CHAPTER 7:
THE CALDER-MOIR IT GOVERNANCE FRAMEWORK

The Calder-Moir IT Governance Framework [21] is a straightforward framework for structuring IT governance within an organization.

21 The IT Governance Framework – Toolkit is a comprehensive set of tools and templates that support the development and deployment of an IT governance framework in an organization. Copies can be purchased from: www.itgovernance.co.uk/products/519.

Most of the IT-related disciplines offer solutions and tools that can help with IT governance, but most of them are very detailed, and have narrow scopes. No single tool provides a full picture of IT governance, and collectively they can give a confusing picture that hinders the purpose of IT governance, which is to equip boards with information and levers for directing, evaluating and monitoring how well IT supports their core business.

The Calder-Moir Framework is not another solution, but a way of organizing IT governance issues and tools to support the board, executives and practitioners. It places IT governance tools in the context of an end-to-end process, and provides a simple reference point for discussing the many aspects of IT direction and performance.

The framework consists of six segments, each of which represents one step in the end-to-end process that starts with business strategy and finishes with IT operational support for delivery of business value against that strategy.

Each segment is divided into three layers:

• The innermost layer represents the board, which directs, evaluates and monitors information technology support for business.

• The middle layer represents executive management, which is responsible for managing the activities that deliver the end-to-end process.

• The outermost layer represents the IT practitioners and IT governance practitioners, who use proven tools and methodologies to plan, design, assess, control and deliver the IT support for business.

Navigating the framework

The top half of the framework covers the processes that establish direction, specify constraints, make decisions and plan.

The bottom half covers the processes that develop new capabilities, manage the capabilities and use IT to deliver business products and services.

Start at the ‘9 o’clock’ position (business strategy), and follow the segments clockwise through the end-to-end process:

The board decides the organization’s goals and business strategies. These are analysed and designed by the executive managers and their strategy practitioners. The strategies must operate within one or more corporate governance regimes (the Combined Code, Sarbanes-Oxley, Basel 2 and so on).

They also operate within a risk environment, so it is critical to undertake a thorough risk assessment to decide which controls will be the most appropriate. The first two segments, then, describe the organization’s path and desired outcomes, the constraints within which it must operate, and the controls that will be most appropriate in those contexts.

Once the business strategies, governance regimes, risk assessment and controls have been developed, IT works with the business to develop architectures and plans to deliver on those requirements. The result is a set of proposals and plans that describe what business and IT should look like, the expected performance, the changes required to deliver that performance, and the resource implications. IT governance processes verify that the proposals meet the business strategy and corporate governance requirements (including risk management and controls), and help the board to evaluate the merits of the plans and proposals.

After the board approves the plans and proposals, they can be implemented through a series of change projects – subject to regular monitoring within the IT governance regime, including controls developed by the risk assessment process. The projects create or update the organization’s business and IT capabilities, which should then meet the performance and control criteria established during the planning phases. The capabilities are then deployed into business and IT operations for delivery of products and services – again governed by the performance and control criteria.

Evaluate, direct, monitor

The Australian standard AS8015-2005 (Corporate Governance of Information and Communication Technology) identifies three main IT governance tasks for directors:

• evaluate,

• direct, and

• monitor.

The board evaluates the business conditions, strategies, constraints and IT proposals. It directs by guiding the way IT should be used (IT principles), the appropriate risk and compliance posture, and the investment in IT proposals. And it monitors all processes in the Calder-Moir hexagon – business strategy, the business and risk environment (and constraints), IT strategy, change, capabilities and operations.

If any of these processes fails – that is, doesn’t deliver exactly what is required – then the board intervenes (directs) through the processes in the top half of the framework, refining or reinforcing the guidelines for business and IT.

Similarly, executive managers direct, evaluate, and monitor the processes carried out by practitioners, but are – for obvious reasons – more closely involved than the directors in all activities in both halves of the framework.
