized costs
§ Management of IT related risks
§ Improved quality of service.

WHERE TO START?
Having understood the benefits of IT Governance, let us look at how organizations can
start adopting IT Governance as a strategy.

The following are the recommended steps that organizations should go through while
planning an IT Governance strategy:
§ Understand the scope of IT Governance
§ See where you are
§ Define roles and responsibilities for your IT Governance framework
§ Identify the right implementation spot
§ Build a continuous improvement plan.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 3

 [I] UNDERSTAND THE SCOPE OF IT GOVERNANCE
IT governance addresses two main things:
§ IT’s value delivery to the business - Strategic alignment of IT with the business
§ Mitigation of IT risks – Embedding accountability into the enterprise.

These are considered as outcomes of IT Governance. There are three main drivers that
drive these outcomes:
§ Strategic Alignment
§ Resource Management
§ Performance Measurement.

IT Governance focuses on these two outcomes and their growth drivers.

Figure 1: IT Governance Model

Organizations should pay close attention to these five key domains to get the maximum
benefits from an IT Governance implementations. However, to achieve these benefits, the
organization must evaluate vendors and solutions to find the right combination.

The following listing proves an insight into each of these five domains and also gives an
idea of how different IT Governance tools in the market can help manage each one of
these domains.

(i) Strategic Alignment

With enterprises being heavily dependent on IT to meet their core business, it is
extremely important for enterprises to be extremely selective in IT investments.
Every investment needs to be scrutinized, monitored and measured continuously.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 4

 This is the heart of an IT Governance implementation. “Everything that you do
must contribute to the business objectives set by your organization”. Project
Portfolio Management tools play a critical role in ensuring that IT investments are
aligned to business needs.

These tools allow organizations to make sure that their IT investments:

♦ Fit strategically
♦ Support business functional requirements
♦ Help in identifying opportunities for process improvement or synergies across
the business
♦ Enable the marriage of underlying technology with the enterprise infrastructure
♦ Use existing resources and skills to maximize the chances of success
♦ Generate attractive returns.

IT Governance tools should also enable organizations to build what-if scenarios to

verify investments based on these parameters. Strategic management, financial
planning, budgeting, forecasting and analysis are some of the key features that
organizations should look for while selecting the tool. These tools must help
organizations understand whether they are on the right path.

Further, organizations have to look at the ability of these tools to retrieve financial
data from existing systems and populate the budgeting information automatically
when existing financial systems are updated.

(ii) Value Delivery

Value is delivered when critical projects are successfully completed on-time and
within-budget. The interpretation of value delivery differs from people to people.
For instance, individual business units may measure this in terms of cost involved
in building a new application or time involved in implementing a solution. As
organizations move up the value chain, the value measurement becomes more
and more challenging. Senior management will be more interested in knowing the
revenue growth that new IT systems have brought in or the percentage by which
new IT systems are helping the business in achieving the business objectives set
by an organization. IT should enable organizations to grow by delivering the
expected business value. These tools must also help organizations evaluate and
improve their methods of delivering value.

IT Governance tools should support project, program management and provide

early warnings as soon as exceptions, problems or opportunities are identified and
should allow drilldown to find out the root cause of the issue. They should help you
to spend less time in data collection and more in data analysis. Portfolio
management provides a toolset to monitor new projects that are under
development and assets that are generating returns on your previous investments.
Almost all the tools will help you manage your projects, programs using Earned
Value Analysis (EVA). While selecting the tool, make sure to check if the tool
supports the Project Management framework designed by the Project

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 5

 Management Institute. This framework supports an exhaustive set of processes
that can be used as best-practices while doing Project Management.

(iii) Risk Management

Risk Management plays a very critical role in IT investments especially with
respect to the security, reliability and compliance areas. What is a risk? Everything
and anything that threatens your aim of meeting your business objective is a risk.
How do you deal with risks? To answer this question, enterprises should identify
their appetite for risk management, whether they follow risk-taking or risk-
avoidance policies. Once the risks are defined, enterprises should have clear-cut
strategies to manage risks before these risks get transformed into issues. Risk
management strategies must be embedded in the operation of the enterprise. A
risk management process should go through appropriate levels of management
for making the right decision. It should also have a concrete escalation process to
highlight critical risks. Depending upon the type of risk and its significance to the
business, the management may choose to:
♦ Mitigate - Implement controls (e.g., acquire and deploy security technology to
protect the IT infrastructure)
♦ Transfer - Share risk with partners or seek insurance coverage
♦ Accept - Formally acknowledge that the risk exists and monitor it.

At the minimum, risk should at least be analyzed, because even if no immediate

action is taken, the awareness of risk will influence strategic decisions for the
better. Often, the most damaging IT risks are those that are not well understood.

IT Governance tools allow to attach risks or risk-value factors to new IT initiatives.

These factors are then used to build what-if scenarios to compare new initiatives.
All the risks are completely exposed before making a decision to implement any
new idea or a proposal. However, it is important to understand that not all risks
can be defined before starting a new project. Some risks appear during the
execution of the project. IT Governance tools allow organizations to take care of
such risks by letting them define the risk during the execution and attaching them
to projects. Project dashboards take into account the risks attached to different
projects and determine the health of the project accordingly.

(iv) Resource Management

One of the key elements behind maximizing the business value of IT is to use the
resources responsibly. Resources could be people, applications, technology,
facilities or data.

The senior management needs to address appropriate investments in

infrastructure and capabilities by ensuring that:
♦ The responsibilities with respect to IT systems and services procurement are
understood and applied
♦ Appropriate methods and adequate skills exist to manage and support IT
projects and systems

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 6

 ♦ Improved workforce planning and investments are made to ensure recruitment
and retention of skilled IT staff
♦ IT education, training and development needs are fully identified and
addressed for all staff
♦ Appropriate facilities are provided and time is available for staff to develop the
skills they need.

Most IT Governance tools address human resource management needs

effectively. They provide facilities to:
♦ Create skill sets
♦ Define a resource rate and a skill rate
♦ Attach skill sets to resources
♦ Create resource pools of available resources
♦ Create staffing profiles for future demands
♦ View resource utilization charts
♦ Perform resource comparison between different projects and programs
♦ Perform extensive searches for selecting the right resource.

(v) Performance Measurement

Performance measurement is a cumulative measure of available resources,
processes and outcomes of IT Governance. In other words, Performance
Measurement measures the effectiveness of IT Governance in delivering four key
objectives weighed by their importance to the enterprise. These are:
♦ Cost effective use of IT
♦ Effective use of IT for asset utilization
♦ Effective use of IT for growth
♦ Effective use of IT for business flexibility.

Performance measurement is focused on the following perspectives:

♦ Process Performance
♦ Financial Performance
♦ Organization Health
♦ Customer
♦ Learning.

Most IT Governance tools provide an exhaustive set of balanced scorecards for

performance measurement. Some of the most important ones that organizations
should look out for are project, program and portfolio scorecards. These
scorecards provide visibility into project health, cost health and risks, and issues
against it. Bad project or cost health should enable drill downs to point to the root
cause of bad health. Bifurcation of spending of strategic initiatives against tactical
initiatives, number of incidents, break downs, service level monitoring and
preparedness for meeting the future demands are some of the important
scorecards that IT Governance tools should be equipped with.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 7

 Some of the benefits of performance measurement are:
♦ Identifying problems before they arise
♦ Communicating the value
♦ Integrating compliance and risk initiatives
♦ Establishing effective alliances and partnerships.

[II] SEE W HERE YOU ARE

To gauge the effectiveness of an organization’s IT Governance strategy in addressing real
problems, organizations need to check their level of readiness by seeking answers to
relevant questions.

Some questions recommended by the IT Governance Institute include:

§ How critical is IT for sustaining the enterprise? How critical is IT for growing the
enterprise?
§ How far should the enterprise go in risk mitigation and is the cost justified by the
benefit?
§ Is IT a regular item on the agenda of the board and is it addressed in a structured
manner?
§ Is the board regularly briefed on IT risks to which the enterprise is exposed?
§ Does the board articulate and communicate the business objectives for IT
alignment?
§ Does the board have a clear view on the major IT investments from a risk and
return perspective? Does the board obtain regular progress reports on major IT
projects?
§ Is the board getting independent assurance on the achievement of IT objectives
and the containment of IT risks?
§ Is the reporting level of the most senior IT manager commensurate with the
importance of IT?

[III] DEFINE ROLES AND RESPONSIBILITIES FOR YOUR IT

GOVERNANCE FRAMEWORK
Define roles and responsibilities for each of the five IT Governance domains.
Organizations have to assign accountability to all participants of the group responsible for
IT Governance implementation. Efforts should also be made to establish committees (E.G.
Steering Committee, Technology Council, IT Architecture Review Board) and define their
responsibilities for every key IT Governance domain.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 8

 While selecting the IT Governance tool, choose a tool that has the ability to load the
organizational hierarchy data from the existing source. This will lessen the burden to
manage the same data in two different systems and cut down on additional maintenance
activities.

[IV] IDENTIFY THE RIGHT IMPLEMENTATION SPOT

Decide the highest priority projects that will help improve the management and
governance of significant areas. This decision should be based on identifying projects
which promise the most potential benefits, are easy to implement, and have a strong focus
on important IT processes and core competencies.

[V] BUILD A CONTINUOUS IMPROVEMENT PLAN

In order to build a continuous improvement plan, enterprises must continuously assess the
effectiveness of IT Governance in delivering value to the business. IT Governance
implementation should be considered as a closed loop. For example, the business
provides the direction that results in IT initiatives, or, activities that should generate the
desired results to meet the business expectations. These results should be compared with
the desired results to find out the performance. Any delta in the desired and actual results
should drive changes in IT Governance implementation.

TYPICAL CHALLENGES
One of the typical challenges seen in an IT Governance implementation is convincing
people to use the system of accountability. The chances of failure increase when the gap
between promises made by the organization and the results delivered by them increases.
Leaders who fall victim to these gaps have frequently mentioned that the problem lies with
accountability. People aren’t doing the things they’re supposed to do to implement a plan.

The performance measures coming out of an IT Governance system are more evident to
the senior management. It is very important to make people at all levels realize the
importance of IT Governance. Unless this vision is shared, it will be difficult for people at
the operational level to visualize the direction or the objectives that the higher
management wants to achieve.

Before considering IT Governance tools, a CIO must understand that IT Governance

cannot be done in isolation. This is because IT Governance links together people, strategy
and operations. Hence, the involvement of the top management is crucial in ensuring the
success of IT Governance. Equally important is the involvement of every employee.
Organizations will find it difficult to implement a strategic plan when the employees
responsible for executing the day-to-day support activities are unaware of it.

Organizations need people at all levels who ensure that reliability standards are
mandatory and enforceable, with penalties for non-compliance. People driving this

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 9

 initiative should have a clear vision of keeping different things blended nicely under one
umbrella.

One understated factor for ensuring the success of IT Governance is the use of processes
that are simple to execute and understand. Ideally, processes should demand necessary
actions rather than letting system users think or decide on the actions to take.

PROVEN FRAMEWORKS
To ensure an effective IT Governance strategy, organizations can adopt proven
frameworks. One good way to start effortlessly is through understanding of frameworks
such as CobiT (Control Objectives for Information and Related Technology).

CobiT's purpose is to ensure IT resources are aligned with an enterprise's business

objectives so that services and information, when delivered, meet quality, fiduciary and
security needs. It is also intended to provide a mechanism to balance IT risks and returns.
CobiT defines 34 significant processes, links 318 tasks and activities to them, and defines
an internal control framework for all of them. CobiT focuses on what an enterprise needs
to do, not how it needs to do it. This framework addresses the needs of auditors, senior
business management and senior IT management.

Figure 2: CobiT framework

Once CobiT is understood, one will exactly know what to do with one’s IT Governance
implementation. The next big question one will have is how to do it? IT Infrastructure
Library (ITIL) is the answer to this question.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 10

 ITIL is based on defining best-practice processes for IT service delivery and support,
rather than defining a broad-based control framework. It focuses on the method. ITIL has a
much narrower scope than CobiT because of its focus on IT service management, but it
defines a more comprehensive set of processes within that narrower field of service
delivery and support. ITIL is more-prescriptive about the tasks involved in those processes
and, as such, its primary target audience is IT and service management.

Figure 3: ITIL Framework

CobiT and ITIL are not mutually exclusive and can be combined (as depicted in Figure 4)
to provide a powerful IT Governance, control and best-practice framework in IT service
management. Enterprises that want to put their ITIL program into the context of a wider
control and governance framework should use CobiT.

Figure 4: Combined Framework

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 11

CONCLUSION
The success of an organization in the new economy will depend on its ability to execute
planned strategies accurately. However, no organization can execute strategies
consistently without having their people to follow standard operating processes designed
using an accountability framework. To summarize, IT Governance must be considered as
a core element of an organization’s culture as it can ensure strategic alignment, resource
alignment, quality delivery, and compliance adherence – all factors which are key for
leadership in an increasingly competitive world.

REFERENCES
1. Board Briefing on IT Governance, 2nd Edition
http://www.isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_Governance/
26904_Board_Briefing_final.pdf

2. The CEO’s Guide to IT Value@Risk

http://www.itgi.org/template_ITGI.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentI
D=20697

PATNI’S IT GOVERNANCE PRACTICE

With its dedicated Center of Excellence in IT Governance, Patni has proven experience in
the arena. Our numerous customer engagements, representing over 150 person-years of
delivered effort, have helped us gain in-depth IT Governance expertise across industry
verticals. Our vast amount of digitization and IT Governance experience, combined with
skilled resources and varied range of service offerings, are our key differentiators.

Patni’s CoE framework is well supported by a comprehensive knowledge base in the

different areas of IT Governance product suites of leading vendors. Based on our
experience in the area, we have devised a unique IT Governance model, which we have
been using successfully for a majority of our customers’ IT Governance implementations.
The model leverages industry-standard best practices and proven frameworks to better
align business objectives with IT capabilities.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 12

ABOUT THE AUTHOR
Shashank Mane leads the IT Governance focus group at Patni's IT Governance Center of
Excellence. He holds a Bachelor's degree in Electronics Engineering from Mumbai
University and has more than 8 years of IT experience. He has played a pivotal role in
designing and developing for many software projects using various cutting-edge
technologies in the IT industry.

For the past 3 years he has been actively involved in IT Governance Implementations that
have enabled various customers successfully shape their IT Governance Agenda.

ABOUT PATNI
Patni Computer Systems Limited (BSE: PATNI COMPUT, NSE: PATNI) is a global IT
Services provider servicing Global 2000 clients through its industry practices in Insurance,
Financial Services, Manufacturing, Telecom, Retail, Media & Entertainment, Energy &
Utilities, and Logistics & Transportation; and through its technology practices.

With an employee strength of over 10,000; multiple offshore development facilities across
eight cities; and 24 international offices across the Americas, Europe and Asia-Pacific;
Patni has registered revenues of US$ 326.6 million for the year 2004.

Patni's technology focus spans enterprise applications, embedded technologies,

e-business, business intelligence & data warehousing, and RFID. Our service offerings
include: application development, application management, business process outsourcing,
infrastructure management, product engineering, verification & validation, process
consulting, engineering services, and IT governance.

Committed to quality, Patni adds value to its client's businesses through well-established
and structured methodologies, tools and techniques. Patni is an ISO 9001:2000 certified
and SEI-CMMI Level 5 organization, assessed enterprise wide at P-CMM Level 3. In
keeping with its focus on continuous process improvements, Patni adopts Six Sigma
practices as an integral part of its quality and process frameworks.

Copyright  Patni Computer Systems Ltd., 2005. All rights reserved 13