IT Governance Support for the US Agency for International Development

The Clinger-Cohen Act, the Sarbanes-Oxley Act, the need to do more information technology (IT) projects with less IT funding, and the shift in IT from a support service to a source of competitive advantage have all contributed to the growing importance of IT governance.
A recent GAO report highlighted how most private and public sector CIOs have governance-related responsibilities as top priorities.
The importance of IT governance has not escaped the U.S. Agency for International Development (USAID), as the agency looks to respond to the Office of Inspector General’s request to improve its own IT governance.
Improving IT governance will help USAID manage its investments better, remain compliant, and better link investments to business requirements.
However, improving IT governance starts with understanding the meaning and scope of IT governance, along with the prevailing governance models and frameworks.
IT Governance (noun): the decision rights, accountability framework, and processes that ensure an organization’s IT strategies and objectives are achieved.

What is IT Governance?

IT governance is a natural extension of enterprise governance.
As enterprise governance and Sarbanes-Oxley seek to increase transparency of risk and improve value, IT governance attempts to do the same for technology.
IT governance can be defined as the decision rights, accountability framework, and processes that ensure an organization’s IT strategies and objectives are achieved.
Establishing strong IT governance answers the following questions: How does this project support the business need? Who is responsible for these decisions? How are projects and risk being managed? Are we creating value? And are we measuring performance?
Although IT governance is ultimately the responsibility of executives and leadership, the activities and processes that support IT governance must cascade throughout the organization.
Adoption of IT governance depends on clearly defined organizational roles and responsibilities and process metrics.
COBIT, ITIL, and OPM3 are three frameworks that provide guidance on how to assess and implement IT governance.

ITIL

The Information Technology Infrastructure Library (ITIL) is a customizable framework of best practices that was originally developed in 1980.
ITIL has undergone multiple iterations, but is considered a comprehensive view of data center and service operations management.
Principally, ITIL is concerned with IT service managers taking a holistic, customer-centric view of requirements and service delivery.
The ITIL framework is divided into a series of eight documents/books, which are known commonly as ‘sets’.
The sets themselves are sub-divided into what are termed ‘disciplines’, which each cover individual subjects.
The two most commonly used sets are Service Support and Service Delivery.
The remaining six are: Planning to Implement Service Management, Software Asset Management, Application Management, Security Management, The Business Perspective and ICT Infrastructure Management.
The ITIL framework defines how to organize the system and network management departments within individual organizations.

OPM3

The Organizational Project Management Maturity Model (OPM3) was developed by the Project Management Institute (PMI) in 2004.
OPM3 is directly linked to the knowledge areas defined within the Project Management Body of Knowledge (PMBOK).
The OPM3 standard purports that there is a strong correlation among project, program, portfolio management and the successful implementation of the organization’s strategy.
Within the framework, organizational maturity is measured by the application and adoption of nearly 600 best practices.
Best practices are associated with the five project management process groups: Planning, Initiating, Executing, Controlling, and Closing.
Organizational maturity improves as these best practices are implemented within the project, program, and portfolio.
Organizational maturity also improves as the adoption of best practices migrates from simple standardization to measurement and control, and ultimately to continuous improvement.

COBIT

Control Objectives for Information and Related Technology (COBIT) is in its 4th edition since being developed in 1992 by the Information Systems Audit and Control Foundation (ISACF).
The COBIT model is the internationally accepted framework for governance and control.
COBIT is based on the premise that IT resources translate business requirements into the information that an organization needs to support its objectives.
These resources can be managed and/or organized by a holistic set of grouped processes.
COBIT defines 34 processes that are grouped within four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor.
Each of the 34 grouped processes has multiple, detailed control objectives that ensure process control and compliance.
Furthermore, the processes can be measured for performance and outcome by key performance indicators and key goal indicators.
Lastly, the 34 process areas are measured through five levels of maturity, 0-Nonexistent to 5-Optimized.
Through consideration of the business requirements, IT resources, and the supporting information processes, COBIT provides an encompassing view of IT and the decisions to support IT.
Model Comparison

COBIT
Strengths:
• Widely adopted and accepted by including the Office of Inspector General
• Compliant with ISO 17799, ISACA/ITGI
• Complements ITIL
• Provides comprehensive view of IT processes
• Provides maturity and performance evaluation metrics
• Easily modified and adapted to the IT environment
Weaknesses:
• 34 processes and 318 control objectives makes the framework highly complex
• Process flows and procedures are either non-existent or unproven
• Unproven implementation history

ITIL
Strengths:
• Well established and mature
• Extensive listing of industry-wide, time-tested best practices
• Provides a common vocabulary for IT
• Provides maturity level metrics
• Easily modified and adapted to the IT environment
Weaknesses:
• Very extensive and complex set of reference books
• Implementations have proven to be extremely difficult
• Service focused and does not cover the full scale of IT management
• Processes do not all contain metrics, KPIs, or descriptions of roles and responsibilities

OPM3
Strengths:
• Provides an organizational and portfolio framework for the creation of policies, governance, tools and techniques
• Derived from the widely accepted PMBOK approach
Weaknesses:
• More of a framework to assess portfolio, program and project management than a mechanism to measure IT governance
• No detail regarding specific IT process areas, KPIs, or process level maturity measures

Framework Integration

The process-based, best practice principles behind the COBIT and ITIL frameworks are quite consistent.
Many of COBIT’s processes, particularly those in the Deliver and Support domain, map well onto one or more ITIL processes, including Service Level, Configuration, Problem, Incident or Financial Management.
In fact, of the 34 process areas within COBIT, ITIL addresses 22.
COBIT can be considered the high-level implementation guide for ITIL since its KPIs and maturity levels define the metrics that the ITIL processes must deliver against.
The integration of the models is further supported by the sponsoring organizations.
Both COBIT and ITIL are committed to aligning terminology and content to promote greater integration in coming iterations of their respective frameworks.
Since OPM3 is project management-based and not process-based, OPM3 currently does not fully integrate into the two other models.
However, the principles and guidelines supporting OPM3 are embedded within the Planning and Organization domain of COBIT and specifically the Manage Programs/Projects process area.
OPM3’s objective remains consistent with the other frameworks: to strengthen the link between strategy and execution and the implementation of industry-wide best practices.
For More Information

COBIT: http://www.isaca.org/
ITIL: http://www.itil.org.uk/
OPM3: http://www.pmi.org/info/PP_OPM3.asp