Brian G. Barnier, CGEIT
In the movies, there are simple formulas. In an action film, it is good vs. evil fighting each other through action scenes, and (hopefully) good triumphs. Corporations also have simple formulas. These are “business models”—how they grow profit. Finance is the language of that movie script. Business depends on IT. IT assets include hardware, software and people. Through financial processes, funds get allocated to assets. Financial people measure whether IT did a good job of managing the assets. This is not new. What is new is that the finance-IT interaction has changed during these troubling economic times in at least three ways:
To help chief information officers (CIOs) and IT managers better position and relate to finance and other business leaders, an article published in COBIT Focus last year provided guidance on how to use finance-related content in COBIT1 and Val IT: Based on COBIT2 to build a more productive relationship between the CIO and the chief financial officer (CFO) and their organizations.3 It looked first at the basics—the CFO as budget-controller for and internal customer of the CIO. Then, it turned to value creation—the CIO and CFO teaming to help business-line leaders transform through business-IT projects to better grow profitable revenue in troubled economic times. As the economic woes have dragged on and IT leaders have asked more questions—such as “What do I need to do with finance to better prioritize and manage business-IT spending?” and “How do I do this more easily and effectively?”— another article is needed.
To set the stage, this article first looks at two frequently asked questions: “How does IT better relate to the teams within finance?” and “How do IT and finance improve communications?” Then, it moves to the pivotal question: “How can business-IT models be used to drive better benefit?” It closes by reflecting on additional frequently asked questions and suggests three ways to enhance implementation of COBIT, Val IT and/or Risk IT: Based on COBIT.4 The goal is to empower readers with tips to improve funding allocation and to better demonstrate benefit.
Who Stands Where? (Roles and Responsibilities)IT practitioners frequently ask: “Who in finance do I ask about xyz?” “Why didn’t the person I talked to in finance tell me to…?” Or, “Doesn’t anybody in finance really care about…?” The simple fact is that finance, just like IT, is composed of several areas. If a business-line person asked IT a question about a new customer relationship management system, would the architect, service delivery management, disaster recovery and security manager answer the question in exactly the same way? No. Just the same, in finance, one needs to talk to the right person to find the right answer for the situation.
The finance organization is led by the CFO. Organization structures vary by broader organization design (centralized, decentralized, etc.), industry, country (including number and location of countries covered) and business model. Typically, it has these main functions:
Additionally, some organizations have dedicated teams for financial policy or program management.
What Language Is That? (Clear Communications)“Why can’t IT just speak regular business language instead of techie-talk?” is a common complaint from business leaders, including finance leaders. Yet, finance, like IT, has its own language. Weighted average cost of capital (Is that how heavy my new server rack is?), debenture covenants (Is that a place where witches live?), IRR (IT risk response?), NPV (no pay-per view television?). Yes, finance-speak can be as challenging to IT as IT-speak is to finance and other parts of the business. In the May 2010 “A Link, A Laugh and a Look,” a video link was included that illustrates what happens when people of different backgrounds try to play the game Pictionary.5
Clear communication takes effort. Here are some steps to get started:
With these set-the-stage questions covered, the story can turn to what will be played out on the stage—the story that needs to be enabled by IT.
In creating a movie or a play, the nature of the story drives the production equipment needed to tell that story. A blockbuster action movie has much different equipment needs from a weekly situation comedy. In the business-IT world, the distinctive way(s) the business makes money (e.g., variety of offerings, speed and flexibility, low cost, personal service, creative design, broad distribution, marketing demand) drives the business-IT model. It turns out that alignment in models is a crucial piece of overall alignment, as this drives many business-IT governance and management decisions. Several authorities have proposed ways to view such models. Figure 1 illustrates a simple, powerful and practical way to identify the needed model and take the right actions. An enterprise with multiple business lines might use multiple models such as:
With this view of four types of story line, the story turns to the three areas of frequently asked questions regarding IT finance—the action.
Investment Portfolio ManagementIn investment portfolio management, most of the questions are about what goes into the portfolio, relating portfolio to business-IT alignment/engagement, accommodating business models, categories to use and managing risk.
Investment Program ManagementIn investment program management, most questions are related to managing risk, accommodating changing requirements, monitoring investments over time and retiring programs cleanly.
Financial Policies, Implementation, Analysis and ReportingIn the financial policies, implementation, analysis and reporting area, questions arise due to the difficulty in getting enterprise financial policy and reporting designed for functional areas (such as human resources, marketing or finance as a function) to support the more complex nature of IT (with many fixed assets and transformational projects spanning budget cycles). In short, many enterprises make life difficult for the CIO and the CIO’s customers by accounting for IT on a period-expense basis, rather than the way they would for their own manufacturing or asset-intense operational areas. The following are some suggestions:
COBIT, Val IT and Risk IT provide strong guidance and have active user communities.7 A benefit of using open industry frameworks is gaining access to a body of experience-based guidance to extend the core frameworks. This article has provided tips on how to address them. To more easily advance organizations, it is important not to reinvent the wheel, but to draw on and tailor this body of knowledge to drive progress more quickly and easily.
1 COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. For more information, visit www.isaca.org/cobit.2 Val IT: Based on COBIT is a framework that enhances COBIT with additional management guidance on enterprise governance of IT, managing a portfolio of business-IT investments and managing the life cycle of programs created by the investments. For more information, visit www.isaca.org/valit.3 Barnier, Brian; “COBIT for Troubled Times—Unlocking COBIT to Strengthen the CIO-CFO Partnership,” COBIT Focus, vol. 3, 20094 Risk IT: Based on COBIT is a framework that enhances COBIT with additional management guidance on risk governance, risk evaluation and risk response. For more information, see www.isaca.org/riskIT.5 Pictionary is a board game and trademark of Milton Bradley. If you have not seen “A Link, a Laugh and a Look” and/or the video, it is available at www.youtube.com/watch?v=fyO5Kwc3NK8.6 For more information on COBIT Mappings, visit www.isaca.org/cobitmapping.7 In addition to local chapter meetings, it is now easier to learn from peers around the world through the new user groups at www.isaca.org.8 The COBIT 5 concept paper is available at www.isaca.org/cobit5.
This article responds to the questions and concerns of many people with whom the author has spoken in the past year. What is missing? What are your questions? ISACA frameworks are developed with much public comment, drawing on the questions and needs of practitioners like you. Please send your questions and comments to firstname.lastname@example.org.
The author thanks Bob Frelinger, a colleague on the COBIT 5 team,8 for his review, comments and improvements.
With the growing importance of business value and finance to ISACA members, this year’s ISACA IT Governance, Risk and Compliance Conference will include a new session on finance. The conference will focus on delivering business value, beginning with the opening keynote in which the audience will hear from the top of “the business” with an address by a member of the board of directors of a large financial institution.
Brian G. Barnier, CGEITwith ValueBridge Advisors, has a practical and action-oriented perspective as a result of his experience in business lines, IT and risk management. He serves on multiple best practice committees. He conducts professional education courses, was an adjunct professor of finance, is one of the select Open Compliance and Ethics Group (OCEG) Fellows, is widely published, and contributed to Risk Management in Finance(Wiley, 2009). In prior roles, he was with IBM, Lucent and AT&T. For ISACA, he chairs the IT Governance, Risk and Compliance Conference Program Committee. He can be reached at email@example.com.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.