Implementing IT Governance
Paul Williams
paulwilliamsconsulting.co.uk
ISACA London Chapter
October 2002
Today’s IT Environment
• Complex
• Heterogeneous
• High business dependency
• Growing costs
• More & more networking
• Increasing risks
• Distributed
• Higher expectations
What the IT function must deliver
• Security / integrity
• Effectiveness and efficiency
• Implementation to impossible timetables
• Reduced costs (“Total cost of ownership” - TCO)
• Service levels
• Innovative solutions
• Value for money
• And…. source, implement and exploit risky new technology
Is IT Working?
“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997
“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!”
Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998
“I am writing a book on the history of information technology…in order to better understand why it is such a mess!”
Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001
“IT investments did not have an impact on productivity in 53 out of 59 economic sectors”
McKinsey report 2001
Analyst group Gartner is claiming that 20% of corporate IT budgets are wasted. In western Europe some £99bn of IT spending goes on projects and equipment that fail to deliver the expected achievements, Gartner said.
Advising constant re-evaluation of the value and viability of new initiatives, Gartner said one way of avoiding waste is to "kill projects early and often".
Typical areas of waste include "over specifying" hardware and network infrastructure, unnecessary customisation of software and poor control of licensing.
Enterprise and IT Governance
Enterprise Governance: the rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.
IT Governance: the management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.
MIT Definition of IT Governance
We define IT governance as:
‘specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT’
‘Governance is not about what decisions get made – that is management – but it is about who makes the decisions and how they are made.’
Peter Weill, Director MIT Center for Information Systems Research
‘(Governance) is about the increasing necessity for directors and senior management within companies to be accountable for corporate actions, or inactions, carried out in their name.’
The IT aspects of corporate governance are one of the things that chief executives think they don’t have to understand - until it bites them!
Peter Morriss, KPMG
But sometimes they do get bitten…….
• Denial of service
• Viruses
• Poor systems reliability
• Failed projects
• Website defacement
• Incorrect management reporting
• Excess costs
Stakeholders Apply Pressure
• Shareholders and Executive: lower cost, higher profitability and increased market share
• Customers and Staff: more functionality at lower cost and greater ease of use
• Society: greater accountability for executives in private and public sector
The governance framework
Cadbury: “…strengthen internal control…boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
Turnbull: “…board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”
BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”
Stewardship is extending to IT as boards begin to understand the depth of their enterprise’s reliance on IT.
The need for governance over IT
“IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals”
Robert Roussey CPA, Professor University of Southern California
The need for governance over IT
“The Board of Directors of my company is well aware its role is to oversee the company’s organisational strategies, structures, systems, staff and standards. However, as President of the company it is my responsibility to ensure that they extend that oversight to the company’s IT as well. In today’s economy and with our reliance on IT for competitive advantage, we simply cannot afford to apply to our IT anything less than the commitment we apply to overall governance”
Michael Cangemi, President Etienne Aigner Group
IT Is Critical to Most Businesses
This criticality arises from:
• The increasing dependence on information and the systems and communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• IT failures increasingly impacting reputation and enterprise value
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• The risks of doing business in an interconnected world
• The need to build and maintain knowledge essential to sustain and grow the business
How Should the Board Address IT Governance Responsibilities?
• Drive business alignment
• Manage enterprise risk
• Measure performance
• Seek formal and relevant assurance
• Ask the right questions
Example questions
• Are enterprise and IT objectives linked and synchronised?
• Is there an up to date inventory of IT risks relevant to the enterprise?
• How does our company compare with our competitors in terms of adoption of best IT practices?
• How often and by how much do IT related projects go over budget?
• Are end users satisfied with the services delivered by IT?
Board self-assessment
• Is the Board aware of current developments in IT from a business perspective?
• Is IT a regular item on the Board agenda and is it discussed in an informed and structured manner?
• Is the reporting level of IT appropriate to its importance to the organisation?
• Is the Board assured of the fact that suitable IT resources are available to meet the objectives of the business?
• Is value for money being obtained from IT investment?
Implementing IT Governance
Case History 1
Enterprise Background
• European Financial Services Company
• 30+ branches around Europe
• Annual IT budget £16 million
• Uncertainty over IT value
• Uncertainty over IT direction and management
• Pilot consulting project agreed to identify specific issues and recommendations using four domains of Cobit
Cobit Domains
• Strategy alignment
• IT organisation
• Managing the IT investment
• Defining and managing service levels
Strategy alignment (sample findings)
• Current IT strategy incoherent – more tactical than strategic
• IT ‘strategy’ used primarily as a means to support budget requests
• IT only discussed at Board level during budgeting process
• Lack of consistent IT awareness and knowledge at senior business levels
• IT priorities dictated via a ‘lobbying’ process
• Current systems a plethora of point solutions rather than an integrated coherent whole.
IT Organisation (sample findings)
• IT Steering Committee existed but involvement delegated to lower levels of management
• Business departments inconsistently represented
• No direct link between Steering Committee and Board
• IT function seen as an inhibitor rather than as an enabler
• Communication between IT and business not good
• Security responsibility delegated at too low a level
• IT function seen as technology rather than business focussed.
Managing the IT Investment (sample findings)
• Difficult to identify true IT costs due to ‘smoke and mirrors’ budgeting and cost management
• Perception of high infrastructure costs
• Significant use of (expensive) contractors (to overcome internal headcount restrictions)
• IT seen as central cost; user departments did not need to identify or prove value
• New IT investments given approval (or rejected) without proper financial appraisal
• No post-implementation review.
Defining and managing service levels (sample findings)
• Service level agreements (where they existed) not formally monitored
• No use of IT service or value related metrics
• ……….but, service levels and infrastructure reliability regarded as very good!
Recommendations included….
• IT education for all Board members and senior managers
• IT matters to be a formal Board agenda item
• Improved IT investment approval process
• IT Steering Committee to be redefined and re-constituted
• Greater transparency to IT costings
• Contractors vs headcount to be reviewed
• Formal IT strategy process to be undertaken
• Metrics to be developed (balanced scorecard?)
Implementing IT Governance
Case History 2
Enterprise Background
• Global financial services organisation
• Banking, insurance and asset management
• Annual IT budget £1.8 billion
• Total IT investment portfolio £3 billion
• Existing strong IT governance processes
Existing governance processes included…..
• IT policy and strategy determined through fully representative IT Policy Committee – three Board members are active members of this Committee
• Central small HQ unit reporting to main Board director charged with defining and reporting on relevant IT metrics
• Annual ‘IT dashboard’ process with full analysis and actions
• Central monitoring of IT investment portfolio
• Commitment to IT value reporting including how IT spend impacts shareholder value
Our (the Board’s) commitment to IT governance helps us to ensure over time that…
• ……we obtain maximum value from our investment in IT;
• ……we continue to focus our IT investments in highest value areas;
• ……the efficiency and effectiveness of our IT operations compares well against our competitors;
• ……we obtain maximum leverage globally from our IT investments;
• ……we continue to attract and retain the best people;
• ……IT properly supports, enables, and enhances our business;
• ……we improve our ability to manage our IT related project portfolio;
• ……IT related risks are being properly managed and mitigated.
How does the IT Dashboard help us do this?
• Enables us, over time, to develop and compare the most appropriate metrics on IT spend, performance and value;
• Helps to identify positive and negative trends and thus enable best practices to be shared and, where appropriate, managerial actions to be taken;
• Enables direct comparison with specifically commissioned peer group information;
• Enables direct comparison of metrics between different business units;
• Assists senior business and IT management to exercise their governance responsibilities over IT investments.
Metrics included
• IT costs by category and by activity
• IT staff numbers and costs analysed by activity
• Full-time versus contract IT staff
• Outsourcing ratios
• Workstation costs
• IT intensity
• IT related operational risk incidents (number & value)
• IT security incidents (number & value)
• Various IT project metrics
• IT investment management CMM level (current and projected)
Improve - Process capability maturity model
(Figure: process evolution plotted against quality and control, and risk. The levels, their process characteristics and the method of achievement, from lowest to highest maturity:)
• Initial (Ad hoc / chaotic) – Method of achievement: undefined tasks, relies on initiative
• Repeatable (Intuitive) – Process highly dependent on individuals and their commitment – Method of achievement: quality people, defined tasks
• Defined (Quantitative) – Process defined and institutionalised – Method of achievement: policies, procedures and standards defined; corporate knowledge
• Managed (Quantitative) – Process measurements indicating performance levels – Method of achievement: complete control structures; performance analysis
• Optimising – Improved feedback into the process yielding continuous improvement – Method of achievement: automation
IT Governance Problem Indicators include…….
• IT not on Board Room agenda
• IT not directly represented at Board level
• IT and Business strategy not concurrently prepared and aligned
• IT managed by technology rather than by business focus
• History of late or failed business system implementations
• IT seen as a cost rather than as a provider of value
• External or internal perception that organisation is not making the most of technology
• Inadequate or non-existent IT related metrics
• Technology investments justified on cost savings rather than on revenue enhancement
What can auditors do to help?
• Promote the strong messages of IT governance
• Become more aware of the root causes of reported related IT issues
• Help to bridge the communication gap between the business and IT
• Help in the identification of metrics
• Help ensure the reliability of reported metrics
• Contribute to the metrics analysis – what do they mean and what are the implications and actions?
• Promote Cobit as a framework for governance improvement
IT Governance WebSite
www.itgi.org