The CALDER-MOIR IT Governance Framework

IT governance is the alignment of an organization's IT strategy with its overall strategy so that it meets its goals and objectives (Wallace and Webber, 2009). IT governance inherits characteristics from both corporate governance and IT management: corporate governance ensures transparency of management and control over IT assets, while IT management ensures the effective and efficient management of IT resources (Carter-Steel, 2009).

For the successful implementation of an IT governance framework, three elements are essential: structures, processes and mechanisms. Structures define the roles and responsibilities of the committees for IT planning and operation. Processes cover the strategic planning of the IT system and the management of monitoring, control and process-definition tools such as ITIL. Mechanisms define the relationship between IT and the business. The specific combination of structures, processes and mechanisms is the IT governance framework (Fernández and Llorens, n.d.).

There are many frameworks and standards for IT governance, but none of them on its own provides the full set of IT governance. When these frameworks and standards are used together they become very confusing, and this hinders the main purpose of IT governance (Calder, 2008). Of the many frameworks in existence, none on its own is a complete IT governance framework (IT governance, n.d.).

The Calder–Moir IT Governance framework is a meta-model for coordinating frameworks and organizing IT governance (Calder and Moir, 2009), providing structured guidance on how to approach IT governance (IT governance, n.d.). Using this framework, an organization can get maximum benefit from all the other frameworks and standards (IT governance, n.d.). It consists of six quadrants. Each quadrant represents one step in an end-to-end process which starts with the business strategy and finishes with operations. Since the actual performance is fed back into the business strategy, operations can be considered the beginning of a new cycle (Calder and Moir, 2009). Each quadrant is divided into three layers: the inner layer covers the key issues dealt with by the board, the middle layer covers executive management, and the outer layer covers IT practitioners (Calder, 2008).

Evaluating, directing and monitoring are the three main IT governance tasks that ISO/IEC 38500 identifies for directors (Calder and Moir, 2009). The board directs, evaluates and monitors the IT support. It evaluates the strategy, constraints and IT proposals, and then monitors the six processes in the inner layer. If these do not deliver the requirements, the board directs through the processes in the upper part of the framework. Executive management manages the activities that help to deliver the end-to-end process; it is responsible for directing, evaluating and monitoring the processes carried out by the IT practitioners. The IT practitioners use tools and methodologies to plan, design, assess, control and deliver the IT support for the business (Calder, 2008; Calder and Moir, 2009).

The framework starts from the business strategy. For a successful business, the business strategy is very important (thinkingmanagers, 2006). By looking at the business environment and the business model, an organization can build a successful business strategy. The business model helps to extract value from an innovation and converts new technology into economic value (quickmba, n.d.). The business environment consists of the forces outside the business that influence and impact it heavily. These are the PEST forces (Political, Economic, Social and Technological) and should be considered while making the business strategy (Kotelnikov, n.d.). Tools such as the business plan, the balanced scorecard and green IT help to make a good business strategy. With environmentalists encouraging and pressuring technology companies to minimize pollution and save energy, green IT fits naturally into the strategy (Kaushik, 2009). Super Green Hosting is one of the web hosting companies that has considered green IT in its business strategy (supergreenhosting, n.d.). Stakeholders today expect an organization to be a good citizen and to act as a responsible one (Porter and Kramer, 2006). Social responsibility marketing is key to business strategy today (Brassington and Pettitt, 1997), and Super Green Hosting is doing exactly that. Green dedicated servers occupy less space and offer greater bandwidth. Companies using green dedicated servers save 40% of their total energy cost (Kaushik, 2009).

The board should look very closely at risk, conformance and compliance. It should analyze the potential risks and also develop a plan to examine compliance (Lee et al., 2009). The board should focus on risk management practices and at the same time ensure that the systems operate in accordance with the law (Hoye and Cuskelly, 2007). Enterprise risk management is an approach to risk management, and auditors examine how it can be incorporated (D'Arcy, 2001). Auditors ensure that the system is reasonably secure and help the organization address legal security gaps (Linkous, 2008). This can be met by using available tools such as PCI DSS, the Unified Compliance Framework, etc. TK Maxx was fined in 2007 for failing to protect customer data, the UK's first high-profile incident relevant to PCI DSS. This shows the risk of losing reputation, of fines and penalties, and of closure if an organization fails to meet the standards (Gillespie, 2009). Barclaycard has been using PCI DSS since 2007 and re-validates its compliance every year. Barclaycard has the highest level of compliance checking and auditing. Data security is taken seriously at Barclaycard: it has provided its customers with a secure payment network and has made sure that all its payment terminals are compliant (Barclaycard, n.d.).

IT strategy defines how IT resources will be supplied to support the organization's strategic plans (Wallace and Webber, 2009). It examines how to derive the full potential of information systems from existing and new IT products (Lamb, n.d.). After the strategy has been created, risks assessed and controls developed, IT works with the business to develop the architecture, using tools and frameworks like TOGAF, the Zachman Framework or the Balanced Scorecard. This results in proposals and plans that explain what the business and IT should look like (Calder, 2008). TOGAF is a very popular standard for architecting technology and makes the connection between business strategy and IT strategy (White, 2009). Westpac, an Australian bank, has used TOGAF to manage the technology components of a major outsourcing relationship. TOGAF helped Westpac by providing a common reference point both internally and for its vendors. It gave the bank a structure for governance and sped up its ability to implement the necessary disciplines (opengroup, n.d.).

The proposals and plans created during the previous phases are reviewed by the board. Once the board approves them, they can be implemented through a series of projects managed with methods like PRINCE2, PMBOK, etc. The proposals and plans help the board understand the changes required to deliver the performance (Calder, 2008). Without project management, a project will not be able to deliver the required performance. PRINCE2 provides greater control over resources and is flexible enough for different kinds of projects (prince2, n.d.). The use of PRINCE2 to introduce, manage and embed change has had a significant effect on organizations (Harpham, 2005). Cheshire Constabulary adopted PRINCE2, which greatly improved its project delivery. PRINCE2 gave visibility to the approaches to be applied in change programmes. Robin Crorie noted that PRINCE2 was the reason for the business change in Cheshire Constabulary and for the way they delivered it. PRINCE2 helped Cheshire Constabulary gain a better understanding of what exactly it wanted to achieve, and its implementation was a positive experience in bringing change to the organization (csid, 2002).

The technology balance sheet measures an organization's technology and analyzes its technology capabilities (Bell and McNamara, 1993). Technology applications are directly or indirectly related to, and influence, business outcomes (Samson, n.d.). AT&T, a communications services company, has adopted the balanced scorecard (Letza, 1996). The IT balance sheet reveals the investments in infrastructure, software and technologies that do not normally appear on the balance sheet. It capitalizes all the IT equipment, software and data resources. IT infrastructure is the first category and includes all the hardware and software. The second is IT applications, which include modified and unmodified commercial software packages and custom-developed software designed for the organization. The third category is data: the storage and processing costs incurred in creating the data resources. As we see, IT has become important in every business, and IT applications come with a cost. Every business wants to know whether it gets value for money from its IT expenditure. The business value of IT can be measured by linking IT cost with business performance using the Balanced Scorecard (Zee, 2002).

PRINCE2 and PMBOK update the IT capabilities, which are then set out in IT operations for the delivery of products and services (Calder, 2008). ITIL then enables the organization to deliver high-quality IT services. It also facilitates integration across security and business continuity for the organization. Furthermore, its best practices outline management processes that support the business in achieving value from IT operations (Bennett, 2008). Barclays Global Investors uses ITIL version two and some parts of version three. This framework has not only helped the organization to save cost but has also improved productivity. The use of ITIL has given Barclays Global Investors IT transparency in addition to cost savings and improved service delivery, and hence improved IT efficiency (Guglielmo, 2009).

Operations are the last segment, or last step, of the Calder–Moir IT Governance framework. But the actual performance is fed back into the business strategy, so this completion also acts as the starting point for the next cycle (Calder and Moir, 2009).



Glossary:

Balanced Scorecard: The Balanced Scorecard is a strategic planning and management system used to transform a strategic plan into "marching orders"; it helps provide performance measurements and identifies what needs to be done.
http://www.balancedscorecard.org/BSCResources/AbouttheBalancedScorecard/tabid/55/Default.aspx

BCM/BS25999: BS25999 is the standard for business continuity management (BCM), which helps organizations, mainly those operating in high-risk environments, to minimize risk. BS25999 has two parts: the first is the code of practice for BCM and the second is the specification for BCM.
http://www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/

Business Plans: A business plan is a written document outlining the structure of the business, its objectives, its products or services, its market, its financial forecast and other plans, giving a vision of how the business will reach its goals.
http://www.startups.co.uk/6678842911547985232/what-is-a-business-plan.html

CMMI: Capability Maturity Model Integration is a set of integrated models that addresses product development and maintenance, with emphasis on both systems and software engineering. It is a process improvement approach.
http://www.informit.com/articles/article.aspx?p=98146

COBIT: Control Objectives for Information and Related Technology is an IT governance control framework that bridges the gap between control requirements, technical issues and business risk.
http://www.itgi.org/

COSO: The Committee of Sponsoring Organizations framework consists of five components which help organizations to identify their fundamental and essential objectives. In 2004 COSO issued its Enterprise Risk Management (ERM) framework, which provides clear guidance on ERM.
http://www.sox-online.com/coso_cobit_coso_framework.html

Data Protection: Data protection ensures that the data an organization holds, processes or uses about any individual is managed properly.
http://www.jisclegal.ac.uk/Portals/12/Documents/PDFs/dataprotection.pdf

Green IT: Green IT provides services that deliver measurable financial and environmental benefits from programs. Natural resources being finite, green IT helps with sustainability. Green IT leads not only to corporate social responsibility but also to better resource use and technological innovation.
http://www.greenit.net/

ISO 20000: ISO 20000 is an IT service management standard which integrates a set of management processes to ensure the effective delivery of IT services to the business and its customers.
http://www.isoiec20000certification.com/about/whatis.asp

ISO 27001: ISO 27001 (or ISO/IEC 27001:2005) is the specification for an Information Security Management System, which helps in establishing and maintaining an effective information security management system.
http://www.27000.org/iso-27001.htm

ISO 38500: ISO 38500 is a corporate governance standard for IT. It defines six principles which help establish the responsibilities and plans that support a company's IT services.
http://searchcio.techtarget.in/news/article/0,289142,sid205_gci1370718,00.html

ITIL: The Information Technology Infrastructure Library is a cohesive set of guidance which provides a systematic and professional approach to best practice in IT service management.
http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp

ITPO: Information Technology Performance Optimization is concerned with extracting optimum performance from IT in the broadest sense, covering hardware, software and IT infrastructure.
http://www.butlergroup.com/research/reportHomePages/ITPO.asp

Knowledge Management: Knowledge management is a discipline that helps organizations generate value from their intellectual and knowledge-based assets.
http://www.cio.com/article/40343/Knowledge_Management_Definition_and_Solutions

MoR: Management of Risk offers a general framework for the management of risk from different perspectives across all parts of an organization. All the activities needed to identify and control risk are included.
http://www.apmgroup.co.uk/M_o_R/MoR_Home.asp

MSP: Managing Successful Programmes is a best-practice guide on programme management which consists of a set of principles and processes for managing programmes. Although it can be used on different kinds of programmes, its main aim is vision-led programmes.
http://www.apmgroup.co.uk/MSP/MSPHome.asp

OPM3: The Organizational Project Management Maturity Model is a project management maturity model that helps companies understand their project management processes.
http://www.pmi.org/BusinessSolutions/Pages/OPM3.aspx

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for enhancing payment account data security on a global basis. The information security requirements it sets govern all payment channels.
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

PMBOK: The Project Management Body of Knowledge is published by the Project Management Institute and is accepted as best practice for project management. It provides the fundamentals of project management applicable to a wide range of projects.
http://www.projectsmart.co.uk/pmbok.html

PRINCE2: Projects IN Controlled Environments is a non-proprietary project management method used by various companies across different businesses, environments and project sizes. It guides the company through the fundamentals of running a successful project.
http://www.prince-officialsite.com/home/home.asp

Six Sigma: Six Sigma is a data-driven method for eliminating defects in any process, aimed at process improvement and variation reduction. It is a measure of quality, and anything outside customer expectations is a Six Sigma defect.
http://www.isixsigma.com/sixsigma/six_sigma.asp

SOX: Sarbanes-Oxley guidance derived from COBIT creates controls to mitigate financial reporting risk. SOX is one of the main reasons for the emergence of the IT governance concept.
http://www.amper.com/services/amper-risk-aicpa-IT-governance.asp

Strategic Plans: A strategic plan determines where an organization is going and how it is going to get there, and helps the organization keep its ultimate objectives in sight. Strategic plans provide the basis for business plans.
http://managementhelp.org/plan_dec/str_plan/basics.htm

TCO/ROI: Total cost of ownership includes only costs, whereas return on investment measures both the costs and the expected benefits of a given project over time.
http://www.cio.com/article/331763/TCO_versus_ROI

TOGAF: The Open Group Architecture Framework is a standard architecture framework consisting of a detailed method and a set of supporting tools which an organization can use to develop its IS architecture.
http://www.opengroup.org/togaf/

UCF: When an organization starts gathering multiple authority documents of different types, it needs to know more about them and organize them in a certain way. The Unified Compliance Framework tracks authority documents in a very methodical way so that the information can be shared.
http://www.unifiedcompliance.com/webinars/Introduction%20to%20the%20UCF/player.html

Zachman Framework: The Zachman Framework is a structure for describing the enterprise, helping it collect, organize and structure its intellectual capital.
http://www.zachmaninternational.com/index.php/the-zachman-framework



References


Barclaycard (n.d.) Barclaycard keep pushing me to become PCI DSS compliant but are Barclaycard compliant themselves? [online] Available from:
https://ask.barclaycard.co.uk/business/allfaqs/1_fraud_security/pci_dss3 [Accessed 12th January 2010].

Bell, C. G. and McNamara, J. E. (1993) The Technology Balance Sheet [online] Available from:
http://research.microsoft.com/en-us/um/people/gbell/cgb%20files/technology%20balance%20sheet%20ieee%201993%20c.pdf [Accessed 10th January 2010].

Bennett, J. (2008) Leveraging ITIL to improve business continuity and availability [online] Available from:
http://www.continuitycentral.com/feature0586.htm [Accessed 10th January 2010].

Brassington, F. and Pettitt, S. (1997) Principles of Marketing. London: Pitman Publishing.

Calder, A. (2008) Developing an IT governance framework [online] Available from:
http://www.ncc.co.uk/article/?articleid=13371 [Accessed 28th December 2009].

Calder, A. and Moir, S. (2009) IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT. Cambridgeshire: IT Governance Publishing.

Carter-Steel, A. (2009) Information Technology Governance and Service Management: Frameworks and Adaptations. London: Information Science Reference.

Csid (2002) PRINCE2 Case Study The Cheshire Constabulary [online] Available from:
http://www.csid.com.cn/UpFile/File268.pdf [Accessed 10th January 2010].

D'Arcy, S. P. (2001) Enterprise Risk Management. Journal of Risk Management of Korea. 12 (1).

Fernández, A. and Llorens, F. (n.d.) An IT Governance Framework for Universities in Spain [online] Available from:
http://rua.ua.es/dspace/bitstream/10045/11216/1/EUNIS%202009%20-%20An%20IT%20Governance%20Framework%20for%20Universities%20in%20Spain%20-%20Fernandez%20y%20Llorens.pdf [Accessed 13th January 2010].

Gillespie, M. (2009) Conforming to PCI DSS [online] Available from:
http://www.infosecurity-magazine.com/view/4963/comment-conforming-to-pci-dss/ [Accessed 8th January 2010].

Guglielmo, K. (ed.) (2009) ITIL case study: ITIL best practices at two financial services firms [online] Available from:
http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1369933,00.html [Accessed 8th January 2010].

Harpham, A. (2005) Tools to manage continuing change. Development and Learning in Organizations: An International Journal. 19 (1), 15-16.

Hoye, R. and Cuskelly, G. (2007) Defensive game plans: risk, compliance and conformance. Sport Governance. 118-133.

IT governance (n.d.) The CALDER-MOIR IT Governance Framework [online] Available from:
http://www.itgovernance.co.uk/calder_moir.aspx [Accessed 22nd December 2009].

Kaushik, P. (2009) Advantages of Using Green Servers & Eco-Friendly Web Hosting Providers [online] Available from:
http://www.brighthub.com/environment/green-computing/articles/25126.aspx [Accessed 11th January 2010].

Kotelnikov, V. (n.d.) Business Environment [online] Available from:
http://www.1000ventures.com/business_guide/business_environment.html [Accessed 5th January 2010].

Lamb, J. (n.d.) IT STRATEGY ISSUE SIX [online] Available from:
http://www.opengroup.org/public/arch/p4/cases/case_intro.htm [Accessed 11th January 2010].

Lee, K. M., Herrman, T. J. and Jones, B. (2009) Application of multivariate statistics in a risk-based approach to regulatory compliance. Food Control. 20 (1), 17-26.

Letza, S. R. (1996) The design and implementation of the balanced business scorecard. Business Process Re-engineering & Management Journal. 2 (3), 54-76.

Linkous, J. (2008) Implementing PCI-DSS: The top five issues to consider [online] Available from:
http://www.scmagazineus.com/implementing-pci-dss-the-top-five-issues-to-consider/article/123280/ [Accessed 9th January 2010].

opengroup (n.d.) Case Studies [online] Available from:
http://www.opengroup.org/public/arch/p4/cases/case_intro.htm [Accessed 11th January 2010].

Porter, M. E. and Kramer, M. R. (2006) Strategy and Society: The Link Between Competitive Advantage and Corporate Social Responsibility. Harvard Business Review.

prince2 (n.d.) Why PRINCE2? [online] Available from:
http://www.prince2.com/prince2-benefits.asp [Accessed 8th January 2010].

quickmba (n.d.) The Business Model [online] Available from:
http://www.quickmba.com/entre/business-model/ [Accessed 5th January 2010].

Samson, P. (n.d.) Balanced Scorecard helps IT demonstrate value to the business [online] Available from:
http://www.microsoft.com/business/enterprise/unisys.mspx [Accessed 13th January 2010].

Supergreenhosting (n.d.) Why Super Green Hosting? [online] Available from:
http://www.supergreenhosting.com/ [Accessed 9th January 2010].

thinkingmanagers (2006) Business Strategy [online] Available from:
http://www.thinkingmanagers.com/business-management/business-strategy.php [Accessed 5th January 2010].

Wallace, M. and Webber, L. (2009) IT Governance Policies & Procedures. 2009 ed. USA: Aspen Publisher.

White, K. (2009) Survey shows TOGAF driving business change strategy [online] Available from:
http://www.cbronline.com/news/survey_shows_togaf_driving_business_change_strategy_110309 [Accessed 9th January 2010].

Zee, H. V. D. (2002) Measuring the Value of Information Technology. London: IRM Press.
