Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study
Upcoming SlideShare
Loading in...5
×
 

Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study

on

  • 200 views

Presentation of paper "Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study" at WISG ACM conference, Chicago, 2006.

Presentation of paper "Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study" at WISG ACM conference, Chicago, 2006.

Statistics

Views

Total Views
200
Views on SlideShare
200
Embed Views
0

Actions

Likes
1
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study Presentation Transcript

  • The 1st ACM Workshop on Information Security Governance November 13, 2009 Chicago, USA Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study Christophe Feltus, Michaël Petit, Eric Dubois Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium The research was funded by the National Research Fund of Luxemburg
  • Introduction : • Governance of IT is becoming more and more necessary  Sarbanes-Oxley Act ▫ Transparency regarding account  Basel II ▫ Management of operational risk and people affectation for that task  ISO/IEC 38500:2008 ▫ Provide 6 principles for corporate governance of IT ▫ One principle dedicated to responsibility • Need for more responsibility, transparency, accountability, ethic, commitment
  • Introduction : • Companies are used to work with well-known management framework like :  ITIL (IT Information Library) ▫ a public library that focuses on IT services management for high-quality service provision  CIMOSA ▫ an enterprise architecture model to define industrial computer system architecture  ISO/IEC 15504 [7] ▫ a framework for the assessment of software processes  CobiT • As much responsibility models as frameworks
  • Introduction : • Many responsibility models means : ▫ No consensus between frameworks / no unique one ▫ No interoperability ▫ Many interpretations of the concepts • Objective of the research : ▫ Defining a common responsibility model • Research methodology : ▫ Analyse of the literature ▫ Elaboration of a responsibility model ▫ Successive refinement by comparing it with professional framework
  • Responsibility Responsibility: Foreword • Responsibility : abstract or concret concept ? • Many definitions in the literature • L. Cholvy proposes 3 of them : • Something bad happened and you caused it or could have prevented it • Obligation or moral duty to report or explain you actions or someone else’s action to a given authority (answerability) • Position, which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountablity) • ∆ def 1 def 2 = blame • ∆ def 2 def 3 = answerability ≠ accountability = position (rules)
  • Responsibility Responsibility: Foreword • D'Arcy McCallum : ▫ Responsibility is not something that you can actually assign to someone ▫ Responsibility, in fact, has to come from within ▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality ▫ And while you cannot assign responsibility, you can and do assign accountability...with the expectation that a person will execute the activity assigned to them to a standard of quality • Commonly accepted responsibility definitions encompass the idea of “having the obligation to ensure that something happens”.
  • Accountability Sanction Answerability ComposeCompose 1 11 0..1 1 Compose 1..* Accountability : o Obligation or moral duty to report or explain the action or someone else’s action to a given authority [Cholvy et al.] o Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.] o Accountability is composed of one answerability and zero or one sanction [Fox] Accountability Responsibility
  • Functional vs. Managerial Obligation Obligation : most frequent concept Functional vs. Structural Obligation [Dobson] : o functional obligation : what a employee must do with respect to a state of affairs (e.g. execute an activity) o structural (managerial) obligation : what a employee must do in order to fulfill a responsibility such as directing, supervising and monitoring Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability ComposeCompose 1 11 0..1 1 Compose 1..* Responsibility
  • Soft Accountability Hard Accountability Type of Type of Positive SanctionNegative Sanction Type of Type of OpaqueClear Type of Type of Transparency Generate 1 Compose 1..* Responsibility o Sanction is positive or negative  also : compensation or a remediation [Fox] o Transparency is clear : information access policies & reliable information o Transparency is opaque : information reveled nominally and ponctually Accountability Sanction Answerability Compose 1 11 0..1 1 Compose 1..* Responsibility Compose Accountability, Answerability, Transparency
  • Rights o Common but not systematically embedded concept o Capability : describes the possession of requisite qualities , skills or resourcs to performan action [Vernadat,F.B.][Yu et. Al][Qingfeng et al.] o Authority : the power to command and control others employees (CIMOSA) o Delegation right : right to transfer some part of the responsibility to another employee Access Right Type of Authority Type of Needed for Right Capability Type of Require 1 0..* Delegation Possibility Type of Accountability Sanction Answerability Compose 1 11 0..1 1 Compose 1..* Responsibility Compose Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..*
  • 1 Delegation Employee Delegation vs. affectation : o Affectation or Assignment is the action of linking an employee to a responsibility o Delegation is the transfer of an employee’s responsibility assignment to another employee  Right to further delegate the same obligation or not [Sommerville]  Delefation of accountability or not [Norman] Employee 1 0..* Commitment Antecedents Commitment Activate Type of1..* 1 Pledge Delegation Require 1 1..*0..* 1..* Is delegated Delegate Concernes Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Right Capability Type of Require 1 0..* Delegation Possibility Type of
  • Commitment Antecedents Commitment Commitment o Moral engagement to fulfill the action  difficult to integrate in a formalized framework o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspetives of the organization [O’Reilly and Chapman] o The relative strength of an individual’s identification with and involvement in a particular organization [Mowday] o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto] Right Capability Require 1 0..* Employee 1 0..* Activate Type of1..* 1 Pledge Delegation Possibility Delegation Require 1 1..*0..* 1..* Is delegated Delegate Concernes Type of Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Type of 1
  • Continuance Type of AffectiveNormative Type of Type of Commitment Outcomes Citizen Behavior Type of Provide 1 0..* Employee Retention Type of Employee Performance Type of Willingness to Exert Efforts Type of Activate 1..* 1 Side-bets Desire Maintain Membership Belief in Goals And Values Contribute to Contribute to Contribute to Feeling of Obligation Contribute to Type of Type of Type of Type of Commitment Antecedents Commitment Commitment
  • Complete responsibility model Commitment Antecedents Commitment 1 Employee 1 0..* Activate 1..* 1 Pledge Delegation 0..* 1..* Is delegated Delegate Concernes Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Right Require 1 0..*
  • The COBIT responsibility model Control Action 11..* Employee Role 0..* 0..* Is hold o COBIT’s control are composed of actions to perform (obligation) o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive,… o COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes. o RACI stands for Responsible, Accountable, Consulted and Informed o Role may be Responsible, Accountable, Consulted and Informed depending on the control and the task to perform. RACI Chart Responsible Accountable Consulted Informed
  • Control The COBIT responsibility model Employee Role Action 1 0..* 0..* 1..* Is hold RACI Chart o Responsibility and Accountability at the same conceptual level part of the RACI chart o Accountability : the employee who provides direction and authorizes an action o Responsibility : the employee who gets the action done o “An individual assumes his/her responsibility and is usually held accountable”  It is possible or not to be responsible and accountable at the same time o “IT management has the resources and accountability needed to meet service level targets”  Accountability is possessed and as consequence, may be seen as rather a capability (or a right) than an accountability (or an obligation). Responsible Accountable Consulted Informed Affected to 0..* 0..* 0..* 0..* 0..* 0..* 1..* 1..* Affected to Analyzed by Viewable by 0..* 0..* 0..* 0..* 1..* 1..* 1..* 1..* Affected to Affected to Affected to Affected to
  • Responsible Control Affected to 0..* The COBIT responsibility model Accountable Consulted Informed Employee Role Action RACI Chart 1 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* Capability Needs 0..* 0..* 1..* 1..* 1..* 1..* 1..* 1..* 1..* Affected to Analyzed by Viewable by Affected to Affected to Affected to Affected to Is hold o Capability doen’s exist systematically in COBIT. It is necessary for an employee to perform an action o Authorithy : ”person or group who has the authority to approve or accept the execution of an action”  A type of right to approved or accept an action. Authority is something provided to the person responsible. I.e. the action ”Assigning sufficient authority to the problem manager”
  • Capability Needs 0..*Responsible Control Affected to 0..* The COBIT responsibility model Accountable Consulted Informed Employee Role Action RACI Chart 1 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 1..* 1..* 1..* 1..* 1..* 1..* 1..* Affected to Analyzed by Viewable by Affected to Affected to Affected to Affected to Is hold Commitment Pledge 0..* 1 0..* 0..* 1 1 o Assignement/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility. o Commitment (appears in many controls but not explicitely defined)  […] employees are mindful of their compliance obligation (commitment antecedent)  “A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established”  “Obtain commitment and participation from the affected employees in the definition and execution of the project […]”
  • 1 Accountability Obligation Sanction Answerability Managerial Obligation Functional Obligation Type of Type of ComposeCompose Compose Compose Compose 1..*11 1 11 1..* 0..1 0..* Right Capability Type of Require 1 0..* ResponsibilityEmployee Affectation /Delegation 1 0..* Commitment Antecedents Commitment Activate Type of1..* 1 Pledge o Obligation, Right, Capability and Commitment are systematically integrated o Accountability no more perceived as an attribute that links an employee to an action and that is on the same level as the responsibility but as a component that composes this responsibility. o Informed no more perceived as a type of allocation/assignment of “role – action” but as a type of right for responsibility. o Consulted is no more seen as a type of allocation/delegation of “role – action” but as a type of responsibility. Proposed integration in COBIT ConsultedType of Informed Type of Responsibility Accountability
  • Cobit RACI Chart Case Study • Action : Identify system owner’s • From : PO4 Define the IT Processes, Organisation and relationship • RACI : Activity  Function  CFO Business Executive CIO Business Process Owner Head Operation Chief Architect Head Development Head IT Administration PMO Compliance, Audit, Risk and Security Identify System Owners C C A C R I I I I I
  • Enhancement 1 • HO is responsible, he gets the activity done but is not accountable for it. What happen if he doesn’t do it ? • CIO is accountable. He is answerable and sanctionable. HO is responsible and accountable for the task CIO is responsible and accountable for the managerial obligation regarding the task. Activity  Function  CFO Business Executive CIO Business Process Owner Head Operation Chief Architect Head Development Head IT Administration PMO Compliance, Audit, Risk and Security Identify System Owners C C A C R I I I I I
  • Enhancement 2 • CFO, BE and BPO are consulted. Does it imply something for them ? Consulted is not only a function. It is a responsibility. This means that responibility components needs to be clarify i.e. : the obligation, the accountability, or the right. Activity  Function  CFO Business Executive CIO Business Process Owner Head Operation Chief Architect Head Development Head IT Administration PMO Compliance, Audit, Risk and Security Identify System Owners C C A C R I I I I I
  • Enhancement 3 • CA, HD, HITA, PMO, CARS are informed. Is the information for everyone absolutly necessary ?  Informed is more a right than a function. Consequently, it should be attached to another task and a link should be created between the information and its use for another task. Activity  Function  CFO Business Executive CIO Business Process Owner Head Operation Chief Architect Head Development Head IT Administration PMO Compliance, Audit, Risk and Security Identify System Owners C C A C R I I I I I
  • Conclusion • Willingness to improve the governance of IT advocates for the definition of an innovative responsibility model, including meaningful responsibility concept. • Afterward, we have compare the responsibility model with the COBIT RACI chart and we have detected possible improvements. • Identify system owners action has been depicted to illustrate the added value of the model.
  • Thank you !
  • References • Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward Responsibility Concept, International Conference on Information & Communication Technologies: from Theory to Applications (IEEE ICTTA2008), May 2008, Damascus, Syria. • Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”), IEEE, March 2009, Fukuoka, Japan. • Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09) IEEE, May 2009, Rabat, Morocco. • Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.