
Bridging SOA and IT Governance

Policy or Peril

Darren Jones
Director, CIO Solutions
Protiviti Canada

Agenda
• Welcome / Intro
• Problem: Service Oriented Architecture & IT Governance
  – What’s wrong here?
• Vision of Success: What can it look like?
• Roadmap for Improvement: How do you get there?
• Metrics for Change: How do you measure success?

Background
• A host of issues are placing IT risk in the spotlight and on the minds of Executive Teams and Boards of Directors
  – Increased dependency on IT as a business enabler
  – Open Systems & need for integration
  – Self-Service needs
  – Business continuity concerns
  – Ever-changing governance & regulatory environment
  – End user device stability
  – Service Oriented Architecture

Background
• Common Business Misconceptions:
  – Governance will fix all of our regulatory problems (with or without technology)
  – Service Oriented Architecture (SOA) will fix all my end-user, self-service, and consolidation problems
• There is no silver bullet!! The answer lies in the proper balance and combination of the above solutions.
• Whether it is IT Governance or SOA, one size does not fit all!

Basic Definitions
• IT Governance has several definitions.
  – IT governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process.
  – IT Governance is supported by several disciplines including:
    – IT Portfolio Management
    – Business Service Management
    – IT Asset Management
    – Enterprise Architecture
    – Project Governance & Project Management
    – IT Service Management
    – Business Technology Optimization

Basic Definitions
• Service Oriented Architecture
  – Is not a piece of hardware or software.
  – SOA is a software architecture that builds a topology of interfaces, interface implementations and interface calls.
  – SOA is about reuse, encapsulation, interfaces, and ultimately agility.
  – An SOA environment is about reuse, granularity, modularity, componentization, interoperability, compliance to standards, service identification, provisioning and delivery, and monitoring / tracking

SOA – Standard “IT” Definition…
• A Service-Oriented Architecture is an enterprise-wide IT architecture for composing, searching and/or accessing a collection of discrete interoperable, modular, well encapsulated, loosely coupled business-aligned reusable services:
  – Services have platform independent, self describing interfaces (XML)
  – Messages are formally defined
  – Services can be discovered
  – Services have quality of service characteristics defined in policies
  – Services can be provided on any platform
• Def. linked to enabling tech.: SOAP/HTTP, UDDI, J2EE/.NET, WSDL, XML based

Basics of SOA
[Diagram: SOA at the center of the TECHNOLOGY landscape, surrounded by ERP, Mainframe, J2EE, .NET, Unix and AS/400 applications and by Network Infrastructure, Service Management, Security & Availability, Chg/Problem Management and Application Portfolio Mgmt.]

Not So Fast – It’s NEVER That Easy
[Diagram: many applications linked point-to-point by a tangle of integration mechanisms: Screen Scrape, Download File, Transaction File, Message Queue, Message, Sockets, RPC, ORB, APPC and CICS Gateway.]
Source: Gartner

Anatomy of a Service
[Diagram labels: Service Consumer, Interface Proxy, Service Interface, Service Implementation; implementation types: New Service, Wrapped Legacy, Composite Service.]
Source: Oracle

Service Communication
• Communicate with messages
• No knowledge about partner
• Likely heterogeneous
[Diagram labels: Service Consumers, Service Producers.]
Source: Oracle

Service Platform
[Diagram labels: Service Consumers; Service Delivery Bus; Service Rules; Service Reporting & Mgmt; Change Control & Config; Service Interfaces and Service Implementations.]
Source: Oracle

The business is driving SOA

SOA promise: Business agility
• Business process flexibility
• Faster time to market
• Lower implementation and maintenance cost

SOA risk: Business disruption
• Inability to change the implementation
• No reusable services
• Duplication of implementation effort

“SOA necessitates new processes, ranging from governance, through development, to operations.”
Gartner, Positions 2005: Service-Oriented Architecture Adds Flexibility to Business Processes

Approach to IT Governance & SOA

IT Governance & SOA Correlation
• IT Governance and SOA go hand in hand. It is about:
  – Standardizing and modularizing not only software and infrastructure, but also processes, metrics, and governance
  – SOA can be as simple as a black box to consolidate interfaces, or as complex as a software integration infrastructure.
  – To maximize value of IT Governance & SOA, you need to start at the top and work your way down.

IT Governance & SOA Correlation
• Bottom line: SOA and IT Governance have to be integrated with the organization’s business and IT strategies in order to deliver value to the organization.
• A new structure has to be implemented in order to deliver quality services and value to the organization, while at the same time maximizing the value of IT assets already owned by the organization.

Approach to Implement Governance/SOA
You need to start at the top:
• Fix Process & Increase Effectiveness (↑ control)
• Enhance IT Efficiency by consolidating Infrastructure and implementing SOA (↓ $$$)
• Enable Alignment & IT Governance (↑ flexibility and ↑ strategic impact)

[Diagram: maturity staircase rising through the levels Initial, Repeatable, Defined, Managed and Optimized, with the approach focus moving from Effectiveness to Efficiency to Governance. Stage descriptions from the figure:]
• SOx Compliance Focus / Individual Processes: Implementing reliable processes and controls
• IT Process Integration: Integrating multiple processes within IT operations to reduce risk across the organization as a whole
• IT Process Tuning: Tuning established processes for greater performance, efficiency and cost savings. Eliminate bottlenecks, better allocate resources
• Business Alignment & IT Governance: Leverage established, optimized processes with financial and other business intelligence to align business and IT and support business strategy

The Journey & its Benefits
Key Value Stages & Benefits:
• Risk Mitigation
  – Provide process effectiveness, increased control
  – Foundation at lower levels of maturity
  – Reliability of the systems management process, ensure system stability, integrity, and availability
  – Begin integration with IT operational processes (e.g. Problem, Incident, Service Level, Asset, & Security Management, etc.)
• Lower Cost of IT Operations
  – Enhance process efficiency, at improved maturity levels
  – Focus on improving business service levels and efficiencies, reduce enterprise risk
  – Improve overall IT efficiencies by centralizing appropriate functions
  – Eliminate process / project bottlenecks, reduce unplanned work levels, reduce per-unit IT costs, and improve resource allocation
• Enable Business Alignment / IT Governance
  – Increased flexibility & strategic impact, at the highest levels of process capability
  – Provide optimized IT services, allow flexibility without losing effectiveness and efficiency

SOA Implementation
Phases: Planning & Assessment; Solution Roadmap; Solution Design; Implementation; Operations & Performance Measurement

• Develop business case
• Use Internal Audit or external parties to support an assessment/review
• Develop a strategy, roadmap and implementation plan
• Develop business processes, best practices, procedures and policies
• Design your solution architecture once processes have been fixed
• Design business and operational system integration
• Develop new organizational structuring and transformation. This includes a communication plan
• Perform systems and user testing
• Measure results through key controls, KPIs and other metrics
• Train process owners and end users

Areas of Implementation Focus
IT Asset Management: by integrating asset ownership information with change management and user support processes, IT operations will have the right blend of tools and knowledge to provide the highest level of support to your users in the most efficient manner.

IT Strategy: by aligning IT & business strategies, streamlining of processes will enable the development of reusable and modularized processes, software, infrastructure and services.

Areas of Implementation Focus
IT Service Management: addressed from a business perspective.

ITIL Best Practices: comprehensive analysis of the quality of your service management processes as compared to industry best practices (ITIL).

Technology Change Management: focus on improving coordination, efficiency, and control; minimizing the risks to the availability, integrity, scalability, performance, and security of your information systems.

We will explore an example of applying SOA principles to TCM…

Why Change is the Crux…
…of both the problem and the solution:

BS15000 / ISO20000 Service Management model

• Technology Change is the foundation of all effective IT processes
• Enables delivery of IT services throughout the enterprise
• Is ideal for balancing control vs. efficiency…
…and has the most direct impact on IT achieving business strategy

Getting the right picture
• ITIL: BS 15000 / ISO 20000
  – IT Operations / Mgt focused
  – Process-focused standard
  – Gaining acceptance rapidly
• CobiT
  – IT Audit / Gov. focused
  – Control-focused standard
  – Extensive use for ITA / SOx
• CMMI
  – Originally for Software, now integrated for other processes
  – Process maturity model concept widely known & adapted

The frameworks and standards are converging…

Relating the Frameworks
Technology Change Lifecycle

TCM process view:
• Initiate Change Request
• Assess Impact & Approve Request
• Build, Test & Approve Change
• Implement Change
• Follow-up & Close Request

ITIL Service Support process view:
• Incident Management
• Problem Management
• Change Management
• Release Management
• Configuration Management
• Service Level Management

CobiT process view:
• DS 8 – Manage Service Desk
• DS 10 – Manage Problems
• AI 6 – Manage Changes
• DS 9 – Manage Configuration
• AI 2 & 3 – Acquire & Maintain Technology Applications and Infrastructure
• DS 5 – Ensure Systems Security
• PO 10 – Manage Projects / PO 8 – Manage Quality
• ME 1 – Monitor & Evaluate IT Performance

1. SOA As a Means of Mitigating Risk

Risk mitigation is usually the first benefit sought:
• Most organizations have high amounts (35%–45%) of unplanned and / or unscheduled IT work.
• Some organizations have experienced “big” service outages.
• Regulations now require some focus on achieving control.

By contrast, some high-performing organizations achieve 5% in unplanned work levels. Further:
• Operations become more effective quickly.
• The business experiences fewer service interruptions.
• Regulatory compliance (e.g. SOx) is a by-product, not the aim.
• Problems become easier to identify and fix.

2. Deriving IT Operational Efficiency
Lower Cost IT Operations become the next target:

Strong operational change management can deliver significant benefits to enterprises that care about IT efficiency, quality and service. These gains include:
• Unplanned downtime reductions by 25 percent to 35 percent
• Planned downtime reductions by as much as 25 percent
• Higher levels of customer service
• Support cost reductions
“Critical Factors Powering Operational Change Management”
Donna Scott / Kris Brittain, Gartner, 4 Mar 2003

High-performing organizations usually experience:
• Lower / fewer problems, less time troubleshooting and rebuilding
• Less time on administration (review, approval, tracking, auditing)
• Economies of scale from standardization & centralization
• Quicker identification of process constraints & bottlenecks

3. Pick a destination and a direction
Now that you have some ideas, it’s time to identify an objective and get ready to move:
• Identify goals aligned with business strategy:

  Strategy        Measures          Methods & Results
  Profitability   ROI / ROE         Leads to process standardization & modularity
  Efficiency      ROA / IT Unit $   Low unit costs & shared services
  Growth          Revenue ↑         Local innovation, some later integration

  IT Governance, Peter Weill / Jeanne Ross, June 2004

• Set the “Tone from the Top”
• Focus on stopping pain first
• Prioritize other initiatives after that
• Select meaningful measures for progress
• Find some baseline measures (even if they’re just stories)
• Pick some basic metrics aligned with objectives above

4. Start moving toward your objective
Time to get going! The path you take will depend on your “location” and objectives from earlier steps. But some of the more effective choices are:
• Design a Change process and prioritize controls (now & “to be”)
• Standardizing processes may add value…
• …but if local (BU) innovation is required, that may not be an option
• Focus on Preventive / Automated, then Detective / Manual controls
• Align roles & responsibilities
• Integrate Change (& Release) process with Problem / Incident, Availability, and Security Management (BS15000 / ITIL view)
• Automate process with current tools, and pick new ones
• Write it down (policy, guidelines, standards, procedures, etc.)

Most critical, integrate process and technology into the culture of the organization – otherwise failure is inevitable.

5. Measure progress and re-orient

After you’ve been moving (for a little while), it’s time to see where it’s getting you:
• Report on short-term results
• Analyze behaviors for changes and root causes
• Identify mis-alignment and bottlenecks in process
• Celebrate successes and reinforce “Tone at the Top”
• Select priorities for investment of more time & resources

Most progress is measured in short steps – it takes a while to gather meaningful data. Steady improvement in IT eventually raises organizational maturity – evolution is natural, continuous, and purposeful.

How can IT change be efficient?
Achieved by leveraging consistent practices from Stage 1

Centralized enterprise functions
– Change Management and Release Engineering
– IT Service Desk & Incident Response
– Organization leverages lessons learned
Streamlined processes & relationships
– Automated IT change process and controls
– Transparent relationships between applications & infrastructure (CMDB)
– Change impacts understood prior to deployment
Consistent architectures
– Repeatable infrastructure & application builds

Realized Benefits
– ↑ Productivity from skilled IT resources
– Lower IT unit costs
– Integration with other IT processes
– Faster deployment of projects & services
– ↑ Customer Service

Is efficient IT change really possible?

Consistent functional roles enhance enterprise process:
• Processes defined across enterprise functions
• Defined Configuration & Release standards, more consistency
Automated processes, better information:
• Transparency allows mistakes to be corrected without downtime
• Metrics captured = bottlenecks identified & resolved
IT Architectures become less fragile & delicate
• Infrastructures become commoditized, services more important
• Configuration states & relationships known, not guessed
• Platforms & applications become simpler to rebuild than to repair

IT focus shifts from reaction to pro-action

Thank you

For more information, please contact:

Darren Jones

Director, CIO Solutions


Protiviti Canada
647.288.4920
darren.m.jones@protiviti.com
Questions?
Click on the questions tab on your screen, type in your question
(and name if you wish) and hit submit.
