
IT Governance Structure Recommendations

Chapter Five: Proposed New Framework

5.4 Implementation Recommendations

5.4.3 IT Governance Structure Recommendations

5.4.3.1 Office of the CIO – Recommendation 21

The PES IT Governance Framework does not insist on the existence of a CTO role. Rather, it is recommended that either the CIO role be defined broadly enough to incorporate the role of the CTO, or the roles of the CTO and CIO be clearly segregated. The CIO role is rapidly changing and needs to be adjusted continually to keep up with new demands. Each organisation should define the CIO role to meet its strategic requirements for IT. These requirements would determine the value IT should deliver and consequently the role of the individual leading the function.

5.4.3.2 Chief Technology Officer (CTO) – Recommendation 22

It is recommended that the creation of a CTO role should be based on a strategic decision and the nature of the organisation. Not all organisations are able to justify a CTO role. Organisations which have made a significantly higher investment in IT infrastructure than their peers, as well as telecommunications organisations, would probably find it easier to justify a CTO role.

5.4.3.3 Information Security Officer (ISO) – Recommendation 23

The ISO role should be clearly defined as the most senior information security oversight function, and segregated from the implementation and administration of the information security policies, procedures and standards.

If possible, it should be based outside IT.

5.4.3.4 Chief Enterprise Architect – Recommendation 24

It is recommended that organisations’ IT strategies make provision for the creation or maturing of the EA role. Where feasible, this role should not be regarded as an IT function but should rather be based closer to corporate strategy, with its technology-specific roles being resourced from IT.

 

5.4.3.5 IT Financial Manager – Recommendation 25

It is recommended that the IT financial management role be formally assigned in all environments but that the feasibility of creating a full-time position around it be carefully evaluated based on the size and complexity of the environment.

5.4.3.6 IT Risk Officer – Recommendation 26

It is recommended that a formal IT risk officer role be created. Depending on the organisation, it could then be decided whether to award this role as an additional responsibility to a senior IT official or to create a new position within IT for an operational risk manager. It is further imperative that all of the IT management team be made aware of their risk management responsibility.

5.4.3.7 Applications Manager – Recommendation 27

It is recommended that, where feasible, the role of application manager should not be combined with other formal roles in large IT departments.

5.4.3.8 Technical Manager – Recommendation 28

The proposed IT governance framework recommends that the technical management role be clearly defined and assigned to an individual responsible for all aspects of technical management. The framework does not dictate whether the technical manager or the application manager owns and is responsible for the IT service support (Office of Government Commerce, 2000) and IT service delivery (Office of Government Commerce, 2001) processes, but requires these two roles to take responsibility for service support and service delivery between the two of them.

5.4.3.9 Operations Manager – Recommendation 29

It is recommended that each organisation evaluate whether or not the size of its IT department justifies the appointment of an operations manager. If not, this role could be combined with that of the technical manager. This paper does not argue for any particular IT operations structure but recommends (i) clear roles and responsibilities for each operational area and (ii) a clear definition of the operations management role.

5.4.3.10 IT Strategy Committee – Recommendation 30

It is recommended that all organisations should have an IT Strategy Committee, composed of top executives and the CIO. In some organisations, this committee would also be responsible for areas assigned to the IT Steering Committee below.

5.4.3.11 IT Steering Committee – Recommendation 31

It is recommended that each organisation should have at least one IT governance body responsible for setting IT strategy (IT Strategy Committee) and one for overseeing the establishment of mechanisms for delivering the strategy (IT Steering Committee). Where feasible, these should be two different bodies but, provided the body does not involve itself in the actual implementation of strategy, the two could be one. Where the two bodies are segregated, the IT Strategy Committee membership should be as senior as possible, preferably Board level.

5.4.3.12 Enterprise Architecture Forum – Recommendation 32

It is recommended that some kind of governance body be established to oversee the establishment and effectiveness of enterprise architecture in the organisation. Where possible, this function should be situated outside IT, as a corporate strategy implementation enabler.

5.4.3.13 Programme Management Office (PMO) – Recommendation 33

Without being prescriptive as to where the IT PMO should reside, it is recommended that PMO principles be adopted to govern any significant IT projects. It is further recommended that a formal, standardised project management methodology, including a project management maturity model, whether for IT or at an enterprise level, be adopted. The adopted project management methodology should contain a project management maturity model, indicating maturity targets for project management.

5.4.3.14 Summarised Recommendation on IT Governance Roles – Recommendation 34

As depicted in Table 4.1, it is recommended that the IT governance major processes are implemented by assigning responsibility to the following IT governance roles: CTO, ISO, applications manager, enterprise architect, technical manager, operations manager, IT financial manager and IT risk officer.

The CIO is assigned accountability for all these roles performing their responsibilities.

5.4.3.15 Summarised Recommendation on IT Governance Structures – Recommendation 35

As depicted in Table 4.2, it is recommended that the IT governance major processes are implemented by assigning responsibility to the following IT governance structures: office of the CIO, IT Steering Committee, IT Strategy Committee, Enterprise Architecture Forum and PMO.

The IT Strategy Committee is accountable for ensuring strategic alignment, while accountability for value delivery is assigned to the IT Steering Committee. The office of the CIO is accountable for the remaining three IT governance major processes.

5.5 Conclusion

Because the PES IT Governance Framework is a proposed framework, the intention is for its users to implement the recommendations relevant to their organisations to achieve effective IT governance. In subsequent chapters, this framework forms the basis for discussion with research participants and the eventual formulation of a generally accepted IT governance framework.