Understanding IT Governance and Risk Management


Published on

Describes IT Governance Holistic Framework for establishing transparent relation between Business and IT environment.
Describes Governance services and Risk Management Methods

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Achieving broad-based operational excellence means going beyond individual operational
    services (such as running financial systems, supply chain systems, personnel systems) to all the
    services provided by the information technology infrastructure. Two points are important:
    the overall budget for IT operations and support must be divided into a set of defined
    products and services, so that all IT costs can be mapped to valuable business services; and
    all the services must achieve the desired level of efficiency, productivity, and reliability.
    In the portfolio view, the productivity of the total organization is the sum of the parts, so
    examining the parts from the perspective of the business could indicate where to focus for future
    improvement. In a traditional budget presentation, IT costs might be divided into such categories
    as mainframe operations, server operations, desktop services, data communications, voice
    communications, and so on, with each area claiming some productivity improvements that prove
    difficult for senior management to follow and accept. If, however, the categories are businessoriented
    products and services (described in section 4.3), then productivity could be related
    directly to business results. The most useful examples would be trends in the cost per financial
    transaction, cost per personnel action, cost of supply-chain management, and so on. The value
    side of the equation would show metrics of the time to do the monthly close, the ratio of internal
    promotions to external hires, the incidence of outages in the supply chain, and so on.
    The result of this approach would be only a few metrics but these would be compelling for
    senior management. Connected to business activities that senior management understand, they
    would follow a pattern: for each activity there would be one or two value metrics, a cost metric,
    and one or two service metrics. These could all easily be grouped into a management dashboard,
    so to speak, which might indeed guide the organization toward operational excellence, as
    illustrated in Figure 2. The dashboard is only the instrument panel; the management tool is an
    overall production system portfolio that represents the ongoing linkage of IT systems to the
  • Understanding IT Governance and Risk Management

    1. 1. Understanding about IT Governance and Risk Management Jiri Cejka, Senior Manager, dipl.El.-Ing, CISA jiri.cejka@is-governance.com
    2. 2. Outline 1. IT Governance Market Issues Business Management and dependence on IT Technology IT Governance Situation; 2. Holistic Framework for IT Governance Approach; Scope Objectives – IT Processes: Alignment Business and IT – IT Risks: Value/Cost Relationship and Risk measurement – Operational Excellence Client Benefits 3. Benefits of IT Governance framework 4. IT Governance Services & Methodologies Risk Management Services Jiri J. Cejka Methodologies and Tools 2
    3. 3. 1. IT Governance Market Issues Jiri J. Cejka 3
    4. 4. Business Management and dependence on IT Technology Today’s management: More dependent on IT technology to run its business to achieve competitive advantage The IT responsibility of corporate executive is growing: to ensure that systems and processes are properly controlled required level of governance is in place Businesses are continuously looking towards lower costs and value-for-money – from all aspects of business IT is becoming a significant expenditure – second after staff costs. Jiri J. Cejka 4
    5. 5. Example: What management need to know before investing into SW development Are funds available? Will the investment save us money? What is project payback period and ROI? Is this ROI higher then those who propose the alternative uses for money? What are the implications to business? (business processes, tax) Can SW be depreciated? If so can be used declining balance or straight depreciation schedules? How can the development engineer answer these questions? Solution by using the method to measure to produce numbers in terms of: productivity improvement cost reduction/avoidance quality improvements, and/or time-to-market reduction strategies Jiri J. Cejka 5
    6. 6. Situation The requirement coming from businesses: IT processes must be appropriately controlled Management is under pressure from regulators and the capital markets: Competitive advantage is gained from IT investment As a result companies seek incremental advantages from use of cutting edge technology: By turning to the third party providers By implementing optimising programs Jiri J. Cejka 6
    7. 7. Issues to be solved The reliance IT raises number of issues: How can management effectively manage its organisation? How can management understand the control structure? How can the external auditor gain sufficient audit evidence? “How could Business understand the impact of IT?” Jiri J. Cejka 7
    8. 8. 2. IT Governance Holistic Framework Jiri J. Cejka 8
    9. 9. Outline Approach Value of IT to Business - Examples, View What do we need Framework IT Governance - Objectives Objective 1: Business - IT Alignment; IT Processes Analysis Objective 2: Value /Cost Relationship; Risks Measures Objective 3: Operational excellence Implementation of Infrastructure, Outsourcing Condition of success Benefits Communication channels Summary of benefits Jiri J. Cejka 9
    10. 10. Value of IT to Business: Examples To measure value of IT is not a new idea - Examples: 1. What Added Value is your IT giving? – – 1. IT involvement in the business imperatives Vision of IT that could be shared by business and IT leaders More money wasted in IT that created? – 1. IT System will pay off only if design and management are based upon culture and politics that are intended to support Focus on strategic instinct of Business Mgrs? – Evaluating IT based on ability to improve operations? Right ideas but: business does not derive benefits it needs from spending on IT required level of business-IT alignment and integration not good enough. As a result the Business leaders still have difficulties: lack of understanding of how IT could contribute to business difficult to reconcile IT costs with the value received. Jiri J. Cejka 10
    11. 11. Value of IT to Business: View 1 Since decades business-IT alignment has been emphasized - with focus on management of IT projects however they represent normally 25-30% of IT Budget only To manage IT properly Value/Cost relationship need to be focused on other IT components that project development: operation of business applications support service - marketing, sales, utility application Example: operational and support services are production phase of IT project project not ready with acceptance tests but following maintenance, operation support are included: project costs less relevant Framework with value metrics to organize project, operation and support phase: integrated Project portfolio with development and production activities accounting perspective: capital vs. operating expense Jiri J. Cejka 11
    12. 12. Value of IT to Business - View 2 Business value of new functionality delivered by IT project created by both development nor production shared and consistent approach to manage value/costs Project management: post-implementation phase to be extended continuing relevance/value to business efficient and reliable operation is part of project Benefit of this holistic approach: limited focus on project as an “investment” is stopped: – – management has continuous cost/value overview – Jiri J. Cejka success/failure of project measured with operational work the monitoring results are applicable to future projects 12
    13. 13. What do we need? Challenge of governing enterprise’s IT is recognized since years, however the results do not give the required level of alignment and integration. An approach is needed that is inclusive – with a scope reflecting range of activities and responsibilities of IT – and specific. Holistic Framework addressing three Primary Objectives: 1. 2. Relates costs of IT with the value brought to business 3. Jiri J. Cejka Fosters strategic and tactical alignment of IT with Business Support drive toward operational excellence 13
    14. 14. Objective 1: How to align IT Business? Goal: “Identify the strategic important elements of business value to which IT can significantly contribute:” Two classical views of IT for businesses, i.e. providing of information vs. supporting information services has changed – Examples: Implementing new sales strategy, planning responsive technology push of internet Information is now an integral part of the business: – Role of IT expands: alignment even more important for business Step 1. Identify main value-adding activities and linked strategies Identify the opportunities to use information services to support business strategy Add new activities as a part of IT portfolio - basis for alignment Metrics for business value have to be identified and implemented by both business and IT Jiri J. Cejka 14
    15. 15. Objective 1: How to align ITBusiness? Step 2. Ensure involvement of senior management: strategic planning Ongoing dialogue necessary Full understanding of planned use and impact of IT technology Formal decision making - critical decision fully committed Step 3. Organize the environment to optimise IT Processes Implement process to perform planning by both IT and business mgr – Business leader develop IT fluency – IT leaders business fluency Implement process of managing execution – – Management commitments, contracts, project teams, deliverables – Jiri J. Cejka division in phases, definition of decisions stages develop of process to maintain and tune the strategy 15
    16. 16. Objective 2: How to manage ValueCost Relationship and IT portfolio? Goal: “How to institutionalise the developed way of alignment Business - IT?” Focus on active management of IT portfolio Initial development of IT portfolio needs adaptations with changed needs, opportunities and priorities Step 1. Find way how to characterize the IT portfolio for management Collection of techniques that provide understanding – Risk-Business Transformation - Volume of value measurement – Interpretation allows Management to make decisions – further views: Net present Value Result balanced portfolio aligned with Strategy Jiri J. Cejka 16
    17. 17. Objective 2: How to manage ValueCost Relationship and IT portfolio? Step 2. Clarify process for managing the IT portfolio Annual review, reviews depending on changes Checkpoints, balance resources Step 3. Make sure that decisions are based on organisation’s needs Example: Resources allocated on relative strategic value of competing projects is better than even allocation across all units using different tools to describe projects and analysing both – risk profiles – potential business value Result: – Jiri J. Cejka Business-visible impact of alternative decisions 17
    18. 18. Objective 3: Service management and Operational Excellence Goal: “By selection of right metrics that drive the performance provide better understanding for management” Step 1. Identify Elements of Business value Step 2. Transform the Qualitative measures into Quantitative by setting thresholds or targets Step 3. Use metrics that are tied closely with business performance predefined set of “interesting metrics” is not the right way. Example 1: Install program where chosen measure is “higher yield” Metric is ratio of products with higher quality: target financial benefit Jiri J. Cejka 18
    19. 19. Objective 3: Service management and Operational Excellence Example 2: Improve customer focus with installed support sales system Metric is ratio assessment of customer satisfaction Example 3: Implementation of Cost / Performance with preventive measurement system Several metrics needed (depreciation, maintenance cots, lease) If scope of system changes slowly (list of equipment) - total costs fine If changes are rapid: volume adjustment and unit cost are relevant Jiri J. Cejka 19
    20. 20. Objective 3: Service management and Operational Excellence Required Implication for the organization: Define formal organization structure responsible for service – Assigning product / service management – Positive effect: tightly focused responsibility and accountability Operation for business users requires both business and technical expertise: – business and technical aspects correct evaluated – ensure accuracy, completeness, consistency Ideal Goal: “Creating product-management organization including both skills” Jiri J. Cejka 20
    21. 21. Objective 3: Operational Excellence Goal : “Achieve the measurable efficiency, productivity and reliability of services in terms of business value” Step 1. Divide the overall budget for IT operations and support into a set of defined products/services Step 2. All costs to be mapped into valuable business services Step 3. Measure the productivity in terms of total organization business orientation: Classic technical orientation: costs of mainframe, desktop, split into parts that are difficult to follow by senior management New approach: Costs directly oriented with business results: cost per transaction, cost of SCM, personal action. Benefits Result: Only a few metrics are used, however they are compelling for senior management: 1-2 value metrics, 1 cost metric and 1-2 service metrics Jiri J. Cejka 21
    22. 22. Implication for Outsourcing Benchmarking measurement of IT services with external providers measurement of costs, volumes and quality of services Further factors - dependency, hidden costs, flexibility Two frequent factors for outsourcing: The internal IT organization has failed to achieve cost/value relationship required by management Expectation that outsourcer performs task better However two risks are frequent the data to support these decision are missing the approach to evaluate the outsourcer is not existing Holistic approach developed can help to Develop appropriate metrics to support necessary analysis The same tool to be used to measure internal and external service Management of outsourcing relationship and contracts Business view: combination of costs, service level and quality Jiri J. Cejka 22
    23. 23. Implementing the IT Governance Framework Two aspects for successful implementation of IT Governance framework: 1. Behavioural and procedural aspect Disciplines involved in managing programs/projects must be accepted New practises of management ad reporting must be adopted – Approach: starting with visible project – Training new methods 2. Automation of data collection Relying upon ad hoc methods is time and resources consuming Automating allows more time to analyse and to communicate Jiri J. Cejka 23
    24. 24. 3. Benefits IT Governance Benefits of IT Governance framework Jiri J. Cejka 24
    25. 25. Benefit 1: Communication between Business and IT groups Senior Business management Business improvement that results from their knowledge participation in IT decision making Mid-level Business manager position not sure that IT function will justify given resources 1. Win: IT governance management framework and tool to communicate with senior management 2. Win: to help communicate with IT management to ensure that business services they are responsible will meet commitments Senior IT manager 1. Win: Communicate with senior business managers 2. Win: Communication with IT staff Clear focus on important strategic and operational issues Project and Product Service managers - proposed framework helps to explain the IT issue in business terms develop realistic “service contracts” Jiri J. Cejka 25
    26. 26. Benefit 2: Communication between Business and IT groups Senior IT Management Senior Business Management Middle IT Management IT Projects, Products & Services Middle level Business Management Jiri J. Cejka 26
    27. 27. Summary of Benefits of IT Governance framework in place Benefits extend business and IT functions Facilitating communication about how IT contributes to the business across levels and functions improves coordination and cooperationManagers learns more about effort that they affect Communication to leaders clear Result Synergy will increase Duplication of effort reduced Effectiveness of project delivery grows Jiri J. Cejka 27
    28. 28. 4. IT Governance and Risk Management Services, Methodologies Services Methodologies and Tools Jiri J. Cejka 28
    29. 29. IT Governance Environment Value for money: is management getting value for money from their IT spend / IT skills? is IT addressing the business strategy?; IT accountability; KPIs in the business; managing constant change in IT; and project directors increasingly being major budget holders. Internal audit: Internal IT audit skills outsourcing of internal audit Technology: imaging, data capture and electronic document management; use of the internet; and knowledge management. Corporate Governance: Governance of controls and risk self assessment Initiatives on control and risk self assessment. Jiri J. Cejka 29
    30. 30. Governance Services Either in terms of the target of the review/advice, or the readership of the report Outsourcing: continued outsourcing of IT (service level agreements); outsourcing security administration; third party reviews. Regulation: Regulatory authority reviews; privacy/data protection laws; Software licensing laws; Ethical IT; and health, safety and environment issues. Transactions: Transaction Services, Corporate Finance; Increased focus on IT security in commercial sector - new security techniques. Jiri J. Cejka 30
    31. 31. Governance Methods and Tools Process Assessment and Improvement Tools Business Management Process BMP Strategic Analysis, Performance Analysis Process Performance Improvement (BPI) – Balance Score Card (BSC) – Active Based Costing (ABM) Risk Management Tools Environment: – IT Risk Management Benchmarking (ITRMB) Project: – – Jiri J. Cejka Project Risk Assessment: Project management Methodology (PMM) Project management Control Method: Rational Unified Process (RUP) 31
    32. 32. Business Management Process BMP BMP is about assessing the risk our clients face. Business risks are diverse and constantly changing: as the business world becomes more and more reliant on technology, technology risks become critical to manage there are many points within the BMP audit in which the technology component of business risk are addressed Equations: Business risk = Audit risk Technology Risk = Audit risk Jiri J. Cejka BMP‘s added value: by assessing of client risk in all its forms and delivering more valuable business solutions to meet the client's diverse needs. 32
    33. 33. Strategic Analysis Strategic Analysis is the framework to process the fundamental business risks associated with the client's strategy and their ability to execute that strategy Review Background Information Jiri J. Cejka Understand Bus. Objectives Strategy & Technology Use 33 Identify Significant Strategic Risks Review Findings and Conclusions Document Findings and Conclusions in Workpapers
    34. 34. Business Performance Analysis BPA Focused area: risk assessment and process analysis, utilising information on key performance indicators. Strategic and Process analysis, Testing control. Approach involves identifying and gaining an understanding of the client's key processes for identifying business risks, understanding how the client mitigates risk. Assist in BPA for Key Processes that are Technically Dependent Jiri J. Cejka Perform BPA For Key Processes that are Highly Techn. Dependent 34 Review Findings and Conclusions Document Findings and Conclusions in Workpapers
    35. 35. Business Performance Improvement BPI New Performance Measurement Design Details Design High Level Design Design Solution Details Conceptual Solution IT Assessment Focus Focus Build New Org. Structure Build and Test Performance Performance Management Management Deploy Implement Program Program Management Management Enhance Envision Enhance Envision Awaken Certification Strategic Plan Jiri J. Cejka 35
    36. 36. BPI: Visualization of Perspective using Balanced Score Card (BSC) How should we appear to our customers? Financial Perspective • Critical SuccessFactors • Performance Indicators • Targets Customer Perspective Vision and Strategy • Critical SuccessFactors • Performance Indicators • Targets How do we appear to our shareholders? What financial outcomes do we need to generate? Organizational Learning Perspective • Critical SuccessFactors • Performance Indicators • Targets Process/Product Perspective What business processes must we excel at to satisfy our customers and owners? Are these processes effective (i.e. adding value for customers)? Are they efficient? Jiri J. Cejka • Critical SuccessFactors • Performance Indicators • Targets 36 Are we able to sustain innovation, change and improvement? How will we maintain our ability to meet customer expectations?
    37. 37. BPI Approach: Process Improving “Best-in-class” product delivery times 9 7 1 6 9 Define 2 5 2 3 4 Develop 3 8 7 8 Produce 8 5 2 4 Market 9 1 2 2 Service 8 Identify focused areas Consistently competitive pricing 2 Weighted average Highly accurate customer orders 2 Critical Success Factors Rapid development and launch of new products 9 Process Impact Analysis Long-term customer loyalty and satisfaction 2 3 9 6 Account Critical Success Factors Business Processes Total Elapsed Time Customer Process Workflow Visualization of bottlenecks This Segment Elapsed Time Opportunities Estimating of Risks and Costs Benefits of Priority Opportunities Risks or constraints Benefits This Segment Elapsed Time Costs • Eliminates cost of cutting a • Comp-Sys can be used for cheque. Savings of $1/claim change at no cost; Time / ($110,000 a month) Resources required to revise • Increased customer satisfaction forms Risks/Constraints • Need to create a link to Banks; Banks require leadtime (3 and 15 days) to clear payments • Implement a Document Imaging Systemscanning and processing to allow of forms, receipts and related documentation. • Reduced time delays • ~ $1,000,000 ; • Reduced errors and inaccurate Resources required to handle payments to customers the large volume of documents • Reduced learning curve for new staff The new system must process over • Reduced hand-offs 30,000 documents/year. • Enable Assembly Clerks to sort and classify claim forms associated with implementing Jiri J. Cejka • Establish an Electronic Funds Transfer (EFT) system in order to eliminate the need to generate cheques. This Segment Elapsed Time 37 • Reduced bottlenecks • Greatly increased productivity • Requires retraining of staff • May require additional resources • Create an electronic catalogue of existing reports. (Comp-Sys could be used to enable this change). • Improved quality of reports • Improved customer service • The cost of enabling this change with Comp-Sys is $200,000. • Requires method for updating the catalogue; Use of different platforms makes access for all difficult • Process ID cards in Sales Offices (may require additional printers) • Reduced delays to process and print cards • Cost of forty new printers for ID cards at a cost of $2,000 each, plus installation/tests (~$10,000). • Requires additional time to install printers in offices
    38. 38. Risk Assessment Methods Risk Assessment considers management's perceptions, assumptions, and judgments about business risks and controls. It delivers audit evidence through substantive audit procedures. IT Risk Management Benchmarking (ITRMB) Project Management Methodology (PMM) Project Risk Assessment Project management and control: Rational Unified Process (RUP) Jiri J. Cejka 38
    39. 39. IT Risk Management Benchmark ITRMB Scope: provide an objective means of reviewing the risks in relation to use of IT, and ensure that they are being controlled provide a means of benchmarking organisation’s key IT Risks and Controls against other organisations; review organisations' IT Controls against the BS7799. Benefits: Substantiate issues reported to management Allow management to benchmark corporate performance in the fields of IT risk and IT controls. Provide a high level assurance to management of their compliance with the British Standard on IS Management; Allow management to benchmark internally. i.e. between different operations. Jiri J. Cejka 39
    40. 40. Project Risk Assessment Scope of Process: involves the identification, analysis, management and monitoring of risk Approach after identification of potential risks: determine the relative exposure in terms of time and cost, to reduce the level of risk to an acceptable level. identify both preventive actions and contingency actions (to mitigate the impact of the risk if it materializes) Benefits of Risk Management Process : Is proactive, focusing on prevention rather than cure Includes periodic risk assessments throughout the work lifecycle Jiri J. Cejka 40