In fact, most enterprises already have one, many, or all of these practices in place. But the crucial difference between governance and good governance is the active participation of business in demand management, prioritizing IT investments, and application-portfolio management. A good framework makes IT a true enabler of business processes.
Demand management. This step identifies and manages the demand for new IT services in the enterprise as a whole. Business units and the IT organization collectively identify modifications and additions to business processes and changes in IT systems that translate into an investment. In a mature demand-management practice, the IT organization has good insight into this process. Even so, IT seldom has input. It merely accepts new demands for IT services and, at best, augments the scope of IT services needed in building a business case.
In dynamic synchronization, identifying demand involves a rigorous, business-case-driven collaboration between the business-process owners and their IT counterparts. Their efforts should be reviewed by business heads.
At Cisco Systems, for example, business units bring a demand chart for IT investments on a pure business-case basis, with details on the potential business outcomes from the new IT investments, together with the responsibilities of the business units and IT organization, respectively. The IT organization is responsible for the on-time delivery, quality, and service-level performance of the new IT systems, whereas the business managers are held accountable for the business-process metrics outcomes. This clarity in roles and expectations helps in assessing the true impact of IT investments and in bringing out the relative business relevance of current IT commitments, as discussed in the next process in our governance framework.
Segmenting and prioritizing IT investments. Usually, the prioritization of IT investments is implicit and not transparent to the organization. In some companies, this prioritization can result in battling tactical fires, or it becomes a contest won by business managers who are louder than others in making their claims.
We believe that transparency is a prerequisite for good governance of business and IT. The three dimensions in segmenting and prioritizing IT investments are: its alignment with business strategy, the scope of the investment, and the nature of the investment—discretionary or nondiscretionary.
A business/IT council consisting of business-process owners and their IT counterparts should be responsible for segmenting and prioritizing. Often, it's the council members who get the risk capital to invest in IT for the future.
An advisory committee consisting of C-level executives should give final approval for major IT investments. However, IT or the business/IT council can make final decisions regarding smaller maintenance investments.
How should segmenting and prioritizing IT investments work in practice? The IT infrastructure—that is, the provisioning of hardware and network equipment and the associated operating systems—is the base layer on which IT platform services like E-mail, databases, and ERP systems are provided. We believe that new investments in, and changes to, the IT infrastructure and platforms are the foundation required to build sophisticated IT applications and fall under the nondiscretionary category of IT investment. However, in large organizations plagued with aging legacy applications, incremental changes demanded on these applications are also nondiscretionary. In contrast, the IT applications built on the platform to support or even define new business processes—such as new channels to enhance customer experience—exemplify discretionary IT investment.
An important decision the advisory committee needs to make is how much to spend on the discretionary and nondiscretionary segments. Several surveys on IT investments have revealed that enterprises spend more than 73% on nondiscretionary items. The reasons for this are both organizational and technical. First, as noted earlier, companies seldom have a well-defined process to proactively evaluate their IT spending. Second, the underlying IT architecture in a company burdened with legacy systems often drains the IT budget in bits of nondiscretionary changes to the legacy applications.
Forward-thinking organizations should aim to control their nondiscretionary spending to an ideal mix of 50% of the total IT investments to start with. This can be achieved by SLA-driven outsourcing of the IT infrastructure provisioning and supporting the IT platforms through third-party vendors.
But simply controlling nondiscretionary spending isn't sufficient. Prioritization of discretionary spending should be clearly linked to business strategy in terms of the business-growth areas, new business models, and the respective business processes. For example, if the business strategy articulates a new emphasis on connecting with customers, or on networking with specific suppliers on a needs basis, the proportion of discretionary investments in IT should reflect the changes in these business processes.
In prioritizing IT investments, input from the existing portfolio of applications that support operational efficiency and business innovation is important. This information needs to be captured in an application-portfolio scorecard, as we'll discuss below.
IT application-portfolio management. Although all IT resources, including infrastructure and people, can be analyzed from a portfolio perspective, we believe that the portfolio of IT applications is most important from the business/IT governance perspective because applications are the central nervous system of an enterprise.
A best practice for application-portfolio management is to develop and maintain a scorecard of applications that support innovation and efficiency mapped to current and future strategies. The applications portfolio should capture the nature of business value—that is, operational efficiency versus innovation, quality and performance of applications, sourcing choices, and the domain of business processes supported by each application—and whether the processes are core to the business strategy.
At an operational level, this scorecard should describe the health, degree of flexibility, and scalability of applications for identifying potential upgrading and phaseout opportunities. The IT portfolio should be managed and updated by the business/IT council.
A summary report of the enterprise applications should be sent to the advisory committee for review. This application scorecard can become the shared agenda for IT and business leaders to discuss how the current IT architecture is tuned to the demands of the business strategy and the performance of basic IT-infrastructure performance. In some cases, this information can also be presented to the senior business and IT managers through real-time dashboards that link to the corporate balanced scorecard.
At one large auto manufacturer, for example, business units and the IT organization identify applications portfolios based on the business functions they service—that is, HR, marketing, and so forth. Each portfolio is periodically assessed for companywide risks related to business alignment, cost of operations, and robustness of the technology platform to help make decisions on issues such as re-engineering, retiring, rehosting on different technologies, and offshoring.
The portfolio is also analyzed from time to time at the regional level. For example, an analysis of the application portfolio in a high-growth market led the automaker to move toward a consolidation of disparate CRM applications on a common ERP platform, to be supported on a shared service basis across the region. However, the HR and payroll application portfolio was left unchanged, since consolidation would have made it unwieldy to support the vastly different country regulations in the region.
Supply management. There are two distinct process components to our business/IT governance strategy. First, there's the basic process that ensures delivery of IT services once the investments are approved by the advisory committee. Second, there's the process of continuously searching for emerging technologies and evaluating how they can produce new experiences for customers and partners through novel business processes.
Once the requests for IT services are prioritized and approvals for IT investments are given, there's a need for a distinct supply-management process that includes identifying the right sourcing mechanism, technologies, and partners to ensure on-time delivery of quality systems—for example, whether to keep things in-house or outsource. This decision should be based on the strategic nature of the systems, together with time, quality, and cost considerations. If the company chooses to outsource, it must have mechanisms for evaluating, selecting, and managing vendors. Monitoring quality and service-level agreements is essential to good supply-management practice. We believe that supply management should be left to a specialist group within IT and then reviewed by the CIO.
The second aspect of educating the business on the potential opportunities of new technologies should fall to a team under the CTO. This team, with the help of other IT staffers who are knowledgeable about how the various business processes are supported, is best positioned to explore proof of concepts with new technologies for the business units.
In the case of HIP Health Plan of New York, the CTO and the IT team in the supply-management function go beyond just providing IT services in sync with business demands. Indeed, the health insurer's IT team proactively takes the lead in experimenting with new technologies and services. HIP invests 30% of its IT budget on experimentation such as introducing new customer services based on innovative use of IT.
An example of this experimentation is the development of a device to remotely monitor vital signs of high-risk patients based on a few rules-based metrics. HIP faced significant and frequent claims from patients who had to be kept in the hospital just in case they experienced symptoms of deterioration. The nurses at the hospital did routine screening of certain body-fluid measures to check on the status of the patients. If these metrics crossed the predefined safety bands, doctors on duty would attend to the patients.
In the course of scanning for new technologies, the CTO and technology team at HIP identified a small company that had piloted remote monitoring of body-fluid statistics over the wireless data networks. This technology was integrated with the customer interface business process of HIP and piloted for a few patients. The pilot proved successful and was finally adopted for several low-risk patients, reducing their hospital stays. This IT-driven innovation increased the effectiveness of service while lowering costs.
Like HIP New York, financial-services firm Charles Schwab—which serves more than 6.7 million client brokerage accounts, 541,000 corporate retirement-plan participants, and 146,000 bank accounts, for a grand total of $1.2 trillion in client assets—maintains an internal IT group that scans new technologies for their relevance to the company's business processes. This aspect of IT supply management is critical for the IT organization to proactively inform business units on new possibilities through experimentation.
Internal compliance with enterprise IT architecture and security standards. The role of business/IT governance is also to see that in searching for new business value, the team doesn't pose a risk to the organization. As noted earlier, while new technologies such as SOA may offer new degrees of flexibility, the sanctity of the architecture and security must be guarded.
The architecture and security group should offer guidance by assessing the deviations from enterprise architecture and security standards at each round of new IT investments or major changes to existing systems.
Architecture and security standards are best defined at an enterprise level and communicated to all business units to ensure compliance. The important aspects of setting and maintaining standards are planning and definition, communication, enforcement, and audits and reviews. Architecture and security standards should be the responsibility of a specialist group of architects within IT and reviewed by the CIO.
The role of IT architecture and its link with business processes is becoming increasingly important as more enterprises implement SOA and Web 2.0 technologies such as internal blogs and wikis. The IT architecture group must understand the needs of business-process owners before they define the SOA architecture. Often, we find that the granularity of services is either a level higher or a level lower than what business users want. Another issue we observe is that services are often defined either by one dominant business group or a group of IT architects, resulting in a complex fabrication of services that are narrowly defined. This often defeats the reuse objective that enterprises want to achieve using SOA.
A robust IT-governance mechanism needs to address such issues and ensure that services are at the right level of granularity and transparent in a way that permits reuse. SOA and Web 2.0 initiatives can quickly turn into freedom at the cost of chaos. However, strong IT governance, spearheaded by the IT architecture group, can help restore order. For example, at one bank using SOA to drive cross-channel integration, the IT architecture group mediates between different business-process teams to ensure internal compliance. Similarly while wikis on the enterprise intranet can be a very useful medium for collaboration, guarding this infrastructure through a sound security policy becomes critical.
Armed with a tightly crafted governance framework, IT will be best positioned to receive the leadership baton.
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
