
More Thoughts on PO1.3 (Assessment…)

Reader Vincent asked, “PO1.3 is very high level to me, I wonder if there is any example(s) of acceptable implementation”

I initially started answering in email but the response turned into a bit of a post so I figured I would post the response here instead:


I’ll try with a simple example. One of the functions we provide in IT is an internal level 1 service desk. This group resolves a lot of issues and then escalates what they can’t resolve. We have a number of SLAs defined for this team including items like first call closure rate, time for initial response based on urgency, etc. Our current SLA for first call closure rate is 70% and we are currently running at 60%. When I built our 2008 strategic plan I used 60% as the assessment of our performance. This team is part of the operations group, or the “keep the lights on” team.

Similarly, we only completed 30% of projects on time. When we consider the projects the business would like us to engage on in 2008 we must be realistic about this number, assess the performance and use that as the baseline on which to build our plan. A key component of our 2008 plan is to improve in this area to 60%, which is still not as high as I would like, but a significant improvement.

Don’t make this more complicated than you need to - PO1.3 means to take an honest assessment of your performance and make sure to account for it in your planning.

Bill

PO1.4 IT Strategic Plan

CobiT definition:

Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise’s
strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services
and IT assets. IT should define how the objectives will be met, the measurements to be used and the procedures to obtain formal
sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy,
acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow for the
definition of tactical IT plans.

Bill says,

This control objective represents the meat of the Define a Strategic IT Plan process. It’s the actual creation of the plan. So far our control objectives have had us ensure we are properly accounting for the value IT is bringing to the business, create processes that help foster business-IT alignment, assess IT’s current capabilities and establish baselines on how IT is performing those capabilities. Now we roll all of that together and create the plan.

You will note that CobiT does not define the form of the plan nor offer many particular details for how you go about actually creating it. That will be business and manager specific. Remember, CobiT is a framework that helps tell you what you should be doing, not how you should be doing it. Creating an IT Strategic Plan is important - how you do it is up to you.

For me, there are a number of very important points captured above. First is that “co-operation with relevant stakeholders”, while extremely important, is also very difficult to pull off. Ultimately the stakeholders for your services will be everyone in the company. On a project by project basis they will need to be involved, but at the level where you are creating a strategic plan you really aren’t involving stakeholders per se, but instead working with Senior Management of the company. The details will have to be fleshed out in the tactical plans and projects.

Second, it is very important to define the measurements in the Strategic Plan. Good plans do this - bad plans do not, and force project managers or other management later to come up with high level measurements. If baselines are established those should feed directly to measurements within the strategic plan.

Finally, a strategic plan needs to be detailed enough so that specific tactical plans can be created with a degree of accuracy. I have seen strategic plans that are so high-level you really have no idea what they hope to accomplish. Put the details in so that everyone can understand what needs to be done.

So the fourth step in building the Strategic IT Plan is to actually create the strategic plan, ensuring that it is sufficiently detailed so that tactical plans can be derived from it.

PO1.3 Assessment of Current Capability and Performance

CobiT definition:

Assess the current capability and performance of solution and service delivery to establish a baseline against which future
requirements can be compared. Define performance in terms of IT’s contribution to business objectives, functionality, stability,
complexity, costs, strengths and weaknesses.

Bill says,

Baselines are always important. In IT it is particularly important to measure the baseline from the perspective of what it takes to “keep the lights on.” That is the operational aspect of your business, without any of the projects that are driving to push the business forward.

When I measured our baseline we looked at it from three perspectives - the basic “keep the lights on”, the continuous improvement and the new business drivers. It’s important to properly budget for keeping the lights on and continuous improvement - in my mind that is the price of admission. Then you work with the business to get funding for those special projects that help drive the business in some way, either by saving money or increasing revenue.

So the third step in building the Strategic IT Plan is to assess current capability in whatever breakdown makes sense to you and to establish baselines for how you are performing in those areas.

PO1.2 Business-IT Alignment

CobiT definition:

Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT
alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

Bill says,

Business-IT alignment is a tough nut to crack. It is very easy to allow yourself to fall into the trap of just being there to service whatever the business wants. It’s critical to get them involved in the planning, if for no other reason than that they better understand the impact when they ask for things out of cycle.

Within IT Value Management it was said that we must ensure that each project in our portfolio has a solid business case backed by the business. This control objective is about establishing the processes that ensure that is done correctly.

What is key to remember is that while for IT the concept of business-IT alignment is a hot topic that is well understood by senior managers and even line managers and staff, it is not even on the radar screen for the business units. IT is a service organization to them just like HR, for example, and unless you make a continued focus on being viewed as an asset you will never be thought of as more than a service organization.

Ensuring that the processes defined in this control objective are put in place will go a long way to helping you achieve the goal of being a strategic partner to your business.

So the second step in building the Strategic IT Plan is to establish processes that ensure the business understands the importance of alignment and that they are involved, and benefit directly from, the strategic planning process.

PO1.1 IT Value Management

CobiT definition:

Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid
business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of
freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and
early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the
programmes. IT services should be executed against equitable and enforceable service level agreements (SLAs). Accountability for
achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and
comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not
realising the expected benefits.

Bill says:

Pretty common sense - they are starting with an assumption that you may want to prove the worth of IT. So within the CobiT IT Governance Framework, IT Value Management is all about establishing that the things IT is working on are important and aligned with the goals of the business. There are some words I have taken the liberty to bold above (not bold in the original text):

Portfolio - Does Senior management understand what you are working on?  Probably not.  It is critical to maintain a portfolio to keep them aware.

Solid Business Cases - How many of you say “yes” to everything the business asks for? And regret it? Start saying “not yet” and help them craft a business case.

Accountability - Is this the project manager or the appropriate IT manager?  Is it the CIO?  Here, I would say it is the IT Manager.

Monitored - We are not good at monitoring.  We need a strong project portfolio dashboard.  Without it we depend a lot on email and it isn’t working.  Figure out how to properly monitor progress to goals.

So the first step in building the Strategic IT Plan is to properly account for the value IT is bringing to the business.

PO1 Define a Strategic IT Plan

CobiT definition:

IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT
function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios.
The strategic plan improves key stakeholders’ understanding of IT opportunities and limitations, assesses current performance,
identifies capacity and human resource requirements, and clarifies the level of investment required. The business strategy and
priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which specifies concise objectives, action plans and
tasks that are understood and accepted by both business and IT.

Control over the IT process of
Define a strategic IT plan

that satisfies the business requirement for IT of
sustaining or extending the business strategy and governance requirements whilst being transparent about benefits, costs and risks

by focusing on
incorporating IT and business management in the translation of business requirements into service offerings, and the development of strategies to deliver these services in a transparent and effective manner

is achieved by
• Engaging with business and senior management in aligning IT strategic planning with current and future business needs
• Understanding current IT capabilities
• Providing for a prioritisation scheme for the business objectives that quantifies the business requirements

and is measured by
• Percent of IT objectives in the IT strategic plan that support the strategic business plan
• Percent of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plans
• Delay between updates of IT strategic plan and updates of IT tactical plans

Control Objectives:

PO1 Define a Strategic IT Plan

PO1.1 IT Value Management
PO1.2 Business-IT Alignment
PO1.3 Assessment of Current Capability and Performance
PO1.4 IT Strategic Plan
PO1.5 IT Tactical Plans
PO1.6 IT Portfolio Management

Check out the links for details on the control objectives.
