IT Governance: Business in the Driver's Seat

IT governance can be hard to define, but companies increasingly impose policies and use software tools to optimize projects, processes and assets and make sure they can audit them.

It was the late 1990s, in the busy, boom years of high tech. At The Burlington Northern and Santa Fe Railway Co., IT employees were scrambling to tackle a backlog of IT projects that had accumulated during a merger that the railroad had recently completed. The joining of the Burlington Northern and Santa Fe railroads into BNSF had necessitated an all-out effort to merge the two companies' IT systems—a huge project that IT staffers had dubbed jokingly their "mission from God." Now, however, they were playing catch-up with all of the other IT demands of the two companies—an effort that was threatening, they say, to become their "mission from hell."

"We had to ignore the other IT needs of the mere mortals in the business to get the merger done," says Jeff McIntyre, assistant vice president of technology services at Fort Worth, Texas-based BNSF. "But we knew we would have a barrage of demand afterward."

To get a handle on the projects, McIntyre and his staff deployed TeamPlay software from Primavera Software Inc. in Bala Cynwyd, Pa., to catalog all the projects and break them down into steps and required resources. That project management effort was the first stage in BNSF's eventual IT governance program.

Why Governance?

Project management is one of several IT management fields that have come together under the broad umbrella of IT governance. Today, governance includes not only project management but also change management, application life-cycle management, asset and resource management, portfolio management and, often, security management. It's essentially the comprehensive management of every component of IT operations and entails cataloging, tracking and orchestrating IT projects, processes and assets.

The reasons for implementing IT governance are as varied as the category is broad. For some organizations, IT governance is mainly driven by the need to comply with regulations like the Sarbanes-Oxley Act. It means creating audit trails and storing files in a more organized way. For others, IT governance is all about squeezing extra efficiency out of the organization and making sure that IT is supporting the most critical business needs. And for yet others, it means enforcing the company's best practices.

"It's a very broad and fuzzy topic, but basically there are four elements of IT governance," says Rob Dietrich, chief financial officer at MKS Inc. in Waterloo, Ontario. "The first is aligning IT with the strategic goals of the business. The second is effective and efficient use of resources. The third is risk management. The fourth is visibility into the overall IT operation."

Business in the Driver's Seat
Image Credit: Isabelle Cardinal

Like BNSF, many companies took their first steps into IT governance with project management initiatives and software. Over the past several years, the category has grown to incorporate a growing range of management and technology capabilities.

At BNSF, one of the forces driving the adoption of IT governance was the need to comply with Sarbanes-Oxley, which mandates openness and audit trails in financial reporting. A private audit had recommended changes to BNSF's development process, since many of the applications involved financial activities. To ensure compliance, IT managers implemented another type of tool that has become part of the IT governance portfolio—application management software. Application management products provide automated workflows and electronic sign-offs that help to enforce consistent and auditable development processes. BNSF chose tools from MKS.

Sarbanes-Oxley "certainly had an impact on the application development life cycle and the need for it to be crisply documented, with sign-offs and so forth," says McIntyre.

Defining IT Governance Applications

Many IT management applications claim to enable IT governance, mainly because there are so many IT functions that can benefit from governance.

"It is an emerging market, and vendors approach it from different angles," says Jason Bloomberg, an analyst at ZapThink LLC, an IT research and consulting firm in Waltham, Mass. An effective, full-fledged IT governance product must perform four functions, he says. "It must provide a way for management to communicate its policies. It must give rank-and-file employees a way to implement the policies. It must give management visibility into whether the policies are being followed. And it should include mitigation techniques, so if there is a problem, there is a way to fix it," he says.

IT governance applications may also support one of the major IT best practices frameworks, such as the Control Objectives for Information and Related Technology, the Committee of Sponsoring Organizations of the Treadway Commission's internal control and enterprise risk management frameworks, or the Information Technology Infrastructure Library, which publishes best practices guidelines for things such as change management, problem management and security management.

"Don't look at IT governance as just a technology solution, but as a business framework," advises Kris Lovejoy, CTO at Consul Risk Management Inc., a provider of compliance products and services in Herndon, Va.

Gaining Control

As one CIO quipped, the biggest benefit of IT governance at his organization is that "no one's gone to jail yet." There's no doubt that complying with Sarbanes-Oxley and keeping senior executives out of trouble is a key driver behind many IT governance projects. Nevertheless, the greatest operational payback often comes from improving asset and resource management, says Melinda Bailou, an analyst at IDC, an IT research firm in Framingham, Mass.

"There is a lot of politicization around resource allocation, with different groups vying for the same constrained resources," she explains. "Unfortunately, most organizations barely have an inventory of their applications."

Pittsburgh-based Highmark Blue Cross Blue Shield is a case in point. With 121 applications and some 60 million lines of Cobol and Java code, the insurance provider had a large investment in code and a good reason to want to increase component reuse.

Last year, Highmark discovered that despite the existence of a component-reuse strategy for internal software development, programmers weren't recycling code. The reason: They simply didn't know where to find these reusable components. "We have a component strategy, but we weren't getting the level of reuse we expected because people didn't have a place to go to find out what's available," says Mike Kronenwetter, vice president of technology management at Highmark.

To provide a central library of such components, Highmark bought Logidex from LogicLibrary Inc. in Pittsburgh to house and manage its software assets. "Now Logidex will be the system of record for all our development assets," says Kronenwetter.

Integris Health Inc., a not-for-profit health careorganization in Oklahoma City, also needed better oversight of its IT resources. In 1999, Integris' IT staff was stretched thin from handling tasks relating to a recent merger and was caught in a tug of war between competing business managers from the newly merged units. IT couldn't easily prioritize projects because it lacked a standard process for doing so, and IT staffers had no standard place for tracking projects and storing their project files. When someone called in sick, a replacement might spend hours trying to locate needed files and documents.

So the organization decided to consolidate all of its IT data—everything from metadata on applications and hardware to project budgets and employee time sheets—into a single database. The idea was to be able to analyze and report on related data more easily, explains Cynthia Hilterbrand, formerly director of IT business development and planning at Integris. "We wanted to get our arms around things and track and monitor all our resources and projects," she says.

Integris didn't stop with merely cataloging its data, however. Using Compuware Corp.'s Changepoint management software, the organization began tracking IT projects and tasks and defining processes for all sorts of IT activities such as purchasing equipment or handling medical records.

Automating Processes

Like asset management, process management is another area in which IT governance can provide benefits. A corporation can define its guidelines for every IT activity and then code that into the workflow of the IT governance software. Each activity will then be automated so that employees can't easily deviate from the prescribed process. That enables IT to better enforce standards on all employees, regardless of rank.

"Executives wouldn't always follow their own rules," says Hilterbrand. "We needed IT governance, which says, 'OK guys, these are the rules and we all have to play by them.' It makes everything visible."

Governance software can help enforce policies by imposing automated workflows, checklists, status alerts and sign-offs. It can also provide an audit trail to prove whether an organization is following its own stated processes—something that has become particularly important for companies seeking to comply with Sarbanes-Oxley.

The process management aspect of IT governance can also deliver benefits in the management of outsourcers. Processes inevitably differ among organizations, and communication can be difficult when dealing with a remote IT team.

When Tyco Fire and Security in Boca Raton, Fla., decided to install VA Software Corp.'s SourceForge software development management application, the manufacturer of fire protection and security products hoped to standardize processes between its offshore contract programmers and its in-house IT staff. Tyco had problems with projects missing deadlines, processes not being followed and quality goals not always being met.

"We felt it was getting nearly out of control," says Kristine Koneck, director of global technology services at Tyco. "We couldn't keep track of what our outsource partner was doing." Also, developers wasted a lot of time—as much as eight hours a week—searching for work-related documents, she says.

The SourceForge tool provided them with collaborative tools, a repository for storing all project files, and defined workflows to enforce processes and deadlines. Since implementation, the number of projects delivered on deadline has risen by 30%, according to Koneck.

Toward an IT Governance Platform

While many products within the IT governance arena still target only certain functions, such as project management or security management, a growing number are building or buying additional modules to span virtually all IT activities, uniting them under a single dashboard.

For instance, Lovejoy points to BMC Software Inc.'s suite of products, which together cover identity management, asset management, application management, event management and change management. Likewise, vendors such as IBM, Computer Associates International Inc. and Mercury Interactive Corp. also have products that can make up much, or all, of an IT governance suite.

The value of having various governance tools in one suite is that they offer the ability to share data for analysis and reporting and to provide a dashboard view into whatever combination of information a manager wants to see.

The benefits of this suite approach became obvious to Nielsen Media Research Inc. after it implemented Mercury's IT Governance Center software earlier this year. New York-based Nielsen started with the product portfolio management component, then added resource management. It plans to soon add the demand management and program management components.

Because all of these functions are components in the IT Governance Center suite, Nielsen can easily implement them as needed. Moreover, managers can quickly view all data pertaining to a particular product or program via a central dashboard, says Christina Carbone, a director for quality and measurement at Nielsen. The company also uses Mercury's TestDirector and Quality Center tools, which will be integrated with the demand management component for better management of the daily production of products.

As Carbones explains, "Having that single view of your portfolio, resources, demand management, testing requirements and project status—it gives you a single view into the total health of all of your projects."


The Scope of Governance


STRATEGIC ALIGNMENT Aligning business needs with IT efforts.
VALUE DELIVERY Optimizing expenses and proving the value of IT.
RISK MANAGEMENT Safeguarding IT assets and providing for disaster recovery and the continuity of operations.
RESOURCE MANAGEMENT Optimizing the use and understanding of IT infrastructure.
PERFORMANCE MEASUREMENT Tracking project deadlines and monitoring IT services.

Source: ZapThink LLC, Waltham, Mass.

Sue Hildreth is a freelance writer based in Waltham, Mass. She can be reached at

Copyright © 2005 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon