IT Governance within Financial Institutions

  • In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives." The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization. A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and in particular departments such as finance, have the necessary input into the decision-making process. This prevents IT from independently making, and later being held solely responsible for, poor decisions. It also prevents critical users from later finding that the system does not behave or perform as expected.
  • Problems with IT governance. Is IT governance different from IT management and IT controls? The problem with IT governance is that it is often confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance. Nicholas Carr has emerged as a prominent critic of the idea that information technology confers strategic advantage. [Do IT implementations provide strategic advantages for financial institutions?] This line of criticism might imply that significant attention to IT governance is not a worthwhile pursuit for senior corporate leadership. However, Carr also indicates a counterbalancing concern for effective IT risk management. The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large-scale IT management. See Agile methods. The difficulties in achieving a balance between financial transparency and cost-effective data capture in IT financial management (e.g., to enable chargeback) are a continual topic of discussion in the professional literature [6], [7] and can be seen as a practical limitation of IT governance.
  • After the widely reported collapse of Enron in 2000, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel II in Europe have been catalysts for the development of the discipline of information technology governance since the early 2000s.
    • AIB: $700mn losses due to internal fraud by a "rogue trader"
    • HSBC: fraud at funds for which Republic Bank of New York had been custodian led to HSBC making a $575mn settlement
  • What are the goals of IT Governance? The primary goals for information technology governance are to assure that the investments in IT generate business value, and mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure, etc.
  • IT Governance Frameworks. There are quite a few supporting mechanisms developed to guide the implementation of information technology governance. Some of them are:
    • The IT Infrastructure Library (ITIL) is a detailed framework with hands-on information on how to achieve successful operational service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum.
    • Control Objectives for Information and related Technology (COBIT) is another approach to standardize good information technology security and control practices. This is done by providing tools to assess and measure the performance of 34 IT processes of an organization. The ITGI (IT Governance Institute) is responsible for COBIT.
    • ISO/IEC 27001 (ISO 27001) is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 (BS7799), which was published in the United Kingdom and became a well-known industry standard used to provide guidance to organizations in the practice of information security.
    • The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs ("IT Baseline Protection Manual" before 2005), are a collection of documents from the German Federal Office for Security in Information Technology (FSI), useful for detecting and combating security-relevant weak points in the IT environment. The collection encompasses over 3000 pages including the introduction and catalogs.
    • The Information Security Management Maturity Model (ISM3) is a process-based ISM maturity model for security.
    • AS8015-2005, Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
    • ISO/IEC 38500:2008 Corporate governance of information technology (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
  • What we must know about the 5 domains of IT Governance: Strategic Alignment. Strategic alignment is one of the five domains within IT governance, as shown in figure 1. Proper governance over the achievement of IT alignment requires leadership and commitment from the highest levels of the enterprise. This requires the proactive engagement of the chief executive officer (CEO) and board. The board should take responsibility for:
    • Ensuring that IT strategy is aligned with business strategy
    • Ensuring that IT delivers against the strategy
    • Directing IT strategy to balance investments appropriately among systems that support the enterprise as it is, transform the enterprise or grow the enterprise
    • Making informed decisions about the focus and priority for the use of IT resources
    • Ensuring that appropriate IT and related business resources are available to enable IT to deliver upon its expectations
  • Within the IT service delivery continuum (figure 2), the prime outcome from successful IT and business alignment is a satisfactory answer to the first question: are we doing the right things? Of course the ultimate success factor is the assurance that the enterprise is getting the maximum benefits from the investment, but this is achievable only if the right things are chosen in the first place, are being done the right way and are being done well. There is a strong argument that ultimate responsibility for IT strategy setting and implementation should rest with the business leadership. In practice, business strategy is formulated to some extent at all levels of a business. The overall strategic direction is set by the CEO and board, taking into account such factors as the external economic and political environment, the capabilities and known strategies of the competition, regulatory frameworks, skills and resource availability, and appetite for risk.
  • Many successful companies have established properly representative internal bodies in the form of:
    • IT Investment Committee
    • IT Policy Committee
    • IT Steering Committee
    • IT Strategy Committee
    Principal amongst these groups are the IT strategy and the IT steering committees. The prime role of the strategy committee (as the name implies) is to assist and advise the board on the formulation of IT strategy, whilst the prime role of the IT steering committee is to assist the executive in the delivery of that strategy. The strategy committee is seen as comprising primarily main board directors, including non-executives, with the CIO acting as a full or an ex officio member. The important matter is to ensure that all significant lines of business are represented at the highest levels and that this responsibility is not delegated downwards. Ideally, the CEO, or at least a very senior director, should chair either of these committees, with IT being represented by the CIO and perhaps the CTO.
  • The second domain of the 5 areas is Value Delivery. It could be argued that unless success is achieved in the other four domains, achieving value delivery will remain elusive. The essential components of IT governance might therefore be expressed as follows: IT governance overall is about delivering value and managing risk. Value delivery, which embodies the concept of risk-related returns, is perhaps the most important. Value delivery is not possible without strategic alignment and resource management. It is impossible to provide transparency of success or failure without performance measurement.
  • The META Group, for example, defines three categories of IT-related spending or investment:
    • Run the business: the spending necessary to maintain existing operations at the existing level
    • Grow the business: the spending necessary to, for instance, provide additional automation to improve efficiency, or consolidate data centers to reduce costs and increase competitiveness
    • Transform the business: the introduction of new areas of business, the expansion into new markets, or any other radical transformation project designed to lead to significantly enhanced revenues and profits
  • Within many financial institutions the decision-making process over which projects to select for approval and which to decline or defer becomes very subjective, often clouded in political uncertainty, and not always based on totally reliable, objective, complete or consistent underlying data and analysis. Good practice includes:
    • Establishing an approval board or committee with appropriate representation from both business and IT, to ensure that decisions are made without bias and with proper transparency of all business case components, particularly strategic alignment and financial returns
    • Proper consideration of key financial metrics on the proposed return from the candidate investments, including key indicators such as net present value (NPV), internal rate of return (IRR) and payback period
    • Provision for proper accountability for the delivery of results. If the corporate culture is one in which there is no actual accountability (e.g., no impact on personal bonuses and other incentives), then no one will take seriously the requirement for accurate and reliable financial metrics in the first place. This means that there must be a reliable process to measure the actual returns achieved from each investment.
    • Definition of appropriate hurdle rates for IT investments. This process is described later.
    • Assurance that proper project management processes will be followed, including the full involvement of skilled and experienced resources to deliver and manage the project, together with appropriate reporting to a properly qualified and representative project governance board or committee
    • Assurance that all parts of the business that will be affected by the outcome of the project are properly involved and will commit the resources necessary to maximise the chances of success
    • An understanding of the potential impact on the value return from this investment, based on previous solutions delivery experience.
    For example, if IT-related business investments consistently overrun their original budgets by 20 percent, this 20 percent overrun must be factored into the expected return for each business case. This 'solutions delivery effect' can often turn an expected profitable outcome into a negative one. This is always a useful and essential sanity check on any proposed project. Without building in the expected impact of an overrun, the business case will be overstated. Keeping this constant focus on solutions delivery performance will also help the organisation improve, perhaps through undertaking the steps necessary to increase its capability maturity model (CMM) level for systems development and implementation. Of course, past experience in other factors such as time overrun or underdelivery of functionality must similarly be factored in.
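The financial metrics named in these notes (NPV, IRR, payback period and a hurdle rate) and the "solutions delivery effect" of a consistent 20 percent overrun can be worked through numerically. The following is an added example and not part of the presentation or any framework it cites; the business case figures (an outlay of 1,100 returning 500 a year for three years, a 10 percent hurdle rate) are constructed for illustration, and the simplifying assumption is that the historical overrun is applied to the initial outlay only, while the benefit stream is left as proposed. It generalises the text's single 20 percent figure to any overrun rate.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class BusinessCase:
    """A simplified IT business case: a year-0 outlay followed by yearly net benefits."""
    name: str
    initial_cost: float        # year-0 outlay (same currency unit throughout)
    cash_flows: List[float]    # net benefit expected in years 1..n


def npv(rate: float, case: BusinessCase) -> float:
    """Net present value: discounted yearly benefits minus the year-0 outlay."""
    discounted = sum(cf / (1.0 + rate) ** year
                     for year, cf in enumerate(case.cash_flows, start=1))
    return discounted - case.initial_cost


def irr(case: BusinessCase, lo: float = -0.99, hi: float = 10.0,
        iterations: int = 200) -> Optional[float]:
    """Internal rate of return found by bisection on NPV(rate) = 0.

    Valid for conventional cash flows (one outlay, then positive benefits), where
    NPV falls monotonically as the rate rises. Returns None if NPV has no sign
    change on [lo, hi].
    """
    f_lo, f_hi = npv(lo, case), npv(hi, case)
    if f_lo * f_hi > 0:
        return None
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, case)
        if f_lo * f_mid <= 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def payback_period(case: BusinessCase) -> Optional[float]:
    """Years until cumulative (undiscounted) benefits recover the outlay.

    Interpolates linearly within the recovering year; None if never recovered.
    """
    cumulative = 0.0
    for year, cf in enumerate(case.cash_flows, start=1):
        before = cumulative
        cumulative += cf
        if cumulative >= case.initial_cost:
            return (year - 1) + (case.initial_cost - before) / cf
    return None


def apply_overrun(case: BusinessCase, overrun_rate: float) -> BusinessCase:
    """Model the 'solutions delivery effect': inflate the outlay by the historical overrun.

    Assumption of this example: the overrun hits the year-0 outlay only.
    """
    return replace(case, initial_cost=case.initial_cost * (1.0 + overrun_rate))


def evaluate(case: BusinessCase, hurdle_rate: float, overrun_rate: float) -> dict:
    """Score a business case as proposed and after the overrun adjustment."""
    adjusted = apply_overrun(case, overrun_rate)
    raw_npv, adj_npv = npv(hurdle_rate, case), npv(hurdle_rate, adjusted)
    return {
        "name": case.name,
        "npv_as_proposed": raw_npv,
        "npv_after_overrun": adj_npv,
        "irr_as_proposed": irr(case),
        "irr_after_overrun": irr(adjusted),
        "payback_as_proposed": payback_period(case),
        "payback_after_overrun": payback_period(adjusted),
        # Governance decision: the overrun-adjusted case, not the optimistic one,
        # must clear the hurdle rate (positive NPV at that rate).
        "clears_hurdle": adj_npv > 0.0,
    }


# Constructed sample figures (not from the presentation).
SAMPLE_CASE = BusinessCase("core banking upgrade", 1100.0, [500.0, 500.0, 500.0])
HURDLE_RATE = 0.10          # assumed hurdle rate for IT investments
HISTORICAL_OVERRUN = 0.20   # the 20 percent overrun discussed in the notes


if __name__ == "__main__":
    result = evaluate(SAMPLE_CASE, HURDLE_RATE, HISTORICAL_OVERRUN)
    for key, value in result.items():
        shown = f"{value:.4f}" if isinstance(value, float) else str(value)
        print(f"{key:>22}: {shown}")
```

With these constructed figures the case clears a 10 percent hurdle as proposed (positive NPV, IRR around 17 percent, payback of 2.2 years) but fails it once the 20 percent overrun is built in (negative NPV, IRR under 7 percent), which is exactly the reversal the notes warn a business case will hide if the overrun is not factored in.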
  • Realising the Benefits The clarity and precision of anticipated benefits as defined in the business case are key to the actual and demonstrable achievement of value. It should become standard practice for financial institutions to track the actual benefits achieved from the development and implementation of IT-related business solutions. Only in this way will it be possible to establish the extent to which the investment has paid off and to ensure appropriate accountability. The tracking of benefits needs to be ongoing from the date of implementation of the project.
  • The major advantage of the IT BSC is that it provides a systematic translation of the strategy into critical success factors and metrics, which materialises the strategy. (CIO of a financial organisation) The balanced scorecard gives a balanced view of the total value delivery of IT to the business. It provides a snapshot of where your IT organization is at a certain point in time. Most executives, like me, do not have the time to drill down into the large amount of information. (Vice president of an insurance organisation)
  • Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
  • Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
  • Irrespective of size and complexity, each institution should have an IT Steering Committee. The steering committee will ensure that IT is in line with business objectives and that value is being derived. Too often the Board is not aware of what is happening in IT, especially for MOD, projects, etc.

Transcript

  • 1. IT Governance within Financial Institutions Kirk Tyrell, CISA Assistant Director Financial Institutions Supervisory Division Bank of Jamaica www.boj.org.jm CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners June 23 – 25, 2009 Georgetown, Guyana
  • 2. Topics
    • What does IT Governance involve?
    • Why is IT Governance important?
    • What you must know about IT Governance?
    • Supervisory Expectation for IT Governance ?
  • 3. What is IT Governance?
    • “… is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.” (source www.wikipedia.com )
    ……
  • 4. What is IT Governance?
    • “… the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.” (source www.ITGI.org )
  • 5. Problems With IT Governance
    • Is IT governance different from IT management and IT controls? Why the confusion?
    • Does IT confer strategic advantage?
    • Are all the detailed process controls necessary?
  • 6. Why the Increased Focus on IT Governance?
    • High-profile collapses (e.g. Enron, Arthur Andersen, WorldCom, AIB, HSBC, etc.)
    • Maintaining (or Recapturing) public confidence and trust
    • Anchor for effective risk management
    ……
  • 7. Why the Increased Focus on IT Governance?
    • Respond to call for greater transparency and closer oversight
      • … prevent similar problems from happening again
    • Board and executive management awareness of the challenges facing IT management
    • Sarbanes-Oxley and Basel II in Europe
    ……
  • 8. Why the Increased Focus on IT Governance?
    • “… effective corporate governance is essential to maintaining public trust and confidence in the banking sector, and provides a crucial anchor for sound risk management practices." Mr Jaime Caruana, Chairman of the Basel Committee and Governor of the Bank of Spain
  • 9. IT Governance Goals
    • Provide assurance that the investments in IT generate business value
    • Establish structures and controls to mitigate the risks that are associated with IT
    • A proactive and holistic approach to talent management within IT
  • 10. IT Governance Frameworks
    • Enhancing Corporate Governance for Banking Organizations (BIS)
    • The IT Infrastructure Library (ITIL)
    • Control Objectives for Information and related Technology (COBIT)
    • The ISO/IEC 27001 (ISO 27001)
    ……
  • 11. IT Governance Frameworks
    • ISO/IEC 38500:2008 Corporate Governance of Information Technology
    • Others:
      • The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs, ("IT Baseline Protection Manual" before 2005)
      • The Information Security Management Maturity Model ISM3
      • AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology
    ……
  • 12. Non-IT Specific Frameworks
    • The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas
    • Six Sigma - focus on quality assurance
  • 13. Sub-Domains of IT Governance
    • Regulatory compliance
    • Information governance and information security
    • IT Service Management
    • Project governance
    • Risk management
    ……
  • 14. Sub-Domains of IT Governance
    • Knowledge Management, including Intellectual Capital
    • Business continuity and disaster recovery
  • 15. Components of IT Governance Cycle
  • 16. IT Governance Domain (COBIT) [figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
  • 17. IT Governance Domain (COBIT) [figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
  • 18. Domain 1 – Strategic Alignment
    • Achievement of IT alignment requires:
      • Leadership and commitment from the highest levels
      • Proactive engagement
  • 19. Domain 1 – Strategic Alignment
    • The board should take responsibility for:
      • Ensuring that IT strategy is aligned with business strategy
      • Ensuring that IT delivers against the strategy
      • Directing IT strategy to balance investments
  • 20. Domain 1 – Strategic Alignment
    • Making informed decisions about the focus and priority for the use of IT resources
    • Ensuring that appropriate IT and related business resources are available
  • 21. Domain 1 – Strategic Alignment
    • …there is a strong argument that ultimate responsibility for IT strategy setting and implementation should rest with the business leadership.
    • Figure labels: the right things are chosen in the first place; things being done well; things being done the right way; derive maximum benefits
  • 22. Domain 1 – Strategic Alignment
    • Internal bodies in the form of:
      • IT Investment Committee
      • IT Policy Committee
      • IT Steering Committee
      • IT Strategy Committee
  • 23. Domain 1 – Strategic Alignment
  • 24. Domain 1 – Strategic Alignment
    • Examiners’ Expectation:
      • Duties of IT Strategy and IT Steering Committees are defined in a formal charter
      • Ensure that the financial institution is paying attention to the importance of IT strategic planning and its alignment with business objectives
  • 25. IT Governance Domain (COBIT)
  • 26. Domain 2 – Value Delivery
    • Essential components:
      • IT governance overall is about delivering value and managing risk
      • Value delivery, which embodies the concept of risk-related returns
      • Value delivery is not possible without strategic alignment and resource management
  • 27. Domain 2 – Value Delivery
    • …it is impossible to provide transparency of success or failure without performance measurement
  • 28. Domain 2 – Value Delivery
    • …value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT (source: ITGI)
  • 29. Domain 2 – Value Delivery
    • Key Board responsibilities:
      • ensure that stakeholder value is obtained
      • allocation of resources
  • 30. Domain 2 – Value Delivery
    • A study carried out within global financial services group, ING2, indicates that IT-related business investments have the potential to deliver far greater returns than almost any other conventional investment.
    • Source: ITGI, 2008
  • 31. Domain 2 – Value Delivery
    • IT-related spending or investment:
      • Run the business
      • Grow the business
      • Transform the business
    Source: The META Group
  • 32. Domain 2 – Value Delivery
    • Key components of an IT investment approval process include:
      • Preparation of a comprehensive business case based upon a consistent corporate standard and agreed assumptions (e.g. tax rates and inflation rates)
      • Establishment of an approval board or committee
  • 33. Domain 2 – Value Delivery
    • Consideration of key financial metrics (e.g. NPV, IRR and payback period)
    • Provision for proper accountability for the delivery of results
    • Definition of appropriate hurdle rates for IT investments
  • 34. Domain 2 – Value Delivery
    • Providing assurance that:
      • proper project management processes will be followed,
      • all parts of the business that will be affected by the outcome are involved, and
      • resources necessary to maximize the chances of success will be committed
    • Increase capability maturity model (CMM) level for systems development and implementation
  • 35. Domain 2 – Value Delivery
    • Realizing the Benefits:
      • The clarity and precision of anticipated benefits
      • Ongoing tracking of the actual benefits achieved
      • Ensuring appropriate accountability
  • 36. Domain 2 – Value Delivery
    • Examiners’ Expectation:
      • Board monitors IT delivery against the strategy through clear expectations and measurement
      • Management sets baselines for measuring capacity and growth planning and service improvement, and utilizes industry standards and benchmarking
      • Operations management measures and reports on budget achievement
  • 37. IT Governance Domain (COBIT)
  • 38. Domain 3 – Performance Delivery
    • Demonstrates the effectiveness and added business value of IT
    • Getting business value from IT and measuring that value are important governance domains
  • 39. Domain 3 – Performance Delivery
    • IT performance management is aimed at:
      • identifying and quantifying IT costs and IT benefits
    • Limitations of traditional quantifiable performance measures (in financial terms) such as ROI, NPV, IRR and the payback method
    • Overcoming the limitations of measuring “unquantifiable” values, i.e. via an IT balanced scorecard
  • 40. Domain 3 – Performance Delivery
    • The Balanced Scorecard (BSC) is a performance management tool which began as a concept for measuring whether the smaller scale operational activities of a company are aligned with its larger scale objectives in terms of vision and strategy
  • 41. Domain 3 – Performance Delivery
    • By focusing not only on financial outcomes but also on the operational, marketing and developmental inputs to these, the BSC helps provide a more comprehensive view of a business, which in turn helps organizations act in their best long-term interests (source: Wikipedia)
  • 42. Domain 3 – Performance Delivery
  • 43. IT Governance Domain (COBIT)
  • 44. Domain 4 – Risk Management
    • Requires:
      • Risk awareness by senior corporate officers
      • A clear understanding of the financial institution’s appetite for risk
      • Understanding of compliance requirements
      • Transparency about the significant risks to the enterprise
      • Embedding of risk management responsibilities into the organization
  • 45. IT Governance Domain (COBIT)
  • 46. Domain 5 – Resource Management
    • Optimal investment in, and the proper management of, critical IT resources (i.e. applications, information, infrastructure and people)
    • Key issues relate to the optimization of knowledge and infrastructure
  • 47. Examiners’ Responsibilities
    • Review:
      • IT strategies, plans and budgets
      • Security policy documentation
      • Organizational charts
      • Job descriptions
      • Steering committee reports
      • Change management procedures
  • 48. Examiners’ Responsibilities
      • Operations reports and procedures
      • Quality assurance procedures
    • Noting exceptions and absence of documentation
  • 49. Examiners’ Responsibilities
    • Reviewing contractual commitments:
      • Development of contractual requirements
      • Contract bidding process
      • Contract selection process
      • Contract acceptance, maintenance and compliance
  • 50. Lessons Learnt
    • Each financial institution should have an IT Steering Committee with requisite board and management involvement
    • The board and management should ensure that policies and procedures are reviewed periodically for relevance
    • Financial institutions should adopt applicable industry best practices and rules to guide IT management
  • 51. Questions?
  • 52. Additional Resources
    • Executive Summary, COBIT v3.0 and COBIT v4.1. Retrieved from http://en.wikipedia.org/wiki/COBIT
    • ITIL for service delivery
    • CMM for solution delivery
    • ISO 17799 for information security
    • PMBOK or PRINCE2 for project management