
ITM Governance & Management Controls

ITM Governance & Management Controls. CANHEIT Overview Presentation - June 2012 Clark Ferguson, CIO, University of Lethbridge. Agenda. Program Overview. Governance & Management Controls Overview Session. Program. Alberta … Post secondary sector … Information & Technology Management …





Presentation Transcript


  1. ITM Governance & Management Controls CANHEIT Overview Presentation- June 2012 Clark Ferguson, CIO, University of Lethbridge

  2. Agenda

  3. Program Overview Governance & Management Controls Overview Session

  4. Program Alberta … Post secondary sector … Information & Technology Management … Control Framework Program

  5. Introduction
     • Provincial Office of the Auditor General increasing attention to governance & management controls across the public sector
     • Alberta Advanced Education & Technology (AET) initiated the program and enlisted support of post-secondary leaders
     • Recognition that all post-secondary institutions would need to comply
     • Quality of institutional systems would vary based on size of institution and capacity to allocate scarce resources
     • Province-wide program with contributions by AET & institutions
     • Leveraged program management and specialized consultants to harvest industry and institutional best practices

  6. Achievements
     • 26 post-secondary institutions (all but 1 or 2) engaged
     • 2 years of projects have been successfully completed, with 1 project rescheduled due to quality problems
     • Significant involvement of business leaders and IT experts in projects
     • Team approach, high quality project deliverables, and strong communications & training have led to rapid adoption

  7. Lessons Learned
     • Dedicated program management and expert project consultants freed participating institutions to focus on contribution
     • Governance and approval of project and program materials was tricky, but with minor rework a successful process was achieved
     • Procurement process to contract project experts, and careful oversight of their work, extremely important
     • Joint approach has yielded very high quality deliverables and a commitment amongst institutions to share best practices

  8. Business Drivers
     • Rising expectations regarding organizational governance
     • Concern over generally increasing level of IT expenditure & demand for better return on IT investments
     • Need to meet regulatory requirements
     • Significance of selection of service provider & management of outsourcing
     • Increasingly complex risk associated with information management & related technology
     • Need to optimize costs by following standards and best practices
     • Growing maturity and acceptance of frameworks and standards
     • Need for assessment against standards and peer organizations

  9. There are 5 Points Really!
     • Proper Governance
     • Strategic Alignment
     • Value Realization
     • Risk Management
     • Resource Optimization

  10. Initiated a Program to…
     • Collaboratively develop a system-wide control framework for managing information and related technology that will assist with the implementation of strategic priorities, policies and principles through:
       • Common best practice controls that are modifiable, scalable and implementable
       • A shared content management system that will foster ongoing collaboration and effectively manage the control life cycle

  11. Standards (diagram: the ITM Control Framework positioned against its source standards along HOW / WHAT / SCOPE OF COVERAGE axes)
     • COBIT
     • Legislation
     • PMBOK
     • ITIL
     • ISO 2700x

  12. Translating Theory into Reality!

  13. Program Design (timeline chart spanning Year 1 (2010) to Year 4 (2013); legend: Complete / In progress)
     Projects and scheduled completion dates:
     • Control Framework & Policies Project (June 2010)
     • Change Management Project (October 2010)
     • Privacy Project (November 2010)
     • Governance Project (April 2011)
     • Information & Technical Management (December 2011)
     • Identity Management & Information Security (December 2011)
     • Enterprise Architecture (rescheduled to Year 3)
     • Content Mgmt. System Project (April 2012)
     • Information Management (February 2013)
     • Technology Management (February 2013)
     • Enterprise Architecture (February 2013)
     • Information Management ... Continued (August 2013)
     • Wrap-up Project (December 2013)
     Outcome: Post-Secondary System ITM Control Framework

  14. Participation
     • Volunteers from the Institutions
     • Program designed to provide opportunity to volunteer:
       • Working Group = 6-12 hours/month
       • Key Stakeholders = 2-4 hours/month
       • Project Steering Committee = 2 hours/month
     • Composition impacts legitimacy of deliverables
     • Committed participants who see the bigger picture

  15. Collaboration Benefits
     • PSS expert body of knowledge
     • Relationships
     • Synergy
     • Sharing and capture of knowledge
     • Bleeding edge
     • Ongoing support
     • Common foundation for future opportunities

  16. Moving Forward (aka implementation)
     • Look at the framework as a whole
     • Determine what pieces you need and how ‘deep’ you want to go in each area
     • Know your capabilities, capacity, current maturity, resource availability
     • Be realistic in your planning
     • Assign dedicated people to manage, communicate, train and assist with organizational change
     • Don’t underestimate the commitment that’s required
     • Don’t forget to collaborate
     • Keep your eye on the end game

  17. U of L Status

  18. Implementation Overview Governance & Management Controls Overview Session

  19. Alignment Map

  20. Controls Summary

  21. Development of Controls
     Controls derived through ~3,000 hours of synthesis, discussion and adaptation to the post-secondary environment, drawing on:
     • Cobit 4.1
     • Risk IT
     • Val IT
     • ITIL
       • Service Strategy
       • Service Design
       • Continual Service Improvement
     • ISO/IEC 20000, ISO 31000
     • Web research

  22. ITM Control Framework – Implementation Lifecycle Use of maturity models (next slide)

  23. Cobit Maturity Scale
     Program Objective: To increase the maturity level of all participating Institutions to a COBIT Maturity Level 3 by June 2014 in the areas where the controls have been implemented within the Institution.
     • 1 Initial/Ad Hoc
     • 2 Repeatable but Intuitive
     • 3 Defined Process
     • 4 Managed and Measurable
     • 5 Optimized

  24. Section 1 – Foundation Elements Governance & Management Controls Overview Session

  25. Foundation Pieces (17) • Key Concepts
     • An ITM control framework is a critical part of every institution’s internal control program to mitigate risks and ensure:
       • Management understands ITM’s role and relevance in the organization
       • Alignment of investment with the institution mandate and strategic direction
       • Value delivery
       • Compliance with external requirements
       • Continuous improvement re: ITM processes
     • It is the responsibility of the Board of Governors & executive management to communicate ITM investment objectives and expectations re: control environment and to provide training
     • Planning and adequate resourcing are essential

  26. Foundation Pieces (17) • ITM Governance Questions
     • The strategic question: Are we doing the right things?
     • The architecture question: Are we doing them the right way?
     • The delivery question: Are we getting them done well?
     • The value question: Are we getting the benefits?

  27. Foundation Pieces (17) • Roles & Responsibilities

  28. Foundation Pieces (17) • Lifecycle Management of Controls
     • Institution needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
     • Comprehensive procedure required for:
       • Identifying externally generated requirements in a timely manner
       • Identifying internally generated requirements
       • Escalating and resolving issues identified through implementation/operation of the ITM Control Framework
     • Framework needs to be regularly reviewed
       • Internal audit
       • Periodic 3rd party reviews
     • Provide for approved and documented exceptions to compliance with controls

  29. Section 2 – Strategic Alignment Governance & Management Controls Overview Session

  30. Key Concepts • Strategic Alignment (4)
     • Strategic ITM Plan is an integral element of the comprehensive institution plan… not an afterthought!
     • Performance is measured using an ITM Balanced Scorecard
     • ITM investments should be managed across the institution in portfolios
     • Outcomes
       • Alignment of business, ITM and risk management objectives
       • Organization, services, application portfolios, technologies, competencies, processes & methodologies are in place to maximize ITM contribution
       • Bi-directional education & involvement in ITM and business planning
       • Regular assessment re: ITM contribution to business objectives
       • Roadmap for addressing future needs

  31. Critical Success Factors • Strategic Alignment (4)
     • Clearly articulated institutional vision and priorities
     • Planning is considered important and closely linked to institutional budget
     • ITM plan is published
     • Formal communication strategy specific to ITM stakeholders developed with communication strategy for comprehensive institution plan
     • ITM governance practices are seen to be effective
     • Close relationships between ITM and non-ITM organizations and staff
       • Informal and formal
     • Communication with and involvement of key constituents, especially faculty and deans

  32. Comprehensive Institution Plan • Strategic Alignment (4) (diagram)
     Components of the Comprehensive Institution Plan: Strategic Priorities; Goals & Expected Outcomes; Performance Measures; Institutional Access Plan; Institutional Research Plan; Financial Plan; Capital Plan; ITM Plan.
     ITM planning process shown:
     • Plan to Plan (Purpose, Process, Scope)
     • Assess Current ITM capability & performance
     • Conduct Gap Analysis
     • Describe Desired ITM Future
     • Articulate Goals, Objectives, Strategies & Measures
     • Develop Business Cases for Individual Initiatives
     • Categorize by Portfolio and Prioritize
     • Adjust Plan as Required

  33. ITM Planning in Context • Strategic Alignment (4) (diagram)
     Elements shown: Comprehensive Institution Plan; Business Goals for IT; IT Goals; Enterprise Architecture; Balanced Scorecard; Business Requirements; Governance Requirements; Information Criteria*; Information Services; IT Processes; Applications; Infrastructure & People. Relationships labelled: deliver, require, influence, run, imply, need.
     * effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

  34. Section 3 – Risk Management Governance & Management Controls Overview Session

  35. Key Concepts • Risk Mgmt. (8)
     • ITM risk is business risk
     • ITM risk always exists, whether it is detected or recognized
     • Management of ITM-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
     • Who should be involved?
       • Board members and senior executives who need to set direction & monitor risk at the enterprise level
       • Managers of ITM and business departments who define risk management processes
       • Risk management professionals
       • External stakeholders

  36. ITM Risk Categories • Risk Mgmt. (8)
     • ITM benefit risk
       • Missed opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives
     • IT program and project delivery risk
       • Failure to realize the expected contribution of ITM to new or improved business solutions
     • IT operations and service delivery risk
       • Where performance of IT systems and services does not meet service level expectations

  37. Risk Mgmt. Principles • Risk Mgmt. (8)
     • ITM risk management always connects to business objectives
     • Focus is on the business outcome
     • ITM risk governance aligns the management of ITM-related risk with overall ERM
     • ITM governance should balance the costs and benefits of managing ITM risk
     • There should be open communication regarding ITM risk
     • Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
     • ITM risk management is continuously improved

  38. ITM Risk Management Framework • Risk Mgmt. (8) (diagram; the three domains surround Business Objectives and are linked by Communication)
     • Risk Governance – Ensure ITM risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
       • Integrate with ERM
       • Establish & Maintain a Common Risk View
       • Make Risk-Aware Business Decisions
     • Risk Evaluation – Ensure ITM-related risks and opportunities are identified, analyzed and presented in business terms
       • Collect Data
       • Analyze Risk
       • Maintain Risk Profile
     • Risk Response – Ensure ITM-related risk issues, opportunities and events are addressed in a cost-effective manner, in line with business priorities
       • Articulate Risk
       • Manage Risk
       • React to Events

  39. Risk Appetite • Risk Mgmt. (8)
     • Risk appetite
       • Amount of risk the institution is willing to accept in pursuit of its mission
       • “What level of risk are we comfortable living with?”
     • Provides context for analysis and response to individual risks by management
     • Defined/approved by the Board of Governors in terms of frequency and impact
     • No absolute norm or standard of what constitutes acceptable risk
     • Should be clearly communicated to stakeholders and staff through policies and standards
     • Consider objective capacity to absorb loss & management culture

  40. Scoping ITM Risk Management Activities • Risk Mgmt. (8)
     ITM Risk Management Scoping Based on Risk Assessment Results:
     • Very High
       • Detailed scenario development and frequent maintenance of the risk register
       • Independent review of risk analysis results
       • Quarterly detailed reporting on risk profile
       • ...
     • High
       • Detailed scenario development and frequent maintenance of the risk register
       • Independent review of risk analysis results
       • Semi-annual detailed reporting on risk profile
       • ...
     • Medium
       • Detailed scenario development for analysis
       • Self-assessment and review
       • Yearly update and quarterly summary reporting
       • ...
     • Low
       • Self-assessment and review
       • Generic scenarios
       • Less frequent reporting
       • ...

  41. Section 4 – Value Delivery: ITM Financial Management Governance & Management Controls Overview Session

  42. Key Concepts • Financial Management (6)
     • Institution must establish a financial management framework for information and related technology
       • Approved by the ITM Steering Committee
       • CIO accountable to the ITM Steering Committee for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
       • Should be formally evaluated based on a schedule determined by the ITM Steering Committee
     • Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
     • 3 main elements:
       • ITM budget management, portfolio mgmt. and cost/benefit management

  43. ITM Financial Mgmt. as Process • Financial Management (6) (diagram: inputs flowing into the Financial Management Framework, outputs flowing out)
     Inputs:
     • Comprehensive Institution Plan
     • Enterprise Architecture
     • Information Security Plan
     • Strategic ITM Plan
     • ITM Tactical Plans
     Outputs:
     • Budget
     • Actual Expenditures vs. Budget Reports
     • Updated portfolios
     • Accountability & Transparency re: Value Contribution & TCO through Cost/Benefit Reports

  44. ITM Financial Mgmt. Framework • Financial Management (6) (diagram)
     Elements shown: ITM Governance; Financial Management Framework; ITM Budget Management; Portfolio Management; Cost/Benefit Management; Investment Prioritization within Portfolios; Business Case Development & Use.
     Asset portfolios shown as summed together: People Assets + Information Assets + Application Assets + Infrastructure Assets + Service Assets + Process Assets.

  45. High-Level Process Elements • Financial Management (6)
     • Budget Management
       • Define strategic business objectives and determine high-level budget envelopes
       • Develop ITM budget
       • Monitor and report on actual results
       • Develop ITM budget recommendations

  46. High-Level Process Elements • Financial Management (6)
     • Portfolio Management
       • Define portfolios and sub-categories
       • Determine the investment ‘weight’ of each portfolio or sub-category
       • Develop and use ITM business cases for ITM investment
       • Prioritize investments within portfolios
       • Identify HR needs across portfolios
       • Review and report on project, program and portfolio performance

  47. Section 5 – Value Delivery: Human Resources Management Governance & Management Controls Overview Session

  48. Key Concepts • Human Resources Management (3)
     • Processes for the management of IT human resources are an essential part of an ITM Control Framework
     • CIO (not HR) is responsible for ensuring the institution has an ITM workforce with the skills necessary to achieve organizational and ITM goals
     • Main tasks:
       • Define, monitor and supervise execution of ITM roles & responsibilities
       • Provide appropriate and sufficient training (technical, internal control and security)
       • Minimize dependency on key staff
       • Ensure compliance with organizational policies
       • Report to the ITM Steering Committee on key issues

  49. Why ITM HR Mgmt. is Important • Human Resources Management (3)
     • Labour costs are 30% - 60% of the ITM budget
     • Quality of ITM personnel has enormous impact on effectiveness of the service provider organization, end-user satisfaction, optimizing value and proactive use of technology
     • Market for highly proficient IT resources is competitive and will get more so – hiring and retaining the best resources will continue to be a critical success factor for the CIO
     • Unique aspects to management of IT professionals (pool characteristics, diverse career expectations, training requirements) exacerbate the need for involvement of ITM managers
     • Turnover costs are enormous (e.g., 1 – 2 times annual salary)

  50. HR Management as Process • Human Resources Management (3) (diagram: inputs flowing into IT Human Resource Management, outputs flowing out)
     Inputs:
     • Integrated Governance Structure
     • ITM Organization Chart
     • ITM Strategic & Tactical Plans
     • ITM Budget
     • Business Requirements
     Outputs:
     • IT HR policy and procedures
     • IT skills matrix
     • Job descriptions
     • Staff skills and competencies, including individual training logs
     • Training plans
