global status report geit 10jan2011 research

8/7/2019 Global Status Report GEIT 10Jan2011 Research

1/70

Global Saus Repor

on he

Governance of Enerprise It (GEIt)2011


2/70

G l o b a l S t a t u S R e p o R t o n t h e G o v e R n a n c e o f e n t e R p R i S e i t ( G e i t ) 2 0 1 12

IT Governance Institute (ITGI)

the It Governance Insiue (ItGI) (www.itgi.org) is a non-profi, independen research eniy ha provides

guidance for he global business communiy on issues relaed o he enerprise governance of It asses. ItGI

was esablished by he non-profi membership associaion ISACA in 1998.

Disclaimer

ItGI has designed and creaedGob Sttus Report on the Governnce of IT (CGEIT)2011 (he Work)

primarily as an educaional resource for chief informaion officers (CIOs), senior managemen and It

managemen. ItGI makes no claim ha use of any of he Work will assure a successful oucome. the Work

should no be considered inclusive of all proper informaion, procedures and ess or exclusive of oher

informaion, procedures and ess ha are reasonably direced o obaining he same resuls. In deermining he

propriey of any specific informaion, procedure or es, CIOs, senior managemen and It managemen should

apply heir own professional judgemen o he specific circumsances presened by he paricular sysems or

informaion echnology (It) environmen.

Reservation of Rights

2011 ItGI. All righs reserved. No par of his publicaion may be used, copied, reproduced, modified,disribued, displayed, sored in a rerieval sysem or ransmied in any form by any means (elecronic,

mechanical, phoocopying, recording or oherwise) wihou he prior wrien auhorisaion of ItGI.

Reproducion and use of all porions of his publicaion are permied solely for academic, inernal and

non-commercial use and for consuling/advisory engagemens, and mus include full aribuion of he

maerials source. No oher righ or permission is graned wih respec o his work.

IT Governance Institute

3701 Algonquin Road, Suie 1010

Rolling Meadows, IL 60008 USA

Phone: +1.847.660.5700

Fax: +1.847.253.1443

E-mail: [email protected]

Web sie: www.itgi.org

Gob Sttus Report on the Governnce of Enterprise IT (GEIT)2011

Prined in he Unied Saes of America


3/70

ITGI wishes to recognise:

ITGI Board of Trustees

Emil DAngelo, CISA, CISM, Bank of tokyo-Misubishi UFJ Ld., USA, Inernaional Presiden

Chrisos K. Dimiriadis, Ph.D., CISA, CISM, INtRALOt S.A., Greece, Vice Presiden

Ria Lucas, CISA, CGEIt, telsra Corp. Ld., Ausralia, Vice Presiden

Hioshi Oa, CISA, CISM, CGEIt, CIA, Mizuho Corporae Bank Ld., Japan, Vice Presiden

Jose Angel Pena Ibarra, CGEIt, Alinec S.A., Mexico, Vice Presiden

Rober E. Sroud, CGEIt, CA technologies, USA, Vice Presiden

Kenneh L. Vander Wal, CISA, CPA, Erns & Young LLP (reired), USA, Vice Presiden

Rolf M. von Roessing, CISA, CISM, CGEIt, Forfa AG, Germany, Vice Presiden

Lynn C. Lawon, CISA, FBCS CItP, FCA, FIIA, KPMG Ld., Russian Federaion, Pas Inernaional Presiden

Evere C. Johnson Jr., CPA, Deloie & touche LLP (reired), USA, Pas Inernaional Presiden

Jeff Spivey, CPP, PSP, Securiy Risk Managemen, USA, ItGI trusee

Survey Task Force

Silvia Nocella (Chair), UruguayChrisos K. Dimiriadis, Greece

Ram Marappan, Singapore

Jo Sewar-Raray, Ausralia

Nicky tiesenga, USA

PricewaterhouseCoopers Research Team

Floris Ampe, Belgium

Marc De Pauw, Belgium

Ger du Preez, Canada

Bar Peeers, Belgium

Mark E. Hamilon, Norhern Ireland, UK

Lorna McLernon, Norhern Ireland, UK

Frances McVeigh, Norhern Ireland, UK

ITGI Affiliates and Sponsors

American Insiue of Cerified Public Accounans

ASIS Inernaional

the Cener for Inerne Securiy

Commonwealh Associaion for Corporae Governance Inc.

FIDA Inform

Informaion Securiy Forum

Informaion Sysems Securiy Associaion

Insiu de la Gouvernance des Sysmes dInformaion

Insiue of Managemen Accounans Inc.

ISACA chapers

ItGI JapanNorwich Universiy

Solvay Brussels School of Economics and Managemen

Universiy of Anwerp Managemen School

ASI Sysem Inegraion

Hewle-Packard

IBM

SOAProjecs Inc.

Symanec Corp.

truArx Inc.

3G l o b a l S t a t u S R e p o R t o n t h e G o v e R n a n c e o f e n t e R p R i S e i t ( G e i t ) 2 0 1 1

Acknowledgements


4/70

Page intentionally left blank



5/70


6/70




7/70


1. Executive Summary

Ask 834 business execuives and heads of informaion echnology (It) wha hey hink abou he role of It

in heir enerprise and you migh expec o ge 834 differen answers. Bu ha was no he case in his fourh

ediion of heIt Governance Insiues Gob Sttus Report on the Governnce of Enterprise IT (GEIT). the

survey, covering 21 counries, 10 indusries, and boh large and small enerprises, revealed a significan degreeof accord on he conribuion of It o business success, he challenges and opporuniies conneced wih It, he

impac of he economic crisis and views on It ousourcing, social neworking and he cloud.

Key findings include:

The good and the not-so-goodValue creaion of It invesmens is one of he mos imporan dimensions of

Its conribuion o he business (menioned by more han nine ou of 10 respondens). Bu challenges exis:

increasing It coss and an insufficien number of It saff are he mos common It-relaed issues experienced

by respondens in he pas 12 monhs.

IT leading or followingthere is a correlaion beween he posiion of he head of It in he enerprises

hierarchy and he pro-acive naure of he It deparmen. Overall, 70 percen of respondens noed ha he

head of It is a member of he senior managemen eam, bu his figure increases o 80 percen for hose

enerprises where It has a proacive role.

A focus on governanceGovernance of enerprise It (GEIt) is a prioriy wih mos enerprisesonly fivepercen indicaed ha hey do no consider i imporan. two-hirds of responden enerprises have some GEIt

aciviies in place, he mos common being he use of It policies and sandards, followed by he employmen

of defined and managed It processes. the main driver for aciviies relaed o GEIt is ensuring ha It

funcionaliy aligns wih business needs, and he mos commonly experienced oucomes are improvemens in

managemen of It-relaed risk and communicaion and relaionships beween business and It.

Moving outOusourcing is highly prevalen across he board, bu especially in larger enerprises and hose

where It is considered imporan or very imporan o he delivery of he business sraegy or vision.

Cloudy daysRespondens repored ha heir heads were in he cloud: 60 percen use or are planning o

use cloud compuing for non-mission-criical It services, and more han 40 percen use or are planning o

use i for mission-criical It services. For companies ha do no have plans o use cloud compuing he main

reasons are daa privacy and securiy concerns.

Watching expensesthe global economic downurn has had an effec on It aciviies, he primary response

iniiaives being: (1) a reducion in conracor saff, (2) a reducion in permanen saff and (3) a consolidaionof he infrasrucure.

Social networkingthe use of Facebook or twier a work is no highly prized; only one ou of five

respondens believes ha he benefis of employees using social neworking ouweigh he risks.

1.1 Conclusions and Recommendations

the survey findings lend hemselves o a variey of conclusions and issues o consider.

there are sill significan opporuniies for many enerprises o transition ITs role to a more pro-active one.

this can be done hrough he use of mechanisms such as GEIt boards, an appropriae organisaion srucure

encompassing roles for managing business relaionships, and sandardised processes o effecively bridge he

business demand wih he It supply. It innovaion offers ample opporuniies for It o play a more pro-aciverole. For example, GEIt enablers such as opimal invesmen managemen processes can help ensure a balance

beween It innovaion and run-he-business iniiaives.

the right governance enablers can ensure the transparency of IT supply and demand and faciliae

decision making abou demand and is prioriisaion in pursui of value delivery o he enerprise.

I is a fac of business life ha specific evens, aciviies or even crises will arise ha will require some GEIt

objecives o ake precedence over ohers for a ime. However, i is imporan o noe ha GEIt objecives,

regardless of heir prioriy a a paricular ime, are relaed (e.g., an emphasis on value delivery will impac

resource managemen). therefore, GEIt iniiaives mus ake a balanced and holistic view of the five GEIT

focus areas (sraegic alignmen, risk managemen, value delivery, resource managemen, performance


8/70


1. Executive Summary

measuremen). During an economic crisis, when here is a srong focus on managing cos, effecive GEIt can

ensure ha his focus is balanced wih a view on invesmens ha can generae cos savings and are ulimaely

self-funding.

Governing enterprise IT effectively can help increase project success rates by addressing boh he way

projecs are seleced or approved (e.g., ensuring use of he righ gaing process and assessmen crieria) and he

way hey are governed and overseen, once hey are underway.

Successfully implementing GEIT depends on several factors: change managemen, communicaion, proper

scoping and idenificaion of achievable objecives.1 And he oucomes of a successful implemenaion are

worh i, producing boh shorer-erm, angible benefis such as reduced cos and longer-erm benefis such

as enhanced managemen of It-relaed risk, improved relaionships beween business and It, and increased

business compeiiveness. In fac, he survey resuls as repored in his publicaion can aid enterprises that

need to build a business case for GEIT initiatives.

Outsourcing can create significant benefits, with the proper governance focus. Enerprises using

ousourcing are more likely o have a pro-acive role of It and a beer percepion of It service levels and lesslikely o experience issues relaed o an insufficien number of It saff. Some enerprises have pu in place

dedicaed governance srucures such as an exernal service managemen commiee o repor on, oversee and

co-ordinae hird-pary services and delivery enerprise-wide. the inen is o ensure compliance wih corporae

and regulaory requiremens, preven value leakage and miigae ousourcing risks.

GEIT can help enable the adoption of emerging technologies such as cloud computing. More han

one-hird of he survey respondens repored significan legacy infrasrucure invesmens ha are inhibiing

heir cloud compuing plans. Enerprises will need o plan how legacy infrasrucure invesmens should be

managed and reired over ime. these are complex decisions ha require he involvemen of many sakeholders

from differen areas of he businessa process ha could be faciliaed by having a clear GEIt decision model

ha delineaes he responsibiliies and accounabiliies of hese sakeholders.

the use offrameworks and structures can help improve the governance of enterprise architecture.Frameworks and sandards such as COBIt,2 ItIL,3 ISO 27000 series and tOGAF4 can help improve GEIt,

bringing srucure and clariy o areas such as service managemen, informaion securiy and enerprise

archiecure. COBIt provides an overarching framework wihin which he more focussed frameworks and

sandards can be applied more effecively. Similarly, srucures such as an archiecure review board can

improve he re-use of and synergies beween iniiaives, ensure ha oal cos of ownership is considered, and

help reduce complexiy and increase agiliy over ime.

1.2 Overview of This Report

this repor is srucured as follows:

Section 2 provides an introduction to the research approach and objectives.

Sections 3 through 5 present key findings from the survey and supporting analyses. Section 6 highlights conclusions and provides recommendations to enterprises on the governance of

enerprise It.

the appendices conain he quesionnaire ha was uilised and informaion on he profile of survey

respondens.

1 ISACA,Impementing nd Continuy Improving IT Governnce, USA, 2009, www.isc.org/bookstore; provides excellen guidance onhow o ensure ha hese areas are properly addressed.

2 ISACA, COBIt 4.1, USA, 2007, www.isc.org/cobit3 Office of Governmen Commerce (OGC), It Infrasrucure Library, UK, www.iti-officisite.com4 Inernaional Organizaion for Sandardizaion, tOGAF Version 9, www.iso.org, www.theopengroup.org/togf


9/70


2. Introduction

In 2010, PricewaerhouseCoopers Belgium was commissioned by he It Governance Insiue (ItGI) o

conduc he fourh ediion of a marke research projec on he governance of enerprise It, resuling in his

Gob Sttus Report on the Governnce of Enterprise IT (GEIT)2011. Similar survey repors were issued in

2008, 2006 and 2004. this survey was conduced from June 2010 o Augus 2010 and included more han 800respondens from 21 counries across he globe.

2.1 Survey Approach

A combinaion of elephone and web survey mehods was uilised, employing a sandard quesionnaire for boh.

For he web survey, service providers were uilised ha have esablished panels of enerprises ha are willing

o paricipae in specific ypes of surveys. this had he advanage of improving he qualiy of daa received

(compared o open web surveys) and enabling specific enerprise profiles o be argeed (e.g., represenaion

across geographic locaions and indusries).

A oal of 834 surveys were compleed, of which 704 were received hrough he online survey and 130 were

gahered by elephone. the surveys were conduced in he naive language of he inerviewees, and included

Chinese, Czech, Duch, French, German, Japanese, Polish, Poruguese, Russian and Spanish.

the survey was carried ou under he Marke Research Sociey and Markeing Research Associaion codes

of conduc, guaraneeing complee anonymiy of he paricipans. None of he informaion obained in he

inerviews has been aribued o any individual and all commens have been reaed in he srices confidence.

the quesionnaire used (see appendix A) consised of 39 muliple-choice quesions. the quesions were

grouped as follows:

Seven demographic questions, to define the respondents position within his/her enterprise and the

organisaion iself

11 questions on the current business and IT strategy of the enterprise, the role of IT within the organisation,

issues encounered and iniiaives planned

12 questions on the current application of GEIT within the organisation

Nine questions related to topics of current special interest, such as outsourcing and cloud computing

Some of he more echnical It quesions were asked only of he It respondens.

A number of quesions were carried over from or were similar o hose used in previous surveys, enabling rend

analysis wih he hisorical daa.

2.2 Objectives

the objecives for he survey were:

Survey and analyse the degree to which the concept of GEIT is recognised, established and accepted by the

C-suie (boh business and It). this includes percepions of he imporance of It, he curren conribuion of

It o he business, accounabiliy for he governance of It and inegraion wih overall enerprise governance. Determine the level of GEIT that exists, the frameworks that are recognised and used in the market, and the

cerificaions ha are recognised and required/preferred in he marke.

Determine the impact of topics of current special interest related to GEIT. For this survey, this included the

impac of he economic crisis, innovaion and he governance of enerprise archiecure.

Objecives were also se relaive o argeed respondens:

Geographic representationA arge of 21 counries was se, represening broad geographic coverage.

Brazil, Russia, India and China (he BRIC counries) were included as imporan represenaives of newly

advanced economic growh.

Number of respondentsA arge of 730 paricipans was esablished, represening a leas 20 paricipans

per counry.


10/70

2. Introduction


Industry sectorsAdequae represenaion of a variey of secors

Organisation sizeResponses from boh smaller enerprises and larger enerprises were sough, he

differeniaor beween he wo being number of employees (see Key terms).

Business/ITthe objecive was o obain an equal spli beween business and It audiences.

More informaion on he profile of survey respondens is provided in appendix B.

2.3 Key Terms

throughou he repor a number of key erms are used ha are defined here o faciliae undersanding.

Survey demographic erms include:

Business and IT respondentsBusiness respondens are hose wih a non-It-relaed responsibiliy wihin

he organisaion, such as chief execuive officer (CEO), chief financial officer (CFO) or chief operaing

officer (COO). It respondens are hose wih an It-relaed responsibiliy, such as chief informaion officer

(CIO) or head of It.

Large and small enterprisestwo survey quesions relaed o organisaion size: number of employees andlaes available revenue figure. In his repor, he employee dimension was used o disinguish beween large

and small enerprises, large referring o hose wih 500 or more full-ime equivalen (FtE) saff members and

small o hose wih fewer han 500 FtEs.

Government-owned or private enterprisesA governmen-owned enerprise is one in which more han 50

percen of he shares are owned by a governmen, whereas in privae enerprises a leas half of he shares are

owned by privae companies or persons.

Amongs he It organisaion erms are:

Centralised IT organisationOne cenral It organisaion provides services o all funcions or business unis.

Decentralised IT organisationMuliple It organisaions provide services o various funcions or

business unis.

Federated IT organisationthis describes a hybrid of he cenralised and decenralised models. A cenral

It organisaion provides some It services, bu here are also It organisaions in some or all of he funcions

or business unis.

Reactive or pro-active role of ITIt has a reacive role in he organisaion when It is responding o he

business when he business has a formal reques. In a reacive role It is ypically echnically focussed and

concenraes on keeping exising sysems running and available. It has a pro-acive role in he organisaion

when It is a parner of he business and akes he iniiaive o help in It innovaion and achieving sraegic

objecives.


11/70


3. Perceptions of Enterprise ITand its Governance

this secion deals wih he key findings relaed o he firs objecive for he survey: deermine and analyse

he degree o which he concep of GEIt is recognised, esablished and acceped by he C-suie (boh business

and It). this includes percepions of he imporance of It, he curren conribuion of It o he business,

accounabiliy for he governance of It and inegraion wih overall enerprise governance.

the key findings are:

IT is considered to be important or very important to the delivery of the overall business strategy and vision

by 94 percen of respondens.

The contribution of IT to the business is widely recognised, with value creation of IT investments being one

of he mos imporan dimensions (menioned by more han nine ou of 10 respondens).

Seventy-seven percent of respondents from large enterprises mentioned that the head of IT is a member of the

senior managemen eam, confirming he increasing imporance of It in many enerprises.

More respondents describe the current role of IT in their enterprises as pro-active than reactive (55 percent

vs. 42 percen) bu he percenage wih a pro-acive role is higher (63 percen) in enerprises where some It

services are ousourced compared o hose wih no ousourcing.

The main initiatives planned by respondents in the next 12 months relate to major system implementations or

upgrades, It cos reducion, and daa or informaion. One in four respondents is planning green IT or sustainability initiatives.

Increasing IT costs and an insufficient number of IT staff are the main IT-related issues experienced by

respondens in he pas 12 monhs.

One in five respondents noted ending an IT-related project before it was fully implemented, with the main

reason being he projec did no deliver as promised or he projec exceeded is budge.

The main driver for GEIT activities is ensuring that current IT functionality is aligned with current

business needs.

the deailed findings are presened in he following subsecions. Where appropriae, cerain cross-analyses

have been performed o deermine relevan rends. the facors used for cross-analyses included (amongs

ohers) geographic locaion, company size by revenue and number of employees, indusry secor, It

organisaion model, business sraegy followed, ype of responden (business vs. It), ownership srucure, and

he curren It sourcing siuaion.


12/70



3.1 Importance of IT to the Delivery of the Overall Business Strategy and Vision

It is considered imporan or very imporan o he delivery of he overall business sraegy and vision by

almos all respondens (94 percen). this response has no varied significanly over he years ha he survey hasbeen performed, as indicaed in figure 1.

Cross-analysis

there is no grea variance beween business and It respondens: 54.0 percen of It respondens considered It

o be very imporan vs. 49.7 percen of business respondens, and 40.7 percen of It respondens considered It

o be imporan vs. 43.2 percen of business respondens.

the survey daa indicae ha It is more likely o be considered very imporan o he execuion of business

sraegy in enerprises where i has a pro-acive role (parnering wih he business o help i innovae and

achieve sraegic objecives) as opposed o a reacive role (responding o echnical needs, focussed on keeping

he environmen running and available). this is illusraed in figure 2.

Figure 1Importance of IT to the Delivery of the Business Strategy and Vision

100%

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%

2010 2008 2006 2004

Not important orNot important at all

Neither/norVery importantor Important

231 1

710

65

9187

9394


13/70



3.2 Contribution of IT to the Business

the conribuion of It o he business is widely recognised, wih value creaion of It invesmens being one of

he mos imporan dimensions.

It is generally seen as conribuing significanly o he business, as indicaed in figure 3. Value creaion of It

invesmens is he highes-scoring dimension; Its enablemen of rapid business change is on he oher end of

he specrum. An inabiliy o enable rapid business change can ofen be ascribed o issues wih he companys

enerprise archiecure, an issue ha many enerprises are addressing via he launch of enerprise archiecure

iniiaives wih a specific objecive of increasing It agiliy and an increased focus on he governance of

enerprise archiecure.

Figure 2Importance of IT Related to the Current Role of IT in the Enterprise

70%

60%

50%

40%

30%

20%

10%

0%Very

importantImportant Neither/nor;

Not important;Not important at all;

Dont know

46

58

32 32

50

3636

46

Pro-active Reactive Dont know


14/70



Cross-analysis

Figure 4 liss he percenages of business and It respondens ha seleced Srongly agree or Agree for each

dimension of It conribuion o he business.

Figure 4Perceptions of Business and IT Stakeholders on the Contribution of IT to the Business

Contribution of IT to the Business

Percent ofBusiness

RespondentsPercent of

IT Respondents

IT investments create value for the business. 87.8 92.4

IT service levels meet the business needs. 70.0 83.5

IT supports the business strategy. 71.7 89.5

IT enables rapid business change. 80.8 77.1

IT supports business regulation and compliance. 77.1 82.4

In mos dimensions, he It respondens are generally more posiive han heir business counerpars. the mos

sriking difference can be observed for It suppors he business sraegy, where almos 90 percen of It

respondens agree or srongly agree wih he saemen whereas considerably fewer (72 percen) of he businessrespondens hold a similar view.

I is also ineresing o noe (no refleced in figure 4) ha when i comes o It service levels meeing business

needs, a more posiive view is refleced amongs hose enerprises ha ousource some It services as opposed

o hose ha do no ousourcing.

Figure 3Contribution of IT to the Business

Strongly disagree/

Disagree/Dont know

IT service levels meetthe business needs.

IT investments createvalue for the business.

IT supports thebusiness strategy.

IT enables rapidbusiness change.

IT supports businessregulation and compliance.

Neither/norAgreeStrongly agree

0% 20% 40% 60% 80% 100%

7.3 2.452.338

15.6 755.821.6

10.6 3.453.432.6

18.8 745.728.5

16.5 3.653.826.1


15/70


16/70



Cross-analysis

Survey respondens descripions of he role of It (pro-acive vs. reacive) were compared o heir responses

o he quesion abou he head of Its membership on he senior execuive eam. A clear correlaion was

found beween he wo (figure 6). Of all respondens who menioned ha It has a pro-acive role in heirorganisaions, 80 percen also noed ha he head of It is a member of he senior execuive eam. the

converse was rue as well: a reacive It role ended o correlae wih he head of It no belonging o he senior

managemen eam.

3.4 Role of IT in the Organisation

Respondens were asked o characerise he curren role of It in heir enerprises as eiher pro-acive or

reacive. Overall, he majoriy of respondens described he curren role as pro-acive (54.6 percen vs.

42.4 percen), as indicaed in figure 7.

However, heads of It and business execuives do no necessarily agree. Heads of It are more likely o describehe curren It role as pro-acive (62.4 percen vs. 35.6 of business respondens), whereas business execuives

view he role as reacive (50.5 percen vs. 45.3 percen of It respondens).

this poins o an area in which GEIt could have a significan impacimproving communicaion and

ransparency beween business and It, and puing in place he righ enablers o ensure ha It can play a more

pro-acive role in he enerprise.

Figure 6Correlation Between Position of Head of IT and Role of IT

80.66

60.73

72

19.34

39.27

28

90%

80%

70%

60%

50%

40%

30%

20%

10%

0%

Reactive

Member Not a

member

Pro-active Dont know


17/70



3.5 Planned IT Initiatives

the main aciviies planned by respondens in he nex 12 monhs relae o major sysem implemenaions or

upgrades, It cos reducion iniiaives, and daa or informaion iniiaives (figure 8). I is also noeworhy ha

one-quarer of respondens are planning green It or susainabiliy iniiaives.

Figure 7Role of IT in the Enterprise

0% 20% 40% 60% 80%

IT (Base: 450)

Business (Base: 384)

Overall (Base: 834)

45.3

62.4

54.6

50.5

35.6

42.4

Pro-activePartnering with thebusiness to help it innovate and

achieve strategic objectives.

ReactiveResponding to businessneeds. IT is technically focussed

on keeping the environmentrunning and available.

Figure 8Major IT-related Initiatives Planned for Next 12 Months

Green IT/sustainability initiatives

Outsourcing IT services

Changing internal ITcosting arrangements

Data or information initiatives

IT-supported regulatorycompliance initiatives

IT risk managment initiatives

IT cost reduction initativesMajor IT system

implementations or upgrades

Major IT infrastructure initiatives

0% 20% 40% 60%

Business(Base: 384)

22.1%

26.0%

15.4%

45.1%

27.1%

28.9%

42.2%

40.9%

26.3%

IT(Base: 450)

27.8%

26.7%

21.1%

44.0%

31.3%

30.7%

48.0%

49.8%

34.8%

25.2

26.4

44.5

18.5

29.9

29.4

45.3

45.7

30.9


18/70



Cross-analysis

the views of business and It respondens are quie similar, wih he excepions being major It sysem

implemenaions or upgrades (40.9 percen vs. 49.8 percen) and major It infrasrucure iniiaives

(26.3 percen vs. 34.8 percen).

Large enerprises are more likely o be planning iniiaives in he nex 12 monhs han smaller enerprises

across he lis of iniiaives he responses of hose working in large enerprises are a leas 10 percen higher.

Smaller enerprises may be consrained in he iniiaives ha hey can underake by he availabiliy of financial,

human and oher resources.

An ineresing perspecive is revealed by cross-analysing planned iniiaives and he respondens view

on wheher It invesmens creae value for he business. Of hose respondens who expressed a negaive

percepion of he value of It invesmens (disagreed or srongly disagreed wih he saemen ha It

invesmens creae value), a significan porion are planning major It sysem implemenaion or upgrade

iniiaives. I may be ha he curren It sysems are generaing problems ha conribue o hese respondens

negaive percepions of It invesmens.

3.6 IT-related Issues Experienced in the Past 12 Months

Increasing It coss and an insufficien number of It saff were he main It-relaed issues experienced by

respondens in he pas 12 monhs. (Increasing It coss being menioned by almos four ou of 10 respondens

could be due o he emphasis on coss during he global economic crisis.) Oher prevalen issues included

insufficien It skills (possibly, bu no necessarily, relaed o an insufficien number of It saff), difficulies

implemening new It sysems and problems wih exernal It service providers (figure 9).

Comparing hese responses o he major iniiaives planned (discussed in subsecion 3.5), here are some

clear links beween cerain issues and iniiaives. For example, It cos reducion iniiaives are a response o

increasing It coss and major It sysem implemenaions.

Figure 9IT-related Issues Experienced in the Past 12 Months

Increasing IT costs

Return on investment not as expected

Serious opertional IT incidents

IT security or privacy incidents

Problems with externalIT service providers

Insufficient number of IT staff

Insufficient IT skills

Problems implementing new IT systems

IT disaster recovery orbusiness continuity issues

Dont know

None of the above

0% 20% 40% 60%

Business(Base: 384)

41.9%

17.4%

21.1%

18.2%

28.9%

28.9%

32.8%

29.7%

12.2%

2.9%

13.5%

IT(Base: 450)

36.0%

20.2%

14.7%

18.9%

28.2%

39.1%

30.0%

27.8%

14.9%

1.3%

15.1%

1ST

2ND

1

ST

2ND38.7

18.9

17.6

18.6

34.4

28.5

31.3

28.7

14.4

2.0

13.7


19/70



Cross-analysis

the views of business and It respondens do no differ significanly. the only issue ha generaes subsanially

differen responses is he insufficien number of It saff, which was menioned by 28.9 percen of business

respondens, bu by 39.1 percen of It respondens. I was he highes-scoring issue idenified by Itrespondens, whereas increasing It coss was a he op of he lis for business respondens.

Insufficien number of It saff was seleced by a significan number of respondens in he healhcare/

pharmaceuicals and ransporaion secors. Issues relaing o insufficien It skills were especially experienced

in he educaion and healhcare/pharmaceuicals secors.

I is perhaps couner o expecaions ha increasing It coss, It securiy or privacy incidens, insufficien

number of It saff, and problems implemening new It sysems are more prevalen in large enerprises

(figure 10).

Analysing hese It issues in reference o enerprises sance on ousourcing reveals ha ousourcing may parly

address he insufficien number of It saff. tha was menioned as an issue by 23.5 percen of respondenswho do no ousourcing vs.15.6 percen of hose who ousource some It services. On he oher hand, problems

implemening new It sysems are menioned by only 2.9 percen of non-ousourcing respondensonly

one-fifh of hose who ousource some It services (11.6 percen).

Comparing hese resuls o hose repored in he 2008 publicaion shows ha he prevalence of a number of

It issues has significanly decreased during he pas hree years (figure 11). there is a sharp decline in he

issues reurn on It invesmen no as expeced, insufficien number of It saff and It disaser recovery

or business coninuiy issues.

Figure 10IT-related Issues by Enterprise Size

IT disaster recovery or business continuity issues

Problems implementing new IT systems

Insufficient IT skills

Insufficient number of IT staff

Problems with external IT service providers

IT security or privacy incidents

Serious operational IT incidents

Return on investment not as expected

Increasing IT costs

None of the above

Dont know

0% 10%5% 20%15% 30%25% 40%35% 45%

1512.5

35.4

21.8

33.3

29.1

40.927.1

29.227.9

23.5

13.7

19.216.1

21.615.9

41.8

35.5

9.319.8

1.22.9

> 500 FTEs < 500 FTEs


20/70



3.7 Prematurely Ended IT Projects

One-fifh of all respondens noed ending an It-relaed projec premaurelybefore i was fully implemened.

the 21 percen response may be considered high because i perains only o hose projecs no compleed; i

does no include oher projecs ha migh have been candidaes for premaure closureha is, hey were no

wihin ime and/or budge and did no achieve objecivesbu ha were compleed.

Cross-analysis

there were no significan differences beween he views of It and business respondens. More han one-quarer

of larger enerprises indicaed ha an It-relaed projec was ended before being fully implemened compared o

14.7 percen of smaller enerprises.

Cross-referencing his quesion o he quesion on he imporance of It o he successful delivery of he

business sraegy or vision indicaes ha he premaure ending of an It-relaed projec is more prevalen in

hose enerprises ha do no consider It imporan o he achievemen of business sraegy (figure 12).

the main reasons respondens saed for ending an It-relaed projec before i was fully implemened were ha

he projec was no delivering as promised, i was exceeding he budge and/or here was a change in business

needs (figure 13).

Figure 12Premature Project Termination and the Importance of IT to Business Strategy

IT is not important to the delivery ofthe business strategy or vision.

Neither/nor

IT is important to the delivery ofthe business stategy or vision.

IT is very important to the delivery ofthe business strategy or vision.

Percent of respondents mentioning the premature termation of an IT-related project

0% 10% 20% 30% 40%

37.5

15

18.34

23.5

Figure 11Trends in Issues Experienced, 2008 vs. 2010

Issue 2008 2010

Return on IT investment not as expected 41% 19%

Serious operational IT issues 23% 18%

IT security or privacy incidents 21% 19%

Insufficient number of IT staff 58% 34%

Insufficient IT skills 38% 31%

IT disaster recovery or business continuity issues 26% 14%


21/70



I is ineresing o noe he differences beween It and business respondens. the op reason menioned by

business respondens is ha he projec did no deliver as promised (in second place for It respondens),

whereas It respondens poin o he projec exceeding budge as he op reason (in hird place for business

respondens). this may highligh an opporuniy o increase ransparency regarding projecs, heir managemen

and governance, o beer align business and It percepions.

Exceeding budge was more commonly cied as a reason for ending It-relaed projecs early in he energy and

elecommunicaions secors han in oher indusry secors.

Alhough large enerprises erminae projecs premaurely more han small enerprises, when small enerprises

do end a projec early, i is more han wice as likely as a large enerprise o be due o he projec falling behind

schedule (20.0 percen vs. 9.6 percen).

3.8 Drivers for GEIT Activities

Ensuring ha curren It funcionaliy is aligned wih curren business needs is he mos imporan driver for

GEIt aciviies. the second mos frequenly menioned driver was managing cos (figure 14).

Figure 13Reasons for Ending an IT-related Project Prematurely

Exceeded budget

Fell behind schedule

Did not deliver as promised

Business needs changed

No longer a priority

Did not support busness stategy

Other

Dont know

0% 20% 40% 60%

Business(Base: 73)

16.4%

13.7%

32.9%

23.3%

4.1%

2.7%

5.5%

1.4%

IT(Base: 102)

25.5%

12.7%

20.6%

17.6%

13.7%

4.9%

4.9%

0%0.6

1ST

2ND

1ST

2ND

21.7

25.7

20

13.1

9.7

4

5.1


22/70



Cross-analysis

the views of business and It respondens are very similar for his quesion, wih he excepion of compliance

as a driver, which was menioned by more business han It respondens.

Increasing agiliy o suppor fuure changes in he business is more prevalen amongs enerprises ha are

more han 50 percen publicly owned. I is menioned as a driver by 21 percen of hese enerprises compared o

11 percen or less for oher ownership srucures. Complying wih indusry and/or governmenal regulaions is

menioned as a driver by 17 percen of enerprises ha are more han 50 percen governmen owned, compared

o responses of eigh percen or less for oher ownership srucures.

the lis of drivers was cross-referenced o he responses on he imporance of It o he successful delivery

of he business sraegy or vision. the Managing cos driver was menioned by half of he enerprises hado no consider It imporan o delivering he business sraegy, bu was seleced much less frequenly by

enerprises ha do consider It imporan or very imporan o delivery of he business sraegy (figure 15).

If It is considered an unimporan componen in delivering he business sraegy, a primary focus on managing

cos is ofen he consequence.

Figure 15Cross-reference of Managing costs Driver and the Importance of IT to Delivery of the Business Strategy

IT is not important to the delivery ofthe business strategy or vision.

Neither/nor

IT is important to the delivery ofthe business stategy or vision.

IT is very important to the delivery ofthe business strategy or vision.

Percent of respondents mentioning Managing costs as a driverfor their enterprises IT-related activities

0% 20% 40% 60%50%10% 30%

50

15

24.36

16.82

Figure 14Drivers for GEIT Activities

0% 20% 40% 60%

Business

(Base: 384)

8.9%

19.8%

35.4%

12.5%

9.4%

11.2%

IT

(Base: 450)

11.6%

20.4%

40.0%

10.9%

9.6%

6.2%

10.3

20.1

37.9

11.6

9.5

8.5

Avoiding negative incidents

Managing costs

Ensuring that current IT functionality isaligned with current business needs

Increasing agility to support futurechanges in the business

Achieving better balance between innovationand risk avoidance to improve return

Complying with industry and/orgovernmental regulations


23/70


4. The Maturity and State of GEIT

this secion builds on he findings of he previous secion and addresses he second objecive of he survey:

o deermine he level of GEIt ha exiss, he frameworks ha are recognised and used in he marke, and he

cerificaions ha are recognised and/or preferred in he marke.

Key findings relaed o his objecive are:

GEIT frameworks/standards and other IT best practice frameworks/standards are seen to be the most

imporan enablers for effecive GEIt.

Large IT and consultancy firms are deemed to have the highest capability to provide guidance or solutions

in GEIt.

Two-thirds of respondents have some level of GEIT measures in place, and only five percent do not think that

GEIt is imporan. the mauriy level of smaller enerprises is lower overall han larger ones. the overall

mauriy level is also lower in enerprises where It is no considered imporan o he delivery of business

sraegy and in enerprises wih a decenralised organisaion model.

IT policies and standards is the most common GEIT practice, followed by defined and managed IT processes.

The strategy and the culture of the organisation have most influenced the implementation of GEIT practices,

being menioned by half of he respondens.

ITIL or ISO 20000 was most often mentioned by respondents as the framework or standard on which theybase heir GEIt approaches. ISACAs Risk It framework, which was launched in 2009, is already being used

by 10 percen of respondens.

TOGAF 9 and PRINCE2 are the most popular IT-related certifications. ISACAs CGEIT certification,

which was inroduced in 2007, has gained a solid ake-up wih 35.3 percen of respondens reporing a

significan number of It employees holding he cerificaion and a furher 27.6 percen wih some It

employees so cerified.

The improved management of IT-related risk and improved communication and relationships between

business and It are he mos commonly experienced oucomes of GEIt pracices, menioned by four ou

of 10 respondens. Lower It coss are repored as an oucome by 38.0 percen of respondens and improved

business compeiiveness by 28.0 percen.

The main challenges experienced in implementing GEIT mechanisms are communication, change

managemen and rying o do oo much a once.

4.1 Enablers for Effective GEIT

the mos imporan enablers for he effecive GEIt are GEIt-relaed frameworks/sandards and oher It bes

pracice frameworks/sandards. Whie papers or oher GEIt research and GEIt-relaed cerificaions were

deemed he leas imporan enablers (figure 16).

4.2 Providers of GEIT Guidance or Solutions

Large It and consulancy firms are deemed o have he highes capabiliy o provide guidance or soluions

relaive o GEIt. Oher organisaions ha were raed as having high capabiliies include marke analyss

(Garner, Forreser, IDC, ec.), ItGI and he Big 4 firms (PricewaerhouseCoopers, Deloie, KMPG, Erns

& Young), as illusraed in figure 17. I is somewha of an anomaly ha he providers receiving he highesrainglarge It and consulancy firmsalso receive a relaively significan percenage of respondens placing

hem in he poor or very poor end of he specrum.


24/70



4.3 Level of GEIT Measures in Place

two-hirds of respondens enerprises have some degree of GEIt measures in place (figure 18). Only a very

small number (five percen) consider GEIt unimporan.

Cross-analysis

Responses from business and It respondens are very similar, as noed in figure 18.

Figure 16GEIT Enablers

Figure 17Capability of Organisations That Provide or Implement GEIT Guidance or Solutions

Framework/standards related to governance of IT

Other IT best practice framework/standards

Tool kits to support the implementation orimprovement of the governance of IT

Benchmarking capabilities

White papers or other governance of IT research

Certifications related to governance of IT

Face-to-face networking

Electronic networking

Sum of scores

0 8040 160120 240200 320280

284

193

147

295

41

55

102

61

Base: 450 (IT only)

-18% 2%0% 22% 42% 62%

Market analysts

Software vendors

Big 4 firms

ISACA

ITGI

Large IT and consultancy firms

Smaller or niche IT consultancy firms

Universities

Strategy consultancies

Local professional orgovernmental organisations

Very poor

capability

Poor

capability

Good

capability

Very good

capabilityBase: 450 (IT only)

-0.7

-1.8

-0.2

-0.7

-3.8

-1.6

-1.8

-4.9

-2.4

-3.6

-2.7

-2.4

-1.6

-2.4

-8.0

-6.2

-7.3

-12.2

-5.8

-11.1

40.2

40.4

29.8

24.4

40.9

45.3

39.6

24.9

28.4

21.6

13.1

12.9

6.2

8.2

9.3

16.0

11.1

6.0

7.1

5.3


25/70



Comparing hese resuls agains he resuls of a 2009 ItGI survey ha was similar in focus bu argeed owards

business execuives and agains he 2008 version of his survey reveals ha hese resuls are similar o he 2009

findings, excep for he mauriy level We are well aware his is imporan and have a number ofd hoc

measures in place (figure 19). Overall, enerprises repored a slighly higher mauriy profile in he 2008

surveybu i should be noed ha he respondens in he 2008 survey were mosly heads of It.

Figure 18Enterprise Maturity Level for GEIT

Figure 19Comparison of GEIT Maturity Level to Previous Survey Results

We do not think this is important.

We understand this is an issue but are just startingto assess what needs to be done.

We are well aware this is important and we have anumber of ad hocmeasures in place.

We have well-defined governance of IT measuresand processes in place.

We have well-functioning governance of IT processesand a performance measuring system in place.

Our processes relating to governance of IT are continuouslyoptimised based on performance measurement results.

Dont know

0% 20% 40% 60%

Business(Base: 384)

5.2%

24.0%

25.0%

22.1%

9.6%

8.1%

6.0%

IT(Base: 450)

4.7%

21.6%

32.4%

23.1%

7.6%

6.4%

4.2%

22.7

22.7

29

4.9

8.5

7.2

5

We do not think this is important.

We are well aware this is important and we have anumber of ad hocmeasures in place.

We understand this is an issue but are just startingto assess what needs to be done.

We have well-defined governance of IT measuresand processes in place.

We have well-functioning governance of IT processes

and a performance measuring system in place.

Our processes relating to governance of IT are continuouslyoptimised based on performance measurement results.

Dont know

0% 5% 10% 15% 20% 25% 30% 35% 40%

2010 2008 CEO survey

4.9

14

22.7

1320

29

38

22.7

30

30

20

8.5

1611

7.28

7

5


26/70



Figure 20 shows ha smaller enerprises repored a lower mauriy profile han larger enerprises. Eighy-one

percen of large enerprises have a leas d hoc GEIt measures in place, while only 53.5 percen of small

enerprises claim his level of mauriy

Figure 20GEIT Maturity Levels of Large and Small Enterprises

Maturity < 500 FTEs 500FTEs

We do not think this is important. 8.3% 1.7%

We understand this is an issue but are just starting to assess what needs to be done. 30.8% 14.5%

We are well aware this is important and we have a number of ad hocmeasures in place. 25.9% 32.1%

We have well-defined governance of IT measures and processes in place. 15.9% 29.2%

We have well-functioning governance of IT processes and a performance measurementsystem in place.

4.4% 12.6%

Our processes relating to governance of IT are continuously optimised based onperformance measurement results.

7.3% 7.1%

the responses on GEIt mauriy levels were cross-referenced o hose relaing o he imporance of It o he

delivery of he business sraegy or vision. Figure 21 shows ha organisaions ha do no consider It imporan

o he delivery of he business sraegy also generally have a lower GEIt mauriy level.

Figure 21Comparison of GEIT Maturity Level to the Importance of IT to Delivery of the Business Strategy

40%

35%

30%

25%

20%

15%

10%

5%

0%

Very important Important Neither/nor Not important

We do notthink this

is important.

We understandthis is an issue

but are juststarting to assess

what needs tobe done.

We are wellaware this isimportant and

we have anumber of

ad hoc

measures inplace.

We havewell-defined

governance ofIT measures and

procedures in place.

We havewell-functioninggovernance ofIT processes

and aperformancemeasuring

system in place.

Our processesrelating to

governance of ITare continuouslyoptimised basedon performancemeasurement

results.

3

6

8

38

20

26

23

13 13 13 13

30 28 28

25

2118

9

8 8

0

9

5 5


27/70



Cross-referencing he responses on GEIt mauriy levels o he It organisaion model indicaes ha cenralised

and federaed It organisaions have an overall higher mauriy profile han decenralised (figure 22).

4.4 Common GEIT Practices

the mos common GEIt pracice is It policies and sandards, followed by defined and managed It processes.

It governance frameworks, mechanisms o measure progress and he use of seering commiees are less widely

used (figure 23).

Cross-analysis

Business and It respondens have similar views. However, as shown in figure 23, he percenage of business

respondens is consisenly lower han It respondens across all pracices.

Analysing responses by enerprise size, GEIt pracices are more prevalen in larger enerprises han in smaller

enerprises (figure 24). I is also noeworhy ha even amongs larger enerprises, only one-quarer have

mechanisms o measure progress owards improved GEIt.

Figure 22Comparison of GEIT Maturity Level to IT Organisation Model

5

9

1

22

28

21

2931

28

25

17

22

9

4

13

7

5

10

40%

35%

30%

25%

20%

15%

10%

5%

0%

Centralised Decentralised Federated

We do notthink this

is important.

We understandthis is an issue

but are juststarting to assess

what needs tobe done.

We are wellaware this isimportant and

we have anumber of

ad hoc

measures inplace.

We havewell-defined

governance ofIT measures and

procedures in place.

We havewell-functioninggovernance ofIT processes

and aperformancemeasuring

system in place.

Our processesrelating to

governance of ITare continuouslyoptimised basedon performancemeasurement

results.


28/70



Figure 24GEIT Practices by Enterprise Size

GEIT Practice Small Enterprises Large Enterprises

IT governance framework 20.5% 44.7%

IT principles 30.6% 46.1%

IT policies and standards 46.9% 71.7%

Defined and managed IT processes 35.9% 51.1%

Overall IT performance monitoring practices 33% 43.5%

Mechanisms to specifically measure performance/progress towards improvedgovernance of IT

16.1% 25.4%

Governance of IT structures 13.4% 34%

4.5 Factors That Influence the Implementation of GEIT Practices

Business objecives or sraegy is he facor mos heavily influencing he implemenaion of GEIt pracices,

followed by he culure of he organisaion, is way of working and human facors (figure 25).

Cross-analysis

Figure 25 shows ha he responses of business and It respondens are fairly similar, wih he excepion of

the regulaory environmen and specific compliance requiremens, which is menioned by more by It han

business respondens.

Comparing responses by organisaion size, he facor relaing o regulaory environmen and compliance

requiremens is more influenial in larger enerprises (42.3 percen vs. 24.7 percen for smaller enerprises)

while he indusry or marke forces facor is slighly more prevalen in smaller enerprises (28.1 percen

vs. 20.4 percen).

Figure 23GEIT Practices

IT governance framework

IT principles

IT policies and standards

Defined and managed IT processes

Overall IT performancemonitoring practices

Mechanisms to specifically measure performance/progress towards improved governance of IT

Governance of IT structures, suchas relevant steering committees

0% 20% 40% 60%

Business(Base: 384)

28.9%

34.4%

56.8%

43.8%

35.4%

19.5%

21.6%

IT(Base: 450)

36.2%

41.8%

62.0%

43.8%

40.9%

22.2%

25.6%

3RD

2ND

1ST 3RD

2ND

1ST32.9

38.4

59.6

43.8

38.4

21.0

23.7


29/70



4.6 Basis for an Enterprises GEIT Approach

ISO 20000 is he exernal framework mos frequenly menioned as a basis for an enerprises GEIt approach.

the second mos commonly cied exernal framework or sandard on which an enerprise bases is GEIt

approach is ISO 17799/ISO 27000, he Informaion Securiy Framework or oher securiy sandards

(figure 26). I is also ineresing o noe ha ISACAs Risk It framework,5 released in 2009, is already being

used by 12 percen of he responden enerprises.

Figure 25Factors Influencing the Implementation of GEIT Practices

Figure 26External Frameworks and Standards Used as Basis for GEIT Approach

The culture of the organisation,its ways of working and human factors

The regulatory environment andspecific compliance requirements

The business objectives or strategy

Industry or market forces

0% 20% 40% 60%

Business(Base: 384)

46.9%

28.9%

58.9%

26.8%

IT(Base: 450)

52.0%

37.8%

55.3%

22.0%

33.7

49.6

57.0

24.2

TOGAF

ITIL or ISO 20000

ISO 17799, ISO 27000, Information Security Frameworkor other security standards

Six Sigma

COBIT (ISACA)

PMI/PMBOK

Risk IT (ISACA)

IT Assurance Framework (ISACA)

CMM or CMMI

ISO 38500

BMIS (Business Model for Information Security [ISACA])

PRINCE2

Val IT (ISACA)

COSO ERM

Base: 450 (IT only) 0% 5% 10% 15% 20% 25% 30%

1.6

2.9

4.9

6.4

7.8

8.2

9.3

9.8

12

12.7

12.9

15.1

21.1

28

5 ISACA, The Risk IT Frmework, USA, 2009, www.isc.org/riskit


30/70



Overall i can be saed here is no single framework recognised as he marke leader and organisaions

end o look a muliple sources for guidance. I should be noed ha his quesion was posed only o he It

respondens.

Cross-analysis

Larger enerprises end o use mos of he exernal frameworks or sandards more han smaller enerprises.

Uncovering rends in he use of some of hese GEIt frameworks by comparing hese resuls o resuls from

previous ItGI surveys reveals an increase in he use of he securiy frameworks (ISO 27000, Informaion

Securiy Framework, ec.), PMI/PMBOK, Six Sigma and CMM/CMMI (figure 27). (Hisorical daa are no

available for all of he frameworks.) In general, figure 27 shows an increase in accepance of frameworks and

sandards as a ool for achieving GEIt.

4.7 Popular IT-related Certifications

tOGAF 9 and PRINCE2 are he mos frequenly cied It-relaed cerificaions, followed by ISACAs Cerified

in he Governance of Enerprise It (CGEIt) cerificaion (figure 28). the Projec Managemen Professional

(PMP) cerificaion was he leas known by respondens, bu his could be due o he PMP cerificaion being

more popular in some regions and PRINCE2 being more popular in ohers.

Figure 27Trends in Usage of External Frameworks and Standards

COBIT

ISO 27000 and other security standards

Val IT

ITIL/ISO 20000

PRINCE2

PMI/PMBOK

Six Sigma

COSO ERM

CMM or CMMI

0% 5% 10% 15% 20% 25% 30%

2010 2008 2006

109

21.1

4.9

914

12.9

2824

12.7

13

6.4

3

15.12

2

5

1.61

1

4

44

9.3


31/70



Cross-analysis

Figure 26 illusraes ha ItIL is one of he frameworks mos commonly used by respondens as a basis for

a GEIt approach. However, is populariy as a framework apparenly does no ransfer o ItIL cerificaions,

as can be seen in figure 28.

Figure 28Awareness and Uptake of IT-related Certifications

A significant number of ouremployees have this certification.

Certified in the Governance of Enterprise IT (CGEIT)

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

ITIL Foundation

ITIL Service Manager

PRINCE2 Foundation

PRINCE2 Practitioner

TOGAF 9 Foundation

TOGAF 9 Certification

Certified Associate in Project Managment

Project Management Professional (PMP)

Certified Information Systems Security Professional (CISSP)

0%

24 31 29 16

19 28 33 19

25 33 27 15

43 28 11 18

43 28 12 18

37 32 14 17

37 29 18 16

23 34 28 14

24 28 30 18

24 34 27 15

25 35 25 15

35 28 25 12

50% 100%

Some of our IT employeeshave this certification.

Aware but no one in ourorganisation is certified.

Not aware ofthe certification.


32/70



4.8 Outcomes of GEIT Practices

the mos commonly experienced oucomes of GEIt pracices are improvemens in wo key areas:

managemen of It-relaed risk and communicaion and relaionships beween business and It. Lower Itcoss, improved It delivery of business objecives, and enhanced ransparency of It and is aciviies are also

frequenly experienced (figure 29).

the oucomes idenified cover boh angible and shorer-erm aspecs, such as lower It coss, and more

inangible and longer-erm benefis, such as improved communicaion and ransparency.

Almos four ou of 10 respondens cied lower cos as an oucome of GEIt pracices and almos hree of 10

respondens cied improved business compeiiveness. these resuls can be useful o enerprises looking o

build a business case for implemening or improving GEIt pracices.

Cross-analysis

It respondens poined o improved managemen of It-relaed risk as he mos prevalen oucome of GEIt

pracices, whereas business respondens seleced improved communicaion and relaionships beween business

and It. All of he oucomes lised generally received more responses from It han business respondens, wih

he excepion of increased business compeiiveness, favoured by business respondens.

Large enerprises repored improved managemen of risk as he leading oucome of GEIt pracices, while small

enerprises seleced lower It coss. Boh large and small enerprises placed improved communicaion and

co-operaion beween business and It in he second spo.

Figure 29Outcomes of GEIT Practices

Improved management of IT-related risk

Improved return on IT investments

Lower IT costs

Improved transparency of IT and its activities

Improved communication and relationshipsbetween business and IT

Improved tracking and monitoring of IT performance

Improved IT innovation

Improved IT delivery of business objectives

Improved business competitiveness

None of the above

0% 20% 40% 60%

42.2

Business(Base: 384)

37.2%

23.4%

35.2%

31.5%

38.8%

27.3%

18.5%

34.9%

34.4%

8.9%

IT(Base: 450)

46.4%

30.2%

40.4%

37.1%

40.2%

30.0%

25.3%

39.3%

22.7%

6.7%

27.1

38

34.5

28.8

39.6

22.2

37.3

7.7

28.1


33/70



4.9 Challenges Implementing GEIT

the main challenges experienced in implemening GEIt mechanisms are communicaion, change managemen

and rying o do oo much a once. On he oher hand, ineffecive curren enerprise governance is noexperienced as a challenge by many of he respondens enerprises and around hree-quarers of enerprises are

no experiencing a challenge obaining required business paricipaion (figure 30).

the findings relaed o communicaion and change managemen are in line wih he resuls repored in secion 4.5,

where half of he respondens seleced the culure of he organisaion, is way of working and human facors

as a facor in influencing GEIt implemenaions.

Cross-analysis

the responses of business and It respondens are fairly similar, wih wo excepions: lack of senior

managemen commimen and suppor and change managemen are menioned more frequenly by It

respondens. the visible commimen and suppor of senior managemen is frequenly menioned in It-relaed

publicaions as a criical success facor for GEIt implemenaions.6

All challenges are ypically experienced more frequenly in larger han in smaller enerprises, wih he

excepion of trying o do oo much a once, which is equally prevalen in boh. the High levels oforganisaional complexiy (operaing model, organisaional) challenge is cied by only 14 percen of smaller

enerprises, bu 39 percen of larger ones.

Figure 30Challenges in Implementing GEIT Mechanisms

Change mangement

Communications issues

Lack of senior management commitment and support

Difficulty demonstrating value and benefits

Getting required business participation

Ineffective current enterprise governance

High levels of organisation complexity(operating model, organisational)

Trying to do too much at once

Dont know

None of the above

0% 20% 40% 60%

Business(Base: 384)

34.1%

40.4%

24.0%

29.9%

23.7%

14.1%

26.8%

40.1%

6.0%

8.1%

IT(Base: 450)

41.6%

42.0%

36.7%

30.7%

24.9%

14.2%

26.7%

36.9%

2.7%

4.9%

38.1

41.2

30.8

30.3

14.1

24.3

26.7

38.4

6.4

4.2

6 ISACAsImpementing nd Continuy Improving IT Governnce is one such publicaion, amongs many ohers.


34/70




35/70


5. Topics of Special Interest

this secion focuses on findings relaed o he hird objecive for he survey: deermine he impacs of opics of

curren special ineres relaed o GEIt. For purposes of his survey, his included he impac of he economic

crisis, innovaion, and he governance of enerprise archiecure.

Key findings relaed o his objecive are:

Outsourcing is widely utilised: 73 percent of respondents have fully outsourced some of their IT activities

and anoher 20 percen use parial ousourcing. Full ousourcing of some It aciviies is more prevalen in

larger enerprises, enerprises wih a cenralised organisaion model, and hose in which It is considered

imporan or very imporan o he delivery of he business sraegy or vision.

Sixty percent of respondents enterprises use or are planning to use cloud computing for non-mission-critical

It services, and more han 40 percen use or are planning o use i for mission-criical It services. Daa

privacy and securiy concerns are he main reasons enerprises give for no planning o use cloud compuing.

The primary initiatives implemented in response to the economic downturn are a reduction in contractor and

permanen saff numbers and infrasrucure consolidaion.

Almost half of the business respondents report that their enterprises have implemented or are planning

iniiaives o promoe It innovaion. the It respondens idenify he primary iniiaives as monioring

emerging echnologies and working collaboraively wih business saff. The measure most commonly used to govern enterprise architecture is defined technology standards.

Measures o govern enerprise archiecure are mos prevalen in enerprises in which It has a pro-acive role

and in enerprises ha consider growh hrough mergers or acquisiion as he mos imporan driver of he

business sraegy.

Four out of 10 respondents believe that the risks of employees using social networking outweigh the benefits.

5.1 Outsourcing of IT Activities

Ousourcing of It aciviies is widely prevalen, wih 73 percen of respondens fully ousourcing some of heir

It aciviies and a furher 20 percen ousourcing parially (figure 31).

End-user suppor and It help desk aciviies are more likely o be fully ousourced han infrasrucure-relaed

aciviies or applicaion developmen and mainenance, as illusraed in figure 32.

Cross-analysis

Small enerprises fully ousource he It aciviies lised in figure 32 10 percen more ofen han do large

enerprises.

Figure 31Outsourcing of IT Activities

Fully outsourced

Partially outsourced

Not outsourced

Dont know

20%

5%2%

73%


36/70


37/70



5.2 Current and Planned Use of Cloud Computing

Six ou of 10 respondens currenly use or plan o use cloud compuing for non-mission-criical It services,

compared o four ou of 10 who use i or plan o use i for mission-criical It services (figure 34).

those respondens no planning o use cloud compuing cied daa privacy and securiy concerns as hemain reasons (figure 35). I is also noeworhy ha a significan number of respondens have concerns abou

reliabiliy and one-hird have significan legacy infrasrucure invesmens ha are influencing heir cloud

compuing plans.

Cross-analysis

the curren use of cloud compuing is very similar amongs small and large enerprises for boh mission-criical

and non-mission-criical It services. However, more large enerprises are planning o use cloud compuing in

he fuure.

Cross-referencing he planned and curren usage of cloud compuing o respondens views on he imporance

of It o he successful delivery of he business sraegy and vision reveals ha cloud compuing is more likely

o be currenly used or planned in enerprises where It is considered imporan or very imporan o business

sraegy delivery.

While Its role as reacive vs. pro-acive does no seem o affec he level of curren usage of cloud compuing,

more enerprises wih a pro-acive model are planning o use cloud compuing in he fuure.

Figure 34Use of Cloud Computing

Currently using

For mission-criticalIT services

For non-mission-critical IT services

0% 20% 40% 60% 80% 100%

12.4 30.1 57.5

19.4 40.6 40

Planning to use Not planning to use


38/70



Amongs all respondens who indicaed ha hey are or fully or parly ousourcing a leas one of heir It

aciviies, more han 60 percen are planning o use cloud compuing for non-mission-criical It sysems

(figure 36). More han 40 percen plan o use i for mission-criical It sysems.

Cloud compuing-relaed concerns abou securiy, daa privacy and legacy infrasrucure invesmens are

generally higher in large enerprises han in small ones.

Figure 35Reasons for Not Using Cloud Computing

Figure 36Use of Cloud Computing Amongst Outsourcing Enterprises

Security concerns

Data privacy concerns

Compliance concerns

Reliability concerns

Legacy infrastructureinvestments

Other

0% 20% 40% 60% 80% 100%

47.2

49.6

15.7

41.7

34.6

25.2

60%

50%

40%

30%

20%

10%

0%

18.18 19.35

27.27

41.35 39.30

54.55

Mission-critical IT systems Non-mission-critical IT systems

Currentlyusing

Planningto use

Not planningto use


39/70



5.3 Initiatives Implemented in Response to the Economic Downturn

Reducing conracor and permanen saff numbers and consolidaing infrasrucure were he main iniiaives he

survey respondens repored implemening in 2009 and 2010 o comba he economic downurn (figure 37).Almos a quarer of respondens also invesed in echnologies ha can reduce process or business cos, and

approximaely one in eigh changed heir GEIt approach.

Cross-analysis

In general, more It respondens indicaed ha a specific iniiaive had been implemened in heir enerprises

han did business respondens. the excepions were Implemening sricer invesmen evaluaion measuresand Cenralised It procuremen, seleced by more business respondens. the greaes difference beween It

and business respondens was refleced in Reduced conracor saff numbers, which was menioned by

34.2 percen of It respondens bu only 24.0 percen of business respondens.

An analysis of he responses by enerprise size indicaes ha he following iniiaives were more prevalen

amongs large enerprises han small ones (differences in response rae of 10 percen or higher):

Reduction in permanent staff numbers

Reduction in contractor staff numbers

Consolidation of sites/data centres

Consolidation of infrastructure (servers, networks, etc.)

Optimisation of the project portfolio

Figure 37Initiatives Implemented in Response to the Economic Downturn

Reduced permanent staff numbers

Consolidated sites/data centres

Reduced application licences

Reduced contractor staff numbers

Consolidated infrastructure (servers, networks, etc.)

Consolidated the application portfolio

Optimised the project portfolio

Implemented stricter investment evaluation measures

Redefined service level agreements (SLAs) with external service providers

Invested in technologies that can reduce process or business cost

Centralised IT procurement

Redefined service level agreements (SLAs) with the business to better manage demand

Changed sourcing arrangements

Changed approach to governance of IT

Dont know

None of the above

28.3

29.5

17.4

27.2

18.7

13.7

21.1

19.8

19.1

15.2

10.9

23.4

16.4

12.4

17.1

4.0

0% 5% 10% 15% 20% 25% 30% 35%


40/70



Cross-referencing he iniiaives implemened in response o he economic downurn and he imporance of

It o he delivery of he overall business sraegy or vision reveals ha he following iniiaives were more

frequenly menioned by respondens in whose enerprise It is no considered imporan o delivery of he

business sraegy or who gave an ambivalen response (neiher/nor) o he quesion han by respondens inwhose enerprise It is considered imporan or very imporan o business sraegy delivery:

Reduction in application licences (22.5 percent vs. 12.2 percent)

Redefinition of service level agreements (SLAs) with the business to better manage business demand

(15.4 percen vs. 7.2 percen)

Change in the GEIT approach (17.4 percent vs. 7.9 percent)

Conversely, he following iniiaives are menioned by more respondens in whose enerprise It is considered

imporan or very imporan o delivery of business sraegy han by respondens in whose enerprise It is no

considered imporan or who gave an ambivalen response (neiher/nor):

Optimisation of the project portfolio (14.9 percent vs. 3.1 percent)

Investment in technologies that can reduce process or business cost (16.0 percent vs. 4.1 percent)

Consolidation of sites/data centres (12.2 percent vs. 3.1 percent)

Consolidation of infrastructure, e.g., servers, networks (18.9 percent vs. 8.2 percent)

An analysis of iniiaives implemened o respond o he economic downurn by curren sourcing siuaion

showed ha a reducion in permanen saff numbers, opimisaion of he projec porfolio and he

implemenaion of sricer invesmen evaluaion measures were menioned more frequenly by respondens in

enerprises no currenly ousourcing any It services (including boh parial and full ousourcing). Conversely,

a reducion in conracor saff numbers, consolidaion of sies/daa cenres, consolidaion of he applicaion

porfolio, redefiniion of SLAs wih he business, and an invesmen in echnologies ha can reduce process

or business cos were menioned more frequenly by respondens whose enerprises are currenly ousourcing

some It services (figure 38).

5.4 Mechanisms to Promote IT Innovation

Only he It respondens were asked he quesion abou mechanisms heir enerprises had already implemened

or planned o implemen o promoe It innovaion. Monioring emerging echnologies and working

collaboraively wih business saff o explore innovaion were he mos frequenly idenified planned or

implemened mechanisms. Beween one-fourh and one-hird of respondens enerprises have implemened or

plan o implemen a broad range of mechanisms and he percenages do no vary widely amongs he differen

responses (figure 39).

Cross-analysis

Wih he excepion of Allocaion of ime o spend working on experimens or rying ou ideas, all responses

were cied by more It respondens from large enerprises han small enerprises (response rae of 10 percen

or higher).

the responses on planned or implemened mechanisms o promoe It innovaion were cross-referenced o heresponses on he imporance of It o he delivery of he overall business sraegy or vision. the resuls show

ha training for It managers o beer undersand how It innovaions can creae business opporuniies

is menioned by more respondens in enerprises ha consider It imporan or very imporan o delivery of

business sraegy han respondens in enerprises ha do no consider It imporan in delivering business

sraegy or who gave an ambivalen response (neiher/nor)35.6 percen vs. 6.7 percen. Conversely, Special

invesmen appraisal and funding mechanisms o perform pilos wih emerging echnologies was cied by

more respondens whose enerprises do no consider It imporan in delivering business sraegy or who gave

an ambivalen response han by respondens in enerprises ha consider It imporan or very imporan o he

delivery of business sraegy (66.2 percen vs. 26.5 percen).


41/70



Figure 38Initiatives Implemented in Response to the Economic Downturn by Current IT Sourcing Situation

Reduced permanent staff numbers

Reduced contractor staff numbers

Consolidated sites/data centres

Consolidated infrastructure (servers, networks, etc.)

Reduced application licences

Consolidated the application portfolio

Optimised the project portfolio

Implemented stricter investment evaluation measures

Centralised IT procurement

Redefined service level agreements (SLAs) with external service providers

Redefined service level agreements (SLAs) with the business to better manage demand

Invested in technologies that can reduce process or business cost

Changed sourcing arrangements

Changed approach to governance of IT

None of the above

Dont know

0% 5% 10% 15% 20%

No outsourcing Some elements outsourced No answer

18.189.6

9.46

15.15

6.557.51

9.095.95

7.68

6.065.88

7.3

3.03 5.065.43

4.542.81

3.037.968.15

9.095.435.71

3.034.244.12

12.124.76

6.74

3.030.45

2.15

11.316.06

8.61

05.956.09

6.069.159.46

6.066.99

5.62

0

0

5.214.12

Figure 39Planned or Implemented Mechanisms to Promote IT Innovation

Training for IT managers to better understand howIT innovations can create business opportunities

Assigned responsibilities for monitoring emergingtechnologies and their potential business application

Special investment appraisal and funding mechanismsto perform pilots with emerging technologies

Allocation of time to spend working on

experiments or trying out ideas

Collaborative programmers where IT and business staffcan work together on exploring innovation

Other

Dont know

None of the above

Base: 450 (IT only) 0% 20% 40% 60% 80% 100%

30.2

24.9

34

33.3

28.9

4.7

4.7

16


42/70



5.5 Business Respondents Views on IT Innovation

Business respondens were asked wheher heir enerprises had implemened or were planning o implemen

iniiaives o promoe It innovaion (wihou specifying he naure of he iniiaives). Fory-five percenindicaed ha heir enerprises had implemened or were planning o implemen such measures, while a similar

proporion indicaed no plans o implemen any such iniiaives (figure 40).

Cross-analysis

Slighly more han half of large enerprises have implemened or plan o implemen iniiaives o promoe It

innovaion, compared wih 40.3 percen of small enerprises.

By cross-referencing he responses o he It innovaion quesion o he mos imporan drivers of respondensbusiness sraegy, i can be noed ha It innovaion iniiaives have been implemened or are planned by

more respondens ha indicae growh hrough mergers or acquisiions or innovaion as imporan drivers for

business sraegy (figure 41).

Figure 40Business Respondents Whose Enterprises Have Implemented or

Are Planning to Implement Initiatives to Promote IT Innovation

Figure 41IT Innovation Initiatives and Drivers for Business Strategy

Yes

No

Dont know41.7%

13%

45.3%

Operational effectiveness/cost reduction

Quality

Customer service

Innovation

Market expansion

Growth through mergers oracquisitions

No

Yes

0% 10% 20% 30% 40% 50% 60% 70%

45.1

40.91

39.46

29.76

50.54

17.65

42.16

45.45

47.57

55.95

38.71

64.71


43/70



Comparing he responses o he It innovaion quesion o he responses on he imporance of It o he delivery

of he overall business sraegy or vision, i is perhaps no surprise o noe ha none of he respondens

enerprises ha consider It no imporan a all o delivery of business sraegy have implemened or are

global status report geit 10jan2011 research

Documents