Making sense of IT Governance – the implications of King III Presenter: Marlene Badenhorst (ACIS)
Content
• Research objective and research question
• Definitions of IT governance
• Literature review of selected Codes, Frameworks, Standards and Best Practices
• Assessment of the current industry application of governance concepts
• A generic governance framework for IT governance and the governance of outsourcing
• Conclusion

Research objective & research question
Research Objective:
• Literature review and IT governance efficiency survey to assess:
  • Do known reference models, frameworks and standards address the governance requirements of ICT outsourcing companies?
  • What is the current status of IT governance practices?
Research Question:
• Can a generic governance framework be formulated to address these requirements?

What is ‘IT Governance’?
It is ... the responsibility of the board and executive.
It consists of ... the leadership, organisational structures & processes ... to ensure that the enterprise’s IT ... sustains and extends organisational strategies & objectives.
Source: ITGI

Enterprise governance drives IT governance
• Enterprise governance is about:
  • Conformance: adhering to legislation, internal policies, audit requirements, etc.
  • Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals, directed by the board.
Source: ITGI
What is the ‘governance of outsourcing’?
The responsibilities, roles, objectives, interfaces & controls required ... to anticipate change and ... manage the introduction, maintenance, performance, costs and control of third-party provided services.
Source: ITGI
Literature review of selected codes, frameworks, standards and best practices
King III requirements – the link between IT governance practices and law
• Directors’ duty of care: ensure that prudent and reasonable steps are taken regarding IT governance.
• Corporate governance practices, codes and guidelines raise the bar for what is regarded as an appropriate standard of conduct.
• Failure to meet a recognised standard of governance, albeit not legislated, may render a board or an individual director liable at law.

King III requirements: IT governance
• IT governance ...
  • is the responsibility of the board;
  • should be an integral part of enterprise governance structures;
  • should be owned by the board.
• The board must set the management direction. It is required to ...
  • assume a more significant role in terms of IT governance, and
  • insist on the establishment of an IT governance management framework, based on a common approach, e.g. COBIT.

King III requirements: IT Governance focus areas
• IT governance should focus on four key areas:
  • strategic alignment with business;
  • value delivery;
  • risk management; and
  • resource management.

COBIT focus areas (diagram): Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement, mapped against the four King III focus areas above.
Source: ITGI (www.itgi.org)
Context: Best Practices (diagram)
Source: Own source

Context: COBIT and VAL IT (diagram)
VAL IT addresses:
• The strategic question: Are we doing the right things?
• The value question: Are we getting the benefits?
COBIT addresses:
• The architecture question: Are we doing them the right way?
• The delivery question: Are we getting them done well?
Source: Thorpe, cited by ITGI

Status: IT Governance Best Practice Implementation
Percentage of respondents per practice; columns follow the chart legend order (Have implemented / Considering implementation / Implementing now / Not considering implementation).
Alignment between IT strategy and overall strategy:  16% / 12% / 51% / 21%
IT resource management:                               18% / 12% / 20% / 50%
IT Value Delivery:                                     9% /  9% / 21% / 61%
IT Risk Management:                                    9% /  9% / 16% / 66%
Actual IT performance measurement:                    10% / 10% / 14% / 66%
Active management of IT ROI:                           7% /  8% / 13% / 72%
Source: ITGI/Lighthouse survey 2005
Generic governance model (diagram)
Enterprise Governance of IT spans two mirrored frameworks: a Service Provider IT Governance Framework and an Outsource Client IT Governance Framework. Each is built from the same components (VAL IT, compliance requirements, COBIT and practitioner processes) and the two are linked through a Service Provider Interface and an Outsource Client Interface.
Source: own source

Generic process model (diagram)
The Service Provider and the Outsource Client (Buyer) run the same process set: manage enterprise, develop enterprise strategy, strategic management of product portfolio, strategic management of capacity, and support processes. A Client Interface on the provider side and a Service Provider Interface on the client side connect Outsource Client 1 ... (n) with Service Provider 1 ... (n).
Source: own source
IT governance interrelationships (service provider perspective) (diagram)
Board level: Board of Directors with its IT Strategy Committee, Compensation Committee, Finance Committee, Business Strategy Committee and Audit Committee.
Executive level: CEO, CFO, CIO, Business Executives, Sales & Marketing, Account Management and HR; Compliance, Audit, Risk & Security (CARS).
Governance bodies around ‘IT’: IT Steering Committee, IT Architecture Review Board, Technology Council, Programme Management Office (PGMO) and Process Oversight Committee.
Source: ITGI, own source

IT governance interrelationships (service provider perspective), extended (diagram)
The same structure as the previous slide, with two value-management bodies added: an Investment & Services Board (ISB) reporting alongside the CEO, and a Value Management Office (VMO) alongside the CFO and CARS.
Source: ITGI, own source
Conclusion
• Best practices are not widely adopted.
• There is significant room for improvement in most companies’ IT governance domain.
• Governance best practices address outsourcing governance only to a limited extent.
• A focussed effort is required by SA companies to ensure compliance with the King III principles for good IT governance.
• The generic framework that has been formulated addresses the need for an integrated approach to IT governance.
COBIT & Other IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
(Diagram: COSO, ISO 27002, COBIT, ISO 9000 and ITIL positioned on two axes, HOW versus WHAT and scope of coverage.)
Source: ITGI

Where Does COBIT Fit? (diagram)
• Conformance drivers: Basel II, Sarbanes-Oxley Act, etc.
• Performance drivers: business goals, balanced scorecard.
• Enterprise Governance: COSO.
• IT Governance: COBIT.
• Best practice standards: ISO 9001:2000 (QA procedures), ISO 27002 (security principles), ISO 20000 and ITIL (processes and procedures).
Source: ITGI
COBIT Framework (diagram)
Business objectives and governance objectives drive information requirements. Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability. IT resources: applications, information, infrastructure, people.
Plan and Organise:
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
Acquire and Implement:
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.
Deliver and Support:
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
Monitor and Evaluate:
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.
Source: ITGI

Interrelationship of the COBIT Components (diagram)
• Business Goals set information requirements; IT Goals are derived from them and delivered by IT Processes.
• IT Processes are broken down into Key Activities, controlled by Control Objectives, and measured by Performance Indicators (for performance), Outcome Measures (for outcome) and Maturity Models (for maturity); they are audited with Control Outcome Tests.
• Control Objectives are implemented with Control Practices and audited with Control Design Tests.
• Key Activities are performed by the roles in a Responsibility & Accountability Chart.
Source: ITGI

Dimensions of Maturity (diagram)
• HOW (capability): maturity level 0 to 5.
• HOW MUCH (coverage): 0% to 100%.
• WHAT (control).
Primary drivers: IT mission and goals; risk and compliance; return on investment and cost-efficiency.
Source: ITGI
VAL IT domains & processes
Value Governance (VG):
• Establish informed and committed leadership
• Define and implement processes
• Define portfolio characteristics
• Align & integrate value management with enterprise financial planning
• Establish effective governance monitoring
• Continuously improve value management practices
Portfolio Management (PM):
• Establish strategic direction and target investment mix
• Determine the availability and sources of funds
• Manage the availability of human resources
• Evaluate and select programmes to fund
• Monitor and report on investment portfolio performance
• Optimise investment portfolio performance
Investment Management (IM):
• Develop and initiate the initial programme business case
• Understand the candidate programme & implementation options
• Develop the programme plan
• Develop full life-cycle costs and benefits
• Develop the detailed candidate programme business case
• Launch and manage the programme
• Update operational IT portfolios
• Update the business case
• Monitor and report on the programme
• Retire the programme
Source: ITGI

Road map to IT governance
Identify Needs:
• Raise awareness & obtain management commitment
• Define scope
• Define risks
• Define resources and deliverables
• Plan programme
Envision solution:
• Assess actual performance
• Define target for improvement
• Analyse gaps and identify improvements
Plan solution:
• Define projects
• Define improvement plan
Implement solution:
• Implement the improvements
• Monitor implementation performance
• Review programme effectiveness
Operationalise solution:
• Build sustainability
• Identify new governance requirements
Source: ITGI