CIO Canada –
The journey began in 2005, when the Ontario Municipal Employees Retirement System (OMERS) engaged us as an adviser to assist them in defining their governance model. This included the roles and responsibilities of IT staff as well as the outsourcing vendor for key ITIL (Information Technology Infrastructure Library) service support processes.
They were trying to address some operational process gaps between IT and the outsourcing vendor. Concurrently, OMERS was implementing other initiatives, such as CMMI (Capability Maturity Model Integration), for the application development team and the PMO (Project Management Office), to evolve their current process maturity and efficiency. In 2007, a subsequent need to implement IT controls and enhance the IT governance framework was identified to address corporate governance needs as well as provide a common language for internal and external audit groups. COBIT was selected to address this latest need, as it provided a generally accepted internal control framework for IT governance.
COBIT (Control Objectives for Information and Related Technology) is an IT governance and control framework that provides leading practices across four domains and 34 processes. IT governance "consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives."
The COBIT implementation at OMERS not only defined the organizational structures, processes, and controls, but also provided a management tool for IT to monitor performance against targets (enforcing the framework) and executive reporting to the board and C-level suite.
Renga Ramasawmy, vice-president, information technology operations at OMERS, oversaw the project from the beginning and was there to reap the benefits.
"The biggest impact was the efficiency gains achieved on internal and external audits, and IT controls reviews," says Ramasawmy. "We have also achieved better clarity of roles and responsibilities, and efficient executive reporting to provide greater transparency to IT performance."
This project spanned three phases:
* Enhancement of the governance framework using the COBIT Plan and Organize, and Acquire and Implement domain processes. This included defining roles and responsibilities using RACI charts (Responsible/Accountable/Consulted/Informed). In addition, processes were further defined in detail through the use of SOPs (Standard Operating Procedures).
* Documentation of the IT internal controls in the following areas: Change Management, Problem Management, Ensuring System Security, and Service Desk and Incident Management. Test scripts were developed and used for self-tests. Any deficiencies found were remediated. As a result of using the test scripts, the external audit review of IT controls ran much more efficiently and IT passed with no findings.
* Enhancement of the governance framework with the remaining domain processes: Monitor and Evaluate, and Deliver and Support.
As part of the governance framework enhancement process, action plans were put in place to close any gaps noted between the current state and the framework, and to address the results generated from the tests of the new control framework.
Once the governance framework and internal controls were in place, OMERS embarked on an exercise to define their performance measures and KPIs. As stated in the COBIT 4.1 Executive Summary and Framework, "Performance measurement is essential for IT governance." An IT Balanced Scorecard was designed to measure IT performance against strategic initiatives and targets. The measurements were based on their IT strategy, management's view, COBIT measurements, and the Norton/Kaplan Balanced Scorecard approach. The IT Balanced Scorecard covers seven perspectives: Employee Engagement; Operational Excellence (operations, asset, change, and problem management); Financial; Client Satisfaction; Security; Project; and Enterprise Initiatives. There is an average of three measurements within each category. For example, under the Financial category, there is a measure to track the distribution of project budgeted costs in the IT portfolio in three classifications: Run the business, Grow the business, and Transform the business.
Targets were assigned to most of the measurements, where applicable. Some measurements did not have a target assigned because they are used for trending. In addition, red, yellow, and green ranges were defined.
Strategic initiatives are tracked in the Enterprise Initiatives perspective, which highlights IT's contribution to strategic initiatives; for example, the portal initiative would track the number of users accessing the portal, functionalities offered, and availability. The IT Balanced Scorecard has a drill-down capability so that management and executives can see the broader picture and look more deeply into any specific area.
Ramasawmy expects the IT Balanced Scorecard to evolve over the years, especially when strategies are updated: "I think we need to keep our governance framework current and when the time comes to plan our new strategy, we will enhance the linkage to the scorecard," he said. "We have already discussed increasing the level of automation related to the performance measures and have them tracked dynamically with limited manual intervention."
Since the IT strategy existed before the Scorecard, it was challenging to directly link IT goals to metrics. As a result, a bottom-up approach was used to choose some common measurements linked to the IT goals; more measurements were added on as the picture started getting clearer and then rolled up into either an index or a higher level measurement.
There are many benefits to having a sound IT governance and control framework in place, as well as a measurement system. These benefits include executive reporting to demonstrate IT performance against goals and strategy, business alignment and greater transparency, clear ownership and responsibilities, efficient processes and use of resources, risk management, and reduced compliance cost.
"Once the IT Balanced Scorecard is published, the metrics will be transparent, highlighting the priorities, and IT staff reporting on these metrics will become more accountable. This will focus everyone's energy in the same direction and steer the ship towards the destination," says Ramasawmy.
Keeping the framework up to date, especially after organizational changes, can be time-consuming.
Lessons learned for CIOs
There are many frameworks available to IT organizations, and it is very difficult to select the appropriate one for your organization. COBIT is a good governance umbrella framework that integrates with other good practices, such as ITIL, CMMI, and PMBOK. There is mapping documentation that links COBIT to these frameworks, making it easier to integrate.
Ramasawmy recognizes that framework implementation projects take time for the organization to absorb: "I would caution CIOs to take practical steps in order to achieve outcomes early on in the implementation of process frameworks and plan for the appropriate amount of time required for the changes to be adopted as you undertake your journey. Bite the modules in small chunks as we did. As you begin with implementation, you will need to be diligent in remediating gaps that are identified or making changes to processes that are required."