IT Governance: framework and case study
Presenter: Yaowaluk Chadbunchachai, Advisory Services, Ernst & Young Corporate Services Limited
Presentation topics
- ERM and IT governance
- IT governance framework
- IT governance assessment
- Case study: implication of IT governance on internal audit

We think IT governance needs to be a shared commitment across the business; it's not something that can be left to the CIO and IT departments. Instead, to be effective, it must be understood and the responsibility shared throughout the business.
ERM and IT governance
ERM and IT governance
IT governance frameworks (confused?): ISO 9000, ISO 38500, CMM, ITIL, SAS 70 / ISAE 3402, ISO 31000, ISO 27001, COSO IC/ERM, OCEG GRC, Balanced Scorecard, COBIT
IT GRC Drivers & Objectives
Most companies have taken a very siloed approach to IT risk management, which creates multiple redundancies and extensive inconsistency in how IT risks are assessed and managed. An effective IT GRC program will aggregate the evaluation of IT risks and controls to create a convergence of IT risk activities, which results in greater consistency and efficiency across the IT GRC program and the company as a whole.

Figure: common current state versus desired future state.
Common current state: external regulators, analysts and investors; board/senior management oversight through separate audit, risk and other committees; executive management; separate internal control, internal audit, risk management, compliance, information technology, legal and regulatory, and external audit functions; each reporting to individual business units.
Desired future state: board oversight (audit committee, compensation committee, risk committees, other committee); CEO, CFO, CRO and General Counsel; internal control, internal audit and external audit operating with an aligned mandate and scope, coordinated infrastructure and people, consistent methods and practices, and common information and technology across the business units.
ERM and IT governance (ERM diagram)
IT governance framework
IT Governance Defined
IT Governance is a set of IT management activities, policies, standards and measures developed to ensure desirable behavior, for the effective, efficient and secure use of technology. (Ernst & Young)

Key IT governance decisions:
- Evaluation of business initiatives and risk
- Prioritization of projects
- Allocation of resources and budgets
- Performance measurements
- Allocation of costs and cost measurement methods
- Tracking and reporting mechanisms
- Assessment of value of an IT investment

IT governance determines:
- Who makes decisions (power)
- How they make them (decision process/rights)
- Why they make them (alignment)

Without proper governance, an organization is at risk of losing its competitive advantage.
Why is IT Governance necessary?
Fundamentally, it enables a stronger competitive position due to improved performance, efficiency and effectiveness at all levels of the organization:
- Ensures enterprise alignment
- Ensures effective IT processes and delivery
- Ensures effective risk management
- Establishes and deploys the right IT resources and capabilities
- Enables continuous performance improvement
- Underpins legal and regulatory compliance
The Enterprise Agenda for IT
How does IT impact your business?
- Value: how does IT create value for the enterprise?
- Cost: how does IT help rationalize the overall costs of the business?
- Risk: how does IT help the business manage its overall risk position?

IT can be a competitive advantage or a corporate hindrance. We believe that for IT to create a positive impact, there are four must-do's for the enterprise relative to IT:
- Align Strategically
- Govern Effectively
- Operate Efficiently
- Measure Performance

Figure: the four must-do's arranged around the objectives Manage Risk, Create Value and Rationalize Cost.
The ITGI Model: Strategic Alignment
Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Figure: IT governance domains (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement).
- Align IT strategy with enterprise strategy
- Ensure IT delivers against the strategy
- Co-responsibility of business and IT
- Direct IT strategy
- Ensure a culture of openness and collaboration among the business, geographical and functional units of the enterprise
The ITGI Model: Value Delivery
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
- Appropriate quality, on time and on budget
- Clarify value, educate, involve stakeholders and manage perceptions
- Formal tracking of business value of IT (business requirements & process change)
- Disciplined approach to project management with a larger role for the business
- Technology standardisation
The ITGI Model: Risk
Risk requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
- Awareness of IT risks based on proactive and continuous assessment
- Transparency to all stakeholders
- Establishing responsibility and embedding risk management into the organisation
- Risk mitigation can generate cost efficiencies
- Information security
The ITGI Model: Resource
Resource is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Inventories of hardware and software
- Practices to train and retain skilled staff
- Clear, consistent and enforced procurement policies
- Standardised and interoperable infrastructure
- Service level management
The ITGI Model: Performance Measurement
Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
- Define and monitor measures
- IT Balanced Scorecard as emerging reporting system
- A management reporting system that feeds back into the strategy
- The most effective means to achieve IT and business alignment
- Enabling effective value measurement (ROI, NPV, ...)
IT governance assessment
Assessing IT Governance (Maturity Model - CobiT 4.1)
0 Non-existent: processes are not applied at all.
1 Initial/Ad hoc: processes are ad hoc and disorganised.
2 Repeatable but intuitive: processes follow a regular pattern.
3 Defined process: processes are documented and communicated.
4 Managed and measurable: processes are monitored and measured.
5 Optimised: best practices are followed and automated.
Assessing IT Governance: Sample Maturity Model for the IT Governance Value Delivery Domain (Maturity Model - CobiT 4.1)
Areas assessed, each rated on the 0-5 scale:
1. IT Direction & Planning
2. Enterprise IT Architecture
3. Value Measurement
4. Project Portfolio Mgt
5. 3rd Party Relationship Mgt

Scale:
0 Non-existent: processes are non-existent
1 Initial/Ad hoc: processes are ad hoc & disorganized
2 Repeatable but intuitive: processes are repeatable but intuitive
3 Defined process: processes are defined, documented & communicated
4 Managed and measurable: processes are managed & measured
5 Optimized: processes are optimized

Legend: Current State, Interim Target State, Target State.
An example is also given in Appendix D (page 48) of the Board Briefing on IT Governance booklet.
Assessing IT Governance
- Maturity model ranking
- Organizational scorecard to ITGI model
- Gap analysis leading to improvement initiatives
- Uses a scale of 0 through 5 to measure the maturity level of the area being assessed
- Do not assume that the desired state is always 5
- Critical to perform analysis over time, especially as the business changes (e.g. mergers, integrations, etc.)
Example: IT Governance Maturity Assessment Components
IT Governance Framework: Program Mission and Framework; Program Oversight; Communication Strategy; Corporate Alignment
Strategic Alignment: Role of IT/Definition of IT Value; Strategic Direction; Business, IT and Operations Alignment; Investment Prioritization and Allocation
Value Delivery: IT Direction and Planning; Enterprise IT Architecture; Value Measurement; Program and Project; Third-Party Relationship
Risk: IT & Business Risk Alignment; Integrated IT Risk Framework; IT Risk Oversight
Resource: IT Resource & Asset; Infrastructure; Technology Lifecycle; Knowledge; Strategic Sourcing
Performance Measurement: Performance Metrics; Performance Monitoring; Quality Improvement; Continuous Process Improvement
(Scope of potential measurement)

Maturity model scale:
0 Processes are non-existent
1 Processes are ad-hoc and disorganized
2 Processes are repeatable but intuitive
3 Processes are defined, documented and intuitive
4 Processes are managed and measured
5 Processes are optimized

Figure: IT Governance Maturity Score Distribution (chart values as extracted): ITG 3.5, SA 2, VD 2.5, RiM 4, ReM 3, PM 1.5.
Example: IT Governance Executive Stakeholder Questionnaire
Degree of agreement (max, average, min) on a 5-point scale: 5 Strongly Agree, 4 Agree, 3 Undecided/Neutral, 2 Disagree, 1 Strongly Disagree.

Strategic Alignment
1. I am informed of the strategy of the business.
2. I understand the technology strategy of the organization.
3. I agree with how projects and initiatives are prioritized.
4. I understand how budgets are agreed upon.
5. Projects are aligned with organizational strategy.
6. Project alignment is periodically reevaluated.
7. IT stakeholders are brought into the project early in the planning phase of the project.

Value Delivery
8. I am realizing the full value of the investment in IT.
9. If and/or when we upgrade software or infrastructure, I believe I have input into the decision.
10. I am aware of the IT charges (and how the IT charges are allocated).
11. The organization formally recognizes and measures the value delivered from a technology-enabled process.
Case study: Implication of IT governance on internal audit
Link risk to IT objectives and processes
Figure: IT objectives and strategies are linked to inherent key IT risks, which are in turn linked to IT processes, in four steps: link objectives to risks; evaluate the significance of the risk to IT objectives; link risks to IT processes; evaluate management and control activities.

IT objectives and strategies:
- IT governance and strategy: guidance and oversight; strategic planning
- IT development and design: deliver superior systems and applications; technology enablement to achieve business objectives
- IT operations: superior service support and delivery; continuity of services; optimize operating efficiency
- Information security and protection: protection of information; effectively manage security risk

Inherent key IT risks: IT process duplication and inefficiencies; emerging technologies; technology direction; system disruptions; contracts/3rd party vendors - outsourcing; records retention; regulatory compliance; people; global sourcing; business continuity; asset and portfolio; IT infrastructure capacity; IT security/privacy; financial reporting

IT processes: infrastructure and asset; change; service level; production support; problem and incident management; project/program management; customer support
IT Audit (or IT Risk) can bring more value to the organization
- Implementing measures for compliance has made organizational change management a key skill of the IT auditor
- The same skills used to facilitate compliance can now be used to facilitate IT effectiveness
- With the focus over the past five years on financial and compliance risk, strategic and operational risk has been largely ignored
- It is critical for organizations to refresh their IT risk universe to include all IT risks
- We are seeing a significant shift in the charter of IT auditors and a renewed focus on assessing and reducing strategic and operational risk
What is the role of your IT Audit function?
- Is IT Audit focused solely on financial and compliance risk?
- What is needed to take IT Audit to the next level?
  - CGEIT certification
  - PMI/CMMI training
  - ITIL training
  - Co-sourcing agreement with knowledge transfer
- How can IT Audit demonstrate more value to the organization?
  - Make sure your IT risk assessment process evaluates the impact of all major IT risks, including operational and strategic risks
  - Measure the before and after impact of initiatives designed to better manage strategic and operational risks
Thank you
Ernst & Young: Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential. For more information, please visit www.ey.com.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

2010 Ernst & Young Corporate Services Limited. All Rights Reserved.