© IT Management Consulting Ltd., London, +44-7798 527910 Implementing IT Governance Frameworks within Regulated Institutions.

Presentation transcript:

Implementing IT Governance Frameworks within Regulated Institutions
Malta, 25th June, 2007
Dr. Martin Rosenberg, Program Director International IT Management Consulting Ltd.

IT Governance Drivers
1. The pace of creating new regulations is increasing. Compliance is not going away!
2. Shift from tactical compliance efforts towards addressing multiple regulations
3. Compliance projects are costly and long; need for standardization of controls and automation
4. Need to reduce compliance efforts from an end-to-end perspective by focusing on improved risk management and reliable corporate governance
5. Corporate governance depends on IT governance, which creates a common language across IT departments and business units, facilitates risk mitigation and benefits business performance
6. Auditor skills and relationships are not sufficient; limited availability of skills within accounting companies and IT. Good IT governance is needed to facilitate auditing tasks
7. IT frameworks help develop IT governance policies and controls for different compliance requirements
8. Need to manage outsourcing, acquisitions and business performance

Sample of Regulations…
- Euro-SOX (EU)
- EU Digital Signature Directive
- EU Data Protection Directive
- MiFID
- Basel II
- ISO Security Program Standards
- Payment Cards Data Security Standards
- … etc.

IT Governance Definition
“IT Governance – A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
Source: ISACA

IT Governance is NOT IT Management or IT Standards
[Diagram: IT Governance Structure over the IT Organization. Governance activities: Direct, Control, Risk, Manage, Decide. Governance elements: Policies, Processes, Relationships, Measurements.]

Need both Lifecycle Management and Governance to properly manage investments, assets and quality
[Diagram: Multiple Lifecycles (Business, Projects, Services, Assets, Applications, Infrastructure, Sourcing), each passing through Plan, Build, Run.]
- Lifecycles evolve at a different pace and need synchronization
- Example: the Service Management Lifecycle applies to multiple lifecycles

IT Governance ties it all together and aligns with business goals
[Diagram: Governing Lifecycles. IT Strategy, Architecture, Technical Direction, Program Management, Investments and Resources across Plan, Build, Run; governance elements Policies, Processes, Relationships, Measurements; governance activities Direct, Control, Risk, Manage, Decide.]

Simplified View: IT Governance is not IT Processes Execution
[Diagram: IT Management (Plan, Build, Run) alongside IT Governance (Decide, Direct, Control, Risk, Manage).]

IT Governance Focus Areas
- Strategic Alignment: ensuring the link between business and IT plans, defining the IT value proposition, aligning IT and business operations
- Value Delivery: executing the IT value proposition via the delivery cycle
- Resource Management: optimal investment in and management of critical IT resources
- Risk Management: understanding the enterprise’s appetite for risk and compliance requirements, implementing risk management responsibilities
- Performance Measurement: tracking and monitoring strategy implementation, project completion, process performance and service delivery (e.g. via balanced scorecards)
©2005 IT Governance Institute (ITGI), All rights reserved

IT Organization’s Process Groupings - Problem
[Diagram: process groupings (Plan & Organize; Develop, Acquire & Implement; Deliver & Support; Monitor & Evaluate; IT Governance) with process examples: Strategic IT plan, Information & Technical Architecture, Investments and Budgets, Program/Project Office, Solutions/Applications Development & Acquisition, Projects & Enhancements & Maintenance, Service Delivery & Support, Operations, Vendor management, Performance Measurement, Compliance & Control.]
PROBLEM: Very little or NO end-to-end integration (across the board)

Multitude of IT Frameworks and Lack of Integration
Uncoordinated commitment: multiple, incompatible IT frameworks with diverse focus and purpose: investment-centric, functionality-centric, service-centric.
[Diagram: frameworks (PMI/Prince2, TOGAF, RUP, ITIL, ISO, Other…) applied across Strategy, Development, Architecture, Operations, Outsourcers and Business Relations.]
Different views of IT value through different frameworks!

COBIT: an Integrating end-to-end ‘Umbrella’ Framework for IT
[Diagram: Corporate Governance over IT Governance; COBIT spans the business functions and the IT function as an umbrella over the best practice frameworks COSO, ISO, ITIL, TOGAF, PMI/Prince2 and Other….]

COBIT: an Integrating end-to-end ‘Umbrella’ Framework for IT
[Diagram: IT Governance focus areas (Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Management) across Plan, Build, Run for Business, Projects, Architecture, Security and Services; best practice frameworks (examples): COSO, PMI/Prince2, TOGAF, ISO, ITIL, CMM.]

COBIT: An Integrated Control Framework
- Business-Focused
- Process-Oriented
- Control-Based
- Measurement-Driven

Control, Alignment, Monitoring
[Diagram: Control, Alignment, Monitoring]
©2005 IT Governance Institute (ITGI), All rights reserved

Process Oriented
Business & Governance Objectives -> INFORMATION
PLAN AND ORGANIZE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define IT processes, organization & relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
DELIVER AND SUPPORT
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
MONITOR AND EVALUATE
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance
©2005 IT Governance Institute (ITGI), All rights reserved

COBIT IT Governance Framework and ITIL Framework
[Diagram: COBIT domains (Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate) mapped against ITIL areas (Business Perspective, Service Delivery, Service Support, Application Management, ICT Infrastructure Management, Security Management), with INFORMATION at the centre.]
A mapping document with COBIT V3 exists, with COBIT V4.0 coming soon; see the ITGI COBIT and ITIL mapping.

COBIT Framework Model (summary)
The COBIT Framework provides well-defined links between IT Governance Requirements, IT Processes and IT Controls.
Top-Down Summary
- The COBIT framework ties business requirements for information and governance to the objectives of the IT function
- The COBIT process model enables IT activities and resources to be properly managed and controlled based on control objectives, and aligned and monitored using KGI (key goal indicator) and KPI (key performance indicator) metrics
Bottom-Up Summary
- IT resources are managed by IT processes to achieve IT goals that respond to the business requirements
©2005 IT Governance Institute (ITGI), All rights reserved

COBIT Framework - Benefits
Benefits for different stakeholders: reduced risk, improved efficiency, predictability, cost-efficient use of resources
- Executive Management: to obtain value from IT investments and balance risk and control investment in the IT environment
- Business Management: to obtain assurance on the management and control of IT services provided internally or by third parties
- IT Management: to provide the IT services that the business requires to support the business strategy, in a controlled and managed way
- Auditors: to substantiate their opinions and/or provide advice to management on internal controls
©2005 IT Governance Institute (ITGI), All rights reserved

COBIT – Widely Accepted IT Governance de facto standard
Selected as IT Governance framework and IT Internal Control framework by governments, commercial organizations and service providers (in 100+ countries). Sample organizations:
- EU – European Commission
- Several Governments
- Quebec Auditor General
- Australian National Audit Office
- US Department of Defense
- US National Institute of Standards and Technology references COBIT
- U.S. House of Representatives adopts COBIT
- US Federal Financial Institutions Examination Council (FFIEC)
- Office of The State Auditor of Massachusetts
- National Association of State Chief Information Officers (NASCIO)
- Argentina and Uruguay governments
- Colombian Bank Regulatory Body
- Philippine Commission on Audit (COA) adopts COBIT
- E.g. companies: DaimlerChrysler, Royal Philips Electronics

Implementing IT Governance
[Diagram: Business Requirements, IT Processes, IT Resources and IT Governance Best Practices, with three implementation methods: Portfolio Management, Continuous Improvement, Bottleneck Method.]

IT Governance Implementation Method 1: Portfolio Management
IT Portfolio Management: selective implementation of governance processes by populating and balancing portfolios (risks/returns, value):
- IT Initiatives Portfolio
- IT Investments Portfolio
- Program/Project Portfolio
- Services/Assets Portfolio
- Resource Management
E.g. the Services Portfolio is driven by overall IT Portfolio Management mapped to business drivers.
[Diagram: portfolios of Investments, Assets, Applications, Resources, Services and Projects balanced by Risk, Return, Timing and Value.]

IT Governance Implementation Method 2: Continuous Improvement
Selective implementation of governance processes through:
- IT Governance Assessment
- Decision on risk levels
- Investment decisions in security & controls
- Monitoring & controlling capability & performance
- Incremental improvements -> raising the level of maturity
[Chart: COBIT Maturity Levels 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized, with percentage labels 50%, 7%, 30%, 10%, 3%, ?%.]

IT Governance Implementation Method 3: The Bottleneck Method©
Structured quick-wins method used by 7% of leading organizations.
Principle: “applying the smallest change to get the biggest positive impact”
Based on:
- Systemic thinking
- Options analysis
- Emerging “people change techniques”
- What-If Analysis
[Diagram: analyzing potential bottlenecks (dependencies, timing, risk, value; activities, systems, skills, etc.) for their impact on service delivery and on business drivers, identifying the most significant bottleneck, then change implementation.]

The Bottleneck Method© Benefits
- Identifying “the weakest link”
- Prioritizing “first things first”
- Rapidly identifying hidden cost drivers and inefficiencies
- Enabling breakthrough improvements
[Chart: Effectiveness/Savings versus Time, comparing the Bottleneck Method (breakthrough improvements) with Continuous Improvement.]
Fast-track effectiveness and cost savings compared with continuous improvement.

Typical IT Governance Implementation Projects
- One Day COBIT Implementation Workshop. Deliverable: generic or customer-tailored workshop
- IT Governance Assessment/Readiness (COBIT based): days. Deliverable: assessed governance maturity level
- All Governance Committees & Processes “Skeleton” Implementation: 4 – 6 weeks. Deliverable: high-level end-to-end governance structure
- Quick-wins process improvements (via the ‘bottleneck method’) of selected processes: month per 3 processes. Deliverable: fast-track governance maturity improvement
- Incremental process improvements (via continuous improvement) of selected processes: 3 – 6 months per 3 processes. Deliverable: next process maturity level

Backup Slides

Business Focused: Information Criteria
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
©2005 IT Governance Institute (ITGI), All rights reserved

Current Enhancements to COBIT
- COBIT® Foundation Course
- IT Control Objectives for Sarbanes-Oxley
- COBIT® Security Baseline
- Aligning COBIT®, ITIL® & ISO for Business Benefit
- COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT
- COBIT Mapping: Mapping SEI’s CMM for SW With COBIT
- COBIT Mapping: Mapping PMBOK© With CobiT 4.0
- COBIT Mapping: TOGAF With CobiT 4.0
- COBIT Mapping: Mapping ISO 17799:2005 With CobiT 4.0
- COBIT Mapping: Mapping PRINCE2 With CobiT 4.0