COBIT QUICKSTART, 2ND EDITION

Framework. Baseline.

quickstart \ kwik stärt\ adj [ME quik, fr. OE cwic] + vb [ME sterten]: That which is essential, light and easy to use; a baseline if you are a beginner and a jumpstart when you have bigger aspirations.

2007 IT Governance Institute. All rights reserved.

IT GOVERNANCE INSTITUTE

The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers electronic resources, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

DISCLAIMER

ITGI (the "Owner") and the author have designed and created this publication, titled COBIT Quickstart, 2nd Edition (the "Work"), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

DISCLOSURE

2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL USA
E-mail: info@itgi.org

COBIT Quickstart, 2nd Edition
Printed in the United States of America

ACKNOWLEDGEMENTS

The IT Governance Institute wishes to recognise:

Project and Thought Leaders
Steven De Haes, University of Antwerp Management School, Belgium
Bart Peeters, PricewaterhouseCoopers, Belgium
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Francois Van Hees, PricewaterhouseCoopers, Belgium

Workshop Participants and Expert Reviewers
Roger Stephen Debreceny, Ph.D., FCPA, University of Hawaii, USA
Jan Devos, Associatie Universiteit Gent, Belgium
Rafael Eduardo Fabius, CISA, Republica AFAP, S.A., Uruguay
Gary Hardy, IT Winners Ltd., South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
John W. Lainhart IV, CISA, CISM, IBM, USA
Robert E. Stroud, CA Inc., USA
Greet Volders, Voquals NV, Belgium

ITGI Board of Trustees
Lynn Lawton, CISA, FCA, FIIA, PIIA, KPMG LLP, UK, International President
Georges Ataya, CISA, CISM, CISSP, ICT Control sa-nv, Belgium, Vice President
Avinash Kadam, CISA, CISM, CBCP, CISSP, Miel e-security Pvt. Ltd., India, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP, USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, Past International President
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Trustee
Tony Hayes, FCPA, Queensland Government, Australia, Trustee

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Avon Consulting Ltd., UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Lucio Molina Focazzio, CISA, Colombia
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG, Austria
Robert E. Stroud, CA Inc., USA
John Thorp, The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp, University of Antwerp Management School, and IT Alignment and Governance Research Institute (ITAG), Belgium

COBIT Steering Committee
Robert E. Stroud, CA Inc., USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Rafael Eduardo Fabius, CISA, Republica AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Jimmy Heschl, CISM, CISA, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Dirk E. Steuperaert, CISA, PricewaterhouseCoopers, Belgium

ITGI Affiliates and Sponsors
ISACA chapters
American Institute for Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
Analytix Holdings Pty. Ltd.
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix and Systems Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions

TABLE OF CONTENTS

Executive Summary
Introduction to the COBIT Framework
COBIT Quickstart Framework
  Why Do We Need Quickstart?
  What Does Quickstart Provide?
  What Is the Quickstart Approach?
  Who Can Use Quickstart?
  How Do I Know Whether Quickstart Is Suitable for My Organisation?
  How Is It Presented?
  How Is It Implemented?
  Migration Strategies to Move From Quickstart to Full COBIT
COBIT Quickstart Baseline
COBIT and Related Products

EXECUTIVE SUMMARY

A baseline for many small and medium enterprises (SMEs) and other entities where IT is less strategic or not absolutely critical for survival, and a starting point for larger enterprises in their first moves towards an appropriate level of control and governance of IT

Control Objectives for Information and related Technology (COBIT) is a comprehensive set of resources that contains all the information that organisations need to adopt an IT governance and control framework. Implementation is based on a number of factors, including the size of the organisation. COBIT Quickstart provides a selection from the components of the complete COBIT framework. Quickstart can be used as a baseline and a set of smart things to do for many small- and medium-sized enterprises (SMEs) and other entities where IT is not strategic or absolutely critical for survival. Quickstart can also be a starting point for larger enterprises in their first move towards an appropriate level of control and governance of IT.

This selection was made using the top-down philosophy from the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition (IT Governance Institute, 2007). This scoping method performs a top-down value and risk analysis starting with business goals, then identifying the supporting IT goals, defining the IT processes that need improvement, and ending with the control practices that need to be implemented or enhanced.

COBIT Quickstart provides tools to help the organisation carry out a self-assessment to determine whether Quickstart is appropriate for its use. However, it is always important to keep in mind that Quickstart is generic, and if specific areas or processes are considered more important, then extra guidance should be obtained from the full COBIT material. Moreover, in certain circumstances, such as when the organisation operates and manages open (as opposed to closed) systems, i.e., interconnects with customers and suppliers, the need to go beyond COBIT Quickstart should at least be reviewed as a risk management measure. In support of this, pragmatic migration strategies to move from Quickstart to a broader COBIT implementation are provided in this publication.

Quickstart is useful for all types of COBIT users in appropriate organisations: auditors, managers and implementers of IT governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and easy-to-use approach to get started. Care needs to be taken when using Quickstart to ensure that it is applied intelligently, given the specific needs and conditions of the enterprise. In addition, while Quickstart is powerful as a starting point, providing the smart things to do, additional controls will be required in many cases to provide an ongoing basis for effective governance of all IT processes.


INTRODUCTION TO THE COBIT FRAMEWORK

For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the contribution and benefits of information technology (IT) and use IT to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on IT.

The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.

Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise's IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.

Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.

COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure to judge against when things do go wrong.

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
- Making a link to the business requirements
- Organising IT activities into a generally accepted process model
- Identifying the major IT resources to be leveraged
- Defining the management control objectives to be considered

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help to identify the resources essential for process success, i.e., applications, information, infrastructure and people.

In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. Management needs to ensure that an internal control system or framework is in place such that IT supports the business processes. This implies that information, from the business's perspective, is:
- Effective
- Efficient
- Confidential
- Accurate, useful and timely
- Available
- Compliant
- Reliable

The right IT resources are:
- Applications
- Information
- Infrastructure
- People

The right resources should be available and properly used in the processes of the different domains, which COBIT defines as:
- Plan and Organise (Plan)
- Acquire and Implement (Build)
- Deliver and Support (Run)
- Monitor and Evaluate (Learn)

To this end, COBIT 4.1 provides 34 IT processes (shown in figure 1) and 210 control objectives that contain policies, procedures, practices and organisational responsibilities. In addition, the COBIT management guidelines provide a link between IT control and IT governance. They are action-oriented and generic, and provide management direction for getting the enterprise's information and related processes under control by providing inputs and outputs amongst processes, roles and responsibilities for key activities within processes, and goals and metrics for IT, IT processes and process activities. COBIT also provides maturity models to allow for benchmarking and continuous improvement. All these elements help provide answers to typical management questions:
- How far should the enterprise go in controlling IT, and is the cost justified by the benefit?
- What are the indicators of good performance?
- Who is responsible and accountable for specific IT processes?
- What are the risks of not achieving our objectives?
- What do others do?
- How does our enterprise measure and compare?

A new element introduced in COBIT 4.0 is the cascade of business goals, IT goals and IT processes. COBIT 4.1 provides a list of 17 generic business goals and 28 generic IT goals. The 17 generic business goals are organised according to the four perspectives of the business balanced scorecard:
- Financial
- Customer
- Internal
- Learning and growth

Figure 1: Overall COBIT Framework

Business objectives and governance objectives drive COBIT.

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT resources: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

Each business goal is linked to one or more IT goals which, in turn, are linked to one or more IT processes. In this way, a full cascade is built up showing how IT processes enable the achievement of IT goals which, in turn, enable the achievement of business goals.

All the components of COBIT are accessible via COBIT Online, a web-based, interactive knowledge base. Furthermore, the IT Governance Implementation Guide provides users with a method for implementing IT governance using COBIT. The IT Assurance Guide: Using COBIT provides assurance professionals with detailed guidance and testing steps to plan, scope and execute their assurance activities based on the COBIT framework.

The complete COBIT family of products is shown in figure 2. The top part provides practices at the board and executive levels. The middle portion focuses on management and its typical needs for measurement and benchmarking. The bottom section provides the detailed support for implementing and assuring adequate control and governance over IT. (For more information about COBIT, see the section in this publication on COBIT and Related Products.)

Figure 2: COBIT Family of Products

Executives and Boards
  How does the board exercise its responsibilities?
  Board Briefing on IT Governance, 2nd Edition

Business and Technology Management
  How do we measure performance? How do we compare to others? And how do we improve over time?
  Management guidelines; Maturity models

Governance, Assurance, Control and Security Professionals
  What is the IT governance framework? How do we implement it in the enterprise? How do we assess the IT governance framework?
  COBIT and Val IT frameworks; Control objectives; Key management practices; IT Governance Implementation Guide, 2nd Edition; COBIT Control Practices, 2nd Edition; IT Assurance Guide

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline, 2nd Edition and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart, 2nd Edition for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive governance implementation).


COBIT QUICKSTART FRAMEWORK

WHY DO WE NEED QUICKSTART?

COBIT is a comprehensive set of resources that contains the information that organisations require to adopt an IT governance and control framework. However, the breadth and depth of the guidance provided by all of COBIT's resources may be too detailed and overwhelming for smaller organisations. Or, for some larger organisations, COBIT may require too much time to analyse and focus on when taking the first steps towards IT governance.

The driver behind COBIT Quickstart is the need of managers of smaller organisations for a simple-to-use tool that will speed up the implementation of key control objectives. Equally, managers of larger organisations can leverage the tool to quickstart the initial phases of a broader IT governance implementation. In these circumstances, COBIT users need out-of-the-box, customised and simplified materials that are consistent with the full COBIT resources, but are immediately usable as is. COBIT Quickstart was not designed as an audit tool; however, it provides a reference for audit and assurance purposes.

WHAT DOES QUICKSTART PROVIDE?

Quickstart is based on a selection of the processes and control objectives of COBIT 4.1. The result is a simplified version including a limited set of processes and management practices (see figure 3). Quickstart also provides simplified versions of Responsible, Accountable, Consulted and Informed (RACI) charts for each of the retained processes and captures key outcome metrics at the level of the individual control objectives and the processes as a whole. All these elements represent a baseline and the smart things to do. Enterprises can use the baseline as is, without modification, or use it as a starting point to build more detailed management practices and measurement techniques.

Figure 3: COBIT Quickstart as Compared to COBIT (diagram comparing the domains, processes and control objectives retained in Quickstart against the full COBIT)

This selection from the COBIT material was made using the same philosophy as that presented in the IT Governance Implementation Guide: a top-down value and risk analysis starting with business goals, then moving to supporting IT goals, then to IT processes that need improvement, and finally arriving at control objectives that need to be implemented or enhanced.

The selection was also driven by the following assumptions:
- The IT infrastructure is not complex.
- More complex tasks are outsourced.
- The goal is less build, more buy.
- Limited in-house IT skills exist.
- Risk tolerance is relatively high.
- The enterprise is very cost-conscious.
- A simple command structure is in place.
- A short span of control exists.

These assumptions are representative of the control culture and environment of most SMEs and possibly also of some small subsidiary or autonomous entities of larger organisations. This implies that the resulting set of processes and control objectives is likely to be suitable for an SME environment. It also implies that it can be a starting point for larger organisations wanting to use Quickstart to launch an IT governance programme. These organisations need to extend their governance framework depending on their specific business and governance requirements. A road map to plan this implementation is provided later in this document. In addition, when implementing the entire COBIT framework, the IT Governance Implementation Guide can be used for guidance.

The above assumptions were kept in mind when developing COBIT Quickstart and should be considered by any enterprise using Quickstart to develop its IT governance and control framework. Why? Because the control culture associated with these assumptions implies that certain controls, formally defined in COBIT, are exercised informally but effectively. For example, the control and direction that are enabled by close supervision, typical for these types of organisations, are not retained in Quickstart.

Consistent with the full COBIT 4.1 publication, overarching process controls and application controls are not addressed in the detailed COBIT Quickstart contents. However, it is critical that these controls be considered while implementing Quickstart, as they are needed by management to have a complete view of all the business control requirements of the enterprise. Figure 4 provides a short summary of these controls; a full list is provided at the end of the baseline.

Figure 4: Overarching Controls and Application Controls

Generic Controls
In addition to the control objectives, each COBIT process has generic control requirements that are identified by generic process controls (PCn). They should be considered together with the process control objectives to have a complete view of control requirements. The generic process controls are:
- PC1 Process Goals and Objectives
- PC2 Process Ownership
- PC3 Process Repeatability
- PC4 Roles and Responsibilities
- PC5 Policy, Plans and Procedures
- PC6 Process Performance Improvement

Application Controls
COBIT also addresses the controls embedded in business process applications, commonly referred to as application controls, to achieve accurate, complete and reliable information for management decision making and reporting. COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Hence, the responsibility for application controls is an end-to-end joint responsibility between business and IT. The recommended application control objectives are:
- AC1 Source Data Preparation and Authorisation
- AC2 Source Data Collection and Entry
- AC3 Accuracy, Completeness and Authenticity Checks
- AC4 Processing Integrity and Validity
- AC5 Output Review, Reconciliation and Error Handling
- AC6 Transaction Authentication and Integrity

WHAT IS THE QUICKSTART APPROACH?

COBIT Quickstart provides a baseline for control over IT in SMEs and other entities where IT is less strategic and not as critical for survival. Quickstart also provides a starting point to quickstart a broader IT governance implementation in a larger environment.

The baseline consists of 32 pages of material providing processes, control objectives, RACI charts and key metrics, presented in an easy-to-read, tabular fashion and in nontechnical language, to encourage rapid adoption and reduce debate and discussion. Because it is a baseline, Quickstart is viewed generally as common sense and acts as a powerful reminder and checklist of those things that ought to be directed and controlled in IT, as a minimum. From a top management perspective, it helps organisations focus scarce resources on the basics, the potentially easier-to-tackle areas, thus providing an efficient tool for initiating IT governance without committing large amounts of resource or significant investments.

The first reflection when considering Quickstart is to decide whether it is suitable for the specific organisation. Quickstart helps the enterprise to make this decision by including tools that enable the organisation to carry out a self-assessment of factors dealing with IT management and complexity. For larger organisations, it should be acknowledged that Quickstart can only be a starting point to move towards a broader IT governance framework.

WHO CAN USE QUICKSTART?

Quickstart is aimed at small and medium-sized organisations. However, it also is suitable for any organisation with an appropriate control environment, which is considered to be one that has:
- A simple command structure
- A short communications path
- A limited span of control
- Not much segregation of responsibilities

In addition, it is suitable for organisations in which:
- The IT environment is not particularly complex
- The IT expenditure is not very significant
- IT is not that strategically important
- The use of IT is not leading-edge

Quickstart can be used in larger organisations, but as a first step towards implementing IT governance using COBIT. Quickstart is useful for all kinds of users in its targeted types of organisations: auditors, managers and implementers of IT governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and easy-to-use approach to get started.

HOW DO I KNOW IF QUICKSTART IS SUITABLE FOR MY ORGANISATION?

COBIT Quickstart provides two tests to assess an enterprise's suitability for implementing control over IT based on the Quickstart set of controls. They are provided with this publication in the form of an electronic tool.

Test 1: Stay in the Blue Zone

The first test (Stay in the Blue Zone), as shown in figure 5, helps the organisation determine whether a Quickstart implementation is appropriate to manage its IT risks or whether it should consider using the full COBIT guidance. If the results from the assessment are mainly contained in the blue zone, the organisation most likely is suited for using COBIT Quickstart. If the results are not in the blue zone, it nevertheless remains management's decision to use the Quickstart approach anyway. However, management should remain conscious of the control assumptions described previously, as certain controls are not retained in Quickstart.

Figure 5: Suitability Assessment (1), "Stay in the Blue Zone"
(Radar chart with one axis per dimension: SCS, SCP, SOC, S, I, E and SEG. Each dimension is rated from 1 to 4 using the scales below.)

Simple Command Structure (SCS)
1. CS is informal and verbal, only short-term and tactical.
2. CS is primarily informal and verbal, somewhat short-term but largely medium-term-oriented, and still primarily tactical.
3. CS is primarily formal and documented, begins looking at the long term but is more medium-term-oriented, somewhat tactical with strategic views emerging.
4. CS is strictly formal and documented, covers short-, medium- and long-term and is strategy-oriented.

Short Communications Path (SCP)
1. HE (head of the entity) knows everyone's IT-related responsibilities.
2. HE knows most people's IT-related responsibilities.
3. HE knows IT-related responsibilities only for key personnel.
4. HE does not know all IT-related responsibilities of key personnel.

Span of Control (SOC)
1. HE directs and monitors everyone's IT-related responsibilities.
2. HE directs and monitors most people's IT-related responsibilities.
3. HE directs and monitors only key personnel's IT-related responsibilities.
4. HE does not direct and monitor all IT-related responsibilities of key personnel.

IT Expenditure (E)
1. IT expenditure is not more than profits and not much different from peers.
2. IT expenditure is different from peers and only marginally increasing every year.
3. IT expenditure is more than profits or significantly different from peers and is showing an annual increasing trend.
4. IT expenditure is significantly more than the entity's profits.

IT Strategic Importance (I)
1. Reliable IT is not critical to the functioning of the enterprise and is not likely to become strategically important.
2. Reliable IT support is critical to the enterprise's current operation, but the application development portfolio is not fundamental to the enterprise's ability to compete.
3. Uninterrupted functioning of IT is not absolutely critical to achieving current objectives, but applications and technology under development will be critical to future competitive success.
4. Reliable IT support is critical to the enterprise's current operation, and applications and technology under development are critical to future competitive success.

IT Sophistication (S)
1. Laggard, well behind in technology adoption, with a simple infrastructure
2. Follower, adopting technology after peers, using more, but still standard, components
3. Leader, adopting technology before peers, customising and integrating solutions
4. Pioneer, early adopter of new emerging technology well ahead of the industry, highly complex environment

Segregation (SEG)
1. Those who monitor have at least two other functions (build, operate or influence).
2. Those who monitor have at most building or operating as other functions. Those who influence also can have building and operating functions.
3. Monitoring is totally segregated, but building and operating can be executed by the same person. Those who influence have at most operating or building as other functions.
4. At most, influencing and monitoring is executed by one person.

The different dimensions of this suitability test are as follows:

Simple command structure
This dimension measures the degree to which authority, rules and control are institutionalised in the organisation. This command structure varies from very informal and verbal to strictly formal and documented. Moreover, the long-term/short-term orientation and the strategic/tactical direction imposed by the command structure are evaluated. The presence of more formal and documented structures and longer-term strategic views suggests that higher levels of control are needed.

Short communication path
The communication path component indicates how many layers are situated between the head of the entity (HE) and the staff. This illustrates how directly, quickly and efficiently the HE can communicate with the staff, and is measured by determining how well the HE knows the staff's IT-related responsibilities. This assumes that the more direct the communication path, the better the IT-related responsibilities are known. The organisation may need to look for control requirements beyond Quickstart if the HE does not know most people's responsibilities.

Span of control
Whilst the previous step assessed the degree to which the HE knows everyone's IT-related responsibilities, this dimension measures the influence the HE has on those responsibilities. This influence is rated by indicating which IT-related responsibilities the HE effectively directs and monitors, varying from directing and monitoring no IT-related responsibilities at all, to directing and monitoring every IT-related responsibility. Not knowing responsibilities of at least key personnel is an indicator that a larger control framework is required.

IT sophistication
The IT sophistication component refers to the profile of the organisation with regard to the adoption of new technologies and the complexity of the IT environment relative to industry and peers. This profile ranges from being a pioneer, adopting new technologies well before industry in a complex environment, to being a laggard, adopting new technologies well behind peers and industry while keeping the infrastructure simple. Taking a technology leadership position and working in a complex environment evoke the possibility of larger risks and wider control requirements.

IT strategic importance
This dimension evaluates how dependent the organisation is on IT to operate and function, and to achieve competitive advantage and success. This dimension is the equivalent of the traditional McFarlan quadrant, which positions organisations based on current and future dependency on IT. From the moment IT is critical to support current operations, additional controls may be needed to manage that criticality.

IT expenditure
The IT expenditure component is closely linked to the IT sophistication and IT strategic importance dimensions, and ranks the organisation based on its IT expenditure relative to profit and compared to peers. Furthermore, the increasing trend of the total IT expenditure is taken into account. If IT expenditure increases yearly, surpasses profits or differs significantly from industry peers, it is prudent to consider stronger controls. Not-for-profit enterprises usually can avoid referring to profits and, instead, judge IT expenditure based on peer expenditures and their own expenditure trends.

Segregation
The segregation dimension checks whether the responsibilities for building, operating and influencing IT solutions and monitoring same are overly concentrated in one person or, instead, are distributed properly over more people. There is insufficient segregation when a single person executes too many of these functions. The fact that management has implemented a certain degree of segregation indicates a level of concern and risk that is more consistent with a larger control framework.

If the results from the assessment are contained mainly in the blue zone, the organisation most likely is suited for using COBIT Quickstart. However, there may still be specific circumstances that create the need to go beyond COBIT Quickstart (i.e., to use the full COBIT or to obtain specific extra material from the full COBIT). This is the case in environments characterised by:
- Open, as opposed to closed, systems (extended enterprise), i.e., connecting with customers and suppliers
- The presence of IT-related regulations, contractual requirements or need to provide outside assurance about IT
- Management awareness of IT issues and questioning whether a minimum baseline is right for the enterprise
- Management belief that a need exists to improve IT skills and capabilities
- A need to define, standardise and document IT processes in a sustainable manner
- Management awareness that technology needs to be used to automate some IT processes to make them more effective and efficient
- A significant degree of IT integration within business processes

These specific situations imply that, even though the organisation may appear to be suited for COBIT Quickstart based on the first suitability test, it should consider looking at the complete set of control objectives from COBIT to address its IT governance and control needs beyond COBIT Quickstart. The opposite argumentation can also be made: if an organisation appears to be not suitable for COBIT Quickstart, it can still decide to use the model as a way to launch an IT governance initiative in the organisation.

Test 2: Watch the Heat
The second test of the suitability tool (Watch the Heat), as shown in figure 6 and also supplied with this publication, can help assess the exception situations described previously. The more the enterprise is in the red zone, the more it needs to consider going beyond COBIT Quickstart.

Figure 6 Suitability Assessment (2) <<Watch the Heat>>
Each statement is rated on a five-point scale: Definitely disagree / Somewhat disagree / Neither agree nor disagree / Somewhat agree / Fully agree.
- The IT infrastructure is an open, as opposed to closed, system (interconnections with customers, suppliers, etc.).
- There are IT-related regulations or contractual requirements applying to the enterprise.
- There is a need to provide outside assurance about IT.
- Enterprise management is aware of IT issues and wonders whether a minimum baseline is sufficient.
- Enterprise management has identified the need for significant formal training relative to IT.
- Some IT practices and procedures have been defined, standardised and documented in a sustainable manner.
- Enterprise management knows that common IT tools would make some processes more effective and efficient.
- The IT expert(s) of the enterprise are needed for developing/improving business processes.

HOW IS COBIT QUICKSTART PRESENTED?
The following pages provide a baseline for management and control over IT in SMEs and other entities where IT is less strategic and not as critical for survival. This baseline can also be used by larger organisations as a first step towards implementing IT governance using COBIT. It is presented in easy-to-read, tabular fashion, addressing 32 IT processes grouped in the four COBIT domains. For each process, there is at least one concrete control objective. For each control objective, information is provided on the RACI chart. Moreover, metrics are defined to measure the outcome of the control objective and the outcome of the process as a whole.

Each control objective also contains a reference to the original detailed control objectives of the full COBIT 4.1 from which they are derived. This can help the user access the full COBIT material when extending and customising the COBIT Quickstart framework for a specific organisation. The charts also provide an implementation status scale from 0 to 7 for each control objective. On this scale, the user can indicate where the enterprise is for a certain control objective (as-is position) and where it would like to be (to-be position). After analysing the gaps between these two positions, projects can be defined and initiated to close the gaps. An example is provided in figure 7.

Figure 7 COBIT Quickstart Layout
(Figure: sample process table for AI6 Manage changes, showing the Processes and Good Practices layout; the column headings were lost in extraction.)

The COBIT Quickstart baseline, with its control objectives provided on the following pages, is presented in the tabular form illustrated in figure 7 and contains:
- High-level description of the process
- COBIT Quickstart management practices applicable after the suitability tests, organised by domain (PO, AI, DS and ME) and processes
- Reference to the full COBIT objectives used to construct the objective and the number of COBIT objectives in that process
- Potential self-assessment approach. Another option is to use traditional maturity levels: 0 Ad Hoc, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed and 5 Optimised.
- RACI chart for each of the management practices. For some typical roles in the organisation (executive committee, head of IT, head IT operations, head IT development and business managers), it is defined whether that role should be responsible, accountable, consulted or informed in the context of that specific control objective. The predefined roles should not be seen as full-time equivalents. Some of these roles can be combined in reality and fulfilled by the same person.
- Most important applicable metrics. These metrics are defined at two levels. For each individual management practice, some key outcome metrics are defined to measure the outcome of that objective (as defined in the COBIT Quickstart column). Next, outcome metrics are defined at the level of a complete process (corresponding to the high-level description of the process indicated in the COBIT Quickstart column).

HOW IS COBIT QUICKSTART IMPLEMENTED?
Although COBIT Quickstart can be used in a variety of ways, dependent upon the issues to be addressed, the structured process in figure 8 addresses the needs of a full implementation of an IT governance improvement programme.

Figure 8 COBIT Quickstart Implementation

Process step 1. Assess suitability.
Process description: Apply the suitability assessment tool provided in COBIT Quickstart to determine if the organisation is a suitable candidate for the use of the approach. The outcome will indicate whether the programme can be used as is or as supplemented with some of the more detailed components of the full COBIT, or the full COBIT should be applied from the outset.
Deliverable: Decision on use of COBIT Quickstart

Process step 2. Evaluate current state.
Process description: Use the baseline charts to define the organisation's as-is position. Typical activities in this step involve basic data gathering, interviewing of key staff responsible for these processes, and review of performance results or audit reports. Alternatively, a working team of knowledgeable staff can be assembled to work with a facilitator to fast-track the process.
Deliverable: As-is process positions

Process step 3. Determine target state.
Process description: Consider the organisation's operating environment and plot its to-be position on the process tables. Typical considerations include:
- Nature of the industry
- Legal and regulatory requirements
- Sensitivity of information handled
- Technology dependency and goals
It is important that this positioning be developed by the organisation's management and owners, if possible, but at least approved by them.
Deliverable: To-be process positions

Process step 4. Analyse gaps.
Process description: Examine the control practices associated with each process gap (difference between the as-is and to-be positions) to determine the nature and magnitude of improvements required.
Deliverable: Change definitions

Process step 5. Define improvement projects.
Process description: Group the individual process change requirements logically into improvement projects that enable the organisation to make effective progress in manageable stages.
Deliverable: Improvement projects

Process step 6. Develop an integrated governance implementation programme.
Process description: Organise, prioritise and sequence the improvement projects into an integrated programme plan taking into account the organisation's immediate needs, project interdependencies and resource availability.
Deliverable: Integrated programme plan

MIGRATION STRATEGIES TO MOVE FROM QUICKSTART TO FULL COBIT
COBIT Quickstart provides a baseline for control over IT and/or a starting point to a broader IT governance implementation. Any organisation applying COBIT Quickstart can start building on this baseline but should also always analyse how organisation-specific business goals drive IT goals which, in turn, drive IT process goals. This analysis is required to identify potential extensions to the baseline as required by the organisation's business and IT governance objectives. Two approaches are suggested to move towards a more extended implementation of COBIT once COBIT Quickstart has been implemented:

1. Leverage the cross-references. COBIT Quickstart provides a complete overview of cross-references to the full COBIT. If weaknesses are defined in specific areas, these cross-references can provide guidance to a more extended list of control objectives in specific domains. Based on the organisation's risk and value drivers, extra control objectives can be selected for which as-is and to-be situations can be analysed and translated into improvement programmes.

2. Plan a full IT governance implementation. Follow the guidance provided in the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition to initiate and plan an IT governance implementation programme. A road map with suggested activities and tasks is provided.


COBIT QUICKSTART BASELINE

Processes and Good Practices

PO1 Define a strategic IT plan.
Control objective: Ensure that IT strategy is aligned with and supports the overall business strategy.
Management practices:
1. Define the necessary IT contribution to the achievement of the enterprise's strategic objectives, related cost and performance objectives, and assess how IT can create business opportunities in a strategic IT plan.
2. Translate the strategic IT plan into short-term IT operations, projects and objectives. Assess the tactical performance objectives in terms of availability, functionality, current total cost of ownership and return on investment.
Full COBIT references: practice 1: PO1.4; practice 2: PO1.2, PO1.3, PO1.5, PO1.6
RACI chart (role columns lost in extraction): practice 1: A R C; practice 2: A R C C I
Metrics:
- IT-related cost and performance objectives in the strategic IT plan that support the strategic business plan
- Existence of an approved strategic IT plan
- Percent of strategic/tactical IT plan meetings where business representatives have actively participated
- Delay between updates of the strategic IT plan and updates of tactical IT plans

PO2 Define the information architecture.
Control objective: Establish an enterprise data model that incorporates a data classification scheme to ensure the integrity and consistency of all data.
Management practices:
3. Create and maintain one list; identify and describe the major data elements for the enterprise and their syntax rules, and consider who can access and modify them.
4. Define and implement measures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
Full COBIT references: PO2.2, PO2.3, PO2.4
RACI chart (role columns lost in extraction): practice 3: R C A; practice 4: A R C
Metrics:
- Frequency of updates to the enterprise data model
- Percent of data elements that do not have an owner
- The existence of an approved data model
- Percent of redundant/duplicate data elements
- Percent of non-compliance with the data classification scheme

PO3 Determine technological direction.
Control objective: Verify that the technology plans are adequate to accommodate likely changes in technology and business direction.
Management practices:
5. Be aware of continuing support for current systems for their expected life span. Compare actual value for money against potential value for money of more recent but proven technology.
Full COBIT references: PO3.1, PO3.3
RACI chart (role columns lost in extraction): practice 5: A R R
Metrics:
- Frequency of the technology infrastructure plan review/update
- The existence of an approved and updated technology infrastructure plan

PO4 Define the IT processes, organisation and relationships.
Control objective: Establish transparent, flexible and responsive IT organisational structures and define and implement IT processes with owners, roles and responsibilities integrated into business processes.
Management practices:
6. Assign IT-related roles and responsibilities clearly, with proper authority and reasonable expectations, and communicate them to all; pay attention to responsibilities in the area of security and quality.
7. Regularly review that IT-related roles and responsibilities are understood and exercised properly. Assess that people have the resources to exercise these responsibilities, and be aware that concentrated roles and responsibilities can be misused.
8. Define where outside contracting and/or outsourcing can be applied and how they are to be controlled.
Full COBIT references: PO4.6, PO4.7, PO4.8, PO4.10, PO4.11, PO4.14, PO4.15
RACI chart (role columns lost in extraction): practice 6: A R R; practice 7: A/R C C; practice 8: A/R C C
Metrics:
- Percent of roles with documented position and authority descriptions
- Number of conflicting responsibilities in the view of segregation of duties
- Number of delayed business initiatives due to organisational inertia or unavailability of necessary capabilities
- Percent of stakeholders satisfied with IT responsiveness
- Number of escalations or unresolved issues leading to the outsourcing of IT activities

PO5 Manage the IT investment.
Control objective: Make effective and efficient IT investment and portfolio decisions, and set and track IT budgets in line with IT strategy and investment decisions.
Management practices:
9. Plan and manage IT expenditures within an annual budget, reflecting the enterprise's priorities, and track expenditures against expected benefits.
Full COBIT references: PO5.3, PO5.4, DS6.3
RACI chart (role columns lost in extraction): practice 9: A/R C C
Metrics:
- Percent of IT projects with the benefit defined up front
- Percent of IT projects with a post-project review
- Percent of IT investments exceeding or meeting the predefined business benefit

PO6 Communicate management aims and direction.
Control objective: Appropriately define and promulgate management aims and directions with respect to IT.
Management practices:
10. Make decisions, communicate consistently and discuss regularly the basic rules of IT use, acceptable and reasonable behaviour, and operating principles of IT.
11. Encourage responsiveness in IT staff relative to applicable external requirements, IT risks, the protection of IT resources, the integrity of systems and intellectual property rights of own software and enterprise data. Establish some simple dos and don'ts.
Full COBIT references: practice 10: PO6.3, PO6.4, PO6.5; practice 11: PO6.2, PO6.3, PO6.4, PO6.5
RACI chart (role columns lost in extraction): practice 10: I A/R C C I; practice 11: I A/R C C I
Metrics:
- Percentage of stakeholders who understand the IT control framework
- Percentage of stakeholders who are non-compliant with the policy
- Timeliness and frequency of communication to stakeholders
- Level of understanding of IT costs, benefits, strategy, policies and service levels


More information

IT CONTROL OBJECTIVES

IT CONTROL OBJECTIVES IT CONTROL OBJECTIVES FOR SARBANES-OXLEY, 2 ND EDITION THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER FINANCIAL REPORTING AND DISCLOSURE EXPOSURE DRAFT 30

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Introduction to ISACA and ITGI By Georges Ataya, International Vice President, ISACA

Introduction to ISACA and ITGI By Georges Ataya, International Vice President, ISACA Quality and security in application development Round Table Meeting/Discussion Group Wednesday 23rd May 2007 Introduction to ISACA and ITGI By Georges Ataya, International Vice President, ISACA 1 The International

More information

Critical Elements of Information Security Program Success

Critical Elements of Information Security Program Success Critical Elements of Information Security Program Success Information Systems Audit and Control Association With more than 50,000 members in more than 140 countries, the Information Systems Audit and Control

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT

More information

Aligning IT with Business Needs (Why Right-sourcing works)

Aligning IT with Business Needs (Why Right-sourcing works) Aligning IT with Business Needs (Why Right-sourcing works) Mike Ryan Aligning IT with Business Needs (Why Right-sourcing works) Mike Ryan Challanges running IT Keeping IT Running Value Costs Mastering

More information

White Paper. Enterprise Information Governance. Date Released: September 2014. Author/s: Astral Consulting. www.astral.com.au.

White Paper. Enterprise Information Governance. Date Released: September 2014. Author/s: Astral Consulting. www.astral.com.au. White Paper Enterprise Information Governance Date Released: September 2014 Author/s: Astral Consulting Disclaimer This White Paper is published for general information purposes only. Nothing in the White

More information

Information Management Advice 39 Developing an Information Asset Register

Information Management Advice 39 Developing an Information Asset Register Information Management Advice 39 Developing an Information Asset Register Introduction The amount of information agencies create is continually increasing, and whether your agency is large or small, if

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

A PASSION FOR QUALITY A QUEST FOR PERFECTION

A PASSION FOR QUALITY A QUEST FOR PERFECTION A PASSION FOR QUALITY A QUEST FOR PERFECTION Bespoke maintainable software, carefully designed, and artistically implemented WE SOFTWARE DEVELOPMENT www.geeks.ltd.uk all of these clients wanted... PERFORMANCE

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

Enabling Information PREVIEW VERSION

Enabling Information PREVIEW VERSION Enabling Information These following pages provide a preview of the information contained in COBIT 5: Enabling Information. The main benefit of this publication is that it provides COBIT 5 users with a

More information

D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV

D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV September 2013 Contents 1 Service Overview 1 2 Detailed Service Description 4 3 Commercials 8 4 Our

More information

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world. COBIT 5 Design Paper Exposure Draft ISACA With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy

More information

What are the critical factors that measure the success of capital projects?

What are the critical factors that measure the success of capital projects? November 2002 Software Project Risk Management, Success and Training An interview with Max Wideman, first published in Projects & Profits, November 2002 issue (p59). Projects & Profits is a Monthly Digest

More information

THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING

THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING IT CONTROL OBJECTIVES FOR SARBANES-OXLEY THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING IT CONTROL OBJECTIVES FOR SARBANES-OXLEY

More information

Enterprise Security Architecture

Enterprise Security Architecture Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture

More information

Finance Effectiveness Efficiency

Finance Effectiveness Efficiency Business Unit Finance Effectiveness Efficiency An overview Agenda Page 1 Efficiency - An overview 1 2 Our services 7 3 Case study 14 Section 1 Efficiency - An overview 1 Section 1 Efficiency - An overview

More information

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6

More information

Practical perspectives in advancing data governance to create improved data quality frameworks

Practical perspectives in advancing data governance to create improved data quality frameworks Practical perspectives in advancing data governance to create improved data quality frameworks Presented by: Micheal Axelsen Director Applied Insight Pty Ltd INTRODUCTION About this presentation Purpose

More information

Cloud Readiness Workshop

Cloud Readiness Workshop Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping costs down. In addition, for many

More information

Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia

Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia MARIO SPREMIĆ, Ph.D., CGEIT, Full Professor Faculty of Economics and Business Zagreb, University of Zagreb

More information

www.hcltech.com ANALYTICS STRATEGIES FOR INSURANCE

www.hcltech.com ANALYTICS STRATEGIES FOR INSURANCE www.hcltech.com ANALYTICS STRATEGIES FOR INSURANCE WHITEPAPER July 2015 ABOUT THE AUTHOR Peter Melville Insurance Domain Lead Europe, HCL He has twenty five years of experience in the insurance industry

More information

UoD IT Job Description

UoD IT Job Description UoD IT Job Description Role: Projects Portfolio Manager HERA Grade: 8 Responsible to: Director of IT Accountable for: Day to day leadership of team members and assigned workload Key Relationships: Management

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one

More information

Information Management

Information Management G i Information Management Information Management Planning March 2005 Produced by Information Management Branch Open Government Service Alberta 3 rd Floor, Commerce Place 10155 102 Street Edmonton, Alberta,

More information

EXPLORING THE CAVERN OF DATA GOVERNANCE

EXPLORING THE CAVERN OF DATA GOVERNANCE EXPLORING THE CAVERN OF DATA GOVERNANCE AUGUST 2013 Darren Dadley Business Intelligence, Program Director Planning and Information Office SIBI Overview SIBI Program Methodology 2 Definitions: & Governance

More information

P3M3 Portfolio Management Self-Assessment

P3M3 Portfolio Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction

More information

COBIT 5 Introduction. 28 February 2012

COBIT 5 Introduction. 28 February 2012 COBIT 5 Introduction 28 February 2012 COBIT 5 Executive Summary 2012 ISACA. All rights reserved. 2 Information! Information is a key resource for all enterprises. Information is created, used, retained,

More information

Essentials to Building a Winning Business Case for Tax Technology

Essentials to Building a Winning Business Case for Tax Technology Essentials to Building a Winning Business Case for Tax Technology The complexity of the tax function continues to evolve beyond manual and time-consuming processes. Technology has been essential in managing

More information

ITAG RESEARCH INSTITUTE

ITAG RESEARCH INSTITUTE ITAG RESEARCH INSTITUTE Using CobiT and the Balanced Scorecard as Instruments for Service Level Management Wim Van Grembergen, University of Antwerp (UA), University of Antwerp Management School (UAMS)

More information

Cloud Readiness Consulting Services

Cloud Readiness Consulting Services Cloud Readiness Consulting Services Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping

More information

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo IT Governance and Control: An Analysis of CobIT 4.1 Prepared by: Mark Longo December 15, 2008 Table of Contents Introduction Page 3 Project Scope Page 3 IT Governance.Page 3 CobIT Framework..Page 4 General

More information

PROCESSING & MANAGEMENT OF INBOUND TRANSACTIONAL CONTENT

PROCESSING & MANAGEMENT OF INBOUND TRANSACTIONAL CONTENT PROCESSING & MANAGEMENT OF INBOUND TRANSACTIONAL CONTENT IN THE GLOBAL ENTERPRISE A BancTec White Paper SUMMARY Reducing the cost of processing transactions, while meeting clients expectations, protecting

More information

Transforming risk management into a competitive advantage kpmg.com

Transforming risk management into a competitive advantage kpmg.com INSURANCE RISK MANAGEMENT ADVISORY SOLUTIONS Transforming risk management into a competitive advantage kpmg.com 2 Transforming risk management into a competitive advantage Assessing risk. Building value.

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

ITIL AND COBIT EXPLAINED

ITIL AND COBIT EXPLAINED ITIL AND COBIT EXPLAINED 1 AGENDA Overview of Frameworks Similarities and Differences Details on COBIT Framework (based on version 4.1) Details on ITIL Framework, focused mainly on version.2. Comparison

More information

CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask AN ISACA CLOUD VISION SERIES WHITE PAPER

CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask AN ISACA CLOUD VISION SERIES WHITE PAPER AN ISACA CLOUD VISION SERIES WHITE PAPER CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask Cloud computing is gaining momentum. As cloud offerings gain maturity, cloud service providers are becoming

More information

Using QUalysgUard to Meet sox CoMplianCe & it Control objectives

Using QUalysgUard to Meet sox CoMplianCe & it Control objectives WHITE PAPER Using QualysGuard to Meet SOX Compliance & IT Objectives Using QualysGuard To Meet SOX Compliance and IT Objectives page 2 CobIT 4.0 is a significant improvement on the third release, making

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

This article describes how these seven enablers have contributed towards better information security management at HDFC Bank.

This article describes how these seven enablers have contributed towards better information security management at HDFC Bank. Information Security Management at HDFC Bank: Contribution of Seven Enablers By Vishal Salvi, CISM, and Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CBCP, CISSP, CSSLP HDFC Bank was incorporated in August

More information

The PMO as a Project Management Integrator, Innovator and Interventionist

The PMO as a Project Management Integrator, Innovator and Interventionist Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter

More information

The Asset Management Landscape

The Asset Management Landscape The Asset Management Landscape ISBN 978-0-9871799-1-3 Issued November 2011 www.gfmam.org The Asset Management Landscape www.gfmam.org ISBN 978-0-9871799-1-3 Published November 2011 This version replaces

More information

Contents. 2. Why use a Project Management methodology?

Contents. 2. Why use a Project Management methodology? Case Study Ericsson Services Ireland The APM Group Limited 7-8 Queen Square High Wycombe Buckinghamshire HP11 2BP Tel: + 44 (0) 1494 452450 Fax + 44 (0) 1494 459559 http://www.apmgroup.co.uk/ Q:\Users\Marie

More information

Request for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll

Request for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll Request for Proposal Supporting Document 3 of 4 Contract and Relationship December 2007 Table of Contents 1 Introduction 3 2 Governance 4 2.1 Education Governance Board 4 2.2 Education Capability Board

More information

IT Governance Charter

IT Governance Charter Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms

More information

Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com

Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com COBIT 5 All together now! Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com 1 Copyright Notice COBIT is 1996, 1998, 2000, 2005 2012 ISACA and IT Governance Institute.

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT ISACA Releases COBIT 5: Updated Framework for the Governance and Management of IT May 18, 2012 In April, ISACA released COBIT 5 as a replacement for its current globally

More information

IS AUDITING PROCEDURE CONTROL RISK SELF-ASSESSMENT (CRSA) DOCUMENT P5

IS AUDITING PROCEDURE CONTROL RISK SELF-ASSESSMENT (CRSA) DOCUMENT P5 IS AUDITING PROCEDURE CONTROL RISK SELF-ASSESSMENT (CRSA) DOCUMENT P5 Introduction The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards

More information

Benefits of conducting a Project Management Maturity Assessment with PM Academy:

Benefits of conducting a Project Management Maturity Assessment with PM Academy: PROJECT MANAGEMENT MATURITY ASSESSMENT At PM Academy we believe that assessing the maturity of your project is the first step in improving the infrastructure surrounding project management in your organisation.

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Digital Continuity Plan

Digital Continuity Plan Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach

More information

ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting

ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting Date November 2011 Company UXC Consulting Version Version 1.5 Contact info@uxcconsulting.com.au http://www.uxcconsulting.com.au This summary

More information