Title: IT Governance within Financial Institutions
1 IT Governance within Financial Institutions
CARTAC Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners, June 23-25, 2009, Georgetown, Guyana
- Kirk Tyrell, CISA
- Assistant Director
- Financial Institutions Supervisory Division
- Bank of Jamaica
- www.boj.org.jm
2 Topics
- What does IT Governance involve?
- Why is IT Governance important?
- What you must know about IT Governance
- Supervisory expectations for IT Governance
3 What is IT Governance?
- IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. (source: www.wikipedia.com)
4 What is IT Governance?
- The leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. (source: www.ITGI.org)
5 Problems With IT Governance
- Is IT governance different from IT management and IT controls? Why the confusion?
- Does IT confer strategic advantage?
- Are all the detailed process controls necessary?
6 Why the Increased Focus on IT Governance?
- High profile collapses (e.g. Enron, Arthur Andersen, WorldCom, AIB, HSBC, etc.)
- Maintaining (or recapturing) public confidence and trust
- Anchor for effective risk management
7 Why the Increased Focus on IT Governance?
- Respond to calls for greater transparency and closer oversight
- Prevent similar problems from happening again
- Board and executive management awareness of the challenges facing IT management
- Sarbanes-Oxley and Basel II in Europe
8 Why the Increased Focus on IT Governance?
- "Effective corporate governance is essential to maintaining public trust and confidence in the banking sector, and provides a crucial anchor for sound risk management practices." Mr Jaime Caruana, Chairman of the Basel Committee and Governor of the Bank of Spain
9 IT Governance Goals
- Provide assurance that the investments in IT generate business value
- Establish structures and controls to mitigate the risks that are associated with IT
- A proactive and holistic approach to talent management within IT
10 IT Governance Frameworks
- Enhancing Corporate Governance for Banking Organizations (BIS)
- The IT Infrastructure Library (ITIL)
- Control Objectives for Information and related Technology (COBIT)
- ISO/IEC 27001 (ISO 27001)
11 IT Governance Frameworks
- ISO/IEC 38500:2008 Corporate Governance of Information Technology
- Others:
  - The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs ("IT Baseline Protection Manual" before 2005)
  - The Information Security Management Maturity Model (ISM3)
  - AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology
12 Non-IT Specific Frameworks
- The Balanced Scorecard (BSC): a method to assess an organization's performance in many different areas
- Six Sigma: focus on quality assurance
13 Sub-Domains of IT Governance
- Regulatory compliance
- Information governance and information security
- IT Service Management
- Project governance
- Risk management
14 Sub-Domains of IT Governance
- Knowledge Management, including Intellectual Capital
- Business continuity and disaster recovery
15 Components of IT Governance Cycle
16 IT Governance Domain (COBIT)
17 IT Governance Domain (COBIT)
18 Domain 1: Strategic Alignment
- Achievement of IT alignment requires:
  - Leadership and commitment from the highest levels
  - Proactive engagement
19 Domain 1: Strategic Alignment
- The board should take responsibility for:
  - Ensuring that IT strategy is aligned with business strategy
  - Ensuring that IT delivers against the strategy
  - Directing IT strategy to balance investments
20 Domain 1: Strategic Alignment
- Making informed decisions about the focus and priority for the use of IT resources
- Ensuring that appropriate IT and related business resources are available
21 Domain 1: Strategic Alignment
- The right things are chosen in the first place
- Derive maximum benefits
- Things being done the right way
- Things being done well
- There is a strong argument that ultimate responsibility for IT strategy setting and implementation should rest with the business leadership.
22 Domain 1: Strategic Alignment
- Internal bodies in the form of:
  - IT Investment Committee
  - IT Policy Committee
  - IT Steering Committee
  - IT Strategy Committee
23 Domain 1: Strategic Alignment
24 Domain 1: Strategic Alignment
- Examiners' Expectation:
  - Duties of IT Strategy and IT Steering Committees are defined in a formal charter
  - Ensure that the financial institution is paying attention to the importance of IT strategic planning and its alignment with business objectives
25 IT Governance Domain (COBIT)
26 Domain 2: Value Delivery
- Essential components:
  - IT governance overall is about delivering value and managing risk
  - Value delivery, which embodies the concept of risk-related returns
  - Value delivery is not possible without strategic alignment and resource management
27 Domain 2: Value Delivery
- It is impossible to provide transparency of success or failure without performance measurement
28 Domain 2: Value Delivery
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT (source: ITGI)
29 Domain 2: Value Delivery
- Key Board responsibilities:
  - Ensure that stakeholder value is obtained
  - Allocation of resources
30 Domain 2: Value Delivery
- A study carried out within the global financial services group ING indicates that IT-related business investments have the potential to deliver far greater returns than almost any other conventional investment. (Source: ITGI, 2008)
31 Domain 2: Value Delivery
- IT-related spending or investment:
  - Run the business
  - Grow the business
  - Transform the business
(Source: The META Group)
32 Domain 2: Value Delivery
- Key components of an IT investment approval process include:
  - Preparation of a comprehensive business case based upon a consistent corporate standard and agreed assumptions (e.g. tax rates and inflation rates)
  - Establish an approval board or committee
33 Domain 2: Value Delivery
- Consideration of key financial metrics (e.g. NPV, IRR and payback period, etc.)
- Provision for proper accountability for the delivery of results
- Definition of appropriate hurdle rates for IT investments
34 Domain 2: Value Delivery
- Providing assurance that:
  - proper project management processes will be followed,
  - all parts of the business will be affected by the outcome, and
  - resources necessary to maximize the chances of success will be committed
- Increase capability maturity model (CMM) level for systems development and implementation
35 Domain 2: Value Delivery
- Realizing the benefits:
  - The clarity and precision of anticipated benefits
  - Ongoing tracking of the actual benefits achieved
  - Ensure appropriate accountability
36 Domain 2: Value Delivery
- Examiners' Expectation:
  - Board monitors IT delivery against the strategy through clear expectations and measurement
  - Management sets baselines for measuring capacity and growth planning and service improvement, and utilizes industry standards and benchmarking
  - Operations management measures and reports on budget achievement
37 IT Governance Domain (COBIT)
38 Domain 3: Performance Delivery
- Demonstrates the effectiveness and added business value of IT
- Getting business value from IT and measuring that value are important governance domains
39 Domain 3: Performance Delivery
- IT performance management is aimed at:
  - Identifying and quantifying IT costs and IT benefits
  - Limitations of traditional quantifiable performance measures (financial terms) such as ROI, NPV, IRR and the payback method
  - Overcoming the limitations of measuring unquantifiable values, i.e. the IT balanced scorecard
40 Domain 3: Performance Delivery
- The Balanced Scorecard (BSC) is a performance management tool which began as a concept for measuring whether the smaller-scale operational activities of a company are aligned with its larger-scale objectives in terms of vision and strategy
41 Domain 3: Performance Delivery
- By focusing not only on financial outcomes but also on the operational, marketing and developmental inputs to these, the BSC helps provide a more comprehensive view of a business, which in turn helps organizations act in their best long-term interests (source: Wikipedia)
42 Domain 3: Performance Delivery
43 IT Governance Domain (COBIT)
44 Domain 4: Risk Management
- Requires:
  - Risk awareness by senior corporate officers
  - A clear understanding of the financial institution's appetite for risk
  - Understanding of compliance requirements
  - Transparency about the significant risks to the enterprise
  - Embedding of risk management responsibilities into the organization
45 IT Governance Domain (COBIT)
46 Domain 5: Resource Management
- Optimal investment in, and the proper management of, critical IT resources (i.e. applications, information, infrastructure and people)
- Key issues relate to the optimization of knowledge and infrastructure
47 Examiners' Responsibilities
- Review:
  - IT strategies, plans and budgets
  - Security policy documentation
  - Organizational charts
  - Job descriptions
  - Steering committee reports
  - Change management procedures
48 Examiners' Responsibilities
- Operations reports and procedures
- Quality assurance procedures
- Noting exceptions and absence of documentation
49 Examiners' Responsibilities
- Reviewing contractual commitments:
  - Development of contractual requirements
  - Contract bidding process
  - Contract selection process
  - Contract acceptance, maintenance and compliance
50 Lessons Learnt
- Each financial institution should have an IT Steering Committee with requisite board and management involvement
- The board and management should ensure that policies and procedures are reviewed periodically for relevance
- Financial institutions should adopt applicable industry best practices and rules to guide IT management.
51 Questions?
52 Additional Resources
- Executive Summary, COBIT v3.0 and COBIT v4.1. Retrieved from http://en.wikipedia.org/wiki/COBIT
- ITIL for service delivery
- CMM for solution delivery
- ISO 17799 for information security
- PMBOK or PRINCE2 for project management