ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk Enterprise in Governance of IT - shared


Published on: ISACA Indonesia Special Technical Session, 9 September 2013 @ Gran Sahid, Jakarta, Indonesia, featuring Prof Erik Guldentops, CISA, CISM


Transcript of "ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk Enterprise in Governance of IT - shared"

EG – Sep 2013 – page 1 of 60

REFLECTIONS ON RISK AND VALUE IN ENTERPRISE GOVERNANCE OF IT
A story of risk, value, uncertainty, aircraft carriers, racing cars and sailing trips.
ISACA Indonesia Expert Event, September 2013
Erik Guldentops, Antwerp Management School, Belgium

RISK AND VALUE
Positioning risk and value within enterprise governance of IT
ISACA Indonesia Expert Event, September 2013
Enterprise Governance of IT
Top management needs to know that IT is:
• Likely to achieve its objectives
• Resilient enough to learn and adapt
• Judiciously managing its resources
• Appropriately recognising opportunities
• Obtaining enterprise value from IT-enabled business initiatives
• Applying "due care" about IT-related risks
From "The IT Governance Briefing", ITGI, www.isaca.org
(Figure: IT Governance Domains, including Resource Management)

Enterprise Governance of IT
• Essentially two things
• Risk and Value
From "CobiT5: A Business Framework", www.isaca.org
(Figure: IT Governance Domains, including Resource Management)
Enterprise Governance of IT
• Essentially two things
• Risk and Value
• Entirely intertwined
Value = (Benefits – Costs) adjusted for Risk
From "ValIT Governance of IT Investments", www.isaca.org
(Figure: IT Governance Domains, including Resource Management)

IMPLEMENTING IT GOVERNANCE (www.isaca.org)
IT Governance: provide direction, set objectives, evaluate performance.
Set Objectives:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT Management: translate direction into strategy, translate strategy into action, measure and report performance.
Translate strategy into action:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability & compliance)
IMPLEMENTING IT GOVERNANCE
(Figure-only slide)

IMPLEMENTING IT GOVERNANCE
• Are we doing the right things?
• Are we doing them the right way?
• Are we doing them well?
• Are we getting the benefits?
• Are we governing things properly?
IMPLEMENTING IT GOVERNANCE
The Board: providing high-level direction and control.
Executive Management: translating direction into plans, focussing on the bottom-line results.
Line Management: translating plans into action and ensuring adequate performance.

IMPLEMENTING IT GOVERNANCE: The engines of IT Governance
Where do we want to be? Objectives, set out in the IT Strategy.
What are we doing to achieve them? The Portfolio (Programmes, Projects, Services, Resources), justified by IT Business Cases.
How do we know we are progressing? IT Scorecards covering Delivery Performance, Service Quality, Resource Utilisation, Benefits Realisation and Risk Reduction.
IMPLEMENTING IT GOVERNANCE: Why invest in better governance of IT Risk and IT Value?
(Figure: Management Practices Score against Intensity of IT deployment, cells labelled 0, +2%, +8% and +20%. McKinsey & London School of Economics, surveying 100 companies, Oct 2005)

RISK AND VALUE
How well are we doing in respect of minimising risk and optimising value of IT?
ISACA Indonesia Expert Event, September 2013
How are we dealing with Risk and Value? Enterprise Governance of IT
(Figure: "One thousand 1000,-")

RISK AND VALUE
How well is the industry doing in respect of minimising risk and optimising value of IT?
ISACA Indonesia Expert Event, September 2013
How are we dealing with Risk and Value? Enterprise Governance of IT
(Two figure slides: ITGI, ING and IBM – 2006 – in support of ValIT)
How are we dealing with Risk and Value? Enterprise Governance of IT
(Figure: benefit realisation chain – Programme design and initiation, IT Solution Delivery, IT Operational Implementation, IT Service Delivery, Business changes, Business integration, Business Operation, Benefit Realisation; one stage carries a tick, three carry a cross)

How are we dealing with Risk and Value? Enterprise Governance of IT
Hope is not a method!
How are we doing about Value?
Business case: Expected Benefits €114m against a budget of €100m.
Budgeted ROI = (€114m – €100m) / €100m × 100% = +14% (ROI as expected in the Business Case)
Actual ROI allowing for typical solution delivery performance (SDP):
Actual ROI = (€114m × 84% × 1/1.12 – €100m × 124%) / €100m × 100% = –38%
where 84% is the functionality achieved (–16%), 124% the budget overrun (+24%) and 1/1.12 the discount for approximately 6 months' delay, benefits being discounted at a 12% after-tax rate.
(Figure: cumulative cashflow (€) over time, expected ROI = 14% against actual ROI after SDP corrections = –38%)
We don't learn from our past.

How are we doing about Value? We don't learn from our past.
(Figure: Solution Delivery Performance – theoretical curve, empirical curve and good fit, showing the correction in the business case)
How are we dealing with Risk and Value? Enterprise Governance of IT
(Figure: CIONet and ISACA – Survey of 56 CIOs – Aug 2009; followed by a figure-only slide)
How are we dealing with Risk and Value? Enterprise Governance of IT
(Two figure slides: CIO/CEO discussion topics by priority – CIONet and ISACA Survey, Aug 2012, of 90 CIOs; dimensions Depth, Frequency, Mechanism; topics Cost, Effectiveness, Agile/Innovation, Risk)
How are we dealing with Risk and Value? Enterprise Governance of IT
(Figure: List of IT Outsourcing Risks from one of the most important academic sources on the subject)

How are we dealing with Risk and Value? Enterprise Governance of IT
Examples: Lack of appropriate governance, Unhappy users, Biased portrayal by vendor, Low process maturity, Hidden costs
RISK = an important THREAT that, applied to an applicable VULNERABILITY, results in a significant business IMPACT
Risk Scenarios: an important mechanism for risk management, and especially for debating and deciding on risk relevance and mitigation
The right terminology?
Risk management process: Resource Assessment → Threat Assessment → Vulnerability Assessment → Risk Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow-up

The right terminology?
I. Threat
  a. Unintentional
    5. Acts of God
    6. Accidents
    7. Errors of Omission
    8. Errors of Commission
  b. Intentional
    9. Fraud
    10. Damage
    11. Sabotage
The right terminology?
II. Vulnerability
  a. Inherent Susceptibility
    1. Type of Business (internal)
    2. Environment (external)
  b. Control Deficiency
    3. Absence of Controls
    4. Ineffectiveness of Controls

The right terminology?
Process restated with Impact Assessment in place of Risk Assessment: Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow-up
III. Impact
  a. Tangible
    12. Financial
    13. People
  b. Intangible
    14. Reputation
    15. Business Continuity
    16. Competitiveness
The right terminology? IT Risk Analysis
Threat Assessment + Vulnerability Assessment + Impact Assessment → RISK
I. Vulnerability: a. Inherent Susceptibility (1. Type of Business (internal), 2. Environment (external)); b. Control Deficiency (3. Absence of Controls, 4. Ineffectiveness of Controls)
II. Threat: a. Unintentional (5. Acts of God, 6. Accidents, 7. Errors of Omission, 8. Errors of Commission); b. Intentional (9. Fraud, 10. Damage, 11. Sabotage)
III. Impact: a. Tangible (12. Financial, 13. People); b. Intangible (14. Reputation, 15. Business Continuity, 16. Competitiveness)

The right focus?
(Figure: origin of incidents, Insiders 70, Collusion 25, Outsiders 5; based on combined sources from 2006 – ISF, E&Y, CSI etc.)
Note: Within the largest group, 'Internal Errors & Omissions', there are significantly more errors of commission than omission.
The right focus?
1. Just over one third is theft, either
  ◦ in collusion with outsiders (22%)
  ◦ by insiders (10%)
  ◦ by outsiders (3%)
2. Just under one third is errors by commission
  ◦ no or bad instructions
  ◦ wrong instructions
  ◦ wrong examples
3. Well under one third is errors by omission
  ◦ awareness, training & education
  ◦ discipline & motivation
  ◦ remuneration & enforcement

How are we dealing with Risk and Value? Enterprise Governance of IT
(Figure-only slide)
Developing IT Risk Scenarios
Scenario template: <an important business impact caused by a significant threat exploiting an applicable vulnerability>, each rated for Probability of Occurrence (H, M, L) and Impact (H, M, L).

Nr | Description | Probability of Occurrence | Impact
-- | ----------- | ------------------------- | ------
   | Vandalism to the production chain (V) by disgruntled employees (T) results in delivery of faulty products (I) | H, M, L | H, M, L
   | Faulty products delivered to customers (T) is followed by litigation (V) resulting in fines and lawyer fees (I) | H, M, L | H, M, L

How are we dealing with Risk and Value? Enterprise Governance of IT
For both risk and value, accept uncertainty and deal with it!
How should we be dealing with Risk and Value? Enterprise Governance of IT
• Simple model
• Clear responsibilities and accountabilities
• Monitor, direct and evaluate
• Tools: Scorecards and Business Cases
• Structured interactions

How should we be dealing with Risk and Value? Enterprise Governance of IT
• Manage uncertainty
• Portfolio management of all major initiatives
• Business cases take into account past history, all activities to achieve the benefits and the full economic lifecycle of the initiative
• Business cases assign clear accountabilities and are continuously kept up-to-date
• Focus on initiatives that fit with strategy, reuse resources and have top management's support
How should we be dealing with Risk and Value? Enterprise Governance of IT
• Accept and manage uncertainty
• Define risk tolerance at the top
• Continuous pragmatic approach
• Identification, awareness, responsiveness
• Less focus on big risks and more on day-to-day value preservation
• Clarity of definitions and concepts and the use of risk scenarios
• Awareness of bias (capability, subjectivity, sensational)
