
MIS 5202 IT Governance

Temple University

Richard Flanagan

Week 6 Wrap-up: Portfolio Management

October 5, 2017 by Richard Flanagan

For me, IT Portfolio Management is the most important topic of the year. Why? Because this is where the organization turns from strategy to execution. Up to this point, the business and IT have been able to talk about purpose and alignment, what an architecture should look like, how they are going to help the company. Now it’s time to actually do something. As Yogi Berra once said,

In theory there is no difference between theory and practice. In practice there is.

Portfolio management is where theory meets reality.

If a business is using portfolio management, it is probably being done by an IT Steering committee or similar body. Senior business representatives serving on the committee are essential. They must be able to examine projects from a corporate perspective so that decisions are made on what is best for the company, not any particular interest.

Pennypacker and Retna’s five questions can serve as your guide to portfolio management. Our discussion focused mainly on question #1 but the other four are also important.

  1. Are we investing in the right things? – Key techniques here include value orientation, business alignment, standardized business cases, reviewing multiple projects at each meeting, etc.
  2. Are we optimizing our capacity? – Key questions might be, do we have the right resources? Could we increase our capacity with selected outsourcing? Should we cancel an existing project to fund something new?
  3. How well are we executing? – This same group needs to be monitoring how existing projects are running.  Are they on time? On scope? On budget? Quality good?
  4. Can we absorb all the changes? – This is about the culture of the organization.  How much change can it handle?  Will people burn out?  Will we be confusing them with too many objectives?
  5. Are we realizing the promised benefits? – This is the least answered of the five questions.  Remember that ISACA sees two types of benefits:
    1. Business benefits – which contribute directly to value for the business
    2. Intermediate benefits – which do not directly create value for the business but may be of value to some stakeholders in the business.

Usually IT has so much to do that it never stops to see if completed projects actually produce the anticipated value.  Unless a steering committee or senior executive is forcing the issue, value evaluation is not apt to happen.  This is where tone comes in.

 

Rich

Week 6: Readings and Case Questions

September 28, 2017 by Richard Flanagan 133 Comments

Readings (remember please, one post per question to make sure I give you the appropriate credit)

  1. What is the importance of having a target mix before starting to approve projects?
  2. Why would you want all projects to be proposed in a uniform way?  What would you suggest as information that must be available for all projects?
  3. Do you think most organizations compare their projects’ performance to that which was proposed by the project?  Why or why not?
  4. How would you justify a project that shortens a company’s sales cycle or improves the yield of a production process? What assumptions would you have to make?
  5. How does your company make project funding decisions? How well does it work?

The MDCM Case

Work with your team to prepare project recommendations for the MDCM board.  Please come (in class or on the Webex) ready to present what you think MDCM’s strategic, business and IT goals ought to be.  Here is your assignment:

You are a member of the MDCM executive team. Use the information given in this case to help solve this management crisis with the other executive team members in your group. Your team should define the overall corporate strategy for MDCM, the business goals matched to this strategy, and the related high-level IT objectives. Be prepared to present your recommendation to the MDCM corporate board.

You don’t need to post anything on the case this week.

Rich

Week 5 Wrap-up: IT Strategy

September 28, 2017 by Richard Flanagan

Very interesting and diverse set of comments this week. Did you notice how quickly the nice orderly world of ISACA (basic and admin controls, enterprise architecture, strategy and steering teams and RACI charts) became chaotic? There is an important point here, it’s called POLITICS. Not the nation-state kind, nor necessarily the backstabbing kind. The best definition I know of politics is “Who gets what, when, where, why and how.” You can go into any organization, find its IT strategy, find a steering team and apparently they are doing the right things. But, until you understand who the committee members are, what interests they represent, which groups have more power than others, you will not really know what is going on. The Weill and Ross article should open your eyes to some of the possibilities.

The thing I want you to take away from this discussion is that implementing an IT strategy is also a political exercise. Yes, having a great plan based on an excellent enterprise architecture is important, but you need to get it accepted throughout the organization. This means you need to communicate and get buy-in from anyone who is in a position to slow you up or shut you down. You need to get all the other players to understand, buy in, and support you when things go wrong. This will involve a lot of skills that IT people are not usually known for. There are likely to be difficult negotiations, private lobbying, dramatic speeches, and lots of grassroots communicating. Good CIOs have these skills and have probably used them to define a comfortable status quo with the rest of the organization. Technological change may necessitate upending that status quo. This is when you need real leadership.

Rich

Getting Management on your side without Scare Tactics

September 25, 2017 by Richard Flanagan

I’m at the ISC2 Congress this week and this morning I went to a panel discussion with this name. Much of what was said was related to our course so I thought I would share some notes:

  1. For IT and security leadership a key success factor is building relationships with business leaders before critical questions come to the fore.
  2. Heavy use of risk-acceptance forms is a sign of a failure of security to develop the needed relationships with the business.
  3. Security architecture should be an important part of a company’s Enterprise Architecture.
  4. To sell senior executives you need to speak in business terms and have data. This CISO suggests that you really need a robust honey-pot environment so that you can collect data on what would happen without security’s efforts.
  5. Framing issues in business terms involves knowing the business processes and impacts of security threats. The Starbucks security architect talked about not framing stolen identity authentications but rather fraudulent sales. He also noted that the rational decision of the business was to not implement a solution that cost more than the total of the fraudulent sales.
  6. The CISO from health care suggested that you always need to respond to the business with a qualified yes, not a no. As in, “Yes, we can do that, but it will cost $x and would take precedence over these other n projects. Does that make sense?”
  7. The first 90 days after a major incident is a critical time period. Security can get whatever they want, but how should they use such a time period? First, of course, is to correct the problem, identify and close the holes that allowed it. Beyond that, the security team should have a strategy ready to go for how to improve the company’s security position long term and act on it. Many firms buy various point solutions while they have budget approval. The panel thought this was a bad idea. These panelists suggested that it would be better to engage the organization and change behaviors. The healthcare CISO noted that after their breach they implemented their entire 5 year plan in a month with senior management support.
  8. Final note on building relationships with the business. You must bring something to the table. Having a well-reasoned position on some business process issue will earn you credits. It’s good to bank as many credits as you can because someday you will need the business to trust you. Without enough credits, they won’t.

Week 5: Readings and Case Questions

September 21, 2017 by Richard Flanagan 120 Comments

Readings

  1. Describe the five IT questions that Weill & Ross (see Figure 3-4) see all organizations making?
  2. How do the Weill & Ross questions line up to the McKinsey questions? What’s changed in the last 15 years?
  3. What is the difference between EA and IT strategy?  Do you need both?
  4. What is the difference between an IT Strategy committee and an IT Steering Committee?
  5. What archetypes do you see in your company? How well do they work?

 

Steve Praino Presentation

Steve Praino of Dow Chemical spoke to an earlier section of this class on IT Strategy.  Please watch the video and post your takeaways in response to this post.

Rich

Week 4 Wrap-up: Enterprise Architecture

September 21, 2017 by Richard Flanagan

Several excellent threads on this week’s discussion, good job. I also want to thank everyone who is posting other on-topic articles. You’ve found some excellent readings about which I was unaware. Keep up the good work.

There are three concepts that I think are worthy of highlighting:

  • EA is about both business and technology. It aims to drive the technology decisions from its business findings but its end results are things like application and infrastructure standards.
  • EA can become very bureaucratic. If you are spending time charting and documenting things without providing the output needed to guide the enterprise’s decisions, it’s likely a waste of time. EA is difficult to do well.
  • Best-of-breed vs packaged ERP is a classic EA question. A well-reasoned case for either, communicated throughout the company, would be an excellent outcome for an EA project.

I hope you appreciate the difference between the topics of the first two weeks and EA. Weeks 2 and 3 were about defining the IT organization, its mission (to produce value for, and manage the risk of, the enterprise) and the internal administrative controls needed to run it effectively and efficiently. All good, necessary stuff but kind of generic. You could apply any of it to any organization.

EA, at least its output, is different. This is the first time we are talking about what the IT organization should do, what it might focus on to add value to the organization.  It starts with understanding the business and its processes.  What is important? What isn’t?  A manufacturing firm will have very different needs than a consulting firm.  Just because some type of system is very effective in one industry, doesn’t mean it will work for the other.  EA goes beyond this, however, to look at a future state that has all the right applications and infrastructure in place to ensure the continued success of the company.  You might sum it up as saying EA strives to make the right IT decisions today, with an eye always on tomorrow.

Considering best-of-breed vs ERP type package.  My view is: it depends.  If I am a traditional manufacturer I am apt to go ERP.  My requirements are very well known and expertly supported by several great software companies.  Their tools have been proven to make manufacturers much more efficient.  Efficiency is king in my organization (manufacturers must keep SAR costs under control to be profitable) so this all sounds very good to me.  EA for such a firm will probably set some standards around infrastructure but say for applications “Use SAP (or whatever) first or explain why not.”

On the other hand, if I am an internet investment company, everything I do is IT. I reach out to my customers through the web, I take their orders through the web, I deliver my work product to them via the web. IT is my company’s life. Here I may not want anyone else calling the shots. I want to bring in whatever will do the best job possible for my most important needs and I will hook it all together. That’s what I do anyway, hook stuff together, so it’s no big deal. Here EA is apt to be all about infrastructure and middleware. So long as an application can live on our servers and communicate with our middleware, we will be fine.

So each firm will have a different EA for their organization and both will be correct in what they choose.

Rich

Interesting Article in Today’s WSJ on Cyber Security

September 18, 2017 by Richard Flanagan 1 Comment

The WSJ had a nice article on the Equifax breach.  Lots of lessons in there but most are things they should have known.

 

 

Missing Harvard Case for this Week

September 15, 2017 by Richard Flanagan

Somehow I missed putting this week’s case Strategic IT Transformation at Accenture into the original Harvard coursepack.  Here is a new one with just that case for you to buy.

http://cb.hbsp.harvard.edu/cbmp/access/69550515 

Week 4: Readings and Case Questions

September 14, 2017 by Richard Flanagan 117 Comments

Reading Questions

  1. What is the goal of having an enterprise architecture?
  2. If a firm decides to add a new line of business, how might it affect its enterprise architecture? Explain?
  3. Explain five possible ways that an enterprise architecture effort could fail?
  4. Of the six levels of the Federal EA model which do you think is most important?  Which is most addressed?  Does this make sense to you?
  5. Does your firm have an EA?  How does it affect your day-to-day decisions?

The Strategic IT Transformation at Accenture Case

Think about the following questions as you prepare for our Webex discussion this week:

  1. What is Accenture’s core IT philosophy?
  2. Identify three key IT projects from the 2001 – 2008 period and explain how each strengthened Accenture’s enterprise architecture?
  3. What measures of success did Accenture use for this effort? Why?

Don’t forget to join our Webex this coming Wednesday at 5:30 with your camera on and your microphone muted.

Rich

 

 

 

 

Week 3 Wrap-up: General IT Administrative Controls

September 14, 2017 by Richard Flanagan

A great discussion full of good analysis and some great examples from the real world and two great suggestions for new readings. Those of you who work, please continue to bring such good examples to each of our discussions. You illustrate the learnings for all of us since we each have a different point of view. I will give you my experiences, but that’s only one person who worked primarily for one company. The more views we have the better.

IT organizations are usually the largest administrative expense in a company. In manufacturing companies, they may be only 1% or 2% of revenue but still be the most expensive support service. In banks and trading companies IT can get to 50% of revenue. For this reason the IT organization is always a target for cost cutting. It must be incredibly well run with all of its administrative processes very tight or it will constantly be second guessed.

Some CIOs and business writers lament that CIOs should have a greater say in the strategy of the company. While IT may be a strong strategic enabler, CIOs need to prove themselves first to the business. If IT’s budgeting, procurement or HR practices are a mess why should senior management trust the CIO’s opinion about strategic business matters? It really goes beyond this. If IT’s projects are not being done on time, on budget and producing significant business value for the corporation, why trust IT? It may be unfair, but by being big and expensive IT puts a spotlight on itself and needs to act accordingly.

Running an administratively strong organization is the table stakes for playing in the game of business leadership.

Rich

 

 
