IT Governance
Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT

Background
Some thoughts on how IT risk, control, audit and assurance are evolving toward the broader concept of IT governance; why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business; and how it fits into the broader concept of enterprise governance and how management and boards can address it.

What IT problem?
- Are they doing the right things?
- Are they doing them the right way?
- Are they being done well?
- Are we getting benefits?

What does the board do?
IT governance is the responsibility of the Board of Directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

How does management react?
- Cascading strategy and goals
- Organizational alignment
- A control framework
- Balanced business scorecard

Agenda
- Stakeholders
- Governance framework
- IT alignment & value delivery
- Performance measurement
- Risk management
- Security
- Conclusions

Stakeholders
Stakeholders apply pressure:
- Shareholders and executive - lower cost, higher profitability and increased market share
- Customers and staff - more functionality at lower cost and greater ease of use
- Society - greater accountability for officers and executives in both the private and public sectors

What are customers saying?
- Guarantee of delivery
- Customer loyalty
- Ease of use
- Customer service
- Security

How about the regulators?
- The Federal Reserve, SEC and now Congress and the Treasury
- The focus is now on operational risks (in which security and IT are significant)
- All major risk issues have been caused by breakdowns in:
  - Internal controls
  - Oversight
  - Information technology

The President’s Commission on Critical Infrastructure Protection
Concern for the extreme dependence of industry on IT. Two recommendations:
- Awareness of senior company officers
- Need to address three technical improvements:
  - Authenticate
  - Segregate
  - Make accountable

President Obama’s views on IT
- Transparency and connectedness
- Network neutrality
- Information sharing
- Modern communications infrastructure
- Modernize public safety networks
- Employ science, technology and innovation to address key issues, particularly in the area of health

How about standards?
- Cadbury: “…strengthen internal control…Boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
- Turnbull: “…Board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”
- BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

And what does management think?
- “IT has been the longest running disappointment in business in the last 30 years!” - Jack Welch, CoB, GE
- “Technology can help fulfill a visionary dream, but often its use is closer to a sobering nightmare!” - Vesa Vainio, CEO, Merita Bank
- “That must be why we are not shipping Windows yet!” (and NT, 2000, XP, Vista, …) - Bill Gates, CEO, Microsoft
- Insert your own CoB/BoD/CEO/CIO/CTO’s comments here - _________________________________________________________

Why get into governance?
- “Due diligence”
- IT is critical to the business
- IT is strategic to the business
- Expectations and reality don’t match
- IT hasn’t gotten the attention it deserves
- IT involves huge investments and large risks

Due diligence
- Infrastructure and productive functions
- Skills, culture, operating environment
- Capabilities, risks, process knowledge and customer information
- Service levels

IT is critical to most businesses
This criticality arises from:
- The increasing dependence on information and the systems/communications that deliver it
- The dependence on entities beyond the direct control of the enterprise
- IT failures increasingly impacting reputation and enterprise value
- The potential for technology to change business organizations and practices, create new opportunities and reduce costs
- The risks of doing business in an interconnected world
- The need to build and maintain knowledge essential to sustain and grow the business

IT is strategic to most businesses
If so, wouldn’t you want to know whether your organization’s IT is:
- Likely to achieve its objectives?
- Resilient enough to learn and adapt?
- Judiciously managing the risks it faces?
- Appropriately recognizing opportunities and acting on them?

Expectations
- Harness and exploit IT to deliver business value
- Provide fast development, with appropriate quality and with security
- Ascertain that IT investments have a quantitative return and that IT does more with less
- Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office

Reality
- Business losses, damage to reputation, or a weakened competitive position
- Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
- The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
- Technology that is inadequate for the enterprise or obsolete too soon
- Poor support for the business
- Deadlines that are not met
- Costs that are higher than expected while quality and efficiency are lower than anticipated

Why hasn’t IT received the attention it merits?
- IT requires more technical insight than other disciplines do to understand how it:
  - Enables the enterprise
  - Creates risks
  - Gives rise to opportunities
- IT has traditionally been treated as an entity separate from the business
- IT is complex, and even more so in the extended enterprise operating in a networked (i.e., GLOBAL) economy

IT involves huge investments and risks
- October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.
- August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
- 1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
- October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.

(Son of) IT involves huge investments and risks
- PayPal: “Why are there still so many problems with PayPal? I thought that class action lawsuit against it a few years back settled all of this stuff!”
- eBay: Reputation and image deteriorate from both the seller’s and the buyer’s perspectives.
- Sept. 2008: Lehman Brothers filed for Chapter 11 bankruptcy protection; the filing marked the largest bankruptcy in U.S. history.
- Dec. 2008: A Federal Judge appointed Irving Picard as Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC (BMIS) pursuant to the Securities Investor Protection Act (SIPA).

What should boards do about it?
- Be driven by stakeholder value
- Adopt an IT governance framework
- Ask the right questions
- Focus on IT’s:
  - Alignment with the business
  - Value delivery
  - Risk management
- Measure results

Diagram: the IT governance focus areas - stakeholder value drivers, IT strategic alignment, IT value delivery, risk management and performance measurement.

What should management do about it?
- Align IT strategy with business goals
- Cascade strategy and goals down into the organization
- Set up organizational structures that facilitate strategy implementation
- Adopt a control and governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organization
- Focus on important IT processes and core IT competencies
- Measure performance (balanced business scorecard)

IT governance defined (1)
Responsibility of the board of directors:
- It protects shareholder value
- It ensures risk transparency
- It directs and controls IT investment, opportunity, benefits and risks
- It aligns IT with the business
- It sustains the current operation and prepares for the future
- It is an integral part of a global governance structure

IT governance defined (2)
IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the Board of Directors). It consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

IT governance framework
Diagram: a closed loop - set measurable goals, deliver against the goals, measure performance, compare results, act if not aligned.

IT governance framework
Diagram: the board sets objectives and provides direction to the IT activities, measures performance and compares the results against the objectives.
Objectives:
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT risks are managed appropriately
IT activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)

IT alignment
Diagram: business strategy and IT strategy, business operations and IT operations, linked by alignment activities.

IT Value Delivery
IT risk management
The board should manage enterprise risk by:
- Ascertaining that there is transparency about the significant risks to the organization
- Being aware that the final responsibility for risk management rests with the board
- Being conscious that risk mitigation can generate cost-efficiencies
- Considering that a proactive risk management approach creates competitive advantage
- Insisting that risk management is embedded in the operation of the enterprise

Risk management expands …
- Risk allocation - contracts, SLAs, etc.
- Risk mitigation - security & control practices
- Risk transfer - insurance & liability
- Risk assurance - audit & certification
- Risk acceptance - formal, transparent

IT balanced scorecard
Diagram: four perspectives arranged around Information - Financial, Customer, Process and Learning - each with its Goals and Measures.

Example of IT measures (Information at the centre of the scorecard)
Financial:
- # of IT customers
- Cost per IT customer
- Cost-efficiency of IT processes up
- Delivery of IT value per employee
Customer:
- Satisfaction of existing customers
- # of new customers reached
- # of new service delivery channels
Process:
- Availability of systems & services
- Developments on schedule & budget
- Throughput & response times
- Amount of errors and rework
- Level of service delivery up
Learning:
- Staff productivity & morale
- # of staff trained in new technologies/services
- Value delivery per employee up
- Increased availability of knowledge systems

Scorecard objectives
- Demonstrate the value added by the IT organization
- Establish a balanced set of measures for determining the effectiveness of the IT organization
- Set guidelines for creating the IT strategic plan and linking it into operational plans
- Communicate and motivate IT performance in key areas as required by the business and its stakeholders
- Establish a framework for IT management reporting

Information security
- Know what questions to ask
- Know what is needed
- Raise the awareness at the top
- Have clarity of purpose
- Measure your performance
- Keep on doing it

Samples from CobiT
The following slides, describing IT security, are examples “borrowed” from the CobiT Framework.

Information security: some questions for the board room (Know what questions to ask)
- Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Does anyone know how many computers the company owns? Would management know if some went missing?
- Does anyone know how many people are using the organisation’s systems? Does anybody care whether they are allowed or not, or what they are doing?
- Did the company suffer from the latest virus attack? How many did it have last year?
- What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
- Is management concerned that company confidential information can be leaked?
- Has the organisation ever had its network security checked by a third party?
- Is IT security a regular agenda item on IT management meetings?

IT security requirements (Know what’s needed)
Business drivers:
- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network-centric business models
- Leverage VPN, remote access, collaborative tools
Manage risk:
- Internet - UNIX - TCP/IP
- More hackers, more tools
- Increased dependency on IT
Leverage opportunities:
- E-cash, e-commerce, e-tc.
- Open, modular, scalable
- Security a commodity
Technology drivers:
- Managing networked client/server systems
- “Provenance” control
- Non-sharable information
- Profiling users
- Trust…

How to sell to top management (IT security awareness: raise the awareness at the top)
Different styles depending on function:
- FUD
- Cost reduction
- Responsibility
- Differentiator
- Cost of security
- Strategic approach - benchmark - gap analysis - choices

Cost of IT security (Have a clarity of purpose)
Chart: cost of security and control as a share of the IT budget, plotted against the maturity of the operation, with the cost of noncompliance shown alongside.
- Maturity stages on the chart: “Cowboy” operation, Baseline operation, Good practice, Industry reference site (= driver for change)
- Percentages shown: 5 - 10%, 20 - 25%, 45 - 50%, 55%
- Other labels: Cost of noncompliance, Benchmarking, Leadership

IT security performance (Measure your performance)
Diagram: security management layered as Policy, Process, and Tools & Technology, assessed across six weighted dimensions (weights total 100):
1. Policies & procedures - 10
2. Security management - 10
3. Human behaviour & culture - 20
4. Application security - 20
5. System access control - 20
6. Network segregation - 20
Legend for ranking used:
- 5 - Excellent: best possible, highly integrated
- 4 - Very good: advanced level of practice
- 3 - Good: moderately good level of practice
- 2 - Fair: some effort made to address issues
- 1 - Poor: recognise the issues
- 0 - Very poor: complete lack of good practice
Chart: overall score (0-100) by year, 1996-2001; values plotted: 42, 48, 64, 76, 88, 92, 96.
Legend for symbols used:
- Average of best security performers in the financial industry (begin ’96)
- Company status - Feb ’97
- Company objective for 2001

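The six weighted dimensions and the 0-5 rating legend on this slide define a simple scoring model, and the “benchmark - gap analysis - choices” approach on the earlier slide is how the score gets used. As an added example, not code from the presentation or from CobiT, the Python below computes the weighted 0-100 score and a per-dimension gap to a benchmark profile. The mapping of weights to dimensions follows the slide’s order and is an assumption, and both rating profiles are constructed for illustration.

```python
"""Weighted IT-security maturity score on the slide's 0-100 scale.

Added example (not from the presentation). Dimension names and weights are
taken from the slide in slide order; the weight-to-dimension mapping is an
assumption, and the rating profiles below are constructed.
"""

# Dimension -> weight. Weights sum to 100, so a profile rated 5 everywhere scores 100.
WEIGHTS = {
    "Policies & procedures": 10,
    "Security management": 10,
    "Human behaviour & culture": 20,
    "Application security": 20,
    "System access control": 20,
    "Network segregation": 20,
}

# Rating legend from the slide.
RATING_LEGEND = {0: "Very poor", 1: "Poor", 2: "Fair", 3: "Good", 4: "Very good", 5: "Excellent"}
MAX_RATING = 5


def maturity_score(ratings: dict[str, int]) -> float:
    """Weighted score: sum(weight * rating / MAX_RATING), range 0..100.

    Every dimension must be rated with an integer in 0..5; a missing, unknown
    or out-of-range rating is rejected rather than silently scored as zero.
    """
    missing = set(WEIGHTS) - set(ratings)
    extra = set(ratings) - set(WEIGHTS)
    if missing or extra:
        raise ValueError(f"dimensions mismatch: missing={sorted(missing)}, extra={sorted(extra)}")
    for dim, r in ratings.items():
        if not isinstance(r, int) or not 0 <= r <= MAX_RATING:
            raise ValueError(f"{dim}: rating must be an integer 0..{MAX_RATING}, got {r!r}")
    return sum(WEIGHTS[d] * ratings[d] / MAX_RATING for d in WEIGHTS)


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[tuple[str, int, float]]:
    """Per-dimension gap to a target profile, largest weighted gap first.

    Returns (dimension, rating steps short, score points recoverable). Because
    of the weighting, one step on a 20-point dimension is worth 4 points and
    one step on a 10-point dimension only 2, which is what drives the 'choices'.
    """
    rows = []
    for d in WEIGHTS:
        steps = target[d] - current[d]
        if steps > 0:
            rows.append((d, steps, WEIGHTS[d] * steps / MAX_RATING))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed profiles (not the company's real ratings).
CURRENT = {
    "Policies & procedures": 1,
    "Security management": 2,
    "Human behaviour & culture": 2,
    "Application security": 2,
    "System access control": 3,
    "Network segregation": 2,
}
BENCHMARK = {d: 5 for d in WEIGHTS}
BENCHMARK["Human behaviour & culture"] = 4
BENCHMARK["Network segregation"] = 4

if __name__ == "__main__":
    print(f"current score:   {maturity_score(CURRENT):.0f}")    # 42
    print(f"benchmark score: {maturity_score(BENCHMARK):.0f}")  # 92
    for dim, steps, points in gap_analysis(CURRENT, BENCHMARK):
        print(f"  {dim:<26} +{steps} step(s) -> +{points:.0f} points")
```

The gap table is the useful output for a board conversation: it ranks where a single rating step buys the most score, which is a more defensible basis for the “choices” step than the headline number alone.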
IT security is a continuous effort (Keep on doing it)
Diagram: a cycle of five activities, repeated continuously - issue security policy, design security defenses, perform active monitoring, perform intrusion testing, security management.

IT governance summarized: objectives
- To understand the issues and the strategic importance of IT
- To ensure that the enterprise can sustain its operations
- To ascertain that it can implement the strategies required to extend its activities into the future
Goal: ensuring that expectations for IT are met and IT risks are mitigated.

IT governance summarized: position
Within broad governance arrangements that cover relationships between the entity’s management and its governing body, its owners and its other stakeholders, and that provide the structure through which:
- The entity’s overall objectives are set
- The method of attaining those objectives is outlined
- The manner in which performance will be monitored is described