GOVERNANCE OF THE EXTENDED ENTERPRISE Bridging Business and IT Strategies IT Governance Institute John Wiley & Sons GOVERNANCE OF THE EXTENDED ENTERPRISE GOVERNANCE OF THE EXTENDED ENTERPRISE Bridging Business and IT Strategies IT Governance Institute John Wiley & Sons This book is printed on acid-free paper. Copyright © 2005 by the IT Governance Institute. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: permcoordinator@wiley.com. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com. Disclaimer The IT Governance Institute (ITGI), Information Systems Audit and Control Association and the authors of Governance of the Extended Enterprise have designed the publication primarily as an educational resource for control professionals. ITGI, ISACA, and the authors make no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. Library of Congress Cataloging-in-Publication Data: ISBN: 0-471-33443-X Printed in the United States of America 10987654321 About the Author IT Governance Institute ® The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research, and case studies to assist enter- prise leaders and boards of directors in their IT governance responsibilities. Information Systems Audit and Control Association ® With more than 35,000 members in more than 100 countries, the Infor- mation Systems Audit and Control Association (ISACA ® ) (www. isaca.org) is a recognized worldwide leader in IT governance, control, security, and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal ™ , develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor ™ (CISA ® ) desig- nation, earned by more than 35,000 professionals since inception, and the Certified Information Security Manager ™ (CISM ™ ) designation, a ground- breaking credential earned by 5,000 professionals in its first two years. v Contents Acknowledgments xi Preface xv Introduction 1 Managing Change as a Business Process 2 How Do We Get There from Here? 3 Vision/Leadership 3 Value Creation and Performance Management 4 Governance Framework and Criteria 4 Governance Officer 6 Enterprise Architecture: Framework and Implementation 6 Reference Works 7 Looking Forward 9 1 Extended Enterprises 11 Change Agents in the Extended Enterprise Environment 11 Paradigm Shift in the Business Environment/Changes in Processes 15 2 Strategy: Challenge for the Extended Enterprise 19 Business Strategy Challenge 19 New Enterprise Risk Management Structures 20 New Regulatory Compliance Challenge 21 Developing Strategy with Value Innovation 23 Transforming Internal Governance Strategy 25 New Internal Governance Challenge 27 Governance Challenge 27 vii . Tools for the Governance of the Extended Enterprise 79 6 Enterprise Architecture: Governance Implementation for the Extended Enterprise 87 What Is Enterprise. Cycle 58 5 Governance Framework for the Extended Enterprise 61 Governance Definition 61 Enterprise Governance Challenge in the Extended Enterprise 64 Governance