GOVERNANCE OF THE
EXTENDED ENTERPRISE
Bridging Business and IT Strategies
IT Governance Institute
John Wiley & Sons
This book is printed on acid-free paper.
Copyright © 2005 by the IT Governance Institute. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except as permitted under Section 107 or 108 of
the 1976 United States Copyright Act, without either the prior written permission
of the Publisher, or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to
the Publisher for permission should be addressed to the Permissions Department,
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax
201-748-6008, e-mail: [email protected].
Limit of Liability/Disclaimer of Warranty: While the publisher and author have
used their best efforts in preparing this book, they make no representations or
warranties with respect to the accuracy or completeness of the contents of this book
and specifically disclaim any implied warranties of merchantability or fitness for a
particular purpose. No warranty may be created or extended by sales representatives
or written sales materials. The advice and strategies contained herein may not be
suitable for your situation. You should consult with a professional where appropriate.
Neither the publisher nor author shall be liable for any loss of profit or any other
commercial damages, including but not limited to special, incidental, consequential,
or other damages.
For general information on our other products and services, or technical support,
please contact our Customer Care Department within the United States at
800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that
appears in print may not be available in electronic books.
For more information about Wiley products, visit our Web site at www.wiley.com.
Disclaimer
The IT Governance Institute (ITGI), Information Systems Audit and Control
Association and the authors of Governance of the Extended Enterprise have designed
the publication primarily as an educational resource for control professionals. ITGI,
ISACA, and the authors make no claim that use of this product will assure a successful
outcome. The publication should not be considered inclusive of any proper procedures
and tests or exclusive of other procedures and tests that are reasonably directed to
obtaining the same results. In determining the propriety of any specific procedure
or test, the controls professional should apply his/her own professional judgment to
the specific control circumstances presented by the particular systems or information
technology environment.
Library of Congress Cataloging-in-Publication Data:
ISBN: 0-471-33443-X
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
About the Author
IT Governance Institute®
The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998
to advance international thinking and standards in directing and controlling
an enterprise’s information technology. Effective IT governance helps ensure
that IT supports business goals, optimizes business investment in IT, and
appropriately manages IT-related risks and opportunities. The IT Governance
Institute offers symposia, original research, and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Information Systems Audit and Control Association®
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) (www.isaca.org)
is a recognized worldwide leader in IT governance, control, security, and
assurance. Founded in 1969, ISACA sponsors international conferences,
publishes the Information Systems Control Journal™, develops international
information systems auditing and control standards, and administers the
globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 35,000 professionals since inception, and the
Certified Information Security Manager™ (CISM™) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.
Contents
Acknowledgments
Preface
Introduction
Managing Change as a Business Process
How Do We Get There from Here?
Vision/Leadership
Value Creation and Performance Management
Governance Framework and Criteria
Governance Officer
Enterprise Architecture: Framework and Implementation
Reference Works
Looking Forward
1 Extended Enterprises
Change Agents in the Extended Enterprise Environment
Paradigm Shift in the Business Environment/Changes in Processes
2 Strategy: Challenge for the Extended Enterprise
Business Strategy Challenge
New Enterprise Risk Management Structures
New Regulatory Compliance Challenge
Developing Strategy with Value Innovation
Transforming Internal Governance Strategy
New Internal Governance Challenge
Governance Challenge
Bridging the Gap between the Information Technology Organization and Internal Clients
Making Strategy a Continual Process: Coevolving and Patching
Managing Knowledge for Better Communication: Knowledge Management
Sharing Knowledge through a Knowledge Portal
3 Value Creation and Management of Performance in the Extended Enterprise
Vision and Mission
Value Creation and Strategy Implications
Necessity of a Core Repository of Knowledge Portal
Suggested Architecture for Performance Measurement
Delegate and Empower through Performance Management
Framework for Measurement
Control Objectives for Information and Related Technology
Monitoring: Measuring and Comparing Outcomes for Improvements
Ongoing Strategy Process: Operational Performance Monitoring
4 Operational Business Activities: Value Realization for the Extended Enterprise
Value Realization
Blueprint for Knowledge Sharing in an Extended Enterprise
Objectives, Goals, and Expectations
Information and Knowledge Resources (Intangible Business Resources)
Information Sharing Activities (Two-way Communication)
Operational Business Activities
Tangible Business Resources
Value Creation Cycle
5 Governance Framework for the Extended Enterprise
Governance Definition
Enterprise Governance Challenge in the Extended Enterprise
Governance Structure for the Extended Enterprise
Governance Objectives for the Extended Enterprise
Comparison with Excellence Models
Leadership: Driver for Values and Governance Implementation
Maturity Levels of Leadership
Maturity Model for Evaluating the Level of Governance of the Extended Enterprise
Tools for the Governance of the Extended Enterprise
6 Enterprise Architecture: Governance Implementation for the Extended Enterprise
What Is Enterprise Architecture?
Enterprise Architecture: New Focus for Chief Information Officers
Architecture Layers Interrelationships
Implementing and Maintaining the Enterprise Architecture
Information Technology Governance in the Extended Enterprise
Strategic Alignment of IT Strategies with the Business
IT Infrastructure to Enable Business
Maturity Model of the Enterprise Architecture/IT Architecture
Partner Ability for Networking/Information Flows and Relationships
Maturity Model for IT Governance
Establish Information Model and Data Model for Quick Implementation of a Knowledge Base
Appendices
A Questions for the Board and Senior Management
B Performance Reference Model
C Organizational Structure Evolution: Core versus Central
D Framework and Quality Awards
E Business Reference Model
F Knowledge Work, Knowledge Management, and Knowledge Portal
G Enterprise Architecture Processes at Different Maturity Levels
H Maturity Model for Business Activities in the Extended Enterprise
I IT Governance
J IT Governance Maturity Model
K COBIT Information Processes
Glossary
References
Other ITGI Publications
Index
Acknowledgments
IT Governance Institute wishes to recognize:
The Ministry of International Trade and Industry, Japan, for its
sponsorship of the project.
The Board of Trustees, for its support of the project:
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, United States, International President
Abdul Hamid Bin Abdullah, CISA, CPA, FIIA, Auditor General’s Office, Singapore, Vice President
William C. Boni, CISM, Motorola, United States, Vice President
Ricardo Bria, CISA, SAFE Consulting Group, Spain, Vice President
Everett C. Johnson, CPA, Deloitte & Touche LLP, United States, Vice President
Howard Nicholson, CISA, Mortgage Choice, Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, Focus Strategic Group Inc., Hong Kong, Vice President
Robert S. Roussey, CPA, University of Southern California, United States, Past International President
Paul A. Williams, FCA, Paul Williams Consulting, United Kingdom, Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, United States, Trustee
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor, IT Governance Institute
The GIEE project committee:
Akira Matsuo, CISA, CPA, ChoAoyama Audit Corp., Japan, Chair
Lily M. Shue, CISA, CISM, CCP, CITC, LMS Associates LLC, United States, Chair
Kiyoshi Endo, CISA, ChoAoyama Audit Corporation, Japan
John W. Lainhart IV, CISA, CISM, IBM, United States
Hugh A. Parkes, CISA, FCA, Stanton Consulting Partners, Australia
Deepak Sarup, CISA, FCA, Siam Commercial Bank, Thailand
Singapore
Patrick Stachtchenko, CISA, CA, Deloitte & Touche Solutions, France
Hitoshi Takase, SAP, Japan
Thomas C. Lamm, Information Systems Audit and Control Association, United States
Linda S. Wogelius, Information Systems Audit and Control Association, United States
The authors wish to acknowledge the contributions of:
Susan Caldwell, Information Systems Audit and Control Association, United States
Tomoyasu Eto, CISA, Computer Engineering & Consulting, Japan
Erik Guldentops, CISA, CISM, Belgium
Nobuko Kogori, INES, Japan
Lynn C. Lawton, CISA, BA, FCA, FIIA, PIIA, KPMG, United Kingdom
J. Kristopher Lonborg, Ernst & Young, United States
Toru Maki, INES, Japan
Shuji Miyazawa, ITEC, Japan
Robert G. Parker, CISA, CA, FCA, CMC, Deloitte & Touche, Canada
Tsutomu Suzuki, Cambridge Technology Partners, Japan