GOVERNANCE IN THE AGE OF DIGITAL 11 Aug 2017 / Nicholas Tan

NUS-ISS Learning Day 2017 - Governance in the Age of Digital


Agenda

• What is Digital?

• What is Governance?

• Need for Governance

• Governance by Design

© 2017 National University of Singapore. All Rights Reserved

What is Digital? A View

https://www.youtube.com/watch?v=xsWbECkVqgI

What is Digital? Another View

https://www.youtube.com/watch?v=SgLxocWA4JI

What is Digital? A Collision


Digital – Compressed Timeline


“Academic” Definition

Definition [Source]

IT governance is the responsibility of the Board of Directors and Executive Management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives. [1]

Specifying the decision rights and accountability frameworks to encourage desirable behavior in using IT. [2]

IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. [3]

IT governance is the definition and implementation of processes, structures, and relational mechanisms in the organization that enable both business and IT to execute their responsibilities in support of business/IT alignment and the creation of business value from IT enabled investments. [4]

IT Governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management. [5]

IS/IT governance concentrates on the structure of relationships and processes to develop, direct and control IS/IT resources in order to achieve the enterprise’s goals through value adding contributions, which account for balancing risk versus return over IS/IT resources and its processes. [6]

IT Governance describes the distribution of IT decision-making rights and responsibilities among different stakeholders in the organization, and the rules and procedures for making and monitoring decisions on strategic concerns. [7]

Preparation, development and implementation of decisions on goals, processes, people and technology at tactical and strategic levels. [8]

The organizational capacity to control the formulation and implementation of IT strategy and guide to proper direction for the purpose of achieving competitive advantages for the corporation. [9]

Source: Mahy, Y., Ouzzif, M., & Bouragba, K. (2016). Toward a shared view of IT governance. International Journal of Innovation, Management and Technology, 7(4), 125-131.


Common Elements

IT governance is the responsibility of the Board of Directors and Executive Management. It is an integral part of enterprise governance and consists of the leadership and organizational structures¹ and processes² that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives³.

Specifying the decision rights and accountability frameworks⁴ to encourage desirable behavior⁵ in using IT.

Element      ITGI   Weill
Structures   1      4
Processes    2      4
Alignment    3      5


“Practical” Definition

Gartner defines “governance” as the process of:

• Setting decision rights and accountability; establishing policies aligned to business objectives (preservation and growth of shareholder value)

• Balancing investments in accordance with policies and in support of business objectives (coherent strategy realization)

• Establishing measures to monitor adherence to decisions and policies (compliance and assurance)

• Ensuring that processes, behaviours and procedures are in accordance with policies and within tolerances to support decisions (risk management)


Governance… To What End?

+ Clarity of responsibilities and accountability for both demand and supply of IT

+ Good practice in relationships with stakeholders

+ Innovation in services, markets and business

+ Efficient allocation of resources

+ Actual realization of expected benefits from each IT investment

+ Business sustainability

Value Creation


Value Creation? Value Loss?

Organization Function   Measure of Value
Procurement             Cost savings
Finance                 Maximize cash flow
Human Resource          Employee engagement
Engineering             New designs
Sales                   Revenue
Operations              Productivity
Legal                   Compliance
Manufacturing           Quality

IT Measure? TCO? SLA?


Inversion of Control

Collaborate

Digital strategy


Pressure from Digital

Source: https://www.techinasia.com/singapore-press-holdings-media-revenue-declined-4-straight-years

Source: Martin Hirt, Paul Willmott, “Strategic principles for competing in the digital age” in McKinsey Quarterly, May 2014

“Digital capabilities increasingly will determine which companies create or lose value.”


“World’s Best” Digital Bank

Winner Shortlisted

https://www.forbes.com/sites/jasonbloomberg/2016/12/23/how-dbs-bank-became-the-best-digital-bank-in-the-world-by-becoming-invisible/#2ef169e83061

Asian-ness ‘Asian service’…

Respectful, Easy to deal with, and Dependable

CEO

COO

Eliminate ‘Waste’

“We took out 250 million customer hours of waste per year.”

“One year later, we had the top customer satisfaction scores in Singapore,”

User-Centered Design

When customers lose wallet or handbag… new call centre script… first, show empathy; then explain the process; and finally, provide phone numbers to help the customer get their lives back together.

Make Banking Invisible

“Digital is all about the business model, enabled by emerging technology and data,”

“Great user experiences based on ecosystem plays to make the banking component invisible.”

Driving Innovation

“I told our innovation team: don’t innovate,”

“Instead, teach the rest of the organization to innovate.”


Everywhere @digital


Governance “Miss”


Observation 3: The OEA project was not approved through established IT Governance and did not follow required IT Governance processes.

Dr. Chin described the OEA project to us as a donor-funded research and innovation project derived from a concept that artificial intelligence could potentially be applied to the delivery of health care. She clarified that, “because of its high-risk and transformative nature, it was not [an] idea suitable for extramural grant funding” and “therefore, it was up to philanthropy” to fund the project. As a donor-funded research project “not executed under IT management,” she did not consider it to be an information technology (IT) project that would have been subject to institutional IT development policies and processes.

MD Anderson’s Information Technology Project Management and Governance Policy defines an IT project as, “an initiative that provides technology solutions (e.g., products, services, or results) characterized by well-defined parameters, specific objectives, common benefits, planned activities, a scheduled completion date, an established budget with a specified source of funding, and requires in excess of 80 hours of work effort to complete.” The OEA project was not proposed to ISET, did not receive formal ISET approval, and did not follow the established IS Governance Project Portfolio Management process.

We believe OEA meets the definition of an IT project per MD Anderson policy primarily because the objective of the project, from its inception, was to develop a technology solution to be broadly used in delivering MD Anderson services.

We acknowledge that MD Anderson’s policy definition of an IT project could be subjective. Although we believe OEA meets the definition, Dr. Chin told us that she views OEA only as a “research innovation project” and, as such, IT project procedures should not apply. We view the project as both. She further stated that ISET leadership “should have suggested or required such action from [her]” if ISET approval and governance was needed. IT staff reported to us involvement throughout the project, but confirmed that the IT governance process was not followed. Staff told us that Supply Chain Management would normally confirm ISET approval before processing purchase orders. However, in this case procurement staff stated that this project was an “outlier” and did not provide further explanation or justification.

OEA – Oncology Expert Advisor

ISET – Information Systems Executive Team


Organizational Demarcation

Governance
• Giving directions and oversight

Management
• Keeping operations aimed at achieving common pre-defined goals

Operations
• Running the day-to-day business


System of Practice


Governance Timeline

Unclear origin…

1998… IT Governance Institute was formed

Late 90’s… articles start mentioning “IT Governance” in their titles

2002… mention of IT Governance as a Board function

2003… Gartner introduced idea of “Improving IT governance”

A set of practices to guide IT people to provide IT services that meet the needs of business formalized as Service Level Agreements (SLAs).

A framework that “helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use”[10].

An international standard for corporate governance of IT that provides “principles, definitions, and a model for evaluating, directing and monitoring the use of IT.”

Common control “processes, procedures and policies”


‘What’ vs ‘How’

‘What’… Direct

‘How’… Manage

Are we Doing the right things?

Are we Getting the right benefits?

Are we Doing them the right way?

Are we Getting them done well?

Create

Retire

Sustain

Discover… Design… Develop… Discover…

Adapted: J. Thorp, The Information Paradox, 2007


Governance – by any other name

DIRECT

ADVISE

ISO/IEC 38500:2015 COBIT 5.1

COBIT 5.1


ISO/IEC 38500:2015

Guiding principles for good corporate governance of IT

Responsibility: Employees know their responsibilities both in terms of demand and supply of IT and have the authority to meet them

Strategy: Business strategies take into account IT resources & capabilities and IT strategies are aligned with business strategies

Acquisition: IT acquisition decisions are taken in a reasonable and transparent way, short-term and long-term costs/risks and benefits are weighed

Performance: The purpose of IT is to serve business. It is ready to meet current and future needs

Conformance: IT complies with legislation and regulations. Policies and practices are clearly defined and implemented

Human behaviour: IT policies, practices and decisions show respect for Human behavior and the needs of all the ‘people in the process’

Assign responsibilities for the preparation and implementation of plans and policies

Assign responsibilities for the preparation and implementation of performance management

Political and economic pressures

Business pressures

Technology trends

Proposals and strategy


Core Capabilities

Governance

Portfolio Management

Performance Management

Risk Management


Conclusion

By chance

Leadership
• Sponsor
• Prioritize
• Protect
• Remove hurdles
• Communicate

People
• Capability
• Structure

Process
• Policies
• Guidelines

Technology
• Fit for purpose

By design


APPENDIX


References

Source Description

[1] IT Governance Institute, Board Briefing on IT Governance, Rolling Meadows, Ill.: IT Governance Institute, 2003.

[2] P. Weill and J. W. Ross, IT Governance How Top Performers Manage IT Decision Rights for Superior Results, 2004.

[3] W. V. Grembergen, Strategies for Information Technology Governance, Hershey: Idea Group Pub, 2004.

[4] S. DeHaes and W. Van Grembergen, Enterprise Governance of Information Technology, Boston, MA: Springer US, 2009.

[5] P. Webb, C. Pollard, and G. Ridley, “Attempting to define IT governance: wisdom or folly?” in Proc. the 39th Annual Hawaii International Conference on System Sciences, 2006, vol. 8, p. 194a–194a.

[6] N. Korac-Kakabadse and A. Kakabadse, “IS/IT governance: need for an integrated model,” Corp. Gov. Int. J. Bus. Soc., vol. 1, no. 4, pp. 9–11, Dec. 2001.

[7] R. R. Peterson, R. O’Callaghan, and P. Ribbers, “Information technology governance by design: investigating hybrid configurations and integration mechanisms,” in Proc. the Twenty First International Conference on Information Systems, 2000, pp. 435–452.

[8] Mårten Simonsson and P. Johnson, “Defining IT governance-a consolidation of literature,” in Proc. the 18th Conference on Advanced Information Systems Engineering, 2006, vol. 6.

[9] W. V. Grembergen, The Balanced Scorecard and IT Governance, 2000.

[10] Information Systems Audit and Control Association, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, Rolling Meadows, Ill: ISACA, 2012.


THANK YOU
