IT Governance Infocom India Presentation December 6, 2006.

Presentation transcript:

Agenda
- Why have IT Governance?
- What is IT Governance?
- Various elements of IT Governance
- Frameworks for IT Governance
- How Frameworks interact
- How IT processes underpin IT Governance
- Example of Framework integration
- Metrics to measure IT process health

Why Bother About IT Governance?
Lack of Effective Governance Can Lead to Catastrophic Failures!!
[Chart: IT Readiness against Time. Labels: Desired Level; Decline of Business Readiness; Catastrophic Failure!!; Major Effort for Recovery]

This is not a Rhetorical Conjecture!
- Some Examples:
  - Largest Asian Stock Exchange suspended trading in November, 2005 due to an incorrect software patch
  - Payroll of millions of customers of a major North American bank was affected in June, 2004 due to an incorrect system update
  - Erroneous changes to an Airline Ticketing system caused hundreds of international travel tickets to be sold for less than $100

IT Governance – The Definition
- IT Governance is a system that:
  - Directs and controls to administer necessary IT services to its clients
  - Specifies rights and responsibilities of parties* involved
  - Defines the policies and procedures
  - Provides the structure to achieve the above
* Customers, Regulators and Stakeholders
The above closely follows the corporate governance definition outlined by the OECD (Organization for Economic Cooperation and Development), located in Paris, France.

IT Governance – Differing Viewpoints
- Three Parties & Three Areas of Interest
- Regulators – in Regulatory Compliance
  - Regulators are Government Agencies
- Customers – in Effectiveness of IT Services and somewhat in Regulatory Compliance
  - Customers are recipients of IT Services
- Stakeholders – in Efficiency and Effectiveness of IT Services and Regulatory Compliance
  - Stakeholders are managers and employees of an IT organization

Interest Areas of the Three Parties
Efficiency, Effectiveness and Compliance are only possible through Deployment and Management of a Process Environment of Best Practices

Elements of Governance
- Standard against which Governance can be assessed
- Proven Set of Practices for the processes of an organization
- Compliance with government regulations
- Continuous Improvement to address Efficiency
Governance is NOT just compliance with Government Regulations for Financial Disclosure

Frameworks impacting IT Governance – The Alphabet Soup
- Standards Frameworks
  - ISO (Int. Org. for Standardization) – for Quality
    - Adoption is for competitive reasons and is optional
  - SOXA (Sarbanes-Oxley Act) – for Compliance
    - Regulatory requirements make adoption mandatory
- Compliance Framework
  - COBIT (Control Objectives for Information and Related Technology) – for Controls

Frameworks impacting IT Governance – The Alphabet Soup
- Best Practices Frameworks
  - CMMI (Capability Maturity Modeling Integration) – for IT Development
  - ITIL (Information Technology Infrastructure Library) – for IT Infrastructure Support
- Continuous Improvement Framework
  - Six Sigma

Governance Elements - Also Underpinned by Best Practices

Processes Underpin Governance Elements
- ITIL processes are necessary for ISO certification
- ITIL helps to provide controls for COBIT
- ITIL processes underpin CMMI for support and maintenance
- Continuous Improvement & Six Sigma are only possible through deployment of ITIL best practices
- ITIL Best Practices allow Effectiveness, Efficiency and Compliance to be addressed

ITIL (IT Infrastructure Library)
[Diagram of ITIL processes and their interfaces:
- Users: Difficulties, Inquiries, Service Requests, Change Requests; Communication, Updates, Workarounds; Incidents; Releases
- Service Support: Service Desk, Incident Management, Problem Management, Change Management, Release Management
- The Business, Customers: Queries, Inquiries, Communication; Requirements, Targets, Achievements
- Service Delivery: Service Level Management, Availability Management, Capacity Management, Financial Management for IT Services, IT Service Continuity Management
- Configuration Management]

ITIL and ISO - Achieving ISO Certification

Necessary Tasks for SOXA* Compliance
1. Display the Business Process
2. Define Control Objectives
3. Identify Risks (or “what-can-go-wrong”) in the process
4. Define specific Controls that are in place to mitigate the above Risks, and,
5. Produce Evidence to prove that the above Controls are effective
[Diagram label: ITIL Best Practices]
* Sarbanes-Oxley Act – enacted by US Congress in 2002

ITIL and COBIT
- While ITIL is about process best practice, COBIT is about control points
- Procedures are mapped by ITIL best practices
- Risks can be defined through Metrics
- Software tools for ITIL management provide Control Evidence and Audit Logs

Integration of Development and Support Best Practices
Application Management Lifecycle Elegantly Integrates ITIL and CMMI

ITIL and Six Sigma
- ITIL Best Practice allows rapid adoption
  - No need to develop from scratch
- ITIL defines metrics used as Six Sigma CTQs (“y”) and also for causes (“x”)
- ITIL process management software tools provide data for the necessary analyses
- Application of Six Sigma requires a mature environment
CTQ – “Critical to Quality” (as defined by customer)

Deployment of Frameworks
- Parts of Frameworks can be applied as needed and incrementally
- Even partial implementations of Frameworks can provide major benefits for superior Governance
- Business goals decide what to adopt
- Any Framework implementation is a major effort
- Strong and committed leadership is not just crucial, it is absolutely mandatory to achieve superior governance

Support Infrastructure is a Must for Deployed Frameworks
- Successful deployments require that the processes be:
  - Aligned – ensuring process objectives address business needs
  - Streamlined – through adoption of best practice
  - Mapped – through mapping of tasks for workflows and role assignments
  - Verified – by various organizational functions to meet their business requirements
  - Owned – by assigning formal roles for accountability
  - Documented – for consistency of implementation throughout the organization
  - Measured – to ensure that the process is effective and efficient while meeting compliance
A support infrastructure essentially includes a number of formal roles such as the champions, process owners, process managers and others, depending on the nature of the framework and the organization

Integration of Frameworks – An Example in an ITIL Process

Metrics – Crucial to Manage Processes and Frameworks
- Metrics Determine Process Health or Framework Maturity
- 3M Principle – Measure-to-Monitor-to-Manage
  - To manage, one needs to monitor
  - To monitor, one needs to measure
- ITIL Best Practices also provide relevant and well-defined Metrics for IT processes
Continuous improvement is NOT possible without appropriate metrics

Examples of Applying 6σ Based Metrics: Traditional Chart for Outage

Examples of Applying 6σ Based Metrics: Statistical Chart (Boxplot) for Outage

Examples of Applying 6σ Based Metrics: Traditional Outage Chart by Platform

Examples of Applying 6σ Based Metrics: Outage Boxplot by Platform

Examples of Applying 6σ Based Metrics: Xbar-R Control Chart – Internal Outages [x-axis: Weeks]

Examples of Applying 6σ Based Metrics: Xbar-R Control Chart – Int. & Ext. Outages [x-axis: Weeks]

Questions?