Governance Issues: Checklist for Application Management

The purpose of application planning is to determine how to automate enterprise business processes. To assure that the application plan represents the business reality, it is a good idea to adopt the following governance practices: 

Governance Checklist (Detailed)

1. Plan Application Management

§         Establish an application management process. The main idea is to make one or more staff members (depending on the size of the organization) responsible for the following:

§         Application planning

§         Application acquisition

§         Application deployment

§         Application planning (identifying and prioritizing the applications) is needed for every organization and should include the following activities:

§         Identify core (commonly used apps such as office productivity applications) and supplemental (such as computer aided design -- CAD) applications.

§         Inventory applications, i.e., identify all applications that must be deployed to support the business. 

§         Prioritize applications, i.e., identify the applications that are more urgent.  

§         Identify application subject matter experts (SMEs), i.e., the experts who know about the applications and can help in application deployment and migration. 

§         Understand packaging techniques, i.e., how the applications can be packaged for deployment. 

 

2. Define, in Detail, the Application Management Approach

Application acquisition (e.g., buying, developing) and application deployment (e.g., test, run and support) depend on the type of automation strategy used, i.e., buy-rent-outsource-develop-extend (BRODE).

§         For buying:   

o        Choose vendors, product demos, etc.

o        Test and deploy the application, allowing a pilot phase for critical applications

§         For renting through an ASP (application service provider):   

o        Choose application service providers, demos, service level agreements (SLA), etc.

o        Test the application at the ASP site, allowing a pilot phase for critical applications

§         For outsourcing development:   

o        Choose software development houses, background checks of development houses, development contracts, etc.

o        Test the application at your company site, allowing a pilot phase for critical applications

§         For developing in-house:   

o        Assign software development tasks to developers; hire new staff and/or train the existing staff

o        Test the application after completion, allowing a pilot phase for critical applications

§         For extending:   

o        Assign software development tasks to developers; hire new staff and/or train the existing staff

o        Test the application after completion, allowing a pilot phase for critical applications

§         Include critical applications in a disaster recovery plan

 

3. Enable the Application Management Process

§         Deploy application management mechanisms and policies

§         Communicate with and educate the staff on application management

§         Deploy procedures for application FCAPS (fault, change, accounting, performance, and security) management

§         For advanced users: Use application management tools and platforms such as IBM Tivoli.

 

4. Monitor and Evaluate the Governance Processes

§         Monitor compliance with policies

§         Monitor compliance with governance arrangements

§         Monitor effectiveness metrics

§         For advanced users: Use application management tools to monitor application faults, performance, security and change management

 

 

 

Additional Considerations:  

·         COBIT (www.isaca.org/cobit/) has an “Acquire and Implement” domain that covers IT requirements, acquiring the technology, and implementing it in an organization. Specifically, this domain includes the following control objectives that are relevant for application management: Identify Automated Solutions, Acquire and Maintain Application Software, Acquire and Maintain Technology Infrastructure, Enable Operation and Use, Procure IT Resources, Manage Changes, Install and Accredit Solutions and Changes.

§         CMM (the Capability Maturity Model), developed by the Software Engineering Institute at Carnegie Mellon University, concentrates on application development processes. The following maturity levels are defined for processes (see the CMM website, www.sei.cmu.edu/cmmi/, for details):

Level 1 – Ad hoc (Chaotic): undocumented and even unknown

Level 2 – Repeatable: some processes are documented and repeatable

Level 3 – Defined: well defined and documented standard processes

Level 4 – Managed: management can control, adjust & adapt processes

Level 5 – Optimized: continual improvement of process performance

§         SPICE is also an emerging standard for software process assessment that is more oriented towards smaller organizations. While CMM is very popular in the United States, and Bootstrap (a European equivalent of CMM) is popular in Europe, SPICE has gained ground in Australia and Japan. SPICE is an Australian initiative (www.sqi.gu.edu.au/spice/what.html).

 

Our Suggestion: Please start with the simple checklist because it provides a good initial application management approach. The COBIT “Acquire and Implement” domain should be reviewed for guidelines. Later, take a look at the CMM maturity levels and try to operate at level 3 or above. Although CMM maturity levels are primarily intended for software development, the concept of maturity levels can be used for software renting and software buying. You may want to take a look at SPICE and/or Bootstrap if needed. However, CMM is the most widely accepted and used standard.