Nov 29 it governance v2

562 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
562
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Nov 29 it governance v2

  1. 1. IT Governance: Sound Management Practices that Deliver Results November 29, 2006 2pm EST, 11am PST George Spafford, Principal Consultant, Pepperweed Consulting
  2. 2. Housekeeping <ul><li>Submitting questions to speaker </li></ul><ul><ul><li>Submit question at any time by using “Ask a question” section located on lower left-hand side of your console. </li></ul></ul><ul><ul><li>Questions about presentation content will be answered during 10 minute Q&A session at end of webcast. </li></ul></ul><ul><li>Technical difficulties? </li></ul><ul><ul><li>Click on “Help” link </li></ul></ul><ul><ul><li>Use “Ask a question” interface </li></ul></ul>
  3. 3. Main Presentation
  4. 4. Agenda <ul><li>What &quot;IT Governance&quot; entails </li></ul><ul><li>IT Mission Considerations </li></ul><ul><ul><li>Enablement </li></ul></ul><ul><ul><li>Risk Management </li></ul></ul><ul><li>Please email either George or Kendra for a copy of this PPT [email_address] [email_address] </li></ul>
  5. 5. Why should we care?
  6. 6. Why Governance Gets Attention <ul><li>AT Kearney 2004-2005 Technology Innovation Study: </li></ul><ul><ul><li>72% of business leaders believe IT enabled their business strategy but only 30% are “fully aligned” </li></ul></ul><ul><ul><li>45% of respondents believe IT is primarily focused on day-to-day requirements </li></ul></ul><ul><ul><li>70% identify technology innovation as critical yet 80% of actual IT investment is focused on infrastructure and core operation </li></ul></ul><ul><li>Projects </li></ul><ul><ul><li>$600 billion spent on ill conceived or poor executed IT projects – Gartner </li></ul></ul><ul><ul><li>71% of IT projects fail or are challenged – Standish </li></ul></ul><ul><li>Operational Processes </li></ul><ul><ul><li>80% of availability problems caused by human error – IDC </li></ul></ul><ul><ul><li>45% of operating expense budget consumed by unplanned work - ITPI </li></ul></ul>
  7. 7. What is governance?
  8. 8. Corporate Governance Defined <ul><li>Governance derives from the Latin word “gubernare” relating to the rudder and steering of a ship </li></ul><ul><li>&quot;Corporate Governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The corporate governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society.&quot; -- Adrian Cadbury in “Global Corporate Governance Forum”, World Bank </li></ul><ul><li>“ Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the goals for which the corporation is governed. The principal players are the shareholders, management and the board of directors. Other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large.” – Wikipedia </li></ul>
  9. 9. So what is IT Governance?
  10. 10. IT Governance <ul><li>“ The overall objective of IT governance, therefore, is to understand the issues and the strategic importance of IT, so that the enterprise can sustain its operations and implement the strategies required to extend its activities into the future. IT governance aims at ensuring that expectations for IT are met and IT risks are mitigated.” – IT Governance Institute’s “Board Briefing on IT Governance” </li></ul><ul><li>It arose from a lack of discussions about IT at the Board and strategy levels </li></ul><ul><ul><li>Often times IT is only discussed with capital is needed </li></ul></ul><ul><ul><li>Organizations that had strategic IT discussions at the Board level outperformed competitors over the past five years – AT Kearney </li></ul></ul><ul><ul><li>The management of IT should be no different than any other functional area. </li></ul></ul><ul><li>In short, IT Governance outside of the Board level is really concerned about sound management and not governance per se </li></ul>
  11. 11. So, What’s the Goal?
  12. 12. To Maximize Sustainable Profits And the business knows this best. Alignment problems arise when IT goes around the business and pushes solutions.
  13. 13. Theory of Constraints <ul><li>Dr. Eliyahu Goldratt – Israeli Physicist </li></ul><ul><li>Organizations are systems of business units assembled to achieve a goal </li></ul><ul><li>If there isn’t a goal, there isn’t a system </li></ul><ul><li>Throughput accounting </li></ul><ul><ul><li>Inventory is money tied up in the system </li></ul></ul><ul><ul><li>Operating Expenses are monies consumed creating units of the goal </li></ul></ul><ul><ul><li>Throughput is the conversion of units of inventory into units of the goal </li></ul></ul><ul><ul><li>We want systems that improve throughput while driving down inventory and operating expenses </li></ul></ul><ul><li>Constraints are what inhibit attainment of the goal </li></ul><ul><li>We want to identify constraints and then act to drive them down to increases systemic throughput </li></ul><ul><li>Need to recognize that we are dealing with a system and focus on system throughput – not just local optimizations </li></ul><ul><li>If we can’t relate activities to the goal, then why are we performing the activities? </li></ul><ul><li>Resource </li></ul><ul><ul><li>Domenico Lepore and Oded Cohen. “Deming and Goldratt – The Theory of Constraints and the System of Profound Knowledge”. North River Press. 1999. </li></ul></ul><ul><ul><li>Eliyahu Goldratt. “Beyond the Goal: Eliyahu Goldratt Speaks on the Theory of Constraints”. Coach Series [Audio Book on CD]. 2005. </li></ul></ul>
  14. 14. What Is Constraining the Goal? When properly designed and implemented, IT is a force multiplier that empowers functional areas to attain their objectives in support of the Goal.
  15. 15. Improving the Organization * Adapted from ITIL Service Support Graphic
  16. 16. Value Enablement <ul><li>Positive Force Multiplication </li></ul><ul><li>vs. </li></ul><ul><li>Negative Force Multiplication </li></ul>
  17. 17. Quality Management <ul><li>Quality means conformance to requirements – Phil Cosby </li></ul><ul><li>This means </li></ul><ul><ul><li>IT must understand the customer’s requirements </li></ul></ul><ul><ul><li>IT must meet the customer’s requirements </li></ul></ul><ul><ul><li>This assumes that the customer and IT understand the goals of the organization and how functional area objectives support them </li></ul></ul><ul><li>After WWII in Japan, Ishikawa used to tell the people on the manufacturing line that the people in the next step were their customer </li></ul>
  18. 18. Business IT Alignment (BITA) <ul><li>Need the business engaged with IT and not just IT in a vacuum </li></ul><ul><li>“ Technology Pull” vs. “Technology Push” </li></ul><ul><li>IT Service Management – services that meet customer requirements both today and in the future </li></ul><ul><li>Primus inter pares </li></ul><ul><ul><li>“ First among equals” – IT and other managers working together </li></ul></ul><ul><ul><li>IT may know the technology but the business knows the business even better </li></ul></ul><ul><ul><li>IT and the business must leverage each others’ strengths and compensate for each others’ weaknesses </li></ul></ul><ul><ul><li>Requires dialogue, regular meetings, … and lots of hard work! </li></ul></ul><ul><ul><li>Roles & responsibilities must be understood </li></ul></ul><ul><ul><ul><li>It can’t just be IT – this is an organizational culture issue </li></ul></ul></ul><ul><ul><ul><li>Who better than logistics to argue for a new IT logistics service with IT playing a supporting role? </li></ul></ul></ul>
  19. 19. Communication Barrier <ul><li>Need to speak in terms of enabling objectives and goals while managing risks </li></ul><ul><ul><li>Focus on business and customer needs, technology is secondary </li></ul></ul><ul><li>Need to focus on terms that are mutually understood </li></ul><ul><li>IT must avoid “geekinese” and understand what management needs </li></ul><ul><ul><li>For example discussing requirements for a two page summary report vs. a forty page report that serves up lots of content but little information </li></ul></ul><ul><li>Communication must be on a regular schedule in a venue and format that maximizes senior management’s attention </li></ul>
  20. 20. Tone At The Top <ul><li>Senior management must support IT in deeds as well as words </li></ul><ul><li>“ Just get it done” can destroy all the organizational change work done to date </li></ul><ul><li>Recognize that IT must be engaged the same as any other technical group </li></ul>
  21. 21. Strategic Planning <ul><li>IT and the business must work together to accomplish objectives </li></ul><ul><li>IT needs to understand strategic plans in order to support the business and the business must understand IT’s capabilities </li></ul><ul><li>IT projects and resulting services are costly and can impact the quality of business services rendered – they need proper planning </li></ul><ul><ul><li>No different than planning for new production plants </li></ul></ul><ul><li>Recognition of IT value, not just cost </li></ul><ul><li>Board level IT strategy committee </li></ul>
  22. 22. Steering Committee <ul><li>Visibility and involvement into the direction of IT </li></ul><ul><li>Set within context of strategy </li></ul><ul><li>Steering committee defines </li></ul><ul><ul><li>Priorities </li></ul></ul><ul><ul><li>Tracks status of projects </li></ul></ul>
  23. 23. Service Development Lifecycle <ul><li>Quality standards around development projects </li></ul><ul><ul><li>Requirements definition </li></ul></ul><ul><ul><li>Coding standards </li></ul></ul><ul><ul><li>Testing </li></ul></ul><ul><ul><li>Identification of best practices </li></ul></ul><ul><ul><li>Migration to production </li></ul></ul><ul><ul><li>Documentation </li></ul></ul><ul><ul><li>Evidentiary requirements </li></ul></ul><ul><ul><li>Roles and responsibilities </li></ul></ul><ul><li>Resource </li></ul><ul><ul><li>Carnegie Mellon’s Capability Maturing Model Integrated (CMMI) </li></ul></ul><ul><ul><li>Google </li></ul></ul>
  24. 24. Project Management <ul><li>29% of projects delivered on-time with expected features, 53% were challenged and 18% outright failed1 </li></ul><ul><li>The majority of the causal factors are non-technical including: </li></ul><ul><ul><li>Lack of project planning </li></ul></ul><ul><ul><li>Poor requirements definition </li></ul></ul><ul><ul><li>Correct stakeholders not involved, or not involved early enough </li></ul></ul><ul><ul><li>Poor communications </li></ul></ul><ul><ul><li>Insufficient management oversight </li></ul></ul><ul><li>Resources </li></ul><ul><ul><li>PMI’s Project Management Body of Knowledge (PM-BOK) </li></ul></ul><ul><ul><li>Projects in Controlled Environments Version Two (PRINCE2) </li></ul></ul><ul><ul><li>Google </li></ul></ul>1. “Third Quarter 2004 CHAOS Report”. The Standish Group.
  25. 25. IT Service Management (ITSM) <ul><li>Three objectives </li></ul><ul><ul><li>Align IT Services with the current and future needs of the business </li></ul></ul><ul><ul><li>To improve the quality of IT services delivered </li></ul></ul><ul><ul><li>To manage long-term costs of services </li></ul></ul><ul><li>This is a change in mindset away from technology to one of enabling services and quality </li></ul><ul><li>People, Processes and Technology </li></ul><ul><li>Resources </li></ul><ul><ul><li>Information Technology Infrastructure Library (ITIL) </li></ul></ul><ul><ul><li>IT Service Management Forum (itSMF) </li></ul></ul>
  26. 26. Internal Audit <ul><li>Dr. Deming eschewed the Shewhart cycle of Plan-Do-Check-Act </li></ul><ul><li>Audit plays an important role in organizations by performing a facet of the “check” function </li></ul><ul><ul><li>Ethics </li></ul></ul><ul><ul><li>Regulatory Compliance </li></ul></ul><ul><ul><li>Process Compliance </li></ul></ul><ul><ul><li>Control and Process Improvement Opportunities </li></ul></ul><ul><li>Resources </li></ul><ul><ul><li>The Institute of Internal Auditors (The IIA) </li></ul></ul><ul><ul><li>Information Systems Audit and Control Association (ISACA) </li></ul></ul>
  27. 27. Risk Management <ul><li>Safeguarding The Goal </li></ul>
  28. 28. Why Is Risk Management So Important? Limited Resources and Seemingly Unlimited Risks! Companies need to understand and prioritize risks in order to safeguard functional area objectives and organizational goals
  29. 29. Safeguard the Goal IT must reasonably safeguard the Goal by reducing residual risk to an acceptable level.
  30. 30. What Is a Risk? <ul><li>The probability of a negative event impacting the realization of functional area objectives and/or organizational goals </li></ul><ul><li>Does a risk matter if it doesn’t impact a functional area objective or organizational goal? </li></ul><ul><ul><li>NO </li></ul></ul><ul><li>Information Technologies are a threat vector </li></ul><ul><li>In the end there is only business risk </li></ul><ul><ul><li>It isn’t IT that goes out of business! </li></ul></ul><ul><li>IT should be a stakeholder in a larger Enterprise Risk Management (ERM) effort </li></ul><ul><li>Resource </li></ul><ul><ul><li>COSO Enterprise Risk Management (ERM) </li></ul></ul><ul><ul><li>NIST </li></ul></ul>
  31. 31. Use Controls to Manage Risk <ul><li>Risks cause variation around the achievement of objectives and goals </li></ul><ul><li>Some variation is always present and inevitable </li></ul><ul><li>By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective </li></ul><ul><li>Controls are found in </li></ul><ul><ul><li>The services IT maintains and provisions </li></ul></ul><ul><ul><li>Within the applications users access </li></ul></ul><ul><li>Resource </li></ul><ul><ul><li>Information Systems Audit and Control Association (ISACA) – Control Objectives for IT and Related Technologies (COBIT) </li></ul></ul>
  32. 32. Don’t Try to Eliminate Risk! <ul><li>You can spend a fortune and you will never truly hit a 100% level of assurance – it’s not possible </li></ul><ul><li>The objective is to lower risk to an acceptable level, not eliminate it because that is not possible! </li></ul><ul><li>Work with senior management and Internal Audit to define what level of residual risk is acceptable </li></ul><ul><li>There is no prize for overly controlled processes – only costs, frustration and lost agility </li></ul>Level of Assurance Level of Investment 100%
  33. 33. Change Management <ul><li>Change Management is a risk management function and a foundation control </li></ul><ul><li>78-80% of unavailability is tied to human error </li></ul><ul><li>The result: Delayed projects and the perception that IT can not get anything done </li></ul><ul><li>As the levels of complexity and integration increase, so to does the need for effective change management otherwise forward momentum will stop and even reverse </li></ul><ul><li>Properly designed Change Management can facilitate agility because productive work can actually be accomplished </li></ul><ul><li>There is a huge difference between total changes and net successful changes </li></ul><ul><ul><li>Being able to deploy 10,000 patches overnight can crash thousands of systems overnight! </li></ul></ul><ul><li>Need a company specific change management process that balances off risks to the organization with the business’ need to change </li></ul><ul><li>Resources </li></ul><ul><ul><li>ITIL Service Support volume </li></ul></ul><ul><ul><li>ITPI’s Visible Ops methodology </li></ul></ul>
  34. 34. Continuous Improvement PLAN DO ACT CHECK
  35. 35. Continuous Improvement <ul><li>What is needed today will be different than what is needed later </li></ul><ul><li>Objectives, Risks, resources, and so on will all change over time </li></ul><ul><li>Continuous Improvement is a necessity </li></ul>
  36. 36. Continuous Improvement * Adapted from ITIL Service Support Graphic
  37. 37. If something doesn’t map to objectives and goals, then should it be done?
  38. 38. If something doesn’t map to objectives and goals, then should it be done? NO
  39. 39. Thank you for the privilege of facilitating this webcast
  40. 40. Questions?

×