The organizational structure of an IT department is usually the result of a series of changes, trials, experiments and political manipulations. It is often adjusted to suit or accommodate individuals. As a result, the organization is sometimes cumbersome and the cause of problems, inefficiency and excess cost.
The process described herein has been developed from experience gained by participating in numerous efforts to redesign and transform IT organizations.
Step 1: Select the Standards
The primary objective is to deliver value to stakeholders from IT-enabled investments. The organizational design should follow standards and good practices so that the resulting design is easy to defend and noncontroversial. Start by selecting from the following set of frameworks, standards and good practices:
- COBIT 5—Ensures that all aspects of IT are covered in terms of processes as well as tasks. COBIT 5 also provides the structure needed to ensure that alignment exists from stakeholder requirements through the enterprise and IT-related goals to all enablers.
- Skills Framework for the Information Age (SFIA V6)—Ensures that all skills that are required have been included and are reflected in the design of job descriptions
- ISO/IEC 38500:2015—Covers the IT governance aspects in detail
- ISO/IEC 20000:2011—Covers the service management aspects in detail
- ISO/IEC 27001:2013—Covers the information security aspects in detail
Some organizations may prefer to add more standards, good practices or local regulations, codes or laws. One of the very helpful codes in this regard is King III (soon to be King IV), which is the corporate governance code from South Africa. It can be used anywhere to design a robust IT governance system.
Of the 5 previously listed frameworks, standards and good practices, the first 2 cannot be neglected. Senior management may decide not to consider the remaining 3.
Step 2: The First Iteration
The first iteration of the functional organization comes straight from COBIT 5 and consists of the following functional elements:
- Board of directors (BoD)
- Strategy executive committee of the BoD
- Steering committee (reporting to the chief executive officer [CEO])
- CEO
- Chief information officer (CIO)
- Evaluate, Direct and Monitor (EDM) domain
- Align, Plan and Organize (APO) domain
- Build, Acquire and Implement (BAI) domain
- Deliver, Service and Support (DSS) domain
- Monitor, Evaluate and Assess (MEA) domain
The outputs from each of these are listed in figure 1.
Figure 1—Outputs of COBIT 5 Processes
Source: ISACA, COBIT 5: Enabling Processes, figure 11, USA, 2012
The accountabilities and responsibilities of these are listed in the various responsible, accountable, consulted and informed (RACI) charts in COBIT 5: Enabling Processes. The accountabilities and responsibilities of the BoD, the strategy committee, the steering committee and all the chief officers (CxOs) can be compiled at this stage from the various RACI charts. The "Activities" listed under the respective processes in the EDM domain spell out the activities in which these entities have to be involved.
SFIA V6 can then be used to ensure that all skills needed by these entities have been accounted for and are possessed by various stakeholders.
At the conclusion of this step, the accountabilities, responsibilities and activities of the BoD, the strategy committee, the steering committee and the CxOs have been decided and documented.
Step 3: Design the APO, BAI and DSS Sections
The APO, BAI and DSS domains consist of many subdomains (called processes in COBIT 5) that, ideally, may form sections as described in figures 2, 3 and 4.
Figure 2—Align, Plan and Organize Domain
Source: ISACA, COBIT 5, USA, 2012
These COBIT 5 processes may need to be grouped to reduce the number of sections and, therefore, the head count. However, in large organizations, each process may be a section by itself. The following are just logical suggestions for possible groupings:
- APO01 and APO02 may be combined to form a section titled “IT Strategy.”
- APO03 and APO04 can be combined in a section titled “IT Innovation.”
- APO05, APO06 and APO07 can, ideally, form the “IT Project Management Office (PMO)” section.
- APO08, APO09 and APO10 can be combined to form the “Service Level Management” section.
- APO11 and APO12 can be grouped under the “IT Assurance” section.
- APO13 (Manage Security) forms the “Information Security” (not “IT Security”) section. It owns the information security management system and the security policy; the operational protection services are a separate matter, handled under DSS.
Figure 3—Build, Acquire and Implement Domain
Source: ISACA, COBIT 5, USA, 2012
- BAI01 joins the “IT PMO” section, along with APO05, APO06 and APO07 in a medium-sized IT setup. However, it may be a separate section where in-house development is done on a large scale.
- BAI02, BAI03 and BAI04 should ideally be grouped in a section titled “Application Design.”
- BAI05, BAI06 and BAI07 form the “IT Change Management” section.
- BAI08, BAI09 and BAI10 go under the “Asset and Configuration Management” section.
Figure 4—Deliver, Service and Support Domain
Source: ISACA, COBIT 5, USA, 2012
- DSS01 forms the very important “IT Operations” section.
- DSS02 and DSS03 combine in the “Incident and Problem Management” section.
- DSS04 becomes the “Continuity Management” section.
- DSS05 (Manage Security Services) becomes the “IT Security” (not “Information Security”) section. It operates the protective controls within the policy set by the Information Security section (APO13), which is why the two are kept apart.
- DSS06 forms the “Controls Management” section.
In small IT organizations, these processes may be combined further, taking care that segregation of duties is maintained (for example, those who build and change systems should not also be the ones who accept them into production or assess the controls over them) and that all listed activities and all related metrics have been assigned.
Step 4: Design the MEA Section
Medium-sized and large IT setups should preferably have an IT assurance section that ensures that IT governance is being done within the IT setup. It should coordinate with internal audit in the planning and conduct of technology audits. It should also coordinate with the corporate compliance department in the planning, implementation and monitoring of laws, codes, standards and good practices.
In small IT shops, the MEA section can be either part of internal audit or split between internal audit and corporate compliance.
However, in any case, the activities and the related metrics need to be assigned completely.
Step 5: Design the Job Descriptions
Having designed the organization structure, it is necessary to design the respective job descriptions. Job descriptions can be created as a combination of the activities and the related metrics given by COBIT 5 and the activities listed in SFIA V6.
The following has to be ensured to finalize the job descriptions:
- All activities in COBIT 5 have been assigned.
- All related metrics in COBIT 5 have been assigned.
- All skills at all levels of responsibility listed in SFIA V6 have been assigned.
Any activities, related metrics and skills (at any level of responsibility) that have not been assigned should be listed and their nonassignment justified.
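The three completeness checks above, and the segregation-of-duties caveat from Step 3, are easy to make mechanical once the section design is written down as data. The following script is an added example, not code from the article or from ISACA: it encodes the medium-sized groupings proposed in Steps 3 and 4 and reports any process that is unassigned, any process assigned to more than one section, and any pair of processes that the designer has declared must be segregated but that ends up inside one section. Two things in it are assumptions: the MEA processes are placed in the same "IT Assurance" section as APO11 and APO12, and the two conflict pairs in `SOD_CONFLICTS` are illustrative choices, not constraints taken from COBIT 5 or the article.

```python
"""Mechanical version of the Step 5 completeness checks (added example, not from the article)."""
from collections import Counter

# COBIT 5 process identifiers for the four domains designed in Steps 3 and 4.
DOMAIN_PROCESSES = {
    "APO": [f"APO{n:02d}" for n in range(1, 14)],  # APO01..APO13
    "BAI": [f"BAI{n:02d}" for n in range(1, 11)],  # BAI01..BAI10
    "DSS": [f"DSS{n:02d}" for n in range(1, 7)],   # DSS01..DSS06
    "MEA": [f"MEA{n:02d}" for n in range(1, 4)],   # MEA01..MEA03
}

# Section design for a medium-sized setup, as grouped in Steps 3 and 4.
# Assumption: the MEA processes sit in the same IT Assurance section as APO11/APO12.
SECTIONS = {
    "IT Strategy": ["APO01", "APO02"],
    "IT Innovation": ["APO03", "APO04"],
    "IT PMO": ["APO05", "APO06", "APO07", "BAI01"],
    "Service Level Management": ["APO08", "APO09", "APO10"],
    "IT Assurance": ["APO11", "APO12", "MEA01", "MEA02", "MEA03"],
    "Information Security": ["APO13"],
    "Application Design": ["BAI02", "BAI03", "BAI04"],
    "IT Change Management": ["BAI05", "BAI06", "BAI07"],
    "Asset and Configuration Management": ["BAI08", "BAI09", "BAI10"],
    "IT Operations": ["DSS01"],
    "Incident and Problem Management": ["DSS02", "DSS03"],
    "Continuity Management": ["DSS04"],
    "IT Security": ["DSS05"],
    "Controls Management": ["DSS06"],
}

# Assumed segregation-of-duties constraints, chosen for illustration only.
SOD_CONFLICTS = [
    ("BAI03", "BAI07"),  # build the solution vs. accept it into production
    ("DSS05", "MEA02"),  # run security services vs. assess internal control
]


def unassigned_processes(domains, sections):
    """Processes in scope that no section owns; each must be assigned or its omission justified."""
    assigned = {p for procs in sections.values() for p in procs}
    return sorted(p for procs in domains.values() for p in procs if p not in assigned)


def duplicate_assignments(sections):
    """Processes owned by more than one section, i.e. with ambiguous accountability."""
    counts = Counter(p for procs in sections.values() for p in procs)
    return sorted(p for p, n in counts.items() if n > 1)


def sod_violations(sections, conflicts):
    """(section, a, b) for every conflict pair that has collapsed into a single section."""
    hits = []
    for name, procs in sections.items():
        owned = set(procs)
        for a, b in conflicts:
            if a in owned and b in owned:
                hits.append((name, a, b))
    return sorted(hits)


def merge_sections(sections, target, *absorbed):
    """Return a new design with the absorbed sections folded into target (small-shop consolidation)."""
    merged = {n: list(p) for n, p in sections.items() if n not in absorbed}
    for name in absorbed:
        merged[target] = merged[target] + list(sections[name])
    return merged


def check_design(sections, domains=DOMAIN_PROCESSES, conflicts=SOD_CONFLICTS):
    """Run all three Step 5 checks and return the findings; an empty report means the design passes."""
    return {
        "unassigned": unassigned_processes(domains, sections),
        "duplicates": duplicate_assignments(sections),
        "sod_violations": sod_violations(sections, conflicts),
    }


if __name__ == "__main__":
    print("medium-sized design:", check_design(SECTIONS))
    # Consolidating for a small shop: folding Application Design into Change
    # Management puts BAI03 and BAI07 under one head, which the SoD check flags.
    small = merge_sections(SECTIONS, "IT Change Management", "Application Design")
    print("after merging Application Design into IT Change Management:", check_design(small))
```

The same structure extends naturally to the activity and metric level: replace the process identifiers with the individual activities and metrics from COBIT 5: Enabling Processes and the SFIA V6 skills at each level of responsibility, and the "unassigned" list becomes exactly the justification list that Step 5 asks for.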
Step 6: Revise the IT Processes
The job descriptions should be synchronized with the IT processes. Therefore, it is necessary that all IT processes are reviewed and the responsibilities therein reassigned to conform to the new job descriptions.
IT organization design and maintenance is best done using proper tools. The capabilities required include:
- Process management
- Enterprise architecture
- Risk management
Many governance, risk management and compliance (GRC) tools have been assessed and analyzed from the perspective of using them for organization design. A GRC tool that has strong process management capabilities integrated with risk management and enterprise architecture is a must. It is ideal if, in addition, that suite of tools supports a maturity assessment.
The 6-step process described in this article has been used in designing the organization structures in many organizations, big and small, and it works. The activity may take weeks in large organizations and can be as short as a week in small ones. In using this methodology, there is a need for synchronization between the activities listed in COBIT 5 and the skills described in SFIA V6 at different levels of responsibility.
Any reorganization deals directly with humans and there is a human factor that may, at times, oppose the recommendations of this methodology. This factor needs to be considered only to the extent that it does not interfere with the requirements of segregation of duties.
The final recommendation is that the organization design be done as per theory and then fine-tuned to accommodate the politics.
Azhar Zia-ur-Rehman, CISA, CRISC, CISM, ISO 27001 LA
Is an experienced auditor and consultant offering services in the domains of corporate governance, IT governance, information security management and enterprise transformation. He specializes in the automation of corporate governance. He is presently writing a book on technology governance. He has used COBIT in numerous projects for auditing IT governance, designing and implementing IT governance structures and processes, and transforming IT. He has worked in many verticals including telecommunications, petroleum, manufacturing, heavy engineering, construction, real estate, health care and government. He can be contacted through his LinkedIn profile.