What Every Executive Needs To Know About IT Governance


The importance of IT Governance


1. What Every Executive Needs to Know About IT Governance
   Presented by Bill Lisse, CGEIT, CISSP, CISA, CHFI, CSSA, GPCI, GHSC
   Technology and Risk Services Manager, Battelle & Battelle LLP

2. Corporate Governance
   - Provides the structure for determining organizational objectives and monitoring performance to ensure that those objectives are attained
     - Defining strategic goals and desirable behaviors, and measuring outcomes
     - There is no single model of good corporate governance

3. IT Governance
   - Specifying the decision rights and accountability framework to encourage desirable behavior in the use of information system assets
     - Who makes decisions, why, and how?
   - IT governance simultaneously empowers and controls

4. IT Governance: Summary
   - Starts with business needs and priorities
   - Involves the business process owners in significant ways
   - Evaluates performance against business requirements

5. IT Governance Components (diagram)
   - Five focus areas: IT Strategic Alignment, IT Value Delivery, Risk Management, IT Resource Management, Performance Management
   - Linking Stakeholder Value Drivers to Competitive Advantage

6. IT Governance Frameworks
   - Control Objectives for Information and related Technology (COBIT)
   - The Information Technology Infrastructure Library (ITIL)
   - International Organization for Standardization (ISO)
     - ISO 20000: IT service management
     - ISO 27000 series: information security management
   - Committee of Sponsoring Organizations of the Treadway Commission (COSO)
     - Enterprise Risk Management Framework
     - Guidance for Smaller Public Companies
7. IT Strategic Alignment
   - Aligning the business with collaborative solutions (current and future)
     - Does the IT strategy support the enterprise strategy?
     - Does IT...
       - Add value to products and services?
       - Assist in competitive positioning?
       - Contain costs and improve administrative efficiency?
       - Increase managerial effectiveness?

8. IT Strategic Alignment
   - Define IT's strategic role
   - IT needs to understand its mission objectives as they relate to the business
   - Monitor the business impact of the IT applications and infrastructure portfolio
   - Involve stakeholders in IT investment decisions

9. IT Value Delivery
   - A clear understanding of requirements and the expected value of IT investments
     - Breaking into new markets
     - Driving competitive strategies
     - Increasing revenue generation
     - Improving quality and/or customer satisfaction
     - Assuring customer retention

10. IT Value Delivery
   - Clearly set expectations
     - Business requirements
     - Scalability and flexibility
     - Timeframes
     - Functionality
     - Operational soundness
     - Total cost of ownership
   Set a common language for value; otherwise, value is in the eye of the beholder.
11. Risk Management
   - Safeguarding IT assets and disaster recovery
     - A clear understanding of the organization's appetite for risk
     - Management-level approval for risk response
     - Due diligence
   "I cannot imagine any condition which could cause this ship to founder. I cannot conceive of any disaster happening to this vessel." (Captain of the Titanic, 1912)

12. Risk Management
   - Operational
     - Business disruptions (e.g. information security threats)
   - Financial (errors or fraud)
   - Compliance (FACTA, SOX §404, GLBA, PCI DSS, HIPAA, etc.)
     - Depends on the industry
   "If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighborhood. And while that may not be happening to your home, it probably is happening to any PC you connect to the net." (Mark Ward, Tracking down hi-tech crime)

13. Resource Management
   - Optimizing knowledge and infrastructure
     - IT personnel
       - Staffing, skills, training, etc.
     - Assets
       - Make vs. buy decisions
         - Enterprise Resource Planning (ERP) systems
         - Vendor management (service level agreements, SAS 70 reports, contracts)
     - IT project management
   The ability to balance the cost of infrastructure assets with the quality of service required is critical to successful value delivery.

14. Performance Management
   - Monitoring IT services and tracking project delivery
   - IT metrics using multiple indicators, perspectives and dimensions
   - Gartner Group's "Five Pillars"
     - Structure
     - Process
     - People
     - Alignment and communication
     - Tools, metrics and investment appraisal
15. Examples of Metrics for a Board Balanced Scorecard
   (Adapted from Epstein, M.J.; Roy, M.J.; "How Does Your Board Rate?," Strategic Finance, February 2004, pp. 25-31)

   Financial perspective
   - Objectives: Short-term financial success; Long-term financial success; Long-term success of changes
   - Example metrics: Return on investment; Stock price; Success of change

   Stakeholders perspective
   - Objectives: Ethical behavior and legal compliance; Corporate governance and accountability; Management of stakeholders' needs
   - Example metrics: Number of ethical/legal violations; Number of voluntary disclosures; Number of meetings with stakeholders

   Internal processes perspective
   - Objectives: Risk and crisis management; Performance evaluation systems; Review of strategic plans; Functioning of the board
   - Example metrics: Number of risk audits performed; Number of board members owning stock; Number of hours spent on strategic issues; Overall attendance at meetings

   Learning and growth perspective
   - Objectives: Succession for CEO; Composition of the board; Skills and knowledge
   - Example metrics: Interim CEO identified; Percent of directors financially literate; Existence of training programs
16. Performance Measurement
   - How often do IT projects fail to deliver?
   - Are end users satisfied with the quality of service?
   - How much of the IT effort is reactive rather than proactive?
   - Does management articulate and communicate business objectives for IT alignment?
   - How is the value delivered by IT measured?
17. IT Governance Maturity Model
   Maturity level:
   - 0: Non-Existent
   - 1: Initial / Ad Hoc
   - 2: Repeatable, but Intuitive
   - 3: Defined Process
   - 4: Managed & Measurable
   - 5: Optimized
18. Current Issues
   - Top Seven Business Issues
     - Regulatory compliance
     - Enterprise-based IT management and IT governance
     - Information security management
     - Disaster recovery / business continuity
     - IT value management
     - Challenges of managing IT risks
     - Compliance with financial reporting
   Source: ISACA Top Business/Technology Issues Survey Results, 2008
19. Next Steps
   - Set up a governance organizational framework
   - Align IT strategy with business goals
   - Understand and define risks
   - Define target areas
   - Analyze current capabilities and identify gaps
   - Develop improvement strategies
   - Measure results
   - Re-evaluate (at least annually)
20. Further Research
   - CIO Magazine: http://www.cio.com
   - IT Governance Institute (ITGI): http://www.iti.org
     - Board Briefing on IT Governance, 2nd Edition
   - IT Compliance Institute (ITCi): http://www.itcinstitute.com
   - ISACA: http://www.isaca.org
   - Institute of Internal Auditors: http://www.theiia.org
   - Measuring Performance and Demonstrating Results of Information Technology Investments: http://www.gao.gov/special.pubs/ai98089.pdf
   - IT Governance Domains Practices and Competencies: Measuring and Demonstrating the Value of IT: http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentFileID=14864
21. Conclusion
   - Contact information
     - Bill Lisse
     - Technology and Risk Services Manager
     - Battelle & Battelle LLP
     - Email: [email_address]
     - Voice: (937) 853-1490 (direct)
   "Organizations that are very, very good at doing things that are not important will never be market leaders." (Gary Cokins, Performance Management, 2004)