The document provides information about an upcoming training on IT Governance to be delivered by Goutama Bachtiar. It includes details about the trainer's background and experience in IT advisory, consulting, auditing, and education. The training objectives are to address key knowledge areas related to IT Governance domains such as framework, strategy alignment, value delivery, risk management, and performance measurement. The targeted participants are corporate and IT management, IT auditors, and senior IT management. The training agenda covers various topics around governance vs management, frameworks, strategy, value, risk, performance and more. It also discusses the ISACA CGEIT certification domains that the training maps to.
2. Allow Me to Introduce Myself
February 2013
Developed by @goudotmobi
2
3. Trainer Profile
• 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
• VP - Head of Information Technology at Roligio Group
• Advisor at Global Innovations and Technology Platform
• Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
• Program Evaluator at Project Management Institute
• Microsoft Faculty Fellow
• Columnist and contributor at ZDNet Asia, e27.co, Forbes Indonesia, DetikINET and InfoKomputer among others
5. Background and Objectives
BACKGROUND
• IT Governance is to a country’s constitution what management is to the country’s laws
• Corporate Governance, IT Governance, and IT Security Governance are responsibilities of Board or Senior Management
• The significance of IT governance can be judged from the fact that ISACA has introduced a new certification, Certified in the Governance of Enterprise IT (CGEIT), effective since December, 2008, just on the respective subject
• Topics covered will map directly to ISACA’s job practice areas (domains)
OBJECTIVES
• The training will address key knowledge areas related to IT Governance domains: IT Governance Framework, IT/Business Strategy Alignment, IT Value Delivery, Risk Management, Resource Management and Performance Measurement
• Differentiate between IT Governance and IT Management, and help set up an IT Governance Framework including IT alignment, Value delivery, Risk Management, Performance Management, and Resource Utilization
6. Targeted Participants
• Corporate and IT management interested in learning the “what” and “how to” on IT Governance
• IT auditors and Management Consultants who’d like to learn how to audit IT Governance, and provide governance-related services to Senior Client Management
• Senior IT management responsible for understanding theory and implementation of IT Governance, Value Delivery, IT Risk Management, Information Security, and Balanced Score Card (BSC) Implementation
7. Training Agenda
• Governance vs Management
• IT Governance Framework
• IT Alignment with Business Requirements
• IT Value Delivery
• IT Risk Management
• IT Performance Measurement
• IT Balanced Score Card
8. Training Agenda (cont’d)
• IT Resource Management
• Board’s Oversight Committees
• IT Strategy Committee
• IT Steering Committee
• Board’s Business Continuity Oversight
• Auditing IT Governance
• Maturity of IT Governance With CMM Scale
9. ISACA Certification
CGEIT constitutes:
1. IT Governance Framework (25%)
2. Strategic Alignment (15%)
3. Value Delivery (15%)
4. Risk Management (20%)
5. Resource Management (13%)
6. Performance Measurement (12%)
11. Common Issues
• Disconnect between IT & everyone else
• IT is overwhelmed
• Projects are delayed; not as successful
• Customer dissatisfaction & “I’ll do it myself” mentality
• Multiple systems exist for similar needs
• IT lacks direction
12. Common Issues (cont’d)
• No one person is accountable for IT
• Technology does not make things better
• Security concerns
• Data in multiple places/hard to pull together
• Projects not delivered or not done well
13. Solution
• Well-defined decision making process
• Forward thinking IT leadership
• High-performing IT management team
• Easily understood Architecture & Standards
• Project Evaluation & Prioritization
• Best Practice Project Management approach
14. Understanding IT Governance
• Comprises the body of issues addressed in considering how IT is applied within the enterprise.
• Effective enterprise governance focuses on:
– Individual and group expertise
– Experience in specific areas
• Key element: alignment of business and IT
15. What is IT Governance?
• Structure to help align IT strategy with business strategy
• According to ITGI, there are 5 areas of focus:
– Strategic alignment
– Value delivery
– Resource management
– Risk management
– Performance measures
16. IT Governance Definition
“The responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives”
17. Three Pillars of IT Governance
Figure (three pillars of IT Governance): IT Infrastructure Management, IT Use/Demand Management and IT Project Management.
19. IT Governance Institute
• IT Governance Institute (www.itgi.org) is a non-profit, independent research entity that provides guidance for the global business community on issues related to governance of IT assets
• Established by ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly allocated, and IT performance is measured
• ITGI developed Control Objectives for Information and related Technology (COBIT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and help IT professionals deliver value-adding services
20. Why is IT Governance important?
• Compliance with regulations
• Competitive advantage
• Support of enterprise goals
• Growth and innovation
• Increase in intangible assets
• Reduction of risk
21. Why is IT Governance important? (cont’d)
22. Who is involved?
• Team leaders
• Managers
• Executives
• Board of Directors
• Stakeholders
23. Governance and Management
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
24. Corporate Governance of IT
ISO/IEC 38500:2008 Corporate governance of IT
Scope
• Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of IT within their organizations
• Applies to the governance of management processes (and decisions) relating to the ICT services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization
25. Corporate Governance of IT (cont.)
ISO/IEC 38500: 2008
Corporate Governance of IT
2.1 Principles
Principle 1: Responsibility
Principle 2: Strategy
Principle 3: Acquisition
Principle 4: Performance
Principle 5: Conformance
Principle 6: Human Behavior
27. Approaches Currently In Use
• Business As Usual - “Firefighting”
• Legislation - “Forced”
• Best Practice Focused
28. Commencing Best Practices
Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc..
Process Frameworks
• ITIL®
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc..
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
29. ITIL® v2 to v3
Figure (ITIL v2 publication structure, recovered from scattered labels): Introduction to ITIL; Planning To Implement Service Management; The Business Perspective; Service Management (Service Support, Service Delivery); ICT Infrastructure Management; Application Management; Security Management; Small-Scale Implementation; Software Asset Management. The rotated axis labels read “The Business” and “Technology”.
30. ITIL® v2 Service Support Model
Figure (ITIL® v2 Service Support model, recovered from scattered labels):
• The Business, Customers or Users exchange with the Service Desk: incidents, queries, enquiries, changes, difficulties, communications, updates, work-arounds, customer survey reports
• Monitoring tools: incidents
• Incident Management: service reports, incident statistics, audit reports
• Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
• Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports
• Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports
• Configuration Management (CMDB): CMDB reports, CMDB statistics, policy standards, audit reports
The labels between the processes show the chain of hand-offs: incidents to Problem Management, problems and known errors to Change Management, changes to Release Management, and releases, CIs and relationships into the CMDB.
31. ITIL® V2 Service Delivery Model
Figure (ITIL® V2 Service Delivery model, recovered from scattered labels):
• Business, Customers and Users exchange with the processes: communications, queries, enquiries, updates, reports, requirements, targets, achievements
• Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
• Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
• Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
• Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
• IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centres, DR contracts, reports, audit reports
• Management tools: alerts and exceptions; changes
32. IT Governance and ITIL®version 3
33. IT Governance and COBIT
Why Get Into Governance?
• “Due diligence”
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks
34. IT Governance and COBIT
“Due diligence”
• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and customer information
• Service levels
Enterprises should be equally inquisitive about themselves.
35. IT Governance and COBIT
IT Is Critical to Most Businesses
This criticality arises from:
• The increasing dependence on information and the systems and communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• IT failures increasingly impacting reputation and enterprise value
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• The risks of doing business in an interconnected world
• The need to build and maintain knowledge essential to sustain and grow the business
36. IT Governance and COBIT
Why Has IT Not Gotten the Attention It Merits?
• IT requires more technical insight than do other disciplines to understand how IT
– Enables the enterprise
– Creates risks
– Gives rise to opportunities
• IT has traditionally been treated as an entity separate to the business
• IT is complex, and even more so in the extended enterprise operating in a networked economy
37. IT Governance and COBIT
October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.
1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
August 1997: UK investment managers, Save & Prosper, abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.
38. IT Governance and COBIT
What Should Boards Do About It?
• Be driven by stakeholder value
• Adopt an IT governance framework
• Ask the right questions
• Focus on IT’s
– Alignment with the business
– Value delivery
– Risk management
– Measure result
Figure: stakeholder value drivers feed IT strategic alignment, IT value delivery, risk management and performance measurement.
39. IT Governance and COBIT
What Should Management Do About It?
• Align IT strategy with business goals
• Cascade strategy and goals down into the organisation
• Set up organisational structures that facilitate strategy implementation
• Adopt a control and governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organisation
• Focus on important IT processes and core IT competencies
• Measure performance (balanced business scorecard)
40. IT Governance and COBIT
COBIT: An IT Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high level control objective for each
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives
The four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
The seven information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
41. IT Governance and COBIT
IT Governance Defined (1)
Several definitions with common elements:
• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future
• Is an integral part of a global governance structure
42. IT Governance and COBIT
IT Governance Defined (2)
IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
43. IT Governance and COBIT
IT Governance Framework
Figure (IT governance cycle):
1. Set measurable goals
2. Deliver results
3. Measure performance
4. Compare against the goals
5. Act if not aligned
44. IT Governance and COBIT
IT Governance Framework
Figure (framework cycle): Set Objectives, Provide Direction, IT Activities, Measure Performance, Compare, and back to Set Objectives.
Set Objectives
– IT is aligned with the business
– IT enables the business and maximises benefits
– IT resources are used responsibly
– IT-related risks are managed appropriately
IT Activities
– Increase automation (make the business effective)
– Decrease cost (make the enterprise efficient)
– Manage risks (security, reliability and compliance)
45. Enterprise Governance
• Responsibilities and practices exercised by the board and executive management with goals of:
– Provide strategic direction
– Ensure achieved objectives
– Appropriately managed risk
– Responsible resource use
46. Enterprise Governance Objective
A Balance of
• Performance: by improving profit, efficiency, effectiveness, growth, etc
• Conformance: adhere to legislation, internal policies, audit requirements, etc
Both Enterprise governance and IT governance require a balance between performance and conformance goals as directed by the board
47. Enterprise vs IT Governance
• Enterprise
Responsibilities and practices exercised by the board and exec management with goals of:
– Provide strategic direction
– Ensure achieved objectives
– Appropriately managed risk
– Responsible resource use
• IT
Part of enterprise governance, consisting of leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and furthers the enterprise strategies and objectives
50. Governance, Stakeholders, Interests
• IT Governance is part of Enterprise Governance
• Governance Focus Areas
– Strategic Alignment
– Value Delivery
– Risk Management
– Resource Management
– Performance Measurement
• Governance objective is balance of
– Performance – Value Delivery
– Conformance – Risk Management
51. Governance, Stakeholders, Interests (cont’d)
Governance Stakeholders include
– Board & Executives
– Business & IT Management
– Risk and Compliance & IT Audit
Stakeholders
– Have Governance Role & Responsibilities
– Expect Inputs and Deliver Outputs to Governance Process
52. IT Governance Framework (ITGI)
Figure (ITGI framework cycle): Set Objectives, Provide Direction, IT Activities, Measure Performance, Compare, and back to Set Objectives.
Set Objectives
– IT is aligned with the business
– IT enables the business and maximizes benefits
– IT resources are used responsibly
– IT-related risks managed appropriately
IT Activities
– Increase automation (make the business effective)
– Decrease cost (make enterprise efficient)
– Manage risks (security, reliability and compliance)
57. Content Overview
• For Framework
– Process Controls
– Application Controls
– Maturity Attributes
• For each Process
– Description, linkage to business goal, …
– Detailed Control Objectives
– Management Guidelines: Process Inputs and Outputs, Process Activities and RACI, Measurements
– Maturity Model
58. Val IT V.2.0 – Value Management
59. Val IT
• Val IT supports the enterprise goal of
– creating optimal value from IT enabled investments at an affordable cost, with an acceptable level of risk
• and is guided by
– a set of principles applied in value management processes
• that are enabled by
– key management practices
• and are measured by
– performance against goals and metrics
60. Val IT Key Definitions
• Project—A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed upon schedule and budget
• Program—A structured grouping of inter-dependent projects that are both necessary and sufficient to achieve a desired business outcome and create value. These projects could involve, but are not limited to, changes in the nature of the business, business processes, the work performed by people, as well as the competencies required to carry out the work, enabling technology and organizational structure. The investment program is the primary unit of investment within Val IT
• Portfolio—Groupings of ‘objects of interest’ (investment program, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. The investment portfolio is of primary interest to Val IT
• IT service, project, asset or other resource portfolios are of primary interest to COBIT
62. Value Governance
The goal of VG is to ensure that value management practices are embedded in the enterprise, enabling it to secure optimal value from its IT‐enabled investments throughout the full economic life cycle.
An executive commitment to value governance helps enterprises:
– Establish the governance framework for value management in a manner that is fully integrated with overall enterprise governance
– Provide strategic direction for the investment decisions
– Define the characteristics of portfolios required to support new investments and resulting IT services, assets and other resources
– Improve value management on a continual basis, based on lessons learned
63. Value Governance Process
• VG1: Establish informed and committed leadership
• VG2: Define and implement processes
• VG3: Define portfolio characteristics
• VG4: Align and integrate value management with enterprise financial planning
• VG5: Establish effective governance monitoring
• VG6: Continuously improve value management practices
64. Portfolio Management
• The goal of portfolio management (PM) is to ensure that an enterprise secures optimal value across its portfolio of IT‐enabled investments
• An executive commitment to portfolio management helps enterprises:
– Establish and manage resource profiles
– Define investment thresholds
– Evaluate, prioritize, and select, defer, or reject new investments
– Manage and optimize the overall investment portfolio
– Monitor and report on portfolio performance
65. Portfolio Management Process
• PM1 Establish strategic direction and target investment mix
• PM2 Determine the availability and sources of funds
• PM3 Manage the availability of human resources
• PM4 Evaluate and select program to fund
• PM5 Monitor and report on investment portfolio performance
• PM6 Optimize investment portfolio performance
66. Investment Management
The goal of investment management (IM) is to ensure that the enterprise’s individual IT-enabled investments contribute to optimal value. When organizational leaders commit to investment management they improve their ability to:
– Identify business requirements
– Develop a clear understanding of candidate investment program
– Analyze alternative approaches to implementing the program
– Define each program and document, and maintain a detailed business case for it, including benefits’ details, throughout full economic life cycle of investment
– Assign clear accountability and ownership (for benefits realization)
– Manage each program through its full economic life cycle, including retirement
– Monitor and report on each program’s
67. Investment Management Process
• IM1 Develop and evaluate the initial program concept business case
• IM2 Understand the candidate program and implementation options
• IM3 Develop the program plan
• IM4 Develop full life‐cycle costs and benefits
• IM5 Develop the detailed candidate program business case
• IM6 Launch and manage the program
• IM7 Update operational IT portfolios
• IM8 Update the business case
• IM9 Monitor and report on the program
• IM10 Retire the program
70. Risk IT Principles
• The Risk IT framework principles are
• Effective enterprise governance of IT risk:
– Always connects to business objectives
– Aligns the management of IT‐related business risk with overall enterprise risk management
– Balances the costs and benefits of managing risk
• Effective management of IT risk:
– Promotes fair and open communication of IT risk
– Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well‐defined tolerance levels
– Is a continuous process and part of daily activities
71. Risk IT Building Blocks
Key building blocks of good IT risk management:
• Set responsibility for IT risk management
• Set objectives and define risk appetite and tolerance
• Identify, analyze and describe risk
• Monitor risk exposure
• Treat IT risk
• Link with existing guidance to manage risk
72. Risk Assessment
IT Risk Assessment Frameworks (figure):
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
73. IT Risk ASSESSMENT
• Definition of risk assessment
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
74. IT Risk ASSESSMENT
Components of risk assessment
• Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
• Impact on assets based on threats and vulnerabilities
• Probabilities of threats (combination of the likelihood and frequency of occurrence)
75. ISACA Risk IT
Risk IT: A Balance is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all enterprises.
BUT
Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
76. Risk IT Extends Val IT and COBIT
Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
77. IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
78. Guiding Principles of Risk IT
Always connect to enterprise objectives.
Align the management of IT-related business risk
with overall enterprise risk management.
Balance the costs and benefits of managing risk.
Promote fair and open communication of IT risk.
79. Guiding Principles of Risk IT
Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
Understand that this is a continuous process and an important part of daily activities.
80. Key Risk IT Content: The “What”
• Key content of the Risk IT framework includes:
• Risk management essentials
– In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
– In Risk Evaluation: Describing business impact and risk scenarios
– In Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation
• Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
81. Key Risk IT Content: The “What”
• Process model sections that contain:
– Descriptions
– Input-output tables
– RACI (Responsible, Accountable, Consulted, Informed) table
– Goals and Metrics Table
• Maturity model is provided for each domain
• Appendices
– Reference materials
– High-level comparison of Risk IT to other risk management frameworks and standards
– Glossary
82. Risk IT Three Domains
83. Risk IT: The “How”
• Key contents of The Risk IT Practitioner Guide:
– Review of the Risk IT process model
– Risk IT to COBIT and Val IT
– How to use it:
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: “swim lane” flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT
– Mappings: Risk IT to other risk management standards and frameworks
– Glossary
84. Risk/Response Definition
The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis.
In other words, a response needs to be defined such that future residual risk (= current risk with the risk response defined and implemented) is as much as possible (usually depending on budgets available) within risk tolerance limits.
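The risk definition on the IT Risk Assessment slide (severity proportional to the business value of the loss and to the estimated threat frequency) and the risk response definition above (residual risk brought within tolerance as far as the budget allows) can be exercised on a small risk register. The following is an added example and not part of the training material; every asset, threat, figure and response in it is constructed, and the value x exposure factor x frequency scoring is a common annualised-loss approximation rather than a formula taken from Risk IT.

```python
"""Added example (not part of the training slides): a small IT risk register.

Risk is scored as the business value of the loss times the estimated
threat frequency, as the 'IT Risk Assessment' slide defines it, and risk
responses are then chosen so that residual risk lands within a tolerance
limit as far as the budget allows, as the 'Risk/Response Definition'
slide describes. Every asset, threat, figure and response below is
constructed for illustration; the value x exposure factor x frequency
model is a common annualised-loss approximation, not a Risk IT formula.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """A candidate treatment: it costs money and scales frequency and/or impact."""
    name: str
    cost: float
    frequency_factor: float = 1.0  # multiplier on threat frequency (0.2 = 80% fewer events)
    exposure_factor: float = 1.0   # multiplier on the share of value lost per event


@dataclass
class Risk:
    """One register row: a threat exploiting a vulnerability of an asset."""
    name: str
    asset_value: float      # business value of the asset
    exposure_factor: float  # fraction of that value lost when the threat succeeds (0..1)
    frequency: float        # estimated occurrences per year
    responses: list = field(default_factory=list)


def annual_loss(risk: Risk, freq_mult: float = 1.0, exp_mult: float = 1.0) -> float:
    """Expected yearly loss: impact (value x exposure) times threat frequency."""
    return risk.asset_value * risk.exposure_factor * exp_mult * risk.frequency * freq_mult


def plan_responses(risks, tolerance: float, budget: float):
    """Pick, for each risk above tolerance, the cheapest single response that
    brings residual risk within tolerance, spending the budget on the largest
    exposures first. Risks that cannot be treated within the remaining budget
    are reported as still outside tolerance rather than silently accepted."""
    remaining = budget
    report = []
    for risk in sorted(risks, key=annual_loss, reverse=True):
        inherent = annual_loss(risk)
        chosen, residual = None, inherent
        if inherent > tolerance:
            options = [
                (r.cost, annual_loss(risk, r.frequency_factor, r.exposure_factor), r)
                for r in risk.responses
                if annual_loss(risk, r.frequency_factor, r.exposure_factor) <= tolerance
                and r.cost <= remaining
            ]
            if options:
                cost, residual, chosen = min(options, key=lambda o: o[0])
                remaining -= cost
        report.append({
            "name": risk.name,
            "inherent": inherent,
            "residual": residual,
            "response": chosen.name if chosen else None,
            "within_tolerance": residual <= tolerance,
        })
    return report


def build_sample_register():
    """Constructed sample data: hypothetical assets, threats and figures."""
    return [
        Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.4, frequency=0.5,
             responses=[Response("Offline backups and restore drills", cost=30_000, exposure_factor=0.1),
                        Response("EDR rollout and patch SLA", cost=60_000, frequency_factor=0.2)]),
        Risk("Payroll data leak via misconfigured share", asset_value=200_000, exposure_factor=0.5,
             frequency=0.2,
             responses=[Response("Access review and DLP", cost=15_000, frequency_factor=0.1)]),
        Risk("Legacy ERP outage", asset_value=1_000_000, exposure_factor=0.05, frequency=1.5,
             responses=[Response("Clustering and vendor support", cost=120_000, frequency_factor=0.25)]),
    ]


if __name__ == "__main__":
    for row in plan_responses(build_sample_register(), tolerance=25_000, budget=100_000):
        flag = "ok" if row["within_tolerance"] else "ABOVE TOLERANCE"
        print(f'{row["name"]}: inherent {row["inherent"]:,.0f}, residual {row["residual"]:,.0f}, '
              f'response {row["response"] or "none"} [{flag}]')
```

With a tolerance of 25,000 and a budget of 100,000, the ransomware risk is treated with the cheaper of its two adequate responses, the payroll risk is already within tolerance and gets no spend, and the ERP outage is left flagged because its only adequate response no longer fits the remaining budget; that last row is the "usually depending on budgets available" caveat made visible to the governance body rather than hidden in an average.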
85. Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalise on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organisation
• Complete risk profile to better understand risk
86. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 based on BS7799 by British Standards Institution
• Adopts “plan-do-check-act” process model
• Information Security Management System (ISMS) standard (ISO/IEC 27001)
• Formal specification mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit and certification to explicit standard
• Risk management based on ISO/IEC 27000 standards
87. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process from analysing risks to creating the risk treatment plan
88. CRAMM Information security risk toolkit
• Provides staged and disciplined approach towards IT risk assessment
Source: http://www.cramm.com/overview/howitworks.htm
89. CRAMM Information security risk toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
90. CERT OCTAVE
Operationally Critical Threat, Asset, and
Vulnerability Evaluation Framework by
Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities, outputs
• Phase 1: Build asset-based threat profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop security strategy and plans
Self-directed information security risk
evaluation
Analysis team includes people from business
units and IT department
93. Regulatory requirements
Steps to determine compliance with external requirements:
• Identify external requirements
– Establishment and organization
– Responsibilities
– Correlation to financial, operational and IT audit functions
• Document pertinent laws and regulations
– Banking Act
– Insurance Act
– Circulars by Regulator
– Government Instruction Manual or Circular
– Statutory Act
94. Val IT Principles
• IT enabled investments will:
– Be managed as a portfolio of investments
– Include the full scope of activities required to achieve business value
– Be managed through their full economic life cycle
• Value delivery practices will:
– Recognize that there are different categories of investments that will be
evaluated and managed differently
– Define and monitor key metrics and will respond quickly to any changes
or deviations
– Engage all stakeholders and assign appropriate accountability to the
delivery of capabilities and the realization of business benefits
– Be continually monitored, evaluated and improved
95. The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create
optimal value from IT by maintaining a balance
between realising benefits and optimising risk levels
and resource use.
• COBIT 5 enables information and related technology
to be governed and managed in a holistic manner for
the entire enterprise, taking in the full end-to-end
business and functional areas of responsibility,
considering the IT-related interests of internal and
external stakeholders.
• The COBIT 5 principles and enablers are generic
and useful for enterprises of all sizes, whether
commercial, not-for-profit or in the public sector.
99. COBIT 5 Framework
The main, overarching COBIT 5 product
Contains the executive summary and the full
description of all of the COBIT 5 framework
components:
The five COBIT 5 principles
The seven COBIT 5 enablers plus
An introduction to the implementation guidance provided by
ISACA (COBIT 5 Implementation)
An introduction to the COBIT Assessment Programme (not
specific to COBIT 5) and the process capability approach
being adopted by ISACA for COBIT
101. Five COBIT 5 Principles
The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
103. Meeting Stakeholder Needs
(cont.)
Principle 1. Meeting Stakeholder Needs:
Enterprises have many stakeholders, and ‘creating value’
means different—and sometimes conflicting—things to
each of them.
Governance is about negotiating and deciding amongst
different stakeholders’ value interests.
The governance system should consider all stakeholders
when making benefit, resource and risk assessment
decisions.
For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?
105. Meeting Stakeholder Needs
(cont.)
Principle 1. Meeting Stakeholder Needs:
Benefits of the COBIT 5 goals cascade:
It allows the definition of priorities for implementation,
improvement and assurance of enterprise governance of IT
based on (strategic) objectives of the enterprise and the
related risk.
In practice, the goals cascade:
Defines relevant and tangible goals and objectives at
various levels of responsibility.
Filters the knowledge base of COBIT 5, based on
enterprise goals to extract relevant guidance for inclusion
in specific implementation, improvement or assurance
projects.
Clearly identifies and communicates how (sometimes very
operational) enablers are important to achieve enterprise
goals.
106. Covering the Enterprise End-to-end
Principle 2. Covering the Enterprise End-to-end:
COBIT 5 addresses the governance and management of
information and related technology from an enterprisewide,
end-to-end perspective.
This means that COBIT 5:
Integrates governance of enterprise IT into enterprise
governance, i.e., the governance system for enterprise IT
proposed by COBIT 5 integrates seamlessly in any
governance system because COBIT 5 aligns with the
latest views on governance.
Covers all functions and processes within the enterprise;
COBIT 5 does not focus only on the ‘IT function’, but
treats information and related technologies as assets that
need to be dealt with just like any other asset by everyone
in the enterprise.
108. Applying a Single Integrated Framework
Principle 3. Applying a Single Integrated Framework:
COBIT 5 aligns with the latest relevant other standards and
frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000,
ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series,
TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the
overarching governance and management framework
integrator.
ISACA plans a capability to facilitate COBIT user mapping
of practices and activities to third-party references.
109. Enabling a Holistic Approach
Principle 4. Enabling a Holistic Approach
COBIT 5 enablers are:
• Factors that, individually and collectively,
influence whether something will work—in the
case of COBIT, governance and management
over enterprise IT
• Driven by the goals cascade, i.e., higher-level
IT-related goals define what the different
enablers should achieve
• Described by the COBIT 5 framework in seven
categories
111. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
1. Processes—Describe an organised set of practices and activities to achieve
certain objectives and produce a set of outputs in support of achieving overall
IT-related goals
2. Organisational structures—Are the key decision-making entities in an
organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very
often underestimated as a success factor in governance and management
activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired
behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all
information produced and used by the enterprise. Information is required for
keeping the organisation running and well governed, but at the operational level,
information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure,
technology and applications that provide the enterprise with information
technology processing and services
7. People, skills and competencies—Are linked to people and are required for
successful completion of all activities and for making correct decisions and
taking corrective actions
112. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
Systemic governance and management through
interconnected enablers—To achieve the main objectives
of the enterprise, it must always consider an
interconnected set of enablers, i.e., each enabler:
Needs the input of other enablers to be fully effective, e.g., processes
need information, organisational structures need skills and behaviour
Delivers output to the benefit of other enablers, e.g., processes deliver
information, skills and behaviour make processes efficient
This is a KEY principle emerging from the ISACA
development work around the Business Model for
Information Security (BMIS).
114. Separating Governance From Management
Principle 5. Separating Governance From Management:
The COBIT 5 framework makes a clear distinction
between governance and management.
These two disciplines:
Encompass different types of activities
Require different organisational structures
Serve different purposes
Governance—In most enterprises, governance is the
responsibility of the board of directors under the
leadership of the chairperson.
Management—In most enterprises, management is the
responsibility of the executive management under the
leadership of the CEO.
115. Separating Governance From Management (cont.)
Principle 5. Separating Governance From
Management:
• Governance ensures that stakeholders’ needs, conditions
and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting
direction through prioritisation and decision making;
and monitoring performance and compliance against
agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors
activities in alignment with the direction set by the
governance body to achieve the enterprise objectives
(PBRM).
117. Separating Governance From Management (cont.)
Principle 5. Separating Governance from
Management:
The COBIT 5 framework describes seven categories of
enablers (Principle 4). Processes are one category.
An enterprise can organise its processes as it sees fit,
as long as all necessary governance and management
objectives are covered. Smaller enterprises may have
fewer processes; larger and more complex enterprises
may have many processes, all to cover the same
objectives.
COBIT 5 includes a process reference model (PRM),
which defines and describes in detail a number of
governance and management processes. The details of
this specific enabler model can be found in the COBIT
5: Enabling Processes volume.
118. COBIT 5: Enabling Processes
COBIT 5: Enabling Processes complements
COBIT 5 and contains a detailed reference guide
to the processes that are defined in the COBIT 5
process reference model:
In Chapter 2, the COBIT 5 goals cascade is recapitulated
and complemented with a set of example metrics for the
enterprise goals and the IT-related goals.
In Chapter 3, the COBIT 5 process model is explained and
its components defined.
Chapter 4 shows the diagram of this process reference
model.
Chapter 5 contains the detailed process information for all
37 COBIT 5 processes in the process reference model.
121. COBIT 5: Enabling Processes (Cont.)
COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two
main areas—governance and management—with
management further divided into domains of processes:
• The GOVERNANCE domain contains five
governance processes; within each process, evaluate,
direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with
the responsibility areas of plan, build, run and monitor
(PBRM).
122. COBIT 5 Implementation
• The improvement of the governance of enterprise IT
(GEIT) is widely recognised by top management as an
essential part of enterprise governance.
• Information and the pervasiveness of information
technology are increasingly part of every aspect of
business and public life.
• The need to drive more value from IT investments and
manage an increasing array of IT-related risk has never
been greater.
• Increasing regulation and legislation over business use of
information is also driving heightened awareness of the
importance of a well-governed and managed IT
environment.
123. COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers
• Indeed, implementing good GEIT is almost impossible
without engaging an effective governance framework
• Best practices and standards are also available to underpin
COBIT 5
• Frameworks, best practices and standards are useful only
if they are adopted and adapted effectively
• There are challenges that need to be overcome and issues
that need to be addressed if GEIT is to be implemented
successfully
124. COBIT 5 Implementation (cont.)
• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural
change
• Implementing continual improvement that includes
change enablement and programme management
• Using COBIT 5 and its components
128. COBIT 5 Future Supporting Products
Future supporting products:
• Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
• Enabler Guides:
• COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
• Process Assessment Model (PAM): Using COBIT 5
• Assessor Guide: Using COBIT 5
• Self-assessment Guide: Using COBIT 5
129. Governance (and Management) in COBIT 5
• Governance ensures that enterprise objectives are
achieved by evaluating stakeholder needs, conditions and
options; setting direction through prioritisation and
decision making; and monitoring performance, compliance
and progress against agreed direction and objectives
(EDM).
• Management plans, builds, runs and monitors activities in
alignment with the direction set by the governance body to
achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in
practice requires appropriately using all enablers. The
COBIT process reference model allows us to focus easily on
the relevant enterprise activities.
130. Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main
areas—governance and management—with management
further divided into domains of processes
• The GOVERNANCE domain contains five governance
processes; within each process, evaluate, direct and monitor
(EDM) practices are defined.
– EDM01 Ensure governance framework setting and maintenance.
– EDM02 Ensure benefits delivery.
– EDM03 Ensure risk optimization.
– EDM04 Ensure resource optimization.
– EDM05 Ensure stakeholder transparency.
• The four MANAGEMENT domains are in line with the
responsibility areas of plan, build, run and monitor (PBRM).
132. Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance
processes, one of which focuses on stakeholder risk-related
objectives: EDM03 Ensure risk optimisation.
• Process Description
• Ensure that the enterprise’s risk appetite and tolerance
are understood, articulated and communicated, and
that risk to enterprise value related to the use of IT is
identified and managed.
• Process Purpose Statement
• Ensure that IT-related enterprise risk does not exceed
risk appetite and risk tolerance, the impact of IT risk to
enterprise value is identified and managed, and the
potential for compliance failures is minimised.
133. Risk Management in COBIT 5 (cont.)
• The MANAGEMENT Align, Plan and Organise domain
contains a risk-related process: APO12 Manage risk.
• Process Description
• Continually identify, assess and reduce IT-related risk
within levels of tolerance set by enterprise executive
management.
• Process Purpose Statement
• Integrate the management of IT-related enterprise
risk with overall ERM, and balance the costs and
benefits of managing IT-related enterprise risk.
135. Risk Management in COBIT 5 (cont.)
• All enterprise activities have associated risk exposures
resulting from environmental threats that exploit enabler
vulnerabilities
• EDM03 Ensure risk optimisation ensures that the
enterprise stakeholders approach to risk is articulated to
direct how risks facing the enterprise will be treated.
• APO12 Manage risk provides the enterprise risk
management (ERM) arrangements that ensure that the
stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that
are designed to treat related risk (avoid,
reduce/mitigate/control, share/transfer/accept).
137. Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain
contains a compliance focused process: MEA03 Monitor,
evaluate and assess compliance with external
requirements.
• Process Description
• Evaluate that IT processes and IT-supported business
processes are compliant with laws, regulations and
contractual requirements. Obtain assurance that the
requirements have been identified and complied with, and
integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement
• Ensure that the enterprise is compliant with all applicable
external requirements.
139. Compliance in COBIT 5 (cont.)
• Legal and regulatory compliance is a key part of the
effective governance of an enterprise, hence its inclusion
in the GRC term and in the COBIT 5 Enterprise Goals and
supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include
control activities that are designed to ensure compliance
not only with externally imposed legislative or regulatory
requirements but also with enterprise governance-determined principles, policies and procedures.
142. Aligning IT and Business Strategy
• Corporate Mission – Business Goals – IT
Strategy
• Requires involvement from many levels and
activities within the enterprise.
• Lack of alignment leads to adverse business
issues.
• Strong IT Governance contributes toward
proper alignment.
144. Ensuring Value and Effectiveness
• IT issues are the least understood, despite
increasing reliance placed on IT.
• Initiate IT governance structures with the right
level of executive involvement.
• Boards of directors require essential IT-related
skills.
145. Information Systems Governance
• Consists of leadership, organizational
structures and processes that safeguard
information.
• Security over information assets.
• Benefits of IS Governance.
• IS is a top-down process.
146. Measuring IT Governance
Performance
• Measuring IT performance is a key concern as it
demonstrates the effectiveness and added
business value of IT.
• Commonly seen as the IT “Black Hole” – costs
continually rise without clear evidence of value
derived from the IT function.
• Traditional performance measurement methods
require monetary values which are hard to apply
to IT systems.
148. IT Balanced Scorecard
• One of the most effective means to aid an
organization in achieving IT and business alignment.
• Provides a systematic translation of the IT strategy
into tangible success factors and metrics.
• Gives a balanced view of the value added by IT to the
business.
• Calculating the value of IT investments is a business
issue for which business managers are ultimately
responsible.
149. ISACA Global Status Report 2K8 (cont’d)
Research purposes
Reach members of the C-Suite to determine their sense of priority
and actions taken relative to IT governance
Understand their need for tools and services to help ensure effective
IT governance
Detailed objectives
Survey and analyze the degree to which the concept of IT
governance is recognized, established and accepted within
boardrooms and especially by chief information officers (CIOs)
Determine what level of IT governance expertise exists and which
frameworks are known and are (or will be) adopted
Measure the extent to which ITGI’s own framework, Control
Objectives for Information and related Technology (COBIT), is
selected and how it is perceived
150. ISACA Global Status Report 2K8 (cont’d)
Revealed Results
Insufficient IT staff availability, service delivery issues and difficulty
proving the value of information technology continue to concern
executives at organizations around the world
58% noted an insufficient number of staff, compared to 35%
in 2005
48% said that IT service delivery problems remain the second most
common problem
38% point to problems relating to staff with inadequate skills
30% reported problems anticipating the return on investment (ROI)
for IT expenditures
The study is a follow-up to ITGI’s 2003 and 2005 surveys and tracks
IT governance trends over the past four years
151. ISACA Global Status Report 2K8 (cont’d)
• Survey Sample
Researchers contacted CIOs and chief executive officers
(CEOs). The total number of interviews conducted was
749, of which 652 were from a random sample of
organizations
71 were known as COBIT users and 26 were
experienced COBIT users
• Global Reach
The interviews were conducted worldwide (in 23
countries), and all continents/regions were
represented.
152. New Ways of Implementing IT Governance
Lifecycle approach that synergizes COBIT, Val IT and Risk IT
154. Lifecycle Phase Walkthrough
Phases:
• What are the drivers?
• Where are we now?
• Where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there?
• How do we keep the momentum going?
155. What Are The Drivers?
• Goal of Phase:
– Outline the business case
– Identify stakeholders, roles & responsibilities
– IT Governance program “wake-up call” and
communication kick-off
• Need for new or improved IT Governance Organization
recognized in Pain Points and/or Trigger events
• Pain Points analyzed for root cause and opportunities
looked for during Trigger events
• Root causes and opportunities provide business case
for improved or new IT Governance initiatives
156. Trigger Events
• Merger, acquisition or divestiture
• An enterprise-wide governance focus or
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing
arrangements
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
157. Common Pain Points
• Failed IT initiatives
• Rising Costs
• Resource waste through duplication or overlap in IT
• Perception of low business value from IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service Delivery Problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Insufficient IT resources
• IT Staff burnout/dissatisfaction
• IT-enabled changes frequently failing to meet business needs (late
deliveries or budget overruns)
• Hidden and/or rogue IT spending
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
158. Where are we now?
• Define the Problems and Opportunities
– See pain point causes and trigger event opportunities
• Form Powerful Guiding Team
– Knowledgeable about the business environment
– Have insight into influencing factors
• Assess the Current State
– Identify IT goals and their alignment with enterprise goals
– Identify the most important processes
– Understand management’s risk appetite
– Understand the maturity of existing governance and
related processes
159. Where do we want to be?
• Define the Roadmap
– Describe the high level change enablement plan and
objectives
• Communicate Desired Vision
– Develop a communication strategy
– Communicate the vision
– Articulate the rationale and benefits of the change
– Set the “tone at the top”
• Define Target State and Perform Gap Analysis
– Define the target for improvement
– Analyze the gaps
– Identify potential improvements
160. What Needs to be done?
• Develop Program Plan
– Prioritize potential initiatives
– Develop formal and justifiable projects
– Use plans that include contribution and program objectives
• Empower Role Players and Identify Quick Wins
– High Benefit, easy implementation should come first
– Obtain buy-in by key stakeholders affected by the change
– Identify strengths in existing processes and leverage accordingly
• Design and Build Improvements
– Plot improvements onto a grid to assist with prioritization
– Consider approach, deliverables, resources needed, costs,
estimated time scales, project dependencies and risks
161. How Do We Get There?
• Execute the Plan
– Execute projects according to an integrated program plan
– Provide regular update reports to stakeholders
– Document and Monitor the contribution of projects while
managing risks identified
• Enable Operation and Use
– Build on the momentum and credibility of quick wins
– Plan cultural and behavioral aspects of the broader transition
– Define Measures of Success
• Implement Improvements
– Adopt and Adapt best practices to suit the organization’s
approach to policies and process changes
162. Did We Get There?
• Realize Benefits
– Monitor the overall performance of the program against business
case objectives
– Monitor and measure the investment performance
• Embed New Approaches
– Provide transition from project mode to “business as usual”
– Monitor whether new roles and responsibilities have been taken
on
– Track and assess objectives of the change response plans
– Maintain communication and ensure communication between
appropriate stakeholders continues
• Operate and Measure
– Set targets for each metric
– Measure metrics against targets
– Communicate results and adjust targets as necessary
163. How Do We Keep Momentum Going?
• Continual Improvements – keeping the momentum is critical to
sustainment of the lifecycle
• Review the Program Benefits
– Review Program effectiveness through program review gate
• Sustain
– Conscious reinforcement (reward achievers)
– Ongoing communication campaign (feedback on performance)
– Continuous top management commitment
• Monitor and Evaluate
– Identify new governance objectives based on program experience
– Communicate lessons learned and further improvement
requirements for the next iteration of the cycle
165. Change Enablement
• Guidance provided at each lifecycle phase
• Based on the Kotter model
– Establish a sense of urgency
– Form a powerful guiding coalition
– Create and communicate a clear vision, expressed simply
– Empower others to act on the vision, identifying and
implementing quick-wins
– Enable use and implement improvements/produce more
change
– Institutionalize new approaches
– Sustain
166. Program Management Guidance
• Guidance provided at each lifecycle phase
– Initiate program
– Define problems and opportunities
– Define roadmap
– Develop program plan
– Execute plan
– Realize benefits
– Review program effectiveness
• Detailed guidance provided by Val IT
168. Considerations in a Sourced Environment
• Sourcing Strategy
• Contract Management
• Finance Management
• Relationship Management
• Performance Management
169. Sourcing Strategy
• Part of IT Strategic Plan
• Inventory of critical Supplier relationships
• Update based on changes to Business, IT or
Supplier Strategies
• May contain intervention plans
170. Contract Management
• Initial negotiation and in-life change management
• Defines Services/Quality
• Defines ownership of Intellectual Property
• Compliance with Law and Policy
• Audit Rights
171. Contract Change Management
• Required by either changing business
needs or to address ambiguity.
• Should be viewed as a negotiation.
• Each party will attempt to get
concessions not previously obtained
- value is at risk
• Depend on Relationship
Management for smaller changes to
avoid this risk
172. Intellectual Property
• Supplier IP may be used to deliver efficiencies ($)
• However, use of Supplier IP may limit sourcing flexibility.
• Who owns process ‘know-how’ and does this change over time?
• What risk does this represent?
173. Intellectual Property Mitigations
• Inventory, inventory, inventory
– IT processes supporting the business
– Materials (documents, rights, etc.)
• Risk Management discussion with
business
• Seek legal help
• Follow up!
174. Audit Rights
• Business requirements drive specifics.
• Must be in the initial contract
• For supplier shared services, SAS70 Type II
• Audit rights should be unlimited and at no
cost.
175. Finance Management
• Deal financials reporting
• Invoice Verification
– Service receipt
– Credits
– Incentives
• Internal cost recovery
176. Finance Management
• This is THE PLACE to receive an
independent confirmation of IT value
delivery.
• Budgets are a very unforgiving reality
check!
177. Relationship Management
• Overall Supplier
management
• Monitor business needs
• Communication Forums
• Issue Management
• Risk Management
• Project Management
178. Risk Management
• IT Governance process to evaluate
Supplier Financial, Service Delivery,
Relationship and Information Security
risks in total.
• As before, there may be a translation
here from technical risk to business risk.
• Can use Probability x Business Impact as
the metric. The business should supply
the Impact.
• This can be a powerful tool to use with
Suppliers. They speak the lingua franca as
well.
179. Project Management
• Good Project Management helps assure value
delivery
• Define ‘project’ vs. ‘daily work’ in the contract.
• Has linkages to Finance Management (paying
Project costs), Service Delivery (assuring
Project deliverables)
180. Performance Management
• Aligning Service Delivery Requirements
• Managing and Reporting against SLAs
• Management of individual projects
• Work prioritization
181. Best Practices for IT Governance
IT governance has become significant due to:
• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking
182. Best Practices for IT Governance (cont’d)
Audit role in IT governance
• Audit plays a significant role in the successful
implementation of IT governance within an
organization
• Reporting on IT governance involves auditing at the
highest level in the organization and may cross
division, functional or departmental boundaries
183. Best Practices for IT Governance (cont’d)
• In accordance with the defined role of the IS auditor, the
following aspects related to IT governance need to be
assessed:
– Alignment of the IS function with the organization’s mission,
vision, values, objectives and strategies
– Achievement of performance objectives established by the
business (e.g., effectiveness and efficiency) by the IS function
– Legal, environmental, information quality, fiduciary, security,
and privacy requirements
– The control environment of the organization
– The inherent risks within the IS environment
– IT investment/expenditure
184. Auditing IT Governance
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
185. IT Governance Audit Planning
• Audit Team Composition
• Audit Criteria
• Learning from the Balanced
Scorecard Approach
186. Audit Team Composition
• Leadership - Business or IT?
– Audit Supervision and Auditor in
Charge Independence is a must
• Beware setting up an audit team
that may reflect corporate IT
Governance issues
• Consider sourcing
knowledgeable auditors
187. IT Governance Audit Criteria/Standards
• IIA Governance Auditing
Standards
• ISACA / ITGI IT Governance
Auditing Guidelines
• ITGI Risk IT Framework
• ITGI Val IT Framework
• << Insert your Company business
policies here >>
188. Learnings from the Balanced Scorecard
• Consider IT Governance from
various business points of view
(1)
– Corporate
– Customer
– Operational Excellence
– Future / Sustainability
1. “Measuring and Improving IT Governance Through the Balanced Scorecard”
Information Systems Control Journal, Volume 2, 2005
189. Balanced Scorecard: Corporate View
Objective – Example Metrics
• Business/IT Alignment – Operational budget approval
• Value Delivery – Business Unit Performance
• Cost Management – Attainment of expense and recovery targets
• Risk Management – Results of Internal Audits
• Intercompany Synergy – Single System Solutions
190. Balanced Scorecard: Customer View
Objective – Example Metrics
• Customer Satisfaction – Business Unit Survey ratings
• Competitive Costs – Attainment of unit cost targets
• Development Performance – Major Project Scores
• Operational Performance – Attainment of targeted levels
191. Balanced Scorecard: Operational View
Objective – Example Metrics
• Development Process – Function Point Measures
• Operational Process – Change Management effectiveness
• Process Maturity – Level of IT Processes
• Enterprise Architecture – State of the infrastructure assessment
192. Balanced Scorecard: Future View
Objective – Example Metrics
• Human Resource Management – Staff Turnover
• Employee Satisfaction – Satisfaction survey scores
• Knowledge Management – Implementation of learned lessons
193. Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures
Editor's notes
Trainer presentation slides for Information Technology Governance training. Image credit: Europeanfinancialreview.com
Image credit: blogs.adobe.com
Picture credit: Convergemerge and ISACA SF Chapter
Key Findings on the survey, see IT-Governance-Global-Status-Report-April-2008.pdf
Review Manual reference pages: p. 88-90
The IS auditor should confirm that the terms of reference state the:
• Scope of the work
• Reporting line to be used
• IS auditor's right of access to information
Content to emphasize: the organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit. Review Manual reference page: p. 90