IT Governance Masterclass
Georges Ataya, CISA, CGEIT, CISSP, MSCS, PBA
International VP, IT Governance Institute
Professor, Solvay Business School
Managing Partner, ICT Control NV

Georges Ataya, MSCS, PBA, CISA, CISM, CISSP
- Professor and Academic Director at Solvay Brussels School of Economics and Management, in charge of IT Management Education (www.solvay.edu/it)
- International Vice President of the IT Governance Institute (ITGI.org)
- Managing Partner, ICT Control SA (www.ictcontrol.eu)
- Has participated in various research projects and publications
Contact: Georges@ictcontrol.eu, www.ataya.info

Four education channels (solvay.edu/it)
- Executive Masters
- Executive Programmes
- Professional Seminars
- Professional Update Sessions

Forces Driving IT Governance
- Compliance
- Strategy and value
- ROI
- Service Management
- Security
- Project Execution

Why Does IT Need a Governance Framework?
Do any of these conditions sound familiar?
- Increasing pressure to leverage technology in business strategies
- Growing complexity of IT environments
- Fragmented IT infrastructures
- Demand for technologists outstripping supply
- Communication gap between business and IT managers
- IT service levels that are disappointing
- IT costs perceived to be out of control
- Marginal ROI/productivity gains on technology investments
- Impaired organisational flexibility and nimbleness to change
- User frustration leading to ad hoc solutions
- IT managers operating like fire fighters

Without Effective Governance
Situation:
- Lack of strategic focus
- Projects are sold on an emotional basis, not selected
- Reluctance to say no to projects
- No strong review process
- Can't kill projects
- Overemphasis on financial ROI
- No clear strategic criteria for selection
Leads to:
- Too many projects
- Underestimation of risks and costs
- Quality of execution suffers
- Projects not aligned to strategy
Results in:
- Budget overruns
- Project delays
- Business needs not met
- Benefits not received
- Increased complexity
- Sub-optimal use of resources
- Finger pointing
- Lack of confidence (in IT)
Source: Fujitsu

IT Governance Needs a Management Framework
[Figure: the driving forces map onto the IT governance focus areas; labels visible: IT Governance Concepts, Resource Management]

Definition

Six IT Governance domains
- IT Governance Concepts
- Risk Management
- Strategic Alignment
- Resources Management
- Value Management
- Performance Measurement

CGEIT Domain 1: IT Governance Concepts
- From IT Governance to Corporate Governance
- Establishing accountability
- Major Governance Frameworks
- Summary of IT Governance implementation practices
- Process Improvement and IT Practices
- Adapting IT practices to the enterprise's needs and culture
- Translating business objectives into action
- Marketing and communication practices
- Assurance practices
- Governance, Risk and Compliance (GRC) practices

Governance, Risk & Compliance: GRC
- Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
- Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
- Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
Source: OCEG (Open Compliance and Ethics Group)

EDM-based model for IT Governance
[Figure: Corporate Governance of IT as an Evaluate, Direct, Monitor cycle. Evaluate: proposals; Direct: plans and policies; Monitor: performance and conformance; applied to business processes, IT projects and IT operations]

6 Principles of ISO 38500
1. Responsibility: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
2. Strategy: The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.
3. Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
4. Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
5. Conformance: IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
6. Human Behaviour: IT policies, practices and decisions demonstrate respect for human behaviour, including the current and evolving needs of all the people in the process.
For each principle, the draft standard prescribes guidance for adherence in 3 aspects: Evaluate, Direct, and Monitor.

Setting the Direction of IT Governance across the enterprise (in support of the business)
[Figure: a control loop of Set Objectives, Provide Direction, IT Activities, Measure Performance, Compare]
Set Objectives:
- IT is aligned with the business
- IT enables the business and maximises benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
IT Activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)
Objective: ensure that IT enables, sustains and extends the organisation's strategies and objectives
Method: providing direction and exercising control
Content: leadership, organisational structures and processes
Responsibility: board of directors and executive management
Source: IT Governance Institute

Setting the Direction of IT Governance across the enterprise (in support of the business)
IT Governance: set objectives, provide direction, evaluate performance.
Set Objectives:
- IT is aligned with the business
- IT enables the business and maximises benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
IT Management: translate direction into strategy, translate strategy into action, measure and report performance.
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)
Source: EG Consult

Summary of IT Governance implementation practices
A sequence of activities to build and sustain IT governance in the organisation. A generic road map helps organisations to design the IT governance implementation effort.
Road map stages, from "Nothing" to "Business as Usual":
- Awareness
- Need Analysis
- Gap Analysis
- Evaluation
- Develop IT Governance Organisation
- Improvement Projects
- Business as Usual
Source: IT Governance Institute

Scope, objectives and benefits of continuous process improvement and use of IT best practices, standards and frameworks to complement each other
Source: IT Governance Institute

CGEIT Domain 2: Strategic Alignment
- Strategic alignment issues that impact the enterprise
- Strategic business planning process and techniques
- Linking enterprise business strategies with related best practices
- Scope, objectives and benefits of investment programs
- Portfolio, program and project management
- Enterprise architecture
- IT support to key business processes
- Dynamic business modelling
- Elements of IT planning
- Mapping strategy processes and monitoring key metrics
- Benchmarking strategic performance

Value chain linkage between Enterprise Strategy and IT
[Figure: Enterprise Strategy & Architecture → Business Goals for IT → IT Goals → IT Processes → IT Scorecard. Labels visible: Business Requirements and Governance Requirements require Information Services, which deliver Information; Information Criteria influence IT Processes; IT Processes run Applications; Applications imply and need Infrastructure & People]
Source: IT Governance Institute

Linking Business and IT Goals
Source: IT Governance Institute

Linking IT Goals and IT Processes
Source: IT Governance Institute

CGEIT Domain 3: Value Management
- Techniques and frameworks for enterprise, information and IT architecture
- Solution delivery processes and practices (systems development life cycle)
- IT service delivery processes and practices (IT Service Management)
- Practices and processes in value governance
- IT investment processes, funding models and investment lifecycle management
- Benefits management
- Cost optimisation
- Developing and monitoring business cases
- Portfolio, program and project management practices
- Managing and reporting the status of IT investments

Practices and processes in value governance: Value Governance elements
[Figure: Value (Total Benefits against Total Costs) balanced against Risk. Management layers: Strategy Management, Portfolio Management, Programme Management, Project Management, Operations Management; cross-cutting: Asset Management, Architecture Management]
Source: IT Governance Institute

Val IT principles (practices and processes in value governance)
- IT-enabled investments will be managed as a portfolio of investments
- IT-enabled investments will include the full scope of activities that are required to achieve business value
- IT-enabled investments will be managed through their full economic life cycle
- Value delivery practices will recognise that there are different categories of investments that will be evaluated and managed differently
- Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations
- Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realisation of business benefits
- Value delivery practices will be continually monitored, evaluated and improved
Source: IT Governance Institute

Cost Optimisation: Opportunities and Strategies for Cost Optimisation
Infrastructure:
- Hardware: Mainframes; Servers; Desktops; Laptops/PDAs
- Software: Applications; System software; Databases; Desktop software
- Telecoms: Data (LAN); Data (WAN); Voice; Internet
Process:
- Procurement (AI5); Financing Policy (PO5); Asset Management; Budgeting and Cost Monitoring (PO5 and DS6)
- Capacity and Utilisation; Warranty and Maintenance; Platform and Product Consolidation; Software Licensing
- Project Portfolio Management (PO10); Programme and Project Management (PO10); Contract/Third-party Service Management (DS2)
- Platform Standardisation; In-house and User Development; Legacy/In-house Application Support; Acceptable Use Policies; Leverage of New Technologies
- Asset Management (DS9); Operations and Systems Management (DS13); Service Desk and Service Delivery (DS8)
People:
- IT Management and Organisation; Deployment of Human Capital; IT Recruitment; Staff Retention; Replacement Strategy; Use of IT Contract Staff; Training and Staff Development
Source: IT Governance Institute

Developing and monitoring business cases
Why the business case?
- Understanding of what you plan to achieve, how you are going to manage it and who is accountable
- Basis for comparison and choice
- Recording all that needs to be tracked (cost, risks, benefits, etc.)
- Maintain clarity on what you are doing
Developing the business case:
1. Fact Sheet
2. Alignment
3. Financial Benefits
4. Non-financial Benefits
5. Risks
6. Optimising risk & return
7. Documentation
8. Maintenance
[Figure: solution delivery and monitoring chain: Resources → Technical Capability → Operational Capability → Business Capability → Business Outcomes]
Source: Fujitsu Consulting, "The Information Paradox" by John Thorp

Practices and processes in value governance: Val IT 2 framework domains and processes
3 domains, 22 processes, 74 key management practices (number of practices per process in brackets).
Value Governance (VG):
- VG1: Establish informed and committed leadership (5)
- VG2: Define and implement processes (6)
- VG3: Define portfolio characteristics (5)
- VG4: Align and integrate value management with enterprise financial planning (4)
- VG5: Establish effective governance monitoring (4)
- VG6: Continuously improve value management practices (1)
Portfolio Management (PM):
- PM1: Establish strategic direction and target investment mix (4)
- PM2: Determine the availability and sources of funds (1)
- PM3: Manage availability of human resources (10)
- PM4: Evaluate and select programmes to fund (5)
- PM5: Monitor and report on portfolio performance (5)
- PM6: Optimise investment portfolio performance (2)
Investment Management (IM):
- IM1: Develop and evaluate initial programme concept business case (3)
- IM2: Understand the candidate programme and implementation options (2)
- IM3: Develop the programme plan (1)
- IM4: Develop full life cycle costs and benefits (3)
- IM5: Develop the detailed candidate programme business case (3)
- IM6: Launch and manage the programme (3)
- IM7: Update operational IT portfolios (1)
- IM8: Update the business case (2)
- IM9: Monitor and report on the programme (3)
- IM10: Retire the programme (1)
Source: IT Governance Institute

Portfolio Categorisation (portfolio, program and project management practices)
Degrees of freedom to allocate funds:
- Discretionary Investments (Transform the Business, Grow the Business): Venture, Growth, Discretionary Enhancements
- Non-Discretionary Costs (Run the Business): Core; little analysis
Every investment need not follow the same level of value analysis or the same level of control.
Value Assessment:
- Cost Benefit Analysis
- Impact Analysis
- Clarity of connection with desired business outcomes
Source: META Group

Value Governance is based around "The Four Ares", continually asking:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?
Source: Fujitsu Consulting

CGEIT Domain 4: Risk Management
- Context of risk management at strategic, portfolio, program, project and operations levels
- Overview of risk management frameworks and standards (COSO ERM, MoR, OCTAVE, ISO 31000, AS/NZ 4360:2004)
- Establishing the enterprise risk management framework (including risk classification model) in the context of business objectives and the environment, both external and internal
- Mapping business processes to IT processes in a risk context to understand dependencies and root cause
- Defining the enterprise risk appetite
- Risk management of enterprise IT resources (application, information, infrastructure, people)
- Identifying threats, vulnerabilities and opportunities inherent in enterprise use of IT resources, and types of business risks, exposures and threats involved
- Quantitative and qualitative methods to determine sensitivity, criticality and maturity of IT-related contributions to business success
- Quantitative and qualitative methods to assess IT risks (including enterprise-specific descriptive measurement scales, IT-related asset valuation methods and risk probability, use of both audit and stream data types, and impact and loss expectancy models/techniques)
- Methods to uncover rare but high-impact risk types, such as process analysis techniques
- Risk mitigation strategies in relation to the use of IT in the enterprise
- Effective risk management techniques for IT-related activities, including reporting of identified risks

Risk Management
- Risk analysis is concerned with gathering information about exposure to risk so that the organisation can make appropriate decisions and manage risks appropriately.
- Risk management requires processes to monitor risks, including adequate information about risks and a decision process supported by risk analysis, identification and evaluation.

Risk approaches
Dependent on the type of risk and its significance to the business, management and the board may choose to:
- Mitigate: implementing controls, e.g., acquire and deploy security technology to protect the IT infrastructure
- Transfer: sharing risk with partners or transferring it to insurance coverage
- Accept: formally acknowledging that the risk exists and monitoring it

IT Risk Analysis Approach: risk management of enterprise IT resources (application, information, infrastructure, people)
Source: IT Governance Institute

CGEIT Domain 5: Resources Management
- Corporate business and IT resources (people, applications, infrastructure and information)
- IT resources acquisition processes (people, application, software, hardware, facilities and outsourced services)
- Skill and technology mixes required to meet the enterprise's business objectives
- Human resource management processes and optimization practices needed to meet established technical and business proficiency, competency, and capability requirements
- Outsourcing and offshoring processes that may be employed to meet investment program and operation and service level agreements
- The strengths and weaknesses inherent within the enterprise's human and technical business and IT resources, and how to identify trainers with the requisite skill sets to maintain work competency and proficiency
- Business and IT resource planning and strategic and tactical planning methods, techniques and processes
- Quantitative and qualitative methods used to determine and evaluate business and IT resource utilization and the availability of these resources to effectively meet enterprise objectives
- Methods for monitoring and reporting on business and IT resource performance

Corporate business and IT resources
The IT resources identified in COBIT can be defined as follows:
- Applications are the automated user systems and manual procedures that process the information.
- Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
- Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
- People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

Establish technical and business proficiency, competency, and capability requirements
Resources management requires adequate processes for defining and maintaining:
- IT Principles
- IT Architecture
- IT Infrastructure
- Business application needs
- IT Investment and prioritisation

Does Your IT Architecture Look Like
"(needed a) blueprint to bring order to spaghetti layer of applications, boxes and wires"
Toby Redshaw, VP of Strategy & Architecture, Motorola

Four architectural views
- Business View: What are the business strategies and processes that will make us successful?
- Application View: Which applications do we need to facilitate the business?
- Information View: What information do we need to manage in the process, and how does the business manipulate the information?
- Technology View: What technology is needed to support the information and application needs?

Outsourcing

CGEIT Domain 6: Performance Measurement
- Enterprise strategy mapping and balanced scorecard principles
- Leading practices in performance measurement (e.g., maturity models) and effective industry benchmarking techniques
- Scope, objectives and benefits of commonly used IT maturity models, including their maturity attributes
- Outcome measures and performance drivers
- Continuous improvement methodologies
- Characteristics of, and selection criteria for, measures and metrics
- Tools and techniques that facilitate data collection and measurement, including automated monitoring
- Role of good communications and organizational change in performance improvement
- Root cause analysis and lifecycle cost-benefit analysis techniques
- Evaluating and monitoring IT performance in the context of IT Governance

Balanced Scorecard Approach for IT (enterprise strategy mapping and balanced scorecard principles)
A mechanism to communicate the objectives and monitor how successfully they are being achieved by recognising four key perspectives of IT's performance.
Mission (What is IT's purpose?): Provide high quality customer satisfaction at optimal cost.
Strategic Objectives (What does IT need to do to achieve its mission?): premier/preferred service provider; industry leader in efficient service delivery.
Measurement: Balanced Approach (goals):
- Financial Perspective: Is IT delivering products and services cost effectively?
- Customer Perspective: What are our customers' perceptions of IT services and performance?
- Process Perspective: How effective and efficient are IT processes to deliver products and services?
- Organizational Perspective: Is IT building capability and improving processes?
Source: Kaplan & Norton

Cascading Performance Measurement (enterprise strategy mapping and balanced scorecard principles)
Business Unit Mission and Strategy → Strategic Objectives and Measures → Departmental Business Plans → Team Business Plans → Individual Performance Measures
Objectives at all levels should fall into the four perspectives:
- Financial
- Customer
- Internal Business Processes
- Learning and Innovation
The process of developing the BSC, and cascading it down the organisation, ensures that everyone understands the business unit's long-term objectives, as well as the strategy for achieving them.
Source: Balanced Scorecard Collaborative

Leading practices in performance measurement (e.g. maturity models) and effective industry benchmarking techniques
Performance Measurement:
- Where are we going? → Vision
- How do we get there? → Strategy
- What do we need to do well? → Critical Success Factors
- How do we measure how well we are doing? → Key Performance Indicators (Financial Perspective, Customer Perspective, Process Perspective, Organizational Learning)
- How do we measure process improvement? → Process Performance Metrics
- How do we ensure customer satisfaction? → Service Level Metrics
Source: Balanced Scorecard Collaborative

Benchmarking IT process maturity by industry sector (leading practices in performance measurement, e.g. maturity models, and effective industry benchmarking techniques)
[Figure: radar charts of COBIT process maturity scores (scale 1.00 to 3.50) for processes PO1, PO3, PO5, PO9, PO10, AI1, AI2, AI5, AI6, DS1, DS4, DS5, DS10, DS11 and M1, by sector: Finance/Financial Services, Other IT Services, Public Sector, Retail & Manufacturing]
Source: IT Governance Institute

Outcome measures and performance drivers
- Business Goal: Maintain enterprise reputation and leadership. Outcome metric: number of incidents causing public embarrassment
- IT Goal: Ensure IT services can resist and recover from attacks. Outcome metric: number of actual IT incidents with business impact
- Process Goal: Detect and resolve unauthorised access. Outcome metric: number of actual incidents because of unauthorised access
- Activity Goal: Understand security requirements, vulnerabilities and threats. Outcome metric: frequency of review of the type of security events to be monitored
Source: IT Governance Institute

Outcome measures and performance drivers
- Business Goal: Maintain enterprise reputation and leadership. Performance metric: number of actual IT incidents with business impact
- IT Goal: Ensure IT services can resist and recover from attacks. Performance metric: number of actual incidents because of unauthorised access
- Process Goal: Detect and resolve unauthorised access. Performance metric: frequency of review of the type of security events to be monitored
Source: IT Governance Institute

Governance Frameworks

Components of an Enterprise Governance framework, mapped to some frameworks
Source: IT Governance Institute

Review of major standards and frameworks relevant to IT Governance
[Figure: based on the Calder-Moir Framework for IT Governance, with additions: TOGAF, Strategy Maps, Val IT; Val IT, PMBOK]
Source: Calder-Moir Framework for IT Governance (base)

IT Governance aspects addressed by COBIT and Val IT frameworks
[Figure: Business Outcomes (Functionality, Agility, Value) and Governance Drivers (Return, Compliance, Comfort, Risk, Benefits) are addressed by Val IT; IT Goals and IT Processes by COBIT; IT Operations by complementary frameworks (e.g. ITIL, PRINCE2, etc.)]

What framework?

Where Do Frameworks Fit?
- Drivers: Performance (business goals) and Conformance (Basel II, Sarbanes-Oxley Act, etc.)
- Enterprise Governance: Balanced Scorecard, COSO
- IT Governance: COBIT 4.1
- Standards: ISO 9001:2000, ISO 27002, ISO 20000
- Best Practice: ITIL V3
- Processes and Procedures: QA procedures, security principles

COBIT
COBIT = Control OBjectives for Information and Related Technology
- Process-oriented framework for IT Governance
- Focused on business goals and how IT supports their achievement
- A tool for business management, IT management and IT process managers
- First developed in 1992
- Issued by the IT Governance Institute
- Content is managed by the COBIT Steering Committee
- Accepted globally as the de facto control framework for IT Governance
- Documents can be downloaded from isaca.org or ITGI.org

COBIT Framework
Business objectives and governance objectives drive the information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), which are delivered through IT resources (Applications, Information, Infrastructure, People) managed by four process domains:
Plan and Organise:
- PO1 Define a strategic IT plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organisation and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.
Acquire and Implement:
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.
Deliver and Support:
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.
Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure compliance with external requirements.
- ME4 Provide IT governance.

COBIT PC and AC
Process Controls:
- PC1 Process Goals and Objectives
- PC2 Process Ownership
- PC3 Process Responsibility
- PC4 Roles and Responsibilities
- PC5 Policy, Plans and Procedures
- PC6 Process Performance Improvement
Application Controls:
- AC1 Source Data Preparation and Authorization
- AC2 Source Data Collection and Entry
- AC3 Accuracy, Completeness and Authenticity Checks
- AC4 Processing Integrity and Validity
- AC5 Output Review, Reconciliation and Error Handling
- AC6 Transmission Authentication and Integrity

Mapping IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together.

Questions & Answers