After decades of struggle to be recognised as a strategic contributor, the IT function is finally being seen by C-level executives as an important part of the enterprise’s overall success. Even so, major concerns linger amongst these C-level executives around performance of the IT function and the staff that supports it. This is with good reason, since a number of enterprises have experienced significant financial loss associated with IT issues …
… but there is reason for hope as evidenced by the gains associated with effective IT shown in this slide. Good oversight over the information technology function is essential to its success. Successful enterprises recognise the benefits of IT and use it to drive stakeholder value.
IT governance goes a long way towards bridging the gap between corporate expectations and perceptions of the IT function. The need for top management direction and oversight regarding the value of IT and the management of IT-related risks is now understood as a key element of governance. Value, risk and control constitute the core of IT governance. IT governance consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives. Governance is not the sole responsibility of the CIO; it is the responsibility of an enterprise’s top executives and board of directors. Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:
• Aligning IT strategy with the business strategy
• Assuring investors and stakeholders that a ‘standard of due care’ around mitigating IT risks is being met by the enterprise
• Providing organisational structures that facilitate the implementation of strategy and goals
• Measuring IT’s performance
These are the benefits of sound IT governance.
The COBIT mission is to research, continually update, publicise and promote an authoritative, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. Now in its 4.1 release, the framework has been used successfully by IT organisations and business executives in many industries and of many sizes. COBIT provides a common language to communicate goals, objectives and expected results. A common language benefits all levels of IT, including management and stakeholders.
COBIT has been developed and is maintained by ISACA, together with industry experts and control and security professionals. Its content is based on ongoing research into IT good practice and is continuously maintained, providing an objective and practical resource for all types of users. COBIT is oriented towards the objectives and scope of IT governance, ensuring that its control framework is comprehensive, in alignment with enterprise governance principles and, therefore, acceptable to boards, executive management, auditors and regulators.
COBIT delivers significant benefits in areas that are fundamental to every enterprise: value, risk and control. Implementing COBIT also provides:
• Clearer security and privacy requirements, and more easily monitored implementation
• More efficient and successful audits
• IT compliance with regulatory requirements becoming a normal management practice
COBIT is based on the analysis and harmonisation of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals.
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the enterprise.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
When we think about COBIT and IT governance at the most fundamental level, there are four questions that every leader asks himself or herself when it comes to IT initiatives:
• Is my IT organisation doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:
• The actual performance of the enterprise—Where the enterprise is today
• The current status of the industry—The comparison
• The enterprise’s target for improvement—Where the enterprise wants to be
• The required growth path between ‘as-is’ and ‘to-be’
Let’s take a closer look at the COBIT framework. COBIT defines IT activities in a generic process model within four domains along with a set of information criteria. The four domains are: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps towards good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.
• Plan and Organise (PO)—Provides direction to solution delivery (AI) and service delivery (DS) (example controls: Define Strategic IT Plan, Manage Quality)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services (example controls: Identify Automated Solutions, Manage Changes)
• Deliver and Support (DS)—Receives the solutions and makes them usable for end users (example controls: Define and Manage Service Levels, Identify and Allocate Costs)
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed (example controls: Ensure Regulatory Compliance, Monitor and Evaluate IT Performance)
The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below each goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal. The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures. The metrics have been developed with the following characteristics in mind:
• A high insight-to-effort ratio (i.e., insight into performance and the achievement of goals as compared to the effort to capture them)
• Comparable internally (e.g., percent against a base or numbers over time)
• Comparable externally irrespective of enterprise size or industry
• Better to have a few good metrics (may even be one very good one that could be influenced by different means) than a longer list of lower-quality metrics
• Easy to measure, not to be confused with targets
COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The ‘RACI’ chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process. The roles in the RACI chart are categorised for all processes as:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head of operations
• Chief architect
• Head of development
• Head of IT administration (for large enterprises, the head of functions such as human resources, budgeting and internal control)
• The project management officer (PMO) or function
• Compliance, audit, risk and security (groups with control responsibilities but not operational IT responsibilities)
COBIT products have been organised into three levels designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals
This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT® Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT® Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).
COBIT is designed to be complementary to, and used together with, other standards and good practices. Detailed practices and standards such as ITIL, ISO 27001 and 27002, and PMBOK (the Project Management Body of Knowledge) cover specific areas and can be mapped to the COBIT framework, providing a hierarchy of guidance. Standards should be implemented to benefit the specific needs of businesses, and COBIT can help ensure that the various standards are aligned.
COBIT has been deliberately designed so that enterprises of all sizes and in all industries (including public and private businesses, and governmental and academic entities) can benefit from these tools. Sample companies that have implemented COBIT are included here; you can also find more at our web site.
If you would like to learn more, or are interested in taking the first steps, you will find that our web site has a wealth of material. The site offers not only a PDF version of COBIT that you can download free of charge, but also archived webcasts, case studies, access to the online discussion forum, and information on COBIT training.
Transforming Enterprise IT
IT Requires Executive Oversight
2009 ISACA All Rights reserved.
With good reason:
• An apparel manufacturing company’s difficulties in installing supply chain software cost it an estimated US $200 million
• A publicly traded company admitted that a virtual collapse of its financial reporting system reduced its market value by one-third in a single day
• An operational meltdown after the merger of two transportation companies was traced to the inability to coordinate their IT systems
Oversight Can Lead to Value Creation
IT can provide significant benefits, too:
• A major airline’s supply chain transformation improved the forecast of demand, reduced procurement costs and increased service levels while costs fell
• A technology products and services company saved US $12 billion over two years by linking up disparate pieces of its supply chain, thereby reducing inventory levels
IT Governance Is the Key Issue
• Enterprises are sacrificing money, productivity and competitive advantage by not implementing effective IT governance
• Executives need a better way to:
  • Direct IT for optimal advantage
  • Measure the value provided by IT
  • Manage IT-related risks
COBIT® Is a Road Map to Good IT Governance
• Accepted globally as a set of tools that ensures IT is working effectively
• Functions as an overarching framework
• Provides a common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
  • Strategic alignment of IT with business goals
  • Value delivery of services and new projects
  • Risk management
  • Resource management
  • Performance measurement
Developed by the Leader in IT Governance
• Professional association with 86,000 constituents
• Worldwide leader in IT governance, control, security and assurance
• Offers the CISA, CISM and CGEIT certifications
COBIT: Control Objectives for Information and related Technology
COBIT® Business Benefits
• COBIT® provides guidance for executive management to govern IT within the enterprise
  • More effective tools for IT to support business goals
  • More transparent and predictable full life-cycle IT costs
  • More timely and reliable information from IT
  • Higher quality IT services and more successful projects
  • More effective management of IT-related risks
Harmonising the Elements of IT Governance
(Diagram labels: IT Governance; Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement)
A Closer Look at COBIT
COBIT® Answers Key Business Questions
• Is my information technology organisation doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
* Based on the “Four Ares” as described by John Thorp in his book The Information Paradox, written jointly with Fujitsu, first published in 1998 and revised in 2003
The COBIT® Framework
COBIT® Defines Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
Defined Responsibilities for Each Process
RACI Chart (activities vs. functions). A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
• Link business goals to IT goals: C I A/R I C
• Identify critical dependencies and current performance: C C R A/R C C C C C C
• Build an IT strategic plan: A C C R I C C C C I C
• Build IT tactical plans: C I A C C C C C R I
• Analyse programme portfolios and manage project and service portfolios: C I I A R R C R C C I
COBIT® Products and Their Primary Audience
• COBIT, Risk IT and Val IT frameworks
• Implementing and Continually Improving IT Governance
• COBIT User Guide for Service Managers
• COBIT and Application Controls
COBIT® Harmonises Other Standards
• COBIT is often used at the highest level of IT governance
• It harmonises practices and standards such as ITIL, ISO 27001 and 27002, and PMBOK
  • Improves their alignment to business needs
  • Covers the full spectrum of IT-related activities
Used by Organisations Worldwide
• (for complete case studies visit www.isaca.org/cobitcasestudies)
‘We continue to recommend that enterprises use [COBIT] to challenge their established IT governance procedures and to improve the controls they have in place.’ —Gartner
Also used by Allstate, Harley-Davidson, the Bahrain Civil Service Bureau and many others
Getting Started
• Visit www.isaca.org/cobit to download the COBIT® framework