IT GOVERNANCE FRAMEWORK - gitoc.fs.gov.za
1 | Page IT Governance Framework
Department of Police, Roads and Transport
FREE STATE PROVINCE
IT GOVERNANCE FRAMEWORK
DATE 7 March 2012
REVISION 1.0
Document ID ICT-006-032012
Index
1. Introduction Page 3
2. Various Definitions of Governance Page 4
3. Corporate Governance versus IT Governance Page 4
3.1 Corporate Governance Page 5
3.2 IT Governance Page 5
4. IT Governance Framework Page 6
5. What IT Governance will deliver and the five IT Governance focus areas Page 8
6. Five IT Governance Decision Areas (Domains) Page 10
7. Decision Model and Governance Style Page 11
8. IT Governance Mechanism Page 12
8.1 Governance Matrix Page 13
8.2 Roles and Responsibility Page 13
8.3 Governance Map Page 15
9. IT Governance Process Page 15
10. IT Policies, Standards and Procedures Page 20
11. IT Process Page 20
12. IT Governance Page 21
13. Signatures Page 21
1. Introduction
This framework was compiled using the information prepared by Mr Gawie Wellemse as a
Provincial Strategy direction under the leadership of his CIO, Mr Tshepo Motiki, who is the
provincial Chairperson of the Provincial Government Information Technology Officers Council.
From relative obscurity a few years ago, several factors have come together to make the
concept of formal Information Technology (IT) Governance a good idea for virtually every
organisation, both public and private. Key motivators include the need to comply with a
growing list of regulations related to financial and technological accountability, and pressure
from shareholders e.g. Department of Public Service and Administration (DPSA) and
customers.
IT Governance has been described by Gartner[2] as the effective and efficient management of IT
resources to facilitate the achievement of business goals and objectives. Simply put, it’s putting
structure around how organisations align IT strategy with business strategy, ensuring that
organisations stay on track to achieve their strategies and goals and implementing good ways to
measure IT’s performance. It ensures that all stakeholders’ interests are taken into account and
that processes provide measurable results.
IT does not exist for its own sake within an organisation; it is there to ensure that business
achieves sustainable success. IT Governance becomes a management practice for governing
the processes and decisions related to the use of IT within the organisation. IT Governance has
risen in importance because of the widening gulf between what the business expects and what
IT is prepared to deliver. IT has grown to be seen as a cost centre with little direct benefits to
the organisation it serves. An IT Governance framework is meant to align IT functions to the
business, minimise the risk IT introduces and ensure that there is value in the investment made
in IT.
Organizations today are subject to many regulations governing data retention, confidential
information, financial accountability and recovery from disasters. While none of these
regulations requires an IT Governance framework, many have found it to be an excellent way
to ensure regulatory compliance. By implementing IT governance, the organisation will have
the internal controls needed to meet the core guidelines of many of these regulations, such as
the Public Services Act (PSA), 1994 (Proclamation Nr. 103 of 1994), the Public Financial
Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999) and the State
Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998 as amended by Act 38 of
2002).
[1] Provincial Government of the Western Cape (2010). Information Technology Governance Strategy. Pages 129 (main source).
[2] The Gartner Group is an international body that delivers technology research to global technology business leaders to make informed decisions on key initiatives.
2. Various Definitions of IT Governance
a) The structure, oversight and management processes which ensure the delivery of the
expected benefits of IT in a controlled way to help enhance the long term sustainable
success of the enterprise.
b) IT governance is the responsibility of the board of directors and executive management.
It is an integral part of enterprise governance and consists of the leadership and
organisational structures and processes that ensure that the organisation’s IT sustains
and extends the organisation’s strategies and objectives.
c) A structure of relationships and processes to direct and control the enterprise in order to
achieve the enterprise’s goals by adding value while balancing risk versus return over
IT and its processes.
d) Specifying the decision rights and accountability framework to encourage desirable
behaviours in the use of IT.
e) Governance is not about what decisions get made – that is management – but it is about
who makes the decisions and how they are made.
f) IT governance is the term used to describe how those persons entrusted with
governance of an entity will consider IT in their supervision, monitoring, control and
direction of the entity. How IT is applied will have an immense impact on whether the
entity will attain its vision, mission or strategic goals.
3. Corporate Governance versus IT Governance
Corporate Governance is the set of processes, customs, policies, laws, management practices
and institutions affecting the way an entity is controlled and managed. It incorporates all the
relationships among the many stakeholders involved and aims to organize them to meet the
goals of the organization in the most effective and efficient manner possible. An effective
corporate governance strategy allows an organization to manage all aspects of its business in
order to meet its objectives.
Information technology governance, however, is a subset discipline of Corporate Governance.
Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a
part of the overall Corporate Governance Strategy of an organization. IT Governance and
associated governance mechanisms provide the linkage between responsible Corporate
Governance and effective IT Management.
[3] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.
3.1 Corporate Governance
The field of Corporate Governance is a multifaceted subject that includes several fields of
study. These fields include areas such as:
a) Accountability and fiduciary duty. These advocate the implementation of guidelines
and mechanisms to ensure management acts in good faith and that the public
organization is protected from wrongdoing or fraud.
b) Economic efficiency view. This involves how the corporate governance system intends
to optimize results, and meet its objectives.
c) Strategic efficiency view. This involves public policy objectives that are not directly
measurable in economic terms such as alleviation of poverty, access to markets, income
stabilization, health care and job creation. These are issues that are the main focus of
most public sector institutions and are not readily measured in economic terms.
d) Stakeholder view. This area of study focuses more attention and accountability on other
stakeholders such as citizens, employees, businesses and other levels of government
(i.e. provincial, municipal or local authorities).
3.2 IT Governance
IT Governance focuses specifically on information technology systems, their performance and
risk management. The primary goals of IT Governance are to assure that the investments in IT
generate business value, and to mitigate the risks that are associated with IT. This can be done
by implementing an organizational structure with well-defined roles for the responsibility of
information, business processes, applications and infrastructure.
IT governance should be viewed as how IT creates value that fits into the overall Corporate
Governance Strategy of the organization, and never be seen as a discipline on its own. In taking
this approach, all stakeholders would be required to participate in the decision making process.
This creates a shared acceptance of responsibility for critical systems and ensures that IT
related decisions are made and driven by the business and not vice versa.
IT governance is needed to ensure that the investments in IT generate value and reward, and
mitigate IT-associated risks, avoiding failure. IT is central to organizational success – effective
and efficient delivery of services and goods – especially when the IT is designed to bring about
change in an organization. This change process, commonly referred to as 'business
transformation', is now the prime enabler of new business models in both the private and public
sectors. Business transformation offers many rewards, but it also carries many
risks, which may disrupt operations and have unintended consequences. The dilemma becomes
how to balance risk and rewards when using IT to enable organizational change.
4. IT Governance Framework
IT Governance focuses specifically on information technology systems, their performance and
risk management. The primary goals of IT Governance are to assure that the investments in IT
generate business value, and to mitigate the risks that are associated with IT. This can be done
by implementing an organisational structure with well-defined roles for the responsibility of
information, business processes, applications and infrastructure.
IT Governance deals with how IT decisions are made and by whom, detailing who has decision-
making rights, who is supposed to provide the input to inform the decisions and who is
accountable for implementing the decisions. It is ultimately about making IT decisions the right
way. Governance of IT will help the Free State Provincial Government (FSPG) to integrate IT
with the business and improve the cost effectiveness of IT.
The IT Governance framework will deal with the following:
a) What key IT decisions need to be made, and by whom?
b) What decision models are to be used in these decisions?
c) What IT Governance structures, processes, strategy, policies, standards and procedures are
required for correct decision making?
d) What IT processes and procedures are required to ensure that IT ultimately serves the
business?
The IT Governance framework is aligned with the King III Code of Practice for IT Governance
as well as best practice control and process frameworks in supporting business aligned use of
and investment in IT. The key frameworks that support this governance framework are the
following:
[4] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.
Framework (Acronym): Description
Control Objectives for Information Technology (COBIT): Provides comprehensive IT Governance processes, IT alignment and IT controls.
Projects in Controlled Environments (PRINCE2): Managing IT projects and realizing value from IT.
Capability Maturity Model Integration (CMMI): Process improvement approach used in the development of applications (software).
Information Technology Infrastructure Library (ITIL): Set of processes for managing IT services.
Information Technology Risk Management (ITRM): Framework for managing and mitigating risks resulting from IT.
International Organization for Standardization 27000 (ISO 27000): Framework for information security.
Publicly Available Specification 56 (PAS 56): Guide to Business Continuity Management.
Publicly Available Specification 77 (PAS 77): Guide to IT Service Continuity Management.
The Provincial Government Information Technology Officers Council (PGITOC) adopted
COBIT as the overall IT governance framework for the FSPG. The following diagram[5]
illustrates how the different frameworks (with COBIT as the overarching framework) work
together to provide guidance in the governance of IT from strategic to process level:
Diagram illustrating how the different frameworks work together (with COBIT overarching).
[5] Sun Microsystems Inc. (2010). Positioning of Frameworks. Available: http://www.isaca.org/Groups/ProfessionaEnglish/frameworks/GroupDocuments/frameworks_v3_111908.pdf. Last accessed 27/01/2011.
5. What IT Governance will deliver and the five IT Governance focus areas
There are two major outcomes from IT Governance:
1. IT value delivery to departments.
2. Mitigating IT related risks.
Both of the above-mentioned outcomes are achieved by focusing on the five IT Governance
areas[6], as illustrated in the accompanying figure and explained below.
IT GOVERNANCE FOCUS AREAS
1. Strategic Alignment: Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition and on aligning IT operations with the organization's operations.
2. Value Delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the value of IT.
3. Risk Management: Requires risk awareness by senior management, a clear understanding of the organization’s appetite for risk, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization.
4. Resource Management: Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.
5. Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Strategic Alignment:
• Linking business and IT plans.
• Defining, maintaining and validating the IT value proposition.
• Aligning IT operations with the organization's operations.
• Providing collaborative solutions that contain costs while improving administrative efficiency and managerial effectiveness.
Best Practices:
• Integrated approach to business/IT strategy.
• Cascading strategy and objectives down into the organization.
• Co-responsibility of business and IT.
• Clearer objectives for IT investments.
• IT Strategy and IT Standing Committees.
Value Delivery:
• Executing the value proposition throughout the delivery cycle.
• Ensuring that IT delivers the promised benefits against the strategy.
• Concentrating on optimizing expenses and proving IT’s value.
• Controlling projects and operational processes with practices that increase the probability of success (budget, risk, quality etc.).
Best Practices:
• Tracking of the business value of IT.
• Enabling effective value measurements (ROI, TCO etc.).
• Disciplined approach to project management with a larger role for the business.
• Commitment to formal methodologies/processes for application development and service delivery.
• Enterprise architecture planning.
Risk Management:
• Requires risk awareness of senior management, a clear understanding of the organization’s appetite for risk and transparency about the significant risks to the organization.
• Embeds risk management responsibilities in the operation of the organization.
• Addresses the safeguarding of IT assets, disaster recovery and continuity of operations.
Best Practices:
• Awareness of IT risks based on continuous assessment.
• Transparency to all stakeholders.
• Establishing responsibility and embedding risk management into the organization.
• An integral part of compliance and assurance.
• Use of formal IT risk and control frameworks.
• Process management disciplines.
Resource Management:
• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure and data).
• Maximizing the efficiency of these assets and optimizing their costs.
• Optimizing knowledge and the IT infrastructure.
• Knowing where, when and how to outsource.
Best Practices:
• Supply/demand balancing.
• Practices to train and sustain staff.
• Consumption-based chargeback.
• Formalized vendor management disciplines.
Performance Measurement:
• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
• Measuring relationships and assets necessary to compete (customer focus, process efficiency and the ability to learn and grow).
• Tracking project delivery and monitoring IT services.
Best Practices:
• IT balanced scorecard as an emerging reporting system.
• A management reporting system that feeds back into the strategy.
• Use of benchmarking for performance comparison.
• IT scorecard approval by the key stakeholders for alignment.
[6] Saull, R. (2006). IT Governance. A Framework for Performance and Compliance. Available: http://itgi.jp/conf200611/ronsaull.pdf. Last accessed 28 January 2011.
[7] University of West Florida (2009). IT Governance. Available: http://argowiki.com/index.php?title=IT_Governance. Last accessed 01 February 2011.
6. Five IT Governance Decision Areas (Domains)[7]
IT Governance necessitates key decisions regarding IT in the FSPG. Some of these decisions
must be made in conjunction with the business to get full value from the IT investment. It is
important to articulate these key decision areas (domains) in order for IT to perform according
to requirements. The following five key IT decision areas exist:
7. Decision Model and Governance Style
The FSPG has chosen a decentralised model (IT unit per department) for providing IT goods and
services to the various departments. Strategic IT matters are considered by the PGITOC that is
chaired by the Chief Information Officer (CIO) (Department of the Premier) with IT Managers of
the various departments as members. It is imperative to immerse IT into the business so that its
plans are aligned to the business and its decisions and the business decisions are concluded in the
right manner that advances the objectives of the departments.
There are six general governance styles for providing input or making decisions
regarding the five key IT decision areas (domains) mentioned in paragraphs 6.1 to 6.5. The styles
reflect a mix of shared responsibilities (for input and decision making) between IT and business in
governing the five decision areas.
The FSPG IT Governance uses a mix of governance styles across the five decision areas. The
variety of styles highlights the different roles required for input and decision making in support of
business needs. The primary IT governance styles for the FSPG are the Business and IT Monarchy
as well as the Duopoly style. The following six classic styles exist in a typical IT Governance
structure:
1. Business Monarchy: This is where the Head of the Department, the Chief Financial Officer (CFO) and the Chief Information Officer (CIO)/IT Manager (the so-called C-level executives) make the decisions. Recently the CIO/IT Manager has been more involved and has a more active role in the decision making within the business monarchy level. At this level, decisions are derived from input from many areas.
2. IT Monarchy: The IT monarchy consists of IT executives (CIO and IT Managers). Within this governance archetype, decisions could be made by way of an IT leadership committee (for example the PGITOC). At this level, decision rights for both IT Infrastructure Strategies and IT Architecture are the responsibility of the IT monarchy.
3. Feudal: Feudal governance is characterized by delegated or otherwise dispersed governing rights. The exercising of decision making is highly localized, and central leadership is weak or at least unobtrusive. This model usually arises in organizations with highly independent and incongruent business units.
4. Federal: This governance archetype attempts to balance responsibilities in the decision making process. Normally this form of decision making consists of the C-level executives and representatives from one other tier within the organization (for example the business leaders tier, business process owners tier, IT leaders tier, etc.). The federal approach is often used for input rights, but less often for decision rights. Given the breadth of opinions under this structure, it is no surprise that there is a propensity for discord.
5. Duopoly: This archetype is characterized by a two-party involvement consisting of one IT group and one business group. This archetype could be used by the business side to introduce business objectives and by the IT side to introduce available technologies so that both sides can ultimately reach decisions on viable solutions.
6. Anarchy: Business process owners and end users have decision rights under this archetype. Surprisingly, most large firms display elements of anarchy. When optimization and customization supersede sharing and standardization, it makes sense to delegate decision rights to end users.
8. IT Governance Mechanism
The FSPG has adopted formal governance mechanisms in order to implement the governance styles and decision model. These governance mechanisms and structures are there to ensure joint decision making where necessary, allocating accountability and responsibility for IT decisions. These formal governance mechanisms are the following:
Nr. Mechanism (Acronym): Description
1. Executive Council (EXCO): Set the strategic objectives for the Province.
2. Head of Department (HoD): Ensure that the DPRT has an appropriate IT procurement and system which is fair, equitable, competitive and cost-effective.
3. Chief Financial Officer (CFO): Ensure that the prescriptions of the Public Finance Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999), including the Framework for Supply Chain Management (SCM), are being adhered to.
4. Forum of Heads of Department (FoHoD): All the accounting officers (Heads of Department) in the FSPG. It acts as a forum responsible for guiding IT and extracting maximum strategic value out of IT.
5. Chief Information Officer (CIO): Give practical effect to the responsibilities of the Head of Department to keep departments updated on strategic IT matters and developments.
6. Provincial Government Information Technology Officers Council (PGITOC): Plan, coordinate, monitor and share Information Management and Information Technology between the departments. The PGITOC is ultimately responsible for IT Governance.
7. Standing Committees (SC): Investigate, consider and make recommendations to PGITOC regarding IT matters.
8. Service Level Agreements (SLA): Specify and measure IT services. SLAs also include Memoranda of Understanding (MOUs).
9. Business Unit Managers (BUM): Determine business and IT requirements and relay them to the CIO/IT Managers.
8.1 Governance Matrix (Input and Decision Rights)
Matrix layout: rows are the six governance styles (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy); columns are the five decision areas (IT Principles; IT Infrastructure Strategies; IT Architecture; Business IT Application Needs; IT Investment and Prioritization), each split into Input Rights and Decision Rights. Entries as recorded in the matrix:
Business Monarchy: DG, FoHoD; DG, FoHoD; DG, FoHoD; HoD, CFO.
IT Monarchy: PGITOC SC; CIO; PGITOC SC; CIO; PGITOC; CIO; CIO.
Feudal: no entries.
Federal: no entries.
Duopoly: SC, BUM, CIO; BUM; BUM; CIO.
Anarchy: no entries.
The net result from the governance mechanisms over the five key IT decision areas is the
following:
a) Collaborative decision making between the departments and IT leadership for IT
Principles, IT Investment and Prioritization.
b) IT leadership has the responsibility for finalising IT Infrastructure Strategies and IT
Architecture.
c) Departmental input in determining IT Application Needs.
8.2 Roles and Responsibilities (Accountability Framework)
8.2.1 Head of Department
In terms of Section 38(1)(a)(iii) of the PFMA (Act 1 of 1999, as amended by Act 29 of
1999), the accounting officer (HoD) for a department (PRT) must ensure that the department
has and maintains an appropriate procurement and provisioning system which is fair, equitable,
transparent, competitive and cost-effective. Flowing from this, the Director General (DG) is
accountable for IT Governance at Provincial level, and this role is delegated at departmental
level to the Head of Department (HoD), in this case the HoD: Police, Roads and Transport. The
HoD has also delegated some of his responsibilities to the CIO, who, among other things,
ensures that IT Governance is in place and that IT supports FSPG objectives. The HoDs are
ultimately responsible for cultivating an understanding of the value of IT within their
departments.
8.2.2 Provincial Government Information Technology Officers Council
The PGITOC champions IT innovations in the FSPG. In so doing, the PGITOC considers
crosscutting IT-related solutions proposed by departments for implementation and makes
recommendations on their approval to FoHoD. The Council thus functions as a gatekeeper for
proposed crosscutting IT solutions. The PGITOC also makes recommendations on the adoption
of proposed IT strategies, policies, norms and standards.
The PGITOC also considers IT architecture variations and reviews the IT risk strategy for
consistency with the architecture. The CITCOM is also responsible for defining multi-
departmental and single-departmental initiatives and approving IT standards. In sum, the
PGITOC is the de facto IT Strategy Committee and acts on behalf of FoHoD (to which it is
accountable) on how best to use IT within the organisation.
The PGITOC operations are regulated by the following:
a) Free State Growth and Development Strategy Plan.
b) Individual department’s strategic and IT plans.
c) Integrated Development Plan (IDP).
d) SITA Act, 1998 and Regulations.
e) Public Service Acts and Regulations.
f) Public Finance Management Act, 1999 and Regulations.
The PGITOC is governed by a Charter approved by FoHoD and meets at least once every
month (and whenever circumstances so determine). The PGITOC is constituted by the
following:
a) CIO who is the Chairperson.
b) IT Managers from each department as appointed by the HODs.
c) Managers in the IT unit of the PRT.
d) Provincial representative of the State Information Technology Agency (SITA) as
Associate Members only on the standing committees.
e) Secretary – official from the IT unit, Department of Premier.
The following Standing Committees exist within the PGITOC:
a) Procurement and IT Economic Development
b) E-government and e-governance.
c) Risk, Audit, Projects and Change Management
d) Security, Architecture and Free and Open Source Software (FOSS).
The Departmental Steering Committee (Steercom) is governed by a Charter approved by the
Department of Police, Roads and Transport and meets at least once every month (and whenever
circumstances so determine). The Steercom is constituted by the following:
a) Chairperson: an Executive Manager appointed by the HoD.
b) Members: the Departmental CIO and Business Managers, in accordance with the mandate the
HoD may decide, with the aim of strengthening the decision making process.
c) Secretary: an official from the Service Management division of the ICT Unit, PRT.
The CIO reports to the Corporate Service Executive, who reports to the Head of Department.
At the same time, the CIO reports to the PGITOC, which reports to FoHoD and to the
Department of Public Service and Administration through the CIO and the office of the
Government Chief Information Officer (GCIO). Steercom members report to the HoD, who in
turn reports to their Member of EXCO.
8.2.3 Departmental Chief Information Officer
A Provincial IT Manager is responsible for the following:
a) Represent the department at the Government Information Technology Officers Council
on provincial level (PGITOC).
b) Interact regularly on matters of IT governance with the PGITOC.
c) Report on a regular basis to Senior Management (SM) in the department as well as to
the PGITOC in order to ensure transparency of IT operations and implementation.
d) Implement and monitor an IT Governance framework (COBIT) to deliver value and
manage risk.
e) Implement IT strategies, policies, standards and procedures.
f) Implement an organisational structure geared for getting value out of IT for
departments.
g) Implement governance structures (e.g. SLAs).
h) Create an awareness of the maturity levels of governance.
i) Implement an IT planning process that is integrated with the departmental strategy
development process.
j) Align IT operations with departmental operations.
k) Translate business requirements into efficient and effective IT solutions.
8.3 Governance Map
9. IT Governance Process
Control Objectives for Information and related Technology (COBIT) provides comprehensive
good practices and processes for enforcing successful governance of IT – embedding IT and its
value within the FSPG.
COBIT contributes to IT governance by providing a framework to ensure that:
a) IT is aligned to Departments and their business;
b) IT enables departments and maximises benefits;
c) IT resources are used responsibly; and
d) IT risks are managed appropriately.
COBIT has four domains that contain control processes to be used in achieving governance
(primarily resource utilisation, business alignment of IT, value delivery and the management of
IT risk). The four COBIT domains are: Plan and Organise (PO), Acquire and Implement (AI),
Deliver and Support (DS) and Monitor and Evaluate (ME).
[8] Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobititgovernanceriskitpractitionerguide. Last accessed 08 February 2011.
Figure: COBIT Framework.
COBIT is further complemented by two other IT governance frameworks that will be used in the FSPG's governance of IT. These complementary frameworks are Val IT and Risk IT. The two frameworks extend COBIT with more detail and processes for the two governance focus areas of Value Delivery and Risk Management.
Figure: Val IT and Risk IT [8]
‘The links between COBIT and Val IT are focussed on programme and portfolio management and investment management, and primarily the COBIT IT processes that deal with strategy and portfolios (PO1), investment and budgets (PO5), solution delivery (PO10), service management (DS1) and performance reporting (ME1). The links between COBIT and Risk IT are focussed on risks related to strategic choices (PO1), roles and responsibilities for risk related functions (PO4), risk related policies and frameworks (PO6), risk management (PO9), business continuity (DS4) and various other specific risk related service delivery activities in the DS domain.’ [9]
The diagram [10] illustrates how COBIT links the business requirements with the abilities or value of IT. IT Resources are those resources that were made available by the IT units in the various departments. IT Processes are activities to organize IT units and to respond to departments' needs. Business requirements are departmental expectations of IT.
COBIT (Control Objectives for Information and related Technology) covers the following four domains: [11]
1. Plan and Organize (PO).
2. Acquire and Implement (AI).
3. Deliver and Support (DS).
4. Monitor and Evaluate (ME).
The key to maintaining profitability in a technologically changing environment is how well control is maintained. COBIT's Control Objectives provide the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 210 specific and detailed control objectives throughout the 34 high-level IT processes.
Overview of COBIT's 34 high-level IT processes (some of these processes can be further enhanced through the use of Val IT and Risk IT):
Plan and Organize (PO)
The Plan and Organization (PO) domain covers the use of IT and how best it can be used in an organization to help achieve the organization's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level IT processes for the Planning and Organization (PO) domain:
Process Description
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement (AI)
The Acquire and Implement (AI) domain covers identifying IT requirements, acquiring the technology, and implementing it within the organization's current business processes. This domain also addresses the development of a maintenance plan that an organization should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level IT processes for the Acquisition and Implementation (AI) domain:
Process Description
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Delivery and Support (DS)
The Delivery and Support (DS) domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the high-level IT processes for the Delivery and Support (DS) domain:
Process Description
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate (ME)
The Monitoring and Evaluation (ME) domain deals with an organization's strategy in assessing the needs of the organization and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the organization's control processes by internal and external auditors. The following table lists the high-level IT processes for the Monitoring and Evaluation (ME) domain:
Process Description
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance with External Requirements
ME4 Provide IT Governance
Figure: COBIT Framework
[9] ISACA. (2011). Implementing and Continually Improving IT Governance. Available: http://www.isaca.org/KnowledgeCenter/Research/ResearchDeliverables/Pages/ImplementingandContinually-ImprovingITGovernance1.aspx. Last accessed 08 February 2011.
[10] Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobititgovernanceriskitpractitionerguide. Last accessed 08 February 2011.
[11] Palante, JP. (2010). CobiT domains and processes. Available: http://www.qualifiedauditpartners.be/index.php?cont=463&lgn=3. Last accessed 08 February 2011.
10. IT Policies, Standards and Procedures
IT Policies will be established and enforced to govern the requirements of the governance process. Policies will have, where necessary, accompanying standards and procedures to guide implementation.
Goals will continuously be evaluated to determine possible risks. The impact of risks can be
evaluated by considering what might happen if the expectations surrounding that risk are not
made clear to everyone in the organization. If an identified risk and its impact stand in the way
of achieving a goal, then it will likely need to be addressed by a policy. In this way,
management establishes clear guidelines that help ensure desired performance, fitting checks
and balances and appropriate workplace interactions.
The following activities are involved in this process of identifying areas that require policies:
a) Documenting goals.
b) Assessing current state.
c) Envisioning future state.
d) Performing gap analysis.
Other sources of policy content will be some of the IT process specific frameworks that complement COBIT, such as ISO 27000 for security, ITIL (Information Technology Infrastructure Library) for service management and CMMI (Capability Maturity Model Integration) for software development.
Provincial IT Policies and Standards (impacting on the FSPG) are recommended by the
PGITOC and FoHoD and approved by the DG. Departmental IT Policies and Standards are
recommended by the CIO/IT Managers and approved by the Heads of Department.
11. IT Process
COBIT provides detailed IT Governance, IT Management and general IT Processes. It is, however, necessary to augment these with some industry recognised and domain specific frameworks and their processes.
In the Plan and Organise domain TOGAF (The Open Group Framework) will be used in:
PO1: Define an IT Strategic Plan.
PO2: Define the Information Architecture.
In the same domain a process methodology based on PRINCE II will be used in:
PO10: Manage Projects.
In the Acquire and Implement domain CMMI will be used in conjunction with ITIL in:
AI2: Acquire and Maintain Application Software.
AI3: Acquire and Maintain Technology Infrastructure.
AI4: Enable Operation and Use.
AI6: Manage Changes.
In the Deliver and Support domain ITIL processes will be used in:
DS1: Define and Manage Service Levels.
DS3: Manage Performance and Capacity.
DS6: Identify and Allocate Costs.
DS8: Manage Service Desk Incidents.
DS9: Manage the Configuration.
DS10: Manage Problems.
DS13: Manage Operations.
Within the same Deliver and Support domain ISO 27000 with its processes will be used as the security standard in:
DS5: Ensure Systems Security.
DS7: Educate and Train Users.
In the Monitor and Evaluate domain ISO 9000 with its processes will be used as the quality
standard in:
ME1: Monitor and Evaluate IT Performance.
ME2: Monitor and Evaluate Internal Control.
ME3: Ensure Compliance with External Requirements.
12. IT Governance Performance Matrix [12]
IT Governance also means that control mechanisms are to be provided to senior management. The standard IT balanced scorecard [13] (BSC, Figure 1) is a good illustration of how this control question can be answered. The scorecard provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations and expertise of IT staff, and may compare these measures with benchmarking figures. This prevents IT reporting from being restricted to technical matters such as the selection of a new voice communication network, and ensures that inhibitors for new business strategies can be detected and acted upon. The IT units will use BSCs to give performance reports to accounting officers.
Figure 1 shows a standard IT balanced scorecard. The User Orientation perspective represents the user evaluation of IT. The Operational Excellence perspective represents the IT processes employed to develop and deliver the applications. The Future Orientation perspective represents the human and technology resources needed by IT to deliver its services. The Business Contribution perspective captures the business value of the IT investments. Each of these perspectives has to be translated into corresponding metrics and measures that assess the current situation.
These assessments have to be repeated periodically and have to be confronted with goals that have to be set beforehand and with benchmarking figures. It is essential that within an IT BSC the cause-and-effect relationships are established and the connections between the two types of measures, outcome measures and performance drivers, are clarified. A well-built IT scorecard needs a good mix of these two types of measures. Outcome measures such as developers' productivity (e.g., number of function points per person per month) without performance drivers such as IT staff education (e.g., number of educational days per person per year) do not communicate how the outcomes are to be achieved.
Performance drivers without outcome measures may lead to significant investment without a measurement of whether this strategy is effective. These cause-and-effect relationships have to be defined throughout the whole scorecard (Figure 2): more and better education of IT staff (future perspective) is an enabler (performance driver) for a better quality of developed systems (operational excellence perspective), which in turn is an enabler for increased user satisfaction (user perspective), which eventually must lead to a higher business value of IT (business contribution perspective).
[12] Van Grembergen, W. (2010). The Balanced Scorecard and IT Governance. Available: http://www.isaca.org/Certification/CGEITCertifiedintheGovernanceofEnterpriseIT/PreparefortheExam/Study-Materials/Documents/TheBalancedScorecardandITGovernance.pdf. Last accessed 09 February 2011.
[13] The Balanced Scorecard (BSC), initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up. In recent years the BSC has been applied to IT.
IT Governance is part of corporate governance and has to provide the organizational structures to enable the creation of business value through IT, the assurance that there are no IT investments in bad projects and that there are adequate IT control mechanisms. The methodology of the balanced scorecard is a measurement and management system that is very suitable for supporting the IT Governance process and the IT/business alignment process.
It is believed that in the near future many organizations will use a cascade of a business balanced scorecard and IT balanced scorecards as a way of assuring IT Governance and achieving the integration of business and IT decisions.
13. Glossary
AI Acquire and Implement.
BSC Balanced Scorecards: Scorecard that provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations, expertise of IT staff and may compare these measures with benchmarking figures.
BUM Business Unit Managers.
CFO Chief Financial Officer.
CIO Chief Information Officer.
CMMI Capability Maturity Model Integration: Set of processes for managing IT services.
COBIT Control Objectives for Information Technology: Managing IT projects and realizing value from IT.
Corporate Governance The set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed.
DG Director General.
DPSA Department of Public Service and Administration.
DS Deliver and Support.
EXCO Executive Council.
FoHoD Forum of Heads of Department.
FSPG Free State Provincial Government.
ISO 27000 International Organization for Standardization 27000: Guide to Business Continuity Management.
ISO 9000 International Organization for Standardization 9000: A family of standards related to quality management systems, designed to help organizations ensure they meet the needs of customers and other stakeholders. ISO 9000 deals with the fundamentals of quality management systems, including the eight management principles on which the family of standards is based. ISO 9001 deals with the requirements that organizations wishing to meet the standard have to meet.
IT Information Technology.
IT Governance The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.
ITIL Information Technology Infrastructure Library: Framework for managing and mitigating risks resultant from IT.
ITRM Information Technology Risk Management: Framework for information security.
HoD Head of Department.
King III Code of Practice for IT Governance IT Governance is a new issue introduced in the King III code. The King III code places IT governance in the hands of the board and specifically states that the board should be responsible for information technology (IT) governance, ensuring that the business of IT is properly managed in the company. Whereas King I and King II applied to public, listed companies only, King III applies to all entities, regardless of the manner and form of incorporation. The King III code of Governance became effective on 1st March 2010.
ME Monitor and Evaluate.
PAS 56 Publicly Available Specifications 56: Guide to IT Service Continuity Management.
PAS 77 Publicly Available Specifications 77: Provides comprehensive IT Governance Processes, IT alignment and IT controls.
Performance Measurement Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.
PFMA Public Financial Management Act, 1999 (Act 1 of 1999, as amended by Act 29 of 1999).
PGITOC Provincial Government Information Technology Officers Council.
PO Plan and Organise.
PRINCE2 Projects in Controlled Environments: Process improvement approach used in the
development of applications (software).
PSA Public Services Act, 1994 (Proclamation Nr. 103 of 1994).
Resource Management Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.
Risk IT Provides an end to end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
Risk Management Requires risk awareness by senior management, a clear understanding of the organization's appetite for risk, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization.
ROI Return On Investment: A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
SC Standing Committees.
SITA Act State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998 as amended by Act 38 of 2002).
SLA Service Level Agreements.
Strategic Alignment Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition and on aligning IT operations with the organization's operations.
TCO Total Cost of Ownership: A financial estimate whose purpose is to help consumers and enterprise managers determine direct and indirect costs of a product or system. It is a management accounting concept that can be used in full cost accounting or even ecological economics, where it includes social costs.
TOGAF The Open Group Framework: A framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation, and governance of enterprise information architecture.
Val IT A governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level.
Value Delivery Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the value of IT.
14. Signatures