Slide 2: What’s Included in This Presentation

• GRC in MOF 4.0: Take a comprehensive look at governance, risk, and compliance through MOF 4.0
• Service Management Functions: Get a basic understanding of how the MOF model can help show you immediate results
• MOF in Context: Learn more about how MOF fits into the bigger picture
• Compliance Challenges: Look at new compliance challenges and how MOF deals with them
• GRC Guidance: Understand how addressing GRC affects your organization
• Connect Governance, Risk, and Compliance: See how MOF connects and addresses governance, risk, and compliance
• GRC Throughout the Lifecycle: Learn how MOF incorporates GRC into each lifecycle phase
• Focus on G, R, and C: Get a closer look at governance, risk, and compliance
• GRC Applied & Integrated: See how the elements of GRC are applied and integrated into the lifecycle phases
• Make GRC Work for You: Learn how MOF’s features produce results
• Sum It Up: MOF & GRC: Learn how MOF provides examples of ‘good’ GRC dealings and influences all phases of the lifecycle
• Resources: Link to helpful GRC resources

Use these slides for an in-depth look at GRC issues.

Slide Goal
The goal of this slide is to outline the content included in this presentation.

Slide Notes
The goal of this presentation is to provide you with foundational knowledge of MOF 4.0 as it relates to governance, risk, and compliance. We’ll examine how elements of MOF 4.0 address GRC, provide specific examples of MOF’s guidance, and discuss how GRC influences each of MOF’s lifecycle phases.

Let us show you how MOF can help your organization address governance, risk, and compliance issues with ease.
Slide 3: MOF 4.0 – Addressing the IT Service Lifecycle

Slide Goal
The goal of this slide is to take a look at what’s new and different in MOF 4.0.

Slide Notes
The core content of MOF 4.0 moves beyond operations to address the entire IT service lifecycle. The easy-to-reference structure of its Service Management Functions (SMFs) emphasizes outcomes, results, and roles. Because every organization is unique, the SMFs are anchored by questions a user faces. Lastly, a central component of MOF 4.0 is its online community, which provides a platform for IT pros to exchange ideas, contribute their own guidance, and communicate with Microsoft experts.

This version of MOF was developed to:
• Reflect a single, comprehensive IT lifecycle.
• Connect service management theory to everyday tasks and activities.
• Align IT with business needs and goals.
• Address governance, risk, policy, and compliance.
• Support continuous improvement through community involvement.

In short, MOF was created to help overburdened IT pros quickly access useful, relevant content. MOF 4.0 was designed to provide you with a clear look at how the entire IT lifecycle is interrelated, what decisions are required, and what outcomes are vital.
Slide 4: MOF 4.0 Connects Service Management Standards to Practical Applications for the Community

Diagram on the slide:
• Industry Standards: goals and objectives (ISO 20000); management perspective (COBIT); process description (ITIL v3); control frameworks; concepts and practices
• MOF 4.0 Guidance: process guidance (MOF 4.0)
• Solution Accelerators: processes + guidance + tools (for specific scenarios); System Center; infrastructure automation; community

Slide Goal
The goal of this slide is to show how MOF fits into the big picture, helping you address GRC issues before they become problems.

Slide Notes
MOF 4.0 is backward-compatible with all previous versions of MOF. It also supports the integration of any policies, tasks, or activities based on other frameworks, such as ISO 20000, COBIT, and ITIL. What exactly does that mean?
• ISO is an independent standards organization. The ISO standard defines goals and objectives that can be used to certify an organization.
• COBIT has become the accepted set of controls for IT and is used for audit purposes to ensure compliance with regulatory requirements such as Sarbanes-Oxley.
• ITIL v3 identified rich concepts and practices and has expanded its process description for the entire IT lifecycle.

MOF 4.0 provides guidance that can be used to meet ISO objectives, implement COBIT controls, and support ITIL processes. By using MOF, an organization like yours can immediately identify the outcomes, measures, accountabilities, and required activities to meet its service management goals.
Slide 5: GRC Guidance

Diagram on the slide: a continuum from Governance to Risk Management to Compliance that becomes more prescriptive from left to right, with directives, policy, and controls running along it.

Slide Goal
The goal of this slide is to illustrate MOF’s GRC guidance.

Slide Notes
Governance, risk, and compliance are addressed in the foundational Manage Layer. GRC guidance becomes increasingly prescriptive as you move along the continuum from governance to risk management to compliance. MOF helps clarify your organization’s directives, policy, and controls as you consider risk management.

The goals of MOF’s GRC are to:
• Establish clear and effective decision making in the management of IT assets.
• Manage risk effectively.
• Comply with applicable policies, laws, and regulations.

Proper attention to GRC activities will help your IT better contribute to your organization’s viability and improvement, allowing you to clearly say, “This is how we run IT and manage risk.”
Slide 6: Connect Governance, Risk, and Compliance

• Governance: Addresses strategic planning, business/IT alignment, policy creation, and vision setting
• Risk: Addresses system threats, system vulnerability, protection of IT assets, and risks to management objectives
• Compliance: Addresses adherence to laws, regulations, policies, standards, best practices, and frameworks

Where the three overlap on the slide: risk tradeoff decisions (and how they were made); risk tolerance rules; compliance with governance rules; who decides, and the process to follow; impact of not complying.

Slide Goal
The goal of this slide is to demonstrate how governance, risk, and compliance connect.

Slide Notes
The three practices that make up GRC (governance, risk, and compliance) share common and interrelated tasks. Because they have overlapping areas of responsibility and processes, they’re more effective when integrated and dealt with as combined practices. Combining them can streamline processes and provide transparency and accountability.

To review, let’s break it down: How does addressing GRC impact your business?
• Governance. Addresses strategic planning, business/IT alignment, policy creation, and vision setting.
• Risk. Addresses system threats, system vulnerability, protection of IT assets, and risks to management objectives.
• Compliance. Addresses adherence to laws, regulations, policies, standards, best practices, and frameworks.

Working on an integrated GRC plan improves the alignment of IT and business goals because the right people are making the right decisions at the right time.
Slide 7: GRC Influences All Lifecycle Phases

• Aiding decision making, balancing risk/benefit tradeoffs, identifying accountabilities
• Creating a strategy that manages risks and ensures risk management is appropriate for the activities at hand
• Establishing guardrails for behaviors, communicating expectations, and validating performance

Slide Goal
The goal of this slide is to demonstrate how GRC influences all of the lifecycle phases.

Slide Notes
The GRC SMF belongs to the Manage Layer of MOF’s IT service lifecycle because GRC activities comprise the foundation of an organization.

The practices described in the GRC SMF, and GRC issues in general, are useful for those who:
• Make trade-off decisions for how IT resources will be used to meet goals and deliver business value.
• Need to manage risk from many sources, not only IT security risk.
• Make sure IT activities comply with regulations and directives.

MOF 4.0 contains objectives for each phase that establish the context for the discussions that are relevant to that part of the lifecycle. MOF GRC creates organized process flows in all phases of the lifecycle by aiding decision making, balancing trade-offs, and creating a strategy that manages risk and ensures risk management is appropriate for the activities performed.
Slide 8: Governance, Risk, and Compliance Applied

Governance
• Identifies decision makers and stakeholders
• Determines accountability for actions and responsibility for outcomes
• Addresses how expected performance will be evaluated

Risk
• Employs risk management throughout the IT lifecycle: business decisions, policy adherence, application development, operational procedures

Compliance
• Guides behavior to make sure what takes place is what was intended
• Shows how IT is performing against objectives

Slide Goal
The goal of this slide is to illustrate how each component of GRC is applied in the lifecycle.

Slide Notes
While GRC makes sense when grouped together, it’s also important to understand each component independently and its specific role in the lifecycle.

Governance
This component identifies decision makers and stakeholders, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. In short, governance relates to who’s doing what and how they’re held accountable.

Risk
Employed from start to finish, risk management applies to business decisions, policy adherence, application development, and operational procedures. What does this mean for you? It means effectively assessing, monitoring, and controlling risk by determining what controls need to be in place.

Compliance
Compliance with applicable regulations is achieved by guiding behavior to make sure what takes place is what was intended. Addressing compliance helps show how IT is performing against your organization’s set objectives.
Slide 9: IT Governance

Governance determines how IT makes investments, contributes to value, and achieves goals and management objectives.

Good governance:
• Manages IT services in a regulatory environment
• Focuses on cost efficiencies and value contribution
• Provides insight into organizational processes that result in continuous improvement and optimization initiatives

Slide Goal
The goal of this slide is to identify what governance means and what “good” governance looks like.

Slide Notes
GRC influences the entire lifecycle by helping organizations make good decisions, balance trade-offs, manage risks, and ensure risk management is relevant.

Governance determines how IT makes investments, contributes to value, and achieves goals and management objectives.

Good governance:
• Manages IT services in a regulatory environment.
• Focuses on cost efficiencies and value contribution.
• Provides insight into organizational processes that result in continuous improvement and optimization initiatives.
Slide 10: Risk Management

Risk management drives a structured approach to identifying, assessing, and managing potential threats to assets or the achievement of strategic goals.

Good risk management:
• Drives consistent, recurring, and comprehensive reviews of IT plans, initiatives, projects, and activities
• Results in clear risk management decisions
• Produces activities and internal controls that reduce risk likelihood or impact

Slide Goal
The goal of this slide is to identify what risk management means and what “good” risk management looks like.

Slide Notes
Risk management drives a structured approach to identifying, assessing, and managing potential threats to assets or the achievement of management or strategic goals. It’s guided by a determination of risk tolerance and can be used to make varied decisions.

Good risk management:
• Drives consistent, recurring, and comprehensive reviews of IT plans, initiatives, projects, and activities.
• Results in clear risk management decisions.
• Produces activities and internal controls that reduce risk likelihood or impact.
Slide 11: Compliance

Compliance establishes rules, guidelines, and communications to ensure an organization’s requirements are known and followed.

Good compliance:
• Ensures management intentions are realized
• Establishes evaluation when expectations are set
• Allows for effective monitoring

Slide Goal
The goal of this slide is to identify what compliance means and what “good” compliance looks like.

Slide Notes
Compliance establishes rules, guidelines, and communications to ensure that an organization’s requirements are known and followed. Requirements are documented and communicated through policies.

Good compliance:
• Ensures management’s intentions are realized.
• Establishes evaluation when expectations are set.
• Allows for effective monitoring.
Slide 12: Make MOF GRC Work for You

Features:
• Specific goals, outcomes, and measures in each SMF
• Clearly identified accountabilities and role types for each SMF
• Objectives, risks, and controls outlined for each phase
• Management reviews function as management controls

Benefits:
• Clearly established accountabilities
• Effective risk management
• Compliance with policies, laws, and regulations

Slide Goal
The goal of this slide is to show how to make MOF GRC work for you.

Slide Notes
MOF effectively connects governance, risk, and compliance through:
• Specified goals, outcomes, and measures in each SMF.
• Clearly identified accountabilities and role types.
• Phase-appropriate objectives, risks, and controls.
• Management reviews that function as controls.

The benefits of these features include clearly established accountabilities, effective risk management, and compliance with policies, laws, and regulations.
Slide 13: Resources

• MOF Home Page: www.microsoft.com/mof
• Compliance Home Page:
• IT Compliance Management Guide: D D A79- B91F213ED15D&displaylang=en
• Solution Accelerators Home Page:
• Contact

Slide Goal
The goal of this slide is to list additional GRC resources.

Slide Notes
Online resources for MOF and GRC include the MOF, Compliance, and Solution Accelerators home pages, as well as the IT Compliance Management Guide. And, as always, you can contact us directly at
Slide 14

Thank you for taking the time to learn more about how MOF considers GRC throughout the IT service lifecycle. We hope we’ve shown you the value of incorporating MOF’s guidance into your organization’s approach to addressing governance, risk, and compliance issues.

Remember, you can find MOF at

Now get MOF, and get to work!