Value-centric approach to governance, risk & compliance
1. A Value-Centric Approach to Governance, Risk & Compliance
Aaron Weller, CGEIT
CEO, Concise Consulting
aaron.weller@conciseconsulting.com
@GotPrivacy
2. Last Slide First
1. IT departments too often focus on delivering something rather than delivering value
2. Risk and Compliance often distract from Governance rather than complementing it
3. Good Governance models exist. Wheel invention skills are not required.
4. Governance is important but not urgent. Find ways to make it urgent.
5. Measure things. Ideally, useful things.
3. The Information Paradox
• More and more businesses see IT as absolutely vital to their continued success and ability to operate.
• More and more money is being invested in IT (albeit with a temporary blip in the last couple of years).
• Yet… a large proportion of IT investments fail to deliver what was expected.
• Q: What is missing?
4. A: Focus on VALUE
How often does the question get asked:
“Are we maximizing the value of our IT-enabled business investments such that:
– We are getting optimal benefits
– At an affordable cost
– With an acceptable level of risk
…over the full economic life cycle of the investment?”
5. Our Track Record
• 62% of organizations experienced IT projects that failed to meet their schedules
• 49% had budget overruns
• 47% had higher-than-expected maintenance costs
• 41% failed to deliver expected business value and ROI
• 25%+ of all software and services projects are canceled before completion
• Up to 80% of budgets are consumed fixing self-inflicted problems
Remember that every piece of technology you run today was part of an implementation project at some time!
7. Key Takeaway
Governance, Risk and Compliance should not be 3 separate activities. They should be 3 aspects of the same activity.
Governance of Enterprise IT directs the IT organization to achieve business objectives, manage risks to those objectives and achieve compliance with laws and regulations.
8. IT change (typically) < business change
• The large majority of IT change results in even more significant change in the business that it supports.
• Governance is as much about understanding how IT can help to achieve overall business goals as it is about optimizing what IT does.
• There is nothing so useless as doing something well which does not need to be done.
9. What does your organization want from IT?
1. Utility Provider – primary purpose is to provide common infrastructure and information management services.
2. Process Optimizer – has two primary purposes: provide a common infrastructure and information management, as well as help optimize business processes and enable business-unit-specific objectives.
3. Revenue Enabler – has three primary purposes: common information management services, business process optimization, as well as enabling customer-facing products and services.
Source: www.itpi.org
10. Enabling Broader IT Strategy
[Diagram: three overlapping sets – Services Required Tomorrow, Services Required Today, Services Offered Today]
• Identify gaps
• Prioritize business requirements
• Develop plans to migrate from current state to desired state
• Track and communicate progress in terms of business value
11. Steps to Governance
• Creating the right environment for Governance
– Guiding principles
– Framework for accountability
– Measuring results
• Implementing a lifecycle approach
– Aligning with the ‘rhythm of the business’
– A journey, not a destination
13. One View of IT Governance
[Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
Source: ISACA Board Briefing on IT Governance
14. Another View – 6 Principles
1. Responsibility: Individuals and groups understand and accept their responsibilities
2. Strategy: Business strategy takes into account current and future capabilities of IT
3. Acquisition: IT acquisitions are made for valid reasons with balance between short and long term goals
4. Performance: IT is fit for purpose in supporting the organization.
5. Conformance: IT conforms with all mandatory legislation and regulations.
6. Human Behavior: IT policies, practices and decisions demonstrate respect for human behavior.
Source: ISO 38500 – Corporate Governance of IT
16. Two key governance outcomes
1. Delivering IT value to the business
2. Mitigating IT-related risks
17. Another View of GRC
[Diagram: layered view of GRC – Responsibilities, Principles, Objectives, Controls, Test Plans]
18. Quick note on Risk Assessments
Best Practices are intended as the default for use by people who don’t have the time or skill to perform a proper risk assessment.
– Gene Schultz
19. Why Use Metrics?
There are two possible outcomes: if the result confirms your hypothesis, then you've made a measurement. If the result is contrary to your hypothesis, then you've made a discovery.
– Enrico Fermi
21. CMM For Metrics
Focus | Sample Metrics | What gets reported
Optimization | Real-time alerts and reporting based on baselines and trends
Efficiency | Effort to respond to each incident
Baseline | Baselines set; reports based on trending and baselines
Trending | Type detected; severity; resolution time
Activity | # of policies documented; # detected per week/month/year
22. What should be measured?
• Key Compliance Indicators
• Key Risk Indicators
• Key Governance Indicators
1. Activity level?
2. Baseline level?
3. Efficiency level?
23. Good governance works
A survey on IT governance conducted by ISACA and PwC found a positive statistical correlation between the maturity of IT governance practices and the outcomes delivered by IT.
– When IT governance practices are more advanced, IT outcomes are better
– Similarly, a lower state of advancement of IT governance practices correlates with poorer IT outcomes
24. But can be challenging to achieve
Only 38 percent of executives/senior management can describe their enterprise’s IT governance process. This is largely because in most cases, IT governance has not been designed; it has just developed ‘piecemeal’ in response to specific issues. [IT Governance, Weill and Ross]
Only 40% of approved projects have realistic benefit statements.
<10% of enterprises ensure that benefits are realized post-project.
<5% of enterprises hold project stakeholders responsible for achieving planned benefits. [META Group]
In many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that bring value to the enterprise. [Butler Group]
25. “Two roads diverged in a wood, and I … I took the one less traveled by, and that has made all the difference.”
26. Last Slide Last
1. IT departments too often focus on delivering something rather than delivering value
2. Risk and Compliance often distract from Governance rather than complementing it
3. Good Governance models exist. Wheel invention skills are not required.
4. Governance is important but not urgent. Find ways to make it urgent.
5. Measure things. Ideally, useful things.