executive white paper


EXECUTIVE WHITE PAPER

Governing IT to Maximise Value
IT Governance for Compliance, Risk Management and Cost Reduction

Contents
- Introduction
- APM Technology
- Governance
- Compliance
- Risk Management
- Case Study
- Conclusion
- Next Steps

Introduction

With a constant need to maintain and advance market position, today's corporations continue to invest significant resources in the development of intangible assets such as their intellectual capital, operational information and the technical capabilities to process and exploit them. Software applications remain the most costly and longest lived of all these intangible assets, as once deployed they quickly become integral components in business-critical processes.

When you consider that overall IT investment is estimated to consume more than 50% of annual capital investment and represents more than 30% of an organisation's cost base [1], it is inevitable that there will be a strong focus on overseeing and monitoring the IT operation. With up to 76% [2] of IT budgets currently being used simply to maintain the current estate, it is particularly crucial to ensure the efficient use of all resources and to reduce operational costs where practical.

The challenge for many boards is that while they understand the business value delivered by the IT organisation, they lack the means to gain a clear understanding of the IT operation. An effective IT governance framework closes this gap. It helps to manage the risks associated with IT's intensive investment and high impact profile, as demanded by today's stringent corporate governance requirements. Closely associated with governance are the areas of risk and compliance, and it is generally recognised that effective governance can only be achieved if these are managed together in a mutual and concerted manner. A combined approach to GRC (governance, risk and compliance) will deliver a more effective IT governance framework, helping organisations identify and mitigate potential risks, become more efficient, and ensure the overall value of the portfolio is maximized.

Application Portfolio Management (APM) is a technology-based process that can deliver the necessary insight into the application environment to drive this level of IT governance. With the associated technology, organisations can value their applications and assess them down to code level to understand the system parameters and inter-dependencies that directly impact compliance efforts. This paper covers all three aspects of the GRC agenda and how APM can be used to directly address them.

Gartner provides the following description of APM: "properly executed, it enables the continuous evolution of the application inventory in the desired business and architectural directions, while providing the desired or contracted level of service support for the least investment and risk during an extended period" [3].

APM Technology

Before examining the specific aspects of GRC in greater detail and how they can be effectively addressed by APM technology, a summary of typical APM technology capabilities is provided in figure 1. This is based upon Enterprise View, an APM technology solution from Micro Focus. While specific GCRM (Governance, Compliance and Risk Management) technology solutions have arrived in the marketplace, APM is generating considerable interest because it enables the governance process to be interlinked with day-to-day management objectives.

A core aspect of APM functionality is the ability to automate the collection and storage of information relevant to existing business processes and associated applications. The result is a dynamic inventory that lists the software attributes across the application portfolio (lines of code, number of objects, file types and number of programs), all of which are updated when changes occur. This visibility provides actionable insight into the technical parameters of the application inventory, highlighting the value, inter-dependencies and risk exposure of individual systems. By delivering this level of technical information, which offers wide business applicability, governance, compliance and risk management initiatives become implicitly embedded in the management process, helping to avoid some of the main obstacles to widespread adoption.

[Figure 1: Example of APM technology capabilities applicable to GRC]

A key element of any IT governance framework is access to relevant reporting and monitoring capabilities, though as Gartner points out, there is no single application governance tool [4] currently available that offers a comprehensive silver-bullet approach. Instead, these capabilities are derived from a variety of different solution areas, with APM providing arguably the most complete functionality for extending governance across the application landscape, and the best approach for administering the bulk of today's IT expenditure.

Governance

IT governance can be defined as "the processes that ensure the effective and efficient use of IT, enabling an organization to achieve its goals" [4]. There is a growing consensus among commentators that it will overtake corporate governance in importance due to the strategic value of technology to the corporation. As Alan Calder puts it, "Organizations that fail to direct and control their IT to best competitive advantage will be left as road kill on the information superhighway" [1].

To assist the creation of effective IT governance frameworks, a number of management standards have emerged. These include:

- COBIT (Control Objectives for Information and Related Technology)
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- ISO 27001, for certification of information security management
- ITIL (IT Infrastructure Library)
- ISO 20000, an international standard for IT service management

Each standard has originated from a different sponsoring organisation, in response to different business drivers; for example, ITIL began as a library of best-practice processes for IT service management. However, regardless of emphasis and composition, any framework must incorporate objective measures that enable an enterprise to understand where it currently stands with regard to achieving an effective governance capability, and where improvement efforts should be targeted. To satisfy this information requirement, COBIT, as an example, defines a management toolkit comprising [5]:

- dashboards, to provide indicators that "the ship is on course";
- scorecards, to provide measures that demonstrate satisfactory results are being achieved, for the widest possible audience of stakeholders;
- benchmarking, to provide a comparative scale for assessing how the IT function is adapting to changes in its environment. A typical approach for this is to adopt the Software Engineering Institute's Capability Maturity Model (CMM) [6].

The COBIT framework also defines the focus areas in which to apply this toolkit, as illustrated in figure 2 below.

[Figure 2: COBIT's IT Governance Focus Areas [5]]

The aim of this framework is to ensure that:

- IT is aligned with the business
- IT enables business execution and maximises benefits
- IT resources are used responsibly
- IT risks are managed appropriately

This is a good representation of the aims of most governance initiatives. Examining each factor in turn, the following table summarizes how core APM capabilities map directly to the key elements of this framework and, by implication, to the other standards mentioned above.

COBIT Focus Area: Strategic Alignment and Value Delivery
APM Technology Capabilities:
- Automate the compilation of business-value questionnaires to speed up and simplify the analysis process, making large-scale application reviews feasible.
- Provide a central storage repository for both the questionnaire review data and details of all application attributes across the portfolio, to enable the reporting of business value metrics against governance measures such as software or service quality.

COBIT Focus Area: Risk Management
APM Technology Capabilities:
Enterprise View parses the application portfolio down to code level to provide a detailed understanding of the impact of any planned changes, and is equipped with a range of features that help reduce this type of risk. These features include:
- Technical inventory and software quality analysis that gauges the size and complexity of the code to be altered, enabling the most appropriate change management procedures to be employed.
- Automated impact analysis, to enable IT to review the attributes of all applications impacted by a proposed change and to generate a detailed impact assessment, improving risk mitigation planning as well as ensuring completeness of execution and reducing the risk of abends.
- Additional features such as graphical representations of attribute relationships and automated production of technical documentation, to impart a broad understanding of the application environment and to ensure any changes are proposed with a greater appreciation of context and impact, reducing in turn the likelihood of defects and outages.
- Automatic calculation of software quality metrics, to provide indicators of how application code is currently being maintained and to help avoid unnecessary complexity being added through poor programming standards, which will only increase support costs over time.

COBIT Focus Area: Resource Management (applications, information assets, technical infrastructure and people)
APM Technology Capabilities:
- Top-down business value and technology assessment support, combined with software quality analyses, provides a systematic and consistent method for determining candidate applications for migration to lower cost platforms.
- Graphical representations of attribute relationships, impact analyses and the automatic production of technical documentation significantly reduce the ramp-up time for teams looking to work on new applications. This in turn can deliver a step change in resource flexibility and productivity.

COBIT Focus Area: Performance Management
APM Technology Capabilities:
- Defect history from help desk ticketing systems, change history from source code management systems, and the business value and software quality data are combined to create powerful role-based dashboards and management reports that span service, quality and productivity performance. These can be presented in multiple views, spanning different departments, service areas and service providers, both internal and external to the business. This benchmarking of relative performance, which takes into account code complexity, allows comparisons to be made that can ultimately help maintain and improve performance levels and shift resources to those areas delivering the greatest return or in need of the greatest support.

Many of the aspects mentioned in the table above are still applicable when the application portfolio has been outsourced. In this situation, it is vital to ensure good governance processes are being consistently applied, to prevent erosion of asset values through poor quality development and unnecessary complexity. As the client, tracking SLA performance and benchmarking the performance of individual providers is a fundamental requirement for ensuring value maximization, as well as certifying that the provider is executing an effective governance model around code and service quality and protecting application asset value.

Compliance

Given the complex, multi-national, multi-regulatory environment that corporations operate in today, delivering statutory compliance is an intense and unforgiving challenge for many senior IT managers.
The regulatory mandates facing the enterprise differ by sector, but the overall framework can be broadly broken down into three primary areas:

- Corporate governance, where acts such as the Sarbanes-Oxley (SOX) Act of 2002 and the Combined Code on Corporate Governance in the UK require companies listed with the USA Securities and Exchange Commission and on the London Stock Exchange to have in place internal control frameworks that enable the company's board to manage operational and financial risk effectively.
- Personal data and identity protection laws, which require appropriate technical measures to be taken to prevent unauthorized or unlawful processing of personal data, and accidental loss, destruction or damage. In the UK, the Data Protection Act of 1998 also stipulates that personal data should not be transferred to countries that cannot provide adequate protection. In addition, certain state laws in the USA, such as California's Security Breach Notification law SB-1386 [7], require immediate disclosure to customers if a breach of personal data has occurred.
- Industry-specific legislation, particularly relevant to companies operating in the financial services industry, where regulations such as Basel II and Solvency 2 (in the banking and UK insurance sectors respectively) require accurate reporting on all risks relating to capital exposure. Other examples include the USA's HIPAA (Health Insurance Portability and Accountability Act), which designates the parameters of the access controls that need to be in place to protect against inappropriate access to sensitive data.

These are only a few examples of the myriad compliance-related directives currently in existence, and the total number will surely expand in line with future political demands.

The response to date of many IT organisations has largely been around ensuring that appropriate access controls to systems and applications are in place and fault tolerant. However, the growing complexities of certain regulatory demands have implications at the application code level that require enhanced capabilities in compliance analysis. For example, access security standards have a direct impact on field/record and file structures, which in turn should be consistent throughout the multitude of interconnecting programmes and applications that form an organization's business and customer service processes. Ensuring compliance here places a sustained burden on resource capacities.

APM technologies directly address these issues through a code level analysis capability that is ideal for assessing granular level compliance. In pursuit of total compliance coverage across the enterprise architecture, users can select individual applications and use the intelligent code search functions to rapidly bring up the relevant fields across all interconnected programmes and applications. Where changes are required, for example a field length expansion, APM supports such alterations by assessing the impact across all related applications to gauge the effort involved and the project risks.
In this way APM technology can provide a very rapid, low-risk approach to ensuring application compliance down to code level. Indeed, the demand for this capability is only likely to grow, with an increasing number of governance standards already stipulating that effective controls must be in place to assess and document program code changes. An example of this is the COSO framework, which requires general controls to be deployed in accordance with the USA's PCAOB (Public Company Accounting Oversight Board) Auditing Standard No. 2, paragraph 50, which states that "information technology general controls over program development, program changes, computer operations ... help ensure that specific controls over the processing of transactions are operating effectively" [7].

Complete portfolio visibility is also critical for ensuring data access controls are effective across all applications, to remove the threat of unauthorized entry. For some organisations this should prove straightforward enough, but in larger and more mature operations the IT landscape has inevitably incorporated some ad hoc responses to tactical and strategic imperatives. The result is an elaborate and complex network permeating the entire organisation, and one that makes keeping track of the technologies and inter-relationships, at all levels of an application, extremely difficult. In this instance, IT controls are difficult to validate, and managers cannot guarantee 360-degree security for sensitive data. The graphical relationship maps that can be produced from a code level analysis within APM provide details of

how each application links with other applications, helping to avoid these problems.

In terms of the compliance requirements relating specifically to financial institutions, such as Basel II and Solvency 2, the challenge for the IT function is to ensure risk management reporting can be reconciled accurately down to a transactional level. Increasingly, this is prompting the need to analyse a system's transaction handling components at code level. Again, the ability of APM technology to greatly enhance application and code level understanding makes such initiatives far more feasible.

As well as these specific business issues, there are also more generic trends and developments that pose potential compliance risks. This is particularly reflected in the continual evolution of technology towards new, low-cost operating environments. The challenge here is to ensure compliance with the latest technical standards, which in turn reflect the corporation's view of which developments can be considered acceptable. This can prove difficult in organizations with large, geographically dispersed operations, but it is critical to the overall compliance agenda. To speed the process, self-certification can prove extremely useful. The automated questionnaire capabilities within APM solutions offer an effective approach to undertaking such an evaluation, with results stored in the APM repository for review or as a future audit trail.

Risk Management

Any change to mission-critical applications, ranging from small maintenance updates to large-scale migrations, involves an inherent risk to the business due to the complexity and inter-dependency of today's architectural landscape. All too often, a change in one application will mysteriously cause another to stop, and it can be weeks before the root cause is finally isolated.

APM, through the data held on business value, service and software quality, as well as the technical inventory, provides a diversity of different views into existing applications to help mitigate such operational risks. It also helps manage strategic risk by providing an accurate decision-making framework for guiding application strategy in terms of retirements, investments, and modernisation or migration initiatives. Once candidates for a particular action have been identified, the extensive level of technical documentation available helps to determine the level of risk associated with any proposed activity. This in turn informs the benefit/risk trade-off analysis. The resulting combination of broad cross-portfolio clarification, together with a code level focus at an individual application level, provides an effective mechanism for balancing strategic risk.

In terms of operational risk, once a course of action has been determined, the full range of knowledge available to IT personnel, in conjunction with the automated production of technical documentation, helps to clarify the best course of action and reduce overall exposure. For example, when modernizing an application, it is only with the insight provided by the graphical analysis of APM that project teams can ensure the changes are executed in a manner that continues to support the inter-relationships of

all programmes, objects and applications effectively. To avoid compromising compliance integrity, it is crucial that no adverse behaviour occurs due to oversights on application inter-relationships and access permissions, particularly when handling sensitive data.

Along with the ability to calculate precisely the impact of any changes, APM also helps detail the resources required for any potential application change project. This helps management to adequately plan, scope and resource individual projects, to understand with confidence all the risks involved, and to improve the chances of the project being completed on time and within budget.

Case Study

To illustrate the benefits of APM technology in supporting governance, let us take a quick look at a real-life example of a customer that has taken such an approach. In this case, a global bank was determined to improve its IT governance, driven by the specific goals of:

1. optimizing IT resources following a series of mergers, and
2. gaining a better understanding of its complex internal processes.

More specifically, the bank wanted to address the maintainability and quality of its application code and evaluate whether its systems integrators were delivering the anticipated value in line with their support and maintenance agreements. The customer deployed the Micro Focus Enterprise View APM solution to consolidate multiple data strands into an accurate and comprehensive understanding of its application portfolio. An executive dashboard was then created to convey this new application insight, which was used in the management of a number of IT processes including resource budgeting and financing, capacity management, SLA management, and customer demand and satisfaction management. The use of Enterprise View has provided the bank with a continuous representation of a rapidly evolving and dynamic system.

The information base now available has equipped the bank with the ability to produce targeted reporting on demand, at different levels of aggregation, for different end-user classes. Data can now be split out by line of business, role, application area, language or any other useful criteria. Ongoing activities never enter uncontrolled cycles: they are always well reported, well controlled and, as a consequence, well governed. Through the higher-level view of the IT operation gained from the available analysis and insight, the bank has been able to improve the service level performance of its outsourcers and has obtained contract renewals with clear performance measures and significant cost reductions. The bank has estimated that these reductions represent a 20% saving on its previous contract costs.

Conclusion

Looking to the future, it is likely that IT governance obligations will only increase in size and scale. Therefore, a tool that can provide a precise analysis of an application down to code level, including inter-dependencies and relationship views, should certainly be considered a key component in the IT organisation's governance armoury. Even if large sections of the technical environment have been outsourced, this only heightens the need to ensure compliance integrity and control standards are robust and fully functional. Visibility into the performance of outsource providers will help ensure quality and programming standards are being adhered to, ensuring the continued development of overall asset value.

This also encourages a more strategic view of IT assets. A previous lack of in-depth, portfolio-level application insight has run the risk of value optimization based on short-term technology opportunism, versus the systematic and holistic GRC-based view that can be achieved using APM technology.

In summary, the benefits to IT governance initiatives that APM can deliver are extensive, providing in-depth application understanding that helps identify areas of non-compliance and opportunities for maximizing the value of a portfolio of critical IT assets. In particular, it can help reduce the strategic risk connected to a failure to plan application strategy in a portfolio context. Such a failure can often precipitate a crisis-management approach to the technological demands of the business, resulting in the adoption of short-term measures that don't necessarily correspond with the intended governance framework or maximise asset value over the long term. But by using APM to assess business value and technology-related risk, management has multi-dimensional visibility into potential hot spots and the ability to dive into the underlying problems for further investigation. This insight encourages a more pro-active approach to GRC and the capacity to manage and target resources in a more effective way and at the point of need.

Next Steps

Micro Focus Enterprise View is a comprehensive APM solution offering the capabilities discussed in this paper. It is already deployed and delivering improved governance to a range of enterprise customers. Please visit for further information on how APM could deliver benefits for your business.

References

1. Calder, Alan. IT Governance: A Pocket Guide. IT Governance Publishing.
2. Murphy, Phil. Building the Business Case for APM. Forrester Best Practices.
3. Duggan, Jim. APM Improves Business Margins Through Cost and Risk Reduction. Gartner Research.
4. Hotle, Matthew. The Seven Deadly Sins of Application Governance. Gartner Research.
5. COBIT 4.1. IT Governance Institute.
7. Calder, Alan. IT Regulatory Compliance in North America. IT Governance Publishing.

For contacts worldwide: www.microfocus.com/contact

(C) 2008 Micro Focus. All Rights Reserved. Micro Focus is a registered trademark. Other trademarks are the property of their respective owners. WPAPMG1108-US


More information

The Asset Management Landscape

The Asset Management Landscape The Asset Management Landscape ISBN 978-0-9871799-1-3 Issued November 2011 www.gfmam.org The Asset Management Landscape www.gfmam.org ISBN 978-0-9871799-1-3 Published November 2011 This version replaces

More information

Applying ITIL v3 Best Practices

Applying ITIL v3 Best Practices white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti [email protected] Antonio Ricci [email protected]

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti [email protected] Antonio Ricci [email protected] Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Achieving Business Imperatives through IT Governance and Risk

Achieving Business Imperatives through IT Governance and Risk IBM Global Technology Services Achieving Business Imperatives through IT Governance and Risk Peter Stremus Internet Security Systems, an IBM Company Introduction : Compliance Value Over the past 15 years

More information

Understanding and articulating risk appetite

Understanding and articulating risk appetite Understanding and articulating risk appetite advisory Understanding and articulating risk appetite Understanding and articulating risk appetite When risk appetite is properly understood and clearly defined,

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

, Head of IT Strategy and Architecture. Application and Integration Strategy

, Head of IT Strategy and Architecture. Application and Integration Strategy IT Strategy and Architecture Application DOCUMENT CONTROL Document Owner Document Author, Head of IT Strategy and Architecture, Enterprise Architect Current Version 1.2 Issue Date 01/03/2013 VERSION CONTROL

More information

A Ready Business has total visibility and control. Seamlessly manage your global telecommuncations in a secure environment

A Ready Business has total visibility and control. Seamlessly manage your global telecommuncations in a secure environment A Ready Business has total visibility and control Seamlessly manage your global telecommuncations in a secure environment 2 We live in a world of rapid and unpredictable change 22% Only 22% of businesses

More information

How To Ensure Financial Compliance

How To Ensure Financial Compliance Evolving from Financial Compliance to Next Generation GRC Gary Prince Principal Solution Specialist - GRC Agenda Business Challenges Oracle s Leadership in Governance, Risk and Compliance Solution Overview

More information

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015 Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...

More information

Reining in the Effects of Uncontrolled Change

Reining in the Effects of Uncontrolled Change WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

More information

Framework for Enterprise Risk Management

Framework for Enterprise Risk Management Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach

More information

Technical Management Strategic Capabilities Statement. Business Solutions for the Future

Technical Management Strategic Capabilities Statement. Business Solutions for the Future Technical Management Strategic Capabilities Statement Business Solutions for the Future When your business survival is at stake, you can t afford chances. So Don t. Think partnership think MTT Associates.

More information

Development, Acquisition, Implementation, and Maintenance of Application Systems

Development, Acquisition, Implementation, and Maintenance of Application Systems Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of

More information

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief The RSA Solution for Cloud Security and Compliance A GRC foundation for VMware infrastructure security and compliance Solution Brief The RSA Solution for Cloud Security and Compliance enables end-user

More information

building a business case for governance, risk and compliance

building a business case for governance, risk and compliance building a business case for governance, risk and compliance contents introduction...3 assurance: THe last major business function To be integrated...3 current state of grc: THe challenges... 4 building

More information

Privileged user management

Privileged user management Privileged user management vv It s time to take control Bob Tarzey, Analyst and Director, Quocirca Ltd Introduction The data presented is based on 270 telephone interviews with organisations across Europe

More information

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.

More information

CA Configuration Management Database (CMDB)

CA Configuration Management Database (CMDB) PRODUCT BRIEF: CA CMDB CA Configuration Management Database (CMDB) CA CONFIGURATION MANAGEMENT DATABASE (CMDB) HELPS YOU IDENTIFY AND UNDERSTAND THE DEPENDENCIES AND RELATIONSHIPS AMONG AND BETWEEN YOUR

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

White Paper Software Quality Management

White Paper Software Quality Management White Paper What is it and how can it be achieved? Successfully driving business value from software quality management is imperative for many large organizations today. Historically, many Quality Assurance

More information

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance The RSA Solution for Cloud Security and Compliance enables enduser organizations and service providers to orchestrate and visualize the security of their

More information

"Service Lifecycle Management strategies for CIOs"

Service Lifecycle Management strategies for CIOs "Service Lifecycle strategies for CIOs" Ralf Hart, Sales Manager CEE Europe FrontRange Solutions 10th December 2008 Agenda FrontRange Solutions The challenges the IT community faces What is the solution?

More information

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com Data Governance Unlocking Value and Controlling Risk 1 White Paper Data Governance Table of contents Introduction... 3 Data Governance Program Goals in light of Privacy... 4 Data Governance Program Pillars...

More information

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution 1. The Challenge Large enterprises are experiencing an ever increasing burden of regulation and legislation against which they

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

Agile enterprise content management and the IBM Information Agenda.

Agile enterprise content management and the IBM Information Agenda. Transforming your content into a trusted, strategic asset Agile enterprise content management and the IBM Information Agenda. Delivering a common information framework for uncommon business agility Highlights

More information

How SUSE Manager Can Help You Achieve Regulatory Compliance

How SUSE Manager Can Help You Achieve Regulatory Compliance White Paper Server How SUSE Manager Can Help You Achieve Regulatory Compliance Table of Contents page Why You Need a Compliance Program... 2 Compliance Standards: SOX, HIPAA and PCI... 2 What IT Is Concerned

More information

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma Governance, Risk, Compliance (GRC) Automation Siamak Razmazma [email protected] September 2009 Agenda Introduction to

More information

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS

More information

opinion piece IT Security and Compliance: They can Live Happily Ever After

opinion piece IT Security and Compliance: They can Live Happily Ever After opinion piece IT Security and Compliance: They can Live Happily Ever After Contents Pitfalls, misconceptions and mistakes 01 It s not all doom and gloom 01 Take the right steps towards compliance and IT

More information

Top 10 Key Attributes of a Successful Project

Top 10 Key Attributes of a Successful Project By Jacob Thaning, SVP,Global Consulting, Deltek, Inc. of a Successful Project Table of Contents One: Executive Sponsorship 1 Two: Strong Project Governance 2 Three: User Involvement 3 Four: Clear Company

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

ISO 19600: The development

ISO 19600: The development 1 Baltzer Science Publishers ISO 19600: The development of a global standard on compliance management By Sylvie Bleker and Dick Hortensius* It has been a traditional complaint of the global compliance

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

IT Governance Dr. Michael Shaw Term Project

IT Governance Dr. Michael Shaw Term Project IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai [email protected] May 3 rd, 2007 1 Table of Contents: Abstract...3

More information

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business

More information

Symantec Control Compliance Suite. Overview

Symantec Control Compliance Suite. Overview Symantec Control Compliance Suite Overview Addressing IT Risk and Compliance Challenges Only 1 in 8 best performing organizations feel their Information Security teams can effectively influence business

More information

Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations

Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations White Paper September 2009 Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations Page 2 Contents 2 Executive

More information

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

treasury risk management

treasury risk management Governance, Concise guide Risk to and Compliance treasury risk management KPMG is a leading provider of professional services including audit, tax and advisory. KPMG in Australia has over 5000 partners

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

Application Outsourcing: The management challenge

Application Outsourcing: The management challenge White Paper Application Outsourcing: The management challenge Embedding software quality management for mutual benefit Many large organizations that rely on mainframe applications outsource the management

More information

Configuration Management System:

Configuration Management System: True Knowledge of IT infrastructure Part of the SunView Software White Paper Series: Service Catalog Service Desk Change Management Configuration Management 1 Contents Executive Summary... 1 Challenges

More information

Outsourcing & Regulatory Compliance Risks

Outsourcing & Regulatory Compliance Risks Outsourcing & Regulatory Compliance Risks By Matthew Sullivan Today s marketplace dictates that Financial Services Institutions (FSIs) consider using offshore IT services to remain competitive. However,

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Understanding Data Governance ROI: A Compliance Perspective

Understanding Data Governance ROI: A Compliance Perspective A DataFlux White Paper Prepared by: Gwen Thomas Understanding Data Governance ROI: A Compliance Perspective Leader in Data Quality and Data Integration www.dataflux.com 877 846 FLUX International +44 (0)

More information

Wilhelmenia Ravenell IT Manager Eli Lilly and Company

Wilhelmenia Ravenell IT Manager Eli Lilly and Company Wilhelmenia Ravenell IT Manager Eli Lilly and Company Agenda Introductions The Service Management Framework Keys of a successful Service management transformation Why transform? ROI and the customer experience

More information

Customer requirements. Asset management planning Inspection and assessment Route asset planning Annual work plans Contracting strategy

Customer requirements. Asset management planning Inspection and assessment Route asset planning Annual work plans Contracting strategy Section 8 Output monitoring Inputs Customer requirements Safety standards Outputs and funding SRA and Government Policy Network stewardship strategy Asset and operational policies Maintenance & renewal

More information

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, streamline compliance reporting, and reduce the overall

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

Data2Diamonds Turning Information into a Competitive Asset

Data2Diamonds Turning Information into a Competitive Asset WHITE PAPER Data2Diamonds Turning Information into a Competitive Asset In today s business world, information management (IM), business intelligence (BI) and have become critical to compete and thrive.

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

Cisco Network Optimization Service

Cisco Network Optimization Service Service Data Sheet Cisco Network Optimization Service Optimize your network for borderless business evolution and innovation using Cisco expertise and leading practices. New Expanded Smart Analytics Offerings

More information

Practical IT Governance - Using MKS's Enterprise Software Change Management Solution for Greater Auditability and Control

Practical IT Governance - Using MKS's Enterprise Software Change Management Solution for Greater Auditability and Control Practical IT Governance - Using MKS's Enterprise Software Change Management Solution for Greater Auditability and Control Tim Ruzbacki, Process Consultant Craig Hale, Application Engineer 2004 MKS Inc.

More information

Best Practices for Planning and Budgeting. A white paper prepared by PROPHIX Software October 2006

Best Practices for Planning and Budgeting. A white paper prepared by PROPHIX Software October 2006 A white paper prepared by PROPHIX Software October 2006 Executive Summary The continual changes in the business climate constantly challenge companies to find more effective business practices. However,

More information

Best practices for planning and budgeting. A white paper prepared by Prophix

Best practices for planning and budgeting. A white paper prepared by Prophix A white paper prepared by Prophix Executive summary The continual changes in the business climate constantly challenge companies to find more effective business practices. However, common budgeting limitations

More information

Lancashire County Council Information Governance Framework

Lancashire County Council Information Governance Framework Appendix 'A' Lancashire County Council Information Governance Framework Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice

More information

IBM Tivoli Asset Management for IT

IBM Tivoli Asset Management for IT Cost-effectively manage the entire life cycle of your IT assets IBM Highlights Help control the costs of IT assets with a single product installation that tracks and manages hardware, software and related

More information

WHITE PAPER IMPROVING PERFORMANCE WITH AN ADAPTIVE PLATFORM FOR ENTERPRISE OPERATIONAL INTELLIGENCE HIGHLIGHTS P1 P4 P5.

WHITE PAPER IMPROVING PERFORMANCE WITH AN ADAPTIVE PLATFORM FOR ENTERPRISE OPERATIONAL INTELLIGENCE HIGHLIGHTS P1 P4 P5. WHITE PAPER IMPROVING PERFORMANCE WITH AN ADAPTIVE PLATFORM FOR ENTERPRISE OPERATIONAL INTELLIGENCE October, 2015 HIGHLIGHTS P1 P4 P5 Competitive companies that succeed are the ones that embrace change.

More information

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures?

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures? SOLUTION BRIEF: CA IT ASSET MANAGER How can I reduce IT asset costs to address my organization s budget pressures? CA IT Asset Manager helps you optimize your IT investments and avoid overspending by enabling

More information

Self-Service SOX Auditing With S3 Control

Self-Service SOX Auditing With S3 Control Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with

More information

IBM Maximo Asset Management for IT

IBM Maximo Asset Management for IT Cost-effectively manage the entire life cycle of your IT assets IBM Highlights Help control the costs and financial impact of IT assets with a single solution that tracks and manages your hardware, software

More information

White Paper: AlfaPeople ITSM 2013. This whitepaper discusses how ITIL 3.0 can benefit your business.

White Paper: AlfaPeople ITSM 2013. This whitepaper discusses how ITIL 3.0 can benefit your business. White Paper: AlfaPeople ITSM 2013 This whitepaper discusses how ITIL 3.0 can benefit your business. Executive Summary Imagine trying to run a manufacturing business without a comprehensive and detailed

More information