01_743593 ffirs.qxd 9/13/05 11:55 AM Page iii Making IT Governance Work in a Sarbanes-Oxley World JAAP BLOEM MENNO VAN DOORN PIYUSH MITTAL John Wiley & Sons, Inc. 01_743593 ffirs.qxd 9/13/05 11:55 AM Page ii 01_743593 ffirs.qxd 9/13/05 11:55 AM Page i Making IT Governance Work in a Sarbanes-Oxley World 01_743593 ffirs.qxd 9/13/05 11:55 AM Page ii ‘Man is an animal that overestimates itself’ —John Gray, Professor of European Thought, Government Dept., London School of Economics 01_743593 ffirs.qxd 9/13/05 11:55 AM Page iii Making IT Governance Work in a Sarbanes-Oxley World JAAP BLOEM MENNO VAN DOORN PIYUSH MITTAL John Wiley & Sons, Inc. 01_743593 ffirs.qxd 9/13/05 11:55 AM Page iv This book is printed on acid-free paper. ∞ Copyright © 2006 by Sogeti Nederland B.V. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmit- ted in any form or by any means, electronic, mechanical, photocopying, recording, scan- ning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for per- mission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically dis- claim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, out- side the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com. Library of Congress Cataloging-in-Publication Data: Bloem, Jaap, 1957- Making IT governance work in a Sarbanes-Oxley world / Jaap Bloem, Menno van Doorn, Piyush Mittal. p. cm. Includes index. ISBN-13: 978-0-471-74359-0 (cloth) ISBN-10: 0-471-74359-3 (cloth) 1. Information technology—Management. 2. Corporate governance —United States. 3. Corporations—Accounting—Law and legislation —United States. I. Doorn, Menno van, 1964- . II. Title. HD30.2.B564 2005 658.4’038—dc22 2005016636 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 02_743593 ftoc.qxd 9/13/05 11:56 AM Page v Contents FOREWORD ix PREFACE xi PART ONE Management: Governance and Its Human Dimension 1 CHAPTER 1 Types of Governance, Business Performance, and Common Sense 3 From the Separation of Powers to Sarbanes-Oxley 4 Corporate Governance Is Good Management 7 Governance in Corporations: All about Business Performance 9 Essentials of IT Governance 10 Plain Common Sense 14 CHAPTER 2 Impact and Challenges of Betrayed Trust 16 Progress and Its Crisis of Faith 17 The Role of IT and the Internet 23 The American President Intervenes 26 Eight Challenges Plus the Millennium Problem 28 Insight as the Basis of Realism 35 PART TWO Accountability: An Economic-Based Business Focus for IT 41 CHAPTER 3 A Basis for IT Management 45 IT Measurement: Turning a Three-Leaf into a Four-Leaf Clover 46 IT Is Infrastructure and E-Business 48 v 02_743593 ftoc.qxd 9/13/05 11:56 AM Page vi vi CONTENTS Where Are We in Terms of the Micro- and Macro-Economics of E-Business? 53 E-Business and the Shift from Decree to Dialogue 57 The IT Democracy 59 Not Dialogue but Babble 61 Limits to the Babble, but Almost Any Governance Structure Will Do 63 exT: Death of IT 68 Keep It Simple, Stupid! 72 Money Makes the World Go Round: Rapid Economic Justification and Total Economic Impact 76 The Strategic Role of the CIO 79 Strategic Focus and Alignment 85 IT Governance: From Structures to Mechanisms and Techniques 87 CHAPTER 4 IT Portfolio Management 91 What Is Involved in a Portfolio Approach? 93 An IT Portfolio Approach in Practice 95 IT Portfolio Management Begins with Outlines, Architecture, and Calculation 98 Maturity and IT Portfolio Management 104 Governance, Projects, Programs, and Performance 108 The Portfolio Approach as an Aggregation of Balanced Scorecard, Activity-Based Costing, and Economic Value Added 111 After 50 Years of Portfolio Thinking, IT’s Turn Has Come 115 Thou Shalt Practice IT Portfolio Management 123 Nine Initial Practical Lessons, Plus One 126 Portfolio Management? By All Means, but... 131 CHAPTER 5 Activity-Based Costing, Economic Value Added, and Applied Information Economics 137 Charting Costs 138 Hence ABC, but How? 143 ABC: The Right Price and IT 150 Real Economic Value and the ROI of IT 153 Some Critical Remarks 158 Applied Information Economics 161 The Human Measure of Ambition and Limitations 164 02_743593 ftoc.qxd 9/13/05 11:56 AM Page vii Contents vii PART THREE Supervision: Stimulating Desirable Behavior 169 CHAPTER 6 Take Action When Necessary 171 Desirable Behavior as a Blind Spot 172 Economics of Governance 174 Supervision: A Lot or a Little? 176 Good Mores or Good Laws? 178 Our Limitations 179 Our Intentions 182 Arguments and Misunderstandings 184 Keep IT Governance Simple and Make Goals Apparent 185 The Balance of Supervision and Intervention 186 CHAPTER 7 Leadership: Overseeing Change 190 IT Governance and Leadership 191 From Control to Distributed Leadership 193 People No Longer Put up with Control 197 Eight Leadership Roles 203 Realists at the Helm 206 Cooperation instead of Coercion 207 No Prospects without Building Trust 210 Management as Institutionalized Mistrust 212 Back to IT Governance and Leadership 214 Leadership and Language 215 The Charisma and Leadership Paradox 216 CHAPTER 8 Issuing Rules Is Maintaining Supervision 220 The Legislator as Supervisor 221 The IT Management Reform Act of 1996 (Clinger-Cohen Act) 223 Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley) 227 European Legislation: Comply or Explain 229 A European Example: Dutch Legislation 231