Current approaches to IT governance...ISO / IEC 27002 (tidl. ISO 17799) PRINCE 2 Comprehensive COBIT...

Page 1

INF5890 IT governance

Current approaches to IT governance

Lars Groth

Page 2

Complexity in the IT portfolio: DnB

[Figure: application-landscape diagram for DnB's IT portfolio. A dense web of systems (accounts, products, customers, services, loans, ledgers, documents, security, web and WAP channels, and many more) tied together by integration links labelled MQ, RPC, APPC, SOAP, XML, XML/MQ, ADO and CTlib. The individual system names in the diagram are not recoverable from the transcript.]

Page 5

Governance takes time and energy – is it worth it?

Good IT governance pays, because

IT is expensive

IT is pervasive

New IT technologies bombard enterprises with new business opportunities

IT governance is critical to organizational learning about IT value

IT value depends on more than good technology

Senior management has limited bandwidth

Leading enterprises govern IT differently

Page 6

Basically, it is quite simple:

It is about making sure that information technology provides the best possible support for the enterprise in delivering what it is there to deliver.

Then it is about managing that technology in a prudent and professional way, just as any other asset class.

"Good IT governance isn't rocket science, but it requires discipline and commitment."

– Craig Symons, Forrester Research

Page 8

First traces in 1962 and 1963:

Ph. M. Thurston: "Who Should Control Information Systems?", Harvard Business Review, November-December 1962

J. T. Garrity: "Top Management and Computer Profits", Harvard Business Review, July-August 1963

Page 9

Most people point to Venkatraman:

L. Loh and N. Venkatraman: "Diffusion of Information Technology Outsourcing: Influence Sources and the Kodak Effect", Information Systems Research, 4, 1992

J. C. Henderson and N. Venkatraman: "Strategic alignment: Leveraging information technology for transforming organizations", IBM Systems Journal, 1, 1993

Page 10

1993

Page 11

Michael Holm Larsen, Mogens Kühn Pedersen and Kim Viborg Andersen: "IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S", Proceedings of the 39th Hawaii International Conference on System Sciences, 2006

Page 12

Frameworks for governance

Partial or incidental: ITIL, Six Sigma, CMM/CMMI, IT Due Diligence, IT Service CMM, SOX, SAS70, SysTrust, IT Audit, ISO/IEC 27002 (formerly ISO 17799), PRINCE2

Comprehensive: COBIT, ASL/BiSL, IT Governance Review, IT Governance Assessment, IT Governance Checklist, ITGAP (IT Governance Assessment Process) Model, ISO 38500 IT Governance Standard

Page 13

Relevant Norwegian laws - there are many!

Generally, they fall into three classes:
– Laws that apply to all enterprises, public and private
– Laws applying to public enterprises and public administration only
– Laws applying to specific sectors or industries

The relevant provisions in these laws mainly regulate matters such as:
– Information storage
– Information safeguarding
– Information access
– Information use, incl. universal design
– Public access to information
– Copyright, intellectual property

Page 14

Some examples:

Laws applying to all enterprises
– Act relating to the processing of personal data (Personopplysningsloven)
– Act relating to copyright in literary, scientific and artistic works, etc. (Åndsverksloven)
– Act relating to a prohibition against discrimination on the basis of disability (Diskriminerings- og tilgjengelighetsloven)

Laws applying to public enterprises and public administration
– Act relating to procedure in cases concerning the public administration (Forvaltningsloven), especially §15
– Act relating to public access to documents in the public administration (Offentlighetsloven) (a new EU directive is underway)
– Act relating to Protective Security Services (Sikkerhetsloven)
– Act relating to archives (Arkivloven) and Act relating to the legal deposit of generally available documents, with regulations (Pliktavleveringsloven)
– Act relating to public procurement (Lov om offentlige anskaffelser)
– Regulations relating to ICT standards (Forskrift om IKT-standarder)
– Local government act (Kommuneloven)

Sector laws
– Act relating to health personnel etc. (Helsepersonelloven)
– Act relating to municipal health and care services etc. (Helse- og omsorgstjenesteloven)
– Act on personal health data filing systems and the processing of personal health data (Helseregisterloven)

Page 16

COBIT Control Objectives for Information and Related Technology

A framework developed by ISACA (Information Systems Audit and Control Association), which was founded in 1967

First version launched in 1996, present version (5.0) published 2012

In 1998, ISACA established IT Governance Institute to start research on governance

ISACA offers certification in four areas, including governance:
– Certified Information Systems Auditor (CISA)
– Certified Information Security Manager (CISM)
– Certified in the Governance of Enterprise IT (CGEIT)
– Certified in Risk and Information Systems Control (CRISC)

Page 17

COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT

A business framework from ISACA, at www.isaca.org/cobit

Evolution of scope:
– COBIT1 (1996): Audit
– COBIT2 (1998): Control
– COBIT3 (2000): Management
– COBIT4.0/4.1 (2005/7): IT Governance
– COBIT 5 (2012): Governance of Enterprise IT, taking in Val IT 2.0 (2008) and Risk IT (2009)

© 2012 ISACA® All rights reserved.

Page 18

Main document, summer 2012

Page 20

"Information is a key resource for all enterprises, and throughout the whole information life cycle there is a huge dependency on technology.

Information and related technologies are pervasive in enterprises and they need to be governed and managed in a holistic manner, taking in the full end-to-end business and IT functional areas of responsibility."

– COBIT 5, Executive Summary

Page 22

COBIT5: Enabling a Holistic Approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

Page 23

The difference between governance and management

• Governance ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Page 24

COBIT 5 principle 2: Covering the Enterprise End-to-end

COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.

This means that COBIT 5:
– Integrates governance of enterprise IT into enterprise governance. That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly into any governance system.
– Aligns with the latest views on governance.

Page 25

Comprehensive: COBIT, ASL/BiSL, IT Governance Review, IT Governance Assessment, IT Governance Checklist, ITGAP (IT Governance Assessment Process) Model, ISO 38500 IT Governance Standard

Page 26

This book (Weill and Ross, IT Governance, Harvard Business School Press, 2004) draws on a considerable number of studies at CISR (Center for Information Systems Research at MIT Sloan School of Management):

– A study from 2001-2003 of 256 enterprises from North and South America, Asia and Europe
– 40 case studies from the USA and Europe from 1999 to 2003
– One study of 30 IT managers from 2001
– An exploratory study of IT governance from 1998-99
– An examination of IT governance arrangements in 24 Fortune 100 firms in 2000

Page 27

Governance of IT: "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT"

To govern is to determine who decides what. Three questions must be addressed:

1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions?
3. How will these decisions be made and monitored?

The authors assert that the research presented in the book shows that the enterprises with the best technology utilization achieve up to 40% better return on their IT investments than their competitors.

Page 28

IT: One of the six key assets

Page 30

What decisions must be made?

1. IT principles
– What is the enterprise's desired operating model?
– How will IT support it?
– How will IT be funded?

2. IT architecture
– What are the needs for integration and standardization, and can they be fulfilled?

3. IT infrastructure
– What is going to be included in the shared platforms and services?
  • Hardware and system software
  • IT skills and knowledge
  • Shared services like network and shared databases
  • Shared applications

4. Business application needs
– What is needed, what to buy and what to develop? Particularly important when:
  • Application needs challenge the established architecture
  • Parallel projects with overlapping specifications result in solutions that do not work together, or in parallel storage of data

5. Investment and prioritization
– How much to spend, what to spend it on, who pays, and how to reconcile the needs of the different IT constituencies


Page 33

”The best predictor of IT governance performance is the percentage of managers in leadership positions who can accurately describe IT governance.”

Page 34

Managers taking courses at MIT answer a question about the IT governance arrangements in their enterprise:

"What IT governance?"

"Anarchy!"

"Depends on the amount of money involved."

"Let me ask my CIO."

"The business units make all the strategic decisions."

"Joint decision making between the business unit heads and the central IT group."

"Senior management lays down the law."

"My IT folks manage those things."

Page 35

The basic IT governance arrangements

Business monarchy – Senior management decides

IT monarchy – IT managers decide

Feudalism – A few strong middle managers dominate: managers for processes, products or regions

Federalism – Decisions are taken jointly by senior and business unit managers

Duopoly – A two-party arrangement between the IT executives and a group of business managers

Anarchy – Groups and strong individuals on all levels make their own decisions based on local needs

Page 36

The governance matrix

Columns (decision domains): IT Principles; IT Architecture; IT Infrastructure Strategies; Business Application Needs; IT Investments

Rows (governance archetypes): Business Monarchy; IT Monarchy; Feudal; Federal; Duopoly; Anarchy; Don't Know

Page 37

The governance matrix (complete)

Columns (decision domains), each split into an Input sub-column and a Decision sub-column: IT Principles; IT Architecture; IT Infrastructure Strategies; Business Application Needs; IT Investments

Rows (governance archetypes): Business Monarchy; IT Monarchy; Feudal; Federal; Duopoly; Anarchy

Page 38

Most common arrangements: percent per decision type for 256 enterprises from 23 countries

                    IT Principles    IT Architecture   IT Infrastructure  Business Application  IT Investments
                                                       Strategies         Needs
                    Input  Decision  Input  Decision   Input  Decision    Input  Decision       Input  Decision
Business Monarchy     0      27        0       6         0       7          1      12             1      30*
IT Monarchy           1      18       20      73*       10      59*         0       8             0       9
Feudal                0       3        0       0         1       2          1      18             0       3
Federal              83*     14       46*      4        59*      6         81*     30*           93*     27
Duopoly              15      36*      34      15        30      23         17      27             6      30*
Anarchy               0       0        0       1         0       1          0       3             0       1
Total               100%    100%     100%    100%      100%    100%       100%    100%          100%    100%

An asterisk marks the highest percentage in each column, i.e. the most common arrangement for input and for decisions respectively (bold red numbers for input and bold black numbers for decisions on the original slide). Business Monarchy and Duopoly tie for IT investment decisions. Columns do not all sum to exactly 100 because the percentages are rounded.

Page 39

Reasons for differences between enterprises:

Different goals, both strategic and regarding performance
– Growth, consolidation, innovation
– Private/public/not-for-profit

Different organizational structures or inadequate organizational structure

Position on the learning curve for IT governance

Enterprise size and complexity

Regional and industrial differences

Page 40

Public/private

Where do public enterprises differ?
– Public value, not profit
– Great emphasis on efficiency (cost)
– Budget-based expenditure control as prime governance tool
– Higher degree of formalization
– Longer chains of command
– Often less focus on progress in projects

Differences in governance as seen in the research results:
– More business monarchies in all decisions except architecture
– Significantly fewer IT monarchies in all decisions
– More federal arrangements in all decisions except investments
– More federal arrangements for input to all decisions
– More duopolies for architecture

Page 41

Mechanisms for implementing IT governance

We need to put in place decision-making structures

We need formal alignment processes

We need to communicate about it

Page 42

Common decision mechanisms under different governance arrangements

Business Monarchy
– Senior management committees
– Federal decision structures

IT Monarchy
– IT leadership committees
– Architecture committees

Duopolies
– IT council comprising business and IT executives
– Process teams with IT members
– Business/IT relationship managers

Page 44

Alignment

Process for approval of investments

Process for architectural exceptions

Service Level Agreements

Chargeback arrangements

Tracking of projects and resources consumed

Formally tracking business value of IT

Page 46

Communication

Senior management announcements

Formal committees

Office of CIO or office of IT governance

Portals

Work with nonconformists

Page 48

Implementing IT governance

You will need mechanisms for
– decision-making
– alignment
– communication

Limit decision-making structures

Provide for overlapping membership in decision-making structures
– It is far simpler to achieve alignment inside heads than between heads

Implement mechanisms at multiple levels in the enterprise
– Local needs for standardization may vary

Clarify accountability

Page 49

What will work best?

That which suits YOU! IT should contribute as much as possible to the realization of enterprise goals....

....in a cost-effective way.

Page 50

How to assess IT governance? Calculating the Governance Performance Score

Four governance outcomes are rated:
– Cost-effective use of IT
– Effective use of IT for growth
– Effective use of IT for asset utilization
– Effective use of IT for business flexibility

Importance: for each governance outcome, rate from 1 (not important) to 5 (very important).

Achievements: for each success measure (the same four outcomes), rate from 1 (not successful) to 5 (very successful).

Governance Performance Score = 100 × Σ(importance × achievement) / (5 × Σ importance), i.e. the importance-weighted average of the achievement ratings, scaled to 100. Max score: 100 (every outcome rated 5). Min score: 20 (every outcome rated 1).

Page 52

[Chart: accumulated answers, in percent, from ITLED courses (69 answers)]

Page 53

Seven characteristics of top governance performers

1. More managers in leadership positions could describe IT governance

2. Greater engagement and knowledge on the part of senior management

3. More direct involvement of the senior leaders in IT governance

4. Clearer business objectives for IT investment

5. More differentiated business strategies

6. Fewer renegade and more formally approved exceptions

7. Fewer changes in governance

Page 55

Governance arrangements: The best and worst performers (percent per decision type)

[Table: same layout as the table on page 38, with Input and Decision columns for IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs and IT Investments, and rows for Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly and Anarchy. The percentages extracted for this slide are identical to those on page 38; the markings that distinguish the best from the worst performers are not recoverable from the transcript.]

Page 58

Symptoms of ineffective governance

Senior management senses low value from IT investments

IT is often a barrier to implementing new strategies

The mechanisms to make IT decisions are slow or contradictory

Senior management cannot explain IT governance

Projects often run late and over budget

Senior management sees outsourcing as a quick fix to IT problems

Governance changes frequently

Page 59

What can you do?

Map out the present governance onto both diagrams (the Design Framework and the governance matrix). Compare the two and ask how well the objectives in the Design Framework are achieved by the arrangements in the governance matrix: how can governance be improved?

Audit the IT governance mechanisms:
– How many are active?
– Are they effective both independently and jointly?

Page 60

What can you do?

Discuss the framework in a senior management meeting, especially the top boxes left and right, then design the matrix that fits the conclusions.

Lead the change by using the "to be" versions of the Design Framework and the matrix.

Page 61

Top ten leadership principles of IT governance

1. Actively design governance

2. Know when to redesign

3. Involve senior managers

4. Make choices

5. Clarify the exception-handling process

6. Provide the right incentives

7. Assign ownership and accountability for IT governance

8. Design governance at multiple organization levels

9. Provide transparency and education

10. Implement common mechanisms across the six key assets