MIS 5202 IT Governance

Temple University

Richard Flanagan

Week 6: Reading Questions & Case

by 131 Comments

Readings

  1. What is the importance of having a target mix before starting to approve projects?
  2. Why would you want all projects to be proposed in a uniform way?  What would you suggest as information that must be available for all projects?
  3. Do you think most organizations compare their projects’ performance to that which was proposed by the project?  Why or why not?
  4. How would you justify a project that shortens a company’s sales cycle or improves the yield of an production process.  What assumptions would you have to make?
  5. How does your company make project funding decisions? How well does it work?

The MDCM Case

Work with your team to prepare project recommendations for the MDCM board.  Please come (in class or on the Webex) ready to present what you think MDCM’s strategic, business and IT goals ought to be.  Here is your assignment:

You are a member of the MDCM executive team. Use the information given in this case to help solve this management crisis with the other executive team members in your group. Your team should define the overall corporate strategy for MDCM, the business goals matched to this strategy, and the related high-level IT objectives. Be prepared to present your recommendation to the MDCM corporate board.

You don’t need to post anything on the case this week.

Politics and IT Archetypes

by 9 Comments

I’m seeing lots of good posts on archetypes, well done.  Being a Political Scientist by training, its important to me that you understand that these archetypes represent the politics of organizational decision making around IT.  By defining who is making these decisions I can affect what decisions are being made.

So, think about a company with multiple lines of business (LOB).  How powerful is the center vs the heads of each LOB?  If the LOB heads are very powerful (think “we make all the profits you center guys just cost money”) then you will likely have a Feudal archetype.  If there is a strong center (CEO,CFO,CIO) then you probably have a Duopoly or Federal  archetype.

While you will never get a CISA or CISSP question on archetypes, they can help you in your work.  If you are in security and proposing a significant spend to the CFO and CIO and all the decision making power is in the hand of the LOB’s, you are barking up the wrong tree.  If you are auditing enterprise architecture and see all the right plans and documents but everyone is allowed ti do their own thing (Anarchy), then you have the same problem.

Lyndon Johnson, former US President, once said of politics  “Before I enter a bar, I like to know where my friends and enemies are sitting.”  You need to understand how decision making is being done and who is involved (and who isn’t) to really understand how IT governance is done and influence the decisions.

Comments please.

 

Week 4 Wrap-up: Enterprise Architecture

by Leave a Comment

Several excellent threads on this week’s discussion, good job.   There are  three concepts that we think are worthy of highlighting:

  • EA is about both business and technology.  It aims to drive the technology decisions from its business findings but its end result are things like application and infrastructure standards.
  • EA can become very bureaucratic.  If you are spending time charting and documenting things without providing the output needed to guide the enterprise’s decisions, its likely a waste of time.  EA is  difficult to do well.
  • Best-of-breed vs packaged ERP is a classic EA question. A well reasoned case for either, communicated throughout the company, would be an excellent outcome for an EA project.

I hope you see the difference between the topics of the first two week and EA.  Week 2 and 3 were about defining the IT organization, its mission (to produce value for, and manage the risk of, the enterprise) and the internal administrative controls needed to run it effectively and efficiently.  All good, necessary stuff but kind of generic.  You could apply any of it to any organization.

EA, at least its output, is different. This is the first time we are talking about what the IT organization should do, what it might focus on to add that value we talked about generically earlier.  It starts with understanding the business and its processes.  What is important? What isn’t?  A manufacturing firm will have very different needs than a consulting firm.  Just because some type of system is very effective in one industry, doesn’t mean it will work for the other.  EA goes beyond this, however, to look at a future state that has all the right applications and infrastructure in place to ensure the continued success of the company.  You might sum it up as saying EA strives to make the right IT decisions today, with an eye always on tomorrow.

Considering best-of-breed vs ERP type package.  Our view is: it depends.  If I am a traditional manufacturer I am apt to go ERP.  My requirements are very well known and expertly supported by several great software companies.  Their tools have been proven to make manufacturers much more efficient.  Efficiency is king in my organization (manufacturers must keep SAR costs under control to be profitable) so this all sounds very good to me.  EA for such a firm will probably set some standards around infrastructure but say for applications “Use SAP (or whatever) first or explain why not.”

On the other hand, if I am an internet investment company, everything I do is IT.  I reach out to my customers through the web, I take their orders through the web, I deliver my work product to them via the web.  IT is my company’s life.  Here I may not want anyone else calling the shots. I want to bring in whatever will do the best job possible for my most important needs and I will hook it all together.  Thats what I do anyway, hook stuff together, so its no big deal.  Here EA is apt to be all about infrastructure and middleware.  So long as an application can live on our servers and communicate with our middleware, we will be fine.

So each firm will have a different EA for their organization and both will be correct in what they choose.

 

Week 5: Reading Questions and Activity

by 159 Comments

Readings

  1. Describe the five IT questions that Weill & Ross (see Figure 3-4) see all organizations making?
  2. How do the Weill & Ross questions line up to the McKinsey questions? What’s changed in the last 15 years?
  3. Which archetype do you think is the most rare? Most common? Why?
  4. What is the difference between and IT Strategy committee and an IT Steering Committee?
  5. What archetypes do you see in your company? How well do they work?

 

No case this week

Both Sections: Guest Speaker Tom Smith, Dow Chemicals, 10/4 at 5:30

by Leave a Comment

Jan and I are happy to announce that Tom Smith of Dow Chemical will be joining us on Tuesday evening October 4th to talk about the hard work of aligning IT to the business.  Tom is the IT Director for several of Dow Chemicals’ businesses.  Please join the regularly scheduled Webex for my section of IT Governance on the Training Center at webex.temple.edu.

Here’s Tom bio:

tom-smith-professional-shotThomas G Smith (Tom) joined The Dow Chemical Company in 1993 as an Information Analyst in their Coating Materials business.  Fascinated with the business’s technologies and markets, he became a sales trainee and enjoyed positions of increasing responsibility becoming a National Accounts Manager in the Sales team in Coatings.  During the 2000-2009 period, Tom used his combined experiences in the commercial team and in information technology to lead strategic programs for the business before moving into the corporate Selling Excellence team.  Tom is now the Business IT Director for several Dow businesses, including Building & Construction, as well as for Coatings, Monomers, and Plastics Additives.  Tom graduated from Amherst College with honors in Economics and English; and prior to joining Dow he worked as an information analyst at an international economic forecasting and consulting firm.  Outside of Dow, Tom has had a 25-year career as a semi-professional race car driver, and placed 15th in the nation in 2015.  He also is a musician and writer.

Please plan on attending this presentation,

Jan & Rich

 

Week 4: Readings Questions & Activity

by 161 Comments

Reading Questions

  1. What is the goal of having an enterprise architecture?
  2. If a firm decides to add a new line of business, how might it affect its enterprise architecture? Explain?
  3. Explain five possible ways that an enterprise architecture effort could fail?
  4. Of the four levels of the Federal EA model which do you think is most important?  Which is most addressed?  Does this make sense to you?
  5. Does your firm have an EA?  How does it affect your day-today decisions?

The Strategic IT Transformation at Accenture Case

Think about the following questions as you prepare for our discussion this week in class or on Webex:

  1. What is Accenture’s core IT philosophy?
  2. Identify three key IT projects from the 2001 – 2008 period and explain how  each strengthened Accenture’s enterprise architecture?
  3. What measures of success did Accenture use for this effort? Why?

Jan & Rich

 

 

 

 

Week 3 Wrap-up: General IT Administrative Controls

by Leave a Comment

Another great discussion full of good analysis and some great examples from the real world.  Those of you who work, please continue to bring such good examples to each of our discussions. You illustrate the learnings for all of us since we each have a different point of view.   We will give you our experiences, but that’s only two people who worked primarily in two companies.  The more views we have the better.

IT organizations are usually the largest administrative expense in a company.  In manufacturing companies, they may be only 1% or 2% of revenue but still be the most expensive support service.  In banks and trading companies IT can get to 50% of revenue.  For this reason the IT organization is always a target for cost cutting.  It must be incredibly well run with all of its administrative processes very tight or it will constantly be second guessed.

Some CIO’s and business writers lament that CIO’s should have a greater say in the strategy of the company.  While IT may be a strong strategic enabler, CIO’s need to prove themselves first to the business.  If IT’s budgeting, procurement or HR practices are a mess why should senior management trust the CIO’s opinion about strategic business matters?   It really goes beyond this.  If IT’s projects are not being done on time, on budget and  producing significant business value for the corporation, why trust IT? It may be unfair, but by being big and expensive IT puts a spot light on itself and needs to act accordingly.

Running an administratively strong organization are the table stakes for playing in the game of business leadership.

 

Jan & Rich

 

 

Week 2 Wrap-up: Control Environment

by Leave a Comment

Great job on the discussion, this is what we want to see every week.   I think you raised all the salient points but let me summarize.

To be effective any organization needs to establish a certain structure, responsibilities and a strong sense of how they will operate.  A company’s board of directors is there to hold its most senior management accountable in terms of performance, compliance and managing risk.  They represent the shareholders and are there to ensure the continued success of the company.  They are not there to directly manage it.  Thus, the tone for how the corporation will behave starts at the top with the board of directors and flows down through senior management.

Companies need information systems to operate, so they create an IT organization.  To be effective, that sub-organization (IT) needs certain things:

  • Terms of Reference or a Charter – What is its mission? Why is it there?  What is it trying to achieve?  On this last point, the COSO list of objectives for an IT organization (Confidentiality, Integrity, Availability and so on) is a good list.  You should learn it.
  • A basic organizational structure, arranged to insure that the work required to satisfy the Terms of Reference will get done.  This implies that resources are allocated to different tasks and that someone is responsible for leading each area of work.
  • Monitoring – there needs to be a “culture” of monitoring, each leader should be monitoring his/her people and each level should be monitoring the work of the level below in order to make sure the required work is being done.  Monitoring also implies that when problems arise, they are addressed.
  • Performance Metrics – You can only monitor if you can tell a good job from a bad job and you can only tell that if you have some way of measuring success.

If you have these things, you are off to a good start.  This coming week we will look at another level of administrative controls that all organizations have, not just IT organizations (things like budgets, HR policies, etc.)

As for DentDel, I hope you all got the point.  Even the most basic governance controls like assigning responsibilities and monitoring were missing.  Yes the CIO picked a technology without doing due diligence, but why?  Because there was no expectation set that due diligence should be done on every project being initiated.  Note that they didn’t ask the client (in this case Sales) what they needed.  There was a much better project out there, but it never got visibility because there was no process to check.  Its all too easy to assume that governance at this level is being done correctly, but it often isn’t.  Always ask the basic questions first and then follow where they lead.

Jan and Rich

Week 3: Reading Questions & Activity

by 191 Comments

Readings

  1. What is a compensating control?  When would you use one? Why? Can you give an example?
  2. If you had to rank the importance of the basic IT controls, how would you do it?  Which is most important, which least?
  3. What is segregation of duties and how does it play into basic administrative controls?  Give an example of two IT roles that should be segregated?
  4. What do you consider to be the most important personnel hiring controls for an organization?
  5. How are budgets handled (ie created monitored,re-forecast, etc.) in your organization?

Your Neighborhood Grocer Case

Consider the following questions about the YNG case.  Ignore the questions at the end of the case.

  1. YNG has grown through acquisition resulting in a mess of systems.  Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
  2. Business application procurement seems to be a big problem.  IT buys stuff the businesses’ don’t want and many of the business’ purchases have been outright failures.  Why?  What controls can Larry put into place to ensure that it doesn’t continue into the future?
  3. The most recent IT Audit will produce a finding about the sorry state of access control in the company.  What controls should Larry be ready to recommend to reduce the impact of this finding?