Implementing IT Governance Paul Williams paulwilliamsconsulting.co.uk ISACA London Chapter October 2002

Page 1

Implementing IT Governance

Paul Williams

paulwilliamsconsulting.co.uk

ISACA London Chapter

October 2002

Page 4

Today’s IT Environment

• Complex

• Heterogeneous

• High business dependency

• Growing costs

• More & more networking

• Increasing risks

• Distributed

• Higher expectations

Page 5

What the IT function must deliver

• Security / integrity

• Effectiveness and efficiency

• Implementation to impossible timetables

• Reduced costs (“Total cost of ownership” - TCO)

• Service levels

• Innovative solutions

• Value for money

• And… source, implement and exploit risky new technology

Page 6

Is IT Working?

“IT has been the longest running disappointment in business in the last 30 years!”

Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!”

Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998

“I am writing a book on the history of information technology…in order to better understand why it is such a mess!”

Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001

“IT investments did not have an impact on productivity in 53 out of 59 economic sectors”

McKinsey report 2001

Page 8

Analyst Group Gartner is claiming that 20% of corporate IT budgets are wasted. In western Europe some £99bn of IT spending goes on projects and equipment that fails to deliver the expected achievements, Gartner said.

Advising constant re-evaluation of the value and viability of new initiatives, Gartner said one way of avoiding waste is to "kill projects early and often".

Typical areas of waste include "over specifying" hardware and network infrastructure, unnecessary customisation of software and poor control of licensing.

Page 9

Enterprise and IT Governance

Enterprise Governance: The rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.

IT Governance: The management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.

Page 11

MIT Definition of IT Governance

We define IT governance as:

‘specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT’

‘Governance is not about what decisions get made – that is management – but it is about who makes the decisions and how they are made.’

Peter Weill, Director MIT Center for Information Systems Research

Page 12

‘(Governance) is about the increasing necessity for directors and senior management within companies to be accountable for corporate actions, or inactions, carried out in their name.’

Page 13

The IT aspects of corporate governance are one of the things that chief executives think they don’t have to understand - until it bites them!

Peter Morriss, KPMG

Page 14

But sometimes they do get bitten…

• Denial of service

• Viruses

• Poor systems reliability

• Failed projects

• Website defacement

• Incorrect management reporting

• Excess costs

Page 15

Stakeholders Apply Pressure

Shareholders and Executive: Lower cost, higher profitability and increased market share

Customers and Staff: More functionality at lower cost and greater ease of use

Society: Greater accountability for executives in private and public sector

Page 16

The governance framework

Cadbury: “…strengthen internal control…boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”

Turnbull: “…board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”

BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

Stewardship is extending to IT as boards begin to understand the depth of their enterprise’s reliance on IT.

Page 17

The need for governance over IT

“IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals”

Robert Roussey CPA, Professor University of Southern California

Page 18

The need for governance over IT

“The Board of Directors of my company is well aware its role is to oversee the company’s organisational strategies, structures, systems, staff and standards. However, as President of the company it is my responsibility to ensure that they extend that oversight to the company’s IT as well. In today’s economy and with our reliance on IT for competitive advantage, we simply cannot afford to apply to our IT anything less than the commitment we apply to overall governance”

Michael Cangemi, President Etienne Aigner Group

Page 19

IT Is Critical to Most Businesses

This criticality arises from:

• The increasing dependence on information and the systems and communications that deliver it

• The dependence on entities beyond the direct control of the enterprise

• IT failures increasingly impacting reputation and enterprise value

• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

• The risks of doing business in an interconnected world

• The need to build and maintain knowledge essential to sustain and grow the business

Page 20

How Should the Board Address IT Governance Responsibilities?

• Drive business alignment

• Manage enterprise risk

• Measure performance

• Seek formal and relevant assurance

• Ask the right questions

Page 21

Example questions

• Are enterprise and IT objectives linked and synchronised?

• Is there an up to date inventory of IT risks relevant to the enterprise?

• How does our company compare with our competitors in terms of adoption of best IT practices?

• How often and by how much do IT related projects go over budget?

• Are end users satisfied with the services delivered by IT?

Page 22

Board self-assessment

• Is the Board aware of current developments in IT from a business perspective?

• Is IT a regular item on the Board agenda and is it discussed in an informed and structured manner?

• Is the reporting level of IT appropriate to its importance to the organisation?

• Is the Board assured of the fact that suitable IT resources are available to meet the objectives of the business?

• Is value for money being obtained from IT investment?

Page 23

Implementing IT Governance

Case History 1

Page 24

Enterprise Background

• European Financial Services Company

• 30+ branches around Europe

• Annual IT budget £16 million

• Uncertainty over IT value

• Uncertainty over IT direction and management

• Pilot consulting project agreed to identify specific issues and recommendations using four domains of Cobit

Page 25

Cobit Domains

• Strategy alignment

• IT organisation

• Managing the IT investment

• Defining and managing service levels

Page 26

Strategy alignment (sample findings)

• Current IT strategy incoherent – more tactical than strategic

• IT ‘strategy’ used primarily as a means to support budget requests

• IT only discussed at Board level during budgeting process

• Lack of consistent IT awareness and knowledge at senior business levels

• IT priorities dictated via a ‘lobbying’ process

• Current systems a plethora of point solutions rather than an integrated coherent whole.

Page 27

IT Organisation (sample findings)

• IT Steering Committee existed but involvement delegated to lower levels of management

• Business departments inconsistently represented

• No direct link between SC and Board

• IT function seen as an inhibitor rather than as an enabler

• Communication between IT and business not good

• Security responsibility delegated at too low a level

• IT function seen as technology rather than business focussed.

Page 28

Managing the IT Investment (sample findings)

• Difficult to identify true IT costs due to ‘smoke and mirrors’ budgeting and cost management

• Perception of high infrastructure costs

• Significant use of (expensive) contractors (to overcome internal headcount restrictions)

• IT seen as central cost, user departments did not need to identify or prove value

• New IT investments given approval (or rejected) without proper financial appraisal

• No post-implementation review.

Page 29

Defining and managing service levels (sample findings)

• Service level agreements (where they existed) not formally monitored

• No use of IT service or value related metrics

• …but service levels and infrastructure reliability regarded as very good!

Page 30

Recommendations included…

• IT education for all Board members and senior managers

• IT matters to be a formal Board agenda item

• Improved IT investment approval process

• IT Steering Committee to be redefined and reconstituted

• Greater transparency to IT costings

• Contractors vs headcount to be reviewed

• Formal IT strategy process to be undertaken

• Metrics to be developed (balanced scorecard?)

Page 31

Implementing IT Governance

Case History 2

Page 32

Enterprise Background

• Global financial services organisation

• Banking, insurance and asset management

• Annual IT budget £1.8 billion

• Total IT investment portfolio £3 billion

• Existing strong IT governance processes

Page 33

Existing governance processes included…

• IT policy and strategy determined through fully representative IT Policy Committee – three Board members are active members of this Committee

• Central small HQ unit reporting to main Board director charged with defining and reporting on relevant IT metrics

• Annual ‘IT dashboard’ process with full analysis and actions

• Central monitoring of IT investment portfolio

• Commitment to IT value reporting including how IT spend impacts shareholder value

Page 34

Our (the Board’s) commitment to IT governance helps us to ensure over time that…

• we obtain maximum value from our investment in IT;

• we continue to focus our IT investments in highest value areas;

• the efficiency and effectiveness of our IT operations compares well against our competitors;

• we obtain maximum leverage globally from our IT investments;

• we continue to attract and retain the best people;

• IT properly supports, enables, and enhances our business;

• we improve our ability to manage our IT related project portfolio;

• IT related risks are being properly managed and mitigated.

Page 35

How does the IT Dashboard help us do this?

• Enables us, over time, to develop and compare the most appropriate metrics on IT spend, performance and value;

• Helps to identify positive and negative trends and thus enable best practices to be shared and, where appropriate, managerial actions to be taken;

• Enables direct comparison with specifically commissioned peer group information;

• Enables direct comparison of metrics between different business units;

• Assists senior business and IT management to exercise their governance responsibilities over IT investments.

Page 36

Metrics included

• IT costs by category and by activity

• IT staff numbers and costs analysed by activity

• Fulltime versus contract IT staff

• Outsourcing ratios

• Workstation costs

• IT intensity

• IT related operational risk incidents (number & value)

• IT security incidents (number & value)

• Various IT project metrics

• IT investment management CMM level (current and projected)

Page 37

Improve - Process capability maturity model

The original slide is a diagram with three columns (Process evolution, Process characteristics, Method of achievement). Reading from the lowest level to the highest, quality and control increase and risk decreases as the process evolves:

Initial (Ad hoc / chaotic)
Method of achievement: Undefined tasks; relies on initiative

Repeatable (Intuitive)
Process characteristics: Process highly dependent on individuals and their commitment
Method of achievement: Quality people; defined tasks

Defined (Quantitative)
Process characteristics: Process defined and institutionalised
Method of achievement: Policies, procedures and standards defined; corporate knowledge

Managed (Quantitative)
Process characteristics: Process measurements indicating performance levels
Method of achievement: Complete control structures; performance analysis

Optimising
Process characteristics: Improved feedback into the process yielding continuous improvement
Method of achievement: Automation

Page 38

IT Governance Problem Indicators include…

• IT not on Board Room agenda

• IT not directly represented at Board level

• IT and Business strategy not concurrently prepared and aligned

• IT managed by technology rather than by business focus

• History of late or failed business system implementations

• IT seen as a cost rather than as a provider of value

• External or internal perception that organisation is not making the most of technology

• Inadequate or non-existent IT related metrics

• Technology investments justified on cost savings rather than on revenue enhancement

Page 39

What can auditors do to help?

• Promote the strong messages of IT governance

• Become more aware of the root causes of reported related IT issues

• Help to bridge the communication gap between the business and IT

• Help in the identification of metrics

• Help ensure the reliability of reported metrics

• Contribute to the metrics analysis – what do they mean and what are the implications and actions?

• Promote Cobit as a framework for governance improvement

Page 41

IT Governance WebSite

www.itgi.org

Page 42

Implementing IT Governance

Paul Williams

[email protected]