CANHEIT Overview Presentation - June 2012
Clark Ferguson, CIO, University of Lethbridge

• Program Overview
• Implementation Overview
• Section 1 – Foundation Elements
• Section 2 – Strategic Alignment
• Section 3 – Risk Management
• Section 4 – Value Delivery: IT Financial Management
• Section 5 – Value Delivery: IT Human Resources Management
• Section 6 – Value Delivery: IT Service Management
• Wrap Up

Governance & Management Controls Overview Session

Alberta … Post secondary sector … Information & Technology Management … Control Framework Program

• Provincial Office of the Auditor General increasing attention to governance & management controls across public sector
• Alberta Advanced Education & Technology (AET) initiated program and enlisted support of post secondary leaders
• Recognition that all post secondary institutions would need to comply
• Quality of institutional systems would vary based on size of institution and capacity to allocate scarce resources
• Province-wide program with contributions by AET & institutions
• Leveraged program management and specialized consultants to harvest industry and institutional best practices

• 26 post secondary institutions (all but 1 or 2) engaged
• 2 years of projects have been successfully completed, with 1 project rescheduled due to quality problems
• Significant involvement of business leaders and IT experts in projects
• Team approach, high quality project deliverables, and strong communications & training have led to rapid adoption

• Dedicated program management and expert project consultants freed participating institutions to focus on contribution
• Governance and approval of project and program materials was tricky, but with minor rework a successful process was achieved
• Procurement process to contract project experts and careful oversight of their work is extremely important
• Joint approach has yielded very high quality deliverables and commitment amongst institutions to share best practices

• Rising expectations regarding organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Need to meet regulatory requirements
• Significance of selection of service provider & management of outsourcing
• Increasingly complex risk associated with information management & related technology
• Need to optimize costs by following standards and best practices
• Growing maturity and acceptance of frameworks and standards
• Need for assessment against standards and peer organizations

1. Proper Governance
2. Strategic Alignment
3. Value Realization
4. Risk Management
5. Resource Optimization

Collaboratively develop a system-wide control framework for managing information and related technology that will assist with the implementation of strategic priorities, policies and principles through:
◦ Common best practice controls that are modifiable, scalable and implementable
◦ A shared content management system that will foster ongoing collaboration and effectively manage the control life cycle

[Figure: ITM Control Framework scope of coverage, drawing on COBIT, legislation, PMBOK, ITIL and ISO 2700x (the WHAT and the HOW)]

Year 1 (2010)
◦ Control Framework & Policies Project (June 2010)
◦ Change Management Project (October 2010)
◦ Privacy Project (November 2010)
Year 2 (2011)
◦ Governance Project (April 2011)
◦ Information & Technical Management (December 2011)
◦ Identity Management & Information Security (December 2011)
◦ Enterprise Architecture (Resched. to Yr 3)
Year 3 (2012)
◦ Content Mgmt. System Project (April 2012)
◦ Information Management (February 2013)
◦ Technology Management (February 2013)
◦ Enterprise Architecture (February 2013)
Year 4 (2013)
◦ Information Management ... Continued (August 2013)
◦ Wrap-up Project (December 2013)
(Legend: Complete / In progress)

Post-Secondary System ITM Control Framework

Volunteers from the Institutions
• Program designed to provide opportunity to volunteer:
◦ Working Group = 6-12 hours/month
◦ Key Stakeholders = 2-4 hours/month
◦ Project Steering Committee = 2 hours/month
• Composition impacts legitimacy of deliverables
• Committed participants who see the bigger picture

• PSS expert body of knowledge
• Relationships
• Synergy
• Sharing and capture of knowledge
• Bleeding edge
• Ongoing support
• Common foundation for future opportunities

• Look at the framework as a whole
• Determine what pieces you need and how ‘deep’ you want to go in each area
• Know your capabilities, capacity, current maturity, resource availability
• Be realistic in your planning
• Assign dedicated people to manage, communicate, train and assist with organizational change
• Don’t underestimate the commitment that's required
• Don’t forget to collaborate
• Keep your eye on the end game

Program: Two business and three IT participants in the program work
Section 1 – Foundation Elements: ITM Control Framework leader assigned; ITM policy approved by the Board in May 2012
Section 2 – Strategic Alignment: Developing Fiscal 2014 budget in conjunction with University strategic alignment
Section 3 – Risk Management: Initiated PCI improvement program; planning external review of IT Security
Section 4 – Financial Management: Strengthening portfolio management; developing a consolidated view of full IT spend
Section 5 – HR Management: Conducting key skills review and gap analysis
Section 6 – IT Services Management: Documenting service portfolio; establishing business relationship management processes

ITM Governance & Management Controls (64)
◦ Foundation Pieces (17)
◦ Strategic Alignment (4)
◦ Risk Management (8)
◦ Financial Management (6)
◦ Human Resources Management (3)
◦ Service Management (26)

• Cobit 4.1
◦ Risk IT
◦ Val IT
• ITIL
◦ Service Strategy
◦ Service Design
◦ Continual Service Improvement
• ISO/IEC 20000, ISO 31000
• Web research
• Controls derived through ~3,000 hours of synthesis, discussion and adaptation to the post-secondary environment

Implementation cycle:
1. Identify Drivers
2. Assess Current State (use of maturity models, next slide)
3. Define Desired Future State
4. Develop Plan
5. Execute Plan
6. Measure Results
7. Sustain Momentum

Maturity levels:
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized
Program Objective: To increase the maturity level of all participating Institutions to a COBIT Maturity Level 3 by June 2014 in the areas where the controls have been implemented within the Institution.

Foundation Pieces (17)
• An ITM control framework is a critical part of every institution’s internal control program to mitigate risks and ensure:
◦ Management understands ITM’s role and relevance in the organization
◦ Alignment of investment with the institution mandate and strategic direction
◦ Value delivery
◦ Compliance with external requirements
◦ Continuous improvement re: ITM processes
• It is the responsibility of the Board of Governors & executive management to communicate ITM investment objectives and expectations re: control environment and to provide training
• Planning and adequate resourcing are essential

Foundation Pieces (17)
• The strategic question: Are we doing the right things?
• The architecture question: Are we doing them the right way?
• The delivery question: Are we getting them done well?
• The value question: Are we getting the benefits?

Foundation Pieces (17)
Organization / Role and Responsibility
Board of Governors
• Oversight regarding strategic alignment, risk management and value delivery of ITM
Executive Committee
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: ITM controls
ITM Steering Committee
• Approval of ITM Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes
CIO
• Overall development and implementation of the control environment
• Reporting on progress/results
Business Managers
• Input to development of the control environment
• Responsibility for operation of many controls

Foundation Pieces (17)
• Institution needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
• Comprehensive procedure required for:
◦ Identifying externally generated requirements in a timely manner
◦ Identifying internally generated requirements
◦ Escalating and resolving issues identified through implementation/operation of the ITM Control Framework
• Framework needs to be regularly reviewed
◦ Internal audit
◦ Periodic 3rd party reviews
• Provide for approved and documented exceptions to compliance with controls

Strategic Alignment (4)
• Strategic ITM Plan is an integral element of the comprehensive institution plan … not an afterthought!
• Performance is measured using an ITM Balanced Scorecard
• ITM investments should be managed across the institution in portfolios
• Outcomes
◦ Alignment of business, ITM and risk management objectives
◦ Organization, services, application portfolios, technologies, competencies, processes & methodologies are in place to maximize ITM contribution
◦ Bi-directional education & involvement in ITM and business planning
◦ Regular assessment re: ITM contribution to business objectives
◦ Roadmap for addressing future needs

Strategic Alignment (4)
• Clearly articulated institutional vision and priorities
• Planning is considered important and closely linked to institutional budget
• ITM plan is published
◦ Formal communication strategy specific to ITM stakeholders developed with communication strategy for comprehensive institution plan
• ITM governance practices are seen to be effective
◦ Close relationships between ITM and non-ITM organizations and staff
◦ Informal and formal
◦ Communication with and involvement of key constituents, especially faculty and deans

Strategic Alignment (4)
Comprehensive Institution Plan: Strategic Priorities; Goals & Expected Outcomes; Performance Measures; Institutional Access Plan; Financial Plan; Institutional Research Plan; ITM Plan; Capital Plan
ITM planning steps:
1. Plan to Plan (Purpose, Process, Scope)
2. Assess Current ITM capability & performance
3. Conduct Gap Analysis
4. Describe Desired ITM Future
5. Articulate Goals, Objectives, Strategies & Measures
6. Develop Business Cases for Individual Initiatives
7. Categorize by Portfolio and Prioritize
8. Adjust Plan as Required

Strategic Alignment (4)
[Figure: Comprehensive Institution Plan drives Business Goals for IT; Business Requirements require IT Goals, which deliver Information Services and imply Governance Requirements; Enterprise Architecture influences IT Processes, which run Applications, Information, Infrastructure & People; Information Criteria* and the Balanced Scorecard measure the result]
* effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

Risk Mgmt. (8)
• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of ITM-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
◦ Board members and senior executives who need to set direction & monitor risk at the enterprise level
◦ Managers of ITM and business departments who define risk management processes
◦ Risk management professionals
◦ External stakeholders

Risk Mgmt. (8)
• ITM benefit risk
◦ Missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives
• IT program and project delivery risk
◦ Failure to realize the expected contribution of ITM to new or improved business solutions
• IT operations and service delivery risk
◦ Where performance of IT systems and services does not meet service level expectations

Risk Mgmt. (8)
• ITM risk management always connects to business objectives
◦ Focus is on the business outcome
• ITM risk governance aligns the management of ITM-related risk with overall ERM
• ITM governance should balance the costs and benefits of managing ITM risk
• There should be open communication regarding ITM risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• ITM risk management is continuously improved

Risk Mgmt. (8)
Risk Governance: Ensure ITM risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
◦ Integrate with ERM
◦ Establish & Maintain a Common Risk View
◦ Make Risk-Aware Business Decisions
Risk Evaluation: Ensure ITM-related risks and opportunities are identified, analyzed and presented in business terms
◦ Collect Data
◦ Analyze Risk
◦ Maintain Risk Profile
Risk Response: Ensure ITM-related risk issues, opportunities and events are addressed in a cost-effective manner, in line with business priorities
◦ Articulate Risk
◦ Manage Risk
◦ React to Events
(Business Objectives and Communication sit at the centre of the three domains)

Risk Mgmt. (8)
• Risk appetite
◦ Amount of risk the institution is willing to accept in pursuit of its mission: “What level of risk are we comfortable living with?”
◦ Provides context for analysis and response to individual risks by management
◦ Defined/approved by the Board of Governors in terms of frequency and impact
• No absolute norm or standard of what constitutes acceptable risk
◦ Should be clearly communicated to stakeholders and staff through policies and standards
• Consider objective capacity to absorb loss & management culture

Risk Mgmt. (8)
ITM Risk Management Scoping Based on Risk Assessment Results
Very High
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Quarterly detailed reporting on risk profile
• ...
High
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Semi-annual detailed reporting on risk profile
• ...
Medium
• Detailed scenario development for analysis
• Self-assessment and review
• Yearly update and quarterly summary reporting
• ...
Low
• Self-assessment and review
• Generic scenarios
• Less frequent reporting
• ...

Financial Management (6)
• Institution must establish a financial management framework for information and related technology
◦ Approved by the ITM Steering Committee
◦ CIO accountable to the ITM Steering Committee for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
◦ Should be formally evaluated based on schedule determined by ITM Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
• 3 main elements:
◦ ITM budget management, portfolio mgmt. and cost/benefit management

Financial Management (6)
Inputs: Comprehensive Institution Plan; Enterprise Architecture; Information Security Plan; Strategic ITM Plan; ITM Tactical Plans
Financial Management Framework
Outputs: Budget; Actual Expenditures vs. Budget Reports; Updated portfolios; Accountability & Transparency re: Value Contribution & TCO through Cost/Benefit Reports

Financial Management (6)
ITM Governance
◦ Financial Management Framework
◦ ITM Budget Management
◦ Portfolio Management: Application Assets + Infrastructure Assets + Information Assets + People Assets + Process Assets + Service Assets; Investment Prioritization within Portfolios; Business Case Development & Use
◦ Cost/Benefit Management

Financial Management (6)
Budget Management
1. Define strategic business objectives and determine high-level budget envelopes
2. Develop ITM budget
3. Monitor and report on actual results
4. Develop ITM budget recommendations

Financial Management (6)
Portfolio Management
1. Define portfolios and sub-categories
2. Determine the investment ‘weight’ of each portfolio or sub-category
3. Develop and use ITM business cases for ITM investment
4. Prioritize investments within portfolios
5. Identify HR needs across portfolios
6. Review and report on project, program and portfolio performance

Human Resources Management (3)
• Processes for the management of IT human resources are an essential part of an ITM Control Framework
• CIO (not HR) is responsible for ensuring the institution has an ITM workforce with the skills necessary to achieve organizational and ITM goals
• Main tasks:
◦ Define, monitor and supervise execution of ITM roles & responsibilities
◦ Provide appropriate and sufficient training (technical, internal control and security)
◦ Minimize dependency on key staff
◦ Ensure compliance with organizational policies
◦ Report to the ITM Steering Committee on key issues

Human Resources Management (3)
• Labour costs 30% - 60% of the ITM budget
• Quality of ITM personnel has enormous impact on effectiveness of the service provider organization, end-user satisfaction, optimizing value and proactive use of technology
• Market for highly proficient IT resources is competitive and will get more so – hiring and retaining the best resources will continue to be a critical success factor for the CIO
• Unique aspects to management of IT professionals (pool characteristics, diverse career expectations, training requirements) exacerbate the need for involvement of ITM managers
• Turnover costs are enormous (e.g., 1 – 2 times annual salary)

Human Resources Management (3)
Inputs: Integrated Governance Structure; ITM Organization Chart; ITM Strategic & Tactical Plans; ITM Budget; Business Requirements
IT Human Resource Management
Outputs: IT skills matrix; Job descriptions; IT HR policy and procedures; Staff skills and competencies, including individual training logs; Training plans

Human Resources Management (3)
Start: Determine Personnel Needs
• Develop organization chart
• Perform swap analysis & identify personnel gaps
• Determine staffing strategy – contract, permanent, contract-to-hire
• Create final hiring plan
Sourcing
• Permanent & contract candidate sourcing
• Additional screening for permanent hires
• Recruiting funnel
• Working with agencies & technical recruiters
Interviewing
• Interviewing techniques
• Interview team
• Best practices for conducting interviews
• High-volume interviewing
• Interviewing contractors
Hiring
• Finalizing an offer decision
• Checking references
• Ramping up new hires quickly
Managing
• 10% attrition model
• IT staff career development
• Key drivers of staff retention
• Compensation
• Handling layoffs
• Management coaching
• Creating performance plans

Service Management (26)
“The idea of strategic assets is important in the context of good practice in service management. It encourages IT organizations to think of investments in service management in the same way businesses think of investing in production systems, distribution networks and R&D laboratories. Strategic assets provide the basis for core competence, distinctive performance, durable advantage and qualifications to participate in business opportunities. IT organizations can transform their service management capabilities into strategic assets.”
- ITIL Service Strategy, OGC, 2011

Service Strategy: Envisioning & conceptualizing the set of services required to achieve business objectives
Service Design: Designing the services to meet utility & warranty objectives
Service Transition: Moving services into live production
Service Operation: Managing services to ensure utility & warranty objectives are achieved
Continual Service Improvement: Evaluating services & identifying ways to improve their utility & warranty in support of business objectives

Service Strategy
• Strategy Management
• Service Portfolio Management
• Financial Mgmt. for IT Services
• Service Demand Management
• Business Relationship Mgmt.
Service Design
• Service Level Management: Identify Business Requirements & Drivers; Define Services & Develop Service Catalogue; Develop SLA Framework, SLAs & OLAs; Educate & Train Users; Monitor Service Performance & Produce Service Reports; Review Service, Instigate Improvements & Update SLAs/OLAs
• Supplier Management: Develop & Align Procurement Controls & Select Suppliers; Develop/Manage Contracts & Relationships & Protect Enterprise Interests; Monitor Supplier Performance
• Service Continuity: Develop Service Continuity Framework; Develop & Maintain Continuity Plans; Test Continuity Plans; Provide Training on ITM Continuity Plans; Review Plan Effectiveness

Service Management (26)
ITSM Framework Element / Description
IT Service Strategy
• Defining a strategy to deliver services to meet the institution’s business outcomes
IT Service Design
• Procedures for determining, documenting and agreeing upon requirements for new services and documenting in a service catalogue
Service Level Mgmt.
• Defining SLAs based on customer requirements and IT capabilities, service metrics, roles & responsibilities
Supplier Mgmt.
• Aligning procurement controls with those of the institution, identification & categorization of supplier relationships, developing and managing contracts, protecting IP & monitoring performance
Service Continuity
• Developing a service continuity framework consistent with institution business continuity

Questions?