Purpose:

Identifies the roles, responsibilities, and processes for governing the portfolio management process.

Objective:

Identifies the responsibilities of individuals, specifies the processes to follow, and sets down principles and policies to eliminate ambiguity.

Description:

Conflict and competition drive each business unit to its peak performance. However, unrecognized or poorly managed conflict will lead a company into disarray. Governance is foremost a process designed to resolve ambiguity, manage short and long-range goals, and mitigate conflict within a company and between divisions, business units, and corporate. IT governance is a systematic relationship between information policy, processes, and people enacted to enable the freedom of thinking (innovation), decision making, and action (initiative) without compromising the overall objectives of the company. It defines and mandates the parameters (e.g., aligning IT activities to business objectives, setting cost and risk thresholds, and providing IT value goals) within which individual employees are given freedom and autonomy to react to their marketplace and customers while maintaining consistency with the business policies that drive the company.

IT governance serves the primary role of focusing IT efforts and resources on high value-added support of the business, on the application of best practices, and on reuse, while keeping the company out of low value-added investments. Enterprise governance must establish policy that articulates the guidelines within which expected behaviors occur, defines the processes, and defines and delegates responsibility and accountability for operating the business accordingly. IT governance has two primary functions:

    1. Policy development (structure): policy must articulate the guidelines within which expected behaviors occur, with the intent of directing the enterprise toward an acceptable level of commonality.
    2. Policy compliance (process): after policy is established (i.e., reviewed and agreed upon in the level of formality warranted for a particular company), governance is responsible for providing the means (controls and checks) to ensure compliance with established policy. This includes defining, communicating, gaining agreement upon, and applying the consequences of noncompliance.

There is a strong relationship and dependency between IT governance and IT portfolio management. The criteria used to evaluate IT investments in the IT portfolio are derived from many of the policies and principles created and approved by governance bodies. Conversely, IT portfolio management provides the framework, language, and tools to support IT governance. IT portfolio management provides the analysis and a common taxonomy between business and IT so that governance bodies can communicate and mutually understand how investments are aligned, balanced, and managed across the company. Quantification of risks, costs, value, and performance, shown in views that speak to the issues of concern to members of the governing bodies, dissipates many of the political biases in the decision-making process. Because IT portfolio management ensures consistency in the process of making decisions, clearly delineated criteria allow the decision to proceed with or halt an investment to be made rapidly. In addition, IT portfolio management provides the framework for governing bodies to save money by scrutinizing IT investments and eliminating nonstrategic and poorly performing investments.

The increasing requirements on corporate governance brought on by Sarbanes-Oxley and other legislation have a direct impact on both the importance and the specificity of IT governance. This chapter articulates the importance of the role of people, policies, and principles in IT governance. It describes the relationship between IT governance and IT portfolio management.

Entrance Criteria:

  • Create Policy Development
  • Create Policy Compliance

Exit Criteria:

  • Policy Development Implemented
  • Policy Compliance Implemented

Process and Procedures:

Tailoring Guidelines:

  • None

Process Verification Record(s):

  • <?>
    • Stored By: <?>

Measure(s):

Strategic decision-making model for IT is effective and aligned with the enterprise’s internal and external environment and stakeholder requirements.

    • Actual vs. target cycle time for key decisions
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Level of stakeholder satisfaction (measured through surveys)
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

The governance system for IT is embedded in the enterprise.

    • Number of roles, responsibilities and authorities that are defined, assigned and accepted by appropriate business and IT management
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Degree by which agreed-on governance principles for IT are evidenced in processes and practices (percentage of processes and practices with clear traceability to principles)
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of instances of non-compliance with ethical and professional behaviour guidelines
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Assurance is obtained that the governance system for IT is operating effectively.

    • Frequency of independent reviews of governance of IT
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Frequency of governance of IT reporting to the executive committee and board
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of governance of IT issues reported
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

The enterprise is securing optimal value from its portfolio of approved IT-enabled initiatives, services and assets.

    • Level of executive management satisfaction with IT’s value delivery and cost
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Deviation between target and actual investment mix
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Level of stakeholder satisfaction with the enterprise’s ability to obtain value from IT-enabled initiatives
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Optimal value is derived from IT investment through effective value management practices in the enterprise.

    • Number of incidents that occur due to actual or attempted circumvention of established value management principles and practices
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of IT initiatives in the overall portfolio where value is being managed through the full life cycle
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Individual IT-enabled investments contribute optimal value.

    • Level of stakeholder satisfaction with progress towards identified goals, with value delivery based on surveys
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of expected value realized
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Risk thresholds are defined and communicated and key IT-related risk is known.

    • Level of alignment between IT risk and enterprise risk
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of potential IT risks identified and managed
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Refreshment rate of risk factor evaluation
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

The enterprise is managing critical IT-related enterprise risk effectively and efficiently.

    • Percent of enterprise projects that consider IT risk
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of IT risk action plans executed on time
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of critical risk that has been effectively mitigated
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.

    • Level of unexpected enterprise impact
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of IT risk that exceeds enterprise risk tolerance
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

The resource needs of the enterprise are met with optimal capabilities.

    • Level of stakeholder feedback on resource optimization
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of benefits (e.g., cost savings) achieved through optimal utilization of resources
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of deviations from the resource plan and enterprise architecture strategies
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Resources are allocated to best meet enterprise priorities within budget constraints.

    • Number of deviations from, and exceptions to, resource management principles
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of projects with appropriate resource allocations
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Optimal use of resources is achieved throughout their full economic life cycles.

    • Percent of re-use of architecture components
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of projects and programs with a medium- or high-risk status due to resource management issues
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of resource management performance targets realized
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Stakeholder reporting is in line with stakeholder requirements.

    • Date of last revision to reporting requirements
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of stakeholders covered in reporting requirements
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Reporting is complete, timely and accurate.

    • Percent of reports that are not delivered on time
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Percent of reports containing inaccuracies
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

Communication is effective and stakeholders are satisfied.

    • Level of stakeholder satisfaction with reporting
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>
    • Number of breaches of mandatory reporting requirements
      • Maintained By: <?>
      • Submitted By: <?>
      • Frequency of Submission: <?>

References & Related Standards:

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • ISO/IEC 31000, framework for Risk Management
  • ISO/IEC 38500
  • King III
    • 5.1. The board should be responsible for information technology (IT) governance.
    • 5.2. IT should be aligned with the performance and sustainability objectives of the company.
    • 5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework.
    • 5.4. The board should monitor and evaluate significant IT investments and expenditure.
    • 5.5. IT should form an integral part of the company’s risk management.
    • 5.6. The board should ensure that information assets are managed effectively.
    • 5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities.
  • Organization for Economic Co-operation and Development (OECD)
  • The Open Group Architecture Forum (TOGAF) 9, the TOGAF components of an Architecture Board, Architecture Governance and Architecture Maturity Models map to resource optimization.