
Page 1: UPGRADE, Vol. IX, issue no. 1, February 2008 - cepis.org I-2008-full.pdf · 37 ISO20000 – An Introduction ... 40 COBIT as a Tool for IT Governance: between Auditing and IT ... internal

http://www.cepis.org

CEPIS, Council of European Professional Informatics Societies, is a non-profit organisation seeking to improve and promote high standards among informatics professionals in recognition of the impact that informatics has on employment, business and society.

CEPIS unites 37 professional informatics societies over 33 European countries, representing more than 400,000 ICT professionals.

CEPIS promotes: http://www.eucip.com, http://www.ecdl.com, http://www.upgrade-cepis.org


* This monograph will be also published in Spanish (full version printed; summary, abstracts, and some articles online) by Novática, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) at <http://www.ati.es/novatica/>.

UPGRADE is the European Journal for the Informatics Professional, published bimonthly at <http://www.upgrade-cepis.org/>

Publisher
UPGRADE is published on behalf of CEPIS (Council of European Professional Informatics Societies, <http://www.cepis.org/>) by Novática <http://www.ati.es/novatica/>, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática, <http://www.ati.es/>)

UPGRADE monographs are also published in Spanish (full version printed; summary, abstracts and some articles online) by Novática

UPGRADE was created in October 2000 by CEPIS and was first published by Novática and INFORMATIK/INFORMATIQUE, bi-monthly journal of SVI/FSI (Swiss Federation of Professional Informatics Societies, <http://www.svifsi.ch/>)

UPGRADE is the anchor point for UPENET (UPGRADE European NETwork), the network of CEPIS member societies’ publications, that currently includes the following ones:
• Informatik-Spektrum, journal published by Springer Verlag on behalf of the CEPIS societies GI, Germany, and SI, Switzerland
• ITNOW, magazine published by Oxford University Press on behalf of the British CEPIS society BCS
• Mondo Digitale, digital journal from the Italian CEPIS society AICA
• Novática, journal from the Spanish CEPIS society ATI
• OCG Journal, journal from the Austrian CEPIS society OCG
• Pliroforiki, journal from the Cyprus CEPIS society CCS
• Pro Dialog, journal from the Polish CEPIS society PTI-PIPS

Editorial Team
Chief Editor: Llorenç Pagés-Casas, Spain, <[email protected]>
Associate Editor: Rafael Fernández-Calvo, Spain, <[email protected]>

Editorial Board
Prof. Wolffried Stucky, CEPIS Former President
Prof. Nello Scarabottolo, CEPIS Vice President
Fernando Piera Gómez and Llorenç Pagés-Casas, ATI (Spain)
François Louis Nicolet, SI (Switzerland)
Roberto Carniel, ALSI – Tecnoteca (Italy)

UPENET Advisory Board
Hermann Engesser (Informatik-Spektrum, Germany and Switzerland)
Brian Runciman (ITNOW, United Kingdom)
Franco Filippazzi (Mondo Digitale, Italy)
Llorenç Pagés-Casas (Novática, Spain)
Veith Risak (OCG Journal, Austria)
Panicos Masouras (Pliroforiki, Cyprus)
Andrzej Marciniak (Pro Dialog, Poland)
Rafael Fernández Calvo (Coordination)

English Language Editors: Mike Andersson, David Cash, Arthur Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore, Hilary Green, Roger Harris, Jim Holder, Pat Moody, Brian Robson

Cover page designed by Concha Arias Pérez, "Strategos" / © ATI 2008
Layout Design: François Louis Nicolet
Composition: Jorge Llácer-Gil de Ramales

Editorial correspondence: Llorenç Pagés-Casas <[email protected]>
Advertising correspondence: <[email protected]>

UPGRADE Newslist available at <http://www.upgrade-cepis.org/pages/editinfo.html#newslist>

Copyright
© Novática 2008 (for the monograph)
© CEPIS 2008 (for the sections UPENET and CEPIS News)
All rights reserved unless otherwise stated. Abstracting is permitted with credit to the source. For copying, reprint, or republication permission, contact the Editorial Team

The opinions expressed by the authors are their exclusive responsibility

ISSN 1684-5285

Monograph of next issue (April 2008)

"Model-Driven Software Development"

(The full schedule of UPGRADE is available at our website)

Vol. IX, issue No. 1, February 2008

Monograph: IT Governance (published jointly with Novática*)
Guest Editors: Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen

2 Presentation. IT Governance: Fundamentals and Drivers — Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen
5 This is NOT IT Governance — Jan van Bon
14 ITIL V3: The Past and The Future. The Evolution Of Service Management Philosophy — Troy DuMoulin
16 PMBOK and PRINCE 2 for the Management of ITIL Implementation Projects — Grupo de Metodologías de Gestión de Proyectos of the itSMF Spain under the coordination of Javier García-Arcal
23 Business Intelligence Governance, Closing the IT/Business Gap — Jorge Fernández-González
31 IT Project Portfolio Management: The Strategic Vision of IT Projects — Albert Cubeles-Márquez
37 ISO20000 – An Introduction — Lynda Cooper
40 COBIT as a Tool for IT Governance: between Auditing and IT Governance — Juan-Ignacio Rouyet-Ruiz
44 Implementing IT Governance Ad@pting CobiT, ITIL and Val IT: A Respectful Caricature — Ricardo Bría-Menéndez and Manuel Palao García-Suelto
48 What Governance Isn’t — Rob England

UPENET (UPGRADE European NETwork)
52 From Pro Dialog (PTI-PIPS, Poland). Software Engineering. A View on Aspect Oriented Programming — Konrad Billewicz

CEPIS NEWS
57 CEPIS Working Groups. Authentication Approaches for Online Banking — CEPIS Legal and Security Special Interest Network


2 UPGRADE Vol. IX, No. 1, February 2008 © Novática

IT Governance

Presentation

IT Governance: Fundamentals and Drivers
Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen

The Guest Editors

Dídac López-Viñas is the Director of IT Services at the Girona University (Universitat de Girona –UdG-, Spain), Director of ICT at the Science and Technology Park of the UdG, and consultant at UOC (Universitat Oberta de Catalunya) for postgraduate courses in technology services management. He is a graduate in Computer Science from UPC (Universitat Politècnica de Catalunya), holds a postgraduate degree in IT Management from ICT (Institut Català de Tecnologia), another in Enterprise Information Management (Infonomía, UPF), and an MBA from Las Heures (UB). Before working in university IT services he was a systems engineer at Hewlett Packard and IECISA. He has played an active role on various boards of governors of the ATI (the Spanish Association of Computer Technicians) and has collaborated with the COEIC (Col·legi Oficial d’Enginyeria en Informàtica de Catalunya) serving on the Dean’s Council. He has been president of ATI Catalunya since January 2005. <[email protected]>.

Antonio Valle-Salas is Project Manager at Abast Systems and is a specialist consultant in ITSM (Information Technology Service Management) and IT Governance. He graduated as a Technical Engineer in Management Informatics from UPC (Universitat Politécnica de Catalunya) and holds a number of methodology certifications such as ITIL Service Manager from EXIN (Examination Institute for Information Science), Certified Information Systems Auditor (CISA) from ISACA, and COBIT Based IT Governance Foundations from IT Governance Network, plus more technical certifications in the HP Openview family of management tools. He is a regular collaborator with itSMF (IT Service Management Forum) Spain and its Catalan chapter, and combines consulting and project implementation activities with frequent collaborations in educational activities in a university setting (such as UPC or the Universitat Pompeu Fabra) and in the world of publishing, in which he has collaborated on such publications as IT Governance: a Pocket Guide, Metrics in IT Service Organizations, Gestión de Servicios TI. Una introducción a ITIL, and the translations into Spanish of the books ITIL V2 Service Support and ITIL V2 Service Delivery. <[email protected]>.

Aleix Palau-Escursell is a partner and Commercial Director of NETMIND, a company engaged in IT training, consultancy, and management. Aleix holds a Higher Diploma in Management Informatics, a Master in Sales Management from EADA, and a Master in ICT Management from La Salle (Universitat Pompeu Fabra). His entire professional career to date has been in NETMIND, where he has led the company’s commercial expansion and established it as one of the pioneers in the provision of training and consultancy services for Project Management, ITIL, and ISO 20000. In recent years he has played an active role in disseminating best practices and methodologies for Project Management and IT Service Management, collaborating with organizations such as PMI (Project Management Institute), itSMF (IT Service Management Forum), ATI, and La Salle, among others. <[email protected]>.

Willem-Joep Spauwen is a senior consultant at Quint Wellington Redwood Iberia. He graduated in Business Administration at the University of Groningen, Netherlands. He has specialized in ICT Governance and the added value provided by business management and organization related Information Systems. His career began in the IT Department of Royal Dutch Airlines KLM, where he played an active role in the field of IT-Business alignment. At Quint Wellington Redwood he works as an international consultant in the field of IT management. He has taken part in several projects undertaken by multinationals in the Netherlands, the USA, Mexico, and Spain. He also participates regularly in a number of international forums. <[email protected]>.

In recent years there has been much talk about IT Governance and the management of organizations in general, which has captured the interest of all those involved in ICT management.

After a number of decades during which ICT has been applied in organizations in a non-harmonized manner, with different aims in each organization, there was a growing realization that, while such technologies should be at the service of business, that is not always the case.

If we were talking about another functional area, such as Human Resources or Accounting, rather than ICT, we would take it for granted that the activities undertaken by those departments were aligned with the goals of the organization they belonged to, and we would not feel the need, although such a need may exist, to create reference models and methodologies to ensure that they were aligned. However, in many organizations ICT is not adequately aligned with the organization’s goals, which may lead to project deviations (negative return on investment, uncontrolled expenses, etc.), or unmanaged risks. This is what has given rise to the concept we know today as IT Governance.

Organizations may be thought of as a coordinated set of


information systems in which human and material resources participate, but the key to successful organizations resides in the information per se and the way it is automated. Here is where the managers of organizations may question the manner in which that information is processed and the risks they are taking, both as a result of mistakes that may be made and in terms of the cost of not having that information.

Meanwhile, the strategic opportunities afforded to organizations by ICT have given rise to difficulties concerning the management of those technologies. Many companies do not hesitate to describe their ICT departments as strategic or critical to their core activities while at the same time recognizing that ICT causes problems that they hesitate to describe as unmanageable.

Thus ICT departments are often perceived as a pure expense rather than a value-adding resource. They are seldom considered as an opportunity, and investment in ICT is often seen as a technologists’ whim, always to be questioned.

Part of the problem lies in the difficulty that managers have in seeing ICT in the company as part of their responsibility and in acquiring the basic knowledge required to take on that responsibility. But the CIOs are also to blame for not understanding organizations and their business objectives, for not taking managerial language on board, for not listening to the real problems of functional managers, and for focusing their goals on technology and not on the practical exploitation of that technology.

We can sum up this general problem as being a difficulty to integrate and align ICT departments’ operations and internal organization within the greater organization and its technological goals. The problem also stems from the misconception that general managers have of ICT departments as separate and almost unrelated units due to the technological nature of their role.

Companies and organizations in general need to close this gap between general management and ICT departments by applying management methodologies that will integrate ICT departments within the greater organization and align their operations with corporate goals.

If this gap is to be closed, the managers of organizations need to understand that the ICT department must be managed within the context of business objectives as an inseparable part of the business, and that they need to learn ICT management methodologies. Meanwhile the managers of the ICT department should understand their mission within the context of the company’s corporate goals. ICT management should not be seen as a separate goal or discipline, but rather as a cross-functional process affecting the entire organization, one in which everyone should play an active role.

Many organizations are now getting the most out of ICT by understanding and managing the benefits and risks involved, by successfully aligning their ICT strategy with corporate strategy to form a single integrated strategy, by putting in place mechanisms and processes to implement that strategy, including mechanisms to monitor and control ICT systems, and by using metrics to measure ICT management performance. The set of methodologies that allows us to achieve the above objectives is what we now call IT Governance.

IT Governance draws on a number of different fields (monitoring and control, audit, metrics, service management, and quality management) to create models identified by such trendy terms as ITIL, Cobit, Val IT, ISO 20.000, etc., and their pertinent certifications. This same trend has also given rise to a great deal of confusion and management by fad with regard to the concepts involved.

The aim of the ensuing monograph is to bring readers up to speed with the latest trends, to show how such trends may be reasonably applied, and to try and explain just what IT Governance is, and what it is not.


The following references, along with those included in the articles this monograph consists of, will help our readers to dig deeper into this field.

Useful References on IT Governance

Books
Koen Brand, Harry Boonen. IT Governance based on CobiT 4.0. A management guide. ITSM Library. Van Haren Publishing, 2007. ISBN: 9087530218.
Jan Van Bon et al. IT Service Management – An Introduction. Van Haren Publishing. ISBN: 9789087530518.
Office of Government Commerce. Best practice for Service Support. ITIL the key to managing IT Services. TSO Books, 2001. ISBN: 9780113300150 / 0113300158.
Office of Government Commerce. Best practice for Service Delivery. ITIL the key to managing IT Services. TSO Books, 2001. ISBN: 9780113300174 / 0113300174.
Office of Government Commerce. ITIL Small-scale Implementation. TSO Books, 2005. ISBN: 9780113309801 / 0113309805.
Mark D. Lutchen. Managing IT as a Business: A Survival Guide for CEOs. McGraw-Hill, 2006. ISBN: 0471471046.
Gary Case, Troy DuMoulin, George Spalding, Anil C. Dissanayake. Service Management Strategies that Work. Van Haren Publishing, 2007. ISBN: 9789087530488.
Peter Brooks. Metrics for IT Service Management. Van Haren Publishing, 2006. ISBN: 9789077212691.
IT Governance Institute. IT Governance Implementation Guide: Using COBIT and Val IT. 2nd Edition. ISACA, 2007. ISBN: 9781933284750.
IT Governance Institute. Cobit 4.1. ISACA, 2007. ISBN: 9781933284729.
Office of Government Commerce. ITIL Version 3 Core Titles: The Official Introduction to the ITIL Service Lifecycle; Continual Service Improvement (CSI); Service Design (SD); Service Operation (SO); Service Strategy (SS); Service Transition (ST). <http://www.itsmf.es/books.asp?Class=3411>.

Associations
IT Governance Institute <http://www.itgi.org>.
Information Systems Audit and Control Association <http://www.isaca.org>.
IT Infrastructure Library <http://www.itil.co.uk>.
Information Technology Service Management Forum <http://www.itsmf.es>.
ITSM Portal <http://en.itsmportal.net>.

Articles
ISACA. Val IT Overview <http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=21569&SECTION=COBIT6&TEMPLATE=/ContentManagement/ContentDisplay.cfm>.
Mark Toomey. AS8015 – Corporate Governance of ICT Practical Application <http://www.usq.edu.au/resources/as8015corporategovernanceofict.pdf>.
Pink Elephant. ITIL v3: What You Need To Know <https://www.pinkelephant.com/NR/rdonlyres/94D620D8-0351-4F9E-82D8-CF033200E8DA/765/ITILv3WhatYouNeedToKnowNA1.pdf>.
ITIL.org. ITIL V3-V2 Mapping <http://www.itil.org/en/itilv3-servicelifecycle/itilv3-v2mapping.php>.

Web Sites
The Val IT framework <http://itgovernance.pbwiki.com/ValIT>, <http://www.isaca.org/valit/>.
COBIT 4.1 news <http://www.isaca.org/cobit>.
Enabling IT Governance <http://erp4it.typepad.com/erp4it>.
History of ITIL <http://www.itilv3launch.com/pages/index.html>.
ITSMWatch <http://www.itsmwatch.com>.
ITIL Training Zone <http://www.itiltrainingzone.com>.
Troy DuMoulin’s blog <http://blogs.pinkelephant.com/troy>.
The IT Skeptic <http://www.itskeptic.org>.
Serge Thorn’s blog <http://sergethorn.blogspot.com>.
ICT Governance <http://www.gobiernotic.es> (in Spanish).


This is NOT IT Governance
Jan van Bon

IT is a business like any other line of business, so why don’t we run it as a business? If we look at other disciplines, we can find excellent examples of the application of governance principles. In the IT market, however, we seem to have forgotten to apply some of the most elementary business policies. Recent developments have shown the catastrophic effects that may follow from this. So let’s have a closer look at this, and take the first elementary step by answering “What is IT Governance and what is it NOT?” The answer may come as a surprise. And IT Governance may be less difficult than it seemed.

Author

Jan van Bon (Inform-IT.org) has been involved with the development and publication of a large number of IT Management frameworks. After a decade of academic research he started his work in IT in the late 1980s, in the Netherlands. He launched the Dutch itSMF (IT Service Management Forum) in 1994 and has been involved in itSMF projects ever since. He has produced more than 50 books, in 14 languages, with expert authors from all over the world, on a broad range of IT management topics. <[email protected]>.

Keywords: Decision Making, Executive, Frameworks, Information Management, IT, ITIL, IT Governance, Management, Model Enhanced, Organization, Planning and Control, Strategic Alignment.

1 Introduction

IT Governance is important to CEOs and to CIOs, but what is it, and what is it NOT? This article provides some insight into that question, using a number of modern management frameworks.

2 What is IT Governance about?

With the ever growing role of information in the Business, it is hard to deny that this world has become totally dependent upon information management. Many organizations wouldn’t even survive for more than a few days if their information systems were discontinued. This is the first and main reason for the existence of IT Governance: you need to be in control of your information supporting systems. But there are other significant reasons as well.

First of all: organizations need to make sure they comply with external regulatory requirements. We all know the examples of what happens if this is not taken care of. Enron and Worldcom have shown the consequences of bad governance, and each country will have had its own local financial disasters as well. Sarbanes-Oxley (1), Basel II (2), IFRS (3), and many local regulations were the answer to this. All these regulations are aimed at ensuring that organizations are in control of decision making processes and have transparent administrations.

A second crucial sponsor of IT Governance is the fact that organizations are more and more managed from the perspective of the shareholder and other stakeholders. Organizations need to provide added value in terms of financial revenues or other values. Hedge funds are taking over many companies and splitting them up for better financial returns. Individual shareholders are getting organized and their influence is growing. Other stakeholders like employees and society are gaining recognition and extending their influence on the decisions and performance of an organization.

These aspects illustrate some of the core elements of a generally accepted view on corporate governance, as illustrated in the CIMA (Chartered Institute of Management Accountants) Enterprise Governance Framework (see Figure 1). This framework emphasizes the role of two key issues in governance: "Conformance" and "Performance".

Figure 1: The CIMA Enterprise Governance Framework.

(1) "The Sarbanes-Oxley Act of 2002… is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom". <http://en.wikipedia.org/wiki/Sarbanes-oxley>.
(2) "Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II, which was initially published in June 2004, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face" <http://en.wikipedia.org/wiki/Basel_ii>.
(3) "International Financial Reporting Standards (IFRS) are standards and interpretations adopted by the International Accounting Standards Board (IASB)" <http://en.wikipedia.org/wiki/Ifrs>.


3 Definition(s) of IT Governance

A Google search for the meaning of IT Governance will easily show over 50 different definitions. There still is no single authoritative source that has gained the power to set any of these as the universal and official definition. Table 1 presents some of the most familiar definitions.

Lately, experts in the field show some convergence towards common elements in the definitions they use. Key elements in the governance definitions are the organization and the distribution of rights. Governance tends to deal with organizational elements that are accountable for decision making, in a transparent way. This immediately points out the second important element, which always is about decisions.

However, governance is mostly restricted to only providing the infrastructure for making these decisions, and the decision making process itself is not included. Making decisions is generally accepted to be an aspect of management, which is separated from governance. Sohal and Fitzpatrick [2] have illustrated that in their research on governance in Australian government (see Figure 2).

So there is a clear distinction between governance and management, suggesting that governance enables the creation of a setting in which others can manage their tasks effectively. This makes IT Governance and IT Management two separate entities. Although many frameworks such as COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library) are characterized as "IT Governance frameworks", most of them are in fact management frameworks.

Table 1: Some Definitions of IT Governance (based on [1]).

Researchers – IT Governance Definition
Brown and Magill (1994): IT governance describes the locus of responsibility for IT functions.
Luftman (1996): IT governance is the degree to which the authority for making IT decisions is defined and shared among management, and the processes managers in both IT and Business organizations apply in setting IT priorities and the allocation of IT resources.
Sambamurthy and Zmud (1999): IT governance refers to the patterns of authority for key IT activities.
Van Grembergen (2002): IT governance is the organizational capacity by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of Business and IT.
Weill and Vitale (2002): IT governance describes a firm’s overall process for sharing decision rights about IT and monitoring the performance of IT investments.
Schwarz and Hirschheim (2003): IT governance consists of IT-related structures or architectures (and associated authority patterns), implemented to successfully accomplish (IT-imperative) activities in response to an enterprise’s environment and strategic imperatives.
IT Governance Institute (2004): IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
Weill and Ross (2004) [5]: IT governance is specifying the decision rights and accountability framework to encourage desirable behavior in using IT.
AS8015:2005: The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation.

4 What Is Not IT Governance

To be able to understand what IT Governance is all about,


Figure 2: IT Governance versus IT Management (Sohal & Fitzpatrick [2]).

it would be very helpful to understand what it is not. E.g., as we saw in the previous paragraph, management is not governance. To be able to understand what is excluded from the field of IT Governance, it therefore is useful to understand what IT Management is.

We are discussing IT Governance and not corporate governance, which automatically means that we have to involve the discipline of Information Support in this. Information Support is widely recognized as a supporting discipline for the other Business processes.

The best way to manage a domain properly, according to the principle of Separation of Concerns, is by dividing that domain into a control subdomain and a realization subdomain. That way, the realization domain does not control itself. Once applied to Information Support, this provides us with two separate responsibility domains: Information Management (IM), where information support systems are designed and controlled, and Information Technology (IT), where the information systems are built and run (see Figure 3).

Two opposite forces make this interactive system work:

1) Pull. The organization controls the quality of the Information Support, based upon requirements that follow directly from the information demand of the primary Business activities. In addition, other supporting (Business) activities also influence the demand for information. The IM domain acts as the next link in the chain from the Business domain perspective.

2) Push. Based on both possibilities and impossibilities, and problems from the IT domain, the organization adjusts the set-up of the Information Support.

Another widely used management paradigm (Planning and Control) explains that in each domain we should always have Strategic, Tactical and Operational levels of management (see Figure 4).

This also supports an interactive system based upon two opposite forces:

1) Pull (top-down). Strategic plans and goals are specified at a tactical level and realized at an operational level. But plans and goals can be adjusted, market forces can require adjustments, new partnerships can lead to new goals, new ruling can require new preconditions, and each of these will have its effect downstream towards the operational level.

2) Push (bottom-up). The organization adjusts objectives and goals by evaluating the realization processes, adding operational experiences to the decision processes. Again this will show both the new possibilities as well as the impossibilities and problems that an organization will run into.

Combining the views described above results in a 3x3 model for managing Business, Information and Technology, as expressed in the SAME Model (see Figure 5).

The SAME model can be used as the "basic pattern" for managing Information Support issues in organizations. It still describes the responsibility and process elements, but once we understand the structure of this 3x3 matrix, we can use it to tackle organizational issues. Issues that can be addressed include:

• The organization of the Information Support. This deals with effectivity and efficiency:

- Setting up responsibilities, role descriptions and RACI (Responsible, Accountable, Consulted, Informed) matrices in the Information Management domain, and allocating these to the various cells of the 3x3 matrix.

- Decisions on outsourcing of one or more activities or functions, once they are understood and positioned in the 3x3 matrix.


- Setting up the control organization for the managementof outsourced activities or functions, managing external sup-pliers, setting up agreements, creating reporting policies.

- Auditing the organization.

Cross-references. Positioning and scoping of existing management frameworks, finding white spots in the management system.

Process models. Allocating processes to specific management levels or domains, setting up process models based on the given interactions between cells in the 3x3 model, completing process models based on the 3x3 model interactions.

Although the model can be used to tackle lots of management issues, it is quite useful as a base for discussing governance issues. After all, if IT Governance is about the organization of rights and decisions, we could now focus on the allocation of these in the 3x3 matrix. The matrix provides us with a structured model of responsibilities and activities. Allocating these to a specific organization actually comes down to determining your IT Governance system.

Example 1: Organizing the IM Domain

Note that the dimension in the SAME Model is process (managing Information Support activities, responsibilities, tasks) and not organization. If we want to apply the common factors of the above definitions of IT Governance, we will thus have to allocate the process domains of the SAME model to an organizational structure. We can do this by taking the organizational dimension as an overlay over the process dimension in the SAME model. And since organizations tend to differ in their organizational models, we can find many different solutions for that. A few simple examples for the organizational allocation of Information Support responsibilities are described in Figure 6.

Figure 3: Separation of Concerns in the Information Support Discipline (Van Bon & Hoving [3]).

Figure 4: The Planning and Control Paradigm for Strategy, Tactics and Operations (Van Bon & Hoving [3]).

This highlights the question of where the responsibility for IM and IT is positioned in the organization, which typically is an IT governance issue. Basically this comes down to a question of where the IM domain is positioned:

a) Stuck-in-the-middle. IM is positioned at equal distance from the Business and the IT domain, in many instances emblematic for organizations trying to implement IM as a liaison function. The result is fairly often an IM function "stuck in the middle": missionaries talking to a brick wall at the Business side, renegades for the Technology side, and peacekeeping troops in the middle, missing a clear identity in their own mindset. In this scenario, IM will be an independent Demand Organization, loosely coupled with the Business.

b) As an extension of the IT function. The IM responsibilities of the organization have largely been delegated to the Technology domain, where the IT services are produced. Although still often found in practice, this approach is not recommended: management tends to express itself in terms of technology, not in terms of Business values. And the information service provider is now controlling itself, which leaves the Business vulnerable in its relationships with suppliers. The organization has set IM at a distance, making it highly vulnerable to misalignment between Technology and the Business.

Figure 5: The Strategic Alignment Model Enhanced (Van Bon & Hoving [3]).

Figure 6: The Position of the Information Management Domain, between Business and Information Technology in the SAME Model (Akker [4]).

c) As an extension of the Business function. Here, information is considered to be a Business asset, and the relationship with Technology can be a contractual one: IT is a supportive function, to be managed as such, and conceivably governed via outsourcing. Moreover, IM is a shared Business responsibility, while IM as a separate function is only accommodating and stimulating, but never leading. IM and Business responsibilities are tightly bound and IT can be regarded as a replaceable commodity, to be provided by any adequate supplier.

Example 2: Service Contracting

If the Business wants to contract specific information support, it will contract the IM domain for the provision of information services. This agreement can be called an Information Services Agreement (ISA).

The IM domain will then have to contract an IT service providing function, to provide the technology elements of the information services. That agreement will be between IM and IT, and can be called an IT Services Agreement (ITSA), also known as the Service Level Agreement (SLA) in ITIL (see Figure 7).

Example 3: Organizing a Service Desk

The IM domain will have to provide operational support for the user in the Business domain. This refers to the functionality and the actual delivery of the agreed information services and is aimed at supporting the use of these information services by the Business. The IT domain will have to provide the operational support for the user, under the control of the IM domain, but the IM domain itself will have to provide the support for functionality and specification issues.

Figure 7: Service Contracting in the SAME Model.

Figure 8: Example of an Integrated Service Desk, as an Organizational Layer over the SAME Framework.

For both types of support activities a Service Desk unit may be installed. Instead of creating two separate Service Desks, an organization may decide to create just one integrated Service Desk (see Figure 8). This Integrated Service Desk should then be prepared and educated to solve both information issues and IT service issues.

Example 4: Position of Frameworks

An organization wants to use widely accepted frameworks for its management approach. It already has ITIL V2 largely in place. The organization now considers the adoption of ITIL V3, and wonders whether this will cover the entire Information Support domain.

The answer is "no". Both ITIL V2 and V3 are largely located in the Technology domain and cover only some minor aspects of the IM domain. The organization will have to adopt additional frameworks to cover the entire Information Support domain (see Figure 9).

5 So What Is IT Governance

Based on the previous considerations, a recommendable definition for IT Governance would be:

"IT Governance is the assigning of accountability and responsibility and the design of the IT organization, aimed at an efficient and effective use of IT within the Business processes, and conforming to internal and external rules."

This definition is built on the following terms:

Accountability: the principle that individuals, organisations and the community are responsible for their actions and may be required to explain them to others.

Responsibility: to be entrusted with or assigned a duty or charge.

Organizational design: the structure and relations between departments, the grouping of tasks, and the flow of work in organizations.

Business Processes: the workflows within a company and the processes involved in inter-company transactions.

Rules: policies and principles guiding action.

Table 2: Examples of Organizational Decision Making Structures (based on [1]).

Decision making roles and groups, with their description:

Executive Board: decision making board of managers.
Executive Manager: single decision making person.
Business Board: decision making board of managers, managing a single Business domain.
Business Manager: single decision making person, managing a single Business domain.
Unit Manager: single decision making person, managing a single unit, e.g. of an expert domain.
IT Board: decision making board of IT-involved managers, usually reinforced with experts.
Committee: permanent decision making board of experts, handling a single expertise, knowledge domain, area or process of shared interest.
Advisory Board: delivery of input to support decision making.
Task Force: temporary decision making board of experts, handling a single task, usually of shared interest.
Chief Information Officer: highest ranking decision making manager in the Information Support domain.
IT Manager: highest ranking decision making manager in the IT domain.
Service Manager: decision making representative, managing a service or service domain on behalf of the IT department.
Employee: empowered employee who is authorized to take certain (usually process related) decisions.

And a recommendable definition of management would be:

"Management is making decisions within a set of as-signed accountabilities and responsibilities and for aclearly defined organizational area."

Allocating the responsibilities and rights to an organizational management system, as explained in the above examples, is typically the kind of issue that is handled in IT Governance. Other issues that IT Governance is concerned with could be:

Ensure authority and responsibility in IT: How do I stay in control? Which (in)formal planning and reporting shall be required? Who shall determine budgets? Shall we have a centralized or a distributed organization?

Ensure IT complies with regulatory authorities: Which body shall consider the relevant and required regulations and certifications? How shall risks be managed?

Ensure IT is organized and ready for change: How shall the IM and the IT organizations be organized? Hierarchy, project-based, flat, team-based, etc.? Which remuneration policies shall be applied? Bonus rules, performance related salaries, variable salaries, annual raise, etc.? How shall competences be managed and developed?

Ensure IT is aligned to fit Business/organizational needs: How shall an optimal fit between IT and Business be realized? How do we deal with SLAs and service catalogues? Who decides on Service Levels?

Figure 9: An Example of Positioning Management Frameworks in the SAME Framework.

Figure 10: AS8015, Corporate Governance of Information and Communication Technology. (Figure labels: Govern, with Direct and Monitor; Business Pressure; Business Needs; Plans; Policies; Accountability; Responsibility; Performance of ICT; Conformance of ICT; a "Conformance" side and a "Performance" side; IT Projects and IT Operations; Business; IT.)

Ensure IT delivers value for money: How shall performance be measured? Shall IT performance be benchmarked? Which cost model shall be applied?

IT Governance can also be concerned with issues like Leadership, Culture, Risk management, Policies and procedures, Financial management, IT architecture, Procurement and Sourcing.

6 The Organizational Aspects of IT Governance

If IT Governance is about organizing the decision making structures, and the Information Support activities should then be managed in these structures, the last question would be: "what organizational structures could be applied in IT Governance?"

These organizational structures can vary from organization to organization. Table 2 shows a number of possible decision making roles or groups.

The elements from Table 2 can now be used to build an organization’s governance structure. A number of control loops should then be designed to make sure that the framework is a comprehensive system that controls itself. This means that reporting mechanisms should be added, as well as communication protocols, policies and standards. When building this governance framework for your organization, both aspects of good governance (conformance and performance) should continually be addressed, to make sure that the system will realize its primary goals. Once completed, the relevant regulations and standards can be used to test the system and continual improvement programs can be planned to enhance the organization’s performance.

7 A Standard for IT Governance

As explained before, frameworks like COBIT and ITIL are management frameworks, not IT Governance frameworks. This also means that ISO/IEC 20000 is a management standard and not a governance standard. There is only one standard available for IT Governance, which is the Australian standard AS8015 (see Figure 10). At the time of writing this standard was under investigation by ISO to see whether it could be adopted or embedded in the ISO/IEC 20000 standard. If that were to happen, the resulting standard would be a mix of governance and management elements. (AS8015 was in fact adopted later in 2008 as the separate international standard ISO/IEC 38500, not folded into ISO/IEC 20000.)

AS8015 indeed contains a number of control loops, as required. It also emphasizes the basic structures of Conformance and Performance. However, it is short on specifications of the organizational issues that IT Governance should be about, and instead it deals with quite a few straightforward management issues.

8 Conclusion

IT Governance basically comes down to the question "who rules what". Management should then work within the agreed space. If Management does that correctly, this will create the desired result: conformance to internal and external regulations and standards, and optimized performance for adding value to the stakeholders of the organization. The frameworks that are available to support this are largely limited to the Management domain. Even the only available local standard for IT Governance largely deals with Management issues instead of IT Governance issues. It may take a while before a true IT Governance framework becomes available.

References

[1] ITGA. Work from the IT Governance Association, The Netherlands, not published, 2005.

[2] A.S. Sohal, P. Fitzpatrick. IT governance and management in large Australian organizations. International Journal of Production Economics, 75, 94-112, 2002.

[3] J. van Bon, W. Hoving. Strategic Alignment Model Enhanced. BHVB white paper, 2007.

[4] R. Akker. In J. van Bon (ed.). Frameworks for IT Management, Van Haren Publishing for itSMF, 2006.

[5] P. Weill, J. Ross. IT Governance: How Top Performers Manage IT for Superior Results, Harvard Business School Press, 2004. ISBN: 1591392535.


ITIL V3: The Past and The Future. The Evolution of Service Management Philosophy

Troy DuMoulin

Although the contribution made to ITIL (Information Technology Infrastructure Library) by version 3 over version 2 cannot be considered as a radical change in direction, it does represent a step forward towards making ITIL not only a frame of reference for operational matters but also a valuable IT Governance tool. Rather than rendering the previous recommendations obsolete, the new version places them within a broader context. This article stresses the importance of this step forward and describes its most significant implications.

Keywords: Governance, ITIL, Process Integration, Product Lifecycle, Value Chain.

1 Introduction

It has often been said that the only constant is change!

In the dynamic world we live in, this is true of all organic things and ITIL® (Information Technology Infrastructure Library) is no different. From its humble beginnings as an internal UK government initiative, to its growth and adoption as a global best practice and standard for Service Management, ITIL has taken many steps along the road of progress and maturity.

The ITIL Refresh Publications & Newsletters published by the TSO (The Stationery Office) have given us some interesting insight into the future of IT Service Management (ITSM) as documented by ITIL. You will find links to these documents on Pink Elephant’s ITIL v3 - Information Central webpage <https://www.pinkelephant.com/en-GB/>.

It is my view that ITIL v3 is definitely taking a major step in the right direction. We can observe a glimpse of this from Table 1, which was published as part of the ITIL Refresh Newsletter, 1st Edition, Autumn 2006. I would like to call your attention to that table.

2 Key Evolutions in ITSM

From Table 1, we can identify and interpret some keyevolutions in ITSM Philosophy.

2.1 Alignment vs. Integration

For many years, we have been discussing the topic of how to align Business and IT objectives. We have done this from the assumption that while they (business and IT) shared the same corporate brand, they were somehow two separate and very distinct functions.

However, when does the line between the business process and its supporting technology begin to fade to a point where there is no longer a true ability to separate or revert back to manual options? If you consider banking as an example, Financial Management business processes and their supporting technologies are now so inter-dependent that they are inseparable. It is due to this growing realization that the term alignment is being replaced with the concept of integration.

2.2 Value Chain Management vs. Value Service Network Integration

When reading ITIL v2, you get the perception that the business and IT relationship is primarily about a business customer being supported by a single internal IT Service Provider (Value Chain Management). Little acknowledgement or guidance is provided about the reality of life never being quite that simple. Today’s business and IT relationship for service provision is much more complicated and complex than the concept of a single provider meeting all business needs.

We need to consider that yes, there are internal IT functions, but some are found within a business unit structure where others are providing a shared service model to multiple business units. Add to this the option of using different external outsourcing options or leveraging a software as a service model, and what you end up with is what ITIL v3 refers to as an Integrated Value Service Network.

Author

Troy DuMoulin is Director of Product Strategy and Executive Consultant at Pink Elephant. He is an experienced Executive Consultant with a solid and rich background in business process re-engineering. Troy holds the Management Certificate in ITIL and has extensive experience in leading Service Management programs with a regional and global scope. His main focus at Pink Elephant is to deliver strategic and tactical level consulting services to clients based upon a demonstrated knowledge of organizational transformation issues. Troy is a frequent speaker at ITSM events and is a contributing Author for the ITIL "Planning to Implement IT Service Management" book. He also works with ISACA on COBIT v4 development <http://www.linkedin.com/pub/0/235/148>.


2.3 Linear Service Catalogues vs. Dynamic Service Portfolios

While ITIL has always been referred to as an IT Service Management Framework, the primary focus up until now has been on the ten Service Support and Delivery processes. In previous versions of ITIL, the concept of a ‘service’ has almost been an afterthought or at least something you would get to later. Consider that in ITIL v2 the process of Service Level Management has, as one of its many deliverables, a Service Catalogue which can be summarized from the theory as a brochure of IT Services where IT publishes the services it provides with their default characteristics and attributes: a Linear Service Catalogue.

In contrast to this, a Dynamic Service Portfolio can be interpreted as the product of a strategic process where service strategy and design conceive of and create services that are built and transitioned into the production environment based on business value. From this point, an actionable service catalogue represents the published services and is the starting point or basis for service operations and ongoing business engagement. The services documented in this catalogue are bundled together into fit-for-purpose offerings which are then subscribed to as a collection and consumed by business units.

2.4 Collection of Integrated Processes vs. Service Management Lifecycle

Based on publicly available information, we know that the ITIL v3 core books are structured around a Service Lifecycle. This new structure organizes the processes we understand from ITIL v2 with additional content and processes we are waiting to hear more about within the context of the life span of IT Services. From this observation, we can see that the primary focus is shifting from process to IT Service. While processes are important, they are secondary and only exist to plan for, deliver and support services. This moves the importance and profile of the Service Catalogue from being an accessory of the Service Level Management process to being the cornerstone of ITSM.

As organizations evolve from a technology focus to a service orientation focus, these core changes to ITIL provide the context and ability to support this emerging reality.

Table 1: Key Evolutions in ITSM Philosophy.

ITIL v2 -> ITIL v3

Business & IT Alignment -> Business & IT Integration

Value Chain Management -> Value Service Network Integration

Linear Service Catalogues -> Dynamic Service Portfolios

Collection of Integrated Processes -> Service Management Lifecycle

2007. © Pink Elephant. All rights reserved. ITIL® is a Registered Trade Mark and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the US Patent and Trademark Office.


PMBOK and PRINCE2 for the Management of ITIL Implementation Projects

Grupo de Metodologías de Gestión de Proyectos of itSMF Spain, under the coordination of Javier García-Arcal

In this article we analyse a compilation of tools and techniques produced by a working group coordinated by itSMF Spain with a view to providing professionals involved in projects implementing ITIL best practices with a range of project management tools and techniques (based on PMBOK and PRINCE2 methodologies) to facilitate project management and ensure a successful implementation of ITIL.

Keywords: Best Practices, CSF, Implementation, ITIL, ITSMF, PMBOK, PRINCE2, Project Management, Success Factor, Tools.

1 Introduction

The purpose of this article is to develop and disseminate tools that will ensure the successful execution of ITIL implementation projects and help the parties involved meet the challenge of implementing ITIL.

First we will give a brief explanation of the acronymsused to refer to these methodologies:

ITIL (Information Technology Infrastructure Library) is a set of best practices for the administration and management of IT services in terms of the people, processes and technology employed, developed by the UK government agency, the OGC (Office of Government Commerce). ITIL provides recommendations and guidelines for IT management aimed at achieving alignment between technology and business.

The Project Management Body of Knowledge (PMBOK®) is a compilation of knowledge acquired in project management. It belongs to the PMI, Project Management Institute, whose members are professionals from various fields, such as law, finance, etc. The PMI encompasses both traditional and more innovative practices.

PRINCE2, on the other hand, is a structured method of project management which seeks to develop the organization, administration, and control of projects based on project management best practices.

In order to implement ITIL in an organization or department we first need to make a study of potential advantages and how those advantages can be gained by the end of the project. The work performed by our group has resulted in an eminently practical approach for ITIL implementation projects.

2 Work Methodology

A work methodology based on brainstorming was designed and it was decided to apply decomposition techniques to the analysis of information sources.

In addition to brainstorming, we used information from PMBOK, PRINCE2, and the ITIL V2 and V3 books, as well as the know-how of each member of the group.

In the first stage of the work we established the critical success factors for an ITIL implementation, while in the second stage we analysed each of the tools and techniques proposed by PMBOK and PRINCE2 with a view to seeing just how useful these tools and techniques were for implementing ITIL. In the third stage of our work we considered how to maximize the usefulness of the results for those involved in ITIL implementations. It was decided to use a graphical method based on hierarchical relationships similar to the one used by the metrics group of itSMF Spain [1].

3 Results

We go on to show some of the results obtained from this study for both PMBOK and PRINCE2. We have explained the methodology used to obtain results; now we will explain the content of each "tree" in which these results are represented, and show how to use these trees to extract practical and useful information for the management of ITIL implementation projects.

Authors

Grupo de Metodologías de Gestión de Proyectos (Project Management Methodologies Group) of the itSMF (IT Service Management Forum) is a multidisciplinary working group which was convened following a directive from the standards committee of itSMF Spain to create a line of research into project management methodologies applied to the management of ITIL implementation projects. It is coordinated by Javier García-Arcal.

Javier García-Arcal is a Doctor of Engineering from the Universidad Politécnica de Madrid. He works as a consulting manager at IT Deusto and as a lecturer in Project Management at the Escuela Técnica de Ingeniería Informática and at the Escuela de Ingeniería Técnica Industrial of the Universidad Antonio de Nebrija. He has collaborated in the review of the books ITIL V3 Service Operation and Fundamentos en ITIL V2. Javier has pursued his career in process consulting, defining ITIL processes for major multinationals in the Consulting, Retail, Telephony, and Public Administrations sectors. He has worked in twelve countries in IT Governance coordination, administration, and project management, in software development in IT departments of various consulting firms (Secuenzia, Citi Technologies, etc.), and in service companies such as Sermicro, and multinationals such as Chep and Telefónica I+D <[email protected]>.


The analysis of the trees can be performed bottom-up, from the tool to be used to the CSF (Critical Success Factor) on which it impacts, or top-down, from the CSF that we want to improve/reach to the tools. The top-down method will be used to give greater emphasis to the tools used and to make it easier to trace the process through the tree. As we can see, level 1 is the CSF itself, which in turn is related to all the PMBOK stages forming level 2 of the tree.

Each PMBOK stage has a number of activities which may have some degree of dependence on the CSF being evaluated. Only those activities which, in the course of our work, have been seen to contribute added value to the achievement of the CSF in question will appear on the tree. These activities comprise level 3 of the tree. Finally, on level 4 will be all the tools, techniques, inputs and/or outputs related to a PMBOK activity which is useful to the CSF and may also contribute to the success of the CSF.

Figure 1: Tree for PMBOK-CSF 10 Having the necessary resources and budget.

Figure 2: RACI Matrix.


Figure 3: Work Breakdown Structure.

Figure 4: Pareto Diagram.

Therefore, if we wish a certain CSF to be achieved, we can use the tools that figure in the tree, concentrating on those that are easier to use in our project or those that most benefit our project.

If we apply this analysis to CSF 10, "Having the necessary resources and budget", the purpose of which is to ensure that the team carrying out the project has all the resources necessary to complete it successfully, we get the tree shown in Figure 1. To achieve this CSF the following tools can be used, among others: RACI, WBS, and Pareto diagrams.

The horizontal rows of the RACI matrix set out in Figure 2 show project activities while the vertical columns represent all the people involved in the project. The idea is to obtain detailed knowledge of each person’s degree of involvement in each activity, and this is done by assigning each person a role in each task he or she is involved in. The roles defined for a RACI matrix are:

- Responsible: the person who carries out the task.
- Accountable: the person who answers for the task being completed correctly; there should be exactly one per task.
- Consulted: the people whose input is sought before or during the task.
- Informed: the people who are kept up to date on the progress and outcome of the task.
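The rules above (one Accountable per activity, at least one Responsible, nobody idle, no activity left unassigned) are exactly what a reviewer checks when a RACI matrix is handed over, and the same checks serve the earlier SAME model passage about allocating RACI matrices to the cells of the 3x3 matrix and finding white spots. The script below is an added example, not code from this article, from itSMF Spain or from the previous article's authors. It reads a RACI matrix from CSV text and reports every rule violation; it also flags a role that is Accountable for both delivering a service and auditing it, the "service provider controlling itself" situation described under Example 1. The role names are taken from Table 2 of the previous article; the activities, the cell values and the deliver/audit pairing are constructed assumptions.

```python
"""RACI matrix consistency checks.

Added example, not code from the article or from itSMF Spain. A RACI matrix
(rows: activities, columns: roles) holds in each cell one of R, A, C, I or
nothing. parse_raci() reads the matrix from CSV text; check_raci() applies
the rules a reviewer would check by hand:
  * exactly one Accountable role per activity,
  * at least one Responsible role per activity,
  * no activity left entirely unassigned (a "white spot"),
  * no role that appears in no activity (an idle column),
  * for designated pairs of activities, e.g. delivering a service and auditing
    it, the same role is not Accountable for both (otherwise the service
    provider is controlling itself).
Role names are taken from Table 2; activities and cell values are constructed.
"""
import csv
import io
from typing import Dict, List, Sequence, Tuple

VALID_CODES = {"R", "A", "C", "I", ""}

# Constructed sample matrix. The last column and last row are deliberately
# left empty, and "Deliver IT service" and "Audit IT service" share one
# Accountable role, so that every check below fires at least once.
SAMPLE_RACI_CSV = """\
activity,Chief Information Officer,IT Manager,Service Manager,Business Manager,Advisory Board
Agree Information Services Agreement (ISA),A,C,I,R,
Agree IT Services Agreement (ITSA),A,R,C,I,
Deliver IT service,I,A,R,,
Audit IT service,C,A,R,I,
Operate integrated Service Desk,A,A,R,I,
Manage external suppliers,,,,,
"""

Matrix = Dict[str, Dict[str, str]]


def parse_raci(text: str) -> Tuple[List[str], Matrix]:
    """Return (roles, {activity: {role: code}}) from CSV text; reject bad codes."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    roles = [h.strip() for h in header[1:]]
    matrix: Matrix = {}
    for row in reader:
        if not row or not row[0].strip():
            continue  # skip blank lines
        activity = row[0].strip()
        cells = [c.strip().upper() for c in row[1:]]
        if len(cells) != len(roles):
            raise ValueError(f"{activity!r}: expected {len(roles)} cells, got {len(cells)}")
        bad = [c for c in cells if c not in VALID_CODES]
        if bad:
            raise ValueError(f"{activity!r}: invalid RACI code(s) {bad}")
        matrix[activity] = dict(zip(roles, cells))
    return roles, matrix


def check_raci(roles: Sequence[str], matrix: Matrix,
               no_self_control: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """Return a list of findings; an empty list means the matrix is consistent."""
    findings: List[str] = []
    used_roles = set()
    for activity, cells in matrix.items():
        assigned = [r for r, code in cells.items() if code]
        used_roles.update(assigned)
        if not assigned:
            findings.append(f"white spot: {activity!r} is assigned to no role")
            continue
        accountable = [r for r, code in cells.items() if code == "A"]
        if len(accountable) != 1:
            findings.append(f"{activity!r}: {len(accountable)} Accountable roles (exactly one required)")
        if not any(code == "R" for code in cells.values()):
            findings.append(f"{activity!r}: no Responsible role")
    for role in roles:
        if role not in used_roles:
            findings.append(f"idle role: {role!r} appears in no activity")
    for first, second in no_self_control:
        acc_first = {r for r, code in matrix.get(first, {}).items() if code == "A"}
        acc_second = {r for r, code in matrix.get(second, {}).items() if code == "A"}
        for role in sorted(acc_first & acc_second):
            findings.append(f"self-control: {role!r} is Accountable for both {first!r} and {second!r}")
    return findings


def check_sample() -> List[str]:
    """Run the checks on the constructed sample matrix."""
    roles, matrix = parse_raci(SAMPLE_RACI_CSV)
    return check_raci(roles, matrix,
                      no_self_control=[("Deliver IT service", "Audit IT service")])


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

Run against the sample it reports four findings: two Accountable roles on the Service Desk activity, the unassigned "Manage external suppliers" row (a white spot in the sense of the SAME model discussion), the Advisory Board column that nobody consults, and the IT Manager who is Accountable for both delivering and auditing the IT service. Exporting the matrix from a spreadsheet as CSV is enough to run the same checks on a real one.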

The WBS or Work Breakdown Structure shows how project outcomes are subdivided into work packages (see Figure 3). This representation provides us with a clear idea of what outcomes the project will produce.

The last tool that can be used to achieve this CSF is the Pareto Diagram, which is designed to show any defects that have been produced by grouping them together according to their origin/cause (see Figure 4). This technique allows us to identify potential deviations in the success of the project before they occur, or as soon as possible after they appear.
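The computation behind a Pareto diagram is small enough to show in full: count defects per cause, sort the causes by frequency, and accumulate the shares until the leading causes account for the chosen percentage of all defects (the usual 80/20 reading). The script below is an added example, not code from this article or from itSMF Spain; the defect records and their causes are constructed, and the thresholding is done on integer counts so that floating point rounding can never move a cause across the 80% line.

```python
"""Pareto analysis of project defects grouped by cause.

Added example, not code from the article or from itSMF Spain. pareto_table()
counts defects per cause, orders causes by frequency and attaches each
cause's share and the cumulative share; vital_few() returns the leading causes
that together account for a chosen percentage of all defects (the usual
80/20 reading of a Pareto diagram); render_pareto() draws the diagram as
text. The defect records and their causes are constructed.
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample: (defect id, cause). Counts are chosen so that the three
# most frequent causes account for exactly 80% of the 30 defects.
_SAMPLE_COUNTS = {
    "unclear requirements": 12,
    "missing budget approval": 7,
    "staff unavailable": 5,
    "tooling not ready": 3,
    "documentation gaps": 2,
    "vendor delay": 1,
}
SAMPLE_DEFECTS: List[Tuple[str, str]] = [
    (f"D{i:02d}", cause)
    for i, cause in enumerate(
        (c for c, n in _SAMPLE_COUNTS.items() for _ in range(n)), start=1)
]

# One row per cause: (cause, count, cumulative count, share %, cumulative share %)
Row = Tuple[str, int, int, float, float]


def pareto_table(defects: Iterable[Tuple[str, str]]) -> List[Row]:
    """Count defects per cause and sort by descending count (ties by name)."""
    counts = Counter(cause for _, cause in defects)
    total = sum(counts.values())
    rows: List[Row] = []
    cumulative = 0
    for cause, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cumulative += n
        rows.append((cause, n, cumulative, 100.0 * n / total, 100.0 * cumulative / total))
    return rows


def vital_few(rows: List[Row], percent: int = 80) -> List[str]:
    """Leading causes whose cumulative count first reaches `percent` of the total.

    The comparison is done on integer counts, so floating point rounding cannot
    move a cause across the threshold.
    """
    if not rows:
        return []
    total = rows[-1][2]
    selected: List[str] = []
    for cause, _, cumulative, _, _ in rows:
        selected.append(cause)
        if cumulative * 100 >= percent * total:
            break
    return selected


def render_pareto(rows: List[Row], width: int = 30) -> str:
    """Text version of the diagram: one bar per cause plus the cumulative %."""
    if not rows:
        return ""
    biggest = rows[0][1]
    name_width = max(len(r[0]) for r in rows)
    lines = []
    for cause, n, _, share, cum in rows:
        bar = "#" * round(width * n / biggest)
        lines.append(f"{cause:<{name_width}} {n:3d} {bar:<{width}} {share:5.1f}% cum {cum:5.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    table = pareto_table(SAMPLE_DEFECTS)
    print(render_pareto(table))
    print("vital few (80%):", vital_few(table))
```

With the sample data the first three causes reach exactly 80%, so those are the ones the team should attack first; lowering the percentage to 50 narrows the list to two. Feeding the function an issue-tracker export of (id, cause) pairs is all that is needed to use it on a live project.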


Figure 5: Tree for PMBOK-CSF 5 Project closeout and transfer.

Figure 6: RBS, Risk Breakdown Structure.


Figure 7: SWOT Diagram.

Figure 5 shows the tree for PMBOK corresponding to CSF 5, "Project closeout and transfer", which is about closing the project in the best possible manner. To increase the effectiveness of this CSF the following tools can be used, among others: Communications Management Plan, RBS, SWOT, and even the Pareto diagrams mentioned earlier.

The Communications Management Plan contains all the information deemed necessary to ensure that the project stakeholders can perform their functions efficiently. This information includes: distribution frequency, format, responsibility, purpose of information, etc. Meanwhile the RBS (Risk Breakdown Structure), an example of which can be seen in Figure 6, is a hierarchical description of the project’s risks, identified and organized by risk category and subcategory, which pinpoints various areas of risk and potential causes.

The SWOT (Strengths, Weaknesses, Opportunities, and Threats) diagram helps us analyse these factors by providing the answers to the questions posed in Figure 7.

We go on to describe two CSFs and how they relate to the PRINCE2 methodology.

Figure 8: Tree for PRINCE2-CSF 2 Highlight, communicate and maintaining business alignment.

Figure 9: Gantt Diagram.

Figure 8 shows the tree for PRINCE2 corresponding to CSF 2, "Highlight, communicate and maintaining business alignment", which is about adopting a number of measures to deliver value to business through ITIL implementation. This tree focuses on the following tools/techniques: Project Initiation Document or PID, Gantt diagrams, baseline, lessons learned file, and configuration item report.

The Project Initiation Document, or PID, establishes the reference terms of the project, project role definitions, and a communication plan in order to ensure that the approach, work plan, functions, and scope are clear. A well put together PID lends visibility to the project while maintaining business alignment.

The Gantt diagram (see Figure 9) is a graphical tool for showing expected time dedication for the different tasks or activities over a given total time period. In spite of the fact that, in principle, a Gantt diagram does not show relationships between activities, the position of each task over time makes it possible to identify these relationships and interdependencies.

A baseline is a way to store project-related information such as starting dates, costs or resources so as to be able to compare interim adjustments with the initial schedule or budget and so measure the degree of progress of the project.

The lessons learned file contains previous project management resolutions, while configuration item reports keep version control of the elements and processes being implemented so as to be able to align them with business and keep track of which versions are current.

Finally we will take a look at CSF 10, "Having the necessary resources and budget", as it relates to the PRINCE2 methodology.

As can be seen in Figure 10, to achieve this CSF the following tools may be used: business case, role-responsibility matrix and role-competency matrix.

The business case consists of ensuring that there is an appropriate balance between revenues and resource costs, based on expected return on project parameters for each company or entity. This will include the following content, among others: information on revenues such as invoicing and collection schedule, all sources of expected income, etc., and information on costs, for example contingency risks and internal and external costs.

The purpose of the role-responsibility matrix is to ensure that the responsibilities and competencies needed for the proper performance of each role in the project are appropriately defined. In order to build this matrix we need a general list of applicable roles, responsibilities for each role, and competencies for each role. By using the matrix we can obtain a detailed definition of responsibilities and competencies, with the expected degree of competency required by each role, which provides the organization with a catalogue of the resources required by the project.

The role-competency matrix provides the organization with information on project resource requirements in terms of responsibilities and competencies, and on how appropriate those resources are to the needs of the project. Based on a project-specific role-responsibility matrix we can build other matrices with the following information:

- Role-candidate resource matrix, with the candidate resources for each role and a comparison of requirement compliance for each candidate.
- Role-allocated resource matrix, containing the name of the resource for each role and the degree of requirement compliance for each role.
- General gap between roles-responsibilities-competencies and the baseline resource evolution plan.

4 Conclusions

In the journey from a theoretical model of ITIL best practices to the proper integration of that model into the processes and culture of the business organization, the implementation stage is all important. This is why we need project management to control and coordinate project activities within the pre-established constraints of time, cost and resources. We can consider each ITIL process as a project or, conversely, all ITIL processes as a single project.

Our research into Critical Success Factors (CSF) for ITIL implementation and how they relate to the processes and tools of the two methodologies we have compared, PRINCE2 and PMBOK, defines a number of specific processes and techniques in each methodology for the achievement of those CSF and, therefore, for the successful implementation of ITIL processes. An inappropriate approach to project management is one of the main reasons for the failure of ITIL implementations in organizations.

Acknowledgements

I would like to thank Luis Morán, Mona Biegstraaten and Marlon Molina (coordinators of the standards, marketing, and publications committees of itSMF Spain) for their support and encouragement during this work, and thanks also go to the members of the Grupo de Metodologías de Gestión de Proyectos (Project Management Methodologies Group):

- Juan Carlos Vigo, ATI.
- Eduardo Prida, AUSAPE.
- David Aguilera, SERMICRO.
- Nicoletta Calamita, MORSE.
- Eva Linares Pileno, STERIA.
- Rafael de la Torre, QINT.
- Julio Cesar Alvarez, STERIA.
- Ramón Batista Berroteran, SERMICRO.
- Rafael Pastor, ACCENTURE.
- Inés López Alvarez, SERMICRO.
- Ana Rengel Baralo, IT DEUSTO.


Figure 10: Tree for PRINCE2-CSF 10 Having the necessary resources and budget.


Business Intelligence Governance, Closing the IT/Business Gap

Jorge Fernández-González

The need of IT departments to create value for their organization's business has given rise to a large number of tools (IT Governance), which to a greater or lesser extent have been closing the gap between IT and Business, but have failed when applied to Business Intelligence systems. This article demonstrates the need to create a dedicated BI Governance structure over and above IT Governance, a structure based on agility, versatility, and human relations which is specifically designed to provide information to decision makers.

Keywords: Business Intelligence, Decision-making, IT/Business Gap, IT Governance, Value.

1 Introduction

When I was in my teens people used to ask me whether I intended to study "science" or "arts". The question always irritated me, so I would put on my most serious expression and answer that I did not understand the question because the "love of knowledge" (i.e. philosophy) had never made any such distinction. I am similarly irritated when people ask me whether I am an IT or a business consultant. Once again, I cannot see the difference.

In this article I will be looking into how we can govern our decision-making support systems, and we will also see how it is impossible to separate "Business" from "IT" in this context.

2 Defining Concepts

Figure 1, adapted from Webb, Pollard & Ridley [2], shows how the BI Governance concept has evolved.

BI Governance is rooted in corporate governance, which established the first practices of strategic management, risk management, performance management, plans and controls, and in the strategic plans of information systems, while Executive Information Systems (EIS) and Decision Support Systems provided the basis for the creation of Business Intelligence as we know it today.

Controlling the organization and controlling information systems are two sides of the same coin which converge in BI Governance.

But before going on, we should first define the two key areas of influence that converge to produce Business Intelligence Governance: Business Intelligence, and IT Governance.

Figure 1: Evolution of BI Governance.

Author

Jorge Fernández-González graduated as an Informatics Engineer from the Facultad de Informática de Barcelona (UPC) and is currently pursuing his doctorate in Software, specializing in Information Systems, at the same university. He divides his professional time between three activities. First and foremost he works as an information systems professional as Director of Business Intelligence Consulting at Abast Solutions, a company operating nationwide. Here he has worked in several different areas of consulting in the company's ERP, CRM, and R&D departments while helping with the implementation of tailored solutions. The second of his activities is university lecturing. He is currently lecturing in the LSI department (Department of Languages and Informatics Systems) of UPC (Universitat Politècnica de Catalunya) and he is responsible for the subject "Information Systems for Organizations" offered by the Facultad de Informática de Barcelona. He has also been a collaborating lecturer at UOC (Universitat Oberta de Catalunya), a lecturer for master and postgraduate studies at the Fundación Politécnica, and delivers lectures as a guest lecturer at business schools such as ESADE and EAE. He combines the above two activities with his work as a disseminator. He forms part of the editorial team of the journal Gestión del Rendimiento (Performance Management), he writes articles for the journal DATA.TI (formerly Datamation), he delivers conferences and seminars, and he writes in various Internet portals and thematic blogs, including his own blog <http://sistemasdecisionales.blogspot.com> dedicated to decisional systems.

2.1 What is Business Intelligence?

Business Intelligence (BI) is a somewhat ambiguous term encompassing a number of different acronyms, tools, and disciplines: OLAP, Datawarehousing, Datamarts, Datamining, Executive Information Systems, Decision Support Systems, Neural Networks, Expert Systems, Balanced Scorecards, and many others. It is impossible to give an exact definition of all the terms grouped under Business Intelligence. Some authors [1] have gone as far as calling it a jungle.

The multifaceted and diverse fauna inhabiting this jungle have three characteristics in common.

The first is that they provide information for controlling the business process, regardless of where the information is stored.

Obviously, BI forms part of a company's information system, which is what controls the proper functioning of the processes performed in the company.

In a classical organization such as the one shown in Figure 2, we can see that transformation processes are affected by external perturbations, such as changes in the market, replacement products, new legislation, etc., which must be controlled and corrected. And we all know that over time systems tend toward disorganization and chaos. This is why the measurement of performance indicators and their comparison against the organization's objectives is the best way to find out if something is going wrong in our organization.

Processes generate and consume information as they are being performed. Part of that information (what we call operational information) is consumed in the short term, but a large proportion is stored in various transactional systems (ERP, CRM, SCM, etc.) until it can be used for tactical (medium-term) and/or strategic (long-term) decision-making.

Grouping this information and putting it at the disposal of the process control system in a timely manner, regardless of which operational system it may have originated in, will help us optimize our processes, whether they are of an operational, tactical, or strategic nature. Obviously the level of aggregation and standardization of heterogeneous data sources will be higher for processes of a decisional nature, and it is precisely this decisional nature that gives a new dimension to the definition of Business Intelligence: decision-making support is the second and most important of the three characteristics that all components of Business Intelligence have in common.

BI does not only present information but it makes it possible for that information to be managed and browsed to enable us to analyse causes. Analysis is fundamental to decision-making. Decisions are not made on the basis of a single source of information. Various sources of information are weighed up and interrelated; you might say that the information is "alive". The analysability of information is what enables us to make better business decisions.

We cannot make business decisions if we do not talk the language of business. Regardless of where the information is stored and how it may have been transformed or aggregated, the important thing is to deliver this information to business users in a language that they understand, are comfortable with, and which needs no interpretation for them to understand it. And this is the third characteristic of BI: information oriented towards the language of business users. In this way their work is made easier and the decision-making required to improve processes and gain a competitive edge in the market is speeded up.

We might therefore define Business Intelligence as the system which provides us with the information required to control processes, and the information used by business users for the purpose of decision-making.

Figure 2: Organization as a System.

Perhaps the most important characteristic of BI, one which will shape the need for BI Governance in the future, is that it is focused on enabling business users to make decisions with semantically appropriate information. We are not talking about either data or IT; we are talking about business and information users.

2.2 What is IT Governance?

Once again the definition of IT Governance is by no means clear. Some authors [2] define it as a subset of Corporate Governance focused on the alignment of IT objectives with business objectives. The IT Governance Institute [3] agrees with this definition and expands on it by including the relevant processes and organizational structures and appropriate leadership as additional requisites. This definition is complemented by Grembergen et al. [4] who focus their definition on the four key issues of IT Governance:

- Strategic alignment between IT and Business.
- Delivery of value to business through IT.
- Risk management.
- Performance management.

These four issues are sometimes complemented by a fifth [2]:

- Control of accounts.

Finally, we might define IT Governance as the strategic alignment of IT with business in such a way as to deliver the maximum business value through the development and maintenance of effective IT controls aimed at controlling accounts, performance management, and risk management.

IT Governance builds a great many bridges between business processes and IT processes in an attempt to achieve this objective. The mishmash of standards is growing in number and scope as they try to cover more processes, more indicators, more operations, until their full application would take a lifetime to complete.

Figure 3 from Larsen et al. [5] shows 17 types of current standards and best practice systems for aligning IT and business objectives.

Here is not the place to discuss the success of these tools and the improvement that they have brought to support processes and the core business of our organizations, but in terms of helping the decision-making process, when applied to Business Intelligence systems these IT Governance tools suffer from a number of shortcomings. When it comes to supporting decisional processes, these tools narrow, but fail to close, the IT/Business gap. The gap is so wide that initiatives of this nature, which are focused on and aimed at IT, do not achieve their objective. Let us see why not.

3 Why IT Governance Tools Fail when Applied to Business Intelligence

One of the main shortcomings that we who have spent our professional lives in IT departments have is that recently we have spent too much time contemplating our navels. We have gone from being managers of IT departments that performed a kind of troubleshooting service to finding ourselves in a state of functional maturity in which we are expected to be service oriented (see Figure 4). But that last, vital step to delivering value to the company, in which the IT department must embrace decisional systems and Business Intelligence, is precisely the one we have been unable to take, perhaps because now we think we are so very important to the business.

Figure 3: Classification of IT Governance Tools.


We look at ourselves and say: Look how well we're performing! Look how many standards we have, how many best practices! And we stare at our navels as if we are going to get business value from there. We have become a kind of "enlightened despotism": everything for business but without the business.

3.1 IT-focused

The first mistake we make is to model our IT Governance tools from our IT point of view; we talk IT, our starting point is IT, and we design for IT. In fact the semantics are wrong from the outset.

We talk about IT (Information Technologies) instead of talking about IS (Information Systems). Business never talks techno-speak, it talks the language of business, and the only thing we should be providing is information so that managers can make better decisions. We are their Information System, from a transactional or decisional point of view, and from an operational, tactical, or strategic perspective. We only provide information to make better decisions that will give the company a competitive edge and so create enterprise value (see Figure 5).

If we look at decision-making processes and one of the IT Governance tools, we continue to combine information with technology as if they were one and the same thing, as if the technology were important. Technology changes constantly; it is a means of delivering information to business, never an end in itself.

Fortunately some authors are beginning to coin new terms. Charlie Betz has begun to speak of BISM [7] (Business Information Services Management), rendering the term IT Services obsolete and replacing it with Business Information Services. Top professionals [8] are already adopting this new terminology, which is definitely a step in the right direction.

3.2 Structure-focused

IT departments are used to structuring information. Since the beginning of IT we have worked at improving productivity and systems of an operational, day-to-day, short-term nature. This, together with our scientific training, makes us very structured; we want to define all processes and control them as much as we can. The problem arises when we have to deal with decisional systems which are, by definition, semi-structured systems that enable us to analyse information. There is extensive literature on EIS (Executive Information Systems) and DSS (Decision Support Systems) which explains how we should semi-structure information to make it a versatile decision-making tool.

Figure 4: Evolution of the Management of IT Departments (adapted from A. Valle [6]).

Figure 5: Creation of Value from Information Systems.

In short, the focus is on creating roles and responsibilities, rigid hierarchical structures, definitions of processes and system plans, all under service level agreements. Such a bureaucracy is valid for operational systems but is not appropriate for decisional systems, which need to provide an agile response to the ever changing questions raised by business.

So what happens when we try to structure a semi-structured system? We end up straight-jacketing it and making it rigid, and therefore useless.

3.3 Based on General Hypotheses

The various IT Governance tools are structured around a great many hypotheses which we never consider. For example, if we look at COBIT, which is one of the most widely implemented and decision-making oriented tools, we find that it features "34 control objectives that have been developed from 41 international source documents and have been validated to balance IT risk against investment in IT controls" [9].

What does this mean? That when it was designed, a large number of decisions were made about cases of an entirely international nature, with very little in common with, say, a Spanish or Russian SME. Control objectives were defined based on a series of hypotheses that are not always applicable. Are those 34 objectives really applicable to my enterprise? Would some of the objectives that were left out have been really useful to me in a smaller and more competitive business environment? Who can know? Obviously the answer to these questions is not only to be found on the IT side; it also lies on the business side of each particular organization.

3.4 Not People-focused

It is people who make the decisions in an organization. It is people who actually perform, control, and decide on processes, and it is businesspeople who deliver value to the company with their decisions. However, all current IT Governance tools maintain the IT/Business gap. They are focused on continuing to manage structures and processes, and this alone will not close the gap. We need effective mechanisms to foster relations between people in the organization. We need to focus on people.

There are authors who are already aware of this fact. De Haes and Van Grembergen [10] are convinced that if IT Governance is to be a success, we need to add a third component to our old friends, "structures" and "processes"; this component is none other than "relational mechanisms" (see Table 1).

The mechanisms that will ensure the active participation and collaboration of key users and mixed Business and IT interdisciplinary teams are those that will ensure that the Business/IT gap is finally closed. And they are the foundations on which we will build BI Governance.

3.5 CIO Led

The following example of organizational structure (see Figure 6) shows the present day situation of CIOs (Chief Information Officers) within organizations.

The CIO has always had a hard time rising above the Financial Director or Director of Organization and Systems in a company's organizational hierarchy. And for many years this position has become the "champion of the cause of IT departments". We need to be where the decisions are made so we can help provide information. This is why we have fought so hard to get our "white knight" (half technologist, half businessman, and always a great public relations professional) onto the management committee, reporting directly to the CEO (Chief Executive Officer or Managing Director) and to no one else. And we are happy with what we have achieved.

And we have structured all our IT Governance around this champion who, when we address the need to govern our decision-making systems, becomes a real bottleneck which prevents us from narrowing the IT/Business gap. Everything must go through him/her, and (s)he is responsible for converting business objectives into specific IT objectives which, once set, are controlled exclusively by the IT managers.

Another crass mistake: we should not be happy with merely having a representative at the top level management committee so that decisions are made top-down. If we are going to close this gap, the next step is to have a representative at all levels at which decisions are made; not only at the top but also at tactical and operational levels, until IT structure is efficiently interlinked with business structure. At that moment, when we can no longer tell the difference between the two structures, we will have bridged the IT/Business gap once and for all.

Table 1: Structures, Processes and Relational Mechanisms for Implementing IT Governance (De Haes and Van Grembergen [10] based on Peterson [11]).

4 Definition of BI Governance

There have been few attempts to define BI Governance. Most of the time it has been left to readers to interpret whatever they saw fit, while the benefits of BI Governance have been talked up from a commercial point of view.

In the white paper "Top 10 Trends in Business Intelligence for 2007" [12], the number one trend is precisely "BI Governance". However, it is half-heartedly defined as the structure which ensures the effectiveness of BI programmes and investment.

Noé Gutierrez [13] describes it as being based on three pillars:

- Prioritization of projects.
- Guidelines, rules, and recommendations.
- Roles and responsibilities.

Beth Leonard [14] goes a step further and delivers a clear message that we should not stop at simply setting up control mechanisms, but rather we should extend BI Governance by means of partnerships in the immediate environment. BI Governance should have a clear strategic vision (such as the one that led to COBIT), but it should also have common tactical boundaries of responsibility shared between IT and business units.

But in my opinion, Larson and Matney [15] are the authors who best define the concept of BI Governance:

"BI Governance is the process of defining and implementing infrastructure that will support enterprise goals. It is the joint property of information technologies and the various business units, and is responsible for steering the strategic process of delivering the value of Business Intelligence in the enterprise."

The mention of joint property and delivery of value makes this the best definition of BI Governance.

All the authors [12][13][14][15] are working on defining the components that should make up a BI Governance framework, but first we need to define the values on which that framework should be built, to avoid making the same mistakes as we made with IT Governance.

5 Basic Values of BI Governance

As Brousseau et al. say [16]: «The job of a manager is, above all, to make decisions. At any moment in any day, most executives are engaged in some aspect of decision-making: exchanging information, reviewing data, coming up with ideas, evaluating alternatives, implementing directives, following up».

However, there are different types of decision-making. How much information do we need to consult before making a decision? All there is? Only some of it, just to get an idea? Exhaustive and corroborated, or just enough to make a hypothesis? Do you only keep one objective in mind when making a decision? A single straight path, with a clear objective? Can your decision be valid for meeting several different objectives? Or do you explore a number of paths that are not entirely clear but which may still meet your needs?

The answers to all these questions vary according to each individual and his or her experience in decision-making.

The four values that a BI Governance system must have to be able to meet these challenges are:

1) Ongoing adaptability. Decisional processes are constantly changing; they are not clearly defined as operational processes are. Once defined, the way an invoice is processed will always be the same, but the process of deciding whether that invoice is to be paid or not will change constantly. We must therefore be capable of adapting speedily and easily to the information requirements defined for those processes.

2) Teamwork. The IT/Business gap can be bridged by putting IT and business people into working groups. The decisional user must play an active role within the IT groups developing BI systems. The initiatives generated by teamwork, the interdisciplinary process monitoring groups, and the joint BI system review sessions must be a routine part of work if we want to achieve BI Governance.

3) Flexible hierarchies. BI Governance working groups must be structured with flexible hierarchies to encourage information exchange. Working groups will be structured according to each function and will take on different roles depending on the project involved. The aim is for hierarchies already existing in organizations to be constantly broken down and restructured under BI Governance, to avoid the CIO bottleneck.

Figure 6: IT Governance Structure (Park et al. [12]).


4) People before processes. People make decisions; processes are controlled. We need to focus on providing information to the people who control processes, and pay less attention to defining the processes needed to control the people, since in Business Intelligence systems these decisional processes are so variable that it is not viable to fully model them.

6 BI Governance Framework

Now that we have defined the values underlying BI Governance, we can go on to structure the 4 components that will make up our framework [14] (see Figure 7).

6.1 Guiding Principles

The guiding principles of BI Governance are the pillars upon which the entire structure rests. They define the overall vision of the programme and the approval criteria for BI initiatives and projects. Each organization should define its own principles, but always based on the 4 values of BI Governance.

Examples of principles are:

BI must make users self-sufficient in terms of information acquisition.

BI must ensure that data is managed as a business asset, in an integrated, standardized, and shared manner, and that it is reused across the various business functions.

BI must ensure that there is a single version of corporate "truth".

6.2 Decision-Making Bodies

Decision-making bodies identify who makes decisions within the scope of BI. The members of decision-making bodies should consider individual functional areas and the organization as a whole in order to provide a balanced and ongoing vision of the real needs of the enterprise. These bodies should provide communication and feedback channels. BI Governance decision-making bodies should always be made up of a mixture of business and IT people.

Examples of decision-making bodies are:

BI Governance Committee. Responsible for project management, prioritization, and BI/Business alignment.

Business Intelligence Competency Centre. A permanent interdisciplinary team to safeguard the effective use of BI tools.

The names and functions will vary according to the needs of each organization. However, these decision-making bodies must be structured in such a way as to encourage flexible hierarchies and teamwork.

6.3 Decision Areas

These are responsible for identifying how decisions are to be made and by whom, who has the right to make them, and who is to be responsible for their management.

Examples of decision areas are:

Investment in BI.

Portfolio of BI applications.

Status of BI implementations.

Adoption of BI.

Delivery of value.

Generally speaking, the agenda of the decision-making bodies is decided by the decision areas.

6.4 Governance Mechanisms

These are the processes and procedures required for applying BI Governance.

Examples of governance mechanisms are:

Definition of the life-cycle of BI projects.

Applications portfolio management.

Business cases and budgets.

Development processes for the various types of BI projects.

Tracking and measurement.

Communication programmes.

Training programmes.

7 Conclusions

We are taking the first faltering steps towards BI Governance; there is still a long way to go from the viewpoint of both researchers and professionals. But before we put structures of this type in place, the organizations themselves need to mature.

Any attempt to implement BI Governance in organizations that are not oriented towards measurement and service, that do not have a team spirit, or that suffer from communication barriers, is doomed to failure.

The question is: can we allow ourselves to fail? Obviously not. The success of an enterprise depends on its competitive edge, and BI Governance provides us with a fast track to that edge by closing the gap between IT and Business once and for all.

And as a final thought: there must be a reason why the acronym of Business Intelligence Governance is BIG…

Figure 7: BI Governance Framework [14].


References

[1] David Selby. Jottings from the business intelligence jungle. Proceedings of the 2002 conference on APL, pp. 190-197.

[2] P. Webb, C. Pollard, G. Ridley. Attempting to Define IT Governance: Wisdom or Folly? HICSS’06, Volume 8, pp. 194a.

[3] IT Governance Institute. Board Briefing on IT Governance, 2nd edition. Consulted at <www.ITgovernance.org> and <www.isaca.org> on Nov 8, 2007.

[4] W. Van Grembergen, S. De Haes, E. Guldentops. Structures, Processes and Relational Mechanisms for IT Governance (2004). In W. Van Grembergen (Ed.), Strategies for Information Technology Governance, Idea Group Publishing, Hershey PA.

[5] M. H. Larsen, M. K. Pedersen, K. Andersen. IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S. HICSS’06.

[6] A. Valle. Introducción a ITIL. Seminar "Sistemas de información para organizaciones". FIB-UPC 2007.

[7] C. Betzya. BISM - you (probably) heard it here first. Consulted at <http://erp4it.typepad.com/erp4it/2007/10/bism—you-prob.html> on Nov 10, 2007.

[8] A. Valle. Aquí huele a futuro… Consulted at <http://www.gobiernotic.es/2007/10/aqu-huele-futuro.html> on Nov 10, 2007.

[9] G. Ridley et al. COBIT and its Utilization: A framework from the literature. HICSS’04.

[10] S. De Haes, W. Van Grembergen. IT Governance Structures, Processes and Relational Mechanisms: Achieving IT/Business Alignment in a Major Belgian Financial Group. HICSS’05.

[11] R. Peterson. Information strategies and tactics for information technology governance. In Strategies for information technology governance, a book edited by Wim Van Grembergen, Idea Group Publ., 2003. ISBN: 1591401402.

[12] HP-Knightsbridge. Top 10 trends in Business Intelligence for 2007. Consulted at <http://h71028.www7.hp.com/ERC/downloads/4AA1-2492ENA.pdf> on Nov 10, 2007.

[13] N. Gutierrez. White paper: Business Intelligence (BI) Governance. Consulted at <http://www.infosys.com/industries/retail-distribution/white-papers/bi-governance.pdf> on Nov 10, 2007.

[14] B. Leonard. Framing BI Governance. Consulted at <http://www.bi-bestpractices.com/view/4686> on Nov 10, 2007.

[15] D. Larson, D. Matney. The four components of BI Governance. Consulted at <http://www.bi-bestpractices.com/view/4681> on Nov 10, 2007.

[16] Kenneth R. Brousseau, Michael J. Driver, Gary Hourihan, Rikard Larsson. El estilo de toma de decisiones de los directivos experimentados. Harvard Deusto Business Review, May 2006.


IT Project Portfolio Management: The Strategic Vision of IT Projects

Albert Cubeles-Márquez

Changes in market demand and in technology have meant that managing IT projects has recently become a genuine challenge for those responsible for information technologies. This difficulty lies in managing individual as well as group projects. This last area includes the concept of a project portfolio, a set of projects carried out within an organization and sharing resources. In recent years portfolio management has proven to be a discipline that allows the value generated by IT to increase and helps implement strategy through the projects.

Keywords: Information Technology, IT Strategy, Project Management, Project Portfolio Management.

Author

Albert Cubeles-Márquez is currently a tenured professor in the project area of the Business Engineering School of La Salle (Barcelona, Spain), where he is also Director of the Master in Project Management and Director of the area of the Master in Engineering, Construction and New Technologies. Since 2005 he has been Secretary of the Barcelona Chapter of the PMI and he has held PMP® accreditation since 2006 <[email protected]>.

1 Introduction

In recent years the management of information technology projects has become an important piece of the puzzle that IT directors have to solve as part of their daily activities.

In order to respond to business activity and to market needs, projects are continually added to, modified in, or eliminated from the list of technology projects to be carried out. In many cases the increasing number and variety of projects exceeds the capacity of IT areas to provide resources, shift priorities or adapt infrastructure to changes.

Since the mid 90s the role played by project management in information technology has grown year after year in response to this problem. A study by the University of Bremen and the PMI [1] details how the use of project management has extended to 86% of IT activities. Another indication of this growth is the increase in the number of members of project director associations. Of the 250,000 members represented at high levels in the Project Management Institute (PMI), a large percentage come from IT areas.

This increase in the use of project management in IT has undoubtedly and substantially improved project results. A Standish Group [2] report that studied 30,000 IT projects shows there was an evolution between 1994 and 2003, a period in which it can be seen that the deviations from schedule went from 222% in 1994 to 63% in 2003 and the cost deviations from 189% to 49% during the same period. In light of these results we can conclude that project management has meant that individual projects and the work associated with them have improved and that the deviations decrease, even though there is still much room for improvement.

Despite this relevance, project management has often been traditionally studied and implemented from an operational point of view, the unit of analysis being the project and its measures of success restricted to the classic elements of scope, time and costs.

In addition to the management of individual projects, those responsible for IT are faced with the problem of implementing the Information Technology strategy without carrying out a single project with dedicated resources, but rather having to manage a set of projects with resources working in multitask environments. In this they are faced with three difficulties: managing resources assigned to projects, managing the interrelations between projects, and the contribution of the projects to the IT strategy.

To resolve these difficulties it is necessary to manage the set of projects carried out by an organisation as a whole. With this intention, in recent years, the concept of Project Portfolio Management (PPM) has been coined. In a recently published poll [3] taken among 130 people in charge of IT in the United States, 25% of those surveyed apply portfolio management techniques in an optimal way, 45% apply them or are adopting them, and 78% apply them, are adopting them or have plans to adopt them.

A project portfolio is a set of projects that share and compete for a series of resources and are directed from within the same organisation. We can consider portfolio management as a dynamic decision making process in which the set of projects is evaluated, selected, prioritised and reviewed in accordance with its contribution to the strategy. In accordance with the principles of PPM, the resources must be assigned to the projects in accordance with the strategy.

This movement of project direction towards project portfolios led the PMI to issue its standard for portfolio management in 2006. This standard represents a compendium of the best practices in project portfolio management [4].

An organisation effectively manages its project portfolio when the projects that make up the portfolio fulfil three conditions:

They are strategically aligned.

Value is maximised.

The set of projects is balanced.

2 The Management of Multiple Projects and Project Portfolio Management

A distinction must be made between managing a set of projects and managing a portfolio of projects. In many organisations it is considered that a group of projects makes up a portfolio, without taking into account their strategic contribution.

In fact, an independent group of projects does not make up a portfolio; it is only a group of projects that consumes time and resources. We can manage them as efficiently as possible, optimising the allocation of resources and prioritising accordingly.

The project portfolio has a clear strategic focus; the selection and prioritisation must be carried out with a clear strategic vision. Within the portfolio, efficiency is desired so that each project contributes to the strategy in the best possible way.

In Table 1 we compare the differences between portfolio management and the management of multiple projects [5].

Frequently, short term planning of a group of projects is a response to the inability of management to define strategic vision and objectives, or to its tendency to fall into political or organisational disputes (see Figure 1).

Through the creation of project portfolios (see Figure 2) a shared vision is established between all those involved in managing the projects.

The primary advantages of project portfolio management are:

Dynamically aligning IT projects with business objectives.

Maximising the return on IT investments.

Making the process of selecting and prioritising projects transparent for the entire organisation.

Ensuring that management, the functional areas and the IT area speak a common language, share the same view of the risk and collaborate in the decision making process.

Consolidating and reducing the number of redundant projects and making it easier to avoid unsuitable projects.

Redirecting IT investments from low value projects to higher value projects.

Allowing those in charge of resources to plan their allocation more efficiently.

The projects must be prioritized based on their relative importance and contribution to the strategy. Each project must also be prioritized relative to other projects evaluated and to the projects under development. In addition, as the technical and business environments change, the priority of one or more projects must also change.

Table 1: Comparison between Portfolio Management and Management of Multiple Projects.

                 Portfolio Management                        Management of Multiple Projects
Purpose          Selection and prioritisation of projects    Allocation of resources
Focus            Strategic                                   Tactical
Planning         Medium/Long term                            Short term
Responsibility   Management                                  Those in charge of projects and resources

Figure 1: Multi Project Management (labels: Management, Projects, Business Areas).

Once the priorities have been clearly defined, those in charge of the projects and those who are responsible for resources must continually ask themselves several critical questions:

(1) Are the resources being allotted to the highest priority projects?

(2) Is resource use maximized?

(3) Are projects finished on time and under budget, and do they meet quality standards?

3 Management of Project Portfolios and Management of Projects

A CIO Council report about better practices [6] lists a series of lessons learned about IT portfolio management. The first one is "Understand the differences and relationship between portfolio management and project management and manage each in a suitable way".

Within the projects and initiatives undertaken by an IT department, IT project portfolio management is focused on the aggregate level and on the goals and objectives of the organization. Project management focuses on a specific initiative, defining and attaining its objectives within cost, on time, and meeting planned performance.

As can be seen in Figure 3, project management creates value by efficiently carrying out individual projects, attaining objectives in the established time and under the established cost. Portfolio management, on the other hand, creates value through the identification, selection and prioritization of projects. We could say that while project management is focused on the projects, on "doing things right", portfolio management is focused on the whole and on "doing the right thing".

Value creation in the IT department increases through the appropriate management of the project as well as the portfolio.

The information in the portfolio is obtained at the project level and, in addition to taking into consideration the state of the whole, the projects' priorities, risk level, resource consumption and trade-offs between projects, it is also concerned with the health and the best practices of individual projects.

Along the same lines, improvements in project management always have positive repercussions on the portfolio. Within project management the elements that contribute most at the portfolio level are the availability of the information for decision making and efficiency in project management.

4 A Process Model for Portfolio Management

In the PMI standard for portfolio management [4] we find a very detailed process model that takes us from the strategy to the portfolio and from there to the programmes and projects. A simpler model, adapted from Archer and Ghasemzadeh [7], appears in Figure 4. This diagram of processes connects the three levels: strategy, portfolio and project.

The model begins with the project proposal and its individual analysis. This analysis, which is usually accompanied by a business case, aims to make an individual assessment of the risk and the reward associated with achievement of the project, where financial criteria such as NPV (VAN), IRR (TIR) and ROI, and assessment criteria of the strategic alignment, are used. Some projects are already ruled out at this stage.

Figure 2: Project Portfolio (labels: Management, Portfolio, Projects, Business Areas).

Figure 3: Portfolio Management and Project Management.

Projects that meet the individual criteria enter the project selection process, where the projects, both those being carried out and recently proposed projects, are compared. The selection is based on the simultaneous evaluation of various criteria through weighting or bubble diagrams. These criteria, just as in the individual project analysis, measure risk, benefits and strategic alignment. In Figure 5 we can see a bubble diagram representing four criteria, for example risk and benefit on the axes and size of the project and alignment in the size and colour, respectively, of the bubbles.

Once the projects are selected, a balancing and prioritization of the projects is done. Based on the available resources and the prior assessment, the projects are categorized and prioritized and resources are allotted to them. The projects are monitored according to this prioritization and categorization. The result of this process is an updating of the plans of individual projects, adjusting them to the new priorities (see Figure 6).

At this point the process becomes iterative: the projects are carried out according to the updated plan and, as certain stages are developed, the project is continuously assessed individually and with respect to the rest of the portfolio until its conclusion or cancellation.

Figure 4: Process Model.

Figure 5: Risk/Benefit Bubble Diagram.


Figure 6: Prioritization of the Portfolio.

In the individual analysis, the selection, balancing and prioritization of projects require a defined IT strategy that allows an adequate assessment in each of the steps.

5 Need for an IT Strategy for Portfolio Management

As seen in the previous process diagram, having an IT strategy for a business is the only way to balance the projects in the portfolio. This strategy is necessary to ensure a balance between the short term (short and urgent projects) and long term or important projects. If the project portfolio has too many small projects that consume too many products, this is usually due to not having defined the strategy or not having made it operational in the right way.

We must take into account that the strategy becomes reality at the moment of investing, in the case of IT through the projects. For this reason, the IT strategy helps assign resources to different projects, between short term and long term ones, between those of high risk and those of low risk, between new and existing technologies.

6 The Implementation of a Project Portfolio

Implementing IT portfolio management from the beginning is not an easy task, just as implementing project management is not when the organization is not accustomed to it.

When dealing with its implementation it must be kept in mind that it is a continual process of improvement, and it is advisable to follow a maturity model, like the maturity model of Kerzner [8]. Although initially conceived for the improvement of project management, it is perfectly applicable to the implementation of the project portfolio.

The five stages of the Kerzner model (Figure 7) are:

1) Common language. Recognition of the importance of managing the project portfolio and the need for a good comprehension of the terms and concepts associated with its management.

2) Common processes. In this stage the basic processes of portfolio management are defined so that the process is repeatable. The principles and techniques of portfolio management are applied.

3) Singular methodology. The process and all the criteria for project portfolio management (including selection, prioritization and evaluation) are the same for all the areas, so that the decision process is unique and objective.

4) Benchmarking. Recognition that the portfolio management process needs to improve and that the evaluation should be carried out continuously. We decide which area to improve and what to improve.

5) Continuous improvement. Evaluation of the information from the previous stage and decision to include it in the existing methodology.

Once implemented, our project portfolio must have a series of basic characteristics in order to work:

Centralized view of the projects.

Financial analysis and risk analysis.

Interdependencies between projects.

Prioritization, alignment and selection.

Dynamic evaluation of the portfolio.

Restrictions: resource limitation, capacities of staff, of the budget or of the infrastructure.

7 Prerequisites for the Implementation of Portfolio Management

Before beginning to implement PPM in an organization some preconditions must be taken into account:

Existence of a business strategy and an IT strategy. An organization that is going to implement PPM must have defined business and IT strategies, and have communicated them to all the departments involved. The PPM objectives are adjusted to this strategy. The initiatives to implement a portfolio will be unsuccessful if there are no existing business and IT strategies, and we are simply left with multi-project management.

Involvement of the management. The management has to be involved to have a comprehensive view of the portfolio and its projects. Without the support and the total understanding on the part of the management, the constant competition for resources and the changes in priority will never be effective.

Competence and abilities of the team. Another relevant aspect is the importance of having a project team with relevant financial and strategic knowledge and abilities.

8 Software for Portfolio Management

The growth in interest on the part of IT departments in project portfolio management has been accompanied by a proliferation of software applications for project and portfolio management.

The appearance of these software applications is helping with the more administrative work of gathering data and preparing the information for analysis. In spite of that, the software for portfolio management tends to provide a more operational view of the portfolio. These tools are a great help for collecting the data that exist in the project schedules and aggregating them at the portfolio level, which improves the management of resources significantly. However, an adaptation is needed to analyze the projects from a more strategic viewpoint.

In this adaptation we will have to add information to the projects that is not in their scheduling component: the classification of clients, the financial calculations, the stages within the portfolio and the assessments of risk, among others. These last elements provide a classification of the projects based on strategic elements, maximizing the value and balancing the projects, and using techniques related to portfolio management.

9 Conclusions

In recent years portfolio management has been demonstrated to be a discipline that increases the value created by IT and helps implement the strategy through the projects. Its implementation in businesses requires a series of stages that follow a maturity model, and needs the involvement of the management and the existence of an IT strategy that the portfolio must fulfil as key factors for its effective operation.

References

[1] University of Bremen, PMI et al. Project Management World Study, 2003.

[2] Standish Group International. CHAOS Chronicles, 2003.

[3] M. Jeffery, I. Leliveld. Best practices in IT portfolio management. Sloan Manag Rev 2003; 45.

[4] Project Management Institute. The Standard for Portfolio Management, 2006.

[5] D. Lowell, J. Pennypacker. Project Portfolio Management and Managing Multiple Projects: Two Sides of the Same Coin? Proceedings of the Project Management Institute Annual Seminars & Symposium, September 7–16, 2000, Houston, Texas, USA.

[6] CIO Council. A summary of first practices and lessons learned in IT Portfolio Management, 2002.

[7] N.P. Archer, F. Ghasemzadeh. An integrated framework for project portfolio selection. International Journal of Project Management, Vol. 17, No. 4, pp. 207-216, 1999.

[8] Harold Kerzner. Strategic planning for project management using a project management maturity model. John Wiley & Sons, 2001. ISBN: 0471400394.

Figure 7: Kerzner Maturity Model.


ISO20000 – An Introduction

Lynda Cooper

ISO20000 is the International Standard for IT Service Management. This article provides an overview covering the history of the standard, the scope and relationship to other standards and frameworks, as well as benefits realised. The article also recommends additional sources of information.

Keywords: Benefits, BS15000, Drivers, International Standard, IT Service Management, ISO20000, Scope.

1 History

ISO20000¹ has a long pedigree, being underpinned by ITIL service management best practices. The first version was a British Standard, BS15000, published in 2000. Following an early adopters’ trial, various recommendations for improvement were made and the standard was updated in 2002. This was then fast tracked to become an international standard, ISO20000, which was published in 2005.

The first certification scheme for organisations to be certified was launched in November 2003 by the ITSMF (IT Service Management Forum) and is entirely in line with the ISO9000 certification scheme. External auditors must be approved by ITSMF and are known as Registered Certification Bodies (RCBs), which are listed on the ISO20000 web site, <www.isoiec20000certification.com>.

2 Framework

The framework of service management guidance is represented in Figure 1. Although the framework shows the most commonly used best practice framework of ITIL, it is not mandatory to implement ITIL best practice in order to satisfy the requirements of the standard. Use of other frameworks such as eTOM will be equally valid.

3 Individual Qualifications

In addition to corporate certifications, there are several qualifications available for individuals. These are:

ITSMF - ISO20000 consultant certificate, aimed at those who will consult, either internally or externally, or manage an ISO20000 programme.

ITSMF - ISO20000 auditor qualification, aimed at internal and external auditors who will be auditing against ISO20000.

EXIN – Service Quality Management Foundation, aimed at individuals working in an ISO20000 organisation.

EXIN – Service Quality Management Advanced, aimed at consultants or managers.

ISEB – ISO20000 Essentials course, to be released early 2008.

4 Scope of the Standard

The standard requires an IT Service provider, either internal or external, to satisfy requirements for all processes as shown in the process model depicted in Figure 2. The processes cover the ITIL processes and bring in additional areas to provide a complete view of IT Service Management. No processes can be excluded for certification.

The scope does allow for some of the processes to be outsourced as long as management control can be shown over those outsourced processes.

The standard aligns with ISO9001 in the Management System requirements and the Plan-Do-Check-Act cycle in Planning and Implementing Service Management. Indeed, those companies with ISO9001 certification should already find that they satisfy some of the requirements of ISO20000. ISO20000 can be achieved either in conjunction with ISO9001 or stand alone.

ISO20000 also links with ISO27001. The requirements for information security management within ISO20000 are a subset of those in ISO27001. Those companies already certified to ISO27001 for the same scope should have already satisfied all the information security requirements in ISO20000. The standard can be attained for varying scopes within a service provider:

All or some IT Services, e.g. financial services, supply chain services.

All or some Technology, e.g. application management, infrastructure management, desktop support.

All or some customers, e.g. one specified customer or all customers.

All or some locations, e.g. one location or all locations.

Author

Lynda Cooper, International Director of Consulting of Fox IT<http://www.foxit.net/>, has industry recognition as a thoughtleader in Service Management working as a strategic consultantand trainer. Her work culminated in the publication of the BritishStandard for IT Service Management BS15000, and then theInternational Standard, ISO/IEC 20000. A keen advocate of thepragmatic use of best practice, Lynda is active in industry forumsand on conference platforms. She represents the UK on theISO committee for IT Service Management as the Principal UKExpert. She has the ITIL Managers Certificate and has beeninvolved in ITIL3 as a reviewer. <[email protected]>.

1 ISO20000 is the commonly used abbreviation for the International Standard for IT Service Management whose full title is ISO/IEC 20000.


38 UPGRADE Vol. IX, No. 1, February 2008 © Novática

IT Governance

Figure 1: Framework of Service Management Guidance.

Figure 2: ISO20000 Process Model.

5 Why Achieve ISO20000

There are various drivers for wanting to gain ISO20000:

- An independent certification offers an industry recognised benchmark of quality.
- The certification proves that the provider can offer best practice in service management and service delivery.
- More importantly, the certificate ensures that an organisation gains all the benefits of utilising best practice in service management. Many companies claim to implement ITIL best practice but these are often selective implementations which are not independently checked. With ISO20000 as with any other standard, the use of best practice will be assessed annually ensuring that all the benefits often promised are truly gained. These benefits will cover improved quality of service, cost savings, reduced risk and continuous improvement.

Even if the service provider does not go for formal certification, the 13 pages of mandatory requirements in the standard provide a focus for what to do to implement best practice service management. This can then be supplemented with the use of ITIL or other frameworks for the detail of how to implement each process.

For many external service providers, the benefits are in demonstrating a competitive edge or in being able to respond to proposal requests that demand ISO20000 certification.

6 Future of the Standard

The standard is already being updated by the International Standards Committee responsible for service management. This committee has representatives from many countries including Spain. The standard will remain stable for some years which is important in the marketplace. The next update is likely to be published in 2009 or 2010. Updates will cover:

- Removal of ambiguity from some wording.
- Improvement and updating of some requirements based on feedback.
- Some alignment to ITIL3.

7 Further Information

There are various publications available to support the standard including:
- ISO/IEC 20000 - part 1 and part 2.
- ISO/IEC 20000 Self assessment workbook - BSI publication <www.bsi-global.com>.
- A Manager's guide to service management - BSI publication.
- Achieving ISO/IEC 20000 series - BSI publications.
- ISO/IEC 20000 pocket guide - ITSMF publication.

The web site also points to useful information about auditors and certified companies <www.isoiec20000certification.com>.


COBIT as a Tool for IT Governance: between Auditing and IT Governance

Juan-Ignacio Rouyet-Ruiz

Cobit is establishing itself as an effective tool to set up IT Governance that will help IT departments convert themselves into technological partners of businesses. When analysing the suitability of Cobit for IT Governance we must be aware of its origins in auditing, and of its strengths and weaknesses resulting from such an origin. In this article we analyse Cobit's strengths and weaknesses as a framework for IT Governance, using as a reference another IT Governance model, that of Peterson.

Keywords: Alignment, Auditing, Cobit, IT Governance, Management of IT Services, Strategic Process Orientation.

1 Introduction

In recent decades IT departments have been forced to evolve towards a necessary strategic alignment between the IT function and the business needs of the organization. Under this paradigm, IT departments have faced the situation of having to make a value proposition of their activity which is in line with the interests of the corporate management [1]. To that end the IT function is managed in three phases: it begins as a management model focused on the reduction of operational costs (technology provider); it then becomes a service organization that seeks to satisfy the necessities of its clients (service provider); and it ends up as a business partner offering valuable solutions and seeking the interest of stakeholders as well as growth in market turnover or penetration (technology partner) [2].

In this article we focus on management in terms of the last IT function. From a theoretical perspective, such an alignment is achieved with Henderson and Venkatraman's SAM model [3]. The next step consists of being capable of carrying out this strategic alignment from a practical point of view, for which elements such as IT Governance are necessary.

Currently one of the main models for IT Governance is Cobit, a model rooted in auditing. This origin in auditing gives Cobit characteristic strengths and weaknesses. In this article we will analyse the suitability of Cobit for IT Governance. To do that, we will study in some detail what is understood by IT Governance, and we will compare Cobit with Peterson's IT Governance model.

2 The Concept of IT Governance

In order to clearly define and understand the concept of IT Governance, we must first be aware that it fits within the practices and regulations of corporate governance. According to the OECD (Organisation for Economic Co-operation and Development) corporate governance aims to establish responsibilities to assure objectives and measure performance [4]. Such performance is related with the creation of value for the organization and the management of its resources in an efficient and transparent way. This leads us to the four elements that make up corporate governance: responsibility, guaranteeing objectives, creating value and resource management.

Author

Juan-Ignacio Rouyet-Ruiz has a degree in Telecommunications Engineering from the Technical University of Madrid (1997). He began his professional activity in the field of training consultancy in 1998. Since 2002 he has been involved in numerous ITIL implementation consultancy projects within key accounts, primarily in the industrial and telecommunications sectors. In 2005 he joined Quint Wellington Redwood as an ITIL consultant, where he has been carrying out strategic consultancy activities in IT service management. As the person responsible for the quality of the training department in a multinational company he has successfully been through several AENOR audits. He has participated in IT service management congresses and conferences, and has published articles in that field. He is currently writing his doctoral thesis in the field of IT Governance. <[email protected]>.

These same four elements must be applied to the IT function, especially taking into account the direct implications that technology and its management currently have on business processes. On these basic assumptions, therefore, the concept of IT Governance emerges as a subset of corporate governance. There is currently no consensus about exactly how to define IT Governance, although it is true that the various definitions have common elements.

We can begin with the definition provided by MIT (Massachusetts Institute of Technology), through its Sloan School of Management's Center for Information Systems Research (CISR), which points out that IT Governance specifies the decision making rights and the framework of responsibilities to promote desirable behaviour in the use of IT [5]. Notice that this definition is clearly focused on decision making, but does not define what to decide, calling it simply desirable behaviour in the use of IT.


Responsibilities of Corporate Governance | Responsibilities of IT Governance
--- | ---
How do shareholders get executives to return some profit? | How does advanced management get the IT director and the IT to return value from the business?
How do shareholders make sure executives do not waste the capital lent in loss-making investments or projects? | How does advanced management make sure the IT director and the IT do not waste capital in loss-making investments or projects?
How do shareholders control executives? | How does advanced management control the IT director and the IT?

Another definition is taken from Wim Van Grembergen, according to whom IT Governance is the capacity to organize, executed by the board of directors, executive management and IT managers, to control the formulation and implementation of the IT strategy and, in this way, ensure the fusion of business and IT function [6]. As can be seen, this definition is focused on defining who is primarily responsible for IT Governance, and pays special attention to searching for alignment between the IT function and the business.

Finally we provide the definition offered by the IT Governance Institute (ITGI), the body that created Cobit: IT Governance is the responsibility of the board of directors and executive management, and consists in leadership and organizational structures and processes that ensure that the IT function of the company sustains and extends the organization's objectives and strategies [7]. As can be seen, this definition is also focused on who must assume the responsibility for IT Governance, at the same time that it indicates in greater detail the activities and structures that make it up. It also defines more precisely what Van Grembergen called the fusion of business and the IT function, which, according to ITGI, consists in the IT function sustaining and extending the organization's objectives.

These definitions make it apparent that there are various points of view of IT Governance, and it may therefore be that we do not have a clear idea of what it is exactly. To obtain an overall view we can refer to Table 1, in which IT Governance is compared to corporate governance.

Just as there are different definitions of IT Governance, there are just as many practical models for its implementation because the concept of IT Governance is difficult to classify in a simple collection of processes or mechanisms. The lack of a single model means we need, at least, a framework to indicate what should be considered, leaving how such considerations should be taken into account to the private interpretation of each model. To arrive at some consensus on the common objectives of IT Governance we can refer to Forrester, an independent IT consultancy of recognised prestige. According to that organization, the objectives of IT Governance are: IT function value and alignment, risk management, performance measurement, and responsibility [9], which are all aligned in some way with the previously indicated objectives established by the OECD.

We will analyse Cobit based on these objectives and using the IT Governance model of Peterson as a reference.

3 Peterson's IT Governance Model

Peterson [10] establishes a framework that indicates what aspects must be taken into account to implement IT Governance, leaving to the choice of each company exactly how to implement it. In search of a performance framework, this author establishes that IT Governance must be implemented according to a set of structures, processes and relational mechanisms. Structures are understood as the existence of a set of responsibilities; processes refer to decision making and performance measuring activities; finally, relational mechanisms make clear the need for the IT function to participate in the business and favour communication (see Table 2).

With regard to Forrester's previously listed IT Governance objectives, Peterson's model focuses on the definition of responsibilities and on risk management, achieved mainly through the definition of the structures and the relational mechanisms. The measurement of performance would appertain more to the field of processes. However, it does not establish clear mechanisms to define the IT function's value and alignment with the business.

4 Cobit as a Model of IT Governance

Cobit was developed by the Information Systems Audit and Control Association (ISACA), through the IT Governance Institute (ITGI), as a management auditing mechanism for IT departments, and over time has become a standard for IT Governance. The Cobit acronym stands for Control Objectives for Information and Related Technology, which indicates the way Cobit should be considered: as a system that facilitates IT management controls.

According to ITGI [7], Cobit supports IT Governance by creating a framework that covers the following five areas: strategic alignment, value delivery, resource management, risk management and performance measurement. To that end, it establishes four courses of action: focused on the business, directed towards processes, based on controls and guided by metrics.

Table 1: Corporate Governance and IT Governance [8].

The main idea of Cobit is to make available a series of processes that will help manage and control the IT function resources, and make sure the business receives the information it needs to achieve its objectives. To define how the information should be, Cobit establishes a series of requirements the information must meet to be satisfactory for the business, which it calls information control criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance (with laws, regulations, etc.) and reliability.

With regard to its process direction, Cobit offers a set of processes grouped into four blocks of activities: planning and organization (PO), acquisition and implementation (AI), delivery and support (DS) and monitoring and evaluation (ME).

Finally, in order to be based on controls and guided by metrics, Cobit defines the IT control objectives as a declaration of the desired result or of the objective to attain through the implementation of control procedures in a particular IT activity. The Cobit metrics feature three measurement elements: maturity models, performance metrics and activity objectives, of which the performance metrics are the best known.

The performance metrics are established in two groups: the key goal indicators (KGI) and the key performance indicators (KPI). Along these lines, the diagram of performance metrics grouped on three graduated levels is well known: those that measure if the goals of the IT function have been fulfilled (IT KGI), those that measure the fulfilment of the IT process goals (process KGI), and finally those that measure the performance of such processes (process KPI). This chain of measurements makes Cobit more business oriented, since the impact that a process has on the business can be monitored from the lowest to the highest level.

5 Conclusions

According to the OECD, corporate governance should focus on four elements: establishing responsibilities, attaining goals, creating value and managing resources. Adapting these goals to the IT environment, Forrester proposes the following five elements: IT function value, alignment, risk management, performance measurement and responsibility definition. In terms of these principles, Cobit shows great strength with regard to performance measurement, value creation and risk management.

To be sure, due to its metrics structure, grouped in IT KGI, process KGI and process KPI, the performance measurement of the IT activity is kept totally under control. To the degree that the IT function is able to demonstrate its performance, it also shows its value to the business, given that value demonstration is currently and unfailingly connected to quantitative terms. In the same way, the strong measurement control makes sure the risks of diversion from objectives are also controlled, which is why Cobit also features great strength in risk management.

Table 2: Structures, Processes and Mechanisms of Relation for the Implementation of IT Governance [10].

Structures
- Tactics: IT board of directors; Committees.
- Mechanisms: Roles and responsibilities; Organizational structure of the IT; IT director on the Management Council; IT strategic committee; IT management committees.

Processes
- Tactics: Making strategic IT decisions; Monitoring the IT strategy.
- Mechanisms: Strategic planning of Information Systems; IT balanced scorecard (IT BSC); Economic information; Service level agreements; COBIT and the ITIL; IT Governance maturity models.

Relational mechanisms
- Tactics: Participation of all concerned (stakeholders); Business-IT association; Strategic dialogue; Shared learning.
- Mechanisms: Active participation of those primarily concerned; Collaboration between those primarily concerned; Compensation and incentives for business-IT association; Joint business-IT siting; Shared understanding of the business and the IT objectives; Active conflict resolution (not avoided); Inter-functional business-IT training; Inter-functional business-IT job rotation.


These three strengths are sustained in two characteristic aspects of Cobit: its origins in consultancy and its orientation towards process. Its origins in consultancy are the result of having the so-called control objectives of the processes and control criteria of the information. The first guarantees the minimum requirements each process must meet; the second guarantees that the information is that which the business needs. Notice that both cases deal with control, as this is the foundation for measuring performance and managing risks. And we must not forget the very meaning of Cobit (Control Objectives for Information and Related Technology), which indicates how Cobit should be considered: as a system that facilitates information and technology controls. The orientation towards processes structures the entire set well.

The system of nesting metrics, which makes a KGI from one level become a KPI from a higher level, provides the necessary mechanism for a correct alignment of the IT function. Through the Cobit metrics it is possible to "see" the importance of a performance measurement (KPI) in the IT goals. That is, a relationship is seen between process activities and their influence over IT goals, which leads to alignment.

But it is here, at this point, where the weaknesses of Cobit also begin to appear. We talk about alignment, but we must point out that such an alignment remains within the IT. Indeed, as we have seen, Cobit shows great strength in establishing suitable controls so that the IT activities are attuned to IT goals. The weak point lies in the link between IT and business goals. As can be seen in Appendix I [7] of Cobit, once the goals of the business are known, the relation with the IT goals is achieved by selecting a series of processes. This can produce indetermination as well as rigidity.

Rigidity comes from having to establish some processes according to the strategy, when it is known that stable processes should be established over time, and be sufficiently flexible in their goals and performance measurement to be adapted to any strategy. The indetermination originates in the fact that Cobit neglects aspects related to taking responsibilities and the relational mechanisms that guarantee the alignment with the corporate strategy. These structures of responsibility and relational mechanisms go beyond the RACI matrices defined by Cobit, which are focused on the interior of the IT and do not establish mechanisms so that the IT is one more element in the Management Committee, a true governing element.

Thus, Cobit's origins in auditing make it a perfect frame of reference for the internal control of IT, guaranteeing performance measurement, value creation and risk management. These fields are defined in Cobit's process orientation and in the structured metrics system that measures those processes. From our point of view, the aspects that must be improved revolve around the establishment of responsibilities and alignment with the business strategy. For those aspects we consider most difficult to grasp, we could refer to Peterson's IT Governance framework, which establishes elements for governance structures and relational mechanisms, the elements that finally control the formulation and implementation of the IT strategy based on the business strategy.

References

[1] N. Kriebel, P. Matzke. Building Meaningful Business Value Propositions. Forrester, August 2006.
[2] O. Le Gendre. IT Departments and IT Governance. Gartner, IT Governance Forum, June 2001.
[3] J.C. Henderson, N. Venkatraman. Strategic Alignment: Leveraging information technology for transforming organizations. IBM Systems Journal, Vol. 38, No. 2&3, 1993.
[4] OECD. Principles of Corporate Governance. OECD, Paris, 2004.
[5] P. Weill, J.W. Ross. IT Governance: How top performers manage IT decision rights for superior results. Harvard Business School Press, Boston, Massachusetts, 2004. ISBN: 1591392535.
[6] W. Van Grembergen. Structures, processes and relational mechanisms for Information Technology Governance: Theories and practices, in Strategies for Information Technology Governance. Hershey: Idea Group Publishing, 2003. ISBN: 1591401402.
[7] IT Governance Institute. Cobit 4.0. Rolling Meadows: IT Governance Institute, 2005.
[8] T. Shleifer, W. Vishny. A survey on Corporate Governance. The Journal of Finance, 52(2), 1997.
[9] C. Symons. IT governance framework. Forrester, March 2005.
[10] R. Peterson. Information strategies and tactics for Information Technology governance, in W. Van Grembergen (Ed.), Strategies for Information Technology Governance. Hershey, PA: Idea Group Publishing, 2003. ISBN: 1591401402.


Implementing IT Governance Ad@pting CobiT, ITIL and Val IT: A Respectful Caricature

Ricardo Bría-Menéndez and Manuel Palao García-Suelto

In this article we present some guidelines for the combined use of three reference models and a series of points and criteria to be considered in respect of their complementarity.

Keywords: CobiT, Governance, IT Governance, ITIL, Val IT.

1. It is our intention to respond to UPGRADE's kind invitation to write "an article explaining how to put to work, on a joint basis, CobiT and VAL IT, and maybe ITIL".

2. The title chosen addresses the invitation, highlights the objective (Implementing Good IT Governance), and introduces a neologism, ad@pting, as a healthy mix of adopting and adapting. We hope the article will honour the title and explain, if not justify, our ad@ption of the neologism.

3. Good IT Governance is a topic of utmost importance, one which is getting hotter by the day and has increasing but still lagging interest for businesses, professionals, consultants, and society as a whole.

4. It should concern society, as ICT's pervasiveness is ever expanding in enterprises, institutions, and society and because in Good Corporate or IT Governance we all have a voice (or will end up having one)1.

5. It has been said that the adequate restatement of an issue is more than halfway to solving it. It is the purpose of the authors to help our readers with an honest and modest attempt at restatement.

6. The usual length limitation set for this article but, above all, the intrinsic communicational limitations of the authors may lead the reader to a hasty impression that the whole subject is just a matter of grandiose caricature statements, when the authors (from their professional training, experience and principles) know and preach the opposite: the subtleties, the greys, and the maybes.

7. As a first example of "caricature statement": we do not believe that CobiT, Val IT or ITIL can be implemented in organizations.

Authors

Ricardo Bría-Menéndez has specialized in the areas of consulting and auditing and, for the last 10 years, in the emerging topic of IT Governance, which he puts as a top priority in the agenda of enterprises and organizations across the world. Since 1982, he has been an active member of ISACA (Information Systems Audit and Control Association). ISACA is a professional organization recognized as a world leader in Governance, Assurance and Security where Ricardo has sat on numerous boards and committees, and was elected as International Vice President. Mr. Bría's professional career has been developed in the United States, Latin America and Europe. For many years he worked for a large international auditing and consulting firm and was also Organization and Process Improvement Manager for a major international Bank. He is CISA (Certified Information Systems Auditor) and ACT (Accredited CobiT Trainer) certified by ISACA, and graduated in Business Administration at the University of Texas at Dallas <[email protected]>.

Manuel Palao García-Suelto holds an ABD in Computer Sciences and Civil Engineering and has Bachelor Degrees in Statistics and Operations Research, and Sociology. He is CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager) and ACT (Accredited CobiT Trainer) certified. He has been an ATI (the Spanish Association of Computer Technicians) Senior Member since 1975 and Co-coordinator of Novática's (the journal of ATI) Technical Section "IT Audit" for the past six years. He has been Managing Partner of Personas & Técnicas: Soluciones, SLU, and Partner and CTO of The Model Company, Modelco SL. He served as President of ISACA's Madrid Chapter for two terms. Professor at UCLM's Master Program on IT Security and UPM+ALI's Master Program on IT Security and Audit; Professor and Area Coordinator at Deusto University's Master Program on IT Governance. He has authored a book on MIS, and has also written several chapters for books and more than 200 articles <[email protected]>.

8. This "non-implementability" requires a prior reflection regarding frameworks (such as CobiT, Val IT and ITIL), their needs, characteristics, and differences with many other standards. This exercise of reflection is much needed and of considerable importance as there appears to be considerable confusion (fuelled by some spurious interests) regarding standards and frameworks and their certifiability, compatibility and profitability.

1 Good IT Governance is meant to serve stakeholders' interests. The AS/NZS 4360:2004 Risk Management standard defines stakeholders as those "who may affect, be affected by, or perceive themselves to be affected by a decision, activity or risk."


9. The following characteristics are being proposed in general, tentative terms as we are unaware of a more rigorous taxonomy or definitions. Frameworks, generally, are oriented towards "best practices", while standards are oriented towards "minimum requisites". Frameworks deal more with "what" and standards with "how". Frameworks have a broader scope, are more flexible and compatible; standards are more stringent, rigid and self-contained, when they are not actually exclusive.

10. Good frameworks are needed to ensure, in the broadest possible way, that IT resources are aligned with the business/service objectives of the enterprise/institution, and that services rendered and information provided comply with the minimum requirements of quality (cost, distribution, quality), security (confidentiality, integrity, availability) and trust. They are a code of good (or best) practices.

11. According to COSO2, which we familiarly call "the Mother of all Control Frameworks", fiduciary or trust-related requirements are intended to ensure the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with laws and regulations.

12. In our global and highly interrelated world, there must be and there must be seen to be significant convergence between the various efforts to produce and maintain frameworks and standards. If such convergence does not happen or if it is not seen to be happening at a reasonable speed, one may suspect the existence of hidden interests and artificial barriers which (as a result of being driven by hidden agendas) may pose serious risks for those not sufficiently well informed.

13. This same general convergence can be seen in the history of art (romanticism in music, cubism in painting) and - due to its particular nature - in the history of science (Boyle-Mariotte in the XVII century, with their 'ideal gas'; Watson-Venter, the day before yesterday, with the human genome; or the counterexample in Spain in the mid-20th century, under Franco's dictatorship, when Professor Julio Palacios maintained, in front of important audiences, the radical falseness of Einstein's Theory of Relativity3). This latter example of divergence is not trivial. Sadly, unscrupulous visionaries and liars often speak louder than those who, by trial and error, seek the right path.

14. A similar trend towards convergence can be seen in the specific case of the frameworks and standards that interest us. Here are a couple, by way of example:

15. One: ISO 9001:2000 (as opposed to ISO 9000:1996) introduces and highlights the consideration of "customer satisfaction" in convergence, for example, with EFQM (introduced in 1992), in turn converging with the US "Malcolm Baldrige National Quality Improvement Act" of 1987 (100-107).

16. Another: ITIL (a product created in 1986 by the UK Government (CCTA) for the UK Government) in 1991 decided to try and expand its approach to private enterprise, in convergence with ISACA's Control Objectives (1976), the forerunner of CobiT (1996).

17. Where the general convergence of standards and frameworks stands out is in their preference for the improvement process over the milestone. In this respect, probably the most widely known reference is Deming's PDCA wheel: Plan-Do-Check-Act.

18. A good framework, according to generally accepted principles, must meet the following four requirements:

19. First of all: process orientation. This basically means that all activities are organized into processes (that are more or less repeatable, documented and traceable, among other properties described by most 'maturity models') which have a "process owner" with clearly defined responsibilities. For the purpose of this article, the focus is on good IT Governance, as a means of meeting business needs while narrowing the gap between risks and control requirements and helping to optimize IT-related investments by providing the means for measuring and evaluating them.

20. Secondly, it has to be based on commonly accepted practices such as technical standards (ISO, EDIFACT, etc.), codes of ethics (Council of Europe, OECD, ISACA, etc.), systems and IT process qualification criteria (ITSEC, TCSEC, ISO9000, SPICE, TickIT, Common Criteria, etc.), internal audit and control professional standards (COSO, CICA, IFAC, IIA, AICPA, GAO, PCIE, ISACA, etc.), industry and governmental requirements and practices (ESF, IBAG, NIST, DTI, BS7799, etc.).

21. Thirdly, common language. The use of common terms (provided by a framework) enables and encourages communication between members at different levels and in different departments of the enterprise, and with consultants, customers, vendors, and third parties in general, while avoiding misunderstandings resulting from different – even opposite – interpretations of the same word. It also helps to bridge the traditional communications gap between business and technology and to establish objective, intelligible, and shared metrics and indicators.

22. Lastly, good frameworks take into account the promotion and adoption of regulatory requirements. Regulatory compliance is a complex and costly task. The adoption of a framework based on generally accepted standards facilitates compliance and helps demonstrate compliance to third parties.

2 Copyright © 1985-2006 The Committee of Sponsoring Organizations of the Treadway Commission.

3 Thomas F. Glick: "Ciencia, política y discurso civil en la España de Alfonso XIII". Espacio, Tiempo y Forma, Serie V, Historia Contemporánea, t. 6, 1993, pp. 81. <http://62.204.194.45:8080/fedora/get/bibliuned:ETFSerie5-657A3C0B-A3E9-D95C-E289-6D65020EC50E/PDF>.

23. Good frameworks are not radical or fundamentalist; rather, they are tolerant. They facilitate and even promote a cooperative promiscuity between different standards and frameworks. It is a shame though, that some people, out of ignorance or vested interest, try to misuse a good framework!

24. An outstanding example of positive framework hybridization is provided by ISO "management systems" (considered here as a single framework): ISO 9001:2000 (Quality Management), ISO 14000:2004 (Environmental Management), and ISO 27001:2005 (Information Security Management). Three standards on quite different subjects, sharing a common framework (the "management system"). In the recent words of a prominent AENOR (Spanish Association for Standardization and Certification, the Spanish member of ISO) executive: "the same engine [or framework, to use our word] with different data". The three standards (and others that will presumably be joining them soon) share structure, documentation and procedures, which enables, simplifies and increases the benefit of their everyday joint use (not just their joint certification or re-certification).

25. But the most paradigmatic example in our area of concern is perhaps CobiT mapping to other frameworks and standards. To date (December, 2007) ISACA, in addition to its general mapping to "good international practices", has published 9 CobiT maps to specific frameworks or standards (CMMI for Development, ISO/IEC 17799:2000, ISO/IEC 17799:2005, ITIL, NIST SP800-53, PMBOK, PRINCE2, SEI's CMM for Software, TOGAF 8.1). We also know that CobiT mapping with ISC2 CBK, the framework underlying CISSP, is currently in the pipeline.

26. In addition to all the above, good frameworks are democratizing. We use the term here to mean that their features make them applicable (ad@ptable) to any organization, regardless of industry and/or size, due to the fact that good frameworks consider the whole picture in a holistic manner, but divided into manageable and independent, albeit interrelated, parts with well-defined and responsible limits and relationships, and with a clear and precise assignment of rights and obligations.

27. Successfully ad@pting a good framework (or a number of them, as they are not mutually exclusive) also has a "revolutionary" and distinguishing quality: small/immature organizations can take a leap forward and position themselves in the best-of-breed category (where one would normally only expect to see Fortune™ 1000 companies). This (fortunately, since it represents a window of opportunity) clashes with the rigid ideology of 'maturity models' interested in selling a supposedly inexorable "phase by phase" (or fascist goose stepping) approach.

28. Going back to where we were a few paragraphs ago, we claim that CobiT, ITIL or Val IT cannot be implemented in the sense of implanted, "to fix or set securely or deeply"4, as in the case of a pine tree in the backyard, a dovetail joint in the carpenter's shop, or a kidney in the operating theatre. Those are events or, to be more precise, they are the final concrete, permanent and tangible outcome of a project.

29. Frameworks are "adopted" and "adapted" (ad@pted) in a living and continuous process in which an enterprise/institution, starting from any stage, sets sail towards ever higher levels of excellence (the journey being more important than the destination).

30. To arrive at the destination it is of utmost importance to choose the right vehicle for the journey. However, apart from selecting which framework or frameworks (since nobody today is at risk of dying from a lack of frameworks, standards and best practices), maybe the most critical success factor for the trip is who makes the decision and who sponsors the journey.

31. This is a process that cannot flow upstream, againstgravity.

32. If the project is driven and sponsored by Top Management (TM), its success is not totally guaranteed beforehand.

33. But its failure is assured if that condition is lacking.

34. The factotum then must be (note the imperative form) TM, an issue which is often ignored (more or less blatantly). The main reason being that, among its responsibilities for corporate governance, it also has a responsibility for IT governance and an obligation to, implicitly or explicitly, select the components and choose the framework "cocktail" of its liking.

35. One cannot but hope that in the not so distant future, in a more informed and cultured arena, the current could, as it does in estuaries, allow the passage of a certain amount of upstream traffic, i.e., well founded and documented suggestions taken up to the Top Management (TM) by second/third line management or staff personnel. But, while such a sensibility/culture does not become generalized (thanks mainly to professional associations, universities, consultants, etc.), all the power and potential for success lies with the TM.

36. The "implementation"/ad@ption is then a process (an endless one! Deming's virtuous circle). A process of partial ad@ption, of cutting, pasting and ad@pting what suits us; a process of hybridization or crossbreeding.

4 Merriam-Webster Dictionary <http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=implanted>.

37. As previously stated, good frameworks are not radical. Quite the contrary, they are tolerant: they accept and even foster promiscuity, cutting and pasting, while remaining faithful to their essence and remaining compatible with other good frameworks, which is another of their intrinsic characteristics. In a way, it is like medieval Toledo, where frameworks as different as the ones introduced by the Jews, the Christians, and the Arabs caused culture and prosperity to flourish in synergy.

38. Another "caricature statement" deals not with the what but with the how.

39. As frustrating as it might seem for most consulting firms (and even more for their major clients) whose business model is to sell many "junior" and inexperienced hours (pyramidal model) instead of fewer "senior" expert hours of consultancy (not just PR), the critical issue here is not the product (e.g., the ITIL version), or the what. Rather it is the how, the process; the project; how it is managed, how and how rapidly it is expanding, who is involved and who is committed (remember the fable of the pig and the hen, and their attitude in the face of the consequences for each of them of not providing us with ham and eggs).

40. A good simile to describe the 'how' could be that of cultivating, agriculture and culture (same etymology). Good Governance is not about implementation but about cultivating, about work through the generations, about a continuous and sustainable process, relying more on the essentials and on workmanship than on fashion.

41. Sustainability also assumes a number of prerequisites that are so self-evident and naive that it seems absurd to mention them. But we have to mention them due to the numerous and widely documented blunders made by important corporations, assisted by major consulting firms, while attempting to ensure that projects designed to meet the requirements of the Sarbanes-Oxley Act delivered sustainable structures and procedures.

42. Good IT Governance cannot be a patch or an orthopaedic limb. It has to be rooted in the organization's most important, genuine, and healthy fibres.

43. Paraphrasing the famous quote by Lord Kelvin, "If you cannot measure it, you cannot improve it", we would like to introduce another of our own: "What is not continuously evaluated and improved becomes obsolete before leaving the drawing board".

44. Having mentioned more than once promiscuity and tolerance, it might seem that frameworks and standards do not ultimately contribute anything - that they are unnecessary or mere divertissement. A hasty and mistaken conclusion! Frameworks are not only necessary, but are a mandatory prerequisite to pave the way towards good IT governance.

45. Frameworks are the crystallization of a "body of knowledge" and "guidelines" that summarize the hands-on experience of hundreds of international and multi-industry IT practitioners in working groups and committees of professional organizations and associations. The end result of their contributions is objectively overwhelming, particularly for those who, in this day and age, may still be trying to reinvent the wheel.

46. Fortunately, thousands of the best professionals, from many different areas, countries, and cultures have put in their time as volunteers and helped to develop and keep CobiT (Control Objectives for Information and related Technologies) current. CobiT has already become the internationally accepted reference IT Governance framework, refining practices that have proved successful after numerous implementation cycles.

47. The fact that frameworks are not intended to/cannot be applied by themselves as a master recipe should not mislead us into undervaluing them, but rather the opposite. Competitive and surviving organizations stopped thinking that the isolated self-sustaining Robinson Crusoe approach was the way to go a long time ago.

48. In Forrester's opinion, "first use CobiT for IT control and governance, ITIL for service delivery and support, and finally use ISO 17799 for Security"5.

49. To which, humbly, in view of the authority of the quoted sentence, we dare add, as a cherry on top of the cream: "Use Val IT to realize the benefits and the value generated by the process".

50. By way of a conclusion: if you seriously want to implement good IT governance in your company/institution, just do it, using your own customized recipe, ad@pting CobiT, ITIL, and Val IT. If you feel like it, drop a green olive into the bowl.

51. If you do it right, you'll be embarking on an endless process (just like all successful projects).

52. If you see fit to request assistance from a consulting firm, make sure they do not offer/deliver 'snake oil'. The more product-related or radical/exclusive the proposed solution is, the more suspicious you should be.

5 January 5, 2006. "COBIT Versus Other Frameworks: A Road Map To Comprehensive IT Governance", by Craig Symons.


What Governance Isn't
Rob England

This article makes a quixotic attempt to stem the corruption of the word governance. Governance is policy making and policy policing. Anything else is management.

Keywords: Governance, IT Governance, IT Management, Management.

Author

Rob England is a writer, entrepreneur and consultant. Rob also writes under the pseudonym of The IT Skeptic <www.itskeptic.org>. Rob lives with his family in a little house in a little village in a little country far away <[email protected]>.

1 Introduction

One of the less endearing behaviours of the IT industry is to take terms that once had a meaning and then misuse and overuse the word until the original meaning is all but lost. Vendors are the main culprits, eager to redefine a term to fit their offering, but the analysts are at it too, trying to find creative new meanings for formerly well-understood terms. Some authors, commentators and journalists contribute simply by not understanding the proper meaning of the term and so taking it to places it was never meant to go.

"Management", "consultant", "solution", "knowledge"… there is a long list of victims. One of the latest is "governance". In an attempt to stop the rot before this word loses all usefulness, we should define what governance is not.

2 What Governance Is

Often the easiest way to understand something is to first define what it is not. However, in the case of "governance," it is not difficult to define what it is, or rather what it was back when the word had a clear agreed meaning. So let us begin by defining the term.

The Concise Oxford Dictionary (Sixth Edition 1976) defines "to govern" as "…regulate proceedings of (corporation etc.)". Despite all that has been done to the word since 1976, this is still the essence of governance: regulation. And "regulate" is defined by the same source as "Control by rule, subject to restrictions; moderate, adapt to requirements…".

Governance is the practice of controlling behaviour/activity/process/practice by:

Creating a controlling mechanism by defining roles, responsibilities, decision rights, and accountability.
Setting the rules (the trendy word is "policy").
Defining the bounds to restrict behaviour.
Reacting to excess to bring it back within bounds.
Moving the bounds in response to changing requirements.

So there are two main functions to governance:

Directing. Setting and adjusting policy and bounds in response to external stimulus: the behaviour the business requires to survive, compete and comply.

Controlling. Enforcing the bounds in response to internal stimulus: demanding metric reports and comparing against the thresholds defined by the bounds; requiring correction where metrics go over thresholds.

Governance is actually very simple in definition and execution. Governors are not highly paid because what they do is clever or complex. They are highly paid because they carry the risk through their accountability for non-compliance.

They say you can't manage what you can't measure. In the same way you can't govern what you can't measure. This is often interpreted to say that if we cannot measure something we should not manage or govern it. This is incorrect. If business requirements dictate a certain policy and we cannot currently measure compliance with that policy, then we have two options: (a) implement process and tools to measure it or (b) accept the risk of an unregulated policy. Better to make the risk transparent than to leave the policy off.

In particular, changing technology means that the capability to measure is a lot more volatile than organisational policy. If new metrics become available, it is easier to enforce an existing policy than to introduce a new one.

One of the most powerful and widely applicable models in IT is "people process things". (Often this is said as "people process technology" but that is far too narrow. People and process are underpinned by many artefacts such as forms, books, files, even whiteboards and sticky notes). Governance is first and foremost a state of mind, then an activity, then the tools to enable and assist that activity. A measurement tool on its own is not governance, despite what the vendors claim, without the organisational attitude and the repeatable processes to make it useful.

3 What Governance Isn't

Which brings us to our topic: what governance isn't.

The philosophers among us will remind us that "what something is not" is an infinite topic. We will restrict ourselves to "what governance isn't but people sometimes try to make it". Here are seven interrelated areas often confused with governance:

Measurement, reporting and audit.
Management.
Optimisation.
Financial control.
Policy enforcement.
Vision and strategy.
Rule.

3.1 Measurement, Reporting and Audit

Governance is not measurement or reporting or audit, though it may employ these tools. As is the way of most tools, these can be used for multiple purposes, one of which is to report back to governors. Real governors seldom use tools themselves: they require governance feedback information from employees.

Doing the reporting or audit is not governance: it is executing the requirements of the governor. Don't let tool vendors tell you otherwise. And "people process things": if the activity of reporting is not governance then even more so the tools are not governance. Nor do they enable or improve governance. If you improve your culture and process you might identify how tools could assist that improvement, but implementing tools in a vacuum will not make a difference.

3.2 Management

Governance is not management, at least not the operational activity that is the core meaning of management (or was before the word lost all meaning). Just because someone is making a decision does not make it governance. Most decisions are not governance, they are management. Only policy decisions are governance.

The government and the Governor do not operate a country: the civil service does that. The governors set policy, rules, guidelines; they delegate the power to enforce them; and they demand information and tribute.

Governance is one function of senior management, but only as it is delegated. The ultimate responsibility for governance rests with the owner, board of directors, or government, depending on the type of organisation. The execution of governance can be delegated to executive management: the accountability cannot. In recent times, the Sarbanes-Oxley Act1 has made that quite clear in the USA; so too have various OECD, EC and national Acts and regulations.

3.3 Optimisation

Governance is not optimisation. Governance asks "are we doing…?" but not "how are we doing it?" Profitability, ROI and other such operational metrics are of interest to governors only in so much as they have set policy to say "We must be profitable". How we achieve this or why we are failing to achieve it are management functions, not governance ones. Executive management is responsible for optimising the performance of the organisation; governance is responsible only for ensuring it remains within bounds.

3.4 Financial Control

Financial processes are not governance, not even controlling processes. All financial management is part of the operations of the organisation. Some financial metrics will be required by governors to ensure operations remain within financial policy bounds, but this is a small part of what finance does and even then getting the data is not of itself governance.

This includes many activities often tagged as governance: Project Portfolio Management (PPM), asset management, budgeting, annual reporting… Even fraud detection is not governance: it is an operational security process.

Governance sets financial policy; financial management executes it.

3.5 Policy Enforcement

Governance is not enforcement of policy. This is perhaps the most common misuse of the word "governance". Governors mandate that policy shall be complied with. They measure to ensure the organisation remains within the bounds of policy. But the day-to-day operational activity of keeping the organisation within the bounds is management, not governance. Governors are watching, not doing.

So bounds functions like risk management, change management, financial management, security and audit are not governance. They are the means by which the organisation satisfies governance requirements by keeping the organisation within the bounds of policy.

3.6 Vision and Strategy

Governance is not setting vision or strategy. Another area that is often confused with governance is creating the vision, setting the direction of the organisation, and devising strategy. Governors appoint an executive to do this, and give them a framework and policy within which to do it. In some organisations, the governors get actively involved in the process and don't fully delegate it. But this means that the governors are involved in high-level operations, not that the activity is part of governance.

3.7 Rule

Governance is not always rule. A king may rule but in the modern model he/she does not govern. Equally in many large organisations the nominal figure-head has little to do with governance. A government minister or secretary has only nominal control over his civil servants (watch "Yes Minister" on TV). The Chairman of the Board may do no more than occupy the chair. Note that this is not a consequence of simple delegation. The British people constitutionally removed their monarchy's right to govern at sword-point. In theory the US president is answerable to the Senate (though in practice some would say the republic has an emperor). The civil service in every nation evades control. The Chairman may simply be ineffective.

1 "The Sarbanes-Oxley Act of 2002… is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom". <http://en.wikipedia.org/wiki/Sarbanes-oxley>.

4 IT Governance

So far we have talked about governance in general. This magazine is about IT in particular, so what of IT governance? If we focus on IT, does it change this discussion any?

The principles of IT governance remain exactly the same: direct and control. The practices of IT governance are of course more specific. IT governance is very well defined by Val IT [1], that excellent product of the IT Governance Institute [2]. Val IT starts slowly and looks deceptively light after you have read it, but it is a nice comprehensive framework for governing and managing value from IT.

Val IT defines IT governance as:

Ensure informed and committed leadership.
Define and implement processes.
Define roles and responsibilities.
Ensure appropriate and accepted accountability.
Define information requirements.
Establish reporting requirements.
Establish organisational structures.
Establish strategic direction.
Define investment categories.
Determine a target portfolio mix.
Define evaluation criteria by category.

Val IT also helps define what IT governance is not. It describes Project and Portfolio management as:

Maintain a human resource inventory.
…
Establish an investment threshold.
Evaluate the initial programme concept business case.
…
Make and communicate the investment decision.
Stage-gate (and fund) selected programmes.
…
Monitor and report on portfolio performance.

…and Investment Management as:

Develop a high-level definition of investment opportunity.
Develop an initial programme concept business case.
Develop a clear understanding of candidate programmes.
Perform alternatives analysis.
…
Assign clear accountability and ownership.
Initiate, plan and launch the programme.
…
Monitor and report on programme performance.
Retire the programme.

As we discussed already, governance is not operational management, even where that management is the implementation of governance policy. Val IT agrees.

If we revisit our list of seven examples of areas that get shoehorned into the definition of governance, we can see how they have a different context within IT but they are not changed.

4.1 Measurement, Reporting and Audit

In IT, we are blessed with the COBIT framework as a useful definition of practices and metrics for measuring, reporting and auditing IT. In addition there are of course ITIL and CMMI and other frameworks that extend and complement COBIT too. IT is something of a thought leader in this area: try to find good KPIs for HR or marketing. We in turn take our lead from manufacturing, where TQM and Six Sigma have pioneered many of IT's concepts.

4.2 Management

In the last decade or so we have moved from IT people managing to managers managing IT: the understanding being that management is a skill that many IT people do not grow into, and that effective management can be brought in from outside IT. The rise of ITIL is a sign of that maturing as non-IT managers look for effective frameworks to impose. But IT managers do not govern. They serve their governor masters like all managers do.

Most importantly, there is no such thing as IT governance in the sense that nobody within IT governs, except as delegated from the governors. When we narrow our focus to IT Governance, one thing does not change: the governors of the organisation own it. Accountability for IT Governance rests with the Board, or owner, or minister/secretary, just like any other governance. IT is governed just as Manufacturing, Distribution, Finance, HR and so on are governed: from the centre.

4.3 Optimisation

Again nothing changes. ITIL is not governance. Doing things better within IT is part of the operational management of IT. We do it to stay within governance's policy bounds, but we do it outside of governance.

4.4 Financial Control

IT does a lot to facilitate financial management and financial governance by providing the software to make the processes effective, but the tools are not governance any more than a hammer is carpentry.

4.5 Policy Enforcement

IT plays a pivotal role in modern organisational policy enforcement in areas like audit and security, but we merely deliver to the operational processes that respond to policy: this is a long way removed from calling what we do governance.

4.6 Vision and Strategy

It has been well argued of late that there should be no IT strategy: IT is one aspect of the organisational strategy. Certainly IT's emergence as a function more aligned with the business, with outward facing management, means we push for a seat at the top table, but that does not mean CIOs take a governance role. It means they take an executive management role.

4.7 Rule

There is no distinct IT governance role so there is no distinct ruler of IT, but try telling that to some CIOs.

In theory the practice of governance is simple, though in practice not so. The definition of governance is simple: policy making and monitoring. But the vendors will make governance mean what they sell; the analysts will make it mean something new and oh so clever; and many writers will make it whatever they think it means. This article's quest is probably futile: the word "governance" is doomed just like "partner" and "paradigm" and "legacy" and "virtual" before it. Maybe there is still a chance. You will make this writer happy if just once you say "that's not governance" (see Table 1).

Table 1: Governance Keywords.

Governance is                   Governance isn't
------------------------------  ------------------------------
Policy                          Strategy
Direction                       Execution
Assurance                       Audit
Rules                           Instructions
Making the owner accountable    Ownership
Empowering                      Approving
Consider information            Analyse data
Check a dashboard               Measure and monitor
Require behaviour               Modify behaviour
Process requirement             Process execution
Reporting on compliance         Reporting on performance

References

[1] IT Governance Institute®. "Enterprise Value: Governance of IT Investments, The Val IT Framework", 2006. Available for download at <http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24259>.

[2] IT Governance Institute. <http://www.itgi.org>.

Abbreviations

CMMI: Capability Maturity Model Integration.
COBIT: Control OBjectives for Information and related Technology.
ITIL: Information Technology Infrastructure Library.
KPI: Key Performance Indicator.
Six Sigma: A set of practices to systematically improve processes by eliminating defects.
TQM: Total Quality Management.


Software Engineering

A View on Aspect Oriented Programming
Konrad Billewicz

© Pro Dialog, 2007. This paper was first published, in English, by Pro Dialog (issue no. 23, 2007, pp. 13-20). Pro Dialog, <http://www.pti.poznan.pl/prodial/prodialEn.html>, a founding member of UPENET, is a biannual journal published jointly, in English or Polish, by the Polish CEPIS society PTI-PIPS (Polskie Towarzystwo Informatyczne – Polish Information Processing Society) and the Poznan University of Technology, Institute of Computing Science.

In this paper a wide view on aspect oriented programming is shown. The correlation with object oriented programming is presented. The strengths of aspect oriented design over object oriented design are pointed out. The typical usage of aspects is outlined. Several research and industry examples of aspect usage are provided.

Keywords: Aspect Oriented Programming, Java, Object Oriented Programming.

Author

Konrad Billewicz, Warsaw University of Technology, Institute of Computer Science. <[email protected]>

1 Introduction

Aspect oriented programming (AOP) is a different way of thinking about software development. This paradigm has been researched for several years since the publication of "Aspect-Oriented Programming" [8] in 1997. The advancement of AOP is not as fast as object oriented programming (OOP) was. AOP is a popular subject of AOSD (Aspect Oriented Software Development) conferences [3], but generally conference papers about this paradigm rarely appear. Solutions based on AOP slowly enter the market and are rarely recognised as AOP.

More often the usage of AOP is hidden. In this paper we will describe what AOP is, try to present the main advantages of AOP, show how AOP and OOP can complement one another and how AOP is currently used.

In Section 2 we will introduce the basics of AOP. In Section 3 we will look at AOP in comparison with OOP. Some advantages of AOP over OOP will be given. The typical usage of AOP will be presented in Section 4. The current research of AOP will be outlined in Section 5. In Section 6 we will briefly describe several real-world implementations of AOP based on Java technology. Section 7 contains some conclusions.

2 Basics of Aspect Oriented Programming

Briefly speaking, AOP allows us to apply new code into the existing one, and this operation is performed completely transparently. Using traditional approaches would make a similar goal difficult or even impossible to achieve.

In order to describe AOP more precisely, we will focus on showing AOP primitives and interactions between them. An example of a simple AOP program will be provided. With this knowledge, the basics of AOP should be clear.

AOP is based on several primitives: crosscutting concern, joinpoint, advice, pointcut, introduction, weaving and aspect, all of which are described below.

Crosscutting concern – though most classes in an object oriented model perform a single task, they often share a common, secondary functionality. While the primary functionality of each class is different, the code responsible for performing the secondary functionality is typically identical. This identical code we call the crosscutting concern.

UPGRADE Vol. IX, No. 1, February 2008 53 © CEPIS

UPENET

Joinpoint – is a location in the existing code where the new code is applied. Generally it can be any part of the code, such as method execution start or end, class field read or write, loop, variable assignment or read. In popular Java AOP implementations (briefly described in Section 6) only method execution and field access are available.

Advice – is the new code that will be applied to the existing code.

Pointcut – is a construction that selects the joinpoints to which advice will be applied. We rarely want to apply the advice to every possible joinpoint, so we need to select only some of the joinpoints.

Introduction – is a new (introduced) functionality of the class. For example it can be a method, a field or a thrown exception. An introduction is dynamically added to the existing code by AOP.

Aspect – is a collection of advices, pointcuts and introductions.

Weaving – is the process of applying an aspect to the existing code.

AOP separates crosscutting concerns into single units – the aspects. The process of applying aspects to existing code is called weaving. It gives us the ability to apply new code to the existing one.

When using AOP we start by implementing the System using an object oriented language (such as Java). After that we deal with crosscutting concerns by implementing Core concerns and Weaving rules (grouped into aspects) using an aspect language (such as AspectJ [2]). The process of applying a crosscutting concern to the object oriented System is presented in Figure 1. After compilation we have a single program.

Examples of using AOP in typical implementations are given in Section 4. A more detailed description of AOP primitives can be found in [10].

For a better understanding of the terms introduced above we will consider an example Java class presented in Figure 2 and an example AspectJ aspect presented in Figure 3. The output from the program that was compiled and run is shown in Figure 4.

The simple Java class in Figure 2 contains three methods, including two whose names start with "say". One takes no parameter and the other takes a string parameter. Every method prints something to the console. The main method calls both.

In Figure 3 an example aspect is presented. It contains one pointcut definition, sayPointcut. This definition points to method calls in the program (the call keyword) which have any access scope and return anything (the first *), whose class has any name (the second *), whose name begins with "say" (say* after the comma) and which take any (or no) parameters (.. in the brackets). For a full description of the AspectJ syntax refer to [10].

We have two advices inside the aspect. One of them executes before the declared pointcut (the before keyword) and the other after it (the after keyword).

The output of the example AOP program created by weaving ExampleAspect into ExampleClass is presented in Figure 4. Both advices have been invoked twice: before and after each of the two methods whose names start with "say". The aspect has not been woven before or after the method which starts with "print", so no advice is executed before or after the execution of this method.
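Figures 2 to 4 are not reproduced in this transcript. The listing below is an added reconstruction that follows the description above; it is not the paper's own Figure 2 or Figure 3, and the method names sayHello, sayText and printLine, the message texts and the use of thisJoinPoint in the advice bodies are assumptions made here.

```aspectj
// Added example, not the paper's listing: a plain Java class and an AspectJ
// aspect that match the description in Section 2. Method names and message
// texts are assumed. Save both types in ExampleClass.java and compile with ajc.
public class ExampleClass {

    public void sayHello() {
        System.out.println("Hello from sayHello()");
    }

    public void sayText(String text) {
        System.out.println("sayText: " + text);
    }

    // Not matched by the pointcut: the name does not start with "say".
    public void printLine() {
        System.out.println("printLine() runs without any advice");
    }

    public static void main(String[] args) {
        ExampleClass ec = new ExampleClass();
        ec.sayHello();
        ec.sayText("aspects");
        ec.printLine();
    }
}

// The aspect is package-private so it may share the file with the public class.
aspect ExampleAspect {

    // call(): select method-call joinpoints.
    // first *  : any return type (and any access scope)
    // second * : any declaring class
    // say*     : method name beginning with "say"
    // (..)     : any number of parameters, including none
    pointcut sayPointcut() : call(* *.say*(..));

    before() : sayPointcut() {
        System.out.println("[before] " + thisJoinPoint.getSignature());
    }

    after() : sayPointcut() {
        System.out.println("[after]  " + thisJoinPoint.getSignature());
    }
}
```

Compiling with ajc ExampleClass.java and running ExampleClass gives the behaviour the text describes for Figure 4: the before and after advice each run twice, once around sayHello() and once around sayText(String), while printLine() executes with no advice at all. Because the pointcut uses call rather than execution, the advice is woven at the call sites in main, which are part of the same compilation; a caller compiled outside the weave would not trigger it.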

3 Aspect and Object Oriented Programming

AOP is a paradigm completely different from the one presented by OOP. OOP is built upon primitives such as objects and the relations between them, while AOP is focused on aspects woven into objects. At first sight these two paradigms seem to be alternatives, but this is not true. OOP and AOP can live together in one program and supplement one another.

OOP is a paradigm which allows us to build an information system representing the real world or an imagined environment. Objects represent entities from the domain, while relations between objects represent the relations between these entities.

This idea is straightforward and powerful. On the other hand, sometimes it can be very difficult to implement such an environment due to its complexity.

Figure 1: Compilation of AspectJ Program [10].


Figure 2: Example Java Class.

The solution to the problem mentioned above is AOP. It is suitable for handling crosscutting concerns in an object oriented model. By handling these concerns we are able to remove some relations between objects from the model.

By doing this, we reduce the model complexity and simultaneously preserve the information which has been contained in these relations. When using AOP, information about removed relations is stored in the aspects. In this approach an aspect is preferred over a relation.

Replacing relations with aspects makes objects less coupled and decreases the object oriented model complexity. This approach is presented in detail in [13].

The usage of AOP does not rule out using OOP. These two paradigms can exist in a project together and complement each other. Object oriented elements of the environment – objects – are superior to AOP elements – aspects. Objects are connected with relations and interact with one another, while aspects handle crosscutting concerns. In this approach the usage of aspects is transparent for objects. That is the reason why objects can be less coupled – they do not need to know about the logic nested inside aspects and do not depend on them.

4 Typical Usage of Aspect Oriented Programming

In this section we will focus on typical usage of AOP. We will consider:

aspect oriented logging,
aspect oriented authentication,
aspect oriented cache,
aspect oriented transaction management.

The most representative and most frequently used AOP implementation is aspect oriented logging. Logging is an excellent example of a crosscutting concern. Logging should be completely transparent for the rest of the system and none of the system components should depend on it. Besides, logging should be a separate module which can be easily plugged into and out of the system. It is an ideal candidate for an aspect implementation. An example of such an implementation can be found in [12]. In that paper the migration of a Java program's logging architecture from object oriented to aspect and object oriented is presented. The effectiveness of this modification is validated with a technique based on DSM (Design Structure Matrix). Another example of AOP-based logging, implemented in COBOL, can be found in [11]. Usage of aspect oriented logging in advanced, real-world systems is presented and discussed in [1]. An implementation of a logging module in the AspectJ language can be found in [10].

Another typical usage of AOP is authentication. If a user wants to access a resource that not all users are allowed to retrieve, authentication should be performed. Secured resource access can be needed anywhere in the program. The other modules of the program should not be aware of the fact that a user has to authenticate, nor of how this authentication is performed.

Besides, no part of the program should depend on the authentication module. This is an example of a crosscutting concern. A migration to this AOP-based approach can be found in [12]. Guidelines on implementing AOP authentication in the AspectJ language can be found in [10].
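The following is an added example of the authentication pattern just described; it is not code from the paper or from the guidelines in [10]. The secured service (AccountService, withdraw), the placeholder Session holder and the AuthenticationException type are assumptions made here; a real system would consult its identity provider instead of a static field.

```aspectj
// Added example, not from the paper: an aspect that refuses secured
// operations for unauthenticated callers. AccountService, Session and
// AuthenticationException are assumed names for this illustration.
public class AccountService {

    // Assumed secured operation. Note that it never mentions authentication.
    public void withdraw(String account, int amount) {
        System.out.println("withdraw " + amount + " from " + account);
    }

    public static void main(String[] args) {
        AccountService service = new AccountService();
        try {
            service.withdraw("ACC-1", 10);   // nobody is logged in: rejected
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Session.login("alice");
        service.withdraw("ACC-1", 10);       // authenticated: allowed
    }
}

// Stand-in for a real identity store (constructed for this example).
class Session {
    private static String user;
    static void login(String name) { user = name; }
    static boolean isAuthenticated() { return user != null; }
    static String currentUser() { return user; }
}

class AuthenticationException extends RuntimeException {
    AuthenticationException(String message) { super(message); }
}

aspect AuthenticationAspect {

    // Execution of every public instance method of AccountService. Using
    // execution() rather than call() places the guard inside the method body,
    // so it applies regardless of where the call originates.
    pointcut securedOperation() : execution(public !static * AccountService.*(..));

    // Fail closed: the operation body only runs if the check passes.
    before() : securedOperation() {
        if (!Session.isAuthenticated()) {
            throw new AuthenticationException(
                "not authenticated for " + thisJoinPoint.getSignature().getName());
        }
    }
}
```

The service class and its callers contain no authentication logic, which is the point of treating authentication as a crosscutting concern. The design choice worth noting is the execution() pointcut: with call(), a caller compiled outside the weave (for example a library or a class loaded from elsewhere) would bypass the check entirely.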

Cache management is another popular application of AOP. Objects interacting with each other do not need to know about caching. It is an ideal candidate to be implemented using AOP. We can assign aspects to intercept requests to the objects we would like to cache. During this interception the aspect checks whether the object currently requested is in the cache (the cache can be, for example, memory). If it is, we simply return it. A high-cost operation such as retrieving data from a database can be skipped. If the object is not in the cache, we simply perform the original request. In both scenarios, the main program is not aware of the cache's presence. An implementation of caching in the AspectJ language can be found in [10].
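An added example of the caching interception described above, written here for illustration and not taken from the paper or from [10]. ProductRepository and findName stand in for an object whose lookups are expensive (the "database query" is only a printed line), and the map-based cache is a deliberately minimal stand-in for real cache storage.

```aspectj
// Added example, not from the paper: an around advice that serves repeated
// requests from an in-memory map and only lets cache misses reach the
// original operation. ProductRepository and findName are assumed names.
import java.util.HashMap;
import java.util.Map;

public class ProductRepository {

    // Assumed expensive operation, e.g. a database query.
    public String findName(int productId) {
        System.out.println("database query for " + productId);
        return "product-" + productId;
    }

    public static void main(String[] args) {
        ProductRepository repo = new ProductRepository();
        repo.findName(42);   // miss: the query runs
        repo.findName(42);   // hit: answered by the aspect, no query
        repo.findName(7);    // miss: a different key
    }
}

aspect CachingAspect {

    private final Map<Integer, String> cache = new HashMap<Integer, String>();

    // Every call to findName, with the argument bound for use in the advice.
    pointcut lookup(int productId) :
        call(String ProductRepository.findName(int)) && args(productId);

    // around advice decides whether the original request runs at all.
    String around(int productId) : lookup(productId) {
        String cached = cache.get(productId);
        if (cached != null) {
            return cached;                      // skip the expensive operation
        }
        String result = proceed(productId);     // perform the original request
        cache.put(productId, result);
        return result;
    }
}
```

The caller and the repository are both unaware of the cache, as the text requires. One caveat for anyone copying the pattern: the cache key must cover everything the result depends on. If a lookup's answer varied with the authenticated user, keying only on productId would hand one user's data to the next caller, so the aspect would have to include the user identity in the key or bypass the cache for such operations.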

A more advanced but still typical usage of AOP is transaction management. Transaction management is functionality behind the main logic of the program. Handling it inside the logic often results in very complicated and hard-to-understand code. Using aspects which guard transactions instead of the objects makes the code easier to understand. Guidelines on handling transaction management with AspectJ can be found in [10]. A discussion of implementing transactions using AOP can be found in [9].

5 Research on Aspect Oriented Programming

More advanced ways of using AOP are being researched. Aspects are not fully explored and their potential is not completely understood nowadays. Interesting areas where AOP can be useful are:

AOP based program architecture,
OOP patterns incorporation,
refactoring existing programs with no source code available.

These three issues will be discussed in this section.

Researchers try to base the architecture of their programs on AOP. It is a challenge because the usage of aspects in this manner is not as straightforward as in the basic usages (presented in Section 4), such as logging. An interesting example of implementing program logic using AOP can be found in [15]. The paper presents a concept of an AOP design where a complex object oriented environment is built using a very simple model which handles only the simplest use cases. The more advanced use cases are handled using AOP. Aspects are woven into the objects responsible for complex actions. When an action is going to be performed, the aspect recognizes it and performs the action instead of the object (but can execute the object logic as well). This approach makes objects simple and easy to understand while the complexity is held inside separate aspects. A similar attempt is presented in [10]. In the book the concept of dividing business rules into two groups is presented.

Core and constant business rules are programmed typically, while variable business rules are implemented using AOP.

Another subject of AOP research that is advanced but still popular among researchers is the attempt to incorporate OOP patterns (such as those described in the Gang of Four book [5]) using AOP. Some papers present migration techniques that allow implementing object oriented patterns using AOP [6]. Others concentrate on performance and the improvement of separation of concerns [7].

Some of the AOP implementations (such as AspectJ [2]) have another useful functionality – the ability to weave aspects into existing bytecode. This allows us to modify or add new functionality to existing programs or libraries with no source code available. A study and examples of using this very interesting functionality can be found in [4].

Figure 3: Example AspectJ Aspect.

Figure 4: Output from Example AOP Program.

6 Aspect Oriented Programming in the Industry

The most popular implementation of AOP for Java is AspectJ [2]. We write aspects in a specialized language, somewhat similar to Java, extended with structures used for defining an aspect such as pointcut or advice.

Aspects written in the AspectJ language have to be compiled by the AspectJ compiler. This compiler is compatible with the standard Java compiler and produces class files that can be run on any Java-compatible virtual machine.

The AspectJ compiler offers an option to weave aspects not only into Java source code but also into compiled Java classes (more about research in this area can be found in Section 5).

Another implementation of AOP for Java is proposed by the Spring Framework [14]. This framework is based on the Dependency Injection paradigm, which is closely connected with AOP (for more information about Dependency Injection refer to the Spring Framework documentation at [14]).

The Spring AOP framework has unique functionality that allows us to use AOP features without recompiling the program. This is possible due to the integration with the entire Spring Framework, which handles the lifecycle of objects in the program.

On the other hand, this approach has its disadvantages. Firstly, Spring AOP is only able to handle method execution joinpoints. Secondly, this approach can cause significant performance issues.

7 Conclusions

The main advantage of AOP is that it can complement OOP. These two can exist in a project together and supplement each other. It gives us a chance to improve areas where the object oriented paradigm is not suitable.

Another AOP advantage is the ability to solve problems impossible to solve using OOP, such as crosscutting concerns, effective pattern implementation or bytecode refactoring.

AOP has a huge undiscovered potential. Several areas where this promising technology can be suitable are being exploited by industry or researched. But many areas still wait for their explorers.

References

[1] Akkawi, F., Akkawi, K., Bader, A., Fletcher, D., Duncavage, D., Using Aspect-Oriented Technology in the Design of Advanced Diagnostic Systems, IASTED International Conference on Software Engineering, Innsbruck 2004.

[2] AspectJ, <http://www.eclipse.org/aspectj/>.

[3] Aspect-Oriented Software Development, <http://www.aosd.net>.

[4] Cheng, L.-T., Patterson, J., Rohall, S. L., Hupfer, S., Ross, S., Weaving a Social Fabric into Existing Software, AOSD'05, Chicago 2005.

[5] Gamma, E., Helm, R., Johnson, R., Vlissides, J., Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley, 1994.

[6] Garcia, A., Sant'Anna, C., Figueiredo, E., Kulesza, U., Lucena, C., von Staa, A., Modularizing Design Patterns with Aspects: A Quantitative Study, AOSD'05, Chicago 2005.

[7] Hannemann, J., Kiczales, G., Design Pattern Implementation in Java and AspectJ, OOPSLA'02, Seattle 2002.

[8] Kiczales, G., Lamping, J., Mendhekar, A., Maeda, Ch., Lopes, C. V., Loingtier, J.-M., Irwin, J., Aspect-Oriented Programming, in: Proceedings of the European Conference on Object-Oriented Programming (ECOOP), Lecture Notes in Computer Science 1241, Springer-Verlag, 1997.

[9] Kienzle, J., Gélineau, S., AO Challenge – Implementing the ACID Properties for Transactional Objects, AOSD'06, Bonn 2006.

[10] Laddad, R., AspectJ in Action, Manning Publications Co., 2003.

[11] Lämmel, R., De Schutter, K., What does Aspect Oriented Programming Mean to Cobol?, AOSD'05, Chicago 2005.

[12] Lopes, C. V., Bajracharya, S. K., An Analysis of Modularity in Aspect Oriented Design, AOSD'05, Chicago 2005.

[13] Pearce, D. J., Noble, J., Relationship Aspects, AOSD'06, Bonn 2006.

[14] Spring Framework, <http://www.springframework.org>.

[15] Zhang, Ch., Jacobsen, H.-A., Resolving Feature Convolution in Middleware Systems, OOPSLA'04, Vancouver 2004.


CEPIS NEWS

CEPIS Working Groups

Authentication Approaches for Online Banking

CEPIS Legal and Security Special Interest Network

Authentication is an essential part of modern e-commerce, particularly in online banking. Owing to the popularity and wide use of online banking, unwanted side effects have arisen, i.e. abuses, activities by malicious and criminal users and a rise in organized criminal attempts (e.g. phishing). This paper surveys contemporary authentication approaches taken by European banks and further argues that complex and error-prone security measures do not provide any security improvement, but rather discourage or prevent users from easily entering the electronic marketplace. Additionally, recommendations are given which are targeted at different parties, i.e. banks and other financial institutions and organizations, governments and regulators, professionals and customers. For every group specific recommendations are suggested.

Keywords: Authentication, Certificate, Online Banking, Password, Phishing, Security, Smart Card.

1 Introduction

Performing financial transactions via an online connection to a bank or other financial institution is cheaper and faster than conventional means of conducting business. Yet despite the obvious advantages, there is still a reluctance to use it as the primary method of conducting business because of the risks associated with it. Consequently, banks are introducing new safety mechanisms to prevent attacks and increase trust. Besides the usual methods, additional ones are applied for authentication. As the voice of European IT practitioners, the CEPIS Legal and Security Experts Group is concerned that the use of security technology does not increase security but makes services less appealing to use. On the other hand, alternative approaches which could raise security for users are rarely employed, if at all. Based on these findings, CEPIS strongly recommends that unnecessarily complex or cumbersome security technologies should not be applied. A cost-benefit analysis should be performed to assess the effectiveness of protection and the trade-offs for all parties involved.

2 Authentication Approaches

The supply of online banking is increasing. Because banking activities are highly sensitive, higher security standards are required. In order to increase security, banks employ two-factor authentication, which involves something the user knows (e.g. password, PIN) and something the user has (e.g. smart card, other hardware token). Although the actual application may vary, most banks use the second authentication factor (a token that the user possesses).

The types of authentication schemes can be classified as follows:

a one-time password approach;
a certificate-based approach;
a timer-based (short) password approach;
a certificate - smart card based approach.

Authors

The CEPIS Legal and Security Special Interest Network (LSI SIN) is an experts group within CEPIS comprising individuals from several Computer Societies across Europe. It is chaired by Professor Kai Rannenberg, from the Institute of Business Informatics at the Goethe University, Frankfurt (Germany). The group's Secretary and main editor of this statement is Marko Hölbl from the Faculty of Electrical Engineering and Computer Science, University of Maribor (Slovenia). For more information please contact: Fiona Fanning, Policy and Communication Executive <[email protected]>.

The above approaches have their advantages and disadvantages. The trade-offs are often in the following areas:

resistance against attacks;
costs for the bank and/or the customer;
ease of use;
flexibility.

The approaches and their advantages are discussed in the CEPIS background paper. While the goal is to find a solution that is best in all dimensions, in most situations a prudent way to deal with the trade-offs is needed.

3 Trade-offs and How to Deal with Them

A typical trade-off is between the one-time password approach and the smart card approach. The one-time password approach is cheaper and less demanding, while the smart card approach is more robust against attacks. In this situation, a risk analysis must be carried out and a choice offered so that users can select the method that fits their preferences for potential risk and other factors.

4 Concerns

We recognise the dangers related to online banking. While some degree of imperfection will always exist, we are more concerned about the use of methods that do not improve security but make services harder to use. Some security measures do not raise the security level and only give an erroneous impression of security, while alternative approaches that could increase security are rarely used or not at all.

Consequently, we have serious concerns:

1. The tendency to use complex and error-prone security measures that do not provide any security improvement is an unnecessary burden that will discourage or prevent users from easily adopting electronic business in general; this conflicts with the European Union's goals for a common electronic marketplace.

2. Unfavourable media coverage of security measures may damage the reputation of all security endeavours, resulting in consumers' loss of confidence and trust in security technologies. Such distrust is damaging as it makes it more difficult to react efficiently to new security threats.

3. We are concerned about unprofessional behaviour demonstrated by not fixing evident shortcomings. We are worried about the damage that such behaviour might cause to the public's view of the ICT profession's reputation.

5 Recommendations

Recognising the importance of online access as one of the vehicles for the development of cheaper, faster and more reliable services, we have identified areas of improvement where all parties involved should endeavour to deploy services without unnecessary or excessive risks. Based on the findings of our professional working party, CEPIS has formulated recommendations to four groups of stakeholders, namely:

1. Banks and other financial institutions and organisations;
2. governments and regulators;
3. professionals;
4. customers.

5.1 Recommendations to Banks and Other Financial Institutions and Organisations

We strongly recommend that unnecessarily complex or forbidding security technologies should not be used. Instead, a cost-benefit analysis, covering primarily the following points, should be carried out:

1. An assessment of the effectiveness of a planned protection compared to the existing one;

2. An assessment of burdens for all the involved parties.

Customers should be informed of the risks, existing security measures and of their rights in case of fraud. Banks should inform their customers of their rights and of the help available to compensate for their loss in an easy-to-understand manner, such as e.g. air travellers have in all EU airports. Customers should also be given the choice of different methods for authentication and be able to select a system that matches their approach to risk and their preferences.

Financial institutions and organizations should inform their customers that security measures on their computers are vital for secure online banking and that security must be constantly maintained.

In case of fraud, the bank should offer all possible assistance to the affected party, especially as the capabilities of a bank considerably exceed those of a citizen.

No practitioner should be considered as qualified to work for a bank or to provide services to a bank without being a member of a professional association that has adopted a code of ethics.

5.2 Recommendations to Governments

Where existing laws are not sufficient, legislation should be put in place to protect customers in cases of online banking fraud and to compensate for customers' losses in proportion to the adequacy of the bank's security measures.

Customers should not be the only ones to carry the burden of the consequences of criminal acts related to online banking, especially if such acts are facilitated by (insufficient) bank security measures.

Legal obligations should be put in place to inform customers of existing security measures and of their rights in cases of fraud.

5.3 Recommendations to Professionals

We encourage professionals to uncover the problems of inadequate security technologies and work towards fixing these problems.

Professionals should decline to provide their services to banks in certain cases, for example when the cost of bank transactions is not transparent, transactions are vulnerable and when there is a possibility of personal data being disclosed.

5.4 Recommendations to Customers

Customers are encouraged to enquire about security measures and to read the small print of the conditions of services. They are encouraged to consider the security of their electronic transactions when choosing the bank, not simply to opt for the cheapest offer or for the most aggressive marketing campaign.

Customers should continuously maintain the security of their computers in order to support secure online banking.