IT GOVERNANCE FRAMEWORK

Mark Makepeace, Director, Business Standards & Improvement Group, Business Information Systems
Mike Thorn, Audit Director, Internal Audit

27 January 2005
Agenda
- Where we were
- Why we needed to change
- Where we are now
- How we got there and what we got from it
- Where next
- Lessons Learned
Definitions of IT Governance
BIS takes its definition of governance from that supplied by the IT Governance Institute (ITGI):
‘A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.’
Where we were
- Organisational governance structure
- Cascaded objectives
- Turnbull reporting
- IT “bricks” (RAG status)
- Benchmarking for IT services
- Balanced Scorecard and supporting MI
- Internal Audit assurance
Why we needed to change
- FSA regulated company and Stock Exchange listed
- Demonstrable framework to satisfy External Audit and the FSA supervision regime
- Credibility issue of internal framework versus industry standard
- Publication of ITGI Board Briefing on IT governance
- Share common understanding with IA of IT processes and risks to improve control and risk framework
Regulatory timeline
Where we are now
- Governance roles and responsibilities wheel: identifies what, how and who
- IT balanced scorecard: reports on IT capability and performance
- CobiT Heat Map: identifies priority processes for risk management and improvement investment
- MI Reporting Flow: reports on aspects of IT to top level within the organisation to ensure no surprises
How we got there
- Using IA’s strong relationship with IT senior management
- Facilitate corporate and IT governance initiatives
- Selling benefits of joint approach
- External credibility of existing IT bricks
- De-mystify regulatory “jargon”
- Commitment of time and resources in “trusted” environment
(Diagram: IT and IA)
Adopting CobiT - 1 (2002)
- Assessment of CobiT processes v L&G Bricks (mapping): CobiT Control Objectives
- Assessment of process, Current and Goal maturity ratings: CobiT management guidelines
- FSA inherent risk assessment: CobiT framework
- Initial Heat Map published 2002
- Process ownership assigned
- CobiT processes aligned to IT objectives: CobiT control objectives
- IT Balanced scorecard aligned: CobiT framework
Note: internal audit involvement; CobiT module referenced
Adopting CobiT - 2 (2003 / 2004)
- Half-yearly process assessment, Current and Goal maturity ratings: CobiT management guidelines
- Moved to process-based risk management: CobiT framework
- Governance database developed: CobiT Control objectives
- Governance Management Committee formed
- Half-yearly Heat Maps published: CobiT framework
Note: internal audit involvement; CobiT module referenced
Where Next - IT Governance
Existing Process | Process Improvement
- Based on CobiT Guidelines covering risk controls | Include the 5 IT Governance Focus Areas
- Number of duplicate risks – variations on a theme | Consolidate risks & underlying data
- Monthly balanced scorecard reporting focuses on risk | Realign to the 5 IT governance focus areas
- Implementation of Governance Database | Monthly MI easily produced
Lessons Learned - 1
- In our view of the FS sector, a homegrown governance framework is not sufficiently credible
- Essential to obtain and sustain senior management sponsorship across all relevant parties
- Organisation and existing management structure have finite capacity for change
Lessons Learned - 2
- Implementation should be planned around existing capability
- Do not underestimate the volume of work or the difficulty of getting buy-in from business owners of IT processes, i.e. manage facilities
- Maintain regular communication to keep the topic “alive”
Questions?