A well-written piece in the IIA's IT Audit by Dwayne Melancon outlines the results of a research study conducted by the IT Process Institute (ITPI). The ITPI went looking for characteristics of the controls infrastructure that distinguish high- from low-performing IT departments. The researchers picked out IT process controls from the COBIT and ITIL/ISO 20000 frameworks and measured 98 organizations, not a huge sample but statistically significant and adequate given the depth of study.
The headline is that they found a clear link between the quality of an organization's change management controls and its performance. A caveat on the method: top/medium/low performers were defined by the "number of controls for which respondents scored in the top 50th percentile of all respondents" across the six control areas of access, change, release, configuration, service level and resolution (presumably of problems/incidents), so it is inevitable that high performers scored well on those six control areas. The substantive finding is that, of the six, the strongest link to performance occurs in the change management domain.
The report picks out some interesting correlations between specific controls and high performers e.g.:
- monitoring for authorized/unauthorized and successful/unsuccessful changes;
- firm consequences for those who intentionally make unauthorized changes;
- formal processes and automation of configuration management.
These in turn suggest potential metrics e.g.:
- percentages of changes that are authorized and successful (the proportion of unplanned work that an IT department undertakes has previously been identified as a worthwhile metric; the "proportion of problems that are fixed first time" is another good one);
- percentage of unauthorized change incidents that lead to disciplinary action (measuring management's commitment to enforcing change management controls);
- percentage of configuration information that is accurate and complete.
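The first and third of those metrics are only as good as the reconciliation behind them: detected changes have to be matched against the change-approval record, and CMDB entries have to be compared with what discovery actually finds. The following is an added example of that reconciliation logic; it is not part of the original post or of the ITPI study. It assumes a change-approval record exporting ticket id, host and approved window, a feed of detected configuration changes with a post-change verification outcome, and CMDB/discovery data keyed by hostname. All hosts, tickets, timestamps and records are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ApprovedChange:
    change_id: str          # hypothetical change-ticket id from the approval record
    host: str
    window_start: datetime  # approved implementation window
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    host: str
    at: datetime            # when file-integrity/config monitoring detected the change
    detail: str
    succeeded: bool         # outcome of post-change verification (False = failed/rolled back)


# Constructed approval record (two tickets) and detection feed (four events).
APPROVED = [
    ApprovedChange("CHG-1001", "web01", datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0)),
    ApprovedChange("CHG-1002", "db01", datetime(2024, 3, 3, 1, 0), datetime(2024, 3, 3, 3, 0)),
]
OBSERVED = [
    ObservedChange("web01", datetime(2024, 3, 2, 23, 10), "nginx.conf modified", True),
    ObservedChange("web01", datetime(2024, 3, 4, 10, 30), "sshd_config modified", True),
    ObservedChange("db01", datetime(2024, 3, 3, 2, 15), "postgresql.conf modified", False),
    ObservedChange("app01", datetime(2024, 3, 3, 14, 0), "/etc/sudoers modified", True),
]


def match_approval(ev: ObservedChange, approved: list) -> Optional[str]:
    """Return the ticket id that authorizes a detected change, or None.
    A change is authorized only if a ticket for the same host has an approved
    window containing the detection time; same host outside the window is
    treated as unauthorized, which is the case worth escalating."""
    for chg in approved:
        if chg.host == ev.host and chg.window_start <= ev.at <= chg.window_end:
            return chg.change_id
    return None


def change_metrics(observed: list, approved: list) -> dict:
    """Compute the authorized / authorized-and-successful percentages and
    list the unauthorized events for follow-up (the input to the second
    metric, the disciplinary-action rate, which is tracked outside this code)."""
    authorized = 0
    authorized_success = 0
    unauthorized = []
    for ev in observed:
        if match_approval(ev, approved) is None:
            unauthorized.append(ev)
        else:
            authorized += 1
            if ev.succeeded:
                authorized_success += 1
    total = len(observed)
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "total": total,
        "pct_authorized": pct(authorized),
        "pct_authorized_and_successful": pct(authorized_success),
        "unauthorized": unauthorized,
    }


# Constructed CMDB records versus what discovery reported for the tracked fields.
CMDB = {
    "web01": {"os": "ubuntu-22.04", "role": "web"},
    "db01": {"os": "rhel-9", "role": "db"},
    "app01": {"os": "ubuntu-22.04", "role": "app"},
}
DISCOVERED = {
    "web01": {"os": "ubuntu-22.04", "role": "web"},
    "db01": {"os": "rhel-8", "role": "db"},
    "app02": {"os": "ubuntu-22.04", "role": "app"},
}


def cmdb_accuracy(cmdb: dict, discovered: dict, fields: tuple) -> dict:
    """Percentage of configuration items that are accurate and complete.
    The denominator is the union of CMDB and discovered hosts, so an item
    missing from either side counts against accuracy, not just field mismatches."""
    discrepancies = []
    for host in sorted(set(cmdb) | set(discovered)):
        if host not in discovered:
            discrepancies.append((host, "in CMDB but not discovered"))
        elif host not in cmdb:
            discrepancies.append((host, "discovered but not in CMDB"))
        else:
            for f in fields:
                if cmdb[host].get(f) != discovered[host].get(f):
                    discrepancies.append((host, f"{f}: cmdb={cmdb[host].get(f)} discovered={discovered[host].get(f)}"))
    total = len(set(cmdb) | set(discovered))
    bad_hosts = {h for h, _ in discrepancies}
    pct = round(100.0 * (total - len(bad_hosts)) / total, 1) if total else 0.0
    return {"pct_accurate": pct, "discrepancies": discrepancies}


if __name__ == "__main__":
    print(change_metrics(OBSERVED, APPROVED))
    print(cmdb_accuracy(CMDB, DISCOVERED, ("os", "role")))
```

On the constructed data this reports 50% of changes authorized and 25% authorized and successful, with the out-of-window sshd_config edit on web01 and the sudoers edit on app01 flagged as unauthorized, and 25% CMDB accuracy. Two design points matter in practice: matching on host and approved window (not just on the existence of a ticket) is what makes the unauthorized count meaningful, and counting undiscovered and unregistered hosts against accuracy is what stops a CMDB from looking complete merely because nobody checked.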
The full study report costs $1,695 and may be hard to justify but the free executive summary is worth reading if you have an interest in the relationship between IT governance, risk, control and security.
More IT governance and change management links