
Adapting IT Governance for Today’s IT Solutions Kerry Litten, Senior Consultant

March 2011

White Paper

Contents

1. Adapting IT Governance for Today’s IT Solutions

2. Why IT governance needs to change

3. Making decisions about external services

3.1 Performance Measurement

3.2 Resource Management

3.3 Value Delivery

3.4 Strategic Alignment

3.5 Risk Management

4. How to adapt the IT governance framework

5. Conclusion


1. Adapting IT Governance for Today’s IT Solutions

Introduction

Effective IT governance plays a vital role in enabling organisations to maximise the business value delivered by IT, improving alignment between IT services and business needs, and ensuring that IT-related risks are visible and effectively managed. The IT solutions that underpin the delivery of business services are changing, with increasing reliance on external service providers to supplement the capabilities of the in-house IT function. This is a trend that looks set to continue, as the growing interest in cloud computing services shows. Organisations are recognising the advantages of such services and naturally want to get the benefits of using them. However, governance presents a new challenge that needs to be overcome before the benefits can be fully realised.

This paper explores the differences between in-house provision and the use of external services from a governance perspective, and suggests ways in which IT governance structures and activities need to be adapted in order to remain effective.

Definition of IT Governance

IT governance can be defined as:*

• The process of deciding what IT should do in terms of prioritisation of requirements for new or changed:

- IT infrastructure (includes physical infrastructure, staff and services from external providers)

- Business applications

• Maintaining the context in which these decisions are made.

- IT principles, e.g. information security, regulatory compliance

- IT architecture (organising logic for data, applications and infrastructure)

• Allocating resources (primarily money and staff time, but also assets and facilities) to achieve the selected goals.

* Adapted from IT Governance, Peter Weill & Jeanne W. Ross, 2004, page 27

The role of IT governance in relation to the other activities that need to be performed for the delivery of IT services is shown in the following diagram:

[Figure 1 shows three layers of IT activity, from top to bottom:]

• IT Governance: decisions about IT Principles, IT Architecture, IT Infrastructure and Business Applications

• IT Service Management Processes: processes needed to maintain committed service levels

• IT Operations: operational activities

Figure 1: Hierarchy of IT activities

At the lowest level are the regular operational activities, such as backups and database maintenance that are needed to deliver IT services.

At the level above IT operations are the IT Service Management (ITSM) processes such as Incident Management. These processes are needed in order to maintain the service quality that is specified in Service Level Agreements (SLAs) and matched to business requirements. These are frequently referred to as ITIL (IT Infrastructure Library) processes because an increasing number of organisations make use of the ITIL framework of good practice for IT service management.

The role of IT governance in relation to the ITSM processes is to make the decisions which cannot be made at the individual process level, either because they require additional resources beyond those already budgeted or they affect more than one service management process.

Something that is not always recognised is that having ITIL processes is a requirement for effective IT governance, but ITIL does not provide an IT governance framework in its own right. A governance layer containing a decision-making process, structures and accountabilities is also needed, sitting above the ITSM layer.


2. Why IT governance needs to change

IT governance decisions concerning changes to the infrastructure, new or changed business applications and proposals for process improvement are for the most part made in response to proposals coming from the ITSM processes. For example, the Capacity Plan produced by the Capacity Management process contains proposals for changes to the IT infrastructure in order to respond to a need for increased (or reduced) capacity or to provide improved price/performance. Similarly, proposals for new or changed business applications come from the Service Portfolio Management process. This is shown in the following diagram:

[Figure 2 shows the three layers of Figure 1, with the following inputs flowing from the IT Service Management Processes up to IT Governance: Capacity Plan, Availability & Continuity Plans, Security Plan, New Application Request and KPI Reports.]

• IT Governance: decisions about IT Principles, IT Architecture, IT Infrastructure and Business Applications

• IT Service Management Processes: processes needed to maintain committed service levels

• IT Operations: operational activities

Figure 2: In-life governance of IT services

IT governance also receives information about the performance of service management processes performed by the IT function. Reports of Key Performance Indicators (KPIs) can be used to show which processes are working well and those that may need additional resources in order to be more effective.

The combination of process performance information and proposals for change works for activities that are performed in-house by the IT function. However, a different approach is needed when services also come from an external provider. In this case it is the provider that is performing nearly all of the service management (or ITIL) processes. The only ITIL processes that an organisation needs to perform in relation to external services are Supplier Management and Service Level Management; proposals for change and process performance information are now addressed by the IT governance process of the service provider, not the organisation using the services. In some respects this doesn’t matter. One of the main reasons for using an external service is to remove the need to perform and manage the activities involved in delivering it, but this does not mean the organisation acquiring the service can abdicate its responsibility for its governance. It is needed to ensure that services deliver good value; that they’re aligned with business needs; and that the risks involved in using them are properly managed. IT governance needs to be able to govern external services as effectively as those that are delivered in-house.

In order to decide how best to adapt IT governance to cope with external service provision, it is first necessary to understand what information about these services is required to enable organisations to make good governance decisions about their use.

3. Making decisions about external services

The IT Governance Institute defines five focus areas for the governance process. These are:

• Performance Measurement

• Resource Management

• Value Delivery

• Strategic Alignment

• Risk Management

Figure 3: IT governance focus areas

Performance Measurement provides information which is used by the governance process in its prioritisation and decision-making, as shown in the previous section. Resource Management is the activity that takes account of the resource requirements for proposed changes and allocates these resources once the decision has been made about which ones will be prioritised and approved. The other three focus areas provide the generic criteria for the decisions that the governance process must make. Let’s look at what this means in practical terms so that we can identify the information needed for externally delivered services.

3.1 Performance Measurement

Committed service levels, documented in Service Level Agreements (SLAs) should be available for external services. Reports of actual achievement against these when the service is in operation will normally be delivered by the service supplier. These provide useful information for the governance process. For example, if committed service levels are constantly missed, and the supplier does not rectify the problem, a governance decision may be taken to replace the supplier or bring that particular service back in-house.

3.2 Resource Management

The resources required for external services are usually financial in nature. However there may be costs in addition to the price of the service, for instance the need for training to provide new skills for staff. Any such costs need to be identified and included in the business case to be considered by the governance process.

3.3 Value Delivery

The two main value criteria are cost and service quality. As discussed, information on both of these should be readily available from the supplier of an external service.

3.4 Strategic Alignment

Generally speaking, the most important criteria for assessing the alignment of services with business strategy are those concerning the capability to cope with change – agility (how quickly), scalability (up and down), flexibility (change in any direction) and elasticity (changes can be easily reversed). So it is necessary to have information about these characteristics for external services.

It is also critical that this should be reviewed prior to making the decision to use a particular service. This review should include not only the capability of the supplier to change the service itself but also the flexibility of the contract with the supplier. Ideally, the contract should be designed to permit the types of changes that may be anticipated, and any costs associated with this (e.g. a price change triggered by a change in volume) should be clearly stated and agreed.


3.5 Risk Management

Risk management is an activity that is performed at two levels within the hierarchy of IT activities - within the IT Service Management processes and as part of IT governance. At the Service Management level its main focus is on operational risks, things that could cause degradation or interruption to the services delivered to end users. The two service management processes that address this are Availability Management and IT Service Continuity Management.

Risk Management at the governance level should provide oversight of the Operational Risk Management and ensure that risks are being managed in accordance with the risk appetite of the organisation. It should also address additional categories of risk, primarily Technology Risk (ensuring that new technology is deployed appropriately, neither too early nor too late) and Service Development Risk (ensuring that the capability exists to develop new and existing services in response to changing business needs). So what about risk management of externally-delivered services? Let’s look at the different risk categories in turn:

Operational Risk:

Management of operational risk to the service itself is the concern of the supplier. But how does the organisation know that the supplier is doing this effectively? Information is needed from the supplier to provide assurance that this is being done. This could include information about the operational availability of the service in the past and details of the resilience built into the service.

Technology Risk:

The risks to the external service caused by technology changes are also primarily the concern of the supplier. The choice of technology is under their control. However, the adoption of new technology by the supplier may provide the opportunity to improve the service (e.g. improved performance of storage). Therefore the attitude of the supplier to the use of new technology is something that the organisation may be interested in. This is related to the characteristic of flexibility discussed above.

Service Development Risk:

The capability to develop the existing service or to create new services in response to changing business requirements is under the control of the supplier, but it is a valid concern for the organisation. Therefore information about this is needed, for example the supplier’s track record in doing this in the past and their service development plans for the future.

In addition to these three categories of risk, the use of an external service introduces a number of completely new risks that governance needs to be aware of. These are:

• Maturity of service

• Stability of the supplier

• Service integration risk (how easy or difficult is it to integrate into the operational environment)

• Security of information

Information about all of these additional risks also needs to be obtained before the IT governance process can make an informed decision about using a particular service.

From the preceding discussion it’s clear that for many of the criteria used in making IT governance decisions, additional information is required for externally delivered services. The next question to address is how best to ensure that this information is available. What’s needed is a way to ensure that obtaining it is done as an integral part of the governance process itself. Colt proposes that this can be achieved by directly involving external service suppliers in the IT governance activities of the organisation.

4. How to adapt the IT governance framework

We use the term “IT governance framework” to refer to the IT governance process, roles and responsibilities of individuals in relation to this and the specialised organisational structures that it requires. A typical IT governance structure is shown in the diagram in Figure 4. Please note that not all organisations will have something called an Enterprise Architecture Committee or an IT Investment Committee. What they will have though will be ways of making decisions about what the enterprise architecture should be (the business processes and the IT systems and services that support them) and what IT investments should be made. In some cases these decisions may be made by single individuals but it is likely that there will be some involvement of a defined group of individuals and in some organisations this will be formalised as a structure. Whether it is a formal structure or not however, the decisions still need to be informed by additional information when they concern external services.

[Figure 4 shows two committees and the flows between them:]

• Enterprise Architecture Committee: receives Requests for Exceptions or Changes to IT or Business Process Architecture, and passes Approved Exceptions or Changes to IT or Business Process Architecture to the IT Investment Committee

• IT Investment Committee: receives the Capacity Plan, Availability & Continuity Plans, Security Plan and Internal Service Improvement Plans from the ITSM processes, and makes Resource Allocation Decisions

Figure 4: A typical IT governance structure


The Enterprise Architecture Committee (EAC) is accountable for documenting the architecture and reviewing requests for changes and any exceptions (non-compliant changes to the infrastructure without changing the architecture itself). The enterprise architecture comprises the IT architecture (data, applications and infrastructure) and the business process architecture. The committee is ideally made up of representatives from both IT and the business.

The IT Investment Committee is accountable for making resource allocation decisions. Decisions by the EAC to approve architecture exceptions or changes will normally go to the Investment Committee to enable them to review the resource implications before giving final approval. The Investment Committee also receives and reviews requests for resource changes from the IT service management processes in the form of the Capacity Plan, Availability Plan etc.

This structure works well for governing IT activities that are performed in-house, using IT assets that are owned by the organisation.

The following diagram shows the proposed adaptation of the structure and roles designed to effectively handle externally-delivered services in addition to work done in-house:

[Figure 5 shows the structure of Figure 4 with three changes, numbered 1 to 3 in the diagram:]

• Enterprise Architecture Committee (internal & service provider members): receives New/Changed External Service Requests as well as Requests for Exceptions or Changes to IT or Business Process Architecture, and passes Approved New/Changed External Services and Approved Exceptions or Changes to IT or Business Process Architecture to the IT Investment Committee

• IT Investment Committee (service provider invited to attend specific meetings): receives the Capacity Plan, Availability & Continuity Plans, Security Plan and Internal Service Improvement Plans, and makes Resource Allocation Decisions

Figure 5: Adapted IT governance framework

There are three significant changes:

Requests for all new or changed external services go to the EAC

Services delivered by an external provider need to be governed. As we have seen, additional information needs to be gathered in order to enable the effect of new or changed services on strategic alignment and risk to be assessed to support governance decisions. We propose that the EAC is ideally placed to do this assessment. Its members include specialists who understand the IT architecture and the way that external services could/should interact with it. The EAC already assesses the other types of requests that it receives and passes its recommendations to the Investment Committee. Requests for new or changed external services would be handled in exactly the same way.

Service provider (supplier) members on the EAC

Individuals with in-depth knowledge of external services will need to be involved in the assessment process in order for it to be effective. It is therefore proposed that technical specialists from the suppliers of external services should be requested to join the EAC. This will enable the representatives to be made responsible for providing all of the additional information required for a proper assessment. Instead of technical staff having to devote time and effort to gathering the information it will now be automatically available, together with a specialist from the supplier who can debate its implications with other members.

If your organisation doesn’t have an Enterprise Architecture Committee or similar structure, Colt can help you set this up to ensure you have the capability to fully assess the interaction between Colt services and the other components of your architecture. If you also use IT services from other providers, we would be more than happy to invite their participation too. Our goal is to help you get the best value from the services that we deliver, and we can only do this in a forum that takes the whole of your architecture into account.

Service provider (supplier) representatives attend meetings of the Investment Committee

There are certain types of external service for which it would be beneficial to have representation from the service provider at meetings of the Investment Committee. These are when IT governance decisions taken by the organisation could also have a cost or resource impact on the supplier and vice versa. This situation exists with services provided by an external supplier which depend on assets such as IT infrastructure owned by the organisation. For example new technology might become available that if deployed would provide operational benefits to the service provider by reducing the staff time they would need to deliver the service. In this case there are inter-dependent resource management decisions to be made by the organisation and the service provider. Having an appropriately empowered representative from the service provider attend the meeting of the Investment Committee would enable these types of decisions to be made quickly and efficiently.

5. Conclusion

With IT solutions increasingly comprising a combination of in-house capabilities and services delivered by external providers, it is necessary to explore ways to make sure that IT governance is still effective. If this is not done, the use of external services could have unexpected and undesirable effects such as a reduction in the flexibility of IT services delivered to users and an increase in risk.

This paper proposes a simple approach which would result in no increase in the cost or effort of running the IT governance process. Where significant components of IT solutions are provided by external suppliers, the effectiveness of governance can be maintained by directly involving the suppliers themselves. All that is needed are some simple adjustments to the governance framework and the willingness of the suppliers to participate. In fact, if this approach is followed, willingness to participate should become one of the criteria for selecting an external service provider to work with.

At Colt, we are always seeking ways to help our customers get the best possible value from the services that we provide. As a result, we are very keen to support their IT governance processes in the ways that we have described.

Today, 35,000+ customers benefit from Colt’s solutions and services. As a Colt customer you too will have a trusted advisor to help you master the complexity of your IT environment. You’ll be able to migrate to affordable, adaptable solutions at your own pace without losing control over your business assets and processes. We’ll give you all the visibility you need to optimise IT, control costs and manage risk effectively. You’ll be able to respond rapidly to changing business needs, helping your business take advantage of market opportunities as they develop.

To arrange a consultation or discuss what Colt’s IT Managed Services can do for your business, email us at [email protected], call us on +44 (0)20 7863 5917 or visit our website: www.colt.net/managedservices

About Colt

Colt is Europe’s information delivery platform, enabling its customers to share, process and store their vital business information. Colt provides major organisations, midsize businesses and wholesale customers with a powerful resource that combines network and IT infrastructure with expertise in IT managed services, networking and communication solutions. Colt operates a 13-country, 25,000km network that includes metropolitan area networks in 34 major European cities with direct fibre connections into 17,000 buildings and 19 Colt data centres.

For more information about Colt’s IT Managed Services please visit www.colt.net/managedservices or email [email protected]

© 2011 Colt Technology Services Group Limited. The Colt name and logos are trade marks. All rights reserved. March 2011