OLG CobiT Deployment. IT Business Process Improvement

Transcription

1 OLG CobiT Deployment IT Business Process Improvement

2 Goal & Agenda Goal: To share information about the implementation of the CobiT Controls for IT Governance at Ontario Lottery & Gaming (OLG). Agenda: About OLG About OLG IT Why CobiT & Continuous Improvement Program CobiT Program History Prioritizing key CobiT Controls Project Initiation focal points Deployment & Assessment Strategy & Methodologies Assessment Output Tools More Lessons Learned

3 About OLG Entertainment Businesses: OLG Lotteries OLG Bingo OLG Casinos Resort Casinos OLG Slots In the Community: In business for over 32 years OLG provide jobs to more than 20,000 Ontarians Supports countless businesses Community Investments Ontario Trillium Foundation (Over the past thirty years): OLG has generated more than $28 billion to support Ontario's health care, physical fitness, sport, recreation and cultural activities. Contribution To the Province 1.8 Billion Corporate Responsibility 53 Million Support For Local Communities 1.8 Billion In addition, OLG awarded over $1.6 billion in prizes last year to our players.

4 About OLG IT Clients: Lottery Technology: Terminals at over 9,000 retailers across Ontario Peak Transactions - 2 million per hour. Bingo Gaming 4 OLG Operated Electronic Bingo Centers in Ontario 22 OLG Big Link Bingo participating Bingo Locations 22 Charity Casinos and Racetracks 12,500 slot machines Shared Services (Across all Clients) 30 Locations 2 Data Centers 24x7 Operations PCs, Network Devices 425+ Servers Infrastructure Delivery Services (Operations) Planning & Project Office Lottery & Bingo Technology Gaming Technology Architecture & Emerging Technologies Corporate Services Technology IT & Business Process Improvement Information Technology

5 Why CobiT Do any of these conditions sound familiar? IT managers operating like fire-fighters Why do we have so many changes, incidents & problems? Why are Service Levels not defined? Fragmented IT infrastructures Growing complexity of IT environments Communication gap between business and IT managers Impaired organisational flexibility and nimbleness to change Increasing pressure to leverage technology in business strategies Marginal ROI/productivity gains on technology investments User frustration leading to ad hoc solutions How can we know when we are in control? The need for an IT Management Control Framework

6 The Program CobiT is another Process Improvement Program Enabler Performance Metrics BPM CobiT Continuous Process Improvement/ Optimize Processes ITIL/ITSM Six Sigma Charter/Business Case Process Optimization Strategic Objective (From the IT Strategic Plan) Control which activities/measures to focus on to keep on top IT Risk Mitigation Strategy Regulatory/Compliance Strategy IT Value Enabler leaning out the organization, eliminating waste & efficiency gains through automation & repeatability CobiT has a very comprehensive listing of IT Processes 4 Domains 34 Processes

7 OLG CobiT Program History & Milestones Phase 1(Q1 2008) - CobiT Education & Discovery Problem Statement Workshop (Identify the needs) CobiT Awareness Education (Vendor Assisted) CobiT High Level Assessments (Vendor Assisted) Formal CobiT Training for key Program Resources Phase 2 (2008) - CobiT Detailed Assessments & Deployment Prioritized Top 10 Processes Detailed Assessment of Top 5 (Incident (DS8), Problem (DS10), Change (AI6), Project (PO10), SLM (DS1) Business Cases and Project Plan development (March/April 2008) Execute Improvements (May December 2008) Phase 3 (2009) - CobiT Detailed Assessments & Deployment: Repeat Above for next 5 (Release Management (AI7), IT Risk (PO9), Security (DS5), Vendor Management (DS2), Information Architecture (PO2).

8 Prioritizing key CobiT Controls High-level (CobiT) Controls Evaluation Vendor Supplied & facilitated Drivers Analysis : (scoring) Demand (Who Cares) - business drivers Consequence (So What) - severity of concern (IT Perspective) Mitigation (Now What) how much maturity improvement is needed Evaluate all 34 and generate a report of prioritized control objectives/processes from multiple perspectives Internal Drivers to Consider Strategic IT Plans Do you have Optimize Processes as an objective? IT & or Enterprise Risk Management Assessments IT Audit Plans Business Feedback what s not working well - service wise Senior Management Rationale (gut feel or otherwise) Any past Technology Roadmap assessments (e.g. ITSM Plans) CobiT Quick Start Existing Best Practice Processes implemented

9 Project Initiation Accountability, Roles & Responsibilities: Process Champion Process Owners Process Managers Process Users Effort estimates/duration (% Availability of SME s) Active engagement of Process Teams (Owner, Manager & SMEs) Get commitment acknowledgement or whatever

10 Assessment Methodology Six Sigma CobiT Implementation Roadmap Multiple assessments vs one at time? Consider the options. Assessment Participants (How many is enough?) Bronze/Silver/Gold Assessments (1 mo./2 mo./3 mo.) Tools Assessment Strategy External vendor vs. internally driven, or a combination with knowledge transfer

11 The CobiT Implementation Strategy

12 OLG CobiT Deployment Methodology Complete process documentation Defined Roles & Responsibilities Implement control metrics Execute process eassessment Establish baseline maturity 5 Control 1* Assess Complete project planning Implement recommendations 4 Improve High level (CobiT) Process 2* Identify Control Gap analysis Establish desired maturity Control Recommendations 3* Prioritize Prioritize Control Recommendations Start initiative/project planning *Steps 1, 2 & 3 are part of the Assessments. Steps 4 & 5 represent execution of Initiatives/Projects

13 CobiT Assessment Design Methodology Maturity Attribute Analysis Technique People questions Process questions Technology questions Awareness and Communication PC2 Process Ownership PC4 Roles and Responsibilities Skills Capability AI7.1 Training AI7.2Test Plan AI7.3 Implementation Plan AI7.4 Test Environment AI7.5 System and Data Conversion AI7.6 Testing of Changes AI7.7 Final Acceptance Test AI7.8 Production Implementation AI7.9 Post Implementation Review PC1 Process Goals and Objectives PC3 Process Repeatability PC5 Policy, Plans and Procedures PC6 Process Performance Improvement Tools and Automation Online Questionnaire (electronic Assessment Tool) Structured Results Analysis: 1. Baseline maturity of control, based on assessment responses 2. Findings & gaps derived from assessment-taker responses & comments Maturity & Control Improvement Recommendations

14 Assessment Output Process: PO9 Assess & Manage Risks Current Maturity: 2.7 Normalized Maturity: 3.5 Process Goals: Under controlled Control Objectives: Monitor Closely: Priority Recommendation (See Section 4) Related Findings Steps / Actions for Recommendation Specfic CobiT PO9 Control Objectives: Risk of not doing Audit Finding CobiT Generic Process Control: 8 Risk Management Process Training Enhancements Value Drivers: Increased staff awareness of what to do and why Decreasing number of incidents from policy violations Policies and associated procedures remaining current and effective Develop Training Plan: Identify different Types of Training: e.g. Process Training for Process Users; Formal Risk Management Training for Process Team from a Training Vendor. Identify Key Risk Assessment/Monitoring Resources/Sources: Develop Training Content for internal Training (e.g. Process Users; Stakeholders; Business Stakeholders) Execute the Training Plan (Execute in Year 2 of a 3 Year Improvement Plan) N/A Staff members not knowing how to perform critical tasks Policy violations Loss of key organizational knowledge when key resources with the skill and process knowledge leave or are moved to other roles. N/A N/A N/A PC 3 Process Repeatability PC 5 Poliicy, Plans and Procedures 4 Measure Success of Training N/A PC6 Process Performance Improvement

15 More Lessons Learned & Considerations Culture - reactionary/firefighting organization vs service oriented/measurement driven: May need a strong component of organizational change management in your project/program Strong presence from Process Champions & Owners Strong project leadership and facilitation Establish quick wins & publish Process is bureaucracy Dispel this notion that process is an added complication: process = must do job responsibilities Program Success Indicators Process Team buy-in to recommendations Track improvements and report status up the chain Process KPI s should be implemented and reported and if possible attribute/report the improvements over time Process Improvement Program Team doing all the work Enable the functional areas (Process Owner & Manager) to do their own assessments & improvements Doing the same work as Audit does?

16 Improvements from CobiT Improved focus on Best Practices to get the right practices Better measurement know how Improved process integration Improved ability to show business importance of processes Overall control improvements Overall IT & Enterprise risk mitigation improvement Better understanding of the Audit angle Broader scope of process coverage 34 IT Process areas.

17 Tools & Resources ISACA Membership + Full Subscription ($250+ CAD) CobiT Executive Summary CobiT 4.1 Framework & Management Guidelines CobiT Quick Start CobiT Online (excellent web based CobiT Knowledge Base) CobiT Implementation Guide Prioritizing CobiT Controls: (References) ISACA IT Risk Practitioner Guide Toolkit CobiT Controls to Mitigate IT Risk Use with your own internal IT Risk references Industry Benchmarks? CobiT Online has a module for this. CobiT & Process Maturity Assessments/Improvements/Reporting Risk Resolver - (Multi functional, Tracks Improvement Progress; Complex to use; Costly) ITOptimizer - (Process Design & electronic Assessment Questionnaires & reporting; Well priced) Meycor - (extensive KPI database & dashboard Reporting Capability; Costly) Others (Not well developed)

18 Appendices

19 CobiT Content Explained Executive Summary: There is a method... Framework: The method is... Control Objectives: Minimum controls are... Audit Guidelines: Here is how you audit... Implementation Tool Set: Here is how you implement Management Guidelines: Here is how you measure Maturity Models: Here is how you compare...

20 CobiT Content Diagram How does the board exercise it s Responsibilities? Board Briefing On IT Governance 2 nd Edition Executives & Boards How do we measure Performance? How do we compare to others? And how do we improve over time? Mgmt. Guidelines Maturity Models Business & Technology Management What is the IT governance framework? How do we implement in the enterprise? How do we assess the IT governance framework? Governance, Assurance, Control & Security Professionals CobiT and Val IT Frameworks Control Objectives Key Management Practices IT Governance Implementation Guide 2 nd Edition CobiT Control Practices 2 nd edition IT Assurance Guide Source: CobiT v4.1 Figure 3 page 7

21 CobiT Framework Document Structure Appendices I: Map Business & IT Goals II: Map Processes COSO, Focus Areas, Resources & Information III: Maturity Model For Internal Control IV:CobiT Primary Reference Material V: CobiT 3 rd Versus 4 th Edition VI: Approach To R & D Glossary Of Terms Executive Summary CobiT Framework 34 Processes IT Assurance Guide High Level Control Objective (Section 1) Detailed Control Objectives (Section 2) Management Guidelines (Section 3) Maturity Models (Section 4) Description & Mappings Key Goals & Measures Control Practices Inputs, Outputs, RACI, Goals, KGIs & KPIs Process Specific

22 CobiT Process Model Control Objectives Key Goal Indicators (KGIs) IT IT Resource Inputs Process Outputs Information Criteria Control Practices Key Performance Indicators (KPIs) Maturity Model

23 Generic Process Controls (PCn) PC1 Process Owner PC2 Repeatability PC3 Goals & Objectives PC4 Roles & Responsibilities PC5 Process Performance PC6 Policy, Plans & Procedures

24 CobiT Generic Capability Maturity Attribute Table CMM Level Awareness and Communication Policies, Plans and Procedures Tools and Automation Skills and Expertise Responsibility and Accountability Goal Setting and Measurement 1 Recognition of the need for the process is emerging. There is sporadic communication of the issues. There are ad hoc approaches to processes and practices. The process and policies are undefined. Some tools may exist; usage is based on standard desktop tools. There is no planned approach to the tool usage. Skills required for the process are not identified. A training plan does not exist and no formal training occurs. There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative on reactive basis. Goals are not clear and no measurement takes place. 2 There is awareness of the need to act. Management communicates the overall issues. Similar and common processes emerge, but are largely intuitive because of individual expertise. Some aspects of the process are repeatable because of individual expertise, and some documentation and informal understanding of policy and procedures may exist. Common approaches to the use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired, but are probably not applied correctly, and may even be shelf ware. Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed plan, and informal training on the job occurs. An individual assumes his/her responsibility and usually held accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur, and a culture of blame tends to exist. Some goal setting occurs; some financial measures are established but are known only by senior management. There is inconsistent monitoring in isolated areas. 3 There is understanding of the need to act. Management is more formal and structured in its communication. Usage of good practices emerges. The process, policies and procedures are defined and documented for all key activities. A plan has been defined for use and standardization of tools to automate the process. Tools are being used for their basic purposes, but may not all be in accordance with the agreed plan, and may not be integrated with one another. Skill requirements are defined and documented for all areas. A formal training plan has been developed, but formal training is still based on individual initiatives. Process responsibility and accountability are defined and process owners have been identified. The process owner is unlikely to have the full authority to exercise the responsibilities. Some effectiveness goals and measures are set, but are not communicated, and there is clear link to business goals. Measurement processes emerge, but are not consistently applied. IT balanced scorecard (OLG Pillars & Objectives) ideas are being adopted, as occasional intuitive application of root cause analysis.

25 CobiT Generic Capability Maturity Attribute Table CMM Level Awareness and Communication Policies, Plans and Procedures Tools and Automation Skills and Expertise Responsibility and Accountability Goal Setting and Measurement 4 There is understanding of the full requirements. Mature communication techniques are applied and standard communication tools are in use. The process is sound and complete; internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off on by management. Standards for developing and maintaining the processes and procedures are adopted and followed. Tools are implemented according to a standardized plan, and some have been integrated with other related tools. Tools are being used in main areas to automate management of the process and monitor critical activities and controls. Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged. Mature training techniques are applied according to the training plan, and knowledge sharing is encouraged. All internal domain experts are involved, and the effectiveness of the training plan is assessed. Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge his/her responsibilities. A reward culture is in place that motivates positive action. Efficiency and effectiveness are measured and communicated and linked to business goals and the IT strategic plan. The IT balanced scorecard (OLG Pillars & Objectives) is implemented in some areas with exceptions noted by management and root cause analysis is being standardized. Continuous improvement is emerging. 5 There is advanced, forwardlooking understanding of requirements. Proactive communication of issues based on trends exists, mature communication techniques are applied, and integrated communication tools are in use. External best practices and standards are applied. Process documentation is evolved to automated workflows. Processes, policies and procedures are standardized and integrated to enable end-to-end management and improvement. Standardized tool sets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support of the processes. Tools are being used to support improvement of the process and automatically detect control exceptions. The organization formally encourages continuous improvement of skills, based on clearly defined personal and organizational goals. Training and education support external best practices and use of leading-edge concepts and techniques. Knowledge sharing is an enterprise culture, and knowledge-based systems are being deployed. External experts and industry leaders are used for guidance. Process owners are empowered to make decisions and take action. The acceptance of responsibility has been cascaded down throughout the organization in a consistent fashion. There is an integrated performance measurement system linking IT performance to business goals by global application of the IT balanced scorecard. Exceptions are globally and consistently noted by management and root cause analysis is applied. Continuous improvement is a way of life.