BCE IT Governance Framework
Information Services
IT Governance Framework
Document Information and Review
Name of Document: / BCE IT Governance Framework
Author: / Brett Auton, Manager Information and Planning
Authorised Officer: / Warren Armitage, CIO
Description of Content: / The Brisbane Catholic Education IT Governance Framework
Approved by:
Date of Approval:
Assigned review period:
Date of next review:
Distribution Details
Version / 0.1 / 0.2 / 0.3 / 0.4 / 1.0 / 1.1 / 2.0 / 2.1
Distribution Date / 31/10/08 / 5/11/08 / 5/11/08 / 21/11/08 / 21/11/08 / 2/12/2008 / 23/12/2008 / 23/01/2009
NAME: / Key / Key / Key / Key / Key / Key / Key / Key
Warren Armitage / C / C / C / C / R / A/S / S / E, S
IS Managers / R
Leadership Team / E/S / S / E, S
Key - C For Comment, A For Approval, R For Formal Review, E For Endorsement, S For Sign-off
Version History
Ver. / Date / Author / Comments / Status
0.1 / 31/10/08 / Brett Auton / Incorporated changes from Warren Armitage / Draft
0.2 / 5/11/08 / Brett Auton / Incorporated changes from Warren Armitage / Draft
0.3 / 5/11/08 / Brett Auton / Updated to fix presentation issues with the document / Draft
0.4 / 21/11/08 / Brett Auton / Incorporated changes from Warren Armitage / Draft
1.0 / 21/11/08 / Brett Auton / Incorporated changes from Information Services Managers and Project Managers / Release 1
1.1 / 2/12/2008 / Brett Auton / Incorporated feedback from the Leadership Team / Release 2
2.0 / 8/01/2009 / Brett Auton / Incorporated feedback on Steering Committee Membership and clarification of responsibilities / Release 2.1
2.1 / 30.01.2009 / Brett Auton / Final
Table of Contents
1.0 Introduction
2.0 IT Governance
3.0 Governance Arrangements
3.1 Governance bodies and reporting lines
3.2 Key responsibilities of the governance bodies
3.3 Roles and Responsibilities
3.4 Committee Composition
3.5 Proposed Membership for Project Steering Committees
3.6 Initiative Identification
3.7 Criteria for Assessing Type and Governance Requirements of Initiatives
4.0 Appendix A - Information Strategy Committee
5.0 Appendix B - Project Steering Committee
5.1 Project Steering Committee Roles
6.0 Appendix C - Technology and Architecture Committee
1.0 Introduction
This document outlines an approach to realign and enhance IT governance at Brisbane Catholic Education (BCE). In particular, this paper will:
· Define IT governance in the context of the Oakton and Ernst Young reports
· Propose an approach to IT governance for BCE
2.0 IT Governance
The purpose of establishing IT governance is to direct IT endeavours and to ensure that IS performance meets the following objectives:
· Alignment of IT with the enterprise and realisation of the promised benefits
· Use of IT to enable the enterprise by exploiting opportunities and maximising benefits
· Responsible use of IT resources
· Appropriate management of information and technology-related risks
To be successful in an organisation, IT governance requires input and direction from the business and IT management functions. Gartner’s IT governance relationship model below depicts the interconnected nature of Business and IT Governance with the various business activities such as the development of business strategies, business planning and budgeting.
The Control Objectives for Information Technology (COBIT) framework, from the Information Systems Audit and Control Association (isaca.org), has five main IT Governance focus areas, all driven by stakeholder value.
Three of the areas are drivers: strategic alignment, resource management and performance management. Two are outcomes: value delivery and risk management. The following sections of this document will address BCE’s approach to governing these five focus areas.
There is also a difference between IT Governance and IT Management. COBIT, the IT Governance Institute and Peterson[1] describe the difference as:
IT Management is the efficient and effective supply of IT services and products, and the management of IT operations whereas IT Governance focuses on contributing to present business operations and performance, and transforming and positioning IT to meet future business challenges.
Figure A below best illustrates the different focus of IT governance and IT management. Figure B below depicts the relationships between the IT governance and IT management functions.
Figure A / Figure B
In terms of IT Management, the Microsoft Operations Framework (MOF) will be used. The framework consists of practices, principles, and activities that guide IT management in the creation, operation, and support of IT management services while ensuring that the investment in IT delivers expected business value at an acceptable level of risk.
The MOF framework has four phases:
· Plan – determining how the IT management services will be delivered
· Deliver – ensuring the services, infrastructure, solutions and projects are appropriately documented, built, stabilised and deployed
· Operate – focuses on what to do after the delivered solutions are in place.
· Manage – integrates the decision making, risk management, and change management processes that occur throughout the three preceding stages.
3.0 Governance Arrangements
3.1 Governance bodies and reporting lines
The following governance structures will be implemented for BCE:
3.2 Key responsibilities of the governance bodies
The governance bodies will have the following responsibilities at a high level.
Title / Purpose / Responsibility
Information Strategy Committee (ISC) / · Provide strategy direction and the alignment of IT and the business
· Monitoring the implementation of the Information Strategic Plan
· Issue high-level policy guidance (e.g. risk, funding, sourcing, partnering)
· Confirm that the IT/business architecture is designed to drive maximum business value from IT
· Oversee the aggregate funding of IT at the enterprise level
· Review the measurement of IT performance and the contribution of IT to the business (i.e. delivering the targeted business value)
· Ensure management has processes/ practices in place to enable IT to deliver value
· Assess and approve project proposals, business cases and business benefits
· Provide oversight of the IT project portfolio
· Prioritisation and selection of projects for inclusion in the overall portfolio
· Balance resourcing, consider risks and reconcile issues escalated from the project management office
· Remove roadblocks to ensure timely and effective delivery of projects
· Endorse the membership of project steering committees.
Project Steering Committee / · Policy and resourcing decisions essential to delivery of project output
· Attainment of project target outcomes.
· Ensuring appropriate management of the project components outlined in the Project Business Plan
· Accountability for ensuring appropriate risk management processes are applied
Reference Committee / · Provide a forum to enable stakeholders or like-minded/skilled groups to reach consensus on a particular set of issues
· Report findings back to the committee that established the reference committee
Technology and Architecture Committee / · Inform BCE’s Information Strategic direction
· Review technologies and architectures that help to guide BCE’s change agenda
Primary and Secondary Principals / · Understand BCE’s IT organisation, services and capabilities
· Identify system requirements and provide input into the development of specifications for new products
· Provide expert advice to the Senior User about new functionality required by schools or feedback about existing systems/functionality used to deliver services to schools
· Organise pilots/prototypes that enable users to try out products on a temporary basis
· Prepare school IT environment and establish arrangements to meet current and emerging IT needs/systems
· Allocate school resources to ensure effective IT governance, delivery of projects and operations at a school level
· Identify and acquire new IT services for the school
· Monitor service levels for current and new IT services and provide priorities for addressing performance problems
3.3 Roles and Responsibilities
A RACI matrix is used to define the roles and responsibilities of various groups or people in delivering a project or operating a process. It achieves its purpose by assigning activities to roles using the following responsibility types:
R - Responsible: Personnel who must ensure that activities are completed successfully;
A - Accountable: Personnel who have authority to approve or accept the execution of an activity;
C - Consulted: Personnel whose opinions are sought on an activity (two-way communication); and
I - Informed: Personnel who are kept up to date on the progress of an activity (one-way communication).
The Executive Director is ultimately accountable and responsible for what work is undertaken, for how it is undertaken and the results of all work at BCE. However, in the discharge of his/her duties, the following RACI matrix has been defined to outline the delegated IT governance responsibilities and accountabilities for BCE:
/ Executive Director / Directors / ISC / CIO / CTO / Project Portfolio Manager / Manager Information & Planning /
Strategic Alignment
· Align and integrate IT strategy with business goals / C / R / A / R / C / C / C
· Identify critical dependencies and current performance / C / R / A / R / C / C / C
· Develop an IT strategic plan / A / C / R / R / C / C / R
· Develop IT tactical plans / C / R / A / C / C / R
· Analyse project and service portfolios and priorities / C / I / R / A / R / R / R
· Create and maintain enterprise architecture/information models and guidelines / I / R / A / R / C / C
· Utilise the information model, data dictionary and classification scheme to plan optimised business systems / C / I / R / A / R / C / C
· Define and monitor performance against the defined quality standards and practices / C / A/R / C / C / C
· Assess and approve major projects / C / A / R / C / C / C
· Assess and approve minor projects, advising the information strategy committee about feasibility / I / I / I / A/R
· Define a portfolio management framework for IT investments / C / C / A / R / C / C / C
· Establish and maintain an IT project management framework / I / I / A / A / C / R / C
· Establish and maintain an IT project monitoring, measurement and management system / I / I / I / A / C / R / C
· Establish project documentation including project brief, schedules, budgets, quality communication and risk management plans / C / C / C / A/R / C
· Ensure the participation and commitment of project stakeholders / I / A / R
· Ensure the effective control of projects and project changes / C / C / C / A/R / C
· Define and implement project assurance and review methods / I / C / I / A/R / I
Value Delivery
· Develop annual IT budget / C / I / A / R / R / R
· Approve annual budget / A / R / R / R / C / C / C
· Monitor IT investment, cost and value to the business / I / C / C / A/R / C / C / C
· Review cost accounting results, review project financial return analysis / A / R / R / R
· Ensure processes / practices are in place to ensure IT delivers value / C / A / R / R / R
Risk Management
· Identifying IT risks for the organisation / C / I / A / R / R / R
· Approving IT risk and action plans / A / R / R
· Implementing action plans / C / A / R / R / R
· Determine, authorise and oversee the implementation of IT policies and procedures / C / C / A / R / C / C / C
IT Resource Management
· Establish IT organisational structure, including committees and linkages to the stakeholders and vendors / C / C / A / R / C / C / C
· Approving HR policies and procedures relevant to IT / A / C / R / C / C / C
· Execute HR policies and procedures relevant to IT (recruit, hire, compensate, train, appraise, retain, promote and dismiss) / A / R / R / C
· Create and maintain a technology infrastructure plan / I / A / R / R / I / I
· Create and maintain technology standards / A / R / I / I
Performance Management
· Establishing and collecting measurable targets that support the business objectives / A / C / R / R / C / C / C
· Reviewing performance against agreed-upon targets and initiating necessary remedial action / A / R / C / C / C
· Establish the service levels, oversee monitoring and reporting / I / A / R / I / I
· Monitor and drive improvement to IT Governance / C / I / A / R / C / C / C
3.4 Committee Composition
Information Strategy Committee (ISC)
Members: Leadership Team and CIO. The Information and Planning will provide executive support for this committee.
Meeting Frequency: 6 times per year (minimum)