Critical Success Factors
Critical Success Factors provide management with guidance for implementing control over IT and its processes. They are the
most important things to do that contribute to the IT process achieving its goals. They are activities that can be of a strategic,
technical, organizational, process or procedural nature. They are usually dealing with capabilities and skills and have to be short,
focussed and action oriented, leveraging the resources that are of primary importance in the process under consideration.
A number of Critical Success Factors usually apply to all IT processes. They deal with what is the standard, who
sets it, who controls or needs to act, etc.:
- Applying to IT in general
- IT processes are defined and aligned with the IT strategy and the business goals
- The customers of the process and their expectations are known
- Processes are scalable and their resources are appropriately managed and leveraged
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, retrain) exist.
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability. IT management is rewarded based on these measures.
- A continuous quality improvement effort is applied.
- Applying to most IT processes
- All process stakeholders (users, management, etc.) are aware of the risks, of the importance of IT and the opportunities it can offer, and provide strong commitment and support
- Goals and objectives are communicated across all disciplines and understood; it is known how processes implement and monitor objectives, and who is accountable for process performance
- People are goal-focused and have the right information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation, teamwork and continuous process improvement
- There is integration and alignment of major processes, e.g., change, problem and configuration management
- Control practices are applied to increase efficient and optimal use of resources and improve the effectiveness of processes.
- Applying to IT governance
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and scalability, and avoid breakdowns in internal control and oversight
- The application of practices that enable sound oversight: a control environment and culture; a code of conduct; risk assessment as a standard practice; self-assessments; formal compliance on adherence to established standards; monitoring and follow up of control deficiencies and risk
- IT governance is recognized and defined, and its activities are integrated into the enterprise governance process, giving clear direction for IT strategy, a risk management framework, a system of controls and a security policy
- IT governance focuses on major IT projects, change initiatives and quality efforts, with awareness of major IT processes, the responsibilities and the required resources and capabilities
- An audit committee is established to appoint and oversee an independent auditor, drive the IT audit plan and review the results of audits and 3rd party opinions.