ISACA Journal
Volume 4, 2014


Leveraging Metrics for Business Innovation: Where Measurement Meets Transformation in IT Governance 

Yo Delmar, CISM, CGEIT 

The title of a blog post on the Harvard Business Review web site made the following claim, “IT governance is killing innovation.”1 This argument raises an important question. If technology is at its best when it is transformative, forging pathways to innovation, how can IT organizations ensure that their governance programs do more than simply manage the performance of their operations environment? How can they foster IT innovation as a means to spurring growth and competitive advantage?

Over the past decade, the global IT industry has undergone a significant transformation. By now this story is familiar. From the proliferation of digital tools and the rise of social media, to the growth in mobile networking and the datafication2 of everyday life, technological advancements have fundamentally altered traditional patterns of work and connectivity. And yet, as IT has become increasingly pervasive, IT departments have faced their own sets of challenges. Not without a sense of irony, in a world in which technology has made nanoseconds the new normal, IT departments have had to battle the perception that they are sluggish and out of touch with larger organizational goals, unable to keep pace with the changing needs of today’s hyperconnected and hypercompetitive business environment.

In response, IT governance frameworks emerged, broadly speaking, to facilitate the proper alignment between the IT department and the larger enterprise as well as to maintain optimal levels of IT investment and performance.3 However, to ensure that the proper foundation is in place for IT to not only support and improve business performance, but also become a source of innovation, organizations cannot put their faith in the blind adoption of abstract metrics. Instead, companies need to thoughtfully design, develop and adapt metrics that are aligned with and support organizational strategy and goals. How can organizations leverage metrics for successful business innovation?

Metrics are Foundational to Creating and Sustaining Competitive Advantage

Metrics4 have become ubiquitous as of late and with good reason. The advancement of data-driven decision making across just about every industry has made metrics integral to demonstrating the value and performance of business programs and their supporting IT processes, within organizational boundaries and through supplier and customer ecosystems. Moreover, an emphasis on metrics and analytics has allowed business and IT to better adapt and refine strategic initiatives, as well as optimize resources with an eye toward sustaining and growing competitive advantages.

To be sure, there are a number of ways in which metrics play a crucial role in maintaining a robust IT governance framework:

  • Tracking metrics is fundamental to developing predictive models and assessing the key factors for future IT success.
  • Metrics are the building blocks of larger analytics.
  • Metrics are needed to ensure sufficient allocation of resources that focus on IT innovations.
  • Metrics help in making specific processes visible, thus enabling organizations to isolate specific aspects of IT operations for tracking, measurement and assessment.

As Peter Weill and Jeanne Ross argue, “Measurement and accountabilities are critical to any good [IT] governance design. Articulating who is responsible for what and how they will be evaluated provides clarity, ownership and tools to assess governance performance.”5 Tracking metrics and the ways in which they change over time are also fundamental to developing predictive models and assessing the key factors for future IT success. For example, as an increasing number of companies migrate critical enterprise applications to the cloud, reaping the benefits of increased agility and efficiencies, IT departments have looked to establish metrics around third-party governance. Specifically, these metrics translate into accountabilities around availability, performance, backup, recovery, archiving and compliance that can be incorporated into service level agreements (SLAs) to ensure that those third parties become effective extensions of IT, and are aligned with the organization’s overall operational requirements.

Most important, metrics play a key role as the building blocks of larger analytics programs. Though often used interchangeably, metrics and analytics are not synonymous. According to COBIT 5, metrics represent specific numerical data that act as operational, day-to-day indicators for goal achievement. In this regard, metrics allow an enterprise to assess the proximity or distance from specific organizational objectives. Analytics, on the other hand, aggregate data from numerous sources and make use of a series of metrics to identify organizational trends, patterns and correlations. By analyzing large volumes of data in real time, or near real time, analytics not only help organizations sustain and improve IT performance, but also provide deeper insights for innovative business strategy. For example, IT may measure mean incident recovery cost, mean time to incident recovery and mean time to patch. Looking at the trends and correlations among these metrics moves one into the realm of analysis and leading indicators, where one can gain insight into root cause and take steps to address potential risk, control failures or inefficiencies. Analytics, however, are only as good as the foundation upon which they are built. The predictive power of analytics actually depends on establishing the right set of metrics.

Each of these examples suggests that the ongoing improvement of IT governance initiatives is simply not possible without appropriate metrics.6 But while IT departments require metrics that measure and enhance operational performance, metrics are also needed to ensure a sufficient allocation of resources that focus solely on cultivating IT innovation. Innovation groups within IT departments can look across industries to gain an understanding of how industry leaders with similar processes are evolving and building an appropriate set of metrics by leveraging industry baselines. For example, a company that distributes goods can adopt aspects of how FedEx, a leader in distribution, uses mobility and social media to enhance the customer experience for its own processes across the supply chain and customer communities. Organizations adopting bring your own device (BYOD) policies might leverage processes and metrics that leaders such as Apple use to manage their own teams’ devices internally. Beyond FedEx and Apple, every business should be asking itself questions such as, “What are the most innovative companies doing to measure the effectiveness of IT in their organizations?,” and, “How can these metrics be used to inform the metrics being developed in our own organization?”

At the core, metrics play an important role in making specific processes visible. By establishing a particular set of metrics, organizations isolate distinct aspects of IT operations for tracking, measurement and assessment. The flipside, of course, is that because metrics highlight certain aspects of the process, while rendering others invisible, focusing on an incomplete or irrelevant set of metrics can actually prove to be detrimental.

Given the speed with which technology changes, IT departments are constantly trying to hit a moving target. Knowing what to measure and how to measure it is no easy task. “Enterprises have struggled to understand the value of IT-related initiatives because value cannot always be readily demonstrated through a traditional discounted cash flow analysis.”7 This speaks to the challenge at the heart of designing metrics that accurately convey the value and performance of an organization’s IT infrastructure. For IT to be a force for innovation and competitive advantage, it is crucial to keep focused on providing the right set of metrics that align with business strategy and performance goals to the right set of stakeholders.

Developing Effective Metrics: Five Things to Consider

Metrics, like the organizations that use and rely on them, are not one-size-fits-all. Metrics that are not tailored to particular enterprise needs and business goals will ultimately prove ineffective. These challenges make clear why the metrics organizations adopt cannot and should not be the result of blind implementation.

Figure 1

In fact, the COBIT 5 guidelines speak directly to this point. Although the COBIT 5 framework is equipped with a rich set of built-in metrics that correspond to more than 100 IT-related processes and subprocesses,8 the implementation guide is explicit about the importance of adapting the framework to meet specific enterprise needs. This imperative is perhaps best articulated in the section detailing the COBIT 5 goals cascade, which notes that, “because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context…translating high-level enterprise goals into manageable and specific IT-related goals and mapping these to specific processes and practices.”9 In light of the need to adapt IT governance frameworks to meet specific enterprise objectives, a central question remains: How can organizations ensure the development and adoption of effective IT performance metrics?

There are five things (figure 1) to consider when developing effective metrics:

  1. Enterprise strategy, goals and key performance goals set the tone. The aim of IT governance is to establish synchronicity among IT, business and third parties, as well as to measure the performance of IT in relation to larger business objectives. As a result, it is essential to develop performance metrics that are defined by enterprise goals and not the other way around. Key performance indicators (KPIs) can play a critical role in helping meet this demand because they are specifically designed to measure performance against larger organizational objectives.10 But building an IT framework closely aligned with larger business goals depends not only on understanding the structural needs of the enterprise, but also the innovation that the enterprise requires to retain competitive advantage. Doing this effectively requires a set of metrics that are focused on emerging technologies and the ways in which they can be used strategically to improve organizational efficiency and customer experience. For instance, as social media has become an integral part of corporate practice, IT departments have struggled to understand its impact on the delivery of enterprise products and services. Rather than ceding social media efforts to other parts of the organization, such as corporate communications or marketing, IT departments should proactively partner with these business units to develop solutions and metrics that help leverage the power of social media to support business strategy. This will ensure that IT departments become a partner in creating competitive advantage rather than remaining myopically focused on their own operations.
  2. Develop metrics that are responsive to a dynamic environment. Today’s business environment is anything but static. Companies find themselves engaged in continuous cycles of change, innovation, renewal and reassessment. Given the pace at which technological changes have disrupted traditional workflows, this dynamism is inherent to the situation IT departments face on an ongoing basis. Against this backdrop, performance metrics need to be able to adapt to both organizational and technological change to generate valuable insights and business intelligence. This will empower organizations to make IT decisions that improve efficiency and have the potential to transform core business functions. For example, the rapid influx of mobile devices and the rise of BYOD policies at many organizations have resulted in increasingly porous enterprise boundaries. With the lines now blurred between personal and proprietary data, IT departments find themselves grappling with the need to develop new sets of metrics that assess the business performance of mobile devices, as well as the ability of the enterprise to meet the rigorous security requirements this new mobile environment demands.
  3. Design key metrics that provide value across multiple initiatives. In recent years, shrinking technology budgets and economic uncertainty have forced enterprises to do more with less. In response, organizations should develop metrics that can be deployed in a number of contexts to yield the greatest possible results. To maximize operational resources, metrics should enable organizations to become more efficient by helping identify aspects of legacy infrastructure in the IT ecosystem that have become obsolete or redundant. The true value lies in developing metrics that act as a foundation for larger analytics, which provide insights with the power to inform these types of business decisions. For instance, the rise in distributed denial-of-service (DDoS) attacks over the past few years has demonstrated a shift in the cybersecurity landscape, driving a focus on new types of monitoring systems to ensure the availability of critical web-facing services. Amid this new reality, IT performance metrics that measure the impact of availability from these and similar types of attacks can be leveraged across security, business continuity, disaster recovery and crisis management teams. By developing metrics that give a 360-degree view of processes to a wider group of stakeholders, organizations can more effectively protect critical processes and sensitive data with a defense strategy that is valuable to all.
  4. Emphasize ease of implementation. Strong analytics are only as good as the foundations on which they are built. As previously mentioned, metrics are the building blocks of analytics, which means that it is necessary to adopt metrics that can be easily implemented and understood. Ultimately, metrics will only be effective if, “employees know what is being measured, how it is calculated, what the targets are, how incentives work and, more important, what they can do to affect the outcome in a positive direction.”11 To take this point a step further, when it comes to metrics, organizations cannot allow the perfect to be the enemy of the new. This can happen when IT departments face the formidable task of having to operate in uncharted territory, reacting to rapid and unexpected changes in the external business environment. Take business continuity as an example. Natural disasters, such as Hurricane Sandy in New York City, New York, USA, in 2012, or the tsunami that triggered Japan’s Fukushima nuclear disaster in 2011, have caused IT departments to rethink their approaches to business resilience and recovery metrics. Business continuity and disaster recovery teams have typically been contained to a small unit within the enterprise that leads recovery efforts. However, many organizations have experienced the pervasiveness of IT, making business continuity essential to an interconnected web of mobile employees, global customers and third-party vendors. As a result, crisis communication is quickly becoming integrated with business continuity as organizations must now reach a wider range of stakeholders. Guidance and direction must be provided to employees; response teams must be mobilized; and communication must be initiated with media, external partners, suppliers, partners, first responders, public and government officials, and more. Only 14 percent of organizations believe communication was effective in their last invocation of a disaster recovery plan, and 52 percent of organizations do not have a crisis management team.12 IT departments today increasingly require metrics that can be implemented expeditiously, measured easily and incorporated seamlessly into larger analytics to respond to and analyze changing data in real time.
  5. Remain open to change. As important as metrics are, it is crucial to avoid becoming locked into a static set of metrics that no longer measure what really matters. Organizations should never discount the importance of continued analysis and appraisal of performance metrics. Constant reevaluation of metrics and their relevance to changing business goals is ultimately what will ensure the long-term success of a governance program. For example, metrics that measure the remediation of noncritical vulnerabilities on noncritical infrastructure, supporting information that is neither sensitive nor regulated, provide little value in the overall security equation. Metrics that outlive their utility or no longer provide vital data should be reconfigured accordingly.

Measuring IT Performance: From Operations to Centers of Innovation

Certainly, there are many partisans of IT governance who would take issue with the claim that strong governance can stifle innovation. In fact, an effective governance program with the right metrics actually facilitates business innovation and growth. Weill and Ross, for example, note that all top performing organizations share one aspect in common when it comes to their IT governance programs. That is, “their governance made transparent the tensions around IT decisions given as standardization versus innovation.”13 This suggests that a sound metrics program properly assesses and lays bare strategic, practical and operational considerations, which can empower organizations to invest in and support IT-related projects with transformative power.

Surprisingly, a report by A. T. Kearney found that, “most companies dedicate the fewest resources to innovation” despite the fact that it “represents the biggest opportunity to increase shareholder value.”14 Being able to measure the effectiveness of technology investments and expenditures across the various areas of the IT department can serve to not only increase efficiency and reduce operational costs, but also provide valuable insights that stimulate targeted innovation. It is precisely at this intersection that measurement meets transformation head on.

Metrics enable businesses to measure the effectiveness of resource allocations between the various layers that comprise the IT department, from operational maintenance and business enablement functions to those tasked with imagining and inventing truly transformative IT. The right performance metrics also allow organizations to measure the effectiveness of transformative initiatives, as well as evaluate how they align with business goals and industry standards. In turn, this type of measurement can be used to enhance the efficacy of future investments in IT innovation.

Conclusion: A Call to Action

Effective metrics are critical to ensuring that the IT department aligns with the enterprise and increases organizational efficiency. Beyond that, however, metrics can play a central role in repositioning the IT department as a source of innovation and competitive advantage, rather than as a drain on organizational resources. To this end, IT departments must constantly strive to achieve the right balance between standardization and innovation by tying their metrics to a larger organizational analytic framework. This will often mean creating a cultural shift to be proactively attentive to opportunities to partner with business units to further enterprisewide goals. In today’s business environment, technology is crucial to business strategy and offers some of the most exciting opportunities to create disruptive innovation. With the right set of metrics, closely aligned to organization strategy and performance objectives, IT departments can become hubs of innovation that not only support sustained operational effectiveness, but lead the process of creating competitive advantage.


1 Horne, A.; B. Foster; “IT Governance Is Killing Innovation,” Harvard Business Review, HBR Blog Network, 22 August 2013
2 Elliott, T.; “The Datafication of Daily Life,” Forbes, 23 July 2013
3 Schwartz, K. D.; “IT Governance Definition and Solutions,” CIO, 22 May 2007
4 For the purposes of this article, we use the definition for metrics outlined in the COBIT 5 framework: “A quantifiable entity that allows for the measurement of achievement of a process goal. Metrics should be SMART—specific, measurable, actionable, relevant, timely.” ISACA, COBIT 5, USA, 2012. This definition was chosen as a point of departure for two reasons: First, it specifically highlights the fact that metrics represent specific numerical information. Second, and perhaps more important, it emphasizes that metrics should be action-oriented and capable of factoring into larger data aggregations and calculations that can inform strategic decision making.
5 Weill, P.; J. W. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004
6 Consulting Portal, “Necessary Frameworks for IT Governance: Clarifying the Tangled Web,” 28 February 2007
7 Op cit, Weill and Ross
8 Op cit, COBIT 5
9 Ibid.
10 IBM Software, “A Business Risk Approach to IT Governance,” September 2011
11 Eckerson, W.; “12 Characteristics of Effective Metrics,” TDWI Blog, 19 April 2010
12 Forrester Research, “2012: The State of Crisis Communication & Risk Management,” Disaster Recovery Journal
13 Op cit, Weill and Ross
14 A. T. Kearney, The 7 Habits of Highly Effective IT Governance: Powerful Lessons in Transforming Business and Information Technology, 2008

Yo Delmar, CISM, CGEIT, is vice president, GRC Solutions at MetricStream with more than 30 years of experience in IT and management, focusing on governance, risk and compliance (GRC). She has broad experience developing GRC program strategies and security programs for large organizations. Yo can be reached at



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.