IT governance defines a structure of relationships, processes and measures to direct and control IT in order to achieve the enterprise's goals
IT governance is currently a key topic for many IT functions. Its definition varies widely, but key themes remain essential for all companies: effectiveness, efficiency and reliability. Business value and risk mitigation are also at the centre of this domain. It represents a significant part of enterprise governance, and because of the horizontal nature of IT, where almost everyone in the enterprise uses IT assets to complete their responsibilities, the impact of effective IT governance is highly visible.
IT governance defines a structure of relationships, processes and measures to direct and control IT assets (e.g. people, finance, infrastructure) in order to achieve the enterprise's goals by adding value while balancing risk with return. It helps to define roles and responsibilities and to specify an accountability framework that encourages desirable behaviour in IT and accountability for the use of IT assets. IT governance also helps to standardise best practices and define monitoring methods.
For Merck Serono International SA, IT governance has always been the responsibility of the IT management team, being an integral part of Merck Serono’s governance, and consists of the leadership and organisational structures and processes that ensure that the IT function sustains and extends the company’s strategies and objectives to deliver value. IT does this within acceptable risk boundaries while taking into account culture, organisational structure and maturity.
For the Merck Serono IT function, IT governance ensures that delivery expectations are fulfilled, that IT resource deployment is continuously planned, targeted and optimised, that IT performance is measurable and that risks are minimised.
Among the various components of an IT governance framework, the following domains were retained as being key themes to reach a high level of quality and excellence through continuous improvement:
Quality management was initially the main focus for IT, which has been certified to ISO 9001 worldwide since 1999. For the last two years, quality management has also included risk management (identifying risks from strategy down to operations and providing mitigation) as well as skills management (ensuring that the staff in the IT function have the appropriate skills in line with the strategy). Since 2001, IT has measured its business alignment, which is highly integrated within the business strategy, using the IT balanced scorecard tool.
For more than three years, service management and IT Infrastructure Library (ITIL) have been the drivers to improve the quality of services for the end users. Merck Serono’s IT function deployed the ITIL processes covering both service support and service delivery. The purpose of this initiative was to:
These processes are mostly supported by tools from HP-Peregrine and IBM Tivoli. Project management has always been a key practice for IT people. Based on a traditional System Development Life Cycle (SDLC), the methodology has been widely used by the IT function for many years. All projects have to comply with documentation, templates and checkpoints where project progress is monitored. Committees validate the various steps of the methodology and give their approval to move to the next phase.
Portfolio management is known internally as the “Funnel”. The portfolio governance process starts when a business user requests or suggests a new capability. The request is automatically routed to an information manager (internal relationship manager), then to a business analyst or team for an initial business case before being routed to the IT management committee for review and scoring. The IT management team then evaluates the prioritised, ranked projects to determine the proper portfolio mix and whether to accept the recent request.
Solutions from HP-Mercury help Merck Serono to support both project and portfolio management.
An Enterprise Architecture (EA) consists of the vision, principles, standards and processes that guide the purchase, design and deployment of technology within an enterprise. EA describes the interrelationships between business processes, information, applications and underlying infrastructure for that enterprise, and provides best practices for technology purchase, design and deployment. EA structures and processes govern adherence to an organisation’s technology strategy and provide a managed environment for the use of new technology.
Architecture governance is essentially a control, or series of controls, in the development process; it is effective when supported by good documentation (principles, guidelines, standards) and communicated effectively. To build such an Enterprise Architecture, Merck Serono considered the use of both the Zachman framework and The Open Group’s TOGAF. Such a programme requires solid processes with ownership and accountability.
Enterprise Architecture is a component of IT governance which interacts with most of the other frameworks such as project and portfolio management, quality, maturity and security management. To manage EA, the company decided to use the Metis-Troux technologies solution.
Security management is another component of the IT governance programme, covering both information security and technical security. BS 7799 certification was obtained in 2005 for the Geneva HQ, and ISO 27001 certification was obtained on a worldwide basis in 2006.
At the beginning of 2006, a new position reporting directly to the CIO was created to further develop IT performance and value management. The key drivers for this are: optimising IT value, demonstrating IT value as a critical component of business processes, improving the quality of IT value measurement and reporting, and becoming a potential source of innovation.
Performance management is not a stand-alone initiative; it is a process that needs to be established and fully integrated in strategic alignment with the business, value delivery and company performance management. This performance framework consistently ensures that IT:
Control Objectives for Information and related Technology (COBIT) provides a set of best practices and tools for auditing IT processes and assessing standards compliance, maturity and associated risks. COBIT can be combined with other frameworks; for example, the architecture can be audited against certain KPIs.
In the frame of an IT research and innovation initiative, CMMI has been under evaluation. CMMI, the Capability Maturity Model Integration developed by Carnegie Mellon University’s Software Engineering Institute, is a suite of products used for process improvement. It consists of best practices that address the development and maintenance of products and services, covering the product life cycle from conception through delivery and maintenance.
CMMI models could be used in conjunction with all of Merck Serono’s IT processes found in service management (ITIL), COBIT, project management (SDLC/PRINCE), Enterprise Architecture (Zachman/TOGAF), quality (ISO 9001) and security management (ISO 27001), but such a programme has not yet been considered.
IT governance at Merck Serono encompasses many disciplines within the organisation, including IT strategy, risk management, IT service management and compliance management, to name a few. Understandably, this presents a significant challenge for companies seeking to identify a starting point for their IT governance initiative. Fortunately, best-practice governance guidelines and procedures do exist within the industry. Firms moving ahead with the adoption of a standard will be well served to use a phased implementation project approach and to start with the elements of the standard that will yield their organisation the most benefits—
In 2005, a benchmark with KPMG positioned Merck Serono’s IT as number one among 119 other companies in the life sciences industry. In 2006, the number one position was maintained while the number of organisations increased to 125. This recognition indicates that the IT function is using IT best practices to support the business and that Merck Serono IT controls can now be classed as “excellent”. This was driven by major improvements in the areas of IT operations (incident, problem, operation and configuration management), security (ISO 27001), control assurance (risk, audit and planning management) and Sarbanes-Oxley (SOX).