Tuesday, November 30, 2010

Study notes on Cobit: Defining the IT organization and relationships

The CIO job position and relationships

Recall the IT strategic planning process involving the CEO, CIO and etc.? What if the company has no CIO (or any job position assuming such responsibilities), then all deals are off. It means that CIO is a important job position for the success of IT governance.
Consider the CIO position, in the process we implicitly assumed that the CIO reported to the CEO. But what if he reports just to the CFO (IT considered part of finance)? Then, IT may not play as a strategic role as when the CIO is reporting directly to the CEO. That is, in addition to the responsibilities of the position, the relationship (here, reporting relationship) between this position and others will have high impact on the significance of IT.
In addition to the reporting relationship, there are some other important relationships. For example, as described in the process for strategic IT planning, the executive-level collaborators (CEO, CIO, executives) also form a working relationship to steer IT. To highlight and formalize this relationship, we can give it a name like "IT steering committee" or "IT strategy committee". In Cobit, the former refers to the case we described before (up to the CEO level), and the latter refers to the case when the board of directors are involved (typically for major IT strategies involving a large investment).

Other strategic positions in IT and relationships

If we assume that CIO will take care of the business value alignment, then we will next see who will take care of quality and risk (other main elements of IT governance):

  • For quality, we should have a QA manager. If the CIO really values IT quality, he should have the QA manager reporting to him directly. In addition, the QA manager should have a working relationship with the enterprise wide quality director (or a similar position).

  • For risk, it can be divided into information security and legal compliance. For information security, we should have a chief information security officer (CISO). He may report to the CIO or even the CEO (if information security is considered very important by the enterprise).

  • For legal compliance, we should have a position in IT who reports to the CIO and has a working relationship with the chief compliance office in the enterprise.

Protecting from the loss or malfunctioning of key individuals

What if the CIO quits to work for another company? What if the CIO is the only one making purchase decisions but he is bribed? In order to limit the damages from the loss or malfunctioning of a key individual, you should design the IT organization so that there are backup positions (e.g., assistant CIO or a senior IT manager acting in that role) and important decisions are approved or reviewed by more than one person (duty segregation) (e.g., bid evaluation committee).