IT Governance - PowerPoint PPT Presentation

1
IT Governance
  • Aligning Business and IT

Bill McSpadden, September 9, 2008
2
Topics
  • What is IT Governance
  • Why is IT Governance important
  • 5 Domains
  • Key findings from 2008 IT GOVERNANCE STATUS
    REPORT
  • Obstacles with implementing (so far)
  • Choosing a framework for IT Governance
  • Getting Started
  • Balanced Scorecards
  • What Can You Do as an Auditor?

3
What is IT Governance?
  • ITGI definition:
  • IT governance consists of the leadership and
    organizational structures and processes that
    ensure that the organization's IT sustains and
    extends the enterprise's strategies and
    objectives.
  • At its core, IT has 2 responsibilities:
  • IT must deliver value
  • IT must enable the business


4
Subset of Corporate Governance
  • IT Governance is a subset discipline of Corporate
    Governance focused on information technology (IT)
    systems and their performance and risk
    management.
  • The rising interest in IT governance is partly
    due to compliance initiatives (e.g.
    Sarbanes-Oxley and Basel II)
  • Acknowledgment that IT projects can easily get
    out of control and profoundly affect the
    performance of an organization.

5
Purpose of IT Governance
  • Establish and clarify accountability and decision
    rights (clearly define roles and authority).
  • Manage risks, change and contingency proactively.
  • Improve IT organizational performance,
    compliance, maturity and staff development.
  • Improve customer service and overall
    responsiveness.

6
What does it mean?
  • Governance is about deciding the "who, what,
    when, why, and how" of decision-making.
  • The decisions required by the organization (the
    "what")
  • The roles (the "who") in the organization that
    are accountable for which decisions
  • Policies that guide how the decisions should be
    made (the "why")
  • The measures that enable informed decision-making
    (the "how")
  • At what point in the governance process is the
    decision appropriately made? (the "when")

7
Purpose of IT Governance
  • Align IT investments and priorities more closely
    with the business.
  • Manage, evaluate, prioritize, fund, measure and
    monitor requests for IT services and the
    resulting work and deliverables, in a more
    consistent and repeatable manner that optimizes
    returns to the business.
  • Manage the responsible utilization of resources
    and assets.
  • Ensure that IT delivers on its plans, budgets and
    commitments.

8
Why IT Governance?
  • The rising interest in IT governance is partly
    due to compliance initiatives
  • IT is tightly coupled to business performance
  • IT presents the extremes of both: very large
    investments
  • IT-related risks must be mitigated.

9
Benefits of IT Governance
  • Formalizes IT oversight and accountability to
    ensure more effective and ethical management.
  • Improves planning, integration, communications
    and performance between the Business Units and IT
    Groups and within IT Groups (across silos).
  • Improves ROI-based demand management (IT
    requests and Total Cost of Ownership) decisions
    to analyze, prioritize, fund, approve and manage
    major IT investments (capital and operating
    expenses).
  • Optimize assets and human capital resources.
  • Facilitates compliance and audits (e.g. SOX,
    FDA, HIPAA, etc.) by documenting processes,
    controls and decision authority.

10
5 domains
  • Strategic Alignment
  • Value Delivery
  • Risk Management
  • Resource Management
  • Performance Measurement

11
Strategic Alignment
  • Strategic Alignment focuses on ensuring the
    linkage of business and IT plans
  • IT value proposition
  • Defining,
  • Maintaining
  • Validating
  • Aligning IT operations with enterprise operations

12
Value Delivery
  • Value Delivery is about executing the value
    proposition throughout the delivery cycle,
    ensuring that IT delivers the promised benefits
    against the strategy, concentrating on optimizing
    costs and proving the intrinsic value of IT.
  • Governance measures are mostly qualitative and
    less quantitative, which does not lend itself
    to demonstrating value delivery.
  • Many new IT Governance initiatives often have no
    mechanism in place to measure the success or
    benefits of their governance efforts.
  • When IT Governance performance measurement
    disciplines and practices are in use, they are
    mostly informal, subjective or based on
    qualitative measures only.

13
Value Delivery (contd)
  • Some organizations measure progress in terms of
    the performance of their IT Governance measures
    (process indicators) and less on the eventual
    outcome, e.g. cost savings.
  • There are many reported benefits of IT
    Governance that are not quantified or measured,
    including enhanced IT alignment, cost savings,
    improved customer satisfaction and greater
    security.
  • Only in certain cases (approximately 16% of the
    participants) are hard figures on benefits
    available, e.g. in the area of budget savings or
    headcount reductions.

14
Value Delivery (contd)
  • In some cases, significant cost savings (of more
    than 30%) were reported.
  • The main driver in these cases was indeed cost
    reduction, and a strong target and corresponding
    monitoring mechanism was implemented.
  • Only a portion of the target benefits
    materialized in the short term, e.g. large-scale
    standardization projects take years to deliver
    their benefits.

15
Risk Management
  • Requires:
  • Risk awareness by senior corporate officers
  • A clear understanding of the enterprise's
    appetite for risk
  • Transparency about the significant risks to the
    enterprise
  • Embedding of risk management responsibilities
    into the organization

16
Resource Management
  • Optimal investment in, and the proper management
    of, critical IT resources
  • Processes
  • People
  • Applications
  • Infrastructure
  • Information
  • Key issues relate to the optimization of
    knowledge and infrastructure.

17
Performance Measurement
  • For example, balanced scorecards that translate
    strategy into action to achieve goals measurable
    beyond conventional accounting.
  • Tracks and monitors strategy implementation
  • Project completion
  • Resource usage
  • Process performance
  • Service delivery

18
IT GOVERNANCE GLOBAL STATUS REPORT 2008
  • Key Findings of the Survey
  • 1. The C-level is the champion, but daily practice
    is still very much a CIO/IT director issue.
  • 2. The importance of IT continues to increase:
    63% rate it as very important (up from 57%).
  • 3. Self-assessment regarding IT governance: 54%
    at CMM level "defined" or better (up from 38%).
  • 4. Communication between IT and users is
    improving, but slowly.
  • 5. There is still substantial room for
    improvement in alignment between IT governance
    and corporate governance: only 62% rated it good
    or better.

19
IT GOVERNANCE GLOBAL STATUS REPORT 2008
  • 6. IT-related problems persist. While
    security/compliance is an issue, people are the
    most critical problem.
  • 7. Good IT governance practices are known and
    applied, but not universally.
  • 8. Action is being taken to implement IT
    governance activities, way up from 2006 (52% vs.
    36%).
  • 9. Organizations use the well-known frameworks
    and solutions.
  • 10. COBIT awareness has exceeded 50 percent, and
    adoption and use remain around 30 percent.
  • a. 25-35% apply COBIT to the letter or are very
    strict.
  • b. 51%: COBIT is one of the reference sources.

20
Not as easily implemented as thought
  • Implementing IT governance is not as
    straightforward as perhaps once thought (NOTE
    The same can be said regarding COBIT
    implementation.)
  • Good IT governance practices are not built
    overnight; they require time and continued
    commitment.
  • Implementing COBIT is not a matter of taking it
    out of the box and implementing it as written.
  • It is a process of selecting the most appropriate
    elements, tailoring them as needed and applying
    them to the specific needs of the organisation.

21
Choosing a framework
  • COBIT: the most popular
  • Basically, it's a set of guidelines and a
    supporting toolset for IT governance that is
    accepted worldwide.
  • COBIT is well-suited to organizations focused on
    risk management and mitigation.
  • COBIT is perceived to be a valuable framework for
    IT governance (89% report being satisfied).
  • The latest version, released in May 2007, is
    COBIT 4.1.

22
Choosing a framework
  • ITIL: The Information Technology Infrastructure
    Library
  • Eight sets of management procedures:
  • service delivery
  • service support
  • service management
  • ICT infrastructure management
  • software asset management
  • business perspective
  • security management
  • application management
  • ITIL is a good fit for organizations concerned
    about operations.

23
Choosing a framework
  • COSO (Committee of Sponsoring Organizations):
    guidelines on many business functions, including
  • human resource management
  • risk
  • external resources
  • information technology
  • enterprise operations
  • legal affairs
  • procurement
  • marketing and sales
  • inbound/outbound logistics
  • financial functions
  • reporting
  • COSO is a general business framework rather than
    an IT-specific one.

24
Choosing a framework
  • CMMI: The Capability Maturity Model Integration
  • Created by Carnegie Mellon's Software Engineering
    Institute
  • Process improvement approach that contains 22
    process areas.
  • Divided into appraisal, evaluation and structure
  • Well-suited to organizations that need help with
    application development, lifecycle issues and
    improving the delivery of products throughout the
    lifecycle.

25
Choosing a framework
  • More than 95% of the participants use one of the
    major IT Governance frameworks.
  • A small number of them use their own (or
    consultant-defined) frameworks. The major
    frameworks used include:
  • COBIT: accounts for 63% of the frameworks in use
  • ITIL: used by 60% of the participants
  • Other frameworks used to a lesser degree include
    CMMI, PRINCE2, COSO, and ISO 17799
  • Consider a mix: COBIT as the overall framework,
    then ITIL for operations, CMMI for development
    and ISO 17799 for security (ISO/IEC 17799 was
    renumbered ISO/IEC 27002 in 2007).

26
How much is enough Governance?
  • Investment in IT
  • Degree of business dependency on technology.
  • Management philosophy and policies (e.g. first
    mover versus follower).
  • Complexity, size and duration of initiatives.
  • Scope: enterprise-wide versus a subset of the
    enterprise; number of locations; domestic versus
    international.
  • Degree of risk.
  • Regulatory, control and documentation
    compliance.
  • Level of security required.
  • Degree of accountability required and desired.

27
Getting Started - Assessment
  • Assessment: use the CMM maturity scale
  • 0 Nonexistent: management processes are not
    applied at all
  • 1 Initial: processes are ad hoc and disorganized
  • 2 Repeatable: processes follow a regular pattern
  • 3 Defined: processes are documented and
    communicated
  • 4 Managed: processes are monitored and measured
  • 5 Optimized: best practices are followed and
    automated
  • Identify areas of improvement

28
Use of Multiple Frameworks
29
Getting Started - Decide Scope
  • Engage senior business managers
  • Assign accountability, and not just to the CIO:
    senior managers must participate in the
    committees, the approval processes, and
    performance reviews.
  • Key roles and responsibilities must be formally
    agreed upfront and communicated to the
    organization in the form of a RACI matrix
    (Responsible, Accountable, Consulted, Informed).
  • Program/project scope, requirements and
    deliverables (as in a charter) should be approved
    upfront by the sponsor and monitored throughout
    the development or procurement, testing, training
    and implementation phases.

30
Getting Started
  • Communication and change management
  • Focus, execute and enforce
  • Define a benefit management system and set
    achievable targets/expectations
  • Evolution, as opposed to revolution
  • Don't over-engineer IT Governance

31
Getting Started - Scoping
  • Governance redesign should be infrequent. Our
    recommendation is to change governance only when
    the desired behavior changes.
  • Clarify the exception-handling process
  • It's not possible for IT governance to meet every
    goal, but governance can and should highlight
    conflicting goals for debate.

32
Getting Started
  • IT governance should be owned by the board. It's
    not an IT management responsibility any more than
    financial governance is a finance function
    responsibility.
  • Tailor to your organization
  • Align incentives
  • Governance needs to be owned where it can be
    carried out effectively, which will differ from
    organisation to organisation.
  • Educate

33
A possible schedule
34
Getting Started - Metrics
  • The execution of these plans and objectives must
    be monitored and measured by a combination of the
    following:
  • Consistent program and project metrics should be
    instituted based on time, cost, resources,
    quality, risk and customer satisfaction.
  • Formal and informal status review meetings and
    reports (e.g. report cards, dashboards).
  • The outcomes should link critical success factors
    to KPIs that are measurable, part of a standard
    reporting system and linked to a governance
    component.
  • If one cannot measure it, it does not count.

35
Getting Started - Metrics
  • Establish measurements
  • Measure at all levels of the enterprise
  • Each area will need its own metrics and
    performance thresholds, rollups with drill-down
    to the items themselves
  • Assets: broken down by "function" (software,
    hardware, interface, etc.)
  • Projects: broken down by "type"
  • Service Level Agreements: broken down by unique
    agreement

36
Getting started - Organization
  • The following arrangements are the most common
  • Centralized:
  • decision making for IT technology choices
  • infrastructure
  • budgets
  • Decentralized:
  • application development
  • projects

37
Clarify the exception-handling process
  • The process is clearly defined and understood by
    all. Clear criteria and fast escalation encourage
    only business units with a strong case to pursue
    an exception.
  • The process has a few stages that quickly move
    the issue up to senior management. Thus, the
    process minimizes the chance that architecture
    standards will delay project implementation.
  • Successful exceptions are adopted into the
    enterprise architecture, completing the
    organizational learning process.

38
Smaller organization addendum
  • The balance between creativity/agility/innovation
    and restrictive governance arrangements needs to
    be found in smaller organisations.
  • Leverage corporate governance arrangements that
    were introduced mainly for regulatory reasons to
    introduce enhanced IT Governance practices, and
    hence improve IT performance.
  • Knowledge and awareness of frameworks that could
    help to improve IT Governance arrangements, and
    how to use them in the most flexible manner, is
    needed

39
Obstacles in implementing IT Gov
  • The three Cs (culture, resistance to change,
    communications)
  • Internal politics: IT Governance often brings a
    shift in decision rights and associated power.
  • Resistance to accepting standards/policies.
  • Resistance to accepting accountability: some
    organisations report strong resistance by the
    business in accepting accountability for
    IT-related investments as part of newly
    introduced IT Governance arrangements.
  • Obtaining sufficient business involvement in
    governance initiatives.

40
What Can You Do as an Auditor?
  • Check for alignments top to bottom
  • Assess maturity
  • Look at the metrics: are they meaningful and
    related to IT Governance concepts?
  • Is participation adequate at all levels?
  • Are the controls appropriate?
  • Socialize the concepts

41
More Information . . .
  • Resources
  • www.itgi.org
  • www.isaca.org

42
  • Questions?

43
  • Feel free to contact me with questions
  • Bill McSpadden, CISA
  • Protiviti Inc
  • 913-685-6200 or 913-661-7403
  • Bill.mcspadden_at_protiviti.com