In the movies, there are simple formulas. In an action film, it is good vs. evil fighting each other through action scenes, and (hopefully) good triumphs. Corporations also have simple formulas. These are “business models”—how they grow profit. Finance is the language of that movie script. Business depends on IT. IT assets include hardware, software and people. Through financial processes, funds get allocated to assets. Financial people measure whether IT did a good job of managing the assets. This is not new. What is new is that the finance-IT interaction has changed during these troubling economic times in at least three ways:

• Dramatic budget cuts and a “new normal” with more scrutiny of business benefit
• Increased focus on cash management (when and how money is spent, not just what is spent)
• More concern about the risk of the wrong decision and less patience for implementation problems

This suggests three growing needs for IT:

• Learning to think in more financial terms in requests for funds and demonstration of results
• Partnering deeply (not just casually) with finance in jointly going to “the business” to demonstrate how IT can build capabilities needed to seize more opportunity
• Partnering with finance in evaluating business-IT projects in terms of both risk and return, to avoid wasting precious resources

To help chief information officers (CIOs) and IT managers better position and relate to finance and other business leaders, an article published in COBIT Focus last year provided guidance on how to use finance-related content in COBIT¹ and Val IT:  Based on COBIT² to build a more productive relationship between the CIO and the chief financial officer (CFO) and their organizations.³ It looked first at the basics—the CFO as budget-controller for and internal customer of the CIO. Then, it turned to value creation—the CIO and CFO teaming to help business-line leaders transform through business-IT projects to better grow profitable revenue in troubled economic times. As the economic woes have dragged on and IT leaders have asked more questions—such as “What do I need to do with finance to better prioritize and manage business-IT spending?” and “How do I do this more easily and effectively?”— another article is needed.

To set the stage, this article first looks at two frequently asked questions: “How does IT better relate to the teams within finance?” and “How do IT and finance improve communications?” Then, it moves to the pivotal question: “How can business-IT models be used to drive better benefit?” It closes by reflecting on additional frequently asked questions and suggests three ways to enhance implementation of COBIT, Val IT and/or Risk IT: Based on COBIT.⁴ The goal is to empower readers with tips to improve funding allocation and to better demonstrate benefit.

Setting the Stage

Who Stands Where? (Roles and Responsibilities)
IT practitioners frequently ask:  “Who in finance do I ask about xyz?” “Why didn’t the person I talked to in finance tell me to…?” Or, “Doesn’t anybody in finance really care about…?” The simple fact is that finance, just like IT, is composed of several areas. If a business-line person asked IT a question about a new customer relationship management system, would the architect, service delivery management, disaster recovery and security manager answer the question in exactly the same way? No. Just the same, in finance, one needs to talk to the right person to find the right answer for the situation.

The finance organization is led by the CFO. Organization structures vary by broader organization design (centralized, decentralized, etc.), industry, country (including number and location of countries covered) and business model. Typically, it has these main functions:

• Planning and budgeting—Conducts analysis of past spending and projections of future spending. This manages the budget cycle for people, expenses and capital. Some organizations have a separate team for capital budgeting or investment portfolio management for activities needing more focus than routine budgeting. IT works closely with these groups in the budget cycle.
• Accounting—Usually in six areas: financial accounting (external reporting for investors and others), managerial/ cost accounting (more detail for internal analysis, often handles internal cross-charges and a principal contact for IT), accounts payable (A/P), accounts receivable (A/R), billing (collecting from external customers) and payroll. IT spending is tracked by the managerial accounting team. A/P is engaged by IT to pay service and product providers. This is also the area to ask about how accounting principles apply to IT spending categories.
• Treasury and tax—Manages cash availability, return and risk on cash and investments, equity (stock) and debt (loan instruments), and many taxes. IT touches this group when acquiring new hardware and software.
• Procurement (might also be in operations)—IT touches for supplier selection, contract management and ongoing vendor risk management.
• Risk management (might also be in operations)—Manages financial market risks (e.g., interest rate or foreign exchange rate risks), credit risks or buying insurance. Today, it is broadening into enterprisewide risk management. ISACA’s Risk IT would be of most interest to this group.
• Internal audit—Usually reports to the CFO for administrative purposes, reporting formally to the audit committee of the board of directors for independence purposes. IT audit reports here in many organizations.

Additionally, some organizations have dedicated teams for financial policy or program management.

The following steps can be helpful when beginning to navigate finance:

• Get a copy of the finance organization chart.
• When creating permanent or temporary teams in IT, be sure to invite the appropriate person(s). Do not expect a single finance contact to know everything in finance.
• Be aware of the different roles in finance. For example, if one is looking to find a better way to finance the acquisition of new hardware or software, ask treasury, rather than accounting or budgeting.

What Language Is That? (Clear Communications)
“Why can’t IT just speak regular business language instead of techie-talk?” is a common complaint from business leaders, including finance leaders. Yet, finance, like IT, has its own language. Weighted average cost of capital (Is that how heavy my new server rack is?), debenture covenants (Is that a place where witches live?), IRR (IT risk response?), NPV (no pay-per view television?). Yes, finance-speak can be as challenging to IT as IT-speak is to finance and other parts of the business. In the May 2010 “A Link, A Laugh and a Look,” a video link was included that illustrates what happens when people of different backgrounds try to play the game Pictionary.⁵

Clear communication takes effort. Here are some steps to get started:

• Remove abbreviations or IT shorthand from documents. Try to get materials to pass the “spouse test” (i.e., ensure that your non-IT spouse understands what you are saying).
• Express benefits in business terms. “Business terms” means market share, sales, costs, expenses, quality, customer satisfaction measures and terms that business leaders understand.
• Use presentation formats that are widely used in the enterprise. Familiar tables and graphs make it easier for others to understand the point.

With these set-the-stage questions covered, the story can turn to what will be played out on the stage—the story that needs to be enabled by IT.

The Story

In creating a movie or a play, the nature of the story drives the production equipment needed to tell that story. A blockbuster action movie has much different equipment needs from a weekly situation comedy. In the business-IT world, the distinctive way(s) the business makes money (e.g., variety of offerings, speed and flexibility, low cost, personal service, creative design, broad distribution, marketing demand) drives the business-IT model. It turns out that alignment in models is a crucial piece of overall alignment, as this drives many business-IT governance and management decisions. Several authorities have proposed ways to view such models. Figure 1 illustrates a simple, powerful and practical way to identify the needed model and take the right actions. An enterprise with multiple business lines might use multiple models such as:

• Commodity efficiency—An undifferentiated utility with low impact to the business. Generic software and hardware are used. Temporary outages can be worked around. It can be easily outsourced on a cost basis.
• Reliability business—Sometimes also termed “business of IT.” Reliability is far more important than in the commodity model, but services have low differentiation. It can be provided as an insourced or outsourced model. A “service catalog” of standardized offerings and service levels is a typical feature.
• Competitive weapon—Adds high differentiation as a driver in the business-IT model. The CIO and IT team are deeply involved in the business. IT improvements are tightly coupled to business process improvements. Speed and flexibility are key. It is very difficult to outsource without significant damage to the business.
• Niche enhancement—When differentiation is key to only certain business lines or as product enhancements, the niche model is appropriate. This is seen when a special team is used to enable a growth business area while the rest of the business operates on a commodity efficiency or reliable business model.

With this view of four types of story line, the story turns to the three areas of frequently asked questions regarding IT finance—the action.

Lights, Camera, Action

Investment Portfolio Management
In investment portfolio management, most of the questions are about what goes into the portfolio, relating portfolio to business-IT alignment/engagement, accommodating business models, categories to use and managing risk.

In short, the following are some suggestions:

• The portfolio contains everything—programs, projects, services (business and IT), operations and other assets. For convenience, some organizations further distribute portfolios into subportfolios or super-/meta-portfolios. T his is acceptable, as long as there is a complete view to balance resource allocation across the entire portfolio based on risk and return.
• Portfolio categories depend on business-IT alignment/ engagement working because business-IT investment portfolio categories should flow from business investment portfolio categories. If the chief executive officer (CEO) and CFO talk to investors in categories such as acquisition, expansion into new countries and cost efficiencies in mature businesses, then those business categories should flow to IT portfolio categories such as building flexibility for new expansion or building efficient scale in mature businesses. If the business is investing in cross-selling products to customers, then the business-IT portfolio might include a data integration category. Spending can be tagged with other labels such as “maintenance” or “compliance,” but the leading thought should be about the business.
• The business model used by an enterprise is a prime driver of investment portfolio design, categories and management. Guidance from ISACA and other organizations is often written in view of a single business model. Yet, there are many models, such as the four mentioned previously. The selection of one of the four models drives investment, project management and the operations approach to ensure that the business meets its objectives.
• Managing risk in the investment portfolio and programs is important (rather than just seeking return no matter how risky). Some industry analysts suggest that far more IT value is lost in the “what to do” decision than in the “how to do it” implementation. The guidance from Risk IT related to this area can help to address this.

Investment Program Management
In investment program management, most questions are related to managing risk, accommodating changing requirements, monitoring investments over time and retiring programs cleanly.

In short, the following are some suggestions:

• Managing risk in the investment programs and projects is extended by pointing to the guidance from Risk IT. Through mappings, COBIT users can also embrace the guidance of PRINCE and PMBOK.⁶
• In monitoring, many organizations state that they use a “fire and forget” approach to investment monitoring. Thus, the “what to do” is to improve life-cycle monitoring of an investment—from development progress reviews to retirement (as advocated in COBIT and Val IT).
• Changing requirements is a significant concern in implementation. Some organizations respond by “locking” requirements in an excessive way, which damages business flexibility to pursue revenue. Others try to accommodate too many changes, delaying deliverables and leaving users willing to take anything that exists. While beyond the scope of COBIT, there are approaches that can be adapted from project management, architecture, system development and product management to manage requirements in layers and components that promote a balance of stability and timely delivery and enable profitable revenue.

Financial Policies, Implementation, Analysis and Reporting
In the financial policies, implementation, analysis and reporting area, questions arise due to the difficulty in getting enterprise financial policy and reporting designed for functional areas (such as human resources, marketing or finance as a function) to support the more complex nature of IT (with many fixed assets and transformational projects spanning budget cycles). In short, many enterprises make life difficult for the CIO and the CIO’s customers by accounting for IT on a period-expense basis, rather than the way they would for their own manufacturing or asset-intense operational areas. The following are some suggestions:

• In planning and budgeting policy, the earlier points on business models also apply. For example, applying policies appropriate for the commodity efficiency model when the business needs the competitive weapon model defeats the good work of business alignment/engagement/relationship teams that are forging a tightly coupled business-IT to drive product growth.
• In cost accounting policy, a key is to monitor IT costs at the appropriate unit of analysis to make better business decisions. This way, that unit can be rolled up to provide the insight needed for the business model used. For example, some organizations measure server utilization in units and charge it back; other organizations need to roll that up to a business view of IT cost structure to illustrate how IT costs vary if an acquisition is made, new products are launched or business is expanded into a new country. Cost structure and strategy are crucial to clear communication, alignment and architecture.
• In acquisition policy, organizations can benefit by: 1) placing more emphasis on financing IT assets (cash purchase, lease [operating or capital] or loan), 2) engaging treasury to preplan the year’s activity, and 3) evaluating risk in third-party suppliers (such as applying the content of Risk IT to the supply chain).
• To help reporting, provide more actionable insight, provide explicit coverage of each policy area, organizations should use measures tied to the individual objectives of members of the enterprise IT governance committee and link to project postimplementation reviews. Finally, they should use this information to improve both management and the governance process.

Conclusion

COBIT, Val IT and Risk IT provide strong guidance and have active user communities.⁷ A benefit of using open industry frameworks is gaining access to a body of experience-based guidance to extend the core frameworks. This article has provided tips on how to address them. To more easily advance organizations, it is important not to reinvent the wheel, but to draw on and tailor this body of knowledge to drive progress more quickly and easily.

Endnotes

¹ COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. For more information, visit www.isaca.org/cobit.
² Val IT:  Based on COBIT is a framework that enhances COBIT with additional management guidance on enterprise governance of IT, managing a portfolio of business-IT investments and managing the life cycle of programs created by the investments. For more information, visit www.isaca.org/valit.
³ Barnier, Brian; “COBIT for Troubled Times—Unlocking COBIT to Strengthen the CIO-CFO Partnership,” COBIT Focus, vol. 3, 2009
⁴ Risk IT: Based on COBIT is a framework that enhances COBIT with additional management guidance on risk governance, risk evaluation and risk response. For more information, see www.isaca.org/riskIT.
⁵ Pictionary is a board game and trademark of Milton Bradley. If you have not seen “A Link, a Laugh and a Look” and/or the video, it is available at www.youtube.com/watch?v=fyO5Kwc3NK8.
⁶ For more information on COBIT Mappings, visit www.isaca.org/cobitmapping.
⁷ In addition to local chapter meetings, it is now easier to learn from peers around the world through the new user groups at www.isaca.org.
⁸ The COBIT 5 concept paper is available at www.isaca.org/cobit5.

Author’s Note

This article responds to the questions and concerns of many people with whom the author has spoken in the past year. What is missing? What are your questions? ISACA frameworks are developed with much public comment, drawing on the questions and needs of practitioners like you. Please send your questions and comments to brian@valuebridgeadvisors.com.

The author thanks Bob Frelinger, a colleague on the COBIT 5 team,⁸ for his review, comments and improvements.

Editor’s Note

With the growing importance of business value and finance to ISACA members, this year’s ISACA IT Governance, Risk and Compliance Conference will include a new session on finance. The conference will focus on delivering business value, beginning with the opening keynote in which the audience will hear from the top of “the business” with an address by a member of the board of directors of a large financial institution. For more information on the ISACA IT Governance, Risk and Compliance Conference, visit www.isaca.org/itgrc.

Brian G. Barnier, CGEIT
with ValueBridge Advisors, has a practical and action-oriented perspective as a result of his experience in business lines, IT and risk management. He serves on multiple best practice committees. He conducts professional education courses, was an adjunct professor of finance, is one of the select Open Compliance and Ethics Group (OCEG) Fellows, is widely published, and contributed to Risk Management in Finance(Wiley, 2009). In prior roles, he was with IBM, Lucent and AT&T. For ISACA, he chairs the IT Governance, Risk and Compliance Conference Program Committee. He can be reached at brian@valuebridgeadvisors.com.

---

Enjoying this article? To read the most current ISACA^® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute^® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.