Embarking on a governance of enterprise IT (GEIT) implementation can be intimidating. There is plenty of anecdotal evidence describing failed GEIT projects and the problems associated with GEIT implementations. In my experience, common elements in failed GEIT implementations include a failure to obtain key executive commitment and not performing adequate analyses of the enterprise prior to embarking on the GEIT implementation itself. Those are planning activities.
Planning a GEIT implementation can be made easier by utilizing ISACA’s guidance on implementation. Two helpful sources are available: the newly released Getting Started With Governance of Enterprise IT (GEIT) and COBIT 5 Implementation. Getting Started With GEIT is intended for those who are new to GEIT or have recently been tasked with implementing a GEIT structure. It presents an overview of GEIT and demonstrates what can be accomplished with the output from a GEIT framework. COBIT 5 Implementation, which is also available from ISACA and is free to ISACA members, describes the essential elements needed to complete a successful GEIT implementation. It outlines 7 phases that can be used to guide a GEIT implementation. The first 5 phases move the enterprise from the initial analysis—looking at why a GEIT structure might be needed—to the execution of a project plan to implement a governance structure. The remaining 2 phases review the project and look for future improvement opportunities.
A GEIT implementation creates wholesale changes across the enterprise, and this requires commitment from enterprise executives and the board of directors. Additionally, the environment must be ready for significant change. A GEIT implementation can be as significant, and disruptive, as a complete change in company culture. COBIT 5 Implementation discusses getting the environment ready and identifying the trigger points that prompt the need for a GEIT implementation.
There can be a spectrum in scope of the desired change. If an enterprise has an established governance structure and has been using COBIT, it might be initiating a new project to implement a newly identified improvement opportunity. In other words, a GEIT implementation can be an incremental evolution in governance and management.
There are several elements that are critical to a successful implementation. One of the most important elements is to have qualified personnel available to lead the implementation. There are many experienced professionals around the world who have the skills and experience to lead enterprises through this if the enterprises lack in-house expertise. Employing an experienced governance practitioner for the implementation can greatly assist in the planning of the project.
Determining how ready the enterprise is for change can provide valuable insight to the implementation team. Conducting a change readiness assessment can be a great early activity in planning the overall GEIT structure. The outcome of the assessment can guide the GEIT implementation team in designing what approach will best serve the enterprise.
Another very beneficial activity to support GEIT planning is a risk assessment. A comprehensive risk assessment can provide valuable insight into how the enterprise will make use of existing resources, acquire new resources, respond to opportunities and provide for security. All these elements can influence the design of a governance structure and should be considered part of the overall GEIT structure planning.
Once the GEIT implementation team has all the background information from risk assessments and change readiness testing, it can begin the process of analyzing and documenting the enterprise’s need for a new or changed governance structure and documenting the extent to which a governance structure already exists. The next planning step is to carefully analyze the stakeholder requirements and fully describe the desired state of the enterprise. These 2 analyses make up the analytical foundation of all implementation efforts that follow.
What follows after the analyses is a formal documenting of the differences between them. This gap defines the scope of the implementation project itself and is used to formalize a project plan. Effective GEIT implementation teams make use of demonstrated good practices in project management in preparing the project plan. Several items must be developed to create an effective project plan. There must be authorization to carry out the project (i.e., a project charter). An initial listing of tasks and work product descriptions must be generated (e.g., work breakdown structure [WBS], project schedule, communication plan, procurement plan).
Once a completed project plan is in place, the implementation team can begin its work of building the governance structure. Formal project management demands that work activities be well documented along the way, that milestones be confirmed and stage-gates exercised, and that model testing be appropriately designed and executed to ensure the model will function as required. Last, a project closure process will confirm that all previously defined requirements have been addressed, that all change requests have been fully processed, and that the project owners have reviewed and approved the newly built governance structure.
A successful GEIT project can easily be accomplished if the tried and true practices are followed.
Peter Tessin, CISA, CRISC, CGEIT
Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside his native United States, including Canada, Mexico, Germany, Italy, France, UK and Australia.