Presentation on theme: "Making sense of IT Governance –"— Presentation transcript:
1 Making sense of IT Governance – the implications of King III
Presenter: Marlene Badenhorst (ACIS)
2 Content
• Research objective and research question
• Definitions of IT governance
• Literature review of selected codes, frameworks, standards and best practices
• Assessment of the current industry application of governance concepts
• A generic governance framework for IT governance and the governance of outsourcing
• Conclusion
3 Research objective & research question
Literature review and an IT governance efficiency survey to assess:
• Do known reference models, frameworks and standards address the governance requirements of ICT outsourcing companies?
• What is the current status of IT governance practices?
Research question: Can a generic governance framework be formulated to address these requirements?

The research objective was to assess the extent to which known governance reference models, frameworks and standards address the specific governance requirements of ICT outsourcing companies. The study was supported by a governance efficiency survey conducted at a South African subsidiary of a multinational ICT outsourcing company, in which the directors' duties in respect of IT governance were assessed. Research question: "Can a generic governance framework be formulated to address the specific governance requirements of ICT outsourcing organisations?"
4 What is 'IT Governance'?
It is the responsibility of the board and executive. It consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
The main objective of IT governance is, as with corporate governance, to facilitate the discharge of directors' duties.
Source: ITGI
5 Enterprise governance drives IT governance
Enterprise governance is about:
• Conformance: adhering to legislation, internal policies, audit requirements, etc.
• Performance: improving profitability, efficiency, effectiveness, growth, etc.

Governance is about meeting strategic objectives (performance) while meeting legal, regulatory, contractual and other obligatory requirements, often supported by policies (conformance). The goal is to achieve both in a balanced way. Enterprise governance and IT governance require a balance between conformance and performance goals, directed by the board.
Source: ITGI
6 What is the 'governance of outsourcing'?
The responsibilities, roles, objectives, interfaces and controls required to anticipate change and to manage the introduction, maintenance, performance, costs and control of third-party provided services.
Source: ITGI
7 Literature review of selected codes, frameworks, standards and best practices
8 King III requirements – the link between IT governance practices and law
• Directors' duty of care: ensure that prudent and reasonable steps are taken regarding IT governance.
• Corporate governance practices, codes and guidelines raise the bar of what is regarded as an appropriate standard of conduct.
• Failure to meet a recognised standard of governance, albeit not legislated, may render a board or an individual director liable at law.

Criteria of good governance, governance codes and guidelines will be relevant in a court's determination of what is regarded as an appropriate standard of conduct. The more established certain governance practices become, the more likely a court is to regard conduct that conforms with these practices as meeting the required standard of care.
Directors' responsibilities: it is every director's responsibility to ensure that business decisions are in line with the policies, procedures and plans that the board has sanctioned and approved. Directors have the ultimate responsibility to monitor the activities of top management, and to act if not satisfied.
9 King III requirements
IT governance:
• is the responsibility of the board;
• should be an integral part of enterprise governance structures;
• should be owned by the board.
The board must set the direction for management. It is required to assume a more significant role in terms of IT governance, and to insist on the establishment of an IT governance management framework based on a common approach, e.g. COBIT.

The King Report echoes the ITGI view that IT governance should be an integral part of the overall governance structures within a company, ensuring that the company's IT sustains and extends its strategy and objectives. The board must set the direction management should follow. In order to do this, the board, its members and subcommittees and all executives should assume a more significant role in terms of IT governance, and the board should insist that a management framework for IT governance is established based on a common approach, for example COBIT (Control Objectives for Information and related Technology).
10 King III requirements: IT governance focus areas
IT governance should focus on four key areas:
• strategic alignment with the business;
• value delivery;
• risk management; and
• resource management.

In more detail:
• strategic alignment with the business and collaborative solutions, including a focus on sustainability and the implementation of 'green IT' principles;
• value delivery: concentrating on optimising expenditure and proving the value of IT;
• risk management: addressing the safeguarding of IT assets, disaster recovery and continuity of operations; and
• resource management: optimising knowledge and IT infrastructure.
Furthermore, none of these areas can be managed appropriately without performance measurement, tracking project delivery and monitoring IT services.
11 King III requirements: IT governance focus areas (mapped to COBIT)
[Diagram: the four King III areas (strategic alignment, value delivery, risk management, resource management) set against the five COBIT focus areas, which add performance measurement.]

The King III key areas for IT governance map to the COBIT focus areas:
1. Strategic alignment: ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2. Value delivery: creating new value for the enterprise, maintaining and extending existing value, and eliminating initiatives and assets that are not creating sufficient value.
3. Risk management: embedding risk management responsibilities in the organisation to address IT-related risks, and using IT to assist in managing business risks.
4. Resource management: having the right capability to execute the strategic plan, and providing sufficient, appropriate and effective resources.
5. Performance measurement: tracking the achievement of the enterprise's objectives with measures beyond conventional accounting, and compliance with specific external requirements.
Source: ITGI
12 Context: best practices
COBIT: a globally accepted framework for IT governance based on industry standards and best practices. Once implemented, executives can ensure that IT is aligned effectively with business goals and better direct the use of IT for business advantage. COBIT provides a common language for business executives to communicate goals, objectives and results with audit, IT and other professionals.
VAL IT: a practice-based governance framework that provides boards and executive management teams with practical guidance in making IT investment decisions and using IT to create enterprise value.
ISO 38500: the purpose of this standard is to promote effective, efficient and acceptable use of IT in all organisations. It sets out six principles for good corporate governance of IT: Responsibility, Strategy, Acquisition, Conformance, Performance and Human Behaviour.
ITIL: the UK's Office of Government Commerce (OGC) has documented a set of good practices to assist with provisioning and managing IT services to meet the needs of an organisation. It is not a standard but a description of good practices to be adopted by an organisation and adapted to meet its specific needs.
ISO/IEC 27002: the goal of ISO/IEC 27002:2005 is to provide information to parties responsible for implementing information security within an organisation. It can be seen as a best practice for developing and maintaining security standards and management practices within an organisation, improving confidence in information security in inter-organisational relationships.
Governance of outsourcing: the objective of this domain practice document is to provide companies with current high-level approaches and best practices for outsource governance.
Source: own source
13 Context: COBIT and VAL IT
[Diagram: the four questions. "Are we doing the right things?" (the strategic question) and "Are we getting the benefits?" (the value question) belong to VAL IT; "Are we doing them the right way?" (the architecture question) and "Are we getting them done well?" (the delivery question) belong to COBIT.]

Val IT complements COBIT from a business and financial perspective. COBIT sets good practices for the means of contributing to the process of value creation, while Val IT sets good practices for the process outcomes, by providing enterprises with the structure they require to measure, monitor and optimise the realisation of business value from investment in IT.
Are we doing the right things? The strategic question. Is the investment:
• in line with our vision;
• consistent with our business principles;
• contributing to our strategic objectives;
• providing optimal value, at affordable cost, at an acceptable level of risk?
Are we doing them the right way? The architecture question. Is the investment:
• in line with our architecture;
• consistent with our architectural principles;
• contributing to the population of our architecture;
• in line with other initiatives?
Are we getting them done well? The delivery question. Do we have:
• effective and disciplined management, delivery and change management processes;
• competent and available technical and business resources to deliver the required capabilities and the organisational changes required to leverage those capabilities?
Are we getting the benefits? The value question. Do we have:
• a clear and shared understanding of the expected benefits;
• clear accountability for realising the benefits;
• relevant metrics;
• an effective benefits realisation process over the full economic life cycle of the investment?
Source: Thorpe, cited by ITGI
15 Status: IT governance best practice implementation
[Chart: implementation status for six practices (active management of IT ROI; actual IT performance measurement; IT risk management; IT value delivery; IT resource management; alignment between IT strategy and overall strategy), each split into Have implemented / Implementing now / Considering implementation / Not considering implementation, on a 0–100% scale.]

Although the best practices presented are mature, openly available and clearly described in the literature, they are not necessarily being widely adopted. The 2005 ITGI/Lighthouse survey found that on average 50–60% of organisations are not considering implementing these practices. This implies that in many organisations the awareness phase is yet to be initiated, and there is a lot of room for improvement in the IT governance domain.
Source: ITGI/Lighthouse survey 2005
16 Generic governance framework for IT and outsourcing
17 Generic governance model
[Diagram: Enterprise Governance of IT, with an Outsource Client IT Governance Framework and a Service Provider IT Governance Framework joined through an Outsource Client Interface; each framework rests on IT governance (VAL IT and COBIT), supported by practitioner processes and compliance requirements.]

The implementation of IT governance is an ongoing process, and the implementation of a governance framework is one of the first steps in that process. The Service Provider IT Governance Framework needs to mirror a largely similar arrangement at its outsource clients. The framework supplied by Val IT and COBIT needs to be supported by detailed practitioner processes, for example ITIL. Various compliance requirements, for example SAS 70, the various ISO standards, King III and the Companies Act, will require either additional activities to be performed or current activities to be reviewed and adjusted to ensure compliance. Within the Outsource Client Interface, the interfaces with outsourcing clients necessary to ensure value delivery need to be defined; these must be aligned and integrated with the Service Provider Interface at the outsource clients.
Source: own source
18 Outsource client (buyer): generic process model
[Diagram: the outsource client's enterprise processes (develop enterprise strategy; strategic management of the product portfolio; strategic management of capacity) and support processes, with a Service Provider Interface facing Service Providers 1..n; on the service provider's side, a Client Interface and support processes facing Outsource Clients 1..n.]

According to Rottier, the generic enterprise management processes for any organisation consist of the development of enterprise strategy, strategic management of the product portfolio and strategic management of capacity. All support processes (HR, finance, IT, etc.) form part of the 'strategic management of capacity' process.
The Client Interface within an outsourcing organisation needs to integrate with the Service Provider Interface at its various clients. The degree of interfacing on each process within the Service Provider Interface depends on the contents of the outsourcing agreement, and can range from receiving information to being responsible for a significant part of a process. The client, however, remains accountable for the process, even where the outsourcer is responsible for the bulk of the process activities.
According to the Meta Group, each process within the Service Provider Interface should be documented in the following manner:
• Roles and responsibilities: define the expectations and actions to be undertaken by the client and its service providers.
• Information to exchange: define the minimum information to be shared between the parties throughout the service fulfilment lifecycle.
• Handover points: define the interaction points between the client and its service providers.
• Policies: align the service providers' mode of operation with the client's strategy and enterprise architecture (for example governance, management, control and assurance requirements).
• Multivendor matters: ensure that service providers operate effectively within a multisourced environment (e.g. that one service provider's plans are carried out with full awareness of their impact on other service providers).
Once the Service Provider Interface has been defined, the service provider needs to integrate it with the Client Interface processes within its own organisation.
There is no single correct organisational format for the outsourcing function within an outsource client. The structure depends on several factors, e.g. the size of the company, geographically distributed resources, the degree of centralisation of the outsourced function, and vendor strategy (single or multi-vendor). The appropriate distribution of activities and responsibilities between the partners and across hierarchical levels is the rationale for the design of the outsource governance organisation.
Source: own source
19 IT governance interrelationships (service provider perspective)
[Diagram: Board of Directors with its committees (IT Strategy Committee, Compensation Committee, Finance Committee, Business Strategy Committee, Audit Committee); CEO and CFO; Compliance, Audit, Risk & Security (CARS); IT Steering Committee; IT Architecture Review Board; Technology Council; Process Oversight Committee; Programme Management Office (PGMO); CIO and 'IT'; Business Executives; Account Management; Sales & Marketing; HR.]

As organisations differ from each other, the governance bodies responsible for IT governance may differ from organisation to organisation. The key point is that the board needs to take full and active responsibility for ensuring that IT and business strategy are properly aligned. The way in which it chooses to do this depends on individual circumstances.
This diagram, while not intended to represent an organisational chart or structure, shows the IT governance interrelationships applicable to an outsourcing service provider. (The model has been simplified for presentation purposes; the full version is available in my paper. The model can be generalised to any organisation by removing the Account Management and Sales & Marketing functions.)
The bodies in the darker blue shade form the organisational backbone of IT governance in terms of COBIT. While the IT Strategy Committee operates at board level, the IT Steering Committee, Architecture Review Board, Technology Council and Process Oversight Committee play a crucial role in alignment at executive level. The Compliance, Audit, Risk and Security entities provide independent assurance that IT delivers what is needed, measure compliance with policies and raise alerts on new risks.
From a value management perspective (shaded light blue), the Investment and Services Board (ISB) is primarily accountable for managing the enterprise's portfolio of investment programmes and existing services. The Value Management Office (VMO) acts as the secretariat for the ISB in managing the investment and service portfolios.
According to the ITGI, it is important to ensure that the committees' meetings are attended by the nominated members and that this responsibility is not delegated downwards. Delegating these responsibilities to lower-level personnel weakens the effectiveness of the committees and can lead to decisions that are not necessarily in the best interests of the business.
Source: ITGI, own source
20 IT governance interrelationships (service provider perspective)
[Diagram: the same model as slide 19, extended with the Investment & Services Board (ISB) reporting to the CEO/CFO and the Value Management Office (VMO) alongside the IT Steering Committee. The speaker notes are identical to those of slide 19.]
Source: ITGI, own source
21 Conclusion
• Best practices are not widely adopted.
• There is significant room for improvement in most companies' IT governance domain.
• Governance best practices address outsourcing governance only to a limited extent.
• A focused effort is required by SA companies to ensure compliance with the King III principles for good IT governance.
• The generic framework that has been formulated addresses the need for an integrated approach to IT governance.

Although best practices are mature, openly available and clearly described in the literature, they are not necessarily widely adopted. This implies that in many organisations there is significant room for improvement in the IT governance domain of outsource service providers and clients alike. The research furthermore found that the currently known governance reference models, frameworks and standards address the specific governance requirements of ICT outsourcing companies only to a limited extent. The overall results indicate that a focused effort is required by SA outsource service providers and outsource clients alike, firstly to assess their current state of compliance and secondly to ensure their continual compliance with the King III principles for good IT governance. The generic IT governance framework discussed earlier contributes to this effort by providing practical models for the integration of processes and the organisation design of the service provider and the outsource client.
24 COBIT & other IT management frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator ('umbrella').
[Diagram: scope of coverage plotted from WHAT (high level) to HOW (detailed): COSO and COBIT at the 'what' end; ISO 27002, ISO 9000 and ITIL at the 'how' end.]

It is normal for COBIT to be used in conjunction with other good practices, standards and in-house developed guidance. COBIT can act as an umbrella providing the framework for everything else. COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices, and acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.
COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.
Source: ITGI
25 Enterprise governance best practice standards: where does COBIT fit?
[Diagram: performance (business goals and drivers, Balanced Scorecard) and conformance (Basel II, Sarbanes-Oxley Act, etc.) feed Enterprise Governance (COSO); below it IT Governance (COBIT); below that the best practice standards (ISO 9001:2000, ISO 27002, ISO 20000, ITIL) and the processes and procedures (QA procedures, security principles).]

This slide shows how COBIT fits into the hierarchy, from business drivers at the top down to specific governance processes and procedures. COBIT is the bridge between business and enterprise governance requirements and specific IT governance practices.
Source: ITGI
26 COBIT Framework
[Diagram: business objectives and governance objectives define the information requirements (the seven information criteria) and are met through IT resources (applications, information, infrastructure, people) by the processes of the four COBIT domains.]
Plan and Organise (PO):
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement (AI):
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support (DS):
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate (ME):
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
IT resources: applications, information, infrastructure, people.

COBIT's information criteria: to satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping, information criteria are defined as follows:
• Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
• Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed business criteria as well as internal policies.
• Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
The COBIT domains: to govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains are called:
• Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS).
• Acquire and Implement (AI): provides the solutions and passes them on to be turned into services.
• Deliver and Support (DS): receives the solutions and makes them usable for end users.
• Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed.
Across these four domains, COBIT has identified 34 IT processes. The ME domain addresses performance management, monitoring of internal control, regulatory compliance and governance (ME4).
Source: ITGI
27 Interrelationship of the COBIT components
[Diagram: business goals set the requirements for IT goals, which set the information requirements for IT processes. IT processes are broken down into key activities, performed by the roles in a responsibility and accountability chart; they are controlled by control objectives, implemented with control practices, audited with control design tests and control outcome tests, and measured by performance indicators (for performance), outcome measures (for outcome) and maturity models (for maturity).]
This shows all the components of COBIT and how they relate to each other.
Source: ITGI
28 Dimensions of maturity
[Diagram: three dimensions of process maturity, HOW (capability, maturity levels 1–5), how MUCH (coverage, 0–100%) and WHAT (control), with their primary drivers: IT mission and goals; return on investment and cost-efficiency; risk and compliance.]

Capability is the level of maturity required in the process to meet business requirements (ideally driven by clearly defined business and IT goals). The COBIT maturity models focus on capability and help an enterprise recognise the capability that best fits specific process requirements.
Coverage is a measure of performance, i.e. how and where the capability needs to be deployed based on business need, and investment decisions based on costs and benefits. For example, a high level of security may need to be focused on only the most critical enterprise systems.
Control is a measure of the actual control and execution of the process in managing risks and delivering the value expected, in line with business requirements and risk appetite. A process may appear to be at the right capability level with the right management characteristics, but still fail because of an inadequate control design. This is an assessment against the COBIT control objectives considered necessary for the process. COBIT provides a generic maturity model for internal control, and processes PO6 and ME2 help institutionalise the need for good controls.
Source: ITGI
29 VAL IT domains & processes
Value Governance (VG):
• Establish informed and committed leadership
• Define and implement processes
• Define portfolio characteristics
• Align and integrate value management with enterprise financial planning
• Establish effective governance monitoring
• Continuously improve value management practices
Portfolio Management (PM):
• Establish strategic direction and target investment mix
• Determine the availability and sources of funds
• Manage the availability of human resources
• Evaluate and select programmes to fund
• Monitor and report on investment portfolio performance
• Optimise investment portfolio performance
Investment Management (IM):
• Develop and initiate the initial programme business case
• Understand the candidate programme and implementation options
• Develop the programme plan
• Develop full life-cycle costs and benefits
• Develop the detailed candidate programme business case
• Launch and manage the programme
• Update operational IT portfolios
• Update the business case
• Monitor and report on the programme
• Retire the programme
Source: ITGI
30 Road map to IT governance
Identify needs:
• Raise awareness and obtain management commitment
• Define scope
• Define risks
• Define resources and deliverables
• Plan programme
Envision solution:
• Assess actual performance
• Define target for improvement
• Analyse gaps and identify improvements
Plan solution:
• Define projects
• Define improvement plan
Implement solution:
• Implement the improvements
• Monitor implementation performance
• Review programme effectiveness
Operationalise solution:
• Build sustainability
• Identify new governance requirements

The COBIT governance framework, composed of four domains, 34 high-level control objectives, more than 200 detailed control objectives, and thousands of goals, metrics, gaps, risks and assets, is a complex system.
The IT governance framework in its simplest form is implemented by one of the 34 COBIT processes (ME4 Provide IT governance). It does, however, interact heavily with a number of COBIT processes and provides the governance "link" for all of them. This implies that, from a governance perspective, not all 34 processes need to be implemented immediately: the decision about which processes to implement, and to what maturity level, should be dictated by strategic business drivers, risks and compliance requirements.
To make an IT governance implementation project successful:
• Make IT governance a workable solution, able to deal with the challenges and pitfalls presented by IT.
• Focus as much on improving performance and enabling competitive advantage as on preventing problems.
• Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
• Align IT governance within a wider enterprise governance scheme.
Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
Source: ITGI