establishing a framework for it governance by dave cunningham 2007

© 2007 Baker Robbins & Company

Establishing a Framework for IT Governance

Perspective of Law Firm Business Leaders

Background on Published Frameworks

Lessons Learned from Law Firm Technology Scorecards

Dave Cunningham, Managing DirectorBaker Robbins & Company

© 2007 Baker Robbins & Company | 2

Basic Questions from Firm Management

What are other firms doing? Are we prepared for disasters? Are we spending the right amount of money for what we are getting? Is my CIO doing a good job? Should we outsource more? Why are people complaining about….


Evolving Questions from Firm Management

What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? How do we measure and compare to others? What is the business case for this change? How much would alternative service models and levels cost? How can technology affect lawyer productivity? How do we define

lawyer productivity? How can IT use relevant information to deliver business intelligence?


Using a Published Framework

For: Provides perspective Provides a common language Training available and consistent Most frameworks advocate “adopt

and adapt” not certification Frameworks promote short cuts and

combining best of other frameworks Increases ability to benchmark Software increasingly builds in ITIL

processes and measures Larger outsourcers use ITIL

Against: Too complex for a law firm; too

procedural; too much bureaucracy Hinders creativity and agility SLAs don’t work in a law firm Personal experience is more relevant Law firms deal with exceptions, not rules Too many standards to choose from I have good people so don’t need

someone telling me processes


“All models are wrong, but some are useful.”

George Box, co-founder of the Center for Quality and Productivity Improvement


Comparison of IT Frameworks

Source: CobiT Mapping, Overview of International IT Guidance, 2nd Edition


Components of IT Governance (CObIT v4.1)

Strategic Alignment

Information technology must be in alignment with the evolving strategic objectives of the organization. As organizations evaluate their future strategies and new opportunities present themselves, it is critical that the IT function’s ability to address and deliver these opportunities is considered.

Value Proposition

IT must be able to respond to strategic objectives of adding value to the organization’s processes while at the same time maintaining fiscal responsibility and adhering to implementation time frames including measuring and achieving the expected return on the IT investment.

Risk Management

The IT function must effectively identify threats and vulnerabilities to the organization's IT infrastructure and then take steps to effectively mitigate the impact of those items.

Resource Management

One of the responsibilities of management is to ensure that the IT department has adequate resources to evaluate and implement new technologies as well as determining when to abandon obsolete technologies. This requires educating IT personnel and keeping their skills current to ensure they have the capabilities to do so.

Performance Measurement

To ensure that the previous four objectives can be managed, the organization must have a methodology to evaluate and track progress of the firm's IT governance. This includes the use of tools such as ROI measurement, IT performance benchmarks and balanced scorecards.

Source: Control Objectives for Information and related Technology (CObIT)


IT Supporting Strategic Objectives

Source: Board Briefing on IT Governance, IT Governance Institute


Components of ITIL Service Management (v3)

Service Strategy Focuses on the identification of market opportunities for which services could be developed in order to meet a requirement on the part of internal or external customers. The output is a strategy for the design, implementation, maintenance and continual improvement of the service as an organizational capability and a strategic asset. Key areas of this volume are Service Portfolio Management and Financial Management.

Service Design

Focuses on the activities that take place in order to develop the strategy into a design document which addresses all aspects of the proposed service, as well as the processes intended to support it. Key areas of this volume are Availability Management, Capacity Management, Continuity Management and Security Management.

Service Transition

Focuses on the implementation of the output of the service design activities and the creation of a production service or modification of an existing service. There is an area of overlap between Service Transition and Service Operation. Key areas of this volume are Change Management, Release Management, Configuration Management and Service Knowledge Management.

Service Operation

Focuses on the activities required to operate the services and maintain their functionality as defined in the Service Level Agreements with the customers. Key areas of this volume are Incident Management, Problem Management and Request Fulfillment.

Continual Service Improvement

Focuses on the ability to deliver continual improvement to the quality of the services that the IT organization delivers to the business. Key areas of this volume are Service Reporting, Service Measurement and Service Level Management.

Source: OGC


Process Ratings on Spider Chart (example, 1 of 4)


CONFLICTS & ETHICS Conflicts & Ethics and Securities

Transaction Committees Information Services and Records

Department Outside Counsel

EMPLOYMENT &PERSONNEL MATTERS

Professional Personnel and Admin HR Outside Counsel

PARTNERSHIP ELECTIONS Policy Committee Executive Group Finance Department IT

PARTNERSHIP ELECTIONS(Governance, Departures, Disputes) Executive Group Policy Committee Pension Committee Finance Department Professional Personnel Outside Counsel

LITIGATION & SUBPOENA MATTERS

Litigation Attorneys Managing Attorney’s Office Outside Counsel

DATA PRIVACY, SECURITY MATTERS

Finance Department IT Professional Personnel and Admin HR

MARKETING & COMMUNICATIONS (Website, Branding, Copyright, Reviewing Marketing Materials, etc.)

Marketing/Communications Department

PROFESSIONAL DEVELOPMENT Professional Development Department Professional Personnel

VENDOR CONTRACTS Applicable Departments (IT, Finance, HR,

M/C, etc.)

AUDIT Audit Committee Finance Department

INSURANCE

Professional Indemnity Professional Insurance Committee Executive Group Finance Department

Employment/Worker’s Compensation

Administrative HR Finance Department

Other Insurance Finance Department Executive Group

FIRM MANUALS AND GUIDANCE Executive Group (and delegates) Applicable Practice Groups & Departments

INFORMATION RETENTION IR Project Team Steering Group Outside Consultants All Practice Groups and Departments

FIRM INVESTMENTS Investment Committee

Areas of a Firm Addressing Risk (Example)


Enterprise Risk Management: Business Impact

Gartner research shows that 60% of large enterprises without best practice risk management implemented consistently across the enterprise will significantly under-perform their peers.

Impact on insurable losses has not been measured. ERM helps you look better to the insurance company and establish a sense of awareness. - Lead of law firm insurance group, Aon


Technology Scorecard Assessments - What Have We Learned?

Firms most often in 2+ range (scale of 5) for process and organizational maturity

Staffing and cost levels– When apples-to-apples, highest firms are double the lowest firms without

double the value

– Firms struggle to provide same service/risk level as outsourcers for the same cost

– IT Departments are largely still geared toward operational and support responsibilities

Wide penetration of ITIL programs and selective outsourcing Use of Service Level Objectives / Agreements still minimal External surveys not taken seriously Lack of transparency of IT’s cost, value and risks is one of the most

important drivers for IT governance


Thank you.

Dave Cunningham

Managing Director, Strategic Technology Services

Baker Robbins & Company