Paradigm Shift: Governance & Management of Information & Related Technology October 2014

To Begin…. 2 All organizations, public and private, large or small, are facing a paradigm shift with respect to the governance and management of information and related technology

Context 3 (1) Appendix B (2) Registration, transactions, advice

Proposition (‘What’) Information is a strategic asset for ALL organizations – as important as people and capital IT is a critical enabler of most organizations Effective governance & management on an enterprise basis requires the active engagement of executive management BUT most executive teams remain largely unaware of: the potential rewards of effective governance and management of information and related technology their responsibilities re: information management and enterprise IT the existence of relevant standards and best practices 4

‘So What’ Information and IT investments are often not aligned with the organization’s strategic objectives Information and IT-related risks are not appropriately managed The enterprise does not optimize the value of its investment in information and related technology 5 The changing role of information and technology requires greater formality in governance and management

Why?Why? We are driving our organizations with data and information – with this comes risks and liabilities: –In not knowing where data is, or knowing where it is but allowing improper access –In using conflicting information –In being unable to prove a number on a report is THE number and is accurate –In being unable to produce documents (e.g., for discovery) –In destroying documents too late 6

The Solution 7 “Implementing good IT governance is almost impossible without engaging an effective governance framework.” - ISACA 2009

Alberta’s AG Weighs In…. “Alberta Government needs to better identify and mitigate IT risks. Government departments as a whole need to do a better job identifying risks to their systems and data. Then they need to implement well- designed, efficient, and effective IT controls to mitigate these risks and provide secure services and programs to Albertans.” – Auditor General, April

What Success Looks Like… Strategic alignment of investment in information and related technology with the organization’s goals We will get the right information to the right people at the right time so they can make informed decisions Improved value from investment in information and technology Effective management of information and technology-related risks IT services that meet the needs of the organization Protection of information and related IT assets from unauthorized access, use, disclosure, disruption, modification, or destruction Protection of stakeholders’ right to privacy and confidentiality 9

And in terms of Enterprise Information Management we will have: An in-depth understanding of what information is used, by whom, to attain specific Ministry goals and objectives An information model which illustrates information flows and dependencies across the Ministry A business case which provides the context and rationale for moving forward with specific EIM projects Process models and process improvement recommendations for key corporate functions A catalogue and detailed description of information requirements and metrics A listing of the EIM components (e.g., analytics, applications, business intelligence, content management, data models, master data management, meta data, portals, reporting, security, standards) required to deliver the information to meet business needs A complete list of the EIM principles, policies and standards which need to be developed The proposed approach to implementing data governance and ensuring data quality A detailed description of EIM functions, roles and responsibilities A taxonomy to enable navigation of unstructured content or content management 10

CONTROL FRAMEWORKS Paradigm Shift: Improving Governance and Management of Information and Related Technology 11

What is a Control Framework? An organized set of controls which, when implemented, supports effective governance and management of information and related technology. Provides a set of consistent principles that guides the development of controls and ensures alignment with the strategic direction and mandates of the organization. Assigns accountability and responsibility, influences how the controls should be structured and maintains a common glossary of terms. 12

Types of Controls Policies - high-level direction for what to do in a particular situation or set of circumstances; a type of position statement Organizational Structure - reveal vertical operational responsibilities and horizontal linkages and may be represented by an organization chart to demonstrate governance Standard - A mandatory requirement, code of practice or specification established and approved by authority that is used as a baseline to measure the quality or performance of a process or procedure Procedure - The steps people are expected to take and the sequence in which to perform those steps; a set of actions which are the official or accepted way of doing something Guideline - A document providing guidance, advice or explanation 13

BenefitsBenefits Helps organizations: –Better align their IM/IT activities to their business needs –Ensure that management understands IM/IT’s role and relevance in the organization –Fulfill their responsibilities for a sound internal control environment & demonstrate progress to regulators, business partners & external stakeholders –Ensure that Boards/management can meet their quality, fiduciary & security requirements –Clarify ownership, responsibilities and accountabilities for information and related technology 14

Control Areas Governance & Management Enterprise Architecture Privacy, Security & Identity Management Information Management Technology Management An Assessment Tool & Controls are developed and available for review/adaptation by GoA ministries 15

WRAPPING UP Paradigm Shift: Improving Governance and Management of Information and Related Technology 16

The “Larger Picture” 17 AwarenessUnderstandingBuy-in Leadership Enterprise View Alignment Essential for enterprise-wide systemic change

Critical Success Factors Understanding that governance and management of information and related technology is of strategic importance to the organization Executive leadership and ongoing involvement Enterprise view Long-term commitment coupled with short-term, incremental value delivery Effective program management Realistic assessment of organizational capacity for change 18 (1) Making EIM Work for Business, John Ladley, 2010

APPENDIX A - IMPLEMENTATION Paradigm Shift: Governance & Management of Information & Related Technology 19

Before we get started….. 20 (1) “Making EIM Work for Business: A Guide to Understanding Information as an Asset”, John Ladley, Morgan Kaufman 2010 Business transformation is not about retuning or tweaking or adding functionality; it is revolutionary. It involves fundamental business redesign to achieve improvements in client and stakeholder satisfaction, cost efficiencies and return on investment, improved risk management and more transparency and accountability (1).

Implementation Life Cycle 21

High-level Approach 22 Conduct Organizational Readiness Assessment Assess Maturity Level & Set Target Assess Compliance with Control Framework Prioritize Develop 3-Year Plan Assess Results

APPENDIX B - DEFINITIONS Paradigm Shift: Governance & Management of Information & Related Technology 23

Open Government (1) Governing doctrine which holds that citizens have the right to access the documents and proceedings of the government to allow for effective public oversight. Comprised of 3 strands: –Transparency: that the public understands the workings of their government; –Public engagement: that the public can influence the workings of their government by engaging in governmental policy processes and service delivery programs; and –Accountability: that the public can hold the government to account for its policy and service delivery performance. 24 (1)Open Government Partnership

Citizen Engagement (2) Involves citizens (individuals, not representatives) in policy or program development, from agenda setting and planning to decision-making, implementation and review Requires two way communication regarding policy or program change (interactive and iterative): –between government and citizens; –among citizens; –and among citizens and civil society groups Aims to share decision-making power and responsibility for those decisions Includes forums and processes through which citizens come to an opinion which is informed and responsible Generates innovative ideas and active participation Contributes to collective problem solving and prioritization Requires that information and process be transparent Depends on mutual respect between all participants 25 (2) Handbook on Citizen Engagement: Beyond Consultation, Sheedy, 2008