BEST PRACTICES
2018 / 2019
2082 Business Center Drive, Suite 240 | Irvine, CA 92612
Telephone (949) 831-8700 | www.computereconomics.com
IT Management Best Practices 2018/2019
Computer Economics provides research and advisory services on the strategic and financial
management of information technology. Our clients include IT end-user organizations and major
consulting firms in North America. Our IT Spending and Staffing Benchmarks study, published annually
since 1990, is the definitive source of IT benchmarking data.
Other annual studies include Technology Trends, an assessment of technology adoption, spending, and
economic experience; IT Outsourcing Statistics, which provides data on the use of and experience with
IT outsourcing; IT Management Best Practices, which measure adoption trends of strategic IT practices;
and IT Staffing Ratios, a series of benchmarking studies with metrics for 16 IT job functions.
Contact Information:
Address: 2082 Business Center Drive, Suite 240, Irvine, CA 92612, USA
Telephone: +1 (949) 831-8700
www.computereconomics.com
ISBN: 0-945052-98-7
Computer Economics disclaims all warranties and conditions with regard to the content, express or
implied, including warranties of merchantability and fitness for a particular purpose, nor assumes any
legal liability for the accuracy, completeness, or usefulness of any information contained herein. Any
reference to a commercial product, process, or service does not imply or constitute an endorsement
of the same by Computer Economics. This publication is designed to provide accurate and
authoritative information in regard to the subject matter covered. It is sold or distributed with the
understanding that Computer Economics is not engaged in rendering legal, accounting, or other
professional service. If legal advice or other expert assistance is required, the services of a competent
professional person should be sought.
Table of Contents for Full Report
IT MANAGEMENT BEST PRACTICES
Introduction
How We Measure Best Practices
Understanding the Best-Practice Profiles
Major Findings
IT Strategic Planning
Executive IT Steering Committee
IT Project Portfolio Management
Project Management Office
IT Change Control Board
Organizational Change Management
APPENDIX
IT as a business function has evolved and matured over a period of decades, and today it is no longer
necessary for IT organizations to reinvent the wheel. Although best practices need to be tailored to
fit the organization, certain disciplines show up again and again in the best-run IT organizations. At
the same time, these disciplines are continually evolving. The movement from waterfall software
development to agile development is one example. The transition from traditional software change
management to DevOps is another. In other cases, new practices are needed to accommodate new
technologies, such as bring-your-own-device policies to respond to the widespread adoption of
mobile technology. IT leaders, therefore, must continually evaluate their internal processes to ensure
they are keeping pace.
In this study, we examine the growth and maturity of 35 IT management practices. Some of these are
well-established disciplines and are widely accepted. Others are gaining traction among early
adopters. Still other practices are being widely promoted by tool vendors and consultants, but they
are only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to
provide IT executives with real-world data on how widely each best practice is implemented, a basis
for comparing their organizations with their peers, and a means of identifying emerging best
practices.
This study is now in its 14th year. Each year, we ask IT organizations in our annual survey to what
extent they have adopted a selected list of IT management best practices. Survey participants have
five response choices:
Practicing Formally but Inconsistently: We have formal policies and procedures for
this discipline, but we do not follow them consistently or to the extent that we should.
Practicing Formally and Consistently: We have formal policies and procedures for
this discipline and we follow them consistently.
The responses enable us to determine how widely a discipline has been adopted, how formally and
consistently it is being practiced, and how quickly it is likely to grow. By comparing current-year
responses with those from prior years, we also can assess the growth trajectory of a best practice.
To simplify the presentation, we have grouped the practices into six major categories: IT governance
practices, IT financial management practices, IT operational management practices, IT security and
risk management practices, application development practices, and innovation practices. While the
boundaries between these best-practice categories can overlap, the categories provide an opportunity
to discuss the selected practices within the context of related practices. We present our key study
findings by category at the beginning of each section.
The practice rate is the percentage of organizations that have adopted a practice, even
if just informally. For example, if for a given best practice 20% of the respondents are
practicing it informally, 20% are practicing it formally but inconsistently, and 40% are
practicing it formally and consistently, then the practice rate is 80%. The practice rate
does not include companies that are planning to implement the practice but have not yet
done so. We report the practice rate for the composite sample, by organization size, and
by sector.
The practice level is an indicator of how fully the practitioners have adopted a best
practice. For a given best practice, the practice level is the percentage of adopters that
are practicing it “formally and consistently” (as opposed to informally or inconsistently).
Continuing the previous example, if the best practice has been adopted by 80% of the
sample (the practice rate), but only 40% of the adopters are practicing it formally and
consistently, the practice level is 40%. While some best practices may be widely adopted,
the practice level could still be low because it is only practiced informally or
inconsistently.
The maturity of a practice is simply the percentage of respondents that have adopted
that best practice “formally and consistently.” We report this metric in the adoption
profile for each practice. In addition, we also calculate the relative maturity for each of
them against the others to produce our maturity ratings of low, moderate, or high. The
scale is based on the lowest and highest maturity values in the study. A low rating would
fall in the bottom third of the scale, a moderate rating in the middle third, and a high
rating in the top third. The analysis provides a basis for comparing and contrasting the
practices in the Major Findings section and in the maturity profiles as discussed below.
Maturity Profile: The first chart sets the context for assessing the practice rate, practice
level, and maturity by providing ratings of low, moderate, or high. The ratings are based
on a comparison among all 35 practices in the study.
Practice Rate Trend: Many of the best practices have been included in our annual
study for a number of years. In the practice rate trend chart, we show how the practice
rate has been changing over time. The number of years in the trend charts can vary,
depending on how long the practice has been in the survey.
Adoption Profile: The adoption profile shows the percentage of organizations at each
adoption stage. The stages as previously mentioned are: no activity, implementing,
practicing informally, practicing formally but inconsistently, and practicing formally and
consistently (the maturity level).
Practice Rate and Level by Organization Size: Organization size often influences the
adoption of a particular management practice. This analysis breaks the sample into size
categories: Large organizations have IT operational budgets of at least $20 million,
midsize organizations from $5 million up to $20 million, and small organizations less
than $5 million.
Major Findings
Our top-line findings show that IT organizations continue to embrace many of the key best practices
such as IT strategic planning, IT policies and procedures, security policies, software change
management process, and disaster recovery planning. Many other practices out of our total of 35,
however, remain immature and not fully embraced, including DevOps, ITIL, IT service catalog, and
post-implementation audits.
In this section, we examine the top five most practiced, top five least mature, and the top five most
mature.
Next on the list is software change management process, at 84%. This process is the establishment of
formal controls over how new systems or system changes are introduced into the production
environment.
Rounding out the top five most popular, at 83%, is disaster recovery planning. As each new natural
disaster or widespread power outage hits, organizations are reminded that they need to routinely
update and test their disaster recovery plans or risk business disruption.
As shown in Figure 2, the least mature best practice is post-implementation audits, which has a mere
4% of respondents practicing it formally and consistently. The use of post-implementation audits is
hardly a new practice, but many organizations tend to skip this final step of the implementation
process, particularly when they are struggling with more pressing concerns. Of these top five least-
mature practices, we judge post-implementation audits as the one that is the most obvious as an
opportunity for all IT organizations. It is a low-cost best practice, easy to implement, and has
immediate tangible benefits. It is a shame that it is not more broadly practiced formally and
consistently.
Two practices earn a 6% maturity rating: IT R&D budget and IT service catalog. With the former,
the IT organization has a defined budget for researching, developing, and conducting pilot projects
for new technologies that may or may not ultimately be adopted by the organization. As for the IT
service catalog, it is a foundational element of IT service management, and it plays an important role
in IT financial management. It has garnered attention recently, but the practice to this point is rarely
implemented.
Figure 3 shows that security policies tops our list of the most-mature practices, with 57% saying their
security policies are formal and consistent. The fact that most organizations have IT security policies
is not surprising, since such policies are often mandated by corporate policies or industry regulations.
But it is disappointing that only 57% of them establish them formally and consistently. Perhaps this
is one reason that we continue to see little progress against high-profile cyberattacks.
Security incident management, at 46%, is second on this most-mature list. Security incident
management is a process to record, track, and resolve security breaches. When a security incident
occurs, an organization will have a response team in place and clearly defined procedures for
managing the incident. Security incident management is especially important for companies such as
banks and retailers that hold sensitive customer information. But fewer than half of IT organizations
formally and consistently respond to and manage security incidents.
Disaster recovery planning garners 45% on the maturity ranking. This best practice entails plans and
processes to ensure recovery of systems and data in the event of disruption. It is discouraging that
fewer than half of organizations plan for disaster recovery formally and consistently.
IT security compliance audits are next on the top maturity list, at 42%. Periodically auditing users and
IT staff to ensure that security policies are followed is a mandate for any organization that is serious
about IT security, particularly those managing personal information such as patient healthcare
records and those processing credit card and other financial transactions. Yet again, the fact that only
42% of IT organizations formally and consistently audit security compliance is discouraging.
The fifth most-mature practice is IT policies and procedures, at 41%. The best IT organizations not
only document a complete set of needed policies and procedures, but they also regularly update them
as business conditions or the IT landscape changes. This is a foundational practice for any IT
organization, and it is difficult to imagine why any would not maintain IT policies and procedures
formally and consistently.
IT Governance
Best-Practice Profiles
This section presents trends for IT management best practices in the governance category. IT
governance practices help align the IT organization’s objectives and priorities with those of the
business and ensure that proper controls are established and maintained. Six of the best practices in
the study are in this group, as shown in Figure 4. The practices are ranked by their relative maturity
level, which is determined by comparing them with one another in terms of the percentage of
organizations that are practicing them formally and consistently.
Three of these practices are rated as moderate in maturity: IT change control board, executive IT
steering committee, and IT strategic planning. Year-over-year practice rates and levels are relatively
stable.
Project management office and IT project portfolio management are less-mature practices in this
group, as both have maturity ratings on the high side of low, relative to other best practices overall.
Organizational change management also gets a low maturity rating.
IT Strategic Planning
IT strategic planning is a critical activity for every organization. Typically, the process involves
understanding the organization’s business strategy; assessing the gaps between IT capabilities and
business needs; establishing overall objectives for IT; developing an action plan; monitoring and
reporting the results; and revising the plan on a regular basis. Increasingly, however, alignment
between the business strategy and IT strategy is a two-way street. IT strategy needs to align to the
business, but at the same time IT capabilities can be leveraged to transform the organization’s
business model. “Digital transformation” is a popular term describing an IT-enabled business
strategy.
To be practicing formally and consistently, an organization must have an IT strategic plan that spans
multiple years. A multiyear IT plan takes a three- to five-year view, focuses on what new systems and
IT capabilities need to be implemented, what business and IT processes need to be transformed, and
how the IT organization needs to be developed to better serve the business. Without a multiyear
approach, it is difficult for IT organizations to undertake initiatives that stretch beyond the current
budget cycle or do not offer immediate payback despite supporting a longer-term strategy.
Maturity Profile
IT strategic planning is well-established and enjoying healthy, regular use. Strategic planning earns a
high practice rating and a moderate practice level rating, Figure 5 shows.
This practice, therefore, enjoys a moderate maturity rating relative to other practices in this study. It
is a positive sign that IT organizations today are focused on long-term, strategic initiatives, even if
just informally. However, more formal and consistent practice is warranted.
Adoption Profile
Figure 7 shows the percentage of organizations at each adoption stage this year. The three green bars
make up the practice rate: 24% are practicing IT strategic planning informally, 26% are practicing
formally but inconsistently, and 36% are practicing formally and consistently (the maturity level).
Another 8% are implementing the practice for the first time. The remaining 6% report no activity.
Organization size has only a small influence on the adoption of IT strategic planning. Large
organizations are the practice leaders: 91% of them practice IT strategic planning at least on an
informal basis, compared with 83% of midsize organizations and 85% of small organizations, Figure
8 shows.
When it comes to practice level, the influence of organization size is modest but notable. Midsize
organizations tend to do IT strategic planning more formally and consistently than other
organizations, with a 53% practice level. Thirty-three percent of small organizations and 40% of large
organizations that have adopted IT strategic planning are doing so formally and consistently.
IT strategic planning is least pervasive among the construction/trade services sector, where 67% of
organizations have IT strategic plans. But clearly, the majority of organizations in all sectors have
adopted IT strategic planning.
Appendix
Benchmarking IT Management Best Practices
The analysis of IT management best practices in this study offers one source of
guidance for IT managers in developing their IT organizational disciplines. We recommend the
information provided in this report be used as “best-practice benchmarks.” For each practice listed
in this study, review whether or not the discipline is being practiced and, if so, at what level
(informally or formally, inconsistently or consistently). Then, compare with the benchmark
organizations and ask the following questions:
Are the practices identified as having high practice rates in place within the organization?
If not, it may be appropriate to rank the IT organization as lagging in these widely
adopted practices.
If the organization already is practicing the most highly adopted practices, are they being
practiced formally and consistently? If the practice is informal or inconsistent, ask
whether improving disciplines around the practice would yield further benefits. This
may reveal opportunities for improvement.
Identify where the organization stands in relation to the practices that are showing the
most rapid growth. For those not yet practiced, consider more research or a pilot
program to further understand how they could improve the effectiveness of IT
processes.
Finally, the results presented in our study provide ammunition for justifying an investment in
implementation of these best practices. Use the practice rate and level statistics as evidence of the
direction other organizations are taking to improve the performance of the IT function.
A total of 173 IT organizations in the U.S. and Canada participated in the IT Management Best Practices
study. Figure A-1 displays the key demographics for organizations in the sample.
We also assess the sample by sector. Manufacturers made up 22.3% of the sample; government and
nonprofit organizations, 18.9%; financial services, 13.6%; professional/technical services, 13.1%;
retail and wholesale distributors, 10.1%; hospitals/health systems, 5.8%; construction and trade
services, 5.3%; and other sectors, 10.7%.