Governance Tools Boyd Carter 2006

An Overview of Governance Tools

    1. Introduction to Governance Frameworks
       A selection of governance tools and how they may be used.
       Elegant Solutions, Boyd Carter - 2006. Copyright © 2006 elegantsolutions.ca (permission is granted to use unchanged). www.elegantsolutions.ca

    2. Governance – OECD
       • A working definition of corporate governance
       • Grant Kirkpatrick, Corporate Affairs Division, OECD
       • Corporate governance … involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders.
       • Corporate governance also provides the structure through which the
         • objectives (i.e. strategy) of the company are set, and
         • the means of obtaining those objectives and
         • monitoring performance are determined.

    3. Governance – CIMA
       • CIMA – Chartered Institute of Management Accountants
       • Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.

    4. Governance – itSMF
       • itSMF – IT Service Management Forum
       • IT governance is the system by which IT within enterprises is directed and controlled. The IT governance structure specifies the distribution of rights and responsibilities among different participants, such as the board, business and IT managers, and spells out the rules and procedures for making decisions on IT. By doing this, it also provides the structure through which the IT objectives are set, and the means of attaining those objectives and monitoring progress.

    5. Governance In Context
       • Relationships
       • Rights and Responsibilities
       • Structure (framework) which facilitates
         • Setting objectives
         • Attaining those objectives
         • Monitoring performance

    6. Governance Cycles
       • OECD
       • Balanced Scorecard
       • Deming on Quality
       • ITIL
       • COBIT

    7. Cycles – Quality (Deming)
       • Plan
       • Do
       • Check
       • Act

    8. Cycles – Quality (Deming)
       Ishikawa expanded Deming's four steps into the following six:
       • Plan
         • Goals and Targets
         • Methods to Achieve
       • Do
         • Education & Training
         • Implement Work
       • Check
       • Act
       Source: http://dtiinfo1.dti.gov.uk/mbp/bpgt/m9ja00001/m9ja0000110.html#ishikawa

    9. Cycles – OECD
       • Political Agenda
       • Issue Analysis
       • Policy Making
       • Implementation
       • Monitoring
       Source: A. Macintosh. Using information and communication technologies to enhance citizen engagement in the policy process. In Promises and Problems of E-Democracy: Challenges of Online Citizen Engagement. OECD, Paris, 2004.

    10. Cycles – Balanced Scorecard
       • Cause & Effect
       • Future Orientation
       • Operational Excellence
       • Meet Stakeholder Expectations
       • Corporate Contribution
       Source: Measuring and Improving IT Governance Through the Balanced Scorecard, by Wim Van Grembergen and Steven De Haes. Copyright © 2005 Information Systems Audit and Control Association. All rights reserved.

    11. Cycles – ITIL
       • Service Strategies
       • Design
       • Transition
       • Operations
       • Continuous Improvement
       Source: ITIL.org · ITIL V3 - Service Life Cycle · Service Strategy

    12. Cycles – TOGAF
       The US Federal CIO Council’s perspective
       • How EA processes fit within the Enterprise Life Cycle
         • Engineering
         • Program Mgmt.
         • Capital Planning & Investment Control Processes
       From TOGAF version 8.1, and the US Federal CIO Council’s "A Practical Guide to Federal Enterprise Architecture"

    13. Cycles – COBIT
       • Objectives
       • Direct
       • Create
       • Protect
       • Act
       • Monitor
       From the article: IT Governance Hands-on: Using COBIT to Implement IT Governance, by Luc Kordel, CISA, RE, CISSP, CIA, RFA
       • Governance
         • Alignment
         • Value Delivery
         • Risk Mgmt.
         • Resource Mgmt.
         • Performance Mgmt.

    14. Cycles – Buffalo City
       • Planning
       • Implementation
       • Review
       • Evaluation
       • Reporting
       • The public participates in everything except the actual implementation
       From a thesis by Quinton Walter Williams, January 2006, Masters of Business Administration, Rhodes Investec Business School, Rhodes University, entitled: Implementing Performance Management at Local Government Level in South Africa: A Case Study on the Impact of Organisational Culture.

    15. Cycles – Quality Governance
       • Relationships, Rights & Responsibilities
       • Structure (Framework) which facilitates
         • Setting Objectives
           • Plan
             • Goals and Targets
             • Methods to Achieve
         • Attaining those objectives
           • Do
             • Education & Training
             • Implement Work
         • Monitoring Performance
           • Check
           • Act
    16. Frameworks – COSO
       PWC presentation: COSO 1, COSO 2 (source: PWC ERM-SET.pdf)

    17. Frameworks – COSO
       COSO for Smaller Public Companies (COSO 3). Image from Volume 2 of COSO’s Internal Control over Financial Reporting – Guidance for Smaller Public Companies

    18. Frameworks – COSO
       Image from COSO’s ERM – Integrated Framework

    19. Frameworks – COSO
       Image from COSO’s ERM – Integrated Framework

    20. Frameworks – COSO
       Example of framework content. Image from Resolver’s Compliance Framework

    21. Frameworks – COBIT
       COBIT products. Image from the IT Governance Institute’s COBIT4

    22. Frameworks – COBIT
       The COBIT Cube. Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT

    23. Frameworks – COBIT
       COBIT mapped to PMBOK. COBIT is also mapped to SEI-CMM, Prince2, ITIL, COSO, TOGAF & ISO 17799. Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT

    24. Frameworks – COBIT
       COBIT Quickstart to estimate scope. Image from the IT Governance Institute’s COBIT Quickstart
       • SEG = Segregation of Duties
       • SCS = Simple Command Structure
       • SCP = Short Communications Path
       • SOC = Span Of Control
       • ITL = IT Level (of Sophistication)
       • ITS = IT Strategic Importance
       • ITE = IT Expenditures
       In this example, the small company is very dependent on its Information Technology. This would indicate the use of COSO for Smaller Public Companies for the business framework and either a complete COBIT framework for IT or an extended COBIT Quickstart with applicable portions of the complete COBIT framework added to the project.

    25. Frameworks – COBIT
       VALIT to optimize IT investments. Image from the IT Governance Institute’s VALIT-Framework

    26. Frameworks – COBIT
       VALIT to optimize IT investments. Image from the IT Governance Institute’s VALIT-Framework

    27. Frameworks – COBIT
       Example of framework content. Image from Resolver’s Compliance Framework

    28. Frameworks – ITIL
       From a GC IT Services perspective, with COBIT for program management. Image from the Treasury Board Profile of GC Information Technology Services: http://www.tbs-sct.gc.ca/cio-dpi/webapps/technology/profil/profil05_e.asp

    29. Frameworks – ITIL
       From an HP IT Services planning perspective. A common ITIL image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing

    30. Frameworks – ITIL
       From an Application Services Library perspective. Another common ITIL image, this one from ASLfoundation.org
       Figure labels: The Business; Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; Applications Management; ICT Infrastructure Management; Security Management; The Technology

    31. Frameworks – ITIL
       From an HP IT Services operations perspective. A common ITIL image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing

    32. Frameworks – BSC
       From an IT governance perspective. Image from the IT Governance Institute’s Information Systems Control Journal: The Balanced Scorecard and IT Governance, by Wim Van Grembergen, Ph.D.

    33. Frameworks – BSC
       From an IT governance perspective. Image from the IT Governance Institute’s Information Systems Control Journal: The Balanced Scorecard and IT Governance, by Wim Van Grembergen, Ph.D.

    34. Frameworks – BSC
       • Financial
       • Internal Business Processes
       • Learning & Growth
       • Customer
       From a Performance Measurement presentation in the archives of the Faculty of Technology, Policy and Management, TBM.tudelft.nl; slide context attributed to R.S. Kaplan, The balanced scorecard, 1996
       Figure: Strategy to Operational Terms. The balanced scorecard provides a framework to translate a strategy into operational terms. Vision and strategy sit at the centre, surrounded by four perspectives, each with objectives, measures, targets and initiatives:
       • Financial: To succeed financially, how should we appear to our shareholders?
       • Customer: To achieve our vision, how should we appear to our customers?
       • Internal Business Process: To satisfy our shareholders and customers, what business processes must we aim at?
       • Learning and Growth: To achieve our vision, how will we sustain our ability to change and improve?

    35. Frameworks – TOGAF
       From TOGAF version 8.1

    36. Frameworks – TOGAF
       From TOGAF version 8.1

    37. Frameworks – Zachman
       From TOGAF version 8.1; framework image from ZIFA.com
    38. Standards – AcSOC & PSAB
       • AcSOC’s primary function is to serve the public interest by overseeing the activities of the Accounting Standards Board (AcSB) and the Public Sector Accounting Board (PSAB). The AcSB and the PSAB both develop and establish standards and guidance governing financial accounting and reporting in Canada. The AcSB sets standards for profit-oriented enterprises and not-for-profit organizations, while the PSAB sets standards for public sector entities.

    39. Standards – PSAB
       • Focus: Accounting standards for public sector entities
       • Consider PSAB when you need “to maintain the financial integrity of the entity” (Council role “e”)

    40. Standards – ISO/IEC 17799
       • ISO 17799 Information Technology
         • Code of Practice for Information Security Management
         • Published by the International Organisation for Standardisation (http://www.iso.org) and the International Electrotechnical Commission (http://www.iec.org)

    41. Standards – CMMI
       • Best-known maturity model
         • Initial
         • Repeatable
         • Defined
         • Measurable
         • Optimized
       CMMI as described by:
       • 1 Initial: ad hoc, chaotic
       • 2 Managed: projects perform according to plan
       • 3 Defined: projects are more consistent across the organization
       • 4 Quantitatively managed: process performance is predictable
       • 5 Optimizing: continually improving process performance
       Steps between the levels: project management, process definition, process measurements, process control

    42. Standards – ISO 17799 Domains
       • Security Policy
       • Security Organization
       • Asset Classification and Control
       • Personnel Security
       • Physical and Environmental Security
       • Communications and Operations Management
       • Access Control
       • Systems Development & Maintenance
       • Business Continuity Management
       • Compliance

    43. Standards – ISO 17799
       • Focus:
         • Controls need to be established to ensure that the specific security objectives of the organization are met
       • Consider it when:
         • You need guidance regarding the establishment and operation of security controls

    44. Standards – PMBOK®
       • Project Management Body of Knowledge
       • Planning and controlling projects
       • Broadly applicable; small to large scale
       • Different domains or industries
       • Globally recognized
       • ANSI American National Standard
       • IEEE Standard

    45. Standards – PMBOK®
       • Focus:
         • Planning and control of projects
         • Commonly accepted framework
         • Not a ‘how’, but a ‘what’
       • Consider it when:
         • You are leading a small or large project or initiative

    46. Processes – Six Sigma
       Six Sigma was invented by Motorola in 1986 as a way to measure defects and improve quality. Since then, it has evolved into a business improvement methodology that focuses an organization on customer requirements, process alignment, analytical rigor and timely execution.

    47. Processes – Six Sigma
       • Focus:
         • Quality is defined by customer requirements for the chosen process
         • Defects are defined and counted
         • Inconsistencies in the process, known as variation, are studied
       • Consider it when:
         • The process involves producing a product or service for a customer and you want to measure improvements.

    48. Processes – LEAN (Kaizen)
       • Lean is about reducing or eliminating all activities that do not add value. It reduces or eliminates 8 principal sources of waste:
         • Waiting - set-up, changeover, no work, no operator, downtime
         • Inventory - stagnant work-in-process, spare parts, just-in-case
         • Overproduction - batch runs, minimum run rates
         • Extra Processing - rework, conditioning
         • Motion - non-adjacent processing, go-fer
         • Transportation - moving product
         • Defects - rejects
         • Underutilized People - THE GREATEST WASTE OF ALL!
       From a TechHelp presentation, www.techhelp.org
    49. Integration Matrix
       • What was the one common denominator for frameworks and standards?
       • Right! COBIT!
       • COBIT has been mapped to
         • COSO
         • ITIL
         • SEI-CMMI
         • PMBOK & Prince2
         • TOGAF
         • ISO 17799

    50. Integration Matrix
       * See note on Bill 198 – next slide
       Columns: Directives - Requirements | Frameworks | Standards | Processes
       • IT policy-based initiatives – Corporate: Orders in Council, Directives, Policy
       • IT sustainment – Social: Conservation, Environment, Health & Safety
       • IT development – Government: Federal, Provincial, Regional, Bill 198*
       IT governance integrating framework is COBIT. Also shown: COSO, ISO 17799, ITIL, BSC, PMBOK, TOGAF, PSAB, CMMI.
       Tools for success – Six-Sigma / Lean / other initiatives

    51. BILL 198
       • An Act to implement Budget measures and other initiatives of the Government
       • Bill 198 enables Ontario Municipal Statutes
       • Bill 198 also enables OSC regulations, but that’s not germane to this presentation…yet.
       • It may be in the future.
       • In the context of “a public sector entity”, there is the possibility that public sector entities may, at some point in time, be required to satisfy “OSC-type” regulations in a manner similar to public companies listed on the TSX and other exchanges. This is beginning to happen voluntarily in some places as a “matter of good governance”.

    52. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley. Why is this document so important?

    53. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)
       Figure elements: Internal Controls - Integrated Framework (not ERM); Version 2.0 benefits from lessons learned during the first two years; Auditing Standard 2 (AS2); COBIT Control Objectives; ITIL Activities; ISO 17799 Security; Sarbanes-Oxley Act of 2002; Bill 198

    54. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)
       • Why is this document so important?
         • The first edition has been downloaded more than a quarter of a million times*
         • De facto standard for evaluating information technology (IT) controls in support of compliance governance
         • More than 100 expert reviewers provided input to the second edition.
         • The second edition incorporates many of the lessons learned since the first edition of the publication was issued.
         • De facto road map for designing a governance initiative based on COBIT, which is already integrated with much of COSO, ITIL & ISO 17799
       * From the InsideSarbanesOxley.com blog: http://www.insidesarbanesoxley.com/sarbanes_oxley_blog/archive/2006_10_01_index.asp

    55. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)

    56. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)

    57. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)
       1. Plan and Scope
       2. Assess Risk

    58. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)
       3. Document Controls
       4.1 Evaluate Design
       4.2 Evaluate Operational Effectiveness

    59. Integration – How to Integrate
       IT Control Objectives for Sarbanes-Oxley (Cont.)
       5. Evaluate and Remediate Deficiencies
       6. Build Sustainability

    60. Integration – How to Integrate
       IT Governance Based on COBIT4
       • Follow the compliance road map
       • Use all of COBIT4’s control objectives initially
       • Scale back where not applicable
       • Scale up with other frameworks where applicable. For example:
         • The ITIL content in COBIT4 is there to ensure compliance with regulations; add more ITIL where appropriate
         • Same for ISO 17799, PMBOK, TOGAF & CMMI
         • Customize to fit your environment, as you did with the Tailored PM Framework

    61. Questions?
