Superior it governance with iso 38500.key

creating lasting value

IT GOVERNANCE WITH ISO 38500

firms with effective IT governance have 20% higher profits
than their competitors (MIT, 2009)

Gooimeer 4
1411 DC Naarden
Netherlands
Tel: +31 35 6783922
+31 614 026 541
Web: www.bastagroup.nl
Email: office@bastagroup.nl

BastaGroup bv 2010 ¥- -
MATS BEEM @

Content

• introduction
• the courses & workshops
• why should I have IT governance at all?
• why ISO 38500?
• ISO 38500: for whom?
• the 6 principles
• the model
• evaluating, directing and monitoring

BastaGroup bv 2011

• these are the supporting slides, used in a half-day
introductory course on ISO 38500
• ISO 38500
‣ has a stakeholder rather than shareholder focus
‣ tells you what you should have, not how you should
do it, but some have far reaching consequences
• some suggestions on how to implement are included.
• Our implementation guideline comes with an
implementation workshop.

BastaGroup bv 2011 3

The courses and the workshops

introduction to IT ½ day, max 15 participants
governance with ISO 38500

ISO 38500 gap analysis 2 day training, 8 hours
training & workshops preparations + homework, 2
day workshop. 3-7 participants

ISO 38500 implementation 2 day training, + homework, 2
training & workshop day workshop. 3-7 participants


• IT is a business responsibility*
• effective use of IT requires effective governance
for value delivery & IT impact risk management
• ISO 38500 compliance requires formalised
governance as you need to be able to
demonstrate that you comply
• existing IT governance frameworks (like BiSL)
- do not address the board & director level or
are too complex (COBIT)
- are more suited to a bottom up extension to
ISO 38500, than to be used on their own
- are more IT’ish

*According to ISO 38500: “Responsibility for specific aspects of IT may be delegated to managers within the
organization. However, accountability for the effective, efficient and acceptable use and delivery of IT by an organization
remains with the directors and cannot be delegated.:


Different studies show:
• when true costs are added up only 20% of projects with a
positive ROI (Mercer, 2001, BASTA 2004-2010)
• only 32% succeeded (Standish Group 2009), even worse
than 2002 with 34% successful
• estimated over $50 Billion write-offs per year on IT
projects (Standish Group)
• after software development projects have been delivered:
• the estimated costs of software defects are still $60
Billion annually (USA, National Institute of Standards and
Technology, 2002)
but:
• results with very experience project managers and good
governance are twice as good (Chris Sauer 2007, Mats Beem 2010)
• firms with effective IT governance have 20% higher
profits than their competitors (MIT, 2009)


Failing IT can have major impact on the bottom line
and can even cause the company to fail

example, case CETECO:

• during explosive growth, a software implementation
failed

• as a result the company no longer had insight in
who owed them money or who had payed

• the company is now bankrupt and all directors have
been sentenced to pay damages to the
shareholders (current estimation €190 Million)


ISO 38500: for whom?

Internal:

• all of senior management (all the way up to the
supervisory and executive boards)

• auditors

• internal service providers

External:

• advisors/specialists
• service providers
• auditors


ISO 38500: what is it for?

Board of Directors:

- assurance that you can have confidence in your IT
governance as part of your corporate governance

All directors:

- guidance in how to govern IT
Auditors and directors:

- basis for objective evaluation of IT governance


ISO 38500: the principles

1. responsibility

2. strategy

3. acquisition

4. performance

5. conformance

6. human behaviour


ISO 38500: responsibility

the responsibility principle:

- understanding (‘what is included’ and
‘what does the responsibility mean’) and
accepting (‘I agree that I am responsible’
and ‘I feel responsible’) responsibility for
supply and demand of IT

- those who have the responsibility also
have the authority (explicit and well
documented, part of the normal, overall
command structure)


ISO 38500:strategy

the strategy principle:

- business strategy takes into account current and
future capabilities of IT (does the strategy make
appropriate use of what IT can and cannot do, does
the strategy take into account what needs to be
changed in IT in order to achieve the business
goals)

- the IT strategy takes into account current and future
business requirements (having been involved in
establishing current requirements and being
involved in regular evaluations, being involved in the
processes of business planning and strategic
planning)


ISO 38500:acquisition

the acquisition principle:

- IT is acquired for valid reasons (in line with business
& IT planning) based on appropriate and current
analysis (positive business case with regular
evaluations), with clear (unambiguous) and
transparent (process and reasoning are clear to all
who need to know) decision making

- there is appropriate balance between benefits,
opportunities, costs and risks, both in the short and
long term (‘does the business case take all of the
above into account?’)


ISO 38500:performance

the performance principle:

- IT is fit for purpose in supporting the
organisation, providing the right services at the
right service levels, for both current and future
requirements (‘there is no such thing as a good
car, a minivan, a truck, a sportscar all serve
different purposes, there is no such thing as
good IT, it needs to be ‘fit for purpose’)


ISO 38500:conformance

the conformance principle:

- IT complies with all mandatory legislation and
regulations (e.g.: security standards, privacy
legislation, spam legislation, trade practices
legislation, record keeping requirements,
environmental legislations, health and safety
legislation, accessibility legislaton, social
responsibility standards)


ISO 38500:human behaviour

the human behaviour principle:

- IT policies, practices and decisions
demonstrate respect for human behaviour,
including the current and evolving needs of all
the people in the process


Business Business
pressures needs
evaluate

direct Pro-
po
monitor
sals
Plans
& Perfor
Polici mance
es Confor
mance
Business processes

IT projects IT operations


Directors should govern IT through 3 main tasks:
✓ N.B.: not just the IT directors, but directors in general including the board
(s) (one of the starting points of ISO 38500 is that the director responsible
for IT is a business person).

✓ all three tasks are processes, that should be repeatable and that you should
be able to demonstrate that you have them and that they work

✓ if you organise the processes well, you get formal compliance (being able to
demonstrate compliance) for free, if you don’t organise them well, it will be
extra overhead, resulting in extra costs and lowered agility

1. give direction and manage, where should we go with IT: direct preparation
and implementation of plans and policies, to ensure that the use of IT meets
business objectives

2. check if it works, did we do what we planned: monitor conformance to
policies and performance against plans
3. judgement, how are we doing with IT: evaluate current and future use of IT.
Evaluation is beyond checking if you have done what you planned to do


ISO 38500 example where/how to implement -1

• strategy:
- have the IT director in on all meetings where you have business
directors & have actions & decisions documented of each
meeting
- at least once a year, organise a session, challenging the
business directors, IT director, BIM & architecture, to come up
with ways to address strategic business issues, solving problems
& coming up with possibilities to improve the competitive
position
- make sure business and IT make it a common activity
• business planning
directors & have actions & decisions documented of each
meeting
- organise a session (at least once a year), challenging the IT
director, BIM and architecture, to join forces with at least one
business director and his delegates, to come up with concrete
improvement plans based on the suggested ideas in the strategy
sessions


ISO 38500 example where/how
to implement -2
• portfolioplanning
directors
- have actions & decisions documented of each meeting
- have 3-7 (preferable 3-5) business programmes that are to implement
the business goals from the business plan
- have the business owners of the business goals be the business
owners of the programmes, be the chairpersons of the respective
steering committees
- it is likely, that IT plays a role in all programmes, make sure sessions
are organised, where the business programmes and ideas for
implementation are confronted with the best specialists in IT* in order
to get good estimates on consequences
- track progress on all programmes, document well
• IT budget
directors
- who has the benefit will pay the cost
- if benefit allocation is hard or impossible, who drives the cost will pay
the cost
- if owners of cost drivers are (too) hard to find, allocate costs by
generic overhead rules
- rule of thumb: maximum of 20% via general overhead**


ISO 38500 example where/how to implement -3

• business cases
- have the IT director in on all meetings where you have
business directors
- use discounted cashflows for each business case
- use a risk adjusted interest rates for all calculations
- close to your normal cost of capital for replacing something
you already have
- 1% up to 15% risk adjustment for individual projects,
depending on the specifics of the project
- calculating consequences for your financial accounts is a
separate exercise, that should not be the basis for decision
making
• ops review
- have the IT director in on all meetings where you have
business directors
- part of the agenda: tracking ops consequences of the portfolio,
get input from the portfolio-committee and give conclusions as
feedback


The ‘responsibility principle’ in practice:
• evaluate:
- ‘what are the options for assigning responsibilities?’ taking into
account the way IT should support the business & the
competencies of the people give those responsibilities
- business managers should be responsible, supported by IT
specialists. In order for them to be responsible and successful, the
business managers need to be IT savvy (be able to judge IT) and
IT managers need to be business savvy (at least understanding
business processes and values in the context of the business
strategy)
- direct: directors should assure that plans are carried out in line
with responsibilities and that they get the right information to
carry their (director’s) responsibility
• monitor: ‘are the right mechanisms in place?’ ‘do all understand and
take their responsiblity?’ ‘what is their performance?’


The ‘responsibility principle’ in practice -2:

• although the principle is clear, responsibilities in practice often aren’t,
how to solve it*? An example of a pragmatic approach that works (a
more detailed program is available):
• make 2 - 5 teams, 1-2 from IT, 1-3 from the business & a facilitator
that knows corporate governance, IT governance, ISO 38500 and
has hands on IT management and executive experience
• ask the IT teams to produce a list of their outputs for the business
and the business for a list of their expected outputs from IT
• ditto for the processes: what are the processes that create the
outputs according t IT and what according to the business
• create one list of outputs and processes in a combined IT/business
workshop
• in a second workshop: define the responsibilities per step, make sure
the authorities are aligned with the responsibilities
• confront the responsibility chart with the formal organisation and
resolve issues where necessary


The ‘strategy principle’ in practice -1:

• evaluate:

- regularly look at how IT and the business (processes) are
developing, ensuring that IT will provide for future business needs

- in all plans and policies, ensure that IT activities are in line with
requirements (possibly changing due to changing circumstances)
and risks are appropriately dealt with

• direct: directors must make sure that the organisation benefits from
IT, including innovative use of IT that is necessary to respond to new
challenges or opportunities

• monitor: directors should monitor progress of IT proposals (projects,
renewals) in all their aspects, including the achievement of it’s
intended benefits


The ‘strategy principle’ in practice -2:

(a more detailed program to set up IT-business alignment/integration is
available):

• IT needs to be in the process of strategy development and
understanding the strategy needs to be in the process of IT
development*

• this requires business savvyness in IT and IT-savvyness in business,
including the board

• Business Information Management and Architecture are the critical
functions to get right

• to get these functions right, you need the right competencies


ISO 38500: strategy, about
competencies

• some competencies can be learned or improved significantly but
some competencies can’t, they are more or less ‘ hardwired’ in the
individual’s brain
• if a competency that cannot be trained is essential for a certain
role, be sure to treat this competence or these competencies
separately (competence management frameworks typically do
not distinguish between the two (can be trained/cannot be
trained)!)
• 3 A’s and an F is still good on average, but an F for an essential
competence that is not trainable will always lead to failure
• ideally, all competencies mentioned per role/function will be present
in each employee with that role
• it is usually sufficient however, to have the competencies for the
role rather than the individual, as that makes it easier (but still
difficult) to get the right people
• in italics are the skills that everyone in the role should have
(distinguishing between technical- and business architects)
• there are some extra conditions to be met, that will be different in
each situation


ISO 38500: strategy, about competencies and
business IT alignment/integration

• 60-80% of IT project failures* can be contri- buted to poor
requirements, poor analysis, miscommunication. What to do:
- put together a program for (at least) senior IT staff, to
learn about the business
- ditto for teaching non-IT managers & directors enough
about IT (IT-savvyness programme)
- an IT ‘posting’ should be part of all career paths to the top
- don’t compromise on quality when hiring Business
Information Managers and architects (see next two slides)


Business Information Management:

• can conceptualise operational, technical & business issues

• can operationalise concepts (NOT the same as the above!)

• oversees the whole and understands how things are connected and
how they impact each other

• can explain a problem to different audiences, changes wording
accordingly

• score high on the “in basket” test

• know the business domains

• can visualise concepts


Architecture:

• technical architects:
- can conceptualise technical issues
- can operationalise technical concepts (NOT the same as the
above!)
- oversees the whole of the technology architecture and
understands how things are connected and how they impact
each other
- know about construction by theory and experience
• business architects:
- can conceptualise business issues
- can operationalise concepts (broader than just technical)
- oversees the whole and understands how things are connected
and how they impact each other
• translate business goals in technology solutions working with
technical architects and specialists
• score high on the “in basket” test


The ‘acquisition principle’ in practice:
• evaluate
- professional judgement of business cases (treated like other
business cases)
- look at IT alternatives for the proposed solution (there is always
an alternative)
- use the appropriate interest rate/IRR (internal rate of return):
cost of money in the financial markets: when there is risk, you
risk adjust (see SFB’s Return on IT presentation)
• direct
- have the right people involved (judgement, professional skills &
‘the numbers’ and use a professional process and documentation
• monitor
- make sure you can get the numbers from your financial system
exactly the way you made your business case
- involve suppliers enough in the process to have a common
understanding of why and under what conditions you want to
acquire
*our experience shows that responsibilities aren’t as well described as the board expects them to be


The ‘performance principle’ in practice
✓ fit for purpose: being able to judge if IT is ‘fit for purpose’, requires
alignment to function properly (see ‘the strategy principle’ and the
SFB presentation: ‘how to get business IT alignment right’)
✓ the focus on risk in ISO 38500‘s performance principle is best
addressed by having proper processes for the whole of IT in place
and get the risk management as a result. If all risk areas are
addressed in isolation, the cost usually rises and the agility will
suffer
- evaluate: are proposals for renewal or innovation addressing all
relevant issues and if we agree on the proposals, does it provide us
with the IT we need?
- direct: direct those responsible to make sure the business gets
what it needs when it needs it and make sure the right resourcing
is available
- monitor: can you actually conclude that you get the IT your
organisations needs? (supporting the business, right priority
resourcing, policies followed properly)


The conformance principle in practice:

• evaluate:
- conformance to internal policies and guidelines, regulatory, legal
and contractual obligations and to professional guidelines where
applicable
- conformance to the (organisation’s own) system of governance of
IT
• direct:
- those responsible to establish mechanisms that ensure compliance
with relevant obligations
- to ensure that policies exist and are enforced that enable the
organisation to comply with internal obligations
- that IT staff follow relevant guidelines for professional behaviour
and development
- actions relating to IT to be ethical
• monitor:
- compliance and conformance using appropriate reporting and audit
practices
- IT activities to ensure that all relevant obligations
are met


The human behaviour principle in practice:
• evaluate: ensure that human behaviours are identified and considered
• direct:

- It activities to be consistent with human behaviours
- that any issue (risk, opportunity, concern, generic issue etc) can
be raised by anyone at any time

- issues that are raised are addressed according to the rules
(policies, procedures) and escalated to the right level of decision
making
• monitor

- IT activities to ensure that identified human behaviours are
relevant and paid proper attention

- work practices, to ensure consistency with the right use of IT


BastaGroup
wie wij zijn

Gooimeer 4
1411 DC Naarden
Tel: 035 6783922
Web: www.bastagroup.nl
Email: office@bastagroup.nl

BastaGroup bv © maart 2011 Pagina

BastaGroup is een interimmanagement- en
adviesgroep van oud executives, directeuren en
senior managers

Wij onderscheiden ons door onze mensen die:
• die een gemeenschappelijke drive hebben: tastbaar, meetbaar,
zichtbaar en duurzaam waarde creëren voor haar klanten en de
mensen die daar werken
• een academische achtergrond hebben en model- en
conceptkennis met praktische ervaring combineren
• een lange staat van dienst in het bedrijfsleven op senior niveau
hebben , met eindverantwoordelijkheid voor divisies of gehele
organisaties
• over disciplinaire grenzen heen kijken, en top en de bottom line
begrijpen
• weten dat greenfield een illusie is, kennen het WAT, en weten
ook HOE, met doorleefd oordeel over (on)mogelijkheden en
consequenties
• pragmatisch zijn en verantwoordelijkheid nemen voor het
resultaat


Wat kunnen we voor u betekenen?

Think: Analyseren van as-is situatie, kansen, problemen en uitdagingen;
transparant, inzichtelijk, werkbaar en meetbaar

Design: Adviseren over verbeteringen, aanpak, opzet, inrichting, mogelijke
routes, interventies en veranderingen
best practices, management ervaring, professioneel oordeel, pragmatisch

Build: Realiseren van het advies door het voeren van het (verander-)
management
ervaringen delen, juiste keuzes maken, versnelling realiseren en doelstellingen
bereiken op een resultaatgerichte manier: afgerekend worden op toegevoegde
waarde. Niet het rapport maar de implementatie en gerealiseerde verbetering telt

Operate: Interimmanagement
tijdelijk management tijdens overgang van verandering naar steady state

Maintain: Werving en selectie van nieuwe capaciteit en competenties
Bestendigen van de verandering door de juiste mens op de juiste plaats


De onderwerpen

• Waarde uit ICT halen, zonder kopzorgen en onnodige kosten
• Human Capital sneller en beter in zetten zodat uw toptalenten
niet vroegtijdig vertrekken
• Een samenhangende corporate responsibility invullen die recht
doet aan uw bedrijfsidentiteit
• De best practices in uw organisatie zo organiseren dat die overal
toegepast gaan worden
• Opzetten en inrichten van een project management office zodat
na een jaar uw eigen mensen het kunnen en ook doen!
• Onderzoeken en verbeteren van de effectiviteit van uw IT
organisatie zodat u miscommunicatie voorkomt en belangrijke
aspecten niet over het hoofd ziet
• Uw commissarissen, raad van bestuur, directie en senior
management team bijspijkeren over de essentiële do’s en don’ts
van het management van ICT (zonder 1 gram techniek)


Voor wie hebben BastaGroup
& Associates gewerkt?
• Achmea • Rijkswaterstaat
• AkzoNobel
• Meeus Holding
• AON
• Nierstichting Nederland
• Corporate Express
• Parcom
• CRV
• Pearle
• CWI
• DHV • Pon Holding

• Facilicom • Rabobank
• Fetim • Randstad
• Het Financieele Dagblad • Shell
• GGD Rotterdam • Stater
• Heineken • Swets
• Helm Chemicals
• Verenigde Bloemenveiling
• Highspeed Alliance Aalsmeer
• ICTU • Vopak
• Intratuin • vtsPN
• Koninklijke JPC
• Wavin
• LVNL
• WE Europe
• Mediq
• Wehkamp
• Ministerie van Justitie, IND
• Wolterskluwer
• Ministerie van Verkeer &
Waterstaat


Klanten feedback

• Initiatiefrijk en inspirerend (“goede sparring partner in het gesprek”)

• Denkers en doeners (“ze denken op conceptueel niveau, maar kunnen het ook implementeren”)

• Gericht op vernieuwing en verbetering (“bouwen, maar breken niet”)

• Integrale denkers (“plaatsen het in breder kader”)

• Maatschappelijk betrokken (“hebben ook andere drijfveren dan alleen geld verdienen”)

• Goede samenwerkers (“we hebben het samen gedaan”)

• Scherpe analytici (“leggen onverwachte combinaties”)

• Zetten kennis verstandig in (“slim en pragmatisch”)

• Overzicht en inzicht (“begrijpen wat er leeft in het bedrijf of de overheid en politiek”)

• Serieuze gesprekspartner (“weten waar ze het over hebben”)

• Onafhankelijk en integer (“zitten niet bij de klant om uren te schrijven”)

• Geld meer dan waard (“leveren top-level adviezen voor een zeer aanvaardbare prijs”)

• Zorgen voor een snelle ROI van hun eigen inzet (“combineren technische inbreng met
commercieel realisme”)
Onderzoek VitaSim, september 2008


Voor een persoonlijk gesprek

Drs Reinier van den Biggelaar
06 5319 5513

Drs Mats Beem
06 1402 6541

Drs Jaap Acohen
06 3890 2961

Of via het BastaGroup kantoor Tel: 035 6783922
Gooimeer 4 Email: office@bastagroup.nl
1411DC Naarden Web: www.bastagroup.nl


ISO iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso

iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso iso























Superior it governance with iso 38500.key

More Related Content

What's hot

Similar to Superior it governance with iso 38500.key

Recently uploaded

Superior it governance with iso 38500.key