Wednesday, August 17, 2005

Information Technology Governance—what does it Mean?

Has anyone noticed that the term “IT Governance” and its companion buzzword “transparency” seems to be getting a lot of use lately? Many of those using these terms seem to see them as a panacea for solving IT problems. While that is unlikely, the terms carry unique kinds of meaning. IT Governance, as used within the State, has had only limited focus on process and desired results. That likely needs to change.

Information technology governance deals primarily with the alignment between the business focus of agencies and IT management of the State. It highlights the importance of IT related matters in State government and suggests that strategic IT decisions are to be made by governance entities, rather than handled by the chief information officer (CIO) or other IT managers in isolation. This becomes especially important with infrastructure related activities and large IT projects.

The primary goals for information technology governance have usually been to assure that the investments in IT generate business value and the mitigation of risks associated with IT. This is usually done by implementing an organizational structure with clear roles for the responsibility for data and information, business processes, applications, and infrastructure.

There are varying levels of maturity within State government. The need for understanding the State’s business, scope and IT maturity including responsibility for strategic IT matters seems to be a pretty basic requirement. These areas do not seem well understood, let alone defined. Well defined control of IT has been described by many as the key to IT governance success.

Supporting mechanisms have been developed to guide the implementation of IT governance. Among the more important ones are:

* Control Objectives for IT (CoBIT) is an approach to standardize information technology security and control practices. This is done by providing tools to assess and measure the performance of IT processes. The IT Governance Institute (ITGI) at is responsible for CoBIT. It would seem reasonable for the State to begin structuring many of its governance designs around the CoBIT framework.

* IT Infrastructure Library (ITIL) is a detailed framework with hands-on information on how to achieve a successful governance of IT. It was developed as a framework for efficient and financially responsible use of IT resources. ITIL has a lot to offer as we begin redesigning governance structures.

* Balanced Scorecards (BSC) also provides ways to assess the organization’s performance, and have been an initiative sponsored by the Governor. This component addresses the identification and consistent measurement of key performance indicators.

Portfolio Management has been suggested by some as being the same as IT Governance. While I agree that it is an important component. It is not IT Governance. It is interesting to note that broader definitions of “governance” include the associated term “politics”. That is also a significant concern as we begin creating IT governance systems. Expensive tools rarely address political issues. I hope we take a step back as we finalize our Portfolio Management processes and consider them in a broader governance context. Governance processes need to be defined, and then tools, such as Portfolio Management need to enhance and support those processes. Tools should not define governance.

Monday, August 15, 2005

Asset Management Framework
The State maintains a variety of asset management tools that relate to IT (Information Technology) assets. These tools provide limited integration, and in many cases are manually maintained. Visibility into enterprise and agency IT assets is very limited. Little attempt has been made to address life cycle management best practices for IT assets.

An asset management framework could be designed as a comprehensive and customizable suite of application tools, data, and services to help the State integrate and manage multi-vendor and platform distributed systems, mainframes, handheld devices, software, and network and other IT resources.

Asset management includes the following aspects:

* Business Processes including procurement; asset tracking; financial information; IT capital planning; software license management; installs, moves, adds, and changes (IMAC); and ultimately, asset disposal or surplus.

* Assets which includes the ability to track all IT assets across the enterprise.

The illustration that follows illustrates a possible architectural framework for a comprehensive asset management system.

Architecture Framework Components

The framework illustrated incorporates the following technology components:

* Asset Repository provides the primary data store for asset information from a variety of backend data stores.

* User Interface includes the desktop services request component, customer order applications; help desk, and directory and authentication services.

* Directory services provide authentication, identification, and access control for all of the user interfaces and appropriate access to backend data stores as required with a single sign on methodology.

* Business Intelligence and Reporting provides analysis of all of the asset management transactions that feed the asset data repository. Business intelligence facilitates proactive management attention to asset related issues, such as requirements for upgrades, licensing compliance, etc.

* Discovery Tools gather data from DMI compliant assets such as computers and collect data on the device configuration including operating system and patch levels, and installations of licensed software. Utilization levels of software licenses are also gathered.

* Procurement information is gathered from agency systems used for ordering and procurement of IT assets.

* Billing and Chargeback Systems gather necessary license, utilization and compliance information to support accurate billing for network and related billable items.

* HR Employee Profile Data provides information to the directory store and other related data so it is possible to develop an employee profile that details IT assets assigned to any employee.

* IMAC tools address requests from employees for installation, moves, adds, and changes to IT assets.

* Customer Ordering Tools and Service Catalogs contain vendor information for master license agreements and potentially for all services available from internal service providers. This is the principal service provisioning tool for IT services and licensed products.

* Other External Data Sources include specialized agency data stores from asset management and related agency databases that may be locally used to gather asset management information within the agency.

* Financial Systems include access to required components of the financial software system that has been deployed by the enterprise plus and additional specialized financial information pertaining to IT assets that is collected and maintained by the agency.

* Help Desk Tools include help desk systems currently deployed within agencies.

* Portfolio Management (PM) Tools include an interface to the asset management repository for IT assets procured as project components within the (PM) system.

These components largely exist within the State's IT portfolio. If this model is sound it should be possible to build an Asset Management Framework with a combination of well defined business processes and data integration.

Friday, August 05, 2005

Best Practice Implementation

So many opportunities so little time. If we are given a choice where can the State get the most value? What are the “best” best practices that will deliver the greatest business value to the State? CIO Magazine, in the May 1, 2004, issue suggested some possible high value areas in terms of effectiveness and best practice utilization that could apply to the State including:

1. “Regularly use portfolio management or other project prioritization methodology.”
2. “Employ internal relationship managers/account executives to work with the business.”
3. “Regularly use project management methodologies.”
4. “Conduct regular strategic planning meetings to achieve alignment.”
5. “Conduct internal customer satisfaction surveys.”
6. “Create and use performance metrics.”
7. “Perform financial audits.”
8. “Conduct IT staff talent gap analysis.”
9. “Win and showcase IT awards.”
10. “Establish a project management office.”

If this is an effective top 10 list of things that might matter to the State, what are the implications? As an IT organization we need to:

1. Pay serious attention to the organization and implementation of portfolio and project management.

2. Establish a comprehensive strategic planning process with our agency customers.

3. Ensure that our customer relationship, and related communication processes, and supporting infrastructure are capable and well designed.

4. Be sure our financial processes are well defined and that we have appropriate controls, financial reporting, and billing, that meets the needs of customers and stakeholders.

5. Leverage the results of our comprehensive skill inventory to help our employees improve their capabilities.

6. We need to organize so we can effectively showcase our successes.

This is an interesting list of fairly high value opportunities. As we ponder organizational issues with establishing the Department of Technology Services (DTS) we should keep these areas in the forefront and not be distracted by lower value "turf" related issues that will inevitably arise.
Best Practices

There have been numerous suggestions for implementing “best practices” at the State almost as if it were some kind of Holy Grail. So what is a “best practice”?

Among the more common definitions that impact IT are some of the following:

* The processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency.

* Processes and activities that have been shown in practice to be the most effective.

* The procedures and policies that allow a business to outperform all other in a particular business process.

* Methodologies that provide beneficial results. Some best practices are general in nature and can be applied to almost every industry; other best practices are industry-specific.

The above definitions provide a few common threads that ought not to be overlooked:

1) Best practices are a reflection of defined and capable business processes.

2) Best practices are “best” in the context of the organization and in some cases may be highly specific to a business unit.

3) Best practices are results oriented and are designed to enable practical results.

As we review new “tools” to solve IT governance issues such as Portfolio Management it would seem evident that we need to focus heavily on defining our business processes and our related best practices for the State of Utah.

Business process needs to drive tool selection. A tool by itself cannot guarantee adoption or implementation of best practices in any IT area of endeavor. As someone once observed "... a fool with a tool is still a fool."

Friday, July 29, 2005

Portfolio Management

The State has been engaged in a review of portfolio management tools. While many of these tools are feature rich, few address the real issues of inadequate customer business process definition. The illustration above reflects the complexity any portfolio management tool must address in the context of overall IT service delivery. If business processes are not well defined, how well can any tool be expected to work? Imposing an expensive tool on inadequately defined processes seems to be of questionable value. So how should an organization tie down their business processes so they can benefit from the process discipline such tools provide? Is there a practical and pragmatic approach for incremental improvement without using a "sledgehammer" tool approach?