IT Governance

Uploaded by El Bucho
© All Rights Reserved

IT Governance

«Some thoughts on how IT risk, control, audit and assurance is evolving beyond COBIT toward the broader concept of IT governance; why IT governance should be on the board agenda wherever IT is strategic to the business; how it fits in the broader concepts of enterprise governance and how management and boards can address it.»

• IT is an integral part of the business
• IT governance is an integral part of corporate governance

What IT problem?
- Are they doing the right things?
- Are they doing them the right way?
- Are they being done well?
- Are we getting benefits?

What does the board do?
IT governance is the responsibility of the board of directors and consists of the leadership, organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

How does management react?
- Cascading strategy and goals
- Organisational alignment
- A control framework
- Balanced business scorecard
IT Governance

• Stakeholders
• Governance Framework
• IT Alignment & Value Delivery
• Performance Measurement
• Risk Management
• Security
• Conclusions
Stakeholders Apply Pressure

Shareholders and Executive: Lower cost, higher profitability and increased market share
Customers and Staff: More functionality at lower cost and greater ease of use
Society: Greater accountability for executives in private and public sector

What Are Customers Saying?

E-biz Facts
• Guarantee of delivery
• Customer loyalty
• Ease of use
• Customer service
• Security
What Signals Are Regulators Giving?

Federal Reserve
• Focus on operational risk within which security and IT are very significant
• All major risk issues have been caused by breakdowns in
  - Internal control
  - Oversight
  - Information technology

What Signals Are Regulators Giving?

President Clinton’s Commission on Critical Infrastructure Protection
• Concern for extreme dependence of industry on IT
• Two recommendations
  - Awareness of senior company officers
  - Need to address three technical improvements
    - Authenticate
    - Segregate
    - Make accountable
What Do Standards Say?

• Cadbury: “…strengthen internal control…boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
• Turnbull: “…board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control…broader corporate governance role for audit committees...monitor and report on risks...”
• BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

Stewardship is extending to IT as boards question the depth of their enterprise’s reliance on IT.
What Is Management Thinking?

[Diagram: management concerns labelled “Uncertainty, complexity & growth” and “Personal & visual contact”]

“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997
“Technology can help fulfil a visionary dream, but often its use is closer to a
sobering nightmare!”
Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998
“I am writing a book on the history of information technology…in order to better
understand why it is such a mess!”
Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001
Why Get Into Governance?

• “Due diligence”
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks
Why Get Into Governance?

“Due diligence”
• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and customer information
• Service levels

Enterprises should be equally inquisitive about themselves.

IT Is Critical to Most Businesses
This criticality arises from:
· The increasing dependence on information and the systems and
communications that deliver it
· The dependence on entities beyond the direct control of the
enterprise
· IT failures increasingly impacting reputation and enterprise value
· The potential for technologies to dramatically change
organisations and business practices, create new opportunities
and reduce costs
· The risks of doing business in an interconnected world
· The need to build and maintain knowledge essential to sustain
and grow the business
IT Is Strategic to Most Businesses
If so, wouldn’t you want to know whether your
organisation’s information technology is:
· Likely to achieve its objectives?
· Resilient enough to learn and adapt?
· Judiciously managing the risks it faces?
· Appropriately recognising opportunities and acting on
them?
Managing Information Technology

Expectations
• Harness and exploit IT to deliver business value
• Provide fast development, with appropriate quality and with security
• Ascertain that IT investments have a quantitative return and IT does more with less
• Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office

Reality
• Business losses, reputational damage or a weakened competitive position
• Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
• The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
• Technology that is inadequate for the enterprise or obsolete too soon
• Poor support for the business
• Deadlines that are not met
• Costs that are higher than expected and quality and efficiency lower than anticipated
Why Has IT Not Gotten the Attention It Merits?
• IT requires more technical insight than do other disciplines to understand how IT
  - Enables the enterprise
  - Creates risks
  - Gives rise to opportunities
• IT has traditionally been treated as an entity separate to the business
• IT is complex, and even more so in the extended enterprise operating in a networked economy
IT Involves Huge Investments and
Large Risks
· October 1992: A new command and control
system developed by the London ambulance
service failed on the first day of operation.
· August 1997: UK investment managers, Save &
Prosper, abandoned a major new IT system, having
spent 2 million pounds on its design and
implementation.
· 1997: Barings Bank collapsed as a result of
unauthorized trading, in part enabled by the willful
manipulation of management information.
· October 1998: UK Internet bank Egg launched a
new online-only credit card, only to find its technical
infrastructure was unable to cope with the demand.
What Should Boards Do About It?
• Be driven by stakeholder value
• Adopt an IT governance framework
• Ask the right questions
• Focus on IT’s
  - Alignment with the business
  - Value delivery
  - Risk management
• Measure results

[Diagram: Stakeholder Value Drivers at the centre, linked to IT Strategic Alignment, IT Value Delivery, IT Risk Management and Performance Measurement]
What Should Management Do About It?
· Align IT strategy with business goals
· Cascade strategy and goals down into the organisation
· Set up organisational structures that facilitate strategy
implementation
· Adopt a control and governance framework
· Provide IT infrastructures that facilitate creation and sharing of
business information
· Embed responsibilities for risk management in the organisation
· Focus on important IT processes and core IT competencies
· Measure performance (balanced business scorecard)
COBIT: An IT Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high level control objective for each:
  - Planning
  - Acquiring & Implementing
  - Delivery & Support
  - Monitoring
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT:
  - Effectiveness
  - Efficiency
  - Availability
  - Integrity
  - Confidentiality
  - Reliability
  - Compliance
• Is supported by a set of over 300 detailed control objectives
COBIT: An IT Control Framework
Recent COBIT developments added a management and governance layer, providing management with a toolbox containing:
• Performance measurement elements (outcome measures and performance drivers for all IT processes)
• A list of critical success factors that provides succinct non-technical best practices for each IT process
• A maturity model to assist in benchmarking and decision-making for control over IT
IT Governance Defined (1)
Several definitions with common elements:
• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future
• Is an integral part of a global governance structure

IT Governance Defined (2)
IT governance, like other governance subjects, is
the responsibility of executives and shareholders
(represented by the board of directors). It consists
of the leadership and organisational structures and
processes that ensure that the organisation’s IT
sustains and extends the organisation’s strategies
and objectives.
IT Governance Framework

[Diagram: a control loop: Set measurable goals → Deliver against the goals → Measure performance → Compare results → Act if not aligned, feeding back into the goals]

IT Governance Framework

[Diagram: Provide Direction → Set Objectives → IT Activities → Measure Performance → Compare, feeding back into Provide Direction]

Set Objectives
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately

IT Activities
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
IT Governance Activities & Subjects

IT Governance Activities                                    Board and/or Management   Activity Type
Become informed of role and impact of IT on the enterprise  B/M                       Plan
Set direction and expected return                           B                         Direct
Determine required capabilities and investments             M                         Plan
Assign responsibilities                                     B/M                       Direct
Sustain current operations                                  M                         Organise
Make transformation happen                                  B/M                       Direct
Define constraints within which to operate                  B                         Direct
Acquire and mobilise resources                              M                         Organise
Measure performance                                         B                         Control
Manage risk                                                 B/M                       Control
Obtain assurance                                            B                         Control
IT Governance Activities & Subjects
IT Governance Subjects
• The objectives of information technology, and how it:
  - Improves cost-efficiencies
  - Creates revenue enhancement
  - Supports the building of new capabilities
  - Enables core business processes
  - Enables new business models
• The opportunities and risks of new technology:
  - Internet and intranet
  - E-commerce
  - Mobile computing
  - Workflow technology
  - Knowledge systems, etc.
• The key processes and core competencies:
  - The return on investment of IT projects and initiatives, and how they deliver against expectations
  - Performance of IT services against service level agreements
  - IT risks, asset protection and information security
  - IT acquisition and outsourcing strategies
  - Important IT processes such as change, application and problem management
  - Core IT competencies: planning, support, operations, project management, knowledge management
  - Ethical behavior, data privacy and fraud prevention
IT Governance

• Drivers
• Stakeholders
• Governance Framework
• IT Alignment & Value Delivery
• Risk Management
• Performance Measurement
• Security
• Conclusions
IT Alignment
The Board should drive business alignment by:
• Ascertaining that the IT strategy is aligned with the business strategy
• Ascertaining that IT delivers against the strategy through clear expectations and measurement
• Directing IT strategy to balance investments between supporting and growing the enterprise
• Making considered decisions about where IT resources should be focused

[Diagram: Business Strategy and Business Operations on one side, IT Strategy and IT Operations on the other, linked through Alignment Activities]

“IT alignment is a journey, not a destination.”

IT Value Delivery
The board should drive alignment to ensure that IT delivers value:
• With the business strategy focusing on competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability
• Supported by an IT strategy that delivers on time, within budget and with the benefits that were promised

Sample Measures and Business Value Delivered (axes: Time for Business Impact; Degree of influence)
• Business Unit Financial (Business Management): revenue growth; return on assets; revenue per employee
• Business Unit Operational: time to bring a new product to market; sales from new product; product or service quality
• Business Unit IT Applications: implementation time, new application; implementation cost, new application
• Firm-wide IT Infrastructure (IT Management): infrastructure availability; cost per transaction; cost per workstation

“IT value is in the eye of the beholder.”

IT Risk Management
The board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the organisation
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that risk mitigation can generate cost-efficiencies
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise

“It is the IT alligators you do not see that will get you!”

IT Risk Management

Risk Management Expands….
• Risk Allocation - contracts, SLAs, etc.
• Risk Mitigation - security & control practices
• Risk Transfer - insurance & liability
• Risk Assurance - audit & certification
• Risk Acceptance - formal, transparent
IT Balanced Scorecard

IT Goals and Measures
[Diagram: four perspectives, each with Goals and Measures, arranged around Information: Financial, Customer, Process, Learning]

“If you are playing the enterprise game and not keeping IT’s score, you are only practising.”

IT Balanced Scorecard
Example IT Measures

Financial
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee

Customer
• Level of service delivery up
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels

Process
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors and rework

Learning
• Staff productivity & morale
• # of staff trained in new techno/services
• Value delivery per employee up
• Increased availability knowledge systems

An IT scorecard is one of the most effective means to achieve IT and business alignment

Scorecard Objectives
• Demonstrate the value added by the IT organisation
• Establish a balanced set of measures for determining the effectiveness of the IT organisation
• Set guidelines for creating the IT strategic plan and linking it into operational plans
• Communicate and motivate IT performance in key areas as required by the business and its stakeholders
• Establish a framework for IT management reporting

Approval of an IT scorecard by key stakeholders should be considered an IT governance best practice.

From Ron Saull, CIO InvestorsGroup, Ca


IT Governance

• Drivers
• Stakeholders
• Governance Framework
• IT Alignment & Value Delivery
• Risk Management
• Performance Measurement
• Security
• Conclusions
Information Security
Some Practices for the Board Room

• Know what questions to ask
• Know what is needed
• Raise the awareness at the top
• Have clarity of purpose
• Measure your performance
• Keep on doing it
Information Security
Some Questions for the Board Room
• Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
• Does anyone know how many computers the company owns? Would management know if some went missing?
• Does anyone know how many people are using the organisation’s systems? Does anybody care whether they are allowed or not, or what they are doing?
• Did the company suffer from the latest virus attack? How many did it have last year?
• What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
• Is management concerned that company confidential information can be leaked?
• Has the organisation ever had its network security checked by a third party?
• Is IT security a regular agenda item on IT management meetings?
IT Security Requirements

Business Drivers
• Shorter business cycles
• Need to involve/connect/tie in with more partners
• Network centric business models
• Leverage VPN, remote access, collaborative tools

Technology Drivers
Manage Risk
• Internet - UNIX - TCP/IP
• More hackers, more tools
• Increased dependency on IT
Leverage Opportunities
• E-cash, e-commerce, e-tc.
• Open, modular, scalable
• Security a commodity

Requirements
• Managing networked c/s systems
• “Provenance” control
• Non-sharable info
• Profiling users
• Trust….
IT Security Awareness

How to sell to top management
• Different styles depending on function
• FUD
• Cost reduction
• Responsibility
• Differentiator
• Cost of security
• Strategic approach - benchmark - gap analysis - choices
Security Benchmarking

[Chart: Cost of IT, showing the cost of security against the cost of noncompliance, plotted against cost of security and control vs. IT Budget (5 - 10%, 20 - 25%, 45 - 50%, 55%); operating levels labelled “Cowboy” operation, Baseline operation, Good Practice, Industry reference site and Leadership; the gap between levels is marked “= driver for change”]

IT Security Benchmarking

[Radar chart: six practice areas rated 0 - 5, grouped under Tools & Technology and Performance: 1. Policies & procedures; 2. Security management process; 3. Human behaviour & culture; 4. Application security; 5. System access control; 6. Network segregation]

Legend for symbols used
• Average of best security performers in the financial industry (begin ‘96)
• Company status — Feb ‘97
• Company objective for 2001

Legend for ranking used
5 - Excellent: Best possible, highly integrated
4 - Very good: Advanced level of practice
3 - Good: Moderately good level of practice
2 - Fair: Some effort made to address issues
1 - Poor: Recognise the issues
0 - Very poor: Complete lack of good practice

[Bar chart: progress from 1996 to 2001 on a 0 - 100 scale; individual values not recoverable]
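The awareness slide's "benchmark - gap analysis - choices" step can be made concrete with the rating model this slide defines. The following Python script is an added example, not part of the original deck: it takes the six practice areas and the 0 - 5 ranking legend from the slide, validates that every rating is on the scale, computes each area's gap to the company objective and to the peer benchmark, and orders the areas for the "choices" step. The current, target and benchmark scores in it are constructed sample values, not the company figures the slide plotted.

```python
"""Security-practice gap analysis on a 0-5 maturity scale.

Added example, not code from the original slide deck. The six practice areas
and the 0-5 ranking legend are the ones the benchmarking slide lists; the
current/target/benchmark scores below are constructed sample values, not the
company figures the slide plotted.
"""
from dataclasses import dataclass

# Ranking legend as given on the slide
RANKING = {
    0: "Very poor: Complete lack of good practice",
    1: "Poor: Recognise the issues",
    2: "Fair: Some effort made to address issues",
    3: "Good: Moderately good level of practice",
    4: "Very good: Advanced level of practice",
    5: "Excellent: Best possible, highly integrated",
}

# The six practice areas from the slide, in the slide's numbering order
AREAS = [
    "Policies & procedures",
    "Security management",
    "Human behaviour & culture",
    "Application security",
    "System access control",
    "Network segregation",
]

# Constructed sample ratings (assumption: not the slide's data)
SAMPLE_CURRENT = {    # company status at assessment time
    "Policies & procedures": 1, "Security management": 1,
    "Human behaviour & culture": 2, "Application security": 2,
    "System access control": 3, "Network segregation": 2,
}
SAMPLE_TARGET = {     # company objective
    "Policies & procedures": 4, "Security management": 4,
    "Human behaviour & culture": 3, "Application security": 4,
    "System access control": 4, "Network segregation": 5,
}
SAMPLE_BENCHMARK = {  # average of best performers in the peer group
    "Policies & procedures": 3, "Security management": 3,
    "Human behaviour & culture": 3, "Application security": 3,
    "System access control": 4, "Network segregation": 4,
}


@dataclass(frozen=True)
class AreaGap:
    area: str
    current: int
    target: int
    benchmark: int

    @property
    def gap_to_target(self) -> int:
        return self.target - self.current

    @property
    def gap_to_benchmark(self) -> int:
        return self.benchmark - self.current


def invalid_ratings(ratings: dict) -> list:
    """Return (area, value) pairs that are missing or not an integer 0-5."""
    bad = []
    for area in AREAS:
        value = ratings.get(area)
        if not isinstance(value, int) or isinstance(value, bool) or value not in RANKING:
            bad.append((area, value))
    return bad


def gap_analysis(current: dict, target: dict, benchmark: dict) -> list:
    """Rate every area; order by largest gap to target, then to benchmark."""
    for name, ratings in (("current", current), ("target", target), ("benchmark", benchmark)):
        bad = invalid_ratings(ratings)
        if bad:
            raise ValueError(f"{name} ratings off the 0-5 scale: {bad}")
    gaps = [AreaGap(a, current[a], target[a], benchmark[a]) for a in AREAS]
    return sorted(gaps, key=lambda g: (-g.gap_to_target, -g.gap_to_benchmark, AREAS.index(g.area)))


def priorities(gaps: list, floor: int = 2) -> list:
    """Areas still rated below `floor` (default: below 'Fair'), in gap order."""
    return [g.area for g in gaps if g.current < floor]


def report(gaps: list) -> str:
    """Plain-text gap table, one line per area, worst gap first."""
    lines = [f"{'Area':<28}{'Now':>4}{'Goal':>5}{'Peers':>6}{'Gap':>5}  Current rating"]
    for g in gaps:
        lines.append(f"{g.area:<28}{g.current:>4}{g.target:>5}{g.benchmark:>6}"
                     f"{g.gap_to_target:>+5}  {RANKING[g.current]}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_BENCHMARK)
    print(report(result))
    print("Below 'Fair':", priorities(result))
```

The ordering key deliberately puts the company's own objective ahead of the peer benchmark: the slide presents the benchmark as a reference, while the 2001 objective is the commitment the board is asked to fund, so it drives the priority list.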
IT Security is a Continuous Effort

[Diagram: a cycle around Security Management: 1. Issue Security Policy → 2. Design Security Defenses → 3. Perform Active Monitoring → 4. Perform Intrusion Testing, and back to the policy]