clear and present governance - red circle strategies...‘scrum master’ type of leader, even...



Post on 08-Sep-2020



ICT Governance and Control
TechPro December 2014

CLEAR AND PRESENT GOVERNANCE

LESLIE FAUGHNAN finds there is still plenty of room for more traditional governance frameworks, along with the new upstarts

We live in a world of rising risk — or it certainly seems so — across business actions and performance and especially in ICT where external malware and criminal threats are added to internal problems such as loss of control in any area. There is another kind of malware, in the sense of software and hardware systems that are either not fit for purpose or actually faulty. ICT governance aims to counter that risk by ensuring the quality and fit of all systems. By and large that brings the focus on IT projects and change management.

All of this has received a new impetus this century, driven by an unholy combination of financial mismanagement and downright scandals, recession and the inexorable rise of those cyberthreats. Clearly, an additional factor has been the barely controlled explosion of personal devices — and that cloud thing.

We all recognise that Parkinson’s Law or some variation of it applies to all IT projects whether small or global, private or public, managed in-house or by expert consultants: any given project will tend to expand to fill the time and resources available. There are cynical old IT warhorses who will assert that in fact all projects tend to go even further, expanding to test any elasticity of time and budgetary resources to the snapping point. They will typically instance some of our best known multi-million euro project failures on this island although the inner island and the USA have often outclassed us in terms of years taken to waste even more millions before projects were euthanised.

At this stage, with several business generations of experience, we understand broadly the common causes and mechanisms of runaway projects or simple scope creep, time and budget overruns and failure to deliver project objectives. There are more than adequate libraries of case examples, root cause analysis and other hindsight metrics. But really the object of all such exercises today is to keep projects on track, literally from the first concept stage, using the wide range of project management methodologies and tools that are available.

Adaptability and flexibility

“We have been using the traditional structured and waterfall methodologies for some time. What is driving the Agile approach, as the name implies, is its adaptability and flexibility,” says Mark O’Loughlin, service management principal in the IT Alliance Group. “It gives you more control in small stages so that you can correct things as you learn and understand more about the project. You are also bringing in the business and the key stakeholders earlier in the conversation to advise and protect what you are doing. It works with smaller changes and so less risk.”

Agile also has value in relation to budget management because unforeseen issues and requirements for change are identified earlier in the process. The implications for the rest of the project and the costs can be examined and decided on in a more timely way than traditional project management — in large part because the business side is represented on the project team.

“But you have to watch the flip side as well,” says O’Loughlin, “and I think people miss this sometimes with Agile — it is all too easy to add on costs, precisely because you can be flexible and adaptable. That is part of the reason why it is a good idea — even essential — to have a discretionary element in the budget, say 10%, for changes where the value is clearly seen. But you could burn through that in the first few months. So it is important to have clear governance structures around the Agile approach, ensuring that each step contributes to value in the project outcome.”

O’Loughlin emphasises that ICT project flexibility is not the prerogative of Agile. “PRINCE 2 can be agile and in fact there is a version specifically for Agile coming to the market. It will mean you are still using the disciplines of that methodology but with smaller, incremental ‘chunks’ and in fact defining very small pieces of work — ‘sprints,’ in Agile terminology, which are reviewed immediately.”

The trend towards an Agile approach is taking place in a skills environment where there has been a significant increase in PMI and PRINCE 2 certification in recent years in Ireland, he says. “During the recession, with clients being very cautious, certification became and still is an essential client requirement as part of quality assurance. Now that things are picking up, there is — if not a skills shortage — some indication that the skills supply at project manager level is being stretched. Which is of course a positive sign for health of the ICT sector.”

With Agile it is all too easy to add on costs, precisely because you can be flexible and adaptable. It is a good idea to have a discretionary element in the budget, say 10%, for changes where the value is clearly seen. It is important to have clear governance structures around the Agile approach, ensuring that each step contributes to value in the project outcome, Mark O’Loughlin, IT Alliance

Persistent misconception

Philip Hearsum currently heads up the ITIL portfolio of Axelos, the UK joint venture set up earlier this year between the UK government and Capita plc to manage and provide training in best practice, in methodologies formerly owned by the Office of Government Commerce. “There is a persistent


misconception that both ITIL and PRINCE are quite rigid structures. They are not and the philosophy behind both has always been to adopt and adapt to the situation, taking in risk management. We are now producing in our project and programme management portfolio the PRINCE 2 and Agile best practice guide and qualification specifically to show how they can cohabit and work together.”

He points out that Axelos has retained the award-winning Agile guru Keith Richards of agileKRC as lead author. “Richards pointed out at the recent ITSMF conference that he always knew that they fitted together but was surprised at how easily the two approaches combined in practice. In some degree that is because PRINCE 2 is not a waterfall but more a set of stages. So if you adapt those stages to become Agile ‘scrums’ it actually fits together quite nicely.”

“ITIL is in fact similar in that it is a set of Best Practices. There is a sort of double misconception around that ITIL is documentation top heavy and Agile is documentation lite — and neither is true. I think the philosophy of both is that you need to understand your risks to have proper governance. So you do not need to become top heavy with stuff that will be of no use in the future. But neither do you want to become anarchic, producing stuff that nobody understands.”

Faster innovation

All of this is increasingly important, Hearsum says, because there is now a demand for change and innovation at a much faster rate than in the past. “I don’t think that necessarily means that methodologies change necessarily just that they need to be adapted to the current ways of working. You can do things with ITIL in an Agile way.”

He goes on to suggest that change management and project management and governance and risk are in many respects converging. “Even today I think that almost everyone in ICT needs to understand project management to some degree. In a decade or two, I suspect everything will be delivered as a service and all of these disciplines will come together in service management and a business value chain.

“The relationship between business and IT has changed — in fact we really should not be talking of them as separate things because IT is now firmly part of the business,” Hearsum says. “Enterprise service management is a role that has to combine all of the strands because it is becoming totally pervasive across all areas of the organisation and its activities.”


Governance a barrier

The advent of Agile in software projects is significant in recent years in Ireland, according to Richard Power, head of consultancy services in software testing specialists SQS. “There is still, however, something of a myth that good governance is a barrier to Agile where you are trying to get into a fluid state with everybody involved. So governance is seen as bringing in gateways and restrictions and silos. Yet what we see and believe is that when you introduce Agile in a structured and mature way it has real value because you do integrate business and technology. Your stakeholders are comfortable because they understand what is going on. Certainly our experience over many years is that the most successful projects have clients who are thoroughly involved.”

That is one of the things that Agile proponents would point to as well, Power says. “Then you can have that quick pivot, change of direction, because there is agreement within the project team and the overall is within the parameters. Another angle on that suggests that an Agile team can only be truly effective when there is a business decision maker on the team. If the client representative is not empowered or not capable of making a decision the Agile approach can actually fail.”

More challenging

Contrasting at a high level with PRINCE 2 and other traditional methodologies, Power points out that they tend to have very obvious gates and governance becomes very easy because there are very clear steps. “Governance in the Agile space becomes a good deal more challenging, I think. You just don’t have those obvious gates between one phase and another and so the various models are more difficult to implement while at the same time following appropriate disciplines.”

“Agile is really from a different culture. What was the project manager becomes the ‘scrum master’ type of leader, even referred to as ‘servant leadership’ — the role is to remove all the barriers, distractions and politics from the work of the team. That is really a different mind-set. That is where perhaps I am sceptical,” Power says. “Experience suggests that quite often in a project there comes a time when the leader has to crack a whip, lay down the law or however you might put it.”

In the current software market there is a renewed emphasis on Governance, Risk and Compliance (GRC) and ever more regulatory compliance to be built into projects and change management. “At a high level, it is fair to say that is becoming more challenging than ever because of differing methodologies,” Power says, “I think that is going to continue, particularly in larger projects with multiple vendors.”

Data value and assets

Asystec is a specialist data management solutions company, founded in Limerick in 2011 which now has offices also in Cork, Dublin and Belfast. Director Brendan McPhillips, perhaps unsurprisingly, says that all ICT governance ultimately stems from the organisation’s data. “You have to understand what our data assets are in the first place. Not all data is equally valuable or sensitive, not all data is treated the same. So all governance, risk and compliance solutions have to be designed to match the different kinds of data appropriately. Historically, organisations did not often categorise or organise their data from a GRC point of view.”

That was and still is a challenge, McPhillips says, now combined with a much broader threat landscape with multiple devices, external channels and categories of data access and permissions. “The move today is towards intelligence-driven security, understanding what is ‘normal’ and seeking and monitoring for anomalies. We are more and more seeing smart analytics producing actionable intelligence in the security sphere as elsewhere.”

“We deal a lot with clients that have to prove their compliance to external parties, in handling credit card information, for example, or health information or personal data,” says McPhillips. “Another field is extremely valuable intellectual property, whether the organisation’s own or the property of its clients. All of these are drivers of governance and security. Yet another sensitive area we come across is enterprises that have a lot of customers which are competitors of each other, especially in outsourcing and managed services. So you have to have, and prove you have, the electronic equivalent of Chinese walls to separate and insulate the different data and access to it in multi-tenanted ICT infrastructure.”

Data context

But in the organisation, it is only the business owners who can give the context, the value and the sensitivity for any data. “So once again, that is where the governance and the security brief have to begin. Then the technology specification kicks in. For example anomalous behaviour in a user’s data might be treated very differently from anomalies showing up in a database,” McPhillips said.

“This is all in a context of rapid change and necessarily agile organisations plus the accelerating generation of more data. In today’s world many organisations have increasingly porous infrastructures, in the sense that there are multiple information channels in and out because of links with suppliers, customers and partners,” he says. “It has become more difficult for any risk officer or other executive to sign off on compliance? How do you put all of the necessary controls in place? How do you know they are effective? Like the security threat, the challenges to ICT governance are continuing to multiply.”

There is a persistent misconception that ITIL and PRINCE are quite rigid structures. They are not and the philosophy behind both has always been to adopt and adapt to the situation, taking in risk management, Philip Hearsum, Axelos

What we see and believe is that when you introduce Agile in a structured and mature way it has real value because you do integrate business and technology. Your stakeholders are comfortable because they understand what is going on. Certainly our experience over many years is that the most successful projects have clients who are thoroughly involved, Richard Power, SQS

A sensitive area we come across is enterprises that have a lot of customers which are competitors of each other, especially in outsourcing and managed services. So you have to have, and prove you have, the electronic equivalent of Chinese walls to separate and insulate the different data and access to it in multi-tenanted ICT infrastructure, Brendan McPhillips, Asystec

Agile has value in relation to budget management because unforeseen issues and requirements for change are identified earlier in the process. The implications for the rest of the project and the costs can be examined and decided on in a more timely way than traditional project management
