ISACA Edmonton Chapter – March 8, 2012
• The ‘Pitch’
• Setting the stage
  – Enterprise governance: Then and Now
  – The Auditor General is our friend
  – Progress in Alberta’s post-secondary sector
• Key concepts
• Implementation
• Discussion

Building Acceptance & Governance of Enterprise IT

All organizations, public and private, large or small, are facing a paradigm shift with respect to the governance and management of information and related technology.

Catch-22
• a situation in which a desired outcome or solution is impossible to attain because of a set of inherently illogical rules or conditions;
• circular logic that prevents resolution of a problem;
• an unsolvable logical dilemma

• IT is a critical enabler of most organizations & requires a special governance focus
• Effective governance & management of IT on an enterprise basis requires engagement of the Board of Directors & executive management
• Most Boards/executive teams remain largely unaware of their responsibilities re: enterprise IT, the inherent risks or potential rewards, or the existence of relevant standards and best practices

• IT investments are often not aligned with the organization’s strategic objectives
• IT-related risks are not appropriately managed
• The enterprise does not optimize the value of its investment in IT

• Talking to the wrong audiences
  – Auditors
  – Records managers
  – IT folks
  – Risk managers
• Pushing the ‘wrong’ message
• Normal resistance to new roles/expectations
• Implementation issues once we do get started

“Alberta Government needs to better identify and mitigate IT risks.
Government departments as a whole need to do a better job identifying risks to their systems and data. Then they need to implement well-designed, efficient, and effective IT controls to mitigate these risks and provide secure services and programs to Albertans.”
– Auditor General, April 2008

Building Acceptance & Governance of Enterprise IT

• Executives had no desktops
• No discussion at Executive table re: IM/IT
• No IT performance measures; little or no reporting
• No IM framework
• No enterprise IT steering committee
• Major gaps in IT functionality
• Ad hoc HR planning for IT
• No IT business cases
• No position description for CIO
• No IT strategic plan; MANY IT projects
• Acute dissatisfaction re: IT service levels
• No discussion re: IT-related risks
• IT projects with no ‘business’ owners
• No IT-service continuity plan
• No portfolio management
• Inadequate end-user training
• Rudimentary supplier management practices

• Million-dollar projects, which may or may not match the company’s objectives, are awarded to business units headed by the squeakiest executives
• Weak IT governance structures mean that business executives don’t have clear ideas of what they’re approving and why
• The CIO ends up selling projects that should be generated and sold by line-of-business heads
• The company doesn’t build good business cases for IT projects or it doesn’t do them at all
• There are redundant projects (1).
(1) Todd Datz, CIO Magazine, 2003

• Rising expectations for organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Regulatory requirements
• Significance of selection of service provider & management of outsourcing to organizational effectiveness
• Increasingly complex IM/IT risk
• Need for assessment against standards and peer organizations
• Growing maturity and acceptance of frameworks and standards

“Implementing good IT governance is almost impossible without engaging an effective governance framework.”
– ISACA 2009

• Helps organizations:
  – Better align their IT activities to their business needs
  – Ensure that management understands IT’s role and relevance in the organization
  – Fulfill their responsibilities for a sound internal control environment & demonstrate progress to regulators, business partners & external stakeholders
  – Ensure that Boards/management can meet their quality, fiduciary & security requirements
  – Clarify ownership, responsibilities and accountabilities for information and related technology

“We recommend that the Department of Advanced Education and Technology give guidance to public post-secondary institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective.”
– April 2008 Auditor General’s Report

• Collaboratively develop a system-wide control framework for managing information and related technology
• Common best practice controls that are modifiable, scalable and implementable
• A shared content management system to enable ongoing collaboration and effectively manage the control life cycle

[Diagram: IM/IT Control Framework – scope of coverage, on WHAT/HOW axes. Elements shown: COBIT, legislation, ISO, IM industry best practices, ITIL, TOGAF, PMBOK, BABOK. Source: ISACA & Alberta PSS ITM Control Framework Program]

The Institution manages its information and related technology assets and services through effective governance structures and processes that provide leadership, accountability and transparency and engage key stakeholders to support the achievement of positive outcomes and facilitate strategic oversight and decision making.

[Diagram: WHAT needs to be controlled (COBIT, legislation, ITIL, ISO) versus HOW it is controlled (project deliverables): structures, standards, procedures, guidelines, and examples from client or other organizations & best practices]

IT Governance & Management Controls (64):
• Foundation Pieces (17)
• Strategic Alignment (4)
• Risk Management (8)
• Financial Management (6)
• Service Management (26)
• Human Resources Management (3)

Building Acceptance & Governance of Enterprise IT

[Organization chart: ITM governance structure]
• Board of Governors, with Board Committees: Audit & Finance, HR, Risk Mgmt., ITM (1)
• Academic Council
• President and Executive Committee: Provost (VP Academic), VP Finance & Admin, VP University Services, VP Student Services, VP Research, Deans, CIO (2)(3)
• CIO (2)(3), shown both on the Executive Committee and under VP Finance & Admin, with a Chief Technology Officer
• ITM Steering Committee, supported by: Change Advisory Board (4), Technology Committee (4), Architecture Review Committee (4)
• Portfolio Oversight (4): Portfolio Mgmt. Cttees. for portfolios 1, 2, 3 … n
• Project Oversight (5)
(1) Institution may address responsibilities through a special purpose committee, through existing committees or in plenary
(2) Depending on institution, CIO may not sit as a member of the executive team, but must sit as a full member of the ITM Steering Committee
(3) CIO sits ex officio on Board ITM Committee and/or in Board discussions of ITM
(4) Depending on size/complexity of ITM activities
(5) Project governance and fit within ITM governance as per Business Case

Organization Role / Responsibility
Roles (in the order listed): Board; Executive Committee; IT Steering Committee; CIO; Business Managers
Responsibilities (in the order listed):
• Oversight regarding strategic alignment, risk management and value delivery of IT
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: IT controls
• Approval of IT Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes
• Overall development and implementation of the control environment
• Reporting on progress/results
• Input to development of the control environment
• Responsibility for operation of many controls

Have a fiduciary (1) responsibility to ensure the organization’s information resources and related technology are managed to support and enable the organization’s strategic plan
(1) Specifically, a legal or ethical relationship of confidence or trust regarding the management of money or property

• Making sure information and IT are on the Board agenda
• Asking the right questions about management’s activities
• Helping management align IT initiatives with the institution’s strategic direction
• Ensuring it understands the potential impact of information and IT-related risk
• Requiring that IT performance be measured and reported through a balanced scorecard or similar mechanism
• Requiring that the organization implement an ITM control framework
• Monitoring the contribution of ITM to the institution

• Work with Executive Committee to obtain a clear understanding of the institution’s strategic and business objectives
• Create a vision for information management and technology in the future and sell it
• Implement information systems architecture that supports the institution’s comprehensive business plan
• Establish credibility of the IT Management Department
  – Work with business units through the IT Steering Committee to establish standards and service levels
  – Ensure these are met or exceeded
• Increase the technical maturity of the organization

“One of the primary differences between today's CIOs and the previous generation of IT leaders is the idea of transformational change. Thirty years ago, nobody seriously believed that IT would be called upon to lead enormous transformational efforts affecting every aspect of a global enterprise. Today, in addition to making sure that IT runs smoothly, the CIO is expected to provide strategic leadership and high-level guidance. That is a big difference indeed.”
– The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras

• Organization needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
• Comprehensive procedure required for:
  – Identifying externally generated requirements in a timely manner
  – Identifying internally generated requirements
  – Escalating and resolving issues identified through implementation/operation of the IT Control Framework
• Framework needs to be regularly reviewed
  – Internal audit
  – Periodic 3rd party reviews
• Provide for approved and documented exceptions to compliance with controls

Strategic Alignment (4)
• Strategic IT Plan is an integral element of the organization’s strategic plan…not an afterthought!
  – Clearly articulated organization mission, vision and priorities
  – Planning is considered important and closely linked to organization budget
  – Strategic IT plan is published
  – Formal communication strategy specific to IT stakeholders developed
  – Performance is measured using an IT Balanced Scorecard
• IT investments should be managed across the organization in portfolios

• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of IT-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
  – Board members and senior executives who need to set direction & monitor risk at the enterprise level
  – Managers of IT and business departments who define risk management processes
  – Risk management professionals
  – External stakeholders

• IT risk management always connects to business objectives; focus is on the business outcome
• IT risk governance aligns the management of IT-related risk with overall ERM
• IT governance should balance the costs and benefits of managing IT risk
• There should be open communication regarding IT risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• IT risk management is continuously improved

• Institution must establish a financial management framework for information and related technology
  – Approved by the IT Steering Committee
  – CIO responsible for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
  – Should be formally evaluated based on schedule determined by IT Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology

“Service management is a set of specialized organizational capabilities for providing value to customers in the form of services (1). These capabilities take the form of functions and processes for managing services over their lifecycle.”
(1) ITIL, Office of Government Commerce, 2007

[Diagram: ITIL service lifecycle]
• Service Strategy: envisioning & conceptualizing the set of services required to achieve business objectives
• Service Design: designing the services to meet utility & warranty objectives
• Service Transition: moving services into live production
• Service Operation: managing services to ensure utility & warranty objectives are achieved
• Continual Service Improvement: evaluating services & identifying ways to improve their utility & warranty in support of business objectives

• Processes for the management of IT human resources are an essential part of an IT Control Framework
• CIO (not HR) is responsible for ensuring the institution has an IT workforce with the skills necessary to achieve organizational and IT goals
• Main tasks:
  – Define, monitor and supervise execution of IT roles & responsibilities
  – Provide appropriate and sufficient training (technical, internal control and security)
  – Minimize dependency on key staff
  – Ensure compliance with organizational policies
  – Report to the IT Steering Committee on key issues

Building Acceptance & Governance of Enterprise IT

[Diagram: implementation cycle] Create Awareness → Assess Current State → Define Desired Future State → Develop Plan → Execute Plan → Measure Results → Sustain Momentum
Use of maturity models

Phase / Challenge
• Create awareness
  – Lack of senior management buy-in
  – Lack of enterprise policy & decision making structures
• Assess current state
  – Cost of improvements outweighs perceived benefits
  – Lack of trust/good relationships between IT & business units
• Define future state
  – Scarcity of good ‘role models’
• Develop plan / Execute plan
  – Resistance to change
  – Defining the ‘critical path’
  – Failure to consider corporate culture & capacity
  – Trying to do too much at once
  – Lack of appropriate skills
  – Underestimating the level of effort required
• Measure results
  – Starting out with too many performance measures
  – Too much complexity, precision
  – Lack of balance between ‘performance driver’ & ‘outcome’ measures
• Sustain momentum
  – IT governance ‘fatigue’
  – Difficulty in proving benefits

1. Identify a champion
2. Shared understanding and vision
   – Not implementing COBIT, but improvements to how it governs & manages the IT contribution to the enterprise
   – Tailor to fit the organization
3. Use the COBIT umbrella but incorporate other standards as required
4. Ensure IT governance is integrated with enterprise governance
5. Stay focused
   – It’s a journey, not a destination
   – Recognize and celebrate progress