
Comprehending Information Technology Governance

It's the presentation slides the trainer deliver as part of the courseware for 'Information Technology Governance' training.



  1. Comprehending Information Technology Governance
     Delivered on February 2013
     Goutama Bachtiar, Technology Advisor, Consultant and Auditor
     T: @goudotmobi
  2. Allow Me to Introduce Myself
     February 2013 Developed by @goudotmobi
  3. Trainer Profile
     • 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
     • VP - Head of Information Technology at Roligio Group
     • Advisor at Global Innovations and Technology Platform
     • Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
     • Program Evaluator at Project Management Institute
     • Microsoft Faculty Fellow
     • Columnist and contributor at ZDNet Asia, Forbes Indonesia, DetikINET and InfoKomputer among others
  4.
  5. Background and Objectives
     BACKGROUND
     • IT Governance is to a country’s constitution what management is to the country’s laws
     • Corporate Governance, IT Governance, and IT Security Governance are responsibilities of the Board or Senior Management
     • The significance of IT governance can be judged from the fact that ISACA has introduced a new certification, Certified in the Governance of Enterprise IT (CGEIT), effective since December 2008, on this very subject
     • Topics covered will map directly to ISACA’s job practice areas (domains)
     OBJECTIVES
     • The training will address key knowledge areas related to the IT Governance domains: IT Governance Framework, IT/Business Strategy Alignment, IT Value Delivery, Risk Management, Resource Management and Performance Measurement
     • Differentiate between IT Governance and IT Management, and help set up an IT Governance Framework including IT alignment, Value delivery, Risk Management, Performance Management, and Resource Utilization
  6. Targeted Participants
     • Corporate and IT management interested in learning the “what” and “how to” of IT Governance
     • IT auditors and Management Consultants who’d like to learn how to audit IT Governance and provide governance-related services to Senior Client Management
     • Senior IT management responsible for understanding the theory and implementation of IT Governance, Value Delivery, IT Risk Management, Information Security, and Balanced Score Card (BSC) Implementation
  7. Training Agenda
     • Governance vs Management
     • IT Governance Framework
     • IT Alignment with Business Requirements
     • IT Value Delivery
     • IT Risk Management
     • IT Performance Measurement
     • IT Balanced Score Card
  8. Training Agenda (cont’d)
     • IT Resource Management
     • Board’s Oversight Committees
     • IT Strategy Committee
     • IT Steering Committee
     • Board’s Business Continuity Oversight
     • Auditing IT Governance
     • Maturity of IT Governance With CMM Scale
  9. ISACA Certification
     CGEIT constitutes:
     1. IT Governance Framework (25%)
     2. Strategic Alignment (15%)
     3. Value Delivery (15%)
     4. Risk Management (20%)
     5. Resource Management (13%)
     6. Performance Measurement (12%)
  11. Common Issues
     • Disconnect between IT & everyone else
     • IT is overwhelmed
     • Projects are delayed; not as successful
     • Customer dissatisfaction & “I’ll do it myself” mentality
     • Multiple systems exist for similar needs
     • IT lacks direction
  12. Common Issues (cont’d)
     • No one person is accountable for IT
     • Technology does not make things better
     • Security concerns
     • Data in multiple places/hard to pull together
     • Projects not delivered or not done well
  13. Solution
     • Well-defined decision making process
     • Forward thinking IT leadership
     • High-performing IT management team
     • Easily understood Architecture & Standards
     • Project Evaluation & Prioritization
     • Best Practice Project Management approach
  14. Understanding IT Governance
     • Comprises the body of issues addressed in considering how IT is applied within the enterprise.
     • Effective enterprise governance focuses on:
       – Individual and group expertise
       – Experience in specific areas
     • Key element: alignment of business and IT
  15. What is IT Governance?
     • Structure to help align IT strategy with business strategy
     • According to ITGI, there are 5 areas of focus:
       – Strategic alignment
       – Value delivery
       – Resource management
       – Risk management
       – Performance measures
  16. IT Governance Definition
     “The responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives”
  17. Three Pillars of IT Governance
     (diagram) IT Governance rests on three pillars: Infrastructure Management, IT Use/Demand Management and IT Project Management
  18. Managing Ever-Increasing Complexity
  19. IT Governance Institute
     • The IT Governance Institute is a non-profit, independent research entity that provides guidance for the global business community on issues related to governance of IT assets
     • Established by ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly allocated, and IT performance is measured
     • ITGI developed Control Objectives for Information and related Technology (COBIT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and help IT professionals deliver value-adding services
  20. Why is IT Governance important?
     • Compliance with regulations
     • Competitive advantage
     • Support of enterprise goals
     • Growth and innovation
     • Increase in intangible assets
     • Reduction of risk
  21. Why is IT Governance important? (cont’d)
  22. Who is involved?
     • Team leaders
     • Managers
     • Executives
     • Board of Directors
     • Stakeholders
  23. Governance and Management
     • Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
     • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
  24. Corporate Governance of IT
     ISO/IEC 38500:2008 Corporate governance of IT
     Scope
     • Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of IT within their organizations
     • Applies to the governance of management processes (and decisions) relating to the ICT services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization
  25. Corporate Governance of IT (cont.)
     ISO/IEC 38500:2008 Corporate Governance of IT
     2.1 Principles
     • Principle 1: Responsibility
     • Principle 2: Strategy
     • Principle 3: Acquisition
     • Principle 4: Performance
     • Principle 5: Conformance
     • Principle 6: Human Behavior
  26. IT Governance Landscape
  27. Approaches Currently In Use
     • Business As Usual - “Firefighting”
     • Legislation - “Forced”
     • Best Practice Focused
  28. Commencing Best Practices
     Quality & Control Models
     • ISO 900x
     • COBIT®
     • TQM
     • EFQM
     • Six Sigma
     • COSO
     • Deming
     • etc.
     Process Frameworks
     • ITIL®
     • Application Service Library
     • Gartner CSD
     • IBM Processes
     • EDS Digital Workflow
     • Microsoft MOF
     • Telecom Ops Map
     • etc.
     • What is not defined cannot be controlled
     • What is not controlled cannot be measured
     • What is not measured cannot be improved
  29. ITIL® v2 to v3
     (diagram) Introduction to ITIL. The ITIL v2 books, laid out between The Business and The Technology: Planning To Implement Service Management; The Business Perspective; Service Delivery; Service Support; Small-Scale Implementation; Application Management; ICT Infrastructure Management; Security Management; Software Asset Management
  30. ITIL® v2 Service Support Model
     (diagram) The Business, Customers or Users interact with the Service Desk (communications, updates, work-arounds; queries, enquiries, incidents; customer survey reports). Processes and their outputs:
     • Incident Management: incidents; service reports, incident statistics, audit reports
     • Problem Management: problems, known errors; problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
     • Change Management: changes; change schedule, CAB minutes, change statistics, change reviews, audit reports
     • Release Management: releases; release schedule, release statistics, release reviews, secure library, testing standards, audit reports
     • Configuration Management: CMDB; CMDB reports, CMDB statistics, policy standards, audit reports; CIs and relationships
     • Monitoring Tools feed incidents into the model
  31. ITIL® V2 Service Delivery Model
     (diagram) Business, Customers and Users exchange communications, queries, enquiries, updates and reports with the processes; Management Tools supply alerts, exceptions and changes. Processes and their outputs:
     • Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
     • Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
     • Capacity Management: capacity plan, CDV, targets/thresholds, capacity reports, schedules, audit reports
     • Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
     • IT Service Continuity Management: IT continuity plans, BIS and risk analysis, requirements defined, control centers, DR contracts, reports, audit reports
     Requirements, targets and achievements flow between the processes.
  32. IT Governance and ITIL® version 3
  33. IT Governance and COBIT
     Why Get Into Governance?
     • “Due diligence”
     • IT is critical to the business
     • IT is strategic to the business
     • Expectations and reality don’t match
     • IT hasn’t gotten the attention it deserves
     • IT involves huge investments and large risks
  34. IT Governance and COBIT
     “Due diligence”
     • Infrastructure and productive functions
     • Skills, culture, operating environment
     • Capabilities, risks, process knowledge and customer information
     • Service levels
     Enterprises should be equally inquisitive about themselves.
  35. IT Governance and COBIT
     IT Is Critical to Most Businesses
     This criticality arises from:
     • The increasing dependence on information and the systems and communications that deliver it
     • The dependence on entities beyond the direct control of the enterprise
     • IT failures increasingly impacting reputation and enterprise value
     • The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
     • The risks of doing business in an interconnected world
     • The need to build and maintain knowledge essential to sustain and grow the business
  36. IT Governance and COBIT
     Why Has IT Not Gotten the Attention It Merits?
     • IT requires more technical insight than do other disciplines to understand how IT
       • Enables the enterprise
       • Creates risks
       • Gives rise to opportunities
     • IT has traditionally been treated as an entity separate to the business
     • IT is complex, and even more so in the extended enterprise operating in a networked economy
  37. IT Governance and COBIT
     • October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.
     • 1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
     • August 1997: UK investment managers, Save & Prosper, abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
     • October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.
  38. IT Governance and COBIT
     What Should Boards Do About It?
     • Be driven by stakeholder value
     • Adopt an IT governance framework
     • Ask the right questions
     • Focus on IT’s
       • Alignment with the business
       • Value delivery
       • Risk management
     • Measure result
     (diagram) Stakeholder Value Drivers at the centre, surrounded by IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement
  39. IT Governance and COBIT
     What Should Management Do About It?
     • Align IT strategy with business goals
     • Cascade strategy and goals down into the organisation
     • Set up organisational structures that facilitate strategy implementation
     • Adopt a control and governance framework
     • Provide IT infrastructures that facilitate creation and sharing of business information
     • Embed responsibilities for risk management in the organisation
     • Focus on important IT processes and core IT competencies
     • Measure performance (balanced business scorecard)
  40. IT Governance and COBIT
     COBIT: An IT Control Framework
     • Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
     • Promotes process focus and process ownership
     • Divides IT into 34 processes belonging to four domains and provides a high level control objective for each
       • Planning
       • Acquiring & Implementing
       • Delivery & Support
       • Monitoring
     • Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
       • Effectiveness
       • Efficiency
       • Availability
       • Integrity
       • Confidentiality
       • Reliability
       • Compliance
     • Is supported by a set of over 300 detailed control objectives
  41. IT Governance and COBIT
     IT Governance Defined (1)
     Several definitions with common elements:
     • Responsibility of the board of directors
     • Protects shareholder value
     • Ensures risk transparency
     • Directs and controls IT investment, opportunity, benefits and risks
     • Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
     • Sustains the current operation and prepares for the future
     • Is an integral part of a global governance structure
  42. IT Governance and COBIT
     IT Governance Defined (2)
     IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
  43. IT Governance and COBIT
     IT Governance Framework
     (diagram) A cycle: Set measurable goals → Deliver results → Measure performance → Compare against the goals → Act if not aligned
  44. IT Governance and COBIT
     IT Governance Framework
     Set Objectives
     • IT is aligned with the business
     • IT enables the business and maximises benefits
     • IT resources are used responsibly
     • IT-related risks are managed appropriately
     Provide Direction → IT Activities
     • Increase automation (make the business effective)
     • Decrease cost (make the enterprise efficient)
     • Manage risks (security, reliability and compliance)
     Measure Performance → Compare (against the objectives)
  45. Enterprise Governance
     • Responsibilities and practices exercised by the board and executive management with goals of:
       • Provide strategic direction
       • Ensure achieved objectives
       • Appropriately managed risk
       • Responsible resource use
  46. Enterprise Governance Objective
     A Balance of
     • Performance: By improving profit, efficiency, effectiveness, growth, etc.
     • Conformance: Adhere to legislation, internal policies, audit requirements, etc.
     Both Enterprise governance and IT governance require a balance between performance and conformance goals as directed by the board
  47. Enterprise vs IT Governance
     • Enterprise: Responsibilities and practices exercised by the board and executive management with goals of:
       – Provide strategic direction
       – Ensure achieved objectives
       – Appropriately managed risk
       – Responsible resource use
     • IT: Part of enterprise governance, consisting of leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and furthers the enterprise strategies and objectives
  48. Governance as Control Views
  49. Governance Stakeholder Responsibilities
  50. Governance, Stakeholders, Interests
     • IT Governance is part of Enterprise Governance
     • Governance Focus Areas
       – Strategic Alignment
       – Value Delivery
       – Risk Management
       – Resource Management
       – Performance Measurement
     • Governance objective is a balance of
       – Performance
       – Value Delivery
       – Conformance
       – Risk Management
  51. Governance, Stakeholders, Interests (cont’d)
     Governance Stakeholders include
     – Board & Executives
     – Business & IT Management
     – Risk and Compliance & IT Audit
     Stakeholders
     – Have Governance Roles & Responsibilities
     – Expect Inputs and Deliver Outputs to the Governance Process
  52. IT Governance Framework (ITGI)
     Set Objectives
     ✓ IT is aligned with the business
     ✓ IT enables the business and maximizes benefits
     ✓ IT resources are used responsibly
     ✓ IT-related risks managed appropriately
     Provide Direction → IT Activities
     ✓ Increase automation (make the business effective)
     ✓ Decrease cost (make the enterprise efficient)
     ✓ Manage risks (security, reliability and compliance)
     Measure Performance → Compare (against the objectives)
  53. Governance Support with COBIT
  54. Control Objectives for IT (COBIT)
  55. COBIT Processes
  56. COBIT Processes (cont’d)
  57. Content Overview
     • For the Framework
       – Process Controls
       – Application Controls
       – Maturity Attributes
     • For each Process
       – Description, linkage to business goal, …
       – Detailed Control Objectives
       – Management Guidelines
         – Process Inputs and Outputs
         – Process Activities and RACI
         – Measurements
         – Maturity Model
  58. Val IT V.2.0 – Value Management
  59. Val IT
     Val IT supports the enterprise goal of
     • creating optimal value from IT-enabled investments at an affordable cost, with an acceptable level of risk
     and is guided by
     • a set of principles applied in value management processes
     that are enabled by
     • key management practices
     and are measured by
     • performance against goals and metrics
  60. Val IT Key Definitions
     • Project — A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-upon schedule and budget
     • Program — A structured grouping of inter-dependent projects that are both necessary and sufficient to achieve a desired business outcome and create value. These projects could involve, but are not limited to, changes in the nature of the business, business processes, the work performed by people, as well as the competencies required to carry out the work, enabling technology and organizational structure. The investment program is the primary unit of investment within Val IT
     • Portfolio — Groupings of ‘objects of interest’ (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. The investment portfolio is of primary interest to Val IT
     • IT service, project, asset or other resource portfolios are of primary interest to COBIT
  61. Val IT Framework
  62. Value Governance
     The goal of VG is to ensure that value management practices are embedded in the enterprise, enabling it to secure optimal value from its IT-enabled investments throughout the full economic life cycle
     An executive commitment to value governance helps enterprises:
     – Establish the governance framework for value management in a manner that is fully integrated with overall enterprise governance
     – Provide strategic direction for investment decisions
     – Define the characteristics of portfolios required to support new investments and resulting IT services, assets and other resources
     – Improve value management on a continual basis, based on lessons learned
  63. Value Governance Process
     • VG1: Establish informed and committed leadership
     • VG2: Define and implement processes
     • VG3: Define portfolio characteristics
     • VG4: Align and integrate value management with enterprise financial planning
     • VG5: Establish effective governance monitoring
     • VG6: Continuously improve value management practices
  64. Portfolio Management
     • The goal of portfolio management (PM) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments
     • An executive commitment to portfolio management helps enterprises:
       – Establish and manage resource profiles
       – Define investment thresholds
       – Evaluate, prioritize, and select, defer, or reject new investments
       – Manage and optimize the overall investment portfolio
       – Monitor and report on portfolio performance
  65. Portfolio Management Process
     • PM1 Establish strategic direction and target investment mix
     • PM2 Determine the availability and sources of funds
     • PM3 Manage the availability of human resources
     • PM4 Evaluate and select programs to fund
     • PM5 Monitor and report on investment portfolio performance
     • PM6 Optimize investment portfolio performance
  66. Investment Management
     The goal of investment management (IM) is to ensure that the enterprise’s individual IT-enabled investments contribute to optimal value. When organizational leaders commit to investment management they improve their ability to:
     – Identify business requirements
     – Develop a clear understanding of candidate investment programs
     – Analyze alternative approaches to implementing the program
     – Define each program and document and maintain a detailed business case for it, including benefits’ details, throughout the full economic life cycle of the investment
     – Assign clear accountability and ownership (for benefits realization)
     – Manage each program through its full economic life cycle, including retirement
     – Monitor and report on each program’s
  67. Investment Management Process
     • IM1 Develop and evaluate the initial program concept business case
     • IM2 Understand the candidate program and implementation options
     • IM3 Develop the program plan
     • IM4 Develop full life-cycle costs and benefits
     • IM5 Develop the detailed candidate program business case
     • IM6 Launch and manage the program
     • IM7 Update operational IT portfolios
     • IM8 Update the business case
     • IM9 Monitor and report on the program
     • IM10 Retire the program
  68. Risk IT
  69. Types of Risk
  70. Risk IT Principles
     The Risk IT framework principles are:
     • Effective enterprise governance of IT risk
       – Always connects to business objectives
       – Aligns the management of IT-related business risk with overall enterprise risk management
       – Balances the costs and benefits of managing risk
     • Effective management of IT risk
       – Promotes fair and open communication of IT risk
       – Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
       – Is a continuous process and part of daily activities
  71. Risk IT Building Blocks
     Key building blocks of good IT risk management:
     • Set responsibility for IT risk management
     • Set objectives and define risk appetite and tolerance
     • Identify, analyze and describe risk
     • Monitor risk exposure
     • Treat IT risk
     • Link with existing guidance to manage risk
  72. Risk Assessment
     IT Risk Assessment Frameworks
     • ISACA Risk IT
     • Information Security Risk Management for ISO 27001
     • CRAMM Information Security Toolkit
     • OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
  73. IT Risk ASSESSMENT
     • Definition of risk assessment
     The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
  74. IT Risk ASSESSMENT
     Components of risk assessment
     • Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
     • Impact on assets based on threats and vulnerabilities
     • Probabilities of threats (combination of the likelihood and frequency of occurrence)
  75. ISACA Risk IT
     Risk IT: A Balance is Essential
     • Risk and value are two sides of the same coin.
     • Risk is inherent to all enterprises.
     BUT Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
  76. Risk IT Extends Val IT and COBIT
     Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
  77. IT-related Risk Management
     Risk IT is not limited to information security. It covers all IT-related risks, including:
     • Late project delivery
     • Not achieving enough value from IT
     • Compliance
     • Misalignment
     • Obsolete or inflexible IT architecture
     • IT service delivery problems
  78. Guiding Principles of Risk IT
     • Always connect to enterprise objectives.
     • Align the management of IT-related business risk with overall enterprise risk management.
     • Balance the costs and benefits of managing risk.
     • Promote fair and open communication of IT risk.
  79. Guiding Principles of Risk IT
     • Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
     • Understand that this is a continuous process and an important part of daily activities.
  80. Key Risk IT Content: The “What”
     Key content of the Risk IT framework includes:
     • Risk management essentials
     • In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
     • In Risk Evaluation: Describing business impact and risk scenarios
     • In Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation
     • Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
  81. Key Risk IT Content: The “What”
     • Process model sections that contain:
       • Descriptions
       • Input-output tables
       • RACI (Responsible, Accountable, Consulted, Informed) table
       • Goals and Metrics Table
     • Maturity model is provided for each domain
     • Appendices
       • Reference materials
       • High-level comparison of Risk IT to other risk management frameworks and standards
       • Glossary
  82. Risk IT Three Domains
  83. Risk IT: The “How”
     Key contents of The Risk IT Practitioner Guide:
     • Review of the Risk IT process model
     • Risk IT to COBIT and Val IT
     • How to use it:
       1. Define a risk universe and scope risk management
       2. Risk appetite and risk tolerance
       3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
       4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
       5. Risk scenarios: includes capability risk factors and environmental risk factors
       6. Risk response and prioritisation
       7. A risk analysis workflow: “swim lane” flow chart, including role context
       8. Mitigation of IT risk using COBIT and Val IT
     • Mappings: Risk IT to other risk management standards and frameworks
     • Glossary
  84. Risk/Response Definition
     The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that the future residual risk (= current risk with the risk response defined and implemented) is, as far as possible (usually depending on the budgets available), within the risk tolerance limits.
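The two definitions above (slide 73: risk is proportional to the business value of the loss and to the estimated frequency of the threat; slide 84: a response must bring residual risk within tolerance, subject to budget) can be exercised on a small risk register. The following is an added example, not code from the slides or from ISACA's Risk IT; the asset names, values, frequencies, response costs and the greedy "best benefit per unit cost" selection rule are this example's own assumptions, chosen so that the budget runs out before every risk is within tolerance, which is exactly the caveat slide 84 makes.

```python
"""Worked risk assessment and risk response selection (added example).

Implements the slide 73 definition (exposure = business value of the loss
x estimated threat frequency) and the slide 84 test (residual risk within
tolerance, as far as the budget allows). All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float    # business value of the asset (constructed currency units)
    loss_fraction: float  # share of the value lost if the threat succeeds (0..1)
    frequency: float      # estimated occurrences per year

    def exposure(self) -> float:
        """Annualised exposure: value of the loss x frequency of the threat."""
        return self.asset_value * self.loss_fraction * self.frequency


@dataclass(frozen=True)
class Response:
    risk: Risk
    name: str
    cost: float       # one-off cost of implementing the response
    reduction: float  # fraction of the original exposure removed (0..1)

    def benefit(self) -> float:
        return self.risk.exposure() * self.reduction


def assess(risks):
    """Rank the register by exposure, highest first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def select_responses(risks, responses, tolerance, budget):
    """Greedy response selection (assumed rule, not a Risk IT prescription).

    Responses are applied in order of benefit per unit cost, skipping any
    whose risk is already within tolerance or whose cost exceeds what is
    left of the budget. Returns (chosen responses, residual exposure per risk).
    """
    residual = {r: r.exposure() for r in risks}
    chosen, remaining = [], budget
    for resp in sorted(responses, key=lambda x: x.benefit() / x.cost, reverse=True):
        if residual[resp.risk] <= tolerance or resp.cost > remaining:
            continue
        residual[resp.risk] = max(0.0, residual[resp.risk] - resp.benefit())
        remaining -= resp.cost
        chosen.append(resp)
    return chosen, residual


def above_tolerance(residual, tolerance):
    """Risks whose residual exposure still exceeds tolerance (the slide 84 gap)."""
    return [r for r, value in residual.items() if value > tolerance]


# Constructed risk register: three assets, one threat each.
RISKS = [
    Risk("customer database", "external intrusion", 2_000_000, 0.40, 0.10),  # 80,000
    Risk("payment gateway", "service outage", 1_000_000, 0.05, 2.0),         # 100,000
    Risk("laptops", "theft", 50_000, 1.0, 0.5),                               # 25,000
]

# Constructed candidate responses with assumed costs and reductions.
RESPONSES = [
    Response(RISKS[0], "encrypt data at rest", 20_000, 0.60),
    Response(RISKS[0], "quarterly penetration test", 15_000, 0.25),
    Response(RISKS[1], "second provider failover", 40_000, 0.80),
    Response(RISKS[2], "full-disk encryption", 5_000, 0.90),
]

TOLERANCE = 30_000.0  # assumed enterprise risk tolerance per risk, per year
BUDGET = 70_000.0     # assumed budget available for responses


if __name__ == "__main__":
    for r in assess(RISKS):
        print(f"{r.asset:18} {r.threat:20} exposure={r.exposure():>10,.0f}")
    chosen, residual = select_responses(RISKS, RESPONSES, TOLERANCE, BUDGET)
    print("chosen:", [c.name for c in chosen])
    for r, value in residual.items():
        flag = "OVER" if value > TOLERANCE else "ok"
        print(f"{r.asset:18} residual={value:>10,.0f} {flag}")
```

Running it shows the laptop risk already inside tolerance (so its cheap response is not bought), the two larger risks treated in benefit-per-cost order, and the customer database left at 32,000 above the 30,000 tolerance because the remaining 10,000 cannot fund the second response; the register's output is the list a governance body would see when deciding whether to raise the budget or accept the residual.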
  85. 85. Risk IT Benefits and Outcomes Accurate view on current and near-future IT-related events End-to-end guidance on how to manage IT-related risks Understanding of how to capitalise on the investment made in an IT internal control system already in place Integration with the overall risk and compliance structures within the enterprise Common language to help manage the relationships Promotion of risk ownership throughout the organisation Complete risk profile to better understand risk February 2013 Developed by @goudotmobi 85
86. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 based on BS7799 by British Standards Institution
• Adopts “plan-do-check-act” process model
• Information Security Management System (ISMS) standard (ISO/IEC 27001)
• Formal specification: mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit and certification to an explicit standard
• Risk management based on ISO/IEC 27000 standards

87. Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process, from analysing risks to creating the risk treatment plan

88. CRAMM
Information security risk toolkit
• Provides a staged and disciplined approach towards IT risk assessment

89. CRAMM
Information security risk toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
90. CERT OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Framework by Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities, outputs
  – Phase 1: Build asset-based threat profiles
  – Phase 2: Identify infrastructure vulnerabilities
  – Phase 3: Develop security strategy and plans
• Self-directed information security risk evaluation
• Analysis team includes people from business units and IT department

91. CERT OCTAVE

92. CERT OCTAVE
93. Regulatory Requirements
Steps to determine compliance with external requirements:
• Identify external requirements
  – Establishment and organization
  – Responsibilities
  – Correlation to financial, operational and IT audit functions
• Document pertinent laws and regulations
  – Banking Act
  – Insurance Act
  – Circulars by Regulator
  – Government Instruction Manual or Circular
  – Statutory Act

94. Val IT Principles
• IT-enabled investments will:
  – Be managed as a portfolio of investments
  – Include the full scope of activities required to achieve business value
  – Be managed through their full economic life cycle
• Value delivery practices will:
  – Recognize that there are different categories of investments that will be evaluated and managed differently
  – Define and monitor key metrics and will respond quickly to any changes or deviations
  – Engage all stakeholders and assign appropriate accountability to the delivery of capabilities and the realization of business benefits
  – Be continually monitored, evaluated and improved
95. The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

96. COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

97. COBIT 5 Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

98. COBIT 5: Now One Complete Business Framework
Evolution of scope, from audit to control, management, IT governance and governance of enterprise IT:
• COBIT 1 (1996)
• COBIT 2 (1998)
• COBIT 3 (2000)
• COBIT 4.0/4.1 (2005/2007)
• COBIT 5 (2012), which also absorbs Val IT 2.0 (2008) and Risk IT (2009)
A business framework from ISACA. © 2012 ISACA® All rights reserved.
99. COBIT 5 Framework
• The main, overarching COBIT 5 product
• Contains the executive summary and the full description of all of the COBIT 5 framework components:
  – The five COBIT 5 principles
  – The seven COBIT 5 enablers
• Plus:
  – An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)
  – An introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT

100. COBIT 5 Product Family
Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

101. Five COBIT 5 Principles
The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
102. Meeting Stakeholder Needs
Principle 1. Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders.
Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.

103. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
• Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
• Governance is about negotiating and deciding amongst different stakeholders’ value interests.
• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
• For each decision, the following can and should be asked:
  – Who receives the benefits?
  – Who bears the risk?
  – What resources are required?

104. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
• Stakeholder needs have to be transformed into an enterprise’s practical strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.

105. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
Benefits of the COBIT 5 goals cascade:
• It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.
• In practice, the goals cascade:
  – Defines relevant and tangible goals and objectives at various levels of responsibility.
  – Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
  – Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
106. Covering the Enterprise End-to-end
Principle 2. Covering the Enterprise End-to-end:
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
• This means that COBIT 5:
  – Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
  – Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

107. Covering the Enterprise End-to-end (cont.)
Principle 2. Covering the Enterprise End-to-end
Key components of a governance system
Source: COBIT® 5, figures 8 and 9. © 2012 ISACA® All rights reserved.

108. Applying a Single Integrated Framework
Principle 3. Applying a Single Integrated Framework:
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
  – Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
  – IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
109. Enabling a Holistic Approach
Principle 4. Enabling a Holistic Approach
COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
• Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
• Described by the COBIT 5 framework in seven categories

110. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

111. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

112. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
• Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
  – Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
  – Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

113. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach
COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common dimensions:
  – Provides a common, simple and structured way to deal with enablers
  – Allows an entity to manage its complex interactions
  – Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
114. Separating Governance From Management
Principle 5. Separating Governance From Management:
• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
  – Encompass different types of activities
  – Require different organisational structures
  – Serve different purposes
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

115. Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
• Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

116. Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

117. Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.
118. COBIT 5: Enabling Processes
• COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
  – In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
  – In Chapter 3, the COBIT 5 process model is explained and its components defined.
  – Chapter 4 shows the diagram of this process reference model.
  – Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model.

119. COBIT 5: Enabling Processes (cont.)
Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved.

120. COBIT 5: Enabling Processes (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

121. COBIT 5: Enabling Processes (cont.)
COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
  – The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  – The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
122. COBIT 5 Implementation
• The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.

123. COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers
• Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework
• Best practices and standards are also available to underpin COBIT 5
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively
• There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully

124. COBIT 5 Implementation (cont.)
COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components

125. COBIT 5 Implementation (cont.)
Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.
  126. 126. COBIT 5 Future Supporting Products
127. COBIT 5 Product Family
Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

128. COBIT 5 Future Supporting Products
Future supporting products:
• Professional guides:
  – COBIT 5 for Information Security
  – COBIT 5 for Assurance
  – COBIT 5 for Risk
• Enabler guides:
  – COBIT 5: Enabling Information
  – COBIT Online replacement
• COBIT Assessment Programme:
  – Process Assessment Model (PAM): Using COBIT 5
  – Assessor Guide: Using COBIT 5
  – Self-assessment Guide: Using COBIT 5
129. Governance (and Management) in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.

130. Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
  – EDM01 Ensure governance framework setting and maintenance.
  – EDM02 Ensure benefits delivery.
  – EDM03 Ensure risk optimization.
  – EDM04 Ensure resource optimization.
  – EDM05 Ensure stakeholder transparency.
• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

131. Governance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
132. Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
• Process description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• Process purpose statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

133. Risk Management in COBIT 5 (cont.)
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process purpose statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

134. Risk Management in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

135. Risk Management in COBIT 5 (cont.)
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimisation ensures that the enterprise stakeholders’ approach to risk is articulated, to direct how risks facing the enterprise will be treated.
• APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).
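The risk response definition on slide 84 (bring residual risk within the tolerance set by governance, as far as the budget allows) and the treatment options listed on this slide can be made concrete with a small register. The Python below is an added example written for this page; it is not part of the slides, the Risk IT Practitioner Guide or COBIT 5. Scenario names, frequencies, impacts, control costs, the tolerance and the budget are all constructed values, and the annualised-loss model (frequency times impact) is one simple way to express risk, not the only one Risk IT allows.

```python
"""Added example (not from the slides): a minimal Risk IT style register.
A scenario is expressed as frequency and impact (slide 83, item 4), gets one
treatment (avoid, reduce, share/transfer, accept), and its residual risk is
checked against the tolerance set by governance (EDM03) under the budget
available to management (APO12). All numbers are constructed."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    AVOID = "avoid"    # stop the activity; residual risk becomes zero
    REDUCE = "reduce"  # a control lowers frequency and/or impact
    SHARE = "share"    # part of the impact is transferred (insurance, contract)
    ACCEPT = "accept"  # nothing changes; inherent risk must already be tolerable


@dataclass
class Scenario:
    name: str
    frequency: float               # expected events per year
    impact: float                  # loss per event, in currency units
    response: Response = Response.ACCEPT
    freq_reduction: float = 0.0    # fraction of frequency removed by the response
    impact_reduction: float = 0.0  # fraction of impact removed or transferred
    cost: float = 0.0              # annual cost of the response

    def inherent(self) -> float:
        """Annualised loss expectancy before any response."""
        return self.frequency * self.impact

    def residual(self) -> float:
        """Expected loss once the response is implemented (slide 84)."""
        if self.response is Response.AVOID:
            return 0.0
        if self.response is Response.ACCEPT:
            return self.inherent()
        return (self.frequency * (1 - self.freq_reduction)
                * self.impact * (1 - self.impact_reduction))


def prioritise(register, budget):
    """Fund responses in order of risk reduction per unit of cost until the
    budget is exhausted (slide 83, item 6). Returns (funded, unfunded) names."""
    candidates = [s for s in register if s.cost > 0 and s.inherent() > s.residual()]
    candidates.sort(key=lambda s: (s.inherent() - s.residual()) / s.cost,
                    reverse=True)
    funded, unfunded, spent = [], [], 0.0
    for s in candidates:
        if spent + s.cost <= budget:
            funded.append(s.name)
            spent += s.cost
        else:
            unfunded.append(s.name)
    return funded, unfunded


def treatment_plan(register, tolerance, budget):
    """Exposure per scenario given what the budget funds, plus the scenarios
    still above the per-scenario tolerance, which need escalation to the
    governance body rather than silent acceptance."""
    funded, unfunded = prioritise(register, budget)
    exposure = {}
    for s in register:
        # an unfunded response leaves the inherent risk in place
        funded_or_free = s.name in funded or s.cost == 0
        exposure[s.name] = s.residual() if funded_or_free else s.inherent()
    exceeding = [n for n, v in exposure.items() if v > tolerance]
    return {"funded": funded, "unfunded": unfunded, "exposure": exposure,
            "exceeding_tolerance": exceeding,
            "total_residual": sum(exposure.values())}


# Constructed sample register (hypothetical scenarios and figures).
SAMPLE_REGISTER = [
    Scenario("Ransomware on file server", 0.5, 400_000, Response.REDUCE,
             freq_reduction=0.8, impact_reduction=0.5, cost=60_000),
    Scenario("Cloud provider outage", 2.0, 50_000, Response.SHARE,
             impact_reduction=0.6, cost=15_000),
    Scenario("Unsupported legacy application", 1.0, 30_000, Response.AVOID,
             cost=25_000),
    Scenario("Laptop loss", 3.0, 5_000, Response.ACCEPT),
]

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_REGISTER, tolerance=25_000, budget=80_000)
    for name, value in plan["exposure"].items():
        flag = "EXCEEDS TOLERANCE" if name in plan["exceeding_tolerance"] else "ok"
        print(f"{name:35s} {value:>10,.0f}  {flag}")
    print("funded:", plan["funded"], "unfunded:", plan["unfunded"])
```

With the constructed figures the budget funds the outage and ransomware responses first (highest reduction per unit cost), leaves the legacy decommissioning unfunded, and reports two scenarios still above tolerance: one where the funded response is not enough and one where no response was funded. Both are exactly the cases that slide 84 says must be taken back to governance, since the residual risk is outside tolerance "as much as possible within budget" rather than within it.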
136. Risk Management in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.

137. Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process purpose statement: Ensure that the enterprise is compliant with all applicable external requirements.

138. Compliance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

139. Compliance in COBIT 5 (cont.)
• Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 enterprise goals and supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.

140. Compliance in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
141. CHALLENGES AND CONCERNS RELATED TO IT GOVERNANCE

142. Aligning IT and Business Strategy
• Corporate Mission – Business Goals – IT Strategy
• Requires involvement from many levels and activities within the enterprise.
• Lack of alignment leads to adverse business issues.
• Strong IT Governance contributes toward proper alignment.

143. IT Service Delivery

144. Ensuring Value and Effectiveness
• IT issues are the least understood, despite the increasing reliance placed on IT.
• Initiate IT governance structures with the right level of executive involvement.
• Boards of directors require essential IT-related skills.

145. Information Systems Governance
• Consists of leadership, organizational structures and processes that safeguard information.
• Security over information assets.
• Benefits of IS Governance.
• IS governance is a top-down process.

146. Measuring IT Governance Performance
• Measuring IT performance is a key concern as it demonstrates the effectiveness and added business value of IT.
• Commonly seen as the IT “Black Hole”: costs continually rise without clear evidence of value derived from the IT function.
• Traditional performance measurement methods require monetary values, which are hard to apply to IT systems.

147. IT Governance Performance Management Approaches

148. IT Balanced Scorecard
• One of the most effective means to aid an organization in achieving IT and business alignment.
• Provides a systematic translation of the IT strategy into tangible success factors and metrics.
• Gives a balanced view of the value added by IT to the business.
• Calculating the value of IT investments is a business issue for which business managers are ultimately responsible.
149. ISACA Global Status Report 2K8 (cont’d)
Research purposes
• Reach members of the C-Suite to determine their sense of priority and actions taken relative to IT governance
• Understand their need for tools and services to help ensure effective IT governance
Detailed objectives
• Survey and analyze the degree to which the concept of IT governance is recognized, established and accepted within boardrooms and especially by chief information officers (CIOs)
• Determine what level of IT governance expertise exists and which frameworks are known and are (or will be) adopted
• Measure the extent to which ITGI’s own framework, Control Objectives for Information and related Technology (COBIT), is selected and how it is perceived

150. ISACA Global Status Report 2K8 (cont’d)
Revealed results
• Insufficient IT staff availability, service delivery issues and difficulty proving the value of information technology continue to concern executives at organizations around the world
• 58% noted an insufficient number of staff, compared to 35% in 2005
• 48% said that IT service delivery problems remain the second most common problem
• 38% point to problems relating to staff with inadequate skills
• 30% reported problems anticipating the return on investment (ROI) for IT expenditures
• The study is a follow-up to ITGI’s 2003 and 2005 surveys and tracks IT governance trends over the past four years

151. ISACA Global Status Report 2K8 (cont’d)
• Survey sample: researchers contacted CIOs and chief executive officers (CEOs). The total number of interviews conducted was 749, of which 652 were from a random sample of organizations, 71 were known COBIT users and 26 were experienced COBIT users.
• Global reach: the interviews were conducted worldwide (in 23 countries), and all continents/regions were represented.
152. New Ways of Implementing IT Governance
Lifecycle approach that synergises COBIT, Val IT and Risk IT

153. Implementing IT Governance Life Cycle

154. Lifecycle Phase Walkthrough
Phases:
• What are the drivers?
• Where are we now?
• Where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there?
• How do we keep the momentum going?

155. What Are the Drivers?
• Goal of phase:
  – Outline the business case
  – Identify stakeholders, roles and responsibilities
  – IT Governance program “wake-up call” and communication kick-off
• Need for new or improved IT Governance organization recognized in pain points and/or trigger events
• Pain points analyzed for root cause, and opportunities looked for during trigger events
• Root causes and opportunities provide the business case for improved or new IT Governance initiatives

156. Trigger Events
• Merger, acquisition or divestiture
• An enterprise-wide governance focus
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy
• New regulatory or compliance requirements
• Significant technology change or paradigm shift

157. Common Pain Points
• Failed IT initiatives
• Rising costs
• Resource waste through duplication or overlap in IT initiatives
• Perception of low business value from IT investments
• Significant incidents related to IT risk (e.g., data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Insufficient IT resources
• IT staff burnout/dissatisfaction
• IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Hidden and/or rogue IT spending
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
  158. 158. Where are we now? • Define the Problems and Opportunities – See paint point causes and trigger event opportunities • Form Powerful Guiding Team – Knowledgeable about the business environment – Have insight into influencing factors • Assess the Current State – Identify IT goals and their alignment with enterprise goals – Identify the most important processes – Understand management’s risk appetite – Understand the maturity of existing governance and related processes February 2013 Developed by @goudotmobi 158
  159. 159. Where do we want to be? • Define the Roadmap – Describe the high level change enablement plan and objectives • Communicate Desired Vision – Develop a communication strategy – Communicate the vision – Articulate the rationale and benefits of the change – Set the “tone at the top” • Define Target State and Perform Gap Analysis – Define the target for improvement – Analyze the gaps – Identify potential improvements February 2013 Developed by @goudotmobi 159
  160. 160. What Needs to be done? • Develop Program Plan – Prioritize potential initiatives – Develop formal and justifiable projects – Use plans that include contribution and program objectives • Empower Role Players and Identify Quick Wins – High Benefit, easy implementation should come first – Obtain buy-in by key stakeholders affected by the change – Identify strengths in existing processes and leverage accordingly • Design and Build Improvements – Plot improvements onto a grid to assist with prioritization – Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks February 2013 Developed by @goudotmobi 160
161. How Do We Get There?
• Execute the plan
  – Execute projects according to an integrated program plan
  – Provide regular update reports to stakeholders
  – Document and monitor the contribution of projects while managing the risks identified
• Enable operation and use
  – Build on the momentum and credibility of quick wins
  – Plan the cultural and behavioral aspects of the broader transition
  – Define measures of success
• Implement improvements
  – Adopt and adapt best practices to suit the organization's approach to policy and process changes
162. Did We Get There?
• Realize benefits
  – Monitor the overall performance of the program against business case objectives
  – Monitor and measure the investment performance
• Embed new approaches
  – Provide the transition from project mode to "business as usual"
  – Monitor whether new roles and responsibilities have been taken on
  – Track and assess the objectives of the change response plans
  – Maintain communication and ensure communication between the appropriate stakeholders continues
• Operate and measure
  – Set targets for each metric
  – Measure metrics against targets
  – Communicate results and adjust targets as necessary
163. How Do We Keep the Momentum Going?
• Continual improvement
  – Keeping the momentum is critical to sustaining the lifecycle
• Review the program benefits
  – Review program effectiveness through a program review gate
• Sustain
  – Conscious reinforcement (reward achievers)
  – Ongoing communication campaign (feedback on performance)
  – Continuous top management commitment
• Monitor and evaluate
  – Identify new governance objectives based on program experience
  – Communicate lessons learned and further improvement requirements for the next iteration of the cycle
164. Identifying Challenges
165. Change Enablement
• Guidance provided at each lifecycle phase
• Based on Kotter's change model
  – Establish a sense of urgency
  – Form a powerful guiding coalition
  – Create and communicate a clear vision, expressed simply
  – Empower others to act on the vision, identifying and implementing quick wins
  – Enable use and implement improvements / produce more change
  – Institutionalize new approaches
  – Sustain
166. Program Management Guidance
• Guidance provided at each lifecycle phase
  – Initiate program
  – Define problems and opportunities
  – Define roadmap
  – Develop program plan
  – Execute plan
  – Realize benefits
  – Review program effectiveness
• Detailed guidance is provided by Val IT
167. RESOURCE MANAGEMENT
168. Considerations in a Sourced Environment
• Sourcing strategy
• Contract management
• Finance management
• Relationship management
• Performance management
169. Sourcing Strategy
• Part of the IT strategic plan
• Inventory of critical supplier relationships
• Updated based on changes to business, IT or supplier strategies
• May contain intervention plans
170. Contract Management
• Initial negotiation and in-life change management
• Defines services and quality
• Defines ownership of intellectual property
• Compliance with law and policy
• Audit rights
171. Contract Change Management
• Required either by changing business needs or to address ambiguity in the contract
• Should be viewed as a negotiation
• Each party will attempt to obtain concessions it did not get previously, so value is at risk
• Rely on relationship management for smaller changes to avoid this risk
172. Intellectual Property
• Supplier IP may be used to deliver efficiencies ($)
• However, use of supplier IP may limit sourcing flexibility (lock-in)
• Who owns process "know-how", and does this change over time?
• What risk does this represent?
173. Intellectual Property Mitigations
• Inventory, inventory, inventory
  – IT processes supporting the business
  – Materials (documents, rights, etc.)
• Risk management discussion with the business
• Seek legal help
• Follow up!
174. Audit Rights
• Business requirements drive the specifics
• Must be in the initial contract; they are hard to obtain afterwards (see Contract Change Management)
• For supplier shared services, rely on a SAS 70 Type II report (since 2011 superseded by the SSAE 16 / SOC 1 Type II report, which covers controls over a period rather than at a point in time)
• Audit rights should be unlimited and at no cost
175. Finance Management
• Deal financials reporting
• Invoice verification
  – Service receipt
  – Credits
  – Incentives
• Internal cost recovery
176. Finance Management (cont'd)
• This is THE PLACE to receive an independent confirmation of IT value delivery
• Budgets are a very unforgiving reality check!
177. Relationship Management
• Overall supplier management
• Monitor business needs
• Communication forums
• Issue management
• Risk management
• Project management
178. Risk Management
• An IT governance process to evaluate supplier financial, service delivery, relationship and information security risks in total, not category by category
• As before, a translation from technical risk to business risk is usually needed here
• Probability x Business Impact can be used as the metric; the business, not IT, should supply the impact rating
• This can be a powerful tool to use with suppliers, because they speak that lingua franca as well
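The Probability x Business Impact scoring described above, carried through to a supplier-level view, as an added example that is not part of the original course material. The supplier names, risk entries, 1-5 scales, rating bands and the risk-appetite threshold are all constructed for illustration; the only point taken from the slide is that IT assesses probability, the business supplies impact, and the result is aggregated per supplier across the four risk categories.

```python
"""Supplier risk register scored as Probability x Business Impact.

Added example (not from the course material). All suppliers, risk entries
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# The four risk categories the slide says must be evaluated "in total".
CATEGORIES = ("financial", "service_delivery", "relationship", "information_security")


@dataclass(frozen=True)
class Risk:
    supplier: str
    category: str
    description: str
    probability: int  # 1 (rare) .. 5 (almost certain); assessed by IT
    impact: int       # 1 (negligible) .. 5 (severe); supplied by the business

    def score(self) -> int:
        """Probability x Business Impact, with range validation."""
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be on a 1..5 scale")
        return self.probability * self.impact


def rating(score: int) -> str:
    """Map a 1..25 score onto the (assumed) heat-map bands."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def exposure_by_supplier(register: list[Risk]) -> dict[str, dict]:
    """Aggregate scores per supplier: total exposure and the single worst risk.

    Reporting both matters: a supplier with many medium risks can have a
    higher total than one with a single critical finding, and governance
    wants to see both views.
    """
    out: dict[str, dict] = defaultdict(lambda: {"total": 0, "highest": None})
    for risk in register:
        s = risk.score()
        entry = out[risk.supplier]
        entry["total"] += s
        if entry["highest"] is None or s > entry["highest"].score():
            entry["highest"] = risk
    return dict(out)


def above_appetite(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks at or above management's risk appetite, worst first."""
    hot = [r for r in register if r.score() >= appetite]
    return sorted(hot, key=lambda r: r.score(), reverse=True)


# Constructed sample register (hypothetical suppliers and findings).
REGISTER = [
    Risk("Acme Hosting", "information_security", "Backup media not encrypted at rest", 4, 4),
    Risk("Acme Hosting", "financial", "Going-concern note in last audited accounts", 2, 5),
    Risk("Acme Hosting", "service_delivery", "Single data centre, DR plan never tested", 3, 5),
    Risk("Acme Hosting", "relationship", "Third account manager in twelve months", 3, 2),
    Risk("Beta Payroll", "information_security", "Shared admin credentials on payroll portal", 3, 5),
    Risk("Beta Payroll", "service_delivery", "SLA missed in 2 of the last 6 months", 4, 3),
    Risk("Beta Payroll", "financial", "Invoices not reconciled against service credits", 2, 2),
]

if __name__ == "__main__":
    for supplier, entry in exposure_by_supplier(REGISTER).items():
        worst = entry["highest"]
        print(f"{supplier}: total {entry['total']}, worst {worst.category} "
              f"({worst.score()}, {rating(worst.score())}): {worst.description}")
    print("Above appetite (>= 12):")
    for r in above_appetite(REGISTER, appetite=12):
        print(f"  {r.score():>2} {rating(r.score()):<8} {r.supplier} / {r.category}")
```

The impact column is deliberately a separate input rather than something derived from the technical finding: that is the "translation" step the slide refers to, and keeping it explicit is what lets the same register be discussed with the supplier in business terms.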
179. Project Management
• Good project management helps assure value delivery
• Define "project" versus "daily work" in the contract, since the distinction decides what is billable
• Linked to finance management (paying project costs) and service delivery (assuring project deliverables)
180. Performance Management
• Aligning service delivery requirements
• Managing and reporting against SLAs
• Management of individual projects
• Work prioritization
181. Best Practices for IT Governance
IT governance has become significant due to:
• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking
182. Best Practices for IT Governance (cont'd)
Audit role in IT governance
• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries
183. Best Practices for IT Governance (cont'd)
• In accordance with the defined role of the IS auditor, the following aspects of IT governance need to be assessed:
  – Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
  – Achievement by the IS function of the performance objectives established by the business (e.g., effectiveness and efficiency)
  – Legal, environmental, information quality, fiduciary, security and privacy requirements
  – The control environment of the organization
  – The inherent risks within the IS environment
  – IT investment/expenditure
184. Auditing IT Governance
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors
185. IT Governance Audit Planning
• Audit team composition
• Audit criteria
• Learning from the balanced scorecard approach
186. Audit Team Composition
• Leadership: business or IT?
  – Independence of the audit supervisor and the auditor in charge is a must
• Beware of setting up an audit team that itself reflects the corporate IT governance issues under review
• Consider sourcing knowledgeable auditors externally
187. IT Governance Audit Criteria/Standards
• IIA governance auditing standards
• ISACA / ITGI IT governance auditing guidelines
• ITGI Risk IT framework
• ITGI Val IT framework
• << Insert your company business policies here >>
188. Learnings from the Balanced Scorecard
• Consider IT governance from various business points of view (1)
  – Corporate
  – Customer
  – Operational excellence
  – Future / sustainability

1. "Measuring and Improving IT Governance Through the Balanced Scorecard", Information Systems Control Journal, Volume 2, 2005
189. Balanced Scorecard: Corporate View

Objective                 Example Metrics
Business/IT Alignment     Operational budget approval
Value Delivery            Business unit performance
Cost Management           Attainment of expense and recovery targets
Risk Management           Results of internal audits
Intercompany Synergy      Single-system solutions
190. Balanced Scorecard: Customer View

Objective                 Example Metrics
Customer Satisfaction     Business unit survey ratings
Competitive Costs         Attainment of unit cost targets
Development Performance   Major project scores
Operational Performance   Attainment of targeted service levels
191. Balanced Scorecard: Operational View

Objective                 Example Metrics
Development Process       Function point measures
Operational Process       Change management effectiveness
Process Maturity          Maturity level of IT processes
Enterprise Architecture   State-of-the-infrastructure assessment
192. Balanced Scorecard: Future View

Objective                  Example Metrics
Human Resource Management  Staff turnover
Employee Satisfaction      Satisfaction survey scores
Knowledge Management       Implementation of lessons learned
193. Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures