IT Governances


Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT.

Some thoughts on how IT risk, control, audit and assurance are evolving toward the broader concept of IT governance.

Why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business.

How it fits in the broader concepts of enterprise governance and how management and boards can address it.

Published in: Business

1. IT Governances
   Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT

2. Background
   • Some thoughts on how IT risk, control, audit and assurance are evolving toward the broader concept of IT governance.
   • Why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business.
   • How it fits in the broader concepts of enterprise governance and how management and boards can address it.

3. What IT problem?
   • Are they doing the right things?
   • Are they doing them the right way?
   • Are they being done well?
   • Are we getting benefits?

4. What does the board do?
   • IT Governance is the responsibility of the Board of Directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

5. How does management react?
   • Cascading strategy and goals
   • Organizational alignment
   • A control framework
   • Balanced business scorecard

6. Agenda
   • Stakeholders
   • Governance Framework
   • IT Alignment & Value Delivery
   • Performance Measurement
   • Risk Management
   • Security
   • Conclusions

7. Stakeholders
   • Stakeholders apply pressure
   • Shareholders and Executive - Lower cost, higher profitability and increased market share
   • Customers and Staff - More functionality at lower cost and greater ease of use
   • Society - Greater accountability for officers and executives in both the private and public sectors

8. What are customers saying?
   • Guarantee of delivery
   • Customer loyalty
   • Ease of use
   • Customer service
   • Security

9. How about the Regulators?
   • The Federal Reserve, SEC
   • and now Congress and the Treasury
   • The focus is now on operational risks (in which security and IT are significant)
   • All major risk issues have been caused by breakdowns in
       • Internal controls
       • Oversight
       • Information Technology

10. The President’s Commission on Critical Infrastructure Protection
   • Concern for extreme dependence of industry on IT
   • Two recommendations
       • Awareness of senior company officers
       • Need to address three technical improvements
           • Authenticate
           • Segregate
           • Make accountable

11. President Obama’s views on IT
   • Transparency and Connectedness
   • Network Neutrality
   • Information Sharing
   • Modern Communications Infrastructure
   • Modernize Public Safety Networks
   • Employ Science, Technology and Innovation to address key issues, particularly in the area of health

12. How about standards?
   • Cadbury: “…strengthen internal control…Boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
   • Turnbull: “…Board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”
   • BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

13. And what does management think?
   • “IT has been the longest running disappointment in business in the last 30 years!” - Jack Welch, CoB, GE
   • “Technology can help fulfill a visionary dream, but often its use is closer to a sobering nightmare!” - Vesa Vaino, CEO Merita Bank
   • “That must be why we are not shipping Windows yet!” (and NT, 2000, XP, Vista, …) - Bill Gates, CEO Microsoft
   • Insert your own CoB/BoD/CEO/CIO/CTO’s comments here - _________________________________________________________

14. Why Get Into Governance?
   • “Due diligence”
   • IT is critical to the business
   • IT is strategic to the business
   • Expectations and reality don’t match
   • IT hasn’t gotten the attention it deserves
   • IT involves huge investments and large risks

15. Due Diligence
   • Infrastructure and productive functions
   • Skills, culture, operating environment
   • Capabilities, risks, process knowledge and customer information
   • Service levels

16. IT Is Critical to Most Businesses
   • This criticality arises from:
   • The increasing dependence on information and the systems/communications that deliver it
   • The dependence on entities beyond the direct control of the enterprise
   • IT failures increasingly impacting reputation and enterprise value
   • The potential for technology to change business organizations and practices, create new opportunities and reduce costs
   • The risks of doing business in an interconnected world
   • The need to build and maintain knowledge essential to sustain and grow the business

17. IT Is Strategic to Most Businesses
   • If so, wouldn’t you want to know whether your organization’s IT is:
       • Likely to achieve its objectives?
       • Resilient enough to learn and adapt?
       • Judiciously managing the risks it faces?
       • Appropriately recognizing opportunities and acting on them?

18. Expectations
   • Harness and exploit IT to deliver business value
   • Provide fast development, with appropriate quality and with security
   • Ascertain that IT investments have a quantitative return and that IT does more with less
   • Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office

19. Reality
   • Business losses, damage to reputation, or a weakened competitive position
   • Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
   • The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
   • Technology that is inadequate for the enterprise or obsolete too soon
   • Poor support for the business
   • Deadlines that are not met
   • Costs that are higher than expected vs. quality and efficiency lower than anticipated

20. Why hasn’t IT received the attention it merits?
   • IT requires more technical insight than other disciplines do to understand how it:
       • Enables the enterprise
       • Creates risks
       • Gives rise to opportunities
   • IT has traditionally been treated as an entity separate from the business
   • IT is complex, and even more so in the extended enterprise operating in a networked (i.e., GLOBAL) economy

21. IT Involves Huge Investments and Risks
   • October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.
   • August 1997: UK investment managers, Save & Prosper, abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
   • 1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
   • October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.

22. (Son of) IT Involves Huge Investments and Risks
   • PayPal: “Why is there still so many problems with PayPal? I thought that class action lawsuit against it a few years back settled all of this stuff!”
   • eBay: Reputation and image deteriorate from both the seller’s and buyer’s perspectives.
   • Sept. 2008: Lehman Brothers filed for Chapter 11 bankruptcy protection; the filing marked the largest bankruptcy in U.S. history.
   • Dec. 2008: A Federal Judge appointed Irving Picard as Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC (BMIS) pursuant to the Securities Investor Protection Act (SIPA)

23. What Should Boards Do About It?
   • Be driven by stakeholder value
   • Adopt an IT governance framework
   • Ask the right questions
   • Focus on IT’s:
       • Alignment with the business
       • Value delivery
       • Risk management
   • Measure results

24. IT Governance focus areas (diagram): Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement

25. What Should Management Do About It?
   • Align IT strategy with business goals
   • Cascade strategy and goals down into the organization
   • Set up organizational structures that facilitate strategy implementation
   • Adopt a control and governance framework
   • Provide IT infrastructures that facilitate creation and sharing of business information
   • Embed responsibilities for risk management in the organization
   • Focus on important IT processes and core IT competencies
   • Measure performance (balanced business scorecard)

26. IT Governance Defined (1)
   • Responsibility of the board of directors:
   • It protects shareholder value
   • It ensures risk transparency
   • It directs and controls IT investment, opportunity, benefits and risks
   • It aligns IT with the business
   • It sustains the current operation and prepares for the future
   • It’s an integral part of a global governance structure

27. IT Governance Defined (2)
   • IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the Board of Directors). It consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

28. IT Governance Framework (diagram, a continuous cycle): Set measurable goals → Deliver against the goals → Measure performance → Compare results → Act if not aligned

29. IT Governance Framework (diagram, a continuous cycle): Set Objectives → IT Activities → Measure Performance → Compare → Provide Direction
   Objectives:
   • IT is aligned with the business
   • IT enables the business and maximizes benefits
   • IT resources are used responsibly
   • IT risks are managed appropriately
   IT Activities:
   • Increase automation (make the business effective)
   • Decrease cost (make the enterprise efficient)
   • Manage risks (security, reliability and compliance)

30. IT Alignment (diagram): Business Strategy, IT Strategy, Business Operations and IT Operations, linked by Alignment Activities

31. IT Value Delivery

32. IT Risk Management
   • The board should manage enterprise risk by:
   • Ascertaining that there is transparency about the significant risks to the organization
   • Being aware that the final responsibility for risk management rests with the board
   • Being conscious that risk mitigation can generate cost-efficiencies
   • Considering that a proactive risk management approach creates competitive advantage
   • Insisting that risk management is embedded in the operation of the enterprise

33. Risk Management Expands …
   • Risk Allocation - contracts, SLAs, etc.
   • Risk Mitigation - security & control practices
   • Risk Transfer - insurance & liability
   • Risk Assurance - audit & certification
   • Risk Acceptance - formal, transparent

34. IT Balanced Scorecard (diagram): four perspectives, Financial, Customer, Process and Learning, each with Goals and Measures, arranged around Information

35. Example of IT measures
   Financial:
   • # of IT customers
   • Cost per IT customer
   • Cost-efficiency of IT processes up
   • Delivery of IT value per employee
   Customer:
   • Level of service delivery up
   • Satisfaction of existing customers
   • # of new customers reached
   • # of new service delivery channels
   Process:
   • Availability of systems & services
   • Developments on schedule & budget
   • Throughput & response times
   • Amount of errors and rework
   Learning:
   • Staff productivity & morale
   • # of staff trained in new technologies/services
   • Value delivery per employee up
   • Increased availability of knowledge systems

36. Scorecard Objectives
   • Demonstrate the value added by the IT organization
   • Establish a balanced set of measures for determining the effectiveness of the IT organization
   • Set guidelines for creating the IT strategic plan and linking it into operational plans
   • Communicate and motivate IT performance in key areas as required by the business and its stakeholders
   • Establish a framework for IT management reporting

37. Information Security
   • Know what questions to ask
   • Know what is needed
   • Raise the awareness at the top
   • Have clarity of purpose
   • Measure your performance
   • Keep on doing it

38. Samples from CobiT
   • The following slides, describing IT Security, are examples “borrowed” from the CobiT Framework

39. Information Security: Some Questions for the Board Room
   Know what questions to ask
   • Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
   • Does anyone know how many computers the company owns? Would management know if some went missing?
   • Does anyone know how many people are using the organisation’s systems? Does anybody care whether they are allowed or not, or what they are doing?
   • Did the company suffer from the latest virus attack? How many did it have last year?
   • What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
   • Is management concerned that company confidential information can be leaked?
   • Has the organisation ever had its network security checked by a third party?
   • Is IT security a regular agenda item on IT management meetings?

40. IT Security Requirements
   Know what’s needed
   Business Drivers:
   • Shorter business cycles
   • Need to involve/connect/tie in with more partners
   • Network centric business models
   • Leverage VPN, remote access, collaborative tools
   Manage Risk:
   • Internet - UNIX - TCP/IP
   • More hackers, more tools
   • Increased dependency on IT
   Leverage Opportunities:
   • E-cash, e-commerce, e-tc.
   • Open, modular, scalable
   • Security a commodity
   Technology Drivers:
   • Managing networked c/s systems
   • “Provenance” control
   • Non-sharable info
   • Profiling users
   • Trust….

41. IT Security Awareness
   Raise the awareness at the top
   • How to sell to top management
       • Different styles depending on function
           • FUD
           • Cost reduction
           • Responsibility
           • Differentiator
       • Cost of security
       • Strategic approach - benchmark - gap analysis - choices

42. Cost of IT Security
   Have a clarity of purpose
   (Chart) Cost of security and control vs. IT budget, with bands of 5 - 10%, 20 - 25%, 45 - 50% and 55%, for “Cowboy” operation, Baseline operation, Good Practice and Industry reference site; annotated with Cost of noncompliance, Benchmarking and Leadership (= driver for change)

43. IT Security Performance
   Measure your performance
   (Diagram) Six security areas, grouped under Policy, Process and Tools & Technology, with the weights used in the score (total 100):
   • 1. Policies & procedures - 10
   • 2. Security management - 10
   • 3. Human behaviour & culture - 20
   • 4. Application security - 20
   • 5. System access control - 20
   • 6. Network segregation - 20
   (Chart) Score on a 0 - 100 scale per year, 1996 - 2001; series: Average of best security performers in the financial industry (begin ’96), Company status Feb ’97, Company objective for 2001
   Legend for ranking used:
   • 5 - Excellent: Best possible, highly integrated
   • 4 - Very good: Advanced level of practice
   • 3 - Good: Moderately good level of practice
   • 2 - Fair: Some effort made to address issues
   • 1 - Poor: Recognise the issues
   • 0 - Very poor: Complete lack of good practice

44. IT Security is a Continuous Effort
   Keep on doing it
   (Diagram, a continuous cycle of:)
   • Issue Security Policy
   • Security Management
   • Design Security Defenses
   • Perform Intrusion Testing
   • Perform Active Monitoring

45. IT Governance Summarized
   • Objectives
       • To understand the issues and the strategic importance of IT
       • To ensure that the enterprise can sustain its operations and
       • To ascertain it can implement the strategies required to extend its activities into the future
   • Goal
       • Ensuring that expectations for IT are met and IT risks are mitigated

46. IT Governance Summarized
   • Position
       • Within broad governance arrangements that cover relationships between the entity’s management and its governing body, its owners and its other stakeholders, and that provide the structure through which:
           • The entity’s overall objectives are set
           • The method of attaining those objectives is outlined
           • The manner in which performance will be monitored is described