A Value Centric Approach to Governance Risk & Compliance
Presentation by Aaron Weller for InnoTech Oregon 2011.

  • 1. A Value Centric Approach to Governance, Risk & Compliance
    Aaron Weller, CGEIT
    CEO, Concise Consulting
    @GotPrivacy
  • 2. Last Slide First
    1. IT departments too often focus on delivering something rather than delivering value
    2. Risk and Compliance often distract from Governance rather than complementing it
    3. Good Governance models exist. Wheel invention skills are not required.
    4. Governance is important but not urgent. Find ways to make it urgent.
    5. Measure things. Ideally, useful things.
  • 3. The Information Paradox
    – More and more businesses see IT as absolutely vital to their continued success and ability to operate.
    – More and more money is being invested in IT (albeit with a temporary blip over the last couple of years).
    – Yet… a large proportion of IT investments fail to deliver what was expected.
    – Q: What is missing?
  • 4. A: Focus on VALUE
    How often does the question get asked: “Are we maximizing the value of our IT-enabled business investments such that:
    – We are getting optimal benefits
    – At an affordable cost
    – With an acceptable level of risk
    … over the full economic life cycle of the investment?”
  • 5. Our Track Record
    – 62% of organizations experienced IT projects that failed to meet their schedules
    – 49% had budget overruns
    – 47% had higher-than-expected maintenance costs
    – 41% failed to deliver expected business value and ROI
    – 25%+ of all software and services projects are canceled before completion
    – Up to 80% of budgets are consumed fixing self-inflicted problems
    Remember that every piece of technology you run today was part of an implementation project at some time!
  • 6. [Diagram: Compliance, Risk and Governance shown as three overlapping areas]
  • 7. Key Takeaway
    Governance, Risk and Compliance should not be 3 separate activities. They should be 3 aspects of the same activity.
    Governance of Enterprise IT directs the IT organization to achieve business objectives, manage risks to those objectives and achieve compliance with laws and regulations.
  • 8. IT change (typically) < business change
    – The large majority of IT change results in even more significant change in the business that it supports.
    – Governance is as much about understanding how IT can help to achieve overall business goals as it is about optimizing what IT does.
    – There is nothing so useless as doing something well which does not need to be done.
  • 9. What does your organization want from IT?
    1. Utility Provider – primary purpose is to provide common infrastructure and information management services.
    2. Process Optimizer – has two primary purposes: provide a common infrastructure and information management, as well as help optimize business processes and enable business-unit-specific objectives.
    3. Revenue Enabler – has three primary purposes: common information management services, business process optimization, as well as enabling customer-facing products and services.
    Source:
  • 10. Enabling Broader IT Strategy
    [Diagram: Services Required Tomorrow / Services Required Today / Services Offered Today]
    – Identify gaps
    – Prioritize business requirements
    – Develop plans to migrate from current state to desired state
    – Track and communicate progress in terms of business value
  • 11. Steps to Governance
    – Creating the right environment for Governance
      – Guiding principles
      – Framework for accountability
      – Measuring results
    – Implementing a lifecycle approach
      – Aligning with the ‘rhythm of the business’
      – A journey, not a destination
  • 12. Know what this is? [Image]
  • 13. One View of IT Governance
    [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    Source: ISACA Board Briefing on IT Governance
  • 14. Another View – 6 Principles
    1. Responsibility: Individuals and groups understand and accept their responsibilities
    2. Strategy: Business strategy takes into account current and future capabilities of IT
    3. Acquisition: IT acquisitions are made for valid reasons with balance between short and long term goals
    4. Performance: IT is fit for purpose in supporting the organization.
    5. Conformance: IT conforms with all mandatory legislation and regulations.
    6. Human Behavior: IT policies, practices and decisions demonstrate respect for human behavior.
    Source: ISO 38500 – Corporate Governance of IT
  • 15. Key Governance Questions
    Source: ValIT v2.0 (based on The Information Paradox)
  • 16. Two key governance outcomes
    1. Delivering IT value to the business
    2. Mitigating IT-related risks
  • 17. Another View of GRC
    [Diagram: Responsibilities → Principles → Objectives → Controls → Test Plans]
  • 18. Quick note on Risk Assessments
    “Best Practices are intended as the default for use by people who don’t have the time or skill to perform a proper risk assessment.”
    Gene Schultz
  • 19. Why Use Metrics?
    “There are two possible outcomes: if the result confirms your hypothesis, then you’ve made a measurement. If the result is contrary to your hypothesis, then you’ve made a discovery.”
    Enrico Fermi
  • 20. Measure the right things
  • 21. CMM For Metrics
    Focus (maturity levels, highest to lowest): Optimization, Efficiency, Baseline, Trending, Activity
    Sample Metrics / What gets reported:
    – Real time alerts and reporting based on baselines and trends
    – Effort to respond to each incident
    – Baselines set
    – Reports based on trending and baselines
    – Type detected
    – Severity
    – Resolution Time
    – # of policies documented
    – # detected per week/month/year
  • 22. What should be measured?
    – Key Compliance Indicators
    – Key Risk Indicators
    – Key Governance Indicators
    1. Activity level?
    2. Baseline level?
    3. Efficiency level?
  • 23. Good governance works
    A survey on IT governance conducted by ISACA and PwC found a positive statistical correlation between the maturity of IT governance practices and the outcomes delivered by IT.
    – When IT governance practices are more advanced, IT outcomes are better
    – Similarly, a lower state of advancement of IT governance practices correlates with poorer IT outcomes
  • 24. But can be challenging to achieve
    Only 38 percent of executives/senior management can describe their enterprise’s IT governance process. This is largely because in most cases, IT governance has not been designed; it has just developed ‘piecemeal’ in response to specific issues. [IT Governance, Weill and Ross]
    Only 40% of approved projects have realistic benefit statements.
    <10% of enterprises ensure that benefits are realized post-project.
    <5% of enterprises hold project stakeholders responsible for achieving planned benefits. [META Group]
    In many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that bring value to the enterprise. [Butler Group]
  • 25. “Two roads diverged in a wood, and I … I took the one less traveled by, and that has made all the difference.”
  • 26. Last Slide Last
    1. IT departments too often focus on delivering something rather than delivering value
    2. Risk and Compliance often distract from Governance rather than complementing it
    3. Good Governance models exist. Wheel invention skills are not required.
    4. Governance is important but not urgent. Find ways to make it urgent.
    5. Measure things. Ideally, useful things.
  • 27. Complex Problems? Concise Solutions.
    @GotPrivacy