The organizational structure of an IT department is usually the result of a series of changes, trials, experiments and political manipulations. It is often adjusted to suit or accommodate individuals. As a result, the organization is sometimes cumbersome and the cause of problems, inefficiency, and excess cost. The process described herein has been developed from experience gained by participating in numerous efforts to redesign and transform IT organizations.<\/p>\n
Step 1: Select the Standards<\/strong> Some organizations may prefer to add more standards, good practices or local regulations, codes or laws. One of the very helpful codes in this regard is King III (soon to be King IV), which is the corporate governance code from South Africa. It can be used anywhere to design a robust IT governance system. Of the 5 previously listed frameworks, standards and good practices, the first 2 cannot be neglected. Senior management may decide not to consider the remaining 3.<\/p>\n Step 2: The First Iteration<\/strong> The accountabilities and responsibilities of these are listed in the various responsible, accountable, consulted and informed (RACI) charts in COBIT 5: Enabling Processes. The accountabilities and responsibilities of the BoD, the strategy committee, the steering committee and all the chief officers (CxOs) can be compiled at this stage from the various RACI charts. The “Activities” listed under the respective processes in the EDM domain spell out the activities in which these entities have to be involved. SFIA V6 can then be used to ensure that all skills needed by these entities have been accounted for and are possessed by various stakeholders. At the conclusion of this step, the accountabilities, responsibilities, and activities of the BoD, the strategy committee, the steering committee and the CxOs have been decided and documented.<\/p>\n Step 3: Design the APO, <\/strong>BAI and DSS Sections<\/strong> In small IT organizations, these processes may be combined further, taking care that some segregation is maintained and all listed activities and all related metrics have been assigned.<\/p>\n Step 4: Design the MEA Section<\/strong> Step 5: Design the Job Descriptions<\/strong> Step 6: Revise the IT Processes<\/strong> The 6-step process described in this article has been used in designing the organization structures in many organizations, big and small, and it works. The activity may take weeks in large organizations and can be as short as a week in small ones. In using this methodology, there is a need for synchronization between the activities listed in COBIT 5 and the skills described in SFIA V6 at different levels of responsibility.Any reorganization deals directly with humans and there is a human factor that may, at times, oppose the recommendations of this methodology. This factor needs to be considered only to the extent that it does not interfere with the requirements of segregation of duties.The final recommendation is that the organization design be done as per theory and then fine-tuned to accommodate the politics.<\/p>\n
\nThe primary objective is to deliver value to stakeholders from IT-enabled investments. The organizational design should follow standards and good practices so that the resulting design is easy to defend and noncontroversial. Start by selecting from the following set of frameworks, standards, and good practices:<\/p>\n\n
\nThe first iteration of the functional organization comes straight from COBIT 5 and consists of the following functional elements:<\/p>\n\n
\nThe APO, BAI and DSS domains consists of many subdomains (called processes in COBIT 5). These COBIT 5 processes may need to be grouped to reduce the number of sections and, therefore, the head count. However, in large organizations, each process may be a section by itself. The following are just logical suggestions for possible groupings:<\/p>\n\n
\nMedium-sized and large IT setups should preferably have an IT assurance section that ensures that IT governance is being done within the IT setup. It should coordinate with internal audit in the planning and conduct of technology audits. It should also coordinate with the corporate compliance department in the planning, implementation and monitoring of laws, codes, standards and good practices.In small IT shops, the MEA section can be either part of internal audit or split between internal audit and corporate compliance.However, in any case, the activities and the related metrics need to be assigned completely.<\/p>\n
\nHaving designed the organization structure, it is necessary to design the respective job descriptions. Job descriptions can be created as a combination of the activities and the related metrics given by COBIT 5 and the activities listed in SFIA V6. The following has to be ensured to finalize the job descriptions:<\/p>\n\n
\nThe job descriptions should be synchronized with the IT processes. Therefore, it is necessary that all IT processes are reviewed and the responsibilities therein reassigned to conform to the new job descriptions. IT organization design and maintenance is best done using proper tools. The capabilities required include:<\/p>\n\n