IT Governance Panel: Bring Value by Auditing IT Governance
Get the answers and practical tips from the IT governance audit professionals
Johan Lidros, President, Eminere Group
Kate Mullin, CISO, Health Plan Services & Harrington Health
AHIA 32nd Annual Conference, August 25-28, 2013, Chicago, Illinois
www.ahia.org
Contents
- Introduction
- IT Governance
- Q&A
- References
Objectives
- Discuss the five key components of IT governance
- Understand the key IT governance frameworks and standards
- The value of IT governance: ROI research and case studies
- Audit IT governance and the 10 quick wins in improving IT governance
- Ask your questions, and more...
Auditing and IT Governance
IIA Standard 2011: Governance states that the internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
Healthcare IT Characteristics
- Diversified IT environment
- Medical devices and IT systems coming together
- Meaningful use and HIE are changing the IT environment
- Many regulatory requirements
- Constantly new and changing threats/risks related to the use of technology
- Immature IT/information security
GRC and IT Governance
- G: Governance (corporate governance)
- R: Risk (enterprise risk management)
- C: Compliance
IT governance sits within this GRC context.
Shift the IT Perspective

Area         | From                 | To
-------------|----------------------|-------------------------------
Scope        | Technical problem    | Enterprise problem/opportunity
Ownership    | IT                   | Enterprise
Funding      | Expense              | Investment
Application  | Platform/practice    | Process
Approach     | Ad hoc               | Managed & strategic
Enterprise Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
- Providing strategic direction
- Ensuring that objectives are achieved
- Ascertaining that risks are managed appropriately
- Verifying that the enterprise's resources are used responsibly
Enterprise governance is about:
- Conformance: adhering to legislation, internal policies, audit requirements, etc.
- Performance: improving profitability, efficiency, effectiveness, growth, etc.
What is IT Governance?
IT governance is a subset of enterprise governance. Governance of IT encompasses several initiatives for board members and executive management. They must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance. (IT Governance Institute)
Balance of IT Governance Goals
The board must direct the balance between conformance and performance goals.
IT Governance Areas: Process Maturity Rating
- 0 Non-existent: The process (control/procedures) does not exist.
- 1 Initial/Ad hoc: The process is informal, undocumented and reactive.
- 2 Repeatable: The process is repeatable but may be applied inconsistently as needed.
- 3 Defined: The process is documented and communicated.
- 4 Managed: The process is implemented and measurable.
- 5 Optimizing: Managed process with continuous performance improvements utilizing best practices.
- N/A Not Applicable: The process is not applicable to the review or has not been reviewed for other reasons.
Value of IT Governance
- How the Masters of IT Deliver More Value and Less Risk, IT Policy Compliance Group, December 2010
- How High Performance Organizations Manage IT, IT Policy Compliance Group, April 2011
Value of IT Governance
Mature IT governance has a strong business value that improves the organization's performance. The most mature organizations show:
- 7% higher profit margins than average
- 7-8% higher customer/patient satisfaction and retention than average
- Less than half in regulatory compliance spending
Profile Masters of IT: Practices of Best Performers
- Revenue and profits that are 75 percent higher than industry peers
- Customer retention rates that are 50 percent higher than industry peers
- Spending on IT budgets that is 30 percent higher than industry peers
- Spending on information security that is 37 percent higher than peers
- Business disruptions that are 100 percent lower than industry peers
- Data loss or theft incidents that are 75 percent lower than industry peers
- Audit deficiencies that are 65 percent less than industry peers
Best Performers: Masters of IT
- IT Balanced Scorecards that are linked to business Balanced Scorecards
- Ongoing IT portfolio revision for effective management of asset use, growth strategy, value and risk
- Strategic IT maps that align value and risk between the business of the enterprise and IT
- Standardization on COBIT, ISO and CIS benchmarks to preserve value, manage controls and mitigate risk
Best Performers: Masters of IT (continued)
- Electronic systems of record in IT GRC systems for values, policies, controls, risks, assets and regulatory mandates
- Automation of key procedures to manage value and risk
- Daily, weekly and bi-monthly assessments to manage value and risk
- Dashboards, scorecards and reporting focused on operating units, business units, business functions and regulatory mandates, across silos and people
IT Governance: you cannot manage what you cannot measure.
IT Governance Areas
- Resource management
- Risk management
- Performance measurement
- Accountability
- Roles and responsibilities

Major/Main Responsibilities
- Board: Strategic direction
- CEO: Delivery of strategy
- CIO: Implementation of strategy
Roles/Responsibilities
Accountability: applies to those who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific Risk IT processes.
Responsibility: belongs to those who must ensure that the activities are completed successfully.
Legend of the table:
- When a cell is YELLOW, the role carries responsibility and/or partial accountability for the process.
- When a cell is GREEN, the role carries main accountability for the process. Only one role can be the main accountable for a given process.
Responsibilities & Accountability (Risk IT): Role Definitions, Responsibilities & Accountability
[Table residue: the Risk IT RACI chart maps each role below against the processes of the three domains, Risk Governance (Common Risk View, Integrate with ERM, Risk-Aware Decisions), Risk Evaluation (Collect Data, Analyze Risk, Maintain Risk Profile) and Risk Response (Articulate Risk, Manage Risk, React to Events), with A = Accountable and R = Responsible. The individual cell assignments did not survive extraction; the role definitions follow.]
- Board: The group of the most senior and/or non-executives of the enterprise who are accountable for the governance of the enterprise and have overall control of its resources.
- Chief Executive Officer (CEO): The highest ranking officer who is in charge of the total management of the enterprise.
- Chief Risk Officer (CRO): The individual who oversees all aspects of risk management across the enterprise. An IT risk officer function may be established to oversee IT-related risk.
- Chief Information Officer (CIO): The most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. The CIO typically chairs the governance council that manages the portfolio.
- Chief Financial Officer (CFO): The most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks.
- Enterprise Risk Committee: The group of executives of the enterprise who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management activities and decisions.
- Business Management: Business individuals with roles related to managing one or more programmes.
- Business Process Owner: The individual responsible for identifying process requirements, approving process design and managing process performance. In general, a business process owner must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities.
- Risk Control Functions: The functions in the enterprise responsible for managing specific risk domains (e.g., Chief Information Security Officer, business continuity plan/disaster recovery, supply chain, Project Management Office).
- Human Resources (HR): The most senior official of the enterprise who is accountable for planning and policies with respect to all human resources in the enterprise.
- Compliance and Audit: The functions in the enterprise responsible for compliance and audit.
IT Governance Framework in Place (COBIT 5)
[Figure slide: no text survived extraction.]

IT Governance Control Areas
[Figure slide: no text survived extraction.]
IT Governance Architecture (adapted from ITGI, 2007, p. 12)
[Figure residue; the layers of the diagram, top to bottom:]
- Drivers: Performance (business goals) and Conformance (HIPAA, PCI, etc.)
- Enterprise governance: Balanced Scorecards, COSO
- IT governance: COBIT
- Best practice standards: Risk IT, ITIL, ISO 27000/HITRUST, PMI, CMMI
- Processes and procedures: IT risk management, IT service management, security/risk management principles, project management principles, system development
IT Governance Framework
[Figure residue: the frameworks COSO, COBIT, NIST, ISO 9000 and ITIL are plotted along a "what" to "how" axis against their scope of coverage.]
COBIT 5: Evolution of Scope
[Figure residue: the COBIT releases and the scope each covered.]
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/7): IT Governance
- COBIT 5 (2012): Governance of Enterprise IT
- Also incorporated: Val IT 2.0 (2008) and Risk IT (2009)
A business framework from ISACA, at www.isaca.org/cobit
ISACA 2010 IT Governance Global Study
Well-known frameworks and solutions: selected IT governance frameworks.
COBIT 5
[Figure slide: no text survived extraction.]

COBIT Principles and Enablers: COBIT 5 Enterprise Enablers
[Figure slide: no text survived extraction.]

COBIT Principle 5
[Figure slide: no text survived extraction.]

COBIT 5 Processes
[Figure slide: no text survived extraction.]
COBIT 5 Information Security
Business Model for Information Security (BMIS)
The focus on the information security management system (ISMS) in the Align, Plan and Organize (APO) management domain, APO13 Manage Security, establishes the prominence of information security within the COBIT 5 process framework.
Enterprise Risk Management (Risk IT)
[Figure residue: the Risk IT view of where IT-related risk sits within enterprise risk.]
Enterprise risk: strategic risk, environmental risk, market risk, credit risk, operational risk, compliance risk.
IT-related risk, in three categories:
- IT benefit/value enablement risk: technology enabler for new business initiatives; technology enabler for efficient operations
- IT program and project delivery risk: project relevance; project quality; projects overrun
- IT operations and service delivery risk: IT service interruptions; security issues; compliance issues
Risk to Controls
[Figure slide: no text survived extraction.]
References
- ISACA: COBIT
- ISACA: Risk IT
- IT Governance Institute
- IIA GTAG 7: IT Governance
- IT Policy Compliance Group (www.itpolicycompliance.com)
- HIMSS: IT Governance in Healthcare & Hospitals
Questions & Answers
Save the Date: September 21-24, 2014, 33rd Annual Conference, Austin, Texas