1. John W. Lainhart IV
CISA, CISM, CGEIT, CIPP/G
Partner, Security, Privacy,
Wireless & IT Governance
IBM Global Business Services
Principal Advisory to IT
Governance Institute
john.w.lainhart@us.ibm.com
301-803-2745
COBIT® as a Risk Management Framework
2. In This Presentation...
The Governance Environment
An introduction to IT Governance
An introduction to Control Objectives for
Information and related Technology (COBIT®)
Overview of COBIT® Supporting Materials
COBIT® Mappings to Other Standards
An introduction to ValIT™
An introduction to RiskIT™
Recently Announced Certification Program – CGEIT
Questions
3. IT Governance, COBIT, Val IT and Risk IT Are Brought to You by …
4. IT Governance Institute
IT Governance Institute is a non-profit research think-tank associated with ISACA®
5. IT Governance Institute Product Suite
[Figure: the ITGI product suite arranged in two layers]
Governance (Business and Technology): Board Briefing on IT Governance
Management (Governance, Security and Assurance): COBIT 4.1, Val IT, COBIT Control Practices, IT Assurance Guide, Information Security Governance, IT Governance Implementation Guide
8. What Makes IT Governance so important?
Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment
• Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• ITGI 2005 Survey early findings confirm concerns
• Low return from high-cost IT investments, and transparency of IT’s performance are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
9. What makes IT Governance so
important?
Shareholders want protection for
the Enterprise’s Share Price
“…if not filed, auditor must include a
paragraph in its annual report that it
cannot vouch for the enterprise’s
ability as a going concern…”
“…financial reporting system is not
up to speed…”
“…the company has lost a third more of
its market value yesterday as it revealed
a virtual collapse of its financial
reporting system…”
“…data entry
problems…”
12. What is IT Governance?
“IT governance is the responsibility of the
board of directors and executive management.
It is an integral part of enterprise governance
and consists of the leadership and
organisational structures and processes that
ensure that the organisation’s IT sustains and
extends the organisation’s strategies and
objectives.”
ITGI, Board Briefing on IT Governance
13. IT Governance Needs a
Management Framework
[Figure: Driving Forces map onto the IT Governance Focus Areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement]
14. IT Governance Focus Areas
Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to
• Add value and competitive positioning to the enterprise’s products and services
• Contain costs while improving administrative efficiency and managerial effectiveness
[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
15. IT Governance Focus Areas
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)
16. IT Governance Focus Areas
Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations
17. IT Governance Focus Areas
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource
18. IT Governance Focus Areas
Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
21. IT Governance Control Cycle
Assess Environment
• Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
• Establish risk management strategy
• Formally document existing processes
22. IT Governance Control Cycle
Maintain IT Controls Framework
• Develop controls framework to support sound business decisions
• Document integration points in the current environment
• Create an organizational mechanism to support the governance of IT
• Mitigate identified risks through the IT controls framework
23. IT Governance Control Cycle
Develop & Refine Governing Documents
• Utilize a central repository for governing documents
• Develop a consistent approach for creating governing documents
• Consistently apply processes and procedures
• Gain executive commitment for IT governance frameworks and structure
24. IT Governance Control Cycle
Communicate and Train
• Provide “Tone at the Top”
• Develop a strategic communication plan for mission objectives and overall management direction
• Execute strategic communication plan
• Implement a standard training program to avoid unnecessary and redundant training
25. IT Governance Control Cycle
Implement and Operate
• Align staff responsibilities with IT control objectives
• Achieve sustainability of IT controls in the operational environment
• Support continuous improvement of operational effectiveness and accountability
26. IT Governance Control Cycle
Measure and Validate
• Revise current metrics program to include newly defined controls
• Verify the sustainability of defined controls
• Develop cost effective automated measurements
• Measure all processes to include Applications, Databases, Platforms and Networks
27. IT Governance Control Cycle
Monitor and Report
• Report on continued effectiveness of controls
• Increase transparency to auditors of issues and actions taken
• Accurately attest to IT’s compliance with policy, laws, and regulations
• Improve existing processes using metrics trending
28. IT Governance Control Cycle
Enforce
• Reinforce required policy compliance and standards conformance
• Define a consistent approach for enforcement across all processes
30. COBIT 4.1—The IT Governance Framework
COBIT: an internationally accepted good practices repository for IT Processes, IT Management Processes and IT Governance Processes; the only IT management and control framework that covers the end-to-end IT life cycle
Management-oriented
Freely available
Sharing knowledge and leveraging expert volunteers
Continually evolving
Maintained by reputable not-for-profit organisation
Maps 100% to COSO
Maps strongly to all major related standards
Is a reference, set of best practices, not an “off-the-shelf” cure
Enterprises still need to analyse their control requirements and customise based on:
Value drivers
Risk profile
IT infrastructure, organisation and project portfolio
31. COBIT: An IT Control Framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
Addresses the resources made available to and built up by IT
Domains:
1. Plan & Organize
2. Acquire & Implement
3. Delivery & Support
4. Monitor & Evaluate
Information Criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance
IT Resources:
1. Applications
2. Information
3. Infrastructure
4. People
32. Key Driving Forces for COBIT
[Figure: three driving forces]
IT Resources (the resources made available to, and built up by, IT): Applications, Information, Infrastructure, People
IT Processes (how IT is organised to respond to the requirements): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Business Requirements (what the stakeholders expect from IT): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
33. COBIT Framework
Business Objectives / Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources
• Applications
• Information
• Infrastructure
• People
IT Life Cycle: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
34. COBIT Processes
Plan and Organise
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
35. COBIT Processes
Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance
36. COBIT PC and AC Processes
Process Controls
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Responsibility
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
PC6 Process Performance Improvement
Application Controls
AC1 Source Data Preparation and Authorization
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transmission Authentication and Integrity
38. Control Objectives
PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses
identified as necessary, including identification of costs, benefits and responsibility for
execution. Obtain approval for recommended actions and acceptance of any residual
risks, and ensure that committed actions are owned by the affected process owner(s).
Monitor execution of the plans, and report on any deviations to senior management.
42. Maturity Levels in COBIT
0 Non-existent - Management processes are not applied at all.
1 Initial - Processes are ad hoc and disorganised.
2 Repeatable - Processes follow a regular pattern.
3 Defined - Processes are documented and communicated.
4 Managed - Processes are monitored and measured.
5 Optimised - Best practices are followed and automated.
43. Dimensions of Process Maturity in COBIT
We capture process maturity data on each of
six dimensions:
Awareness and communication
Policies, standards and procedures
Tools and automation
Skills and expertise
Responsibility and accountability
Goal setting and measurement
46. Implementation Guide
IT Governance Implementation Guide, 2nd
Edition
Detailed, structured guidance to the
implementation of IT governance
Generic IT governance implementation
guidance, not just COBIT
48. Control Practices
COBIT Control Practices, 2nd Edition
Detailed guidance on each of the control
objectives
Management-oriented
From three to 12 control practices per
control objective
50. Assurance Guide
IT Assurance Guide: Using COBIT
Detailed guidance to support assurance
practitioners in:
Financial statement audit
Internal audit
Value for money
Operational improvement
Guidance on:
How to leverage COBIT for assurance
Detailed assurance testing steps
52. Quickstart
For small and medium sized organizations and
larger organizations wanting to quickstart IT
governance
Selection of components from the complete
COBIT framework
Can be used as a baseline (set of “smart things to
do”) for small and medium-sized enterprises and
other entities where IT is not strategic or
absolutely critical for survival
Can also be a starting point for larger enterprises
in their first moves toward an appropriate level
of control and governance of IT
60. The Information Paradox
The value of IT is being increasingly questioned...
…yet organizations continue to spend more and more on IT
61. The Fundamental Question
Are we maximizing the value of our IT-
enabled business investments such
that:
we are getting optimal benefits;
at an affordable cost; and
with an acceptable level of risk?
Over the full economic life-cycle
of the investment
62. Without Effective Governance
[Figure: symptoms chain, Situation → Leads to.. → Results in..]
Situation:
• Reluctance to say no to projects
• Lack of Strategic Focus
• Can’t kill projects
• Projects are “sold” on emotional basis -- not selected
• No strong review process
• Overemphasis on Financial ROI
• No clear strategic criteria for selection
Leads to..:
• Too many projects
• Projects not aligned to strategy
• Underestimation of risks and costs
• Budget overruns
• Project delays
• Quality of execution suffers
• Increased Complexity
• Sub-optimal use of resources
Results in..:
• Business needs not met
• Benefits not received
• Finger pointing
• Lack of confidence (in IT)
Source: Fujitsu
63. Continuously Need to Question
Some fundamental questions about the value enabled by IT:
Are we doing the right things? The strategic question. Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?
Are we getting the benefits? The value question. Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process?
Are we doing them the right way? The architecture question. Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?
Are we getting them done well? The delivery question. Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver: the required capabilities; and the organisational changes required to leverage the capabilities?
Source: The Information Paradox
64. Val IT
Processes & Key Management Practices
Value Governance (VG)
VG1 Ensure informed and committed leadership
VG2 Define and implement processes
VG3 Define roles & responsibilities
VG4 Ensure appropriate and accepted accountability
VG5 Define information requirements
VG6 Establish reporting requirements
VG7 Establish organisational structures
VG8 Establish Strategic Direction
VG9 Define investment categories
VG10 Determine target portfolio mix
VG11 Define evaluation criteria by category
Portfolio Management (PM)
PM1 Maintain human resource inventory
PM2 Identify resource requirements
PM3 Perform gap analysis
PM4 Develop resourcing plan
PM5 Monitor resource requirements and utilisation
PM6 Establish investment threshold
PM7 Evaluate initial programme concept business case
PM8 Evaluate & assign relative score to programme business case
PM9 Create overall portfolio view
PM10 Make and communicate investment decision
PM11 Stage-gate (and fund) selected programmes
PM12 Optimize portfolio performance
PM13 Re-prioritise portfolio
PM14 Monitor and report on portfolio performance
Investment Management (IM)
IM1 Develop a high-level definition of investment opportunity
IM2 Develop initial programme concept business case
IM3 Develop clear understanding of candidate programmes
IM4 Perform Alternatives Analysis
IM5 Develop Programme plan
IM6 Develop Benefits Realisation plan
IM7 Identify Full life cycle costs & benefits
IM8 Develop detailed programme business case
IM9 Assign clear accountability & ownership
IM10 Initiate, plan and launch the programme
IM11 Manage programme
IM12 Manage/track benefits
IM13 Update business case
IM14 Monitor and report on programme performance
IM15 Retire programme
65. P3M - Projects, Programs, and Portfolios
Portfolio Management: Portfolio – a suite of business programmes managed to optimise overall enterprise value
Programme Management: Programme – a structured grouping of projects designed to produce clearly identified business value
Project Management: Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
66. Val IT
Relationship between Processes & Practices
[Figure: Val IT process flow, with the key management practices that support each step]
VG: Establish governance framework (VG1-4, 6-7); Provide strategic direction (VG8); Establish portfolio parameters (VG5, 9-11)
PM: Maintain resource profile (PM1-5); Maintain funding profile (PM6); Evaluate & prioritize investments (PM7-10); Move selected investments to active portfolio (PM11); Manage overall portfolio (PM12-13); Monitor & report on portfolio performance (PM14)
IM: Identify business req’ts (IM1-2); Define candidate programme (IM3, 5-7); Analyse alternatives (IM4); Document business case (IM8, 13); Assign accountability (IM9); Launch programme (IM10); Manage programme execution (IM11-12); Monitor & report on programme performance (IM14); Retire programme (IM15)
67. Val IT Initiative …a value lens into COBIT
[Figure: Val IT (VG, PM, IM) provides governance & management of a portfolio of business change programmes; COBIT (PO, AI, DS, ME) provides governance & management of a portfolio of technology projects, services, systems & supporting infrastructure. Both sit over the IT Governance Domains (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement) and answer the same four questions: Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits?]
68. Val IT Initiative Status
DONE
Framework
Business Case
Case Study (initial)
IN PROCESS
Extend FW to services & other IT assets/resources & Simplify
Maturity Models
Management Guidelines
Taxonomy
QuickStart Guide
1st Qtr. of 2008
PLANNED
Business Case v2.0
Empirical Analysis
Benchmarking
Available for free download from: www.isaca.org or www.itgi.org
69. The Business Challenge
Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that:
Ensures clarity of, and accountability for, the desired outcomes
Enables understanding of the full scope of effort
Breaks down the “silos” and “connects the dots”
Manages the full economic life-cycle
Senses and responds to changes and deviations
This is a significant leadership challenge, opportunity and responsibility!
71. RISK IT DESCRIPTION
A risk management framework that provides the
missing link between enterprise risk
management and IT Management and control,
fitting in the overall IT Governance framework
of ITGI, and building upon all existing risk
related components within the current
frameworks, i.e., COBIT and Val IT
A number of related services and products
(practical guides, reference data,
interfaces/mapping with other standards, …)
72. RISK IT ACTIONS
ITGI Board discussion on this initiative and decision to proceed
with full business case development (July 2007)
Business Case development, (October 2007) including
Market survey
Feasibility study
High-level design of the product/service
Set-up project governance structure, incl. Core Team, expert team, identify
project manager(s) and potential resources
Define high-level development and roll-out plan
ITGI Board approved detailed business case and decision to
proceed with full project (November 2007)
RiskIT Task Force members appointed (December 2007)
First RiskIT Task Force meeting held in Ghent, Belgium on 18-19
January 2008
First draft RiskIT planned to be issued by December 2008
73. Risk IT
Processes & Key Management Practices
As of 19 January 2008 first Task Force
meeting in Ghent, Belgium
[Figure: Risk IT components]
Risk Governance
Risk Management
Risk Monitoring & Reporting
Glossary
Risk Inventory
Risk Repository
High Level Risk Management Guidance: COSO ERM, AS/NZS 4360, etc.
75. RELATIONSHIP OF COBIT / VAL IT / RISK IT
[Figure: Val IT and Risk IT sit in the IT GOVERNANCE layer, COBIT in the IT MANAGEMENT layer]
IT GOVERNANCE (Val IT, Risk IT)
Set Objectives
• Align business and IT
• Enable the business and maximise benefits
• Ensure effective and efficient use of resources
• Manage IT risk as part of ERM
• Fulfil compliance requirements
Cycle: Provide direction → Translate direction into strategy → Translate strategy into action → Measure and report performance → Evaluate performance
IT MANAGEMENT (COBIT)
• Make the business effective
• Make the business efficient
• Manage risks (security, reliability & compliance)
• Manage service delivery consistency