IT Gov 2

IT governance is important for organizations to ensure high return on IT investments, compliance, and managing risks. The key areas of focus for IT governance include strategic alignment of IT with business goals, delivering value through IT initiatives, optimizing resource management, managing risks, and measuring performance. Effective IT governance requires integrating business and IT strategies, clearly defining objectives, and having governance processes that increase the likelihood of IT project and operation success.

Uploaded by Sanjay Dahal

IT Governance
A Framework for Performance and Compliance
What Makes IT Governance so important?

In October 2005 McKinsey and the London School of Economics measured the increase in productivity from investments in IT versus investments in management practices in 100 enterprises.

Additional spending in Information Technology can raise productivity… but only in well managed companies!
What Makes IT Governance so important?

Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment

• Gartner – more than 600 billion $ thrown away annually on ill-conceived or ill-executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• Low return from high-cost IT investments, and transparency of IT’s performance, are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
What makes IT Governance so important?

Shareholders want protection for the Enterprise’s Share Price

“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”

“…financial reporting system is not up to speed…”

“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”

“…data entry problems…”
What is IT Governance?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

ITGI, Board Briefing on IT Governance

IT Governance Focus Areas
1. Strategic Alignment – Aligning with the business and providing collaborative solutions
2. Value Delivery – Executing the value proposition throughout the delivery cycle
3. Resource Management – Optimising the development and use of available resources
4. Risk Management – Safeguarding assets, disaster recovery and compliance
5. Performance Measurement – Monitoring results for corrective action
5
IT Governance – The Five Focus Areas
Strategic Alignment
• Linking business and IT plan
• Defining, maintaining and validating the IT value proposition
• Aligning IT operations with the enterprise operations
• Provide collaborative solutions that
  • Add value and competitive positioning to the enterprise’s products and services
  • Contain costs while improving administrative efficiency and managerial effectiveness

Best Practices
• Integrated approach to business/IT strategy
• Cascading strategy and objectives down into the organisation
• Co-responsibility of business and IT
• Clearer objectives for IT investments
• IT Strategy and IT Steering Committees

In 2003, 49% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 70%.
IT Governance – The Five Focus Areas
Value Delivery
• Executing the value proposition throughout the delivery cycle
• Ensuring that IT delivers the promised benefits against the strategy
• Concentrating on optimising expenses & proving IT’s value
• Controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)

Best Practices
• Formal tracking of business value of IT
• Enabling effective value measurement (ROI, TCO, NOV…)
• Disciplined approach to project management with a larger role for the business
• Commitment to formal methodologies/processes for development and service delivery
• Enterprise architecture planning

In 2003, 39% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 69%.
IT Governance – The Five Focus Areas
Risk Management
• Requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise
• Embeds risk management responsibilities in the operation of the enterprise
• Addresses the safeguard of IT assets, disaster recovery and continuity of operations

Best Practices
• Awareness of IT risks based on continuous assessment
• Transparency to all stakeholders
• Establishing responsibility and embedding risk management into the organisation
• An integral part of compliance and assurance
• Use of formal IT risk and control frameworks
• Process management disciplines

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 78%.
IT Governance – The Five Focus Areas
Resource Management
• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure, data)
• Maximising the efficiency of these assets and optimising their costs
• Optimising knowledge and the IT infrastructure
• Knowing where and how to outsource

Best Practices
• Supply/demand balancing
• Practices to train and sustain skilled staff including Career Centres for project assigned staff
• Consumption-based chargeback
• Transparency in expense management and cost allocation
• Formalised vendor management disciplines

In 2003, 50% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 75%.
IT Governance – The Five Focus Areas
Performance Measurement
• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
• Measuring relationships and assets necessary to compete: customer focus, process efficiency and the ability to learn and grow
• Tracking project delivery and monitoring IT services

Best Practices
• IT Balanced Scorecard as emerging reporting system
• A management reporting system that feeds back into the strategy
• Use of benchmarking for performance comparison
• IT Scorecard approval by the key stakeholders for alignment

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 67%.
Presentation Outline
1. Introduction
2. IT Governance Framework
3. IT Governance Implementation
4. Control Framework for SOX
5. Using CobiT for C/SOX
6. Issues in Application Controls

Organisational Systems
The focus areas of IT Governance must be embedded within the organisation’s systems.

Organisational systems are relatively stable, influence everyone’s performance and can be consciously designed.

• Culture – habits and practices
• Structure – responsibilities and workflows
• Internal Economy – resource governance processes
• Methods and Tools
• Metrics and Rewards

Source: N. Dean Meyer
Strategic Alignment
Alignment is achieved within the structure of the companies’ annual planning and budgeting process through the transparency of the value/risk versus cost propositions.

Structure
Strategy: Inter-company I.S. Executive Committee, ISEC
Development: Line of Business Steering Committees, Account Managers
Operations: Business Process Owners, Account Managers, Service Delivery Managers
Governance: Executive/Risk Management Committees, Functional Leadership

Internal Economy
• I.S. expenses are targeted and capped (zero tolerance)
• I.S. expenses are fully burdened and recovered by consumption-based chargeback (zero profit)
• Lines of business have clear ROE targets which include I.S. chargebacks

Methods & Tools
Strategy: I.S. Strategy Map, Balanced Scorecard, CobiT
Development: Business Case Disciplines > $500K
Operations: Service Level Agreements, I.S. Product and Service Standards
Governance: Risk / Compliance / Maturity Assessments (CobiT)

Metrics & Rewards
Financial Targets: Minimum 15% annual growth in shareholder earnings, 18% ROE: Company, Line of Business
Contributing Metrics: Sales, Expense Management, Customer Service, Project Delivery, Service Achievement
Rewards: Ties to management incentives, stock option / purchase plans

Culture
• Empowered hierarchy, command and control management style
• Rigorous approaches to analysis, planning and risk management (fact-based)
• Strong preference for measurable, verifiable benefits
Value Delivery
Value delivery is ensured on business projects and operations through co-responsibility with business leaders and on governance through direct accountability to the executive committees.

Structure
Development: Business sponsors, I.S. Project Managers, I.S. leadership teams, A.C.T., PMI-based methodology, formal SDLC methodologies
Operations: Business process owners, Service Delivery Managers, Service Management Process
Governance: Risk Management Committee (risk, compliance, audit, I.S.)

Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• Allocations are exceeded only by formal change control, first considering scope reduction
• Expense over-runs at the activity level are offset within the lines of business (LOB’s), or failing that, across the LOB’s

Methods & Tools
Development: Bates Project Management, SEI-CMMI, Enterprise Architecture, TeamPlay, SAP
Operations: ITIL, CobiT, SAP
Governance: CobiT, SAP, Terms of Engagement

Metrics & Rewards
Development: Co-responsibility for results with business (quality, risk, time, cost)
Operations: Co-responsibility for results with business (service, cost, problem management)
Governance: Accountability to executive committees (incidents, maturity, audits, initiative completions)
Rewards: Ties to incentives at next levels of management and practitioners

Culture
• Active, hands-on management of emerging results and adjusting actions
• I.S. is a professional services organisation: we charge for our services, strive for repeatable performance
• Business partnership: business says “what”, I.S. says “how”
Risk Management
Risk management is approached by selecting an acceptable risk level based upon detailed assessments of exposure, probability of occurrence, compliance with legal or regulatory requirements and emerging industry good practice.

Structure
Executive: Executive committee sponsorship, risk committee oversight
Risk Management: I.S. Risk Management Office with focus on risk assessment, security, privacy, DR, compliance and process / quality management
Supplier Management: Vendor Relations Team focuses on leveraged purchasing and contractual risks

Internal Economy
• Governance improvements are structured as internal I.S. initiatives and compete for approval along with business projects
• Scrutiny is also focused on the total expenditures on risk management activities

Methods & Tools
Risk Management: COSO/Methodware: Enterprise Risk Assessor
Security: CobiT, ISO 17799 (since renumbered as ISO/IEC 27002)
Disaster Recovery: CobiT, IBM maturity framework
Control: CobiT, COSO

Metrics & Rewards
Progress: Measured through initiative completions, maturity assessments and audits
Results: Avoidance of major incidents (non-occurrence, response)
Rewards: Tied to incentive based on results, progress and quality of assessments

Culture
• Willingness to accept reasonable level of risk
• Risks must be explained in detail and target maturity levels justified
• Risk management viewed as overhead; value proposition is challenging
Resource Management
Resource management is the most direct and controllable leverage point to ensure the delivery of our financial targets and is the focus of our detailed and active management approach.

Structure
Development: Business steering committees, business sponsors, I.S. project managers
Operations: Business process owners, Account Managers, Service Delivery Managers
Governance: Risk Management Committee, functional leadership, ISFM, Career Centres, ISHR Organisation

Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• I.S. is accountable to manage within its budget (gatekeeper role)
• Business leaders cannot spend above their I.S. budget without approval of the president.

Methods & Tools
Financial: SAP, TeamPlay, MICS, Remedy
Human Resources: TimeControl, SEI-PCMMI, Career Centres for project assigned staff
Assets: Applications / Data Inventory, Remedy

Metrics & Rewards
Financial: Expense management, unit cost targets
Human Resources: Utilisation / “billable” ratios, blended labour rates, benchmark staffing ratios
Assets: Managed seat costs, recovery for assets
Rewards: Tied to management incentives at all levels

Culture
• Strong belief in internal expense management capability
• Decided preference for internal sourcing and control
• Expectation of managers to know / be engaged at a detailed level and be fiscally responsible
Performance Measurement
Performance measurement is an essential element of the management discipline to drive delivery, validate the effectiveness of business and I.S. strategy and to trigger management rewards based on company performance and individual contributions to its achievement.

Structure
Strategy: I.S. Executive Committee, ISFM, Process Management function
Development: I.S. Project Managers, I.S. Project Management Office
Operations: Account Managers, Service Delivery Managers, Service Management
Governance: Process Risk Management Organisation, Internal Audit, Compliance Officers

Internal Economy
• Measurement investments are reviewed along with other control costs
• Measurement systems must demonstrate that control information is actionable and costs do not exceed the value obtained.

Methods & Tools
Strategy: I.S. Balanced Scorecard, CobiT
Development: Major Projects Review methodology
Operations: Operations Management Report by LOB, ITIL
Governance: CobiT

Metrics & Rewards
Metrics: Measurable outcomes are required for all management objectives
Rewards: Rewards and bonuses are only triggered when results are measured

Culture
• Belief: “If you cannot measure it, you cannot manage it”
• “Show me” culture, insistence on demonstrable results
• “We deliver on our commitments”
Key IT Governance Practices
• Executive and business level steering committees
• Clear roles and responsibilities – business sponsors say “what”, IT says “how” (Terms of Engagement)
• Internal economy model – supply/demand balancing, consumption-based chargeback
• Use of best practice frameworks for process and control
• Linkage of measured results to rewards
• Strong culture of rigorous analysis, fact-based decision making and active, hands-on management
General Approach to Governance Implementation

1. Identify priority issue(s) (governance or business drivers)
2. Map to IT goals, process and affected resources
3. Assign to Process Owner
4. Resolve issue and adjust process/resources
5. Use responsibility matrix to determine job impacts
6. Change job descriptions/expectations
7. Change measurement/monitoring systems
8. Incorporate into performance appraisals/reward processes
Issues in Application Controls
• The need for risk management is not appreciated
  – Demonstrate the value received for the investment in controls
  – Conduct regular communication and change management

• Business slow to recognise responsibility for Application Controls
  – Ensure Application Control and IT General Control teams coordinate
  – Acknowledge shared responsibility for sign-off

• Many older applications do not have the required controls
  – If risk is high, identify compensating controls
  – If risk is low, waive the requirement on a case-by-case basis
Issues in Application Controls
• Difficult to determine an ‘appropriate and measured response’
  – Identify critical business processes based on risk and materiality
  – Limit work to high priority processes

• There is a general lack of internal control expertise
  – Define and implement standardised monitoring processes
  – Minimise the risk of re-work – Do it right the first time!

• No definitive guidance from consultants or government
  – Use common sense based on experience
  – Be able to justify the decisions made
• https://www.itgovernance.co.uk/it_governance
