PINK ELEPHANT
THOUGHT LEADERSHIP WHITE PAPER
PROFILING YOUR ORGANIZATION’S
GOVERNANCE OF ENTERPRISE IT
Authors:
Rob England, The IT Skeptic
Malcolm Ryder, Principal, Archestra Research
Jack Probst, Principal Consultant, Pink Elephant
If the world can’t agree on exactly what Governance Of Enterprise IT (GEIT) is, perhaps it is
easier to talk about what governance is not. In this paper we present a profiling model for GEIT
which presents a maturity model. The model starts with the null hypothesis: What does an
organization look like with no governance of IT at all? The Answer: Oblivious. Then it moves up
through two dysfunctional levels – Irresponsible and Lucky – to finally reach a definition of
good GEIT: Trusted.
In the first white paper in this series we explored the idea that Governance Of Enterprise IT Is Missing
In Action. As that paper said:
The great majority of IT organizations today operate within a politically entrenched, silo-based
model where GEIT is a myth and enterprise IT strategies are non-existent.
The term Enterprise IT refers to all groups which manage information technology assets and
data. The scope of GEIT is the governance of the IT resource and is not limited to what may be
considered the IT Function. The IT resource typically includes multiple stakeholder groups,
spanning both internal and external suppliers, across the end-to-end enterprise. There is often
simply no agreement or vision to govern these often interdependent technology assets under
one agreed-upon approach.
The challenge faced today is that many senior IT leaders consider the current fragmented
approach to IT value stream governance and management to be normal, and even positive.
Very few have questioned the cause and effect of silo-based governance and have yet to
acknowledge the cause and effect of this status quo.
There are multiple views of what GEIT means. The second white paper in this series presented
Governance Of Enterprise IT – A Model. That paper illustrated:
The discussion of governance begins with an understanding of what the term means. It was the
collective experience of the PTT panelists that if 10 IT managers were asked to define
governance, 10, 12 or more definitions would be proffered. The confusion seems to spring from
the fact that there isn’t one agreed industry recognized definition for governance.
In fact the definition is further clouded in that the term IT Governance has been applied to Risk, Audit,
Security and Compliance Management activities. So much so, it is the opinion of the Pink Think Tank
(PTT) that the term governance has been claimed by these practices and perhaps is no longer
appropriate in the context of establishing strategic oversight. The second white paper goes on to offer
governance models developed as an outcome of the PTT to help bring clarity to the term.
www.pinkelephant.com
Executive Summary
In this paper we present a profiling tool for GEIT which produces a maturity model. If we can’t agree on
exactly what GEIT is, perhaps it is easier to talk about what it is not. What does it look like when
governance is not there? The model starts with the null hypothesis: What does it look like with no
governance of IT at all? Then it moves up through two dysfunctional levels – Irresponsible and Lucky –
to finally reach a definition of good GEIT.
The profiling model is intended as a learning tool, to increase understanding of the various aspects and
attributes of governance. The model’s levels will provide organizational insight when planning
improvement of GEIT practices, etc.; however, the model is not intended as a scientific, rigorous or
calibrated instrument for assessment of an organization.
Table Of Contents
1 INTENTIONALLY COMPETENT
2 MATURITY MODEL
3 FOUR FACTORS OF GOVERNANCE
4 PROFILING TOOL
1) INTENTIONALLY COMPETENT
Putting governance into identifiable practice requires two broad characteristics: competency and
intentionality.
• Competency – the capability, authority, knowledge and skill of an organization and
organizational bodies to effectively institute and direct, on an ongoing basis, the framework
necessary for organizationally and socially appropriate governance. Competency represents
an organizational ability to execute governance
• Intentionality – an observable attribute of governance activities that reflects the actions,
outcomes, decisions and guidance of an organization’s governance framework that results
from either a coordinated prescriptive approach or through well-intentioned but
uncoordinated individual actions. Intentionality represents an explicit goal to govern
The balance of competency and intentionality is an important way to profile an organization.
Intentionality represents having an explicit goal of governing (Culture); competency represents an
actual ability to execute (Capability).
Evaluating these dimensions for an organization provides a mechanism to profile the current state of an
organization’s governance, to establish a desired future state, and to assist in crafting a plan to close
the gap.
We have cross-referenced intentionality (weak to strong) and competency (weak to strong) to identify
four states of governance.
              Unintentional   Intentional
Competent     Lucky           Trusted
Incompetent   Oblivious       Irresponsible
2) MATURITY MODEL
These states of governance give us a simple maturity model for GEIT:
1. Oblivious (Low Intention/Low Competence).
Governance is poor or absent. A lack of understanding of its importance results in no
perceived need for governance improvement, even though the symptomatic problems are a
constant burden. Being Oblivious is the result of a failure to understand. “We don’t know any
better”.
2. Irresponsible (High Intention/Low Competence).
Governance is going through the motions but without tangible benefit to the organization.
Governance is deemed to be organizationally or socially inappropriate or irresponsible. In
some cases the outcomes of governance generate negative consequences that could be
considered criminal or socially unacceptable in nature. This is a failure of ethics or
alignment. “We don’t believe or care”.
3. Lucky (Low Intention/High Competence).
Governance is a loose paradigm for the organization without strong practices or processes.
Governance is not a priority because the outcomes (so far) are generally favorable but “we
aren’t sure why”. A poor understanding of risk leads to complacency. This is a failure of
discipline or maturity. “We don’t think or worry because we haven’t been hurt yet”.
4. Trusted (High Intention/High Competence).
Governance is trusted by the organization to provide the necessary direction, guidance and
controls to affect and manage the risks facing the organization and behaviors influencing
risk realization. “We know what to do, how to do it and the reasons we are doing it”.
3) FOUR FACTORS OF GOVERNANCE
In order to profile against this maturity model, we need to look at the levels of competency and
intentionality. In the PTT we developed four general factors that account for the strength and impact of
the competency and intentionality:
• Practice – the collection of actions and decisions that are purposefully undertaken, having
an effect on the alignment of resource use to stakeholder value
• Expertise – the type and degree of awareness and capability that is applied by parties
running the business, regarding the ability and opportunity to govern
• Conditions – the current-state effects and outcomes of conducting the business, relevant to
the perspective of governance
• Culture – the behavior norms and belief norms of the environment in which business
conduct is generated
These four factors are generally coupled to each other, for example:
• It is expected that Culture may precondition Expertise as well as be shaped by it
• Conditions are the likely typical effects of current Practices, but they may be inhibitors as
well as effects
• Practices should develop and improve with the support of improving Expertise, but
Practices may also prescribe what kind of Expertise is pursued
Competency and intentionality are each quite variable. If we see them as indicators of success in
governance, then we can use them to profile whether an organization has a sustained behavior that
can be expected to support alignment to stakeholder business needs.
Each of the four maturity states – Oblivious, Irresponsible, Lucky, and Trusted – includes characteristics
of Practice, Expertise, Conditions and Culture that meaningfully distinguish an organization’s
governance behavior from that of other entities.
4) PROFILING TOOL
Evaluating the dimensions of Competency and Intentionality is subject to a degree of imprecision and
subjectivity. To provide context to the dimensions we developed a matrix of the four factors that profile
an organization’s governance framework.
Use the following tables to profile your organization. As we stated at the outset, this is not intended to
be a rigorous maturity assessment. It paints a picture for you to help in deciding how much governance
improvement is needed, how urgently, and in what areas.
You may find it interesting and enlightening to check off which of the four maturities best describes your
organization in each row of the tables. The more analytical amongst you will not be able to resist giving
a score instead, and the most enthusiastic amongst you may well assign a weight to each row.
However, that level of analysis would be extending this instrument well outside its design parameters: it
is not intended to be that precise a tool, only indicative.
Once you have determined your organizational profile, what then? The next and final white paper in this
series on Governance of Enterprise IT will offer the collected advice of the Pink Think Tank on how to
approach the implementation of IT Governance.
After you have completed your own profile, we would be very interested in your thoughts, comments
and feedback regarding the utility, applicability and contextual nature of the tool. If we get sufficient
feedback on the criteria in this profile, we will publish a revision in future. There is plenty of scope for
more and better descriptors in the profiling tool. So please come to the LinkedIn group and post your
comments at https://www.linkedin.com/grp/home?gid=7473572.
SCOPE: Context: the asset that is at stake, and its scope
Oblivious Irresponsible Lucky Trusted O I L T
Practice • IT resources and
components are
managed in isolation
from each other
• Always firefighting
• Governance is
focused on managing
the technology asset
without a good
understanding of its
business context
• Unpredictable
responses to same
conditions
• IT Governance is
focused only on the
assets controlled by the
IT Function: it does not
include technology and
information assets
managed by other
business groups
• Governance is based
on technology silos or
domains
• Inconsistent responses
to same conditions
• Resources hoarded
• Post-facto
rationalization: we
justify results after
the fact
• Hate or threatened
by audits
• Cavalier responses
to same conditions
• Well-defined scope – we
know what we are
covering and not
covering:
process/service/technology
• Governance is
intentional, not reactive
• Strong alignment of
managing IT risk with
business risk
• Defined repeatable
responses to same
conditions
Expertise • Lack of self-
awareness
• Lack of alignment
• No systems
• Limited awareness of
frameworks
• Get better at
firefighting not fixing
• Dismissive of
frameworks
• Governance is
understood in terms of
compliance and risk
• The right tool will fix the
problem. Embed the
rules in the tool
• Over-reliance on past
experience
• Fanatical about a
framework: by the
book
• Always done it that
way
• Gut feelings rule
• Wing it
• Dependencies between
tiers are understood
• Business impact is
understood
• Alignment between IT
strategies and business
strategies is understood
Conditions • Random unexplained
events: things just
happen without
knowing why
• Lots of issues without
knowing why
• Managing aging or
complex infrastructure
• Some services have
been defined but have
not been agreed to
• Results are
inexplicably good –
we don’t know why
• Repeatability not
guaranteed
• Alignment between IT
strategies and business
strategies is good
• Governance is multi-
tiered throughout the
business service
architecture (portfolios of
resources)
Culture • Lack of customer
engagement
• Low morale. Despair,
cynicism
• Passive/aggressive
behavior
• Governance is
subordinate to Finance
• Different rules for
different people, without
justification
• I know better than my
customer
• Believe in governance
until the crisis of the
moment occurs and
then we go back to the
old way
• Value individual effort
over group effort
• Honor heroes,
firefighters
• No sense of need to
comply
• If it ain’t broke don't
fix it
• Cowboys
• The business
understands the
importance of providing
direction for IT and IT
participates
collaboratively in those
decisions
• Professionalism, agility
WHY: Optimize return, resources and risk, and ethics
Oblivious Irresponsible Lucky Trusted O I L T
Practice • Don't understand and
manage resource
requirements
• Poor financial planning
and no actuals
• Non-compliance is
seen as an acceptable
risk
• Evasive behavior used
as a strategy versus
accountability
• Controls reward the
company at the
expense of the
customer
• ROI may be required
up front but is not
tracked and reported
• Technology data
repositories focus only
on assets and data
within specific domains
or silos
• Never got the
company in trouble so
far
• I get the job done
• Less controls means
more efficiency
• Good at balancing risk
against return and
resource
• Plan for unforeseen
consequences
• Risk register
• Investment register
Expertise • Don't know what
governance means
• Don't understand and
control risk
• Not aware of what to
comply with
• Don't understand or
meet stakeholders’
needs
• There is little to no
understanding of IT
value streams which
cross departmental
boundaries
• Awareness is used to
avoid scrutiny
• Know just enough to
be dangerous
• Fanatical adherence to
frameworks
• Blind to consequences
and ignoring risks
• My customers know to
come directly to me if
there is a problem
• Capable of mapping
investments to
outcomes and
mission/vision
Conditions • Undetermined actual
value
• Lack of transparency
of cost
• Can’t get funding
• Other sources
“cheaper”
• Working to avoid being
outsourced
• The business is forced
to use IT
• Deniability is a regular,
popular and accepted
practice
• Risks are often
reported but not
consistently managed
• Meeting SLAs
• Complaints are low;
satisfaction OK
• IT is a preferred
supplier
• IT is a trusted partner.
• Transparency of cost
and risk
Culture • Ignorance is deniability
• Every day is a surprise
• Believe the primary
responsibility is
technology
optimization
• Have a false sense of
separation from the
business partner
organizations
• Business believes it
knows best
• I don't have to comply
• I can get away with
stuff and no one will
know
• You have to break a
few eggs to make an
omelet
• I just do my job right or
wrong
• We can change the
rules of the road to
meet the conditions at
the moment
• Arrogance, swagger.
Captain of the Titanic
• We're successful so
why change
• Believe we have
everything under
control
• Decisions and priorities
are based on
organization’s risk
appetite and tolerance
• Stakeholder values drive
decisions
• Belief that we are doing
what's right for the
organization not just for
one function, role or
group
HOW: Evaluate-Direct-Monitor Reference Model and feedback loops
Oblivious Irresponsible Lucky Trusted O I L T
Practice • Lack of metrics
• Planning cycle is daily
• Reactive, not proactive
• Majority of time is
spent in reactive,
unplanned firefighting
mode without
considering root cause
• There are multiple
technology asset
repositories with
duplicate data and
information with little to
no synchronization or
data standards to
promote consistency
• Authority and
relationships are used
instead of practice
models
• Metrics only technical
and operational, not
strategic or tactical
• Doing minimum you
can get away with
• E-D-M processes are
formalized, known, and
adhered to
• Uses a benefits
realization statement as
a measuring device to
assess value and
alignment
• Tracks and reports the
value of business
decisions as
improvement feedback
• Well outlined and
managed controls and
feedback mechanisms
Expertise • No reference model
• Don't understand or
know the business
strategy
• Avoid change
• "Spin" is readily and
frequently offered and
accepted as
accountability
• Subvert change
• Don’t understand why
(governance by
compliance)
• Assume everything is
okay unless someone
complains
• Change as a whim
• Respect for, and
selective adoption and
adaptation of multiple
frameworks and models
• Continual evaluation of
internal and external
factors: micro and macro
environment
• Situational awareness
• Managed change
Conditions • No feedback loops
• Inconsistent and
unpredictable direction
• Never seem to get
ahead of the last
challenge. Incidents
are always repeating
• Some governance
monitoring exists but
this does not always
lead into Evaluate and
Direct
• Some directing and
monitoring but no
evaluation
• Fix it when it breaks
• Responds and adapts
well to external factors,
events, conditions,
influences etc.
Culture • No shared vision of
“good"
• Bogged down,
immobile
• Procedures conducted
under idea that the
ends justify the means
• Strong belief that if we
tell the group what to
do they will do it. Very
little if any follow-up
• Lurching, destructive
• Bunker mentality
• CYA
• Only as much
governance as I have
to
• Don't need controls or
policies because
typically not at fault.
• Leaping about,
irrational
• Adopt and adapt
• Decisions are made by
and with key
stakeholders and
decision makers from
both the business and IT
• Agile, consistent,
reliable
WHO: Owner, governing bodies, management, operation; accountability and authority
Oblivious Irresponsible Lucky Trusted O I L T
Practice • No governance body
• Urgent trumps
important
• Authority profiles not
defined or understood
• Scope of practices
limited to small group
at top of hierarchy
• Some understanding
of the difference
between Governance
and Management, but
not executed
differently
• Governance at the
technical domain and
operational silo
domain
• Governance by
management fiat
• Governance has a
decidedly financial
focus
• Short planning cycles,
focused on program
and project
management
• Formal governing bodies
appointed by the owners
• People assigned to
govern represent the
stakeholders
• Each governed scope
(e.g. IT) has a
comprehensive
representation amongst
governors
• Governance body
constituency is
determined based on the
focus or scope. Broad
scope (e.g. IT
investments) will engage
multiple business and IT
leadership whereas
limited scope (e.g.
programs) will be limited
to stakeholders
Expertise • IT done by heroes
• Do not understand
expectations
• Working with blinders
on
• Too many bosses
• Every manager has an
opinion that trumps
direction given by
others
• "Following orders"
used to avoid taking
responsibility
• "Need To Know"
mentality discourages
questioning and
assessment
• Governance is
focused on projects;
program portfolio over
service portfolio
• Applications centric;
no systemic view
• Technology Mastery
seen as the primary
skill for business value
enablement
• The charter and roles
and responsibilities are
well-understood
Conditions • Authority does not
match accountability
• Ill-defined roles and
responsibilities
• Job descriptions do
not match reality
• Localized decision
making but more to
enforce management
principles, not making
the right decisions to
support goals and
objectives
• Architecture is run
down, over time
• Technical debt
• Self-appointed
governorship
• Managers have full
authority over the
decisions within the
scope
• All outcomes, benefits
and risks have assigned
owners
Culture • Work is done through
informal networks
• Individual and
personal priorities
dominate
• Squeaky wheel gets
the grease
• No sense of a
collective “we”
• Governance by
dictatorship
• Operations are aimed
at concentrating
benefits instead of
sharing benefits
• Governance is
someone else’s
responsibility/problem
• Operational
sustainability is not
considered
• Builds a culture of
incompetence
• I’m the boss – do as I
say
• Directions and
decisions are very
much technology silo
centric
• Governance extends
across the enterprise
WHAT: Policies, Plans, Goals, Controls, Maturity Models, Decision Models, Resources
Oblivious Irresponsible Lucky Trusted O I L T
Practice • Governance
instruments are non-
existent
• Bad or misaligned
goals
• Plans are not
followed
• Each technology
domain is considered
separately as
opposed to a
coherent whole or
system
• Contrived controls
• Policies are used as
suggestions instead of
as priorities
• Compliance is treated
as the goal versus
strategic oversight
• Performance targets
trump policy
enforcement
• Decision Model
changes constantly
• Minimal controls to
meet audit/compliance
requirements
• Decisions made by
individuals with little
collaboration
• Just-in-time controls
• Decisions are based
on variances and
standardizations
• Policies are enforced
• Plans are both predictive
and iterative
Expertise • Low process maturity
• Tribal knowledge and
corporate myth
dominate
• Resources are not
aligned to do the right
work
• Documentation not
valued.
• Process maturity is
based on individual
effort (hero culture)
• Enterprise architecture
disregarded or rejected
• The governance intake
process is clear, formal
and used
• Plans are appropriately
evaluated for alignment
• Proactive planning
Conditions • Artifacts are dead,
derelict, or
inconsistent
• No documented
policies
• Smoke and mirrors
• Measures are not
balanced (financial
overemphasis)
• Appropriate levels of
instruments are
employed
• Artifacts are active and
used
• Cascading instruments
at each level of the
organization
Culture • No policy
enforcement or
consequences
• Ready-fire-aim
• Accountability is what
happens when I get
caught
• Belief that tools and
workflow solve issues
• Squeezing costs for
results
• Have good people so
that's enough
• Get stuff done so that's
enough
• Results oriented
• Fit for purpose and fit for
use
• Formal governance is
accepted and expected.
Governance practices,
procedures etc. are
documented and
continuously reviewed
and updated
O I L T
Add them up:
© Pink Elephant Inc., 2015. The contents of this case study are protected by copyright and cannot be reproduced in any manner. Pink Elephant and its logo, PinkVERIFY, PinkSCAN, PinkATLAS, PinkSELECT, and PinkREADY are either trademarks or registered trademarks of Pink Elephant Inc. The contents of this document are protected by copyright and cannot be reproduced in any manner. ITIL® is a registered trade mark of AXELOS Limited.
ABOUT PINK ELEPHANT
We Lead The Way!
A premier global training, consulting and conference service provider, Pink Elephant has an
undisputed reputation for leading the way. We’re proud of our pioneering and innovative spirit,
which has enabled us to introduce and spearhead many revolutionary concepts and programs
since our inception forty years ago.
ABOUT THE AUTHORS
Rob England, The IT Skeptic
Rob England is a self-employed IT commentator and consultant. He consults in New Zealand
on IT governance, strategy and processes. Internationally, he is best known for his blog The IT
Skeptic and half a dozen books on IT. He speaks widely at conferences and online.
Malcolm Ryder, Principal, Archestra Research
As Principal of Archestra Research, Malcolm blends over 30 years in management consulting,
IT, marketing and the art world. His approach features findings and advisories based on
recurring direct experiences across those domains, about how we identify, design and build
value.
Jack Probst, Principal Consultant, Pink Elephant
Jack Probst has a diverse management, business and technical background, and he delivers
strategic process consulting and advanced ITIL® training and education programs as a
Principal Consultant for Pink Elephant.