IT Governance Presentation

IT Governance: Aligning Business and IT
Bill McSpadden, September 9, 2008

Transcript of IT Governance Presentation

Page 1: IT Governance: Aligning Business and IT

Bill McSpadden, September 9, 2008

Page 2: Topics

• What is IT Governance
• Why is IT Governance important
• 5 Domains
• Key findings from the 2008 IT Governance Global Status Report
• Obstacles with implementing (so far)
• Choosing a framework for IT Governance
• Getting Started
• Balanced Scorecards
• What Can You Do as an Auditor?

Page 3: What is IT Governance?

ITGI definition:

IT governance consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the enterprise's strategies and objectives.

At its core, IT has two responsibilities:

1. IT must deliver value
2. IT must enable the business

Page 4: Subset of Corporate Governance

• IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.
• The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley and Basel II).
• Acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.

Page 5: Purpose of IT Governance

• Establish and clarify accountability and decision rights (clearly define roles and authority).
• Manage risks, change and contingency proactively.
• Improve IT organizational performance, compliance, maturity and staff development.
• Improve customer service and overall responsiveness.

Page 6: What does it mean?

Governance is about deciding the "who, what, when, why, and how" of decision-making.

• The decisions required by the organization (the "what")
• The roles (the "who") in the organization that are accountable for which decisions
• Policies that guide how the decisions should be made (the "why")
• The measures that enable informed decision-making (the "how")
• At what point in the governance process is the decision appropriately made? (the "when")

Page 7: Purpose of IT Governance (cont'd)

• Align IT investments and priorities more closely with the business.
• Manage, evaluate, prioritize, fund, measure and monitor requests for IT services and the resulting work and deliverables, in a more consistent and repeatable manner that optimizes returns to the business.
• Manage the responsible utilization of resources and assets.
• Ensure that IT delivers on its plans, budgets and commitments.

Page 8: Why IT Governance?

• The rising interest in IT governance is partly due to compliance initiatives.
• IT is tightly coupled to business performance.
• IT presents the extremes of both: very large investments.
• IT-related risks must be mitigated.

Page 9: Benefits of IT Governance

• Formalizes IT oversight and accountability to ensure more effective and ethical management.
• Improves planning, integration, communications and performance between the Business Units and IT Groups and within IT Groups (across silos).
• Improves ROI-based demand management (IT requests and Total Cost of Ownership) decisions to analyze, prioritize, fund, approve and manage major IT investments (capital and operating expenses).
• Optimizes assets and human capital resources.
• Facilitates compliance and audits (e.g. SOX, FDA, HIPAA, etc.) by documenting processes, controls and decision authority.

Page 10: 5 Domains

• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement

Page 11: Strategic Alignment

• Strategic Alignment focuses on ensuring the linkage of business and IT plans.
• IT value proposition:
– Defining
– Maintaining
– Validating
• Aligning IT operations with enterprise operations.

Page 12: Value Delivery

• Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
• Governance measures are mostly qualitative rather than quantitative, which does not lend itself to 'value delivery'.
• Many new IT Governance initiatives have no mechanism in place to measure the success or benefits of their governance efforts.
• When IT Governance performance measurement disciplines and practices are in use, they are mostly informal, subjective or based on qualitative measures only.

Page 13: Value Delivery (cont'd)

• Some organizations measure progress in terms of the performance of their IT Governance measures (process indicators) and less on the eventual outcome, e.g. cost savings.
• There are many reported benefits of IT Governance that are not quantified or measured, including: enhanced IT alignment; cost savings; improved customer satisfaction; and greater security.
• Only in certain cases (approximately 16% of the participants) are hard figures on benefits available, e.g. in the area of budget savings or headcount reductions.

Page 14: Value Delivery (cont'd)

• In some cases, significant cost savings (of more than 30%) were reported.
• The main driver in these cases was indeed cost reduction, and a strong target and corresponding monitoring mechanism was implemented.
• Only a portion of the target benefits materialized in the short term, e.g. large-scale standardization projects take years to deliver their benefits.

Page 15: Risk Management

Requires:
• Risk awareness by senior corporate officers
• A clear understanding of the enterprise's appetite for risk
• Transparency about the significant risks to the enterprise
• Embedding of risk management responsibilities into the organization

Page 16: Resource Management

• Optimal investment in, and the proper management of, critical IT resources:
– Processes
– People
– Applications
– Infrastructure
– Information
• Key issues relate to the optimization of knowledge and infrastructure.

Page 17: Performance Measurement

For example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

• Tracks and monitors strategy implementation
• Project completion
• Resource usage
• Process performance
• Service delivery

Page 18: IT Governance Global Status Report 2008

Key Findings of the Survey

1. C-level is the 'champion', but daily practice is still very much a CIO/IT director issue.
2. The importance of IT continues to increase: 63% rate it as very important (up from 57%).
3. Self-assessment regarding IT governance: 54% at CMM Defined or better (up from 38%).
4. Communication between IT and users is improving, but slowly.
5. There is still substantial room for improvement in alignment between IT governance and corporate governance: only 62% rated it good or better.

Page 19: IT Governance Global Status Report 2008 (cont'd)

6. IT-related problems persist. While security/compliance is an issue, people are the most critical problem.
7. Good IT governance practices are known and applied, but not universally.
8. Action is being taken to implement IT governance activities, way up from 2006 (52% vs 36%).
9. Organizations use the well-known frameworks and solutions.
10. COBIT awareness has exceeded 50 percent, and adoption and use remain around 30 percent.
   a. 25-35% apply COBIT to the letter or are very strict.
   b. 51%: COBIT is 'one of the reference sources'.

Page 20: Not as easily implemented as thought

• Implementing IT governance is not as straightforward as perhaps once thought (NOTE: the same can be said regarding COBIT implementation).
• Good IT governance practices are not built overnight; they require time and continued commitment.
• Implementing COBIT is not a matter of taking it out of the box and implementing it as written.
• It is a process of selecting the most appropriate elements, tailoring them as needed and applying them to the specific needs of the organisation.

Page 21: Choosing a framework

COBIT: the most popular
• Basically, it's a set of guidelines and a supporting toolset for IT governance that is accepted worldwide.
• COBIT is well-suited to organizations focused on risk management and mitigation.
• COBIT is perceived to be a valuable framework for IT governance (89% report being satisfied).
• The latest version, released in May 2007, is COBIT 4.1.

Page 22: Choosing a framework

ITIL: The Information Technology Infrastructure Library
• Eight sets of management procedures:
– service delivery
– service support
– service management
– ICT infrastructure management
– software asset management
– business perspective
– security management
– application management
• ITIL is a good fit for organizations concerned about operations.

Page 23: Choosing a framework

COSO (Committee of Sponsoring Organizations): guidelines on many functions:
– human resource management
– risk
– external resources
– information technology
– enterprise operations
– legal affairs
– procurement
– marketing and sales
– inbound/outbound logistics
– financial functions
– reporting
• COSO is a more business-general framework than an IT-specific one.

Page 24: Choosing a framework

CMMI: The Capability Maturity Model Integration
• Created by Carnegie Mellon's Software Engineering Institute.
• Process improvement approach that contains 22 process areas.
• Divided into appraisal, evaluation and structure.
• Well-suited to organizations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.

Page 25: Choosing a framework

• More than 95% of the participants use one of the major IT Governance frameworks.
• A small number of them use their own (or consultant-defined) frameworks. The major frameworks used include:
– COBIT: accounts for 63% of the frameworks in use
– ITIL: used by 60% of the participants
– Other frameworks used to a lesser degree include CMMI, PRINCE2, COSO, and ISO 17799
• Consider a mix: COBIT as the overall framework; then use ITIL for operations, CMMI for development and ISO 17799 (since renumbered as ISO/IEC 27002) for security.

Page 26: How much Governance is enough?

• Investment dollars in IT.
• Degree of business dependency on technology.
• Management philosophy and policies (e.g. first mover versus follower).
• Complexity, size and duration of initiatives.
• Scope: enterprise-wide versus a subset of the enterprise; number of locations; domestic versus international.
• Degree of risk.
• Regulatory, control and documentation compliance.
• Level of security required.
• Degree of accountability required and desired.

Page 27: Getting Started - Assessment

• Assessment: use CMM
– 0 Nonexistent: management processes are not applied at all
– 1 Initial: processes are ad hoc and disorganized
– 2 Repeatable: processes follow a regular pattern
– 3 Defined: processes are documented and communicated
– 4 Managed: processes are monitored and measured
– 5 Optimized: best practices are followed and automated
• Identify areas of improvement

Page 28: Use of Multiple Frameworks

(Slide contains a figure only.)

Page 29: Getting Started - Decide Scope

• Engage senior business managers.
– Assign accountability, and not just to the CIO: senior managers must participate in the committees, the approval processes, and performance reviews.
• Key roles and responsibilities must be formally agreed upfront and communicated to the organization in the form of a RACI matrix (Responsible, Accountable, Consulted, Informed).
• Program/project scope, requirements and deliverables (as in a charter) should be approved upfront by the sponsor and monitored throughout the development or procurement, testing, training and implementation phases.

Page 30: Getting Started

• Communication and change management
• Focus, execute and enforce
• Define a benefit management system and set achievable targets/expectations
• Evolution, as opposed to revolution
• Don't over-engineer IT Governance

Page 31: Getting Started - Scoping

• Governance redesign should be infrequent. Our recommendation is that a change in governance is required only when the desired behavior changes.
• Clarify the exception-handling process.
• It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate.

Page 32: Getting Started

• IT governance should be owned by the board. It's not an IT management responsibility any more than financial governance is a finance function responsibility.
• Tailor to your organization
• Align incentives
• Governance needs to be owned where it can be carried out effectively, which will differ from organisation to organisation.
• Educate

Page 33: A possible schedule

(Slide contains a figure only.)

Page 34: Getting Started - Metrics

The execution of these plans and objectives must be monitored and measured by a combination of:

• Consistent program and project metrics, instituted based on time, cost, resources, quality, risk and customer satisfaction.
• Formal and informal status review meetings and reports (e.g. report cards, dashboards).
• Outcomes that link critical success factors to KPIs that are measurable, part of a standard reporting system and linked to a governance component.
• If one cannot measure it, it does not count.

Page 35: Getting Started - Metrics (cont'd)

Establish measurements
– Measure at all levels of the enterprise
– Each area will need its own metrics and performance thresholds, with rollups and drill-down to the items themselves
– Assets: broken down by "function" (software, hardware, interface, etc.)
– Projects: broken down by "type"
– Service Level Agreements: broken down by unique agreement

Page 36: Getting Started - Organization

The following arrangements are the most common:
– Centralized
  • decision making for IT technology choices
  • infrastructure
  • budgets
– Decentralized
  • application development
  • projects

Page 37: Clarify the exception-handling process

• The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
• The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
• Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.

Page 38: Smaller organization addendum

• The balance between creativity/agility/innovation and restrictive governance arrangements needs to be found in smaller organisations.
• Leverage corporate governance arrangements that were introduced mainly for regulatory reasons to introduce enhanced IT Governance practices, and hence improve IT performance.
• Knowledge and awareness of frameworks that could help to improve IT Governance arrangements, and how to use them in the most flexible manner, is needed.

Page 39: Obstacles in implementing IT Governance

• The three Cs (culture, resistance to change, communications).
• Internal politics: IT Governance often brings a shift in decision rights and associated power; resistance to acceptance of standards/policies.
• Resistance to accepting accountability: some organisations report strong resistance by the business to accepting accountability for IT-related investments as part of newly introduced IT Governance arrangements.
• Obtaining sufficient business involvement in governance initiatives.

Page 40: What Can You Do as an Auditor?

• Check for alignment, top to bottom
• Assess maturity
• Look for the metrics: are they meaningful and related to IT Governance concepts?
• Is participation adequate at all levels?
• Are the controls appropriate?
• Socialize the concepts

Page 41: More Information

Resources

www.itgi.org

www.isaca.org

Page 42: Questions?

Page 43: Contact

• Feel free to contact me with questions:

Bill McSpadden, CISA

Protiviti Inc

913-685-6200 or 913-661-7403

[email protected]