IT Governance within Financial Institutions


Kirk Tyrell, CISA
Assistant Director
Financial Institutions Supervisory Division
Bank of Jamaica
www.boj.org.jm

CARTAC & Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners

June 23 – 25, 2009
Georgetown, Guyana

Topics

What does IT Governance involve?

Why is IT Governance important?

What you must know about IT Governance

Supervisory expectations for IT Governance

What is IT Governance?

“…is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.” (source www.wikipedia.com)


What is IT Governance?

“… the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.” (source www.ITGI.org)

Problems With IT Governance

Is IT governance different from IT management and IT controls? Why the confusion?

Does IT confer strategic advantage?

Are all the detailed process controls necessary?

Why the Increased Focus on IT Governance?

High-profile collapses (e.g. Enron, Arthur Andersen, WorldCom, AIB, HSBC, etc.)

Maintaining (or Recapturing) public confidence and trust

Anchor for effective risk management


Why the Increased Focus on IT Governance?

Respond to calls for greater transparency and closer oversight, to prevent similar problems from happening again

Board and executive management awareness of the challenges facing IT management

Sarbanes-Oxley and Basel II in Europe


Why the Increased Focus on IT Governance?

“…effective corporate governance is essential to maintaining public trust and confidence in the banking sector, and provides a crucial anchor for sound risk management practices.” (Mr Jaime Caruana, Chairman of the Basel Committee and Governor of the Bank of Spain)

IT Governance Goals

Provide assurance that the investments in IT generate business value

Establish structures and controls to mitigate the risks that are associated with IT

A proactive and holistic approach to talent management within IT

IT Governance Frameworks

Enhancing Corporate Governance for Banking Organizations (BIS)

The IT Infrastructure Library (ITIL)

Control Objectives for Information and related Technology (COBIT)

The ISO/IEC 27001 (ISO 27001)


IT Governance Frameworks

ISO/IEC 38500:2008 Corporate Governance of Information Technology

Others: The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs (“IT Baseline Protection Manual” before 2005)

The Information Security Management Maturity Model ISM3

AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology


Non-IT Specific Frameworks

The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas

Six Sigma - focus on quality assurance

Sub-Domains of IT Governance

Regulatory compliance

Information governance and information security

IT Service Management

Project governance

Risk management


Sub-Domains of IT Governance

Knowledge Management, including Intellectual Capital

Business continuity and disaster recovery

Components of IT Governance Cycle

Create strategic alignment: SISP based on the overall plan

Manage the system daily to ensure achievement of targets

Structure/organize IT resources for increased efficiency/effectiveness

Risk management: establish controls to ensure achievement of goals

Determine and obtain input for achievement of goals/objectives

Audit/performance measurement: hold persons accountable

Policies of the Board of Directors and directives of top management

Apply necessary corrective action to the results of the assessment


IT Governance Domain (COBIT)

[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Resource Management, Risk Management and Performance Measurement]


Domain 1 – Strategic Alignment

Achievement of IT alignment requires:

Leadership and commitment from the highest levels

Proactive engagement

Domain 1 – Strategic Alignment

The board should take responsibility for:

Ensuring that IT strategy is aligned with business strategy

Ensuring that IT delivers against the strategy

Directing IT strategy to balance investments

Domain 1 – Strategic Alignment

Making informed decisions about the focus and priority for the use of IT resources

Ensuring that appropriate IT and related business resources are available

Domain 1 – Strategic Alignment

…there is a strong argument that ultimate responsibility for IT strategy setting and implementation should rest with the business leadership.

The right things are chosen in the first place

Things are being done the right way

Things are being done well

Maximum benefits are derived

Domain 1 – Strategic Alignment

Internal bodies in the form of:

IT Investment Committee

IT Policy Committee

IT Steering Committee

IT Strategy Committee

Domain 1 – Strategic Alignment

Examiners’ Expectation:

Duties of IT Strategy and IT Steering Committees are defined in a formal charter

Ensure that the financial institution is paying attention to the importance of IT strategic planning and its alignment with business objectives


Domain 2 – Value Delivery

Essential components:

IT governance overall is about delivering value and managing risk

Value delivery embodies the concept of risk-related returns

Value delivery is not possible without strategic alignment and resource management

Domain 2 – Value Delivery

…it is impossible to provide transparency of success or failure without performance measurement

Domain 2 – Value Delivery

…value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT (source ITGI)

Domain 2 – Value Delivery

Key Board responsibilities:

Ensure that stakeholder value is obtained

Allocation of resources

Domain 2 – Value Delivery

A study carried out within the global financial services group ING indicates that IT-related business investments have the potential to deliver far greater returns than almost any other conventional investment. (Source: ITGI, 2008)

Domain 2 – Value Delivery

IT-related spending or investment:

Run the business

Grow the business

Transform the business

Source: The META Group

Domain 2 – Value Delivery

Key components of an IT investment approval process include:

Preparation of a comprehensive business case based upon a consistent corporate standard and agreed assumptions (e.g. tax rates and inflation rates)

Establish an approval board or committee

Domain 2 – Value Delivery

Consideration of key financial metrics (e.g. NPV, IRR and payback period, etc.)

Provision for proper accountability for the delivery of results

Definition of appropriate hurdle rates for IT investments

Domain 2 – Value Delivery

Providing assurance that:

Proper project management processes will be followed

All parts of the business will be affected by the outcome

Resources necessary to maximize the chances of success will be committed

Increase capability maturity model (CMM) level for systems development and implementation

Domain 2 – Value Delivery

Realizing the Benefits:

The clarity and precision of anticipated benefits

Ongoing tracking of the actual benefits achieved

Ensure appropriate accountability

Domain 2 – Value Delivery

Examiners’ Expectation:

Board monitors IT delivery against the strategy through clear expectations and measurement

Management sets baselines for measuring capacity and growth planning and service improvement, and utilizes industry standards and benchmarking

Operations management measures and reports on budget achievement


Domain 3 – Performance Delivery

Demonstrates the effectiveness and added business value of IT

Getting business value from IT and measuring that value are important governance domains

Domain 3 – Performance Delivery

IT performance management is aimed at:

Identifying and quantifying IT costs and IT benefits

Limitations of traditional quantifiable performance measures (financial terms) such as ROI, NPV, IRR and the payback method

Overcoming the limitations of measuring “unquantifiable” values, i.e. the IT balanced scorecard

Domain 3 – Performance Delivery

The Balanced Scorecard (BSc) is a performance management tool which began as a concept for measuring whether the smaller scale operational activities of a company are aligned with its larger scale objectives in terms of vision and strategy

Domain 3 – Performance Delivery

By focusing not only on financial outcomes but also on the operational, marketing and developmental inputs to these, the BSc helps provide a more comprehensive view of a business, which in turn helps organizations act in their best long-term interests. (source Wikipedia)


Domain 4 – Risk Management

Requires:

Risk awareness by senior corporate officers

A clear understanding of the financial institution’s appetite for risk

Understanding of compliance requirements

Transparency about the significant risks to the enterprise

Embedding of risk management responsibilities into the organization


Domain 5 – Resource Management

Optimal investment in, and the proper management of, critical IT resources (i.e. applications, information, infrastructure and people)

Key issues relate to the optimization of knowledge and infrastructure

Examiners’ Responsibilities

Review:

IT strategies, plans and budgets

Security policy documentation

Organizational charts

Job descriptions

Steering committee reports

Change management procedures


Examiners’ Responsibilities

Operation reports and procedures

Quality assurance procedures

Noting exceptions and absence of documentation


Examiners’ Responsibilities

Reviewing contractual commitments:

Development of contractual requirements

Contract bidding process

Contract selection process

Contract acceptance, maintenance and compliance

Lessons Learnt

Each financial institution should have an IT Steering Committee with requisite board and management involvement

The board and management should ensure that policies and procedures are reviewed periodically for relevance

Financial institutions should adopt applicable industry best practices and rules to guide IT management.

Questions

Additional Resources

Executive Summary, COBIT v3.0 and COBIT v4.1 Retrieved from http://en.wikipedia.org/wiki/COBIT

ITIL for service delivery

CMM for solution delivery

ISO 17799 for information security

PMBOK or PRINCE2 for project management

Recommended