620 likes | 779 Views
Corporate Governance of Information Technology. Mark Toomey Managing Director Infonomics Pty Ltd Chair, Standards Australia Committee IT-030 Member, ISO/IEC JTC-1 SC-7 WG1A. 0:00.
E N D
Corporate Governance of Information Technology Mark Toomey Managing Director Infonomics Pty Ltd Chair, Standards Australia Committee IT-030 Member, ISO/IEC JTC-1 SC-7 WG1A 0:00
Use of this slideshow and copies thereof for the purpose of group knowledge transfer is restricted to personnel expressly approved by Infonomics and is subject to payment of a license fee.This material was prepared to provide general guidance and stimulate debate. It should not be construed as providing professional advice and services for any particular or specific situation. As such, it should not be used as a substitute for consultation with expert advisers. Before making any decision or taking any action you should consult with Infonomics Pty Ltd or other competent professionals. This PowerPoint slideshow is provided ACS members attending the Education Across the Nation series on Governance of IT, during 2009.The slideshow is provided for the personal use of ACS members during and after the lecture, for the purpose of their own self-development, and for the purpose of facilitating conversations with their colleagues, including top level management and directors. Permission is hereby given for participants in the Education Across the Nation series on Governance of IT to copy this material for these purposes only.The Education Across the Nation series on Governance of IT does not necessarily equip its participants with the in-depth knowledge required to enable the participants to act as instructors for classroom delivery of the material. 0:00
ISO 38500: First GlanceAustralian guidance leads the world… 0:02
Business Needs Business Pressures ISO 3500: First GlanceA Model, and Six Principles Corporate Governance • Responsibility; • Strategy; • Acquisition; • Performance; • Conformance; • Human Behaviour. Evaluate Monitor Proposals Direct Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects 0:04
Why do we need a standard?IT keeps going wrong: July 2003 June 2004 October 2005 July 2006 0:06
Why do we need a standard?The names and stories keep rolling on… 2008. British Gas sued Accenture for £182Million. A failed billing system project resulted loss of a million customers and required 2,500 additional staff for two years. 2007. British Sky Broadcasting sued EDS for £709Million, following failure of its Customer Relationship Management (CRM) initiative. BSkyB claims it has lost significant anticipated benefits. IT crash hits Virgin Blue: April 17, 2008 St George admits to security flaw. March 25, 2008 Late Cancelled 0:08
Change Governance Problem on a Massive Scale. Why do we need a standard?Investigations reveal the true cause of problems! In the case of the ICS,there does not appear to have been an effective structure or process to direct and control the project, nor to make suitable risk decisions. To fulfil this task, Customs has hadat least 10 bodies responsible for different aspects of the management and governance of the ICS, including the interactions with industry… These bodies overlap in their responsibilities and accountabilities, and overall the program has no single business owner and accountabilities for its delivery are unclear. We have been unable to locate a clear and quantified set of outcomes and benefits expected from the introduction of the ICS Some changes have been the cause of severe disruptions and reduced process efficiency. Source: The Australian IT (online) and Booz Allan Hamilton Report “Review of the Integrated Cargo System” 0:10
Why do we need a standard?The problem is not in the process! The Gimli Glider. See http://www.casa.gov.au/wcmswr/_assets/main/fsa/2003/jul/22-27.pdf 0:12
Why do we need a standard?The Cost of IT Failures • In Australia alone: • Failed Projects: $1.5b + per annum* • Foregone Benefits: $20b per annum* • Operational Losses: $Incalculable • Reputation damage: $Incalculable. • But isn’t this the tip of the iceberg? • Competitors respond • Predators descend • Regulators investigate • Lawyers litigate • Today’s IT failure can have a serious impact on the bottom line, and in the boardroom. * Dr R C Young: What is the ROI for Project Governance? Macquarie University, November 2006. 1% – 3% GDP! 0:14
But we’ve already done IT Governance!Effort within IT has not solved the problem! • Investment ensures that IT is doing its job competently • Rigour • Process • Control • Reporting • But it’s not just in IT that problems develop: • Use of IT in achieving business goals involves business change • Process • People • Structure • Context • And necessarily requires that business leaders engage fully: • Being responsible • Setting direction • Planning and implementing Polishing INSIDE the Kettle improves supply… … but does not fully address the problem of use! ITIL Prince2 CoBIT Delivery CMMI PMBOK TOGAF Etc. Many issues arise here – outside IT’s sphere of control. Use Governance of IT has to deal with how organisations USE IT as well as with how IT departments operate. 0:16
The pressure for Board Oversight:KPMG Global IT Project Management Survey (Sep 05) • Traditional measures of success (time and budget) are being superseded: • “Achieving benefits – keeping commitments – is now the key determinant of project success.” • Since 2003, performance of projects has improved marginally: • Failure rates are still appalling; • Many organisations do not focus on realising or measuring benefits. • “The key element (that makes some organisations more successful) appears to be an appropriate governance framework – to complement planning and prioritisation of activities and to help ensure execution controls are in place until benefits are realised.” • “The board must put in place, through management, a rigorous oversight framework to monitor achievement of budgets, the meeting of timelines and to help ensure that the agreed benefits are realised. To achieve this, the board must receive the right information at the right time”. Those responsible at the top of the organisation must govern… 0:17
Understanding Corporate Governance of IT:Four key concepts Corporate Governance Business Systems and Change The Business Cycle: Demand and Supply The System for Governing IT 0:18
Corporate Governance:Fundamentals… Definition from “Report of the Committee on the Financial Aspects of Corporate Governance” (Chair: Sir Adrian Cadbury), London, 1992 Ownership “Appoint the Directors” Corporate Governance: The System by which entities are directed and controlled. (Cadbury) Governance “Protect owners interests” Direct Monitor Establish Strategy Management “Develop business capabilities” “Run business operations” Adapted from “Corporate Governance – A Working Definition”, Teresa Barger, Director IFC/World Bank Corporate Governance Department 0:20
Large Business Gov’tAgency Micro Business SME Business Seamless participation in all 3 levels Owner/Directors Electors Share-holders Government or Board Elected directors Low discretion management High discretion management High discretion management Corporate Governance:Fundamentals… Ownership “Appoint the Directors” Governance “Protect owners interests” Direct Monitor Establish Strategy Management “Develop business capabilities” “Run business operations” 0:21
Business Needs Business Pressures Corporate Governance:The Information (IT) domain. Corporate Governance Evaluate Monitor Proposals Direct Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects Governance Domains and Systems Corporate Governance visibility and control Humanassets Physicalassets IPassets Information (IT) assets Relationship assets Management Responsibility Financial assets 0:23
Business Needs Business Needs Business Pressures Business Pressures Corporate Governance of IT. Corporate Governance Corporate Governance Evaluate Evaluate Monitor Monitor Proposals Proposals Direct Direct Performance Conformance Performance Conformance Plans, Policies Plans, Policies Corporate Management Corporate Management IT Operations IT Operations IT Projects IT Projects Governance Domains and Systems Corporate Governance visibility and control Corporate Governance of IT: The System by which the current and future use of IT is directed and controlled. Humanassets Physicalassets IPassets Information (IT) assets Relationship assets Management Responsibility Financial assets 0:24
Business Systems and Change • Operating context of the organisation • External • Internal. • Four key elements of operating organisations • People – who participate in business events • Process – what business events take place • Structure – where business events happen • Technology – enabling and recording events • IT intrinsic to day to day operations • Business process specific - Transactions, Customers, Etc • Generic - Email, Telephony, Information People The Business Context Process Structure The Business System Technology This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965. 0:25
Operating context of the organisation • External • Internal. • Four key elements of operating organisations • People – who participate in business events • Process – what business events take place • Structure – where business events happen • Technology – enabling and recording events • IT intrinsic to day to day operations • Business process specific - Transactions, Customers, Etc • Generic - Email, Telephony, Information • When IT fails, whole organisations and extended organisations stop • Citylink Melbourne, Tuesday 20 Sept 2006 People People The Business Context Process Structure The Business System Process Structure The Business System Technology Business Systems and Change Technology This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965. 0:26
People People Changed People The Business Context The Business Context Changed Business Context Process Process Structure Structure The Business System The Business System People Changed Process Changed Structure Changed Business System Technology Technology Changed Technology Process Structure The Business System Technology Business Systems and Change • Change Program • Business System • Process • Technology • Structure • People • Business Context • Process • Technology • Structure • People • Implementing IT enabled change involves attention to every facet of business models and practices • Internal and external factors • IT is now a fundamental enabler of change and is leading to new business models and new business practices • Eg e-Government “Traditional” IT Change Project • Governing IT Enabled Change involves much more than governing technology activities. 0:28
The Business Cycle:Demand and Supply Current Use: Run the Business Future Use: Plan the Business Plan Future Use: Build the Business Build Run 0:29
The Business Cycle:Demand and Supply The System of Management Current Use: Run the Business Future Use: Plan the Business Strategic Business Future Ongoing business operations Business Domain: How IT is used to enable and operate the business ValIT Supply Supply Demand Demand Future Use: Build the Business IT Domain: How IT is managed and delivered. Effective IT enabled change Reliable IT Service ITIL, ISO 20000, ISO 27000, CoBiT etc 0:30
The System for Governing IT:An integrated system overseen by the Board The System of Management Strategic Business Future Ongoing business operations Business Domain: How IT is used to enable and operate the business The System of Management ValIT Strategic Business Future Ongoing business operations Business Domain: How IT is used to enable and operate the business Supply Supply Demand Demand ValIT Supply Supply IT Domain: How IT is managed and delivered. Demand Demand Effective IT enabled change Reliable IT Service IT Domain: How IT is managed and delivered. Effective IT enabled change Reliable IT Service ITIL, ISO 20000, ISO 27000, CoBiT etc ITIL, ISO 20000, ISO 27000, CoBiT etc 0:31
The System for Governing IT:An integrated system overseen by the Board Corporate Governance Oversight Board oversight ISO 38500 Performance, Conformance Rules, Direction, Behaviour The System of Management Strategic Business Future Ongoing business operations Business Domain: How IT is used to enable and operate the business The System of Governance ValIT Supply Supply Management Responsibility Demand Demand IT Domain: How IT is managed and delivered. Effective IT enabled change Reliable IT Service ITIL, ISO 20000, ISO 27000, CoBiT etc 0:32
The System of GovernanceInside the System Vision Plan Strategy Strategy Plans Portfolio Build Enterprise Architecture Plan Program Information Security Information Security Initiatives Asset Project Build Run Run Operation Operation Adapted from a model developed by John Thorp, author of The Information Paradox. 0:34
The System of GovernanceThe System Perspective Vision Vision Vision • Corporate Governance • Evaluate, Direct • and Monitor Strategy Strategy Strategy Strategy Strategy Strategy Top Management - Plan, Supervise and Realise Plans Plans Plans Portfolio Portfolio Portfolio Enterprise Architecture Enterprise Architecture Enterprise Architecture Program Program Program Information Security Information Security Information Security Information Security Information Security Information Security Initiatives Initiatives Initiatives Asset Asset Asset Project Project Project Operation Operation Operation Operation Operation Operation Adapted from a model developed by John Thorp, author of The Information Paradox. Line Management - Implement and Operate 0:36
Business Needs Business Pressures Evaluate Corporate Governance Evaluate Monitor Proposals Direct Proposals: plans and suggestions Vision Strategy Detailed plans Initiatives Projects (and changes thereto) BAU Operations (the oft-forgotten default) Current and future use of IT Supply Governance Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects 0:39
Business Needs Business Pressures Direct Corporate Governance Evaluate Monitor Proposals Direct Policy to guide management decisions. Strategy to establish focus and direction. Progressive allocation of resources. Clear delegation of authority. Appropriate incentives and rewards. Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects 0:41
Business Needs Business Pressures Monitor Corporate Governance Evaluate Monitor Proposals Direct Achieving intended results And taking action if they are at risk Assuring conformance External and internal Making adjustments for reality Ensuring that management is doing its job properly. Ensuring that the governance system is effective. Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects 0:43
Business Needs Business Pressures Six principles for good governance of IT Corporate Governance Evaluate Monitor Proposals Direct Responsibility Strategy Acquisition Performance Conformance Human Behaviour Performance Conformance Plans, Policies Corporate Management IT Operations IT Projects 0:45
Using ISO 38500 0:45
Using ISO 38500Guide for assessment and improvement What does each cell mean? How do you perform? What should you seek to improve? What consequences of improvement should you seek? 0:47
Using ISO 38500Benchmarking and comparing performance • Human Communities: • Who are they? • How do they behave? • What do they need? • What motivates them? Principles Responsibility Strategy Acquisition Performance Conformance Human Behaviour RMIT and Infonomics research 2006-7. Published in “Achieving Business Sustainability” (Infonomics), and “Information Technology Entrepreneurship and Innovation”, edited by Fang Zhao, published by IGI Global, 2008. 0:48
Using ISO 38500Learning through evaluating patterns Focusing on today - Insufficient attention given to the future? I know nothing about the IT in my organisation… IT not adequately integrated in corporate strategic thinking? RMIT and Infonomics research 2006-7. 0:49
Overall Overall Corporate Governance of ICT Planning 2.4 Responsibility 2.7 Acquire 3 Human Factors 3 Conform 2.9 Perform 2.9 1 2 3 4 5 6 A Typical Assessment ResultPoor performance in critical areas. • Responsibility: there is neither clear nor appropriate allocation of responsibility for IT. • Strategy: there is no effective planning for IT in the context of business strategy and direction. • Acquisition: decisions to invest in new IT capability are not made in an appropriate framework. • Performance: demand for IT service are unlikely to be met. • Conformance: the rules for IT are inadequate. • Human Behaviour: human issues are given scant attention in IT planning and delivery. 0:50
Using ISO 38500Closing the gaps in contemporary techniques CobiT ITIL Prince2 PMBOK Gateway ValIT People Control & Direct the Business Process Structure Control and Direct use of IT. Technology 0:52
Using ISO 38500 Developing Policy for control of IT Your ISO 38500 Framework • Strategic Policies • Your posture relative to Principles • Board role: consultation and approval • Operating policies • Specify how projects and operations are conducted • Board role: awareness • Usage policies • Rules for how people use the business systems and technology resources • Board role: part of user community. 0:53
ResponsibilityThe Crucial Strategic Policy • How is responsibility allocated for: • Allocating responsibility? • Developing business strategy and planning business use of (demand for) IT? • Developing strategies for supply and delivery of IT capability and service? • Making decisions to invest in IT? • Determining targets and measuring business and IT performance? • Ensuring that IT investment initiatives achieve agreed, appropriate success criteria? • Ensuring that business demand for operational supply of IT service is satisfied efficiently and effectively? • Understanding conformance requirements, establishing effective conformance rules, and assuring conformance? • Understanding and ensuring respect for human behaviours? • What are the responsibilities of each individual in respect of IT demand and supply? 0:54
Using the StandardFundamental Rules • Change Management Rule 0 – Engage the right sponsor and involve the right people. • Change Management Rule 1 – Communicate, Communicate, Communicate. • Change Management Rule 2 – Measure, adjust, measure. • Change Management Rule 3 – Start with the fundamentals. • Change Management Rule 4 – Small steps, with clear objectives. • Change Management Rule 5 – Keep communicating; keep measuring; keep improving. 0:55
Self Assessment When and how Branch feedback Information Age Article 0:57
Additional Material 0:59
Questions 0:60
What do you have to lose? Seize the opportunity! ISO/IEC 38500. Thank you. mtoomey@infonomics.com.au 0:70
Responsibility Who is responsible for what when it comes to current and future use of IT? Does everybody understand their responsibility? Do those with responsibility deliver? If IT is responsible for supply, who is responsible for demand? And who is responsible for results?
Strategy (Planning) Planning IT use (demand and supply) to best serve the organisation. Who should determine the organisations strategy for USE of IT? How are business strategy and IT strategy related? How is strategy enacted? Includes key planning disciplines Portfolio Project Architecture
Acquisition Decisions to invest in IT Decisions to continue existing IT initiatives Decisions to continue using operational IT Decisions on sourcing of IT capabilities Decisions on selection of technologies
Performance Current performance Operational objectives Investment objectives Future performance Running the business Delivering capability Stable base for change Implementing change Wide scope Systems and infrastructure People Management systems
Conformance Understanding the rules Formulating the rules Communicating the rules Enforcing the rules Identifying and sanctioning non-conformance