January 1999
CONTENTS
Section (Paragraphs)
Preface
Executive Summary (1-5)
Key Definitions (6)
Why is Information Technology Planning Important? (7-10)
What is Information Technology Planning? (11-14)
What are the Key Principles in Developing an Information Technology Plan? (15-25)
What is the Best Approach for Information Technology Planning? (26-44)
Appendix: Key Control Objectives and Assessment Issues for Information Technology Planning
PREFACE
In a digital world, the management and use of information, information systems and
communications is of critical importance to the success of an organization. The
criticality arises from:
• the increasing dependence on information and the systems and communications that deliver the
information;
• the scale and cost of the current and future investments in information; and
• the potential of technologies to dramatically change organizations and business practices,
create new opportunities and reduce costs.
Many organizations recognize the potential benefits that technology can yield.
Successful organizations, however, understand and manage the risks associated with
implementing new technologies. Executive management needs to have an appreciation
of the benefits, risks and constraints of information technology in order to provide
effective direction and adequate control.
In this guideline series, the International Federation of Accountants, through its
Information Technology Committee, seeks to promote executive understanding of key
issues affecting the management of information and communications. This series of
guidelines is written for management.
This guideline is the second of the series and covers managing information technology
planning. In addition to emphasizing the nature and need for information technology
planning and its impact on business strategy, these guidelines provide an understanding
of the main principles on which plans should be formulated, and a generic approach for
implementing effective planning.
Executives in various capacities — for example, accountants, financial controllers,
auditors, or business managers — are frequently called upon to manage, participate in,
assess, or comment on the information technology planning process. It is, therefore,
essential for executives to have a sound knowledge of the principles and practices of
managing information technology planning.
IFAC’s Information Technology Committee would like to acknowledge the support from
the Information Systems Audit and Control Association and to thank its various
contributors who provided valuable input for this document:
Susan M. Caldwell, ISACA
Michael Donahue, PricewaterhouseCoopers
John W. Lainhart IV, PricewaterhouseCoopers
Akira Matsuo, Chuo Audit Corporation
Robert G. Parker, Deloitte & Touche LLP
Deepak Sarup, ALLTEL International Resource
Patrick Stachtchenko, Deloitte Touche Tohmatsu
Paul A. Williams, Arthur Andersen
EXECUTIVE SUMMARY
WHY?
1. For most organizations, the rapid developments in information technology provide management
with an opportunity to develop and implement new or improved products and services. To take
advantage of this opportunity, management must first recognize the potential represented by
information technologies, and, next, identify and implement information systems which assist in
better meeting the organization’s business objectives. Information technology planning, as
described in these guidelines, is an effective approach to assist management in this process since it
provides:
• a structured basis for evaluating the impact of technologies in the broader context of business
objectives and comparative assessment with similar organizations;
• a framework for scheduling necessary information system projects in an integrated manner
while recognizing available resources and constraints; and
• assurance that investments in the information system projects are justified in terms of
realizable benefits and represent the most appropriate option to the organization.
WHAT?
2. An information technology plan supports the business goals and strategies within the business plan.
The objective of the information technology plan is to provide a road-map of the information
technology required to support the business direction of an organization, outlining the resources that
are required and the benefits that will be realized on implementation of the plan. While each
information technology plan is unique to the needs and circumstances of an organization, it is
generally formulated using the following ten principles:
CORE PRINCIPLES
• ALIGNMENT — The plan should support and complement the business direction of an
organization.
• RELEVANT SCOPE — The scope of the plan should be established to facilitate formulation
of effective strategies.
• RELEVANT TIMEFRAME — A planning horizon should be formulated that provides
long-term direction and short-to-medium term deliverables in a manner consistent with the
business strategy.
• BENEFITS REALIZATION — Costs of implementation should be justified through tangible
and intangible benefits that can be realized.
• ACHIEVABILITY — The planning process should recognize the capability and capacity of
the organization to deliver solutions within the stated planning timeframe.
• MEASURABLE PERFORMANCE — The plan should provide a basis for measuring and
monitoring performance.
• REASSESSMENT — The plan should be reassessed periodically.
• AWARENESS — The plan should be disseminated widely.
• ACCOUNTABILITY — Responsibility for implementing the plan should be explicit.
• COMMITMENT — Management commitment in implementing the plan should be exhibited.
HOW?
3. Although information technology plans are unique, the planning process and the underlying
activities are similar. Usually, the plan will be developed in four phases:
WHO?
5. The information technology plan is usually prepared under the direction of a steering committee that
is headed by the Chief Executive Officer, Chief Information Officer, or another senior business
executive. The steering committee may comprise senior business executives, key business unit
managers, the information technology manager and the information systems audit manager. The
steering committee is supported by a specifically formed project team — which may include
external consultants with expertise in developing information technology plans.
KEY DEFINITIONS
6. Applications means the computer programs, specifications, and procedures for their operation, use
and maintenance that are required to input, store, process, share, transmit, or retrieve data and
information relating to one or more groups of business processes.
Communications is the transmission and reception of messages and includes both
voice and data communications.
Data means a representation of facts, concepts, or instructions in a formalized
manner suitable for communication, interpretation or processing by human beings
or by automatic means.
Information is the meaning assigned to data by means of conventions applied to
that data.
Information Systems means the technology infrastructure and applications
together with the data and information that may be recorded, stored, processed,
shared, retrieved, or transmitted by them.
Information Technology refers to information systems and the organizational
resources required to plan, acquire, implement, deliver and monitor them.
Technology Infrastructure refers to the hardware and software components and
their interconnections required to support the applications.
WHY IS INFORMATION TECHNOLOGY PLANNING IMPORTANT?
7. Effective management of information technology is a business imperative and increasingly a source
of competitive advantage. The rapid pace of technological change, together with declining unit
costs, is providing organizations with increasing potential for:
• enhancing the value of existing products or services;
• providing new products and services; and
• introducing alternative delivery mechanisms.
Benefiting from information technology requires foresight to prepare for the changes, planning to provide
an economical and effective approach, and effort and commitment in making it happen.
8. Information technology planning provides a structured means of addressing the impact of
technologies, including emerging technologies, on an organization. Through the planning process,
relevant technologies are identified and evaluated in the context of broader business goals and
targets. Based on a comparative assessment of relevant technologies, the direction for the
organization can be established.
9. The implementation of information technologies may be a complex, time-consuming and expensive
process for organizations. Information technology planning provides a framework to approach and
schedule, wherever possible, necessary information technology projects in an integrated manner.
Through this process, performance milestones can be agreed upon, scope of specific projects
established, resources mobilized and constraints or limitations identified. Without effective
planning, the implementation of information technologies may be misguided, haphazard, delayed
and more expensive than justified.
10. Good governance requires that all investments be justified — including any information technology
investments. Information technology planning provides a process for not only evaluating alternative
approaches, but also for justifying the selected approach in terms of benefits, both tangible and
intangible, that will be realized by an organization. This is an important dimension when many of
the underlying projects may be difficult to support on an individual basis.
WHAT IS INFORMATION TECHNOLOGY PLANNING?
11. Business planning is an accepted responsibility of management. Plans provide a direction and
framework for action. Plans enunciate business goals and the actions that need to be initiated to
achieve those goals including related benefits, resources and timeframes.
12. Increasingly, information technologies not only support but may also drive or enable business
strategies. In this context, information technologies are an integral part of the business planning
process itself. If such potential is evident after the completion of the business plan, then the
business plan must be revisited and, if appropriate, revised.
13. An information technology plan is supportive of the business plan. It is based on the business goals
and strategies. It provides a framework for information technology investments so that the desired
outcome, in terms of benefits, can be obtained with the most effective and efficient use of available
resources.
14. The objective of information technology planning is to “provide a road-map of the information
technology required to support and enhance the business direction of an organization, outlining the
resources that are required and benefits that will be realized on implementation of the plan.”
In this context:
• road-map defines the desired position for the organization’s use of information technology at a
future point in time (strategies) and the manner in which the position will be attained over the
intervening period (tactics);
• resources encompass existing information technology, and on-going expenditures on
information systems, related facilities and personnel, as well as any additional investments
proposed within the plan; and
• benefits to be realized may include incremental revenue or reduced costs of operations or
improved service quality that will arise from the implementation of the plan.
ALIGNMENT — The plan should support and complement the business direction of an
organization.
16. An information technology plan must be integrated with the needs and direction of the organization.
To achieve this alignment, the key drivers of the information technology plan are the desired short-
and long-term business targets as contained in the current business plan. Throughout the planning
process, the focus must remain on the information and services/processes to be provided and the
technology infrastructure required to provide effective and efficient services which meet business
and organizational requirements. A successful information technology plan must be prioritized and
executed within the framework of these business strategies.
Issues to consider include:
• business direction and any changes that are anticipated — for example, new product launches,
emerging delivery channels, or alternate business scenarios;
• legal and regulatory framework and changes thereto — the impact of likely changes must be
factored into the planning process;
• competitive environment and the corresponding challenges and opportunities such as an
alliance with third-parties through inter-organizational systems;
• key business strategies and the related information technology support requirements;
• risks and costs of adopting more flexible information technology plans that are adaptable to
evolving business strategies; and
• service-level requirements of the business in terms of, for example, security (availability,
integrity, and confidentiality), information system response times — particularly during peak
periods — and data storage and archiving requirements.
RELEVANT SCOPE — The scope of the plan should be established to facilitate formulation of
effective strategies.
17. The scope of the information technology plan has a major impact on the effort required to prepare it,
as well as the plan's acceptance and ultimate success. An inadequate scope would inhibit the
formulation of effective strategies, and an excessively wide scope will militate against
implementation of the plan.
Issues to consider include:
• extent to which the plan should address the business needs of geographically dispersed units or
autonomous business units;
• linkages with other business or functional strategies — for example, a business process
re-engineering program may require extensive dovetailing with human resource and workplace
redesign strategies; and
• requirements to incorporate linkages to third parties (customers, suppliers, partners, etc.) and
the manner in which joint plans should be established.
ACHIEVABILITY — The planning process should recognize the capability and capacity of the
organization to deliver solutions within the stated planning timeframe.
20. Information technology related initiatives can require major investments in terms of capital and
people. It is essential that the strategies and tactics in the information technology plan not only offer
a high payback but are also within the means of an organization. At times, this limitation may
necessitate adoption of a less than ideal solution, or a delayed or phased implementation of the ideal
solution.
Issues to consider include:
• availability of additional resources (capital, technology infrastructure, people) required to
implement the plan — for example, if the plan is based on a significant increase in capital
expenditure on information technology, then the source of such capital must be considered
before the plan is fully developed; and
• compatibility of proposed information technology-related initiatives with the organizational
culture — for example, if a given initiative requires a high level of user experience in
information technology, then this requirement must be compared to the user skill level within
the organization.
MEASURABLE PERFORMANCE — The plan should provide a basis for measuring and
monitoring performance.
21. A successful plan must provide a yardstick for measuring progress and serve as a benchmark for
modifying objectives and providing input for corrective action — either to improve
performance or revise the plan. Typically, an information technology plan will provide performance
milestones against which performance can be measured.
Issues to consider include:
• setting realistic and specific performance milestones that facilitate periodic review of
performance against the plan;
• formalizing a process for the periodic review of progress against established milestones;
• assessing benefits realized against benefits anticipated on completion of the projects;
• providing for progress reporting against plans on an on-going basis, including early warning of
any problem areas; and
• linking information technology plan deliverables to business targets and budgets so that the
impact of any delay is apparent and leads to a corresponding revision of the business plan.
REASSESSMENT — The plan should be reassessed periodically.
22. Plans are based on business and information technology assumptions. If these assumptions change,
the existing initiatives and projects may be inappropriate or more effective alternatives may have
emerged. An effective plan must be flexible and provide for periodic reassessment of the validity
and effectiveness of both strategies and tactics.
Issues to consider include:
• establish a check list of business and information technology assumptions on which the plan is
formulated;
• incorporate a mechanism to periodically confirm validity of planning assumptions (against the
above check list) and critical success factors — for example, if a selected information
technology becomes obsolete, then the plan should be immediately evaluated and appropriate
revisions made; and
• volatility of the business environment and its impact on project priorities — for example, if a
new business line is to be launched, then the information technology plan may need to be
changed to reflect this business imperative.
PHASE I: ORIENTATION
27. The first phase is required to establish or confirm the scope of the information technology for the
planning process, the methodology and techniques to be applied, mobilization of the planning team,
and the reporting lines for the planning process. The planning process may have been initiated in
response to a major change in the business strategies, or the implementation of most of the projects
in the tactical plan, or where the business or information technology assumptions of the existing
plan have changed significantly. Major steps in this phase and the key activities are described
below.
28. Establish scope: The scope of the information technology plan normally follows the business plan
of the organization and represents an essential starting point to the planning process. Key activities
include:
• determining whether the plan incorporates all business units or whether separate plans will be
developed for selected business units;
• assessing the impact, if any, of organizational structure and policies on the scope — for
example, for autonomous business units the practicality of formulating centralized strategies;
• evaluating the extent of third-party involvement in the planning process — for example, to
support inter-organizational systems; and
• establishing an overall timeframe for the strategic and tactical plans.
At the end of this step, the scope and timeframe for the information technology plan will have been
established.
29. Establish methodology/techniques and mobilize resources: Information technology planning can
be a time-consuming process depending on the size of the organization, and the scale of its current
or desired information technology usage. Once the scope has been established, the methodology
and techniques need to be established and the background information and resources necessary for
the planning effort need to be mobilized, including a clear delineation of reporting lines. Key
activities include:
• gathering necessary background information on the organization, its information technology
profile and capabilities and any impending changes that may impact the planning process;
• selecting a proven methodology to support the planning activities. This may be provided by
external consultants, internally developed, or acquired from a third party;
• determining techniques that will be used for collecting and analyzing information, including
questionnaires, interviews, workshops, etc.;
• developing a specific timetable for the completion of the plan, particularly the key phases;
• establishing an information technology project team. Typically, this will be a multidisciplinary
team, comprised of persons with both information technology and business skills. Frequently,
the team is supplemented by external consultants with expertise in information technology
planning; and
• formalizing the reporting mechanism for the project team. Generally, the team reports to a
steering committee which is headed by the Chief Executive Officer, Chief Information Officer,
or another senior business executive and comprises key business unit managers, the
information technology manager, and an information systems audit manager.
At the end of this step, a methodology, approach and timetable will have been established,
background information gathered and an information technology planning team will be in place for
the planning activities remaining.
* abstracted from “Control Objectives for Information and related Technology (COBIT)
2nd Edition” published by the Information Systems Audit and Control Foundation
(ISACF), 1996, 1998
** the term “long-range” is comparable to “strategic” and the term “short-range” is
comparable to “tactical”