Documentos de Académico
Documentos de Profesional
Documentos de Cultura
GOVERNANCE
OF IT INVESTMENTS
Getting Started With
Value Management
BASED
ON
C O B I T
ISBN 978-1-60420-067-6
Enterprise Value: Governance of IT Investments, Getting Started With Value Management
Printed in the United States of America
IT G
O V E RN ANCE
NSTI TUTE
ACKNOWLEDGEMENTS
ACKNOWLEDGEMENTS
ITGI wishes to recognise:
Development Team
John Thorp, CMC, ISP, The Thorp Network Inc., Canada, Chair
Sushil Chatterji, Edutech, Singapore
Steven De Haes, Ph.D., University of Antwerp Management School, and IT Alignment and Governance (ITAG) Research
Institute, Belgium
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Peter Harrison, FCPA, Fujitsu Consulting, Australia
Chris Tiernan, FBCS CITP, FIMIS, Grosvenor Consultancy Services LLP, United Kingdom
Ragnar van der Valk, Ph.D., PricewaterhouseCoopers, The Netherlands
Expert Reviewers
Dirk Gemke, KLM Royal Dutch Airlines, The Netherlands
Gary Hardy, IT Winners, South Africa
Lucio Molina Focazzio, CISA, Colombia
Anil Jogani, CISA, FCA, Avon Consulting Ltd., UK
John W. Lainhart IV, CISA, CISM, CGEIT, IBM, USA
Wim Van Grembergen, Ph.D., University of Antwerp Management School, and IT Alignment and Governance (ITAG)
Research Institute, Belgium
ITGI Board of Trustees
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, PIIA, KPMG LLP, UK, International President
Georges Ataya, CISA, CISM, CGEIT, CISSP, ICT Control sa-nv, Belgium, Vice President
Avinash Kadam, CISA, CISM, CBCP, CISSP, Miel e-Security Pvt. Ltd., India, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, Past International President
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Trustee
Tony Hayes, FCPA, Queensland Government, Australia, Trustee
IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Avon Consulting Ltd., UK
John W. Lainhart IV, CISA, CISM, CGEIT, IBM, USA
Lucio Molina Focazzio, CISA, Colombia
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG, Austria
Robert E. Stroud, CA Inc., USA
John Thorp, CMC, ISP, The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp Management School, and IT Alignment and Governance (ITAG)
Research Institute, Belgium
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
TABLE OF CONTENTS
TABLE OF CONTENTS
ForewordA Brief Overview of ITGIs Val IT Initiative....................................................................................................6
1.
2.
Recognising Pain Points, Trigger Events and Other Symptoms of Need ..................................................................10
Six Typical Challenges in Creating Value.....................................................................................................................10
Trigger Events and Other Drivers of Change ...............................................................................................................10
3.
4.
5.
6.
IT G
O V E RN ANCE
NSTI TUTE
Em
An piric
aly al
sis
ing
ark
hm
nc
Co
m
Inf mun
lue ity
nc
e
Be
Val IT
Framework
Research
Framework
Supporting Publications
Services
se
pri
ter ge
En chan
Ex
Cases
As the core publication in the Val IT series, Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0,
presents processes and key management practices for three domains:
Value governance
Portfolio management
Investment management
This companion publication is intended to provide business and IT executives and organisational leaders with an easy-tofollow guide to getting a value management initiative started using the value management processes and practices contained
in the Val IT framework.
Other documents in the series are available from the ISACA Bookstore, www.isaca.org/bookstore.
IT Governance Institute, COBIT (Control Objectives for Information and related Technology) 4.1, USA, 2007
IT G
O V E RN ANCE
NSTI TUTE
Very few enterprises actively manage for value. Research carried out by the Cranfield School of Management suggests that
less than 30 percent of the largest UK companies actually have a formal benefits management process.7 Anecdotal evidence
suggests that similar figures are to be found among European and US companies as well.
What does it take to get IT right? One of the single most important factors is a clear understanding on the part of both the
board and executive management that IT is not an end in itself, but a means of enabling business outcomes. IT is no longer
about implementing technology. It is about unlocking IT-enabled organisational change. Just as important is a strategic,
leadership-sponsored commitment to establishing a comprehensive IT governance capability.
IT G
O V E RN ANCE
NSTI TUTE
The Knowing-Doing Gap is the title of a book by Stanford professors Jeffrey Pfeffer and Robert Sutton, published by Harvard Business School
Press in 2000 (ISBN 978-1578511242). The authors wondered why companies spend billions of US dollars annually on training programmes and
consultancy services, yet produce so few actual changes in management practice. Their investigation into why knowledge of what needs to be
done frequently fails to result in action or behaviour consistent with that knowledge, identified common obstacles to action, such as fear and
inertia, and they profiled successful companies that overcame the obstacles.
IT G
O V E RN ANCE
NSTI TUTE
ITGI, IT Governance Implementation Guide Using COBIT and Val IT, 2nd Edition, USA, 2007
IT G
O V E RN ANCE
NSTI TUTE
Huber, N.; Gartner: Firms Waste 351bn Each Year on Ill-conceived IT Projects, ComputerWeekly.com (UK), 21 March 2002
10
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
11
A programme (as distinct from a project) is a structured grouping of projects designed to produce clearly identified business value.
For a description of the role of the investment and services board, and its accountabilities and responsibilities, refer to the Val IT Framework 2.0.
12
IT G
O V E RN ANCE
NSTI TUTE
13
14
O V E RN ANCE
NSTI TUTE
13
14
IT G
O V E RN ANCE
NSTI TUTE
Value Management
Quick Assessment
Management
is unaware of
the need for
the practice.
0
Management
is aware and
committed
to adopt
the practice.
1
Implementation
of the practice
has begun.
2
Implementation
of the
practice is
well underway.
3
The practice is
adopted and its
achievement
monitored.
4
The practice
is embedded
in the
enterprises
way of working.
5
IT-enabled
investments are
managed as a
portfolio of
investments.
IT-enabled
investments include
the full scope of
activities required to
achieve business
value.
IT-enabled
investments are
managed through
their full economic
life cycle.
Value delivery
practices recognise
that there are
different categories
of investments that
are evaluated and
managed differently.
Value delivery
practices define and
monitor key metrics
and respond quickly
to any changes or
deviations.
Value delivery
practices engage all
stakeholders and
assign appropriate
accountability for
the delivery of
capabilities and
the realisation of
business benefits.
Value delivery
practices are
continually
monitored,
evaluated and
improved.
IT G
O V E RN ANCE
NSTI TUTE
15
16
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
17
18
IT G
O V E RN ANCE
NSTI TUTE
O V E RN ANCE
NSTI TUTE
19
2. Implement or
improve governance.
Primary
domain
VG
See COBIT (AI1-7, DS1-13)
PM
VG1, VG2,
VG3
Trigger events
Changing in funding
VG
VG
VG, IM
IM
VG1, VG2,
VG3, VG4,
VG5, VG6
VG1, VG2,
VG3, VG4,
VG5, VG6
VG1
PM
VG1, VG2,
VG3
VG, PM
VG1, VG2,
VG3, VG4,
VG5, VG6
PM
IM
IM3, IM4,
IM5, IM6,
IM8, IM9,
IM10
IM3, IM4,
IM5, IM6,
IM8, IM9,
IM10
PM1, PM2, IM1, IM2,
PM3, PM4 IM3, IM4,
IM5
PM1, PM2, IM1, IM2,
PM3, PM4 IM3, IM4,
IM5
For more detail on the Val IT framework, see the companion document in the Val IT series, Enterprise Value: Governance of IT Investments, The
Val IT Framework 2.0, at www.itgi.org.
20
ITG
o v ern a n ce
n s TI Tu Te
IT Governance Institute, Control Objectives for Information and related Technology (COBIT) 4.1, 2007, USA
IT G
O V E RN ANCE
NSTI TUTE
21
22
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
23
Adapted from The Information ParadoxRealizing the Business Benefits of Information Technology, John Thorp jointly with Fujitsu, first
published by McGraw-Hill in 1998 and revised in 2003, Canada
18
Results ChainTM is a proprietary technique of Fujitsu Consulting, and the term and descriptions of the technique are provided here with
permission of Fujitsu Consulting.
19
Bridges, W.; Managing Transitions: Making the Most of Change, Addison-Wesley, USA, 1991
24
IT G
O V E RN ANCE
NSTI TUTE
20
Pfeffer, J.; R. Sutton; The Knowing-Doing Gap: How Smart Companies Turn Knowledge Into Action, Harvard Business School Press, 2000, USA
IT G
O V E RN ANCE
NSTI TUTE
25
VG Maturity Model
0 Non-existent when
The enterprise sees the IT function as a supplier and a cost to be minimised. There is limited communication between the
business and the IT function.
1 Initial when
The enterprise recognises that IT is both a cost and an investment. There is increasing communication between IT and the
other business functions about the need to demonstrate return on IT investments. Accountabilities are not defined beyond
the level of delivering technical capabilities. Reporting is budget- and cost-driven. Business cases are defined on a projectby-project basis and often are incomplete. Skills and tools exist on an individual, ad hoc basis.
2 Repeatable when
There is increasing awareness amongst business and IT management of the need for a more formalised governance
framework. The business and IT functions are working more collaboratively on the need to demonstrate the return on ITenabled investments. Some individuals take ownership for the realisation of benefits, but there is no formal commitment
from the business. Business cases and investment status reports are required for most investments, and there is some limited
reporting on benefits. On-the-job training is provided in business case development on an as-needed basis. Tools are
increasingly used in response to ad hoc needs, but are not standardised across the enterprise.
3 Defined when
The business and IT functions understand the governance requirements to select and execute new investments, deliver the
resulting IT services efficiently, and ensure optimal allocation of IT resources. Business cases, including benefits
realisation plans, and status reporting are required for all investments. The IT function and business users share the
accountability for implementing programmes, and for benefits realisation, but roles and responsibilities are unclear. Formal
training plans exist but are not consistently executed. Tools are increasingly used to support comparable evaluation of
investments, but are still not standardised across the enterprise.
26
IT G
O V E RN ANCE
NSTI TUTE
PM Maturity Model
0 Non-existent when
There is no awareness that IT-enabled investments should be managed as a portfolio.
1 Initial when
Some business functions apply portfolio management practices in isolation within their scope of activities. Responsibilities
and accountabilities for portfolio management are not defined. The IT function is accountable for use of IT resources.
There is limited adoption of the programme view. Business cases may be needed, but are considered in isolation, and
evaluation and selection of programmes are largely subjective and political. Simple financial metrics are applied on an
individual basis. Skills and tools are available on an individual or ad hoc basis.
2 Repeatable when
There is increasing awareness of the need to manage IT-enabled investments as a portfolio. The programme view is broadly
adopted, and business cases are needed for most programmes. Business cases are evaluated primarily on financial measures.
IT and business management are involved in evaluating and selecting programmes but responsibilities and accountabilities
are not always clear and depend on individuals. An investment life cycle is established and followed, but there is no
consistent definition and tracking of benefits. Limited skills are available to support portfolio management. Training is ad
hoc. A number of different tools exist.
IT G
O V E RN ANCE
NSTI TUTE
27
IM Maturity Model
0 Non-existent when
The enterprise sees IT as an end in itself and the focus is on delivery of technology. There is no recognition of the strategic
need for a benefits focus or to establish clear linkage between technology investments and expected business benefits.
1 Initial when
There is some recognition of the need to improve the governance of technology investments but the focus is usually on
costs of technology. IT holds the budgets and there is little business involvement in the investment management process.
Investment processes are ad hoc and business cases are rarely required. Simple financial metrics may exist, primarily
related to IT solution delivery costs. Skills and tools depend on individuals.
28
IT G
O V E RN ANCE
NSTI TUTE
O V E RN ANCE
NSTI TUTE
29
30
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
31
32
IT G
O V E RN ANCE
NSTI TUTE
IT G
O V E RN ANCE
NSTI TUTE
33
34
IT G
O V E RN ANCE
NSTI TUTE
Fundamentals
Fujitsu Consulting defines a Results Chain as a comprehensive reasoning whereby outcomes can be associated with one
or many initiatives that specify what is required to realise these outcomes in a given organisational context and the Results
ChainTM Diagram is the graphical representation of a Results ChainTM: an integrated network of initiatives, outcomes,
contributions and assumptions21.
The Results Chain technique is based on the idea that a line of reasoning can provide a basis for associating a range of
outcomes with investments. The Results Chain diagram or model is the representation of a shared understanding of how
outcomes will be achieved in a particular contextan understanding shared by those responsible for achieving the
outcomes. In this sense, a Results Chain is a cognitive map, or mind map, as shown in figure 5.
21
O V E RN ANCE
NSTI TUTE
35
Assumption
Tracking
Ultimate
Outcomes/Business
Benefits
Individual
Initiatives
Contribution
Analysis
Intermediate
Outcomes/Benefits
Results ChainTM Components
A Results Chain is composed of only four types of components: outcomes, initiatives, contributions and assumptions, as
shown in figure 6.
1. OutcomesThe results sought, including either intermediate outcomes in the chain (outcomes or intermediate benefits
that are necessary but not sufficient to achieve the business benefits) or ultimate outcomes (the business benefits to be
harvested). An outcome is represented by a circle.
2. InitiativesThe actions that contribute to one or more outcomes. An initiative is a projectwhere money is spent. An
initiative is represented by a square.
3. ContributionsThe roles played by elements of the Results ChainTM, either initiatives or intermediate outcomes, in
contributing to other initiatives or outcomes. A contribution is represented by an arrow between initiatives and outcomes.
4. AssumptionsAn indication of uncertainty about a component in a Results ChainTM. An assumption is represented by a
hexagon. Assumptions represent risks that must be managed or mitigated, e.g., by undertaking another initiative.
36
IT G
O V E RN ANCE
NSTI TUTE
Intermediate
Ultimate
Outcomes
Represent results associated with initiatives
Initiatives
Represent the actions that contribute to the realisation
of outcomes
Contributions
Represent the role one component plays in the realisation
of another
Assumptions
Represent conditions for the realisation of outcomes
over which the organisation has no control or on which
it lacks information
IT G
O V E RN ANCE
NSTI TUTE
37
Increased
understanding of
the contribution to
business value that is
made by IT
(addresses pain
point 5)
Commitment to
value management
created
Awareness and
understanding of
value management
created
Develop and
undertake
communications
programme with IT and
business executives on
value management
(its purpose, approach,
etc.)includes
Val IT process VG1
Acceptance
(and buy-in) by
IT and business
executives of their
responsibilities
in value
management
created
Assumption:
The most
senior management
support the
value management
journey
Funds and
resources
committed
to value
management
implementation
Increased
communication and
interaction between
the IT function and
business (addresses
pain point 4)
Increased
business
acceptance that
governance of the
IT-enabled portfolio
is a business (not IT)
issue (addresses
pain point 3)
Environment
where value
management
can be successfully
introduced and
sustained
created
Legend
Initiative
Outcome
Assumption/Risk
Contribution
38
IT G
O V E RN ANCE
NSTI TUTE
Establish informed
and committed
leadershipincludes
Val IT process
VG1
Business
engagement for
value governance
created
Linkage of
value governance
within the
enterprise
created
Define and
implement value
governance framework:
processes and roles
and responsibilities
includes Val IT
processes
VG2 and VG3
Increased
business acceptance
that governance of
the IT-enabled portfolio
is a business issue
not an IT issue
(addresses
pain point 3)
Increased visibility
and transparency of
investment portfolio
Effective value
governance
created
Operationalise and
sustain value
governance framework:
portfolio characteristics
and information
requirements
includes Val IT
process VG5, VG6
Framework
within which value
governance will
operate created
Define and implement
value governance
framework: portfolio
characteristics and
monitoring information
requirements
includes Val IT
process VG5
Quality of the
enterprises portfolio
investment
decisions increased
Assumption:
The most
senior management
support the
value management
journey
Knowledge and
understanding of
the value and
delivery
perspectives of the
investments
increased
Increased
responsiveness
to significant
market and
economic shifts
(addresses trigger
point 8)
Increased
communication and
interaction between
the IT function and
business (addresses
pain point 4)
Legend
Initiative
Outcome
Assumption/Risk
Contribution
O V E RN ANCE
NSTI TUTE
39
Increased
business acceptance
that governance of
the IT-enabled
portfolio is a
business, not IT,
issue (addresses
pain point 3)
Understanding of
how investment
decisions
are made created
Increased ability to
respond to changes
in funding
(addresses
trigger point 7)
Increased
knowledge of the
portfolio (the
inventory) from a
business value
perspective
Understanding of
the parameters to
review the
portfolio created
Establish portfolio
management
frameworkincludes
Val IT processes
PM1, PM2, PM3
Prioritised
list of investments
based on business
value created
Increased
understanding of the
expenditure and
business value of IT
portfolios, assets and
investments (addresses
pain point 2)
Understanding of
the investments
within the
portfolio created
Undertake assessment
and scoring of the
current and candidate
investments of the:
organisationincludes
Val IT processes IM1, IM2,
IM3, IM4, IM5 (depending
on stage of life cycle)
Recommended
list of prioritised
investments created
Undertake evaluation
and selection of
investments based
on business value
includes Val IT
process PM4
Assumption:
Relevant and
accurate
information on
investment is
available
Increased
responsiveness
to significant
market and
economic shifts
(addresses trigger
point 8)
Legend
Initiative
Outcome
Assumption/Risk
Contribution
40
IT G
O V E RN ANCE
NSTI TUTE
Undertake benefit
assessment of the
in flight investments:
track the benefits,
update the business
case and report on the
programmeincludes
Val IT process IM6
Undertake delivery
assessment of the
in flight investments:
update the business
case and report on the
programmeincludes
Val IT processes
IM8, IM9, IM10
Assumption:
Relevant and
accurate
information on
investments is
avaialble
Understanding of
the value aspects
of investments at
business case
stage created
Level of business
and IT risk
decreased
Decreaded
likelihood of
investments failure
(addresses pain
point 6)
Increased
knowledge of the
business value
of the individual
investments
Increased visibility
and transparency
of individual
investments
Opportunity and
timeliness of taking
corrective action on
investments
increased
Understanding
of the value and
delivery aspects of
in flight
investments
created
Increased
understanding of
the contribution to
business value that is
made by IT
(addresses pain
point 5)
Legend
Initiative
Outcome
Assumption/Risk
Contribution
IT G
O V E RN ANCE
NSTI TUTE
41
Assurance
ITAFTM: A Professional Practices Framework for IT Assurance, 2008
Stepping Through the IS Audit, 2nd Edition, 2004
ERP Series:
Security, Audit and Control Features Oracle E-Business Suite: A Technical and Risk Management Reference Guide,
2nd Edition, 2006
Security, Audit and Control Features PeopleSoft: A Technical and Risk Management Reference Guide, 2nd Edition, 2006
Security, Audit and Control Features SAPR/3: A Technical and Risk Management Reference Guide, 2nd Edition, 2005
Specific Environments:
Electronic and Digital Signatures: A Global Status Report, 2002
Enterprise Identity Management: Managing Secure and Controllable Access in the Extended Enterprise Environment, 2004
Linux: Security, Audit and Control Features, 2005
Managing Risk in the Wireless LAN Environment: Security, Audit and Control Issues, 2005
Oracle Database Security, Audit and Control Features, 2004
OS/390z/OS: Security, Control and Audit Features, 2003
Risks of Customer Relationship Management: A Security, Control and Audit Approach, 2003
Security Provisioning: Managing Access in Extended Enterprises, 2002
Virtual Private NetworkNew Issues for Network Security, 2001
IT Governance
Board Briefing on IT Governance, 2nd Edition, 2003
IT Governance Global Status Report2008
COBIT and Related Publications:
COBIT 4.1, 2007
COBIT Control Practices, Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, 2007
COBIT Security BaselineTM, 2nd Edition, 2007
COBIT QuickstartTM, 2nd Edition, 2007
IT Assurance Guide: Using COBIT, 2007
IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance, 2007
IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over
Financial Reporting, 2nd Edition, 2006
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition, 2007
42
IT GOVERNANCE INSTITUTE
OTHER PUBLICATIONS
COBIT MAPPING SERIES:
ALIGNing COBIT, ITIL and ISO/IEC 17799 for Business Benefit, 2005
COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0, 2007
COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT 4.0, 2nd Edition, 2006
COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0, 2006
COBIT Mapping: Mapping of ITIL With COBIT 4.0, 2007
COBIT Mapping: Mapping of NIST SP800-53 With COBIT 4.1, 2007
COBIT Mapping: Mapping of PMBOK With COBIT 4.0, 2006
COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0, 2007
COBIT Mapping: Mapping of SEIs CMM for Software With COBIT 4.0, 2006
COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0, 2007
COBIT Mapping: Overview of International IT Guidance, 2nd Edition, 2006
IT Governance Domain Practices and Competencies:
Information Risks: Whose Business Are They?, 2005
Optimising Value Creation From IT Investments, 2005
Measuring and Demonstrating the Value of IT, 2005
Governance of Outsourcing, 2005
IT Alignment: Who Is in Charge?, 2005
Val IT:
Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0, 2008
Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0 Extract, 2008
Enterprise Value: Governance of IT Investments, The Business Case, 2006
Security
Cybercrime: Incident Response and Digital Forensics, 2005
Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, 2006
Information Security Governance: Guidance for Information Security Managers, 2008
Information Security HarmonisationClassification of Global Guidance, 2005
Managing Enterprise Information Integrity: Security, Control and Audit Issues, 2004
Security Awareness: Best Practices to Serve Your Enterprise, 2005
Stepping Through the InfoSec Program
IT G
O V E RN ANCE
NSTI TUTE
43
BASED
ON
C O B I T