Meet the IT Governors

CBR identifies the latest trends in IT governance, and explains how it can help to solve more than just compliance and legislative challenges.

Recent surveys have shown that IT governance is being driven not only by the latest legislative and compliance-related demands, but also by the ever-present need for IT to get a better handle on the planning, delivery and measurement of its own strategic value.

As analyst house Butler Group puts it: "IT governance is key to implementing the metrics that are instrumental in cost control and measurement of benefits, and particularly portfolio management. Without supporting systems, IT management cannot exercise control and report on the benefits that senior management need. There is also a need to extend thinking beyond the classical cost-saving role for IT, which is now showing diminishing returns."

One might well ask how IT has only just come to realise that it needs to govern its own value creation and delivery more effectively. Butler Group again: "Nothing inhibits IT investment more than an inability to measure benefits and keep control of costs. Senior management in many large organisations has become intolerant of sizeable investments that do not demonstrate a tangible return and where costs have typically overrun. Measurement is the key to restoring faith in IT and only total transparency will satisfy a critical gaze."

But just what is this relatively new discipline, IT governance? Peter Weill and Jeanne W Ross, authors of a 2004 book on the subject, 'IT Governance, How Top Performers Manage IT Decision Rights for Superior Results', give us this definition: "IT governance: Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT."

The authors go on to explain that: "In governing IT, we can learn from good financial and corporate governance. For example, the CFO doesn't sign every check or authorise every payment. Instead, he or she sets up financial governance specifying who can make the decisions and how. The CFO then oversees the enterprise's portfolio of investments and manages the required cash flow and risk exposure. The CFO tracks a series of financial metrics to manage the enterprise's financial assets, intervening only if there are problems or unforeseen opportunities. Similar principles apply to who can commit the enterprise to a contract or a partnership. Exactly the same approach should be applied to IT governance."

Analyst house Gartner Group's definition of IT governance resonates well with this view, with perhaps a stronger focus on the importance of IT-business alignment. Gartner's Susan Dallas and Michael Bell define IT governance like so: "IT governance provides a framework in which the decisions made about IT issues are aligned with the overall business strategy and culture of the enterprise."

According to the IT Governance Institute, meanwhile (www.itgi.org), IT governance as a concept has really started to catch on. Everett Johnson, international president of ITGI says, "IT governance can truly transform an enterprise. It is a positive trend to see… prominent organizations give it the priority it deserves."

If proof were needed that IT governance is a hot sector right now, one need only look as far as Hewlett Packard's $4.5bn acquisition of Mercury Interactive. While Mercury's main revenue engine has been software testing, it also has IT governance capabilities thanks to its acquisition of Kintana back way back in 1999.

But Mercury is by no means the only vendor in the space. Compuware bought ChangePoint in April last year, while Computer Associates' acquisition of Niku gave it IT governance capabilities too. As the largest technology vendor you would also expect IBM to have a strategy in this emerging sector and of course, it does.

Indeed IBM's offering has had favourable analyst reviews, too, with research house Forrester in its 'Forrester Wave Vendor Summary, Q1 2006' report stating that, "With its Workplace for Business Controls and Reporting (WBCR) solution, IBM established itself as a Leader in the governance, risk, and compliance (GRC) platform space by demonstrating the product's ability to openly integrate into the broader technology architecture of an organization.

"Customers can augment WBCR with IBM's systems-integration capabilities and an array of additional IBM solutions to meet GRC requirements," the analyst continued. "The WBCR platform has been used to manage a range of risk and compliance requirements but has been predominantly deployed in response to Sarbanes-Oxley (SOX)."

IBM says its Workplace for Business Controls and Reporting product "helps provide a common platform for companies to easily document, evaluate and report the status of controls management across multiple initiatives in your company."

Now on version 2.6, the latest iteration is said to feature customisable self-assessment surveys, more in-depth real-time executive dashboards and an agreement with the ISACA organization to license CoBIT. Announcing that news, Larry Bowden, IBM vice president, software products said: "IBM is increasing the adoption in the market by including the COBIT family of products in IBM software products beginning with the immediate use in IBM Workplace for Business Controls and Reporting, shipping this month.

"IBM will also align future IT governance software offerings from Rational and Tivoli with the COBIT standards," Bowden continued. "IBM's objective is to help reduce a company's time to implement COBIT-based controls for better corporate and IT governance."

Bowden said that IBM Workplace for Business Controls and Reporting simplifies risk assessment and control management by addressing a wide range of regulatory and business control related challenges. But he also stresses that compliance and risk challenges can seldom be solved by one product alone - it is the combination of its Lotus, WebSphere, DB2, Rational and Tivoli software lines that come together to take the headache out of compliance by improving IT and simplifying and reducing integration costs.

But does the term IT governance resonate with IT practitioners, or is it one that has thus far been isolated to academic, analyst and vendor debate? According to Mercury Interactive, which is in the process of being bought by Hewlett Packard, the answer to that question is surprising.

Says Mercury's Roger Gilheany, market development director, IT Governance: "We did some independent research through Vanson Bourne, among 200 companies, 50 of which were in the UK. Amazingly, 90% of UK customers thought they already have IT governance, and 50% thought their IT governance was already mature, having been implemented for two years or more."

However, there are differing degrees of IT governance, and Mercury's Gilheany believes that IT governance is often confused with more stove-piped project management tools. "When asked how they underpin their IT governance initiatives some said they used Excel," says Gilheany. "So it's not altogether surprising that IT still struggles to deliver projects on time, under budget and meeting user expectations.

"IT governance is not just about managing IT projects," Gilheany continues. "It's about the control of IT budgets and resources, yes. But it's also about aligning IT with business goals, and increasing the budget on strategic initiatives that drive business efficiency. It's about being able to show the board how IT will deliver value, and showing the board when that value is delivered. It's focusing on the best possible projects, automating processes and giving visibility from demand right through to value realisation."

Weill and Ross' IT Governance book points out that there is not a right and a wrong way to do IT governance: it depends on the organisation in question and the goals that are being sought. "[IT] governance determines who holds the decision rights for how much the enterprise invests in IT. Management determines the actual amount of money invested in a given year and the areas in which the money is invested.

"The senior management team designs IT decision rights and accountabilities to encourage the enterprise's desirable behaviours," the authors continue. "If desirable behaviour involves independent and entrepreneurial business units, IT investment decisions will be primarily with the business unit heads. In contrast, if desirable behaviour involves an enterprise-wide view of the customer with a single point of customer contact, a more centralised IT investment governance model works better."

There are clearly decisions to be made over exactly how to implement a new IT governance regime or indeed improve existing IT governance processes. There appears to be a consensus, however, on the view that enterprise IT will struggle to continue without IT governance in place.

Compuware is another vendor that has moved strongly into the IT governance space since its acquisition of Changepoint. The company's Dan Schoenbaum, VP of strategy, says, "IT organisations must not only address the needs of the business, but also demonstrate and communicate how technology investments contribute to corporate objectives. A lack of integrated, accurate and timely information about IT performance has historically prevented CIOs from doing so.

"Compuware's vision for comprehensive IT governance and management removes those obstacles by providing process integration and performance management data from across the IT lifecycle," adds Schoenbaum.

Of course, there are also the latest compliance and legislative requirements that are helping to drive the need for better IT governance. While not the sole driver for IT governance, it is certainly a crucial factor. A recent survey by the National Computing Centre, 'Benchmark of IT Strategy 2005', found that 44% of IT decision-makers are not fully aware of IT standards and legal requirements.

The survey, conducted among 300 IT decision-makers, found a lack of awareness of the requirement for the IT function and infrastructure to comply with IT standards and legal requirements. Of the 44%, half were only partly aware of IT standards and legal requirements, while the other half were neither aware of such requirements nor aware of the impact on IT.

Mercury's Elie Kanaan, VP of marketing EMEA, is quick to point out that compliance and regulatory issues are not the only drivers for IT governance. Mercury puts IT governance under its own broader set of technologies, which it calls Business Technology Optimisation. "BTO is about looking at IT in its entirety, and asking how it helps an organisation with its existing and new IT investments," he says. "But crucially BTO is also about ensuring that IT delivers the value that you have identified the organisation is expecting."

As the IT governance trend has taken root, numerous companies have come out with software that can help to underpin IT governance initiatives and help to guide projects and best practices. Mercury has just launched version 6.0 of its Mercury IT Governance Centre, for example, which offers a set of software applications and best practices, an executive dashboard, and an enterprise foundation for IT governance: all aimed at enabling IT organisations to automate and manage IT business processes from demand through to production.

For companies that do not have the appetite or resources to have the software installed onsite, the company has also just announced a software-as-service version, under its Mercury Managed Services banner. The hosted Mercury IT Governance software is delivered over the Internet, and also includes a team of service professionals to help customers rapidly execute IT governance initiatives, according to Mercury.

Meanwhile IBM's Workplace for Business Controls and Reporting is also available as a hosted offering, which Big Blue says offers a faster deployment to help address compliance needs. "Small and mid-market companies in particular are often overwhelmed by the cost and complexity of IT solutions available to address these needs," the company explains. "IBM can simplify deployment and management of this solution by providing the capability as a hosted service in partnership with IBM's eBusiness Hosting Services."

CBR Opinion
IT governance has grown in prominence and seen increasing enthusiasm among corporate IT departments as they continue to struggle with delivering project value in the light of compliance challenges. CBR believes the latest IT governance software suites can help an IT department to regain visibility of their own projects and goals, and even help to better demonstrate IT value to the business. But enterprises should also be aware that genuine IT governance cannot be bought off the shelf, as it also requires cultural and process change.

To find out more about IBM's unique approach please click here.

back to top