Dominique has more than 10 years’ experience in strategic and operational consulting. He has led numerous missions for large companies and public agencies.
Since 2004, he is Bull representative within the eCots (Components off-the-shelf) consortium, the objective of which is to accelerate the adoption of off-the-shelf components.
Information systems governance is an increasingly hot topic for IT Directors faced with constant demands to achieve tighter control and better performance. But putting aside the theory, implementing ‘best practices’, the cornerstone of any governance initiative, is a very real, practical issue. Experience gained from a number of early projects has helped us identify a number of golden rules. Measuring the gaps between existing and target scenarios, moving forward step by step, bringing together everyone involved, communicating, and keeping everyday operations going are some of the practices essential to optimize and align IT with the company’s business needs and strategy.
Over the last few years, much has been said and written on the subject of information systems governance. And IT managers have become more aware of how important it is to take IT governance into consideration. With mounting pressure from regulatory bodies and shareholders to ensure greater control and increased transparency, notably so as to be able to assess whether strategy is adequately backed by appropriate resources and risk management, IT Directors must also increasingly be able to demonstrate good management practice, and justify the value of information systems by showing how they contribute to creating value for the organization.
The answer to this emerging issue is, of course, governance; underpinned by close adherence to best practices libraries such as COBIT, ITIL, CMMI, ISO 17799 and others. There are plenty of tools and methodologies, each of them being adapted to different areas of the information system (for example IT production (ITIL), the development lifecycle (CMMI) or IT security (ISO 17799), or to particular sectorial domains. However, while they are today widely known, they do not explain how to implement good practices (often internal to IT management) in a more global governance project involving all the organization, the IS department of course, but also users, the finance department, and business units. Even before they embark on a governance initiative, IT managers are faced with a complex set of questions: Which of the various libraries to choose? Should you consider deploying more than one solution or try to adapt one of them to ‘fit’ your particular configuration? How do they interact? How can they be adapted to the organization’s existing culture and practices? Where do you start, and then where do you go next?
Learning points from the experiences of some early IT governance projects do provide some concrete answers to some of these questions. Of course, the most successful projects have highlighted areas of best practice that others can follow; but other projects that proved less successful also provide equally useful pointers.
Looking, for example, at the case of a governance project for an organization that had to merge two different information systems: the first phase was dedicated to establishing a CMMI (Capability Maturity Model® Integration) repository. The contracting authority allocated a budget for implementing the chosen repository, and then when the budget was not renewed the second year, the users naturally reverted to their old habits and practices. Why? The project’s objective was essentially theoretical, without any adaptation to the precise context of the merger, and without any precise objective in terms of the value to be attained.
This highlights four key points which could be seen as determining factors for the success of any governance project: measuring the gap between existing practices and good practices you want to introduce, moving forward step-by-step, bringing all those involved in the project together, and ensuring operational continuity throughout the deployment.
1. Measuring the gap between existing and good practices
Once an organization has decided to implement a program of good practices, they rarely start with a blank sheet of paper. Sometimes teams have been operating for years following their own methods, habits and culture, and have more often than not already proved their effectiveness and their competence. So, before overturning existing practices, it is vital to start by evaluating the differences between the current and the new ones you want to put in place. Doing this allows the implementer to identify any areas of sensitivity before they start, and to gauge how fast the project can proceed, as well as to identify the areas that stand to benefit the most from the implementation, so they can be treated as a priority.
A good example is an organization that asked a round-the-clock maintenance service, with a one-hour guarantee of system recovery. Before agreeing to this level of service, the supplier in turn requested an assurance that the customer would make available the necessary resources: for example, appropriate service contracts with the contracting authority and quality guarantees. In this instance, by assessing what was lacking in terms of good practice, the IT Department was then able to deploy ITIL, establish the relevant performance indicators, and so to allocate the resources needed to improve performance.
2. Progressing step-by-step
The idea that one can completely overhaul all practices in one go is illusory. In any software development project, nobody would ever launch straight into years of writing specifications in order to create a single, giant system capable of meeting every possible requirement. The same goes for instigating best practice: you have to start with precise points of interest, not be too ambitious, and so gradually demonstrate that the initiative is well founded and create momentum around the project.
For example, the deployment of CMMI for the team responsible for preliminary analyses or project proposals must clearly cover the crucial steps of qualification, pre-production and production, and must also involve the production teams themselves. The delicate pre-production phases can be monitored much more effectively in this way. This in itself can prove to be a real revolution in some organizations, but is also just the kind of concrete action that is likely to demonstrate to all concerned the real difference good practice can make, acting as a precedent that can be built on in the future.
3. Bringing everyone involved together
Another example: a new IT Director seeking to implement COBIT requested a group of consultants defining their project to comply with COBIT, but without affiliating the other parts of the organization. Six months later, this approach had provoked an internal revolt, and the project was ultimately abandoned.
This example underlines just how vital it is for any IT governance initiative to involve all the players, drawing on their experience to find ways of optimizing what they are doing to fit the context of the enterprise, and with reference to experiences achieved in similar organizations. This desire to mobilize everybody around the project should also result in a more effective integration of the human dimension as part of the overall transformation. Valorizing both experiences and know-how enables better control for the change, and an indispensable adhesion to the project.
Another essential requirement for any successful governance project is a sponsor. All IT governance projects definitely require a high-level sponsor, often from the organization’s senior executive team, notably to arbitrate in the event of disputes. Meanwhile, the IT Director remains responsible for leading the project and convincing potential sponsors, using business-oriented arguments, of the project’s relevance.
4. Ensuring operational continuity during the transformation
In the United States, we’re hearing more and more about ‘sustainable governance’. A pleonasm? Not really, because far too many governance projects have delimiting timescales. However, there are at least three good reasons for governance programs to run in parallel with an ongoing business activity.
In the first place, implementing good practices must be done iteratively. Indeed, it is only by making continuous refinements that the enterprise – its people, culture and organization – and the new methods that one is trying to instigate can finally be perfectly aligned. This optimization of processes not only takes time, but must be anticipated, organized and resourced. In the case of CMMI, for example, skipping a level is simply not on, and each successive stage has to be accomplished before you can access the following one.
The second reason for continuous working throughout is the point used to illustrate our very first example: any change brought about by new practices must not simply be accepted, it must be fully integrated. This demands time and support, training and information, and in particular explanations backed by figures. Which brings us to the third reason…
A best practice can clearly only be established over a period of time, but its constituent phases need sign posting along the way. While the tangible benefits of shorter development cycles or the putting in place of performance indicators can only really be measured with the passage of time, the project must also enable rapid and concrete progress. A consistent focus and an open-minded attitude are essential if the virtuous circle of governance can finally be established.
Measuring the discrepancy between proposed and existing practices, moving forward step-by-step, involving all players, and continuity throughout the initiative are some of the key practices for a successful governance project. Because governance is really a practical undertaking that needs to be managed like any other project, while at the same time keeping an eye firmly on the organization’s strategic objectives. There are no perfect tools for the job, nor any universally applicable rules, because above all it is vital to respect and align with the specific context of the enterprise involved. It is on this one condition that methodologies can be the drivers for real optimization of processes and will facilitate the implementation of good IT governance practices in the enterprise.