ITM Governance & Management Controls

CANHEIT Overview Presentation - June 2012

Clark Ferguson, CIO, University of Lethbridge

Agenda


Program Overview

Implementation Overview

Section 1 – Foundation Elements

Section 2 – Strategic Alignment

Section 3 – Risk Management

Section 4 – Value Delivery: IT Financial Management

Section 5 – Value Delivery: IT Human Resources Management

Section 6 – Value Delivery: IT Service Management

Wrap Up

Program Overview – Governance & Management Controls Overview Session

Alberta …

Post secondary sector …

Information & Technology Management …

Control Framework Program

Program


Provincial Office of the Auditor General increasing attention to governance & management controls across public sector

Alberta Advanced Education & Technology (AET) initiated program and enlisted support of post secondary leaders

Recognition that all post secondary institutions would need to comply

Quality of institutional systems would vary based on size of institution and capacity to allocate scarce resources

Province-wide program with contributions by AET & institutions

Leveraged program management and specialized consultants to harvest industry and institutional best practices

Introduction


26 post secondary institutions (all but 1 or 2) engaged

2 years of projects have been successfully completed with 1 project rescheduled due to quality problems

Significant involvement of business leaders and IT experts in projects

Team approach, high quality project deliverables, and strong communications & training have led to rapid adoption

Achievements


Dedicated program management and expert project consultants freed participating institutions to focus on contribution

Governance and approval of project and program materials was tricky, but with minor rework a successful process was achieved

Procurement process to contract project experts and careful oversight of their work extremely important

Joint approach has yielded very high quality deliverables and commitment amongst institutions to share best practices

Lessons Learned


Rising expectations regarding organizational governance

Concern over generally increasing level of IT expenditure & demand for better return on IT investments

Need to meet regulatory requirements

Significance of selection of service provider & management of outsourcing

Increasingly complex risk associated with information management & related technology

Need to optimize costs by following standards and best practices

Growing maturity and acceptance of frameworks and standards

Need for assessment against standards and peer organizations

Business Drivers


1. Proper Governance

2. Strategic Alignment

3. Value Realization

4. Risk Management

5. Resource Optimization

There are 5 Points Really!


Collaboratively develop a system-wide control framework for managing information and related technology that will assist with the implementation of strategic priorities, policies and principles through:

◦ Common best practice controls that are modifiable, scalable and implementable

◦ A shared content management system that will foster ongoing collaboration and effectively manage the control life cycle

Initiated a Program to…


Standards

(Figure) The ITM Control Framework draws on Legislation, COBIT, ISO 2700x, PMBOK and ITIL; the figure positions each source on a WHAT vs. HOW axis and by scope of coverage.

Translating Theory into Reality!

Program Design – Post-Secondary System ITM Control Framework

(Figure: project timeline by program year; dates in parentheses are as shown on the slide)

Year 1 (2010)

◦ Control Framework & Policies Project (June 2010)

◦ Change Management Project (October 2010)

◦ Privacy Project (November 2010)

◦ Governance Project (April 2011)

◦ Content Mgmt. System Project (April 2012)

Year 2 (2011)

◦ Information & Technical Management (December 2011)

◦ Identity Management & Information Security (December 2011)

◦ Enterprise Architecture (rescheduled to Year 3)

Year 3 (2012)

◦ Information Management (February 2013)

◦ Technology Management (February 2013)

◦ Enterprise Architecture (February 2013)

Year 4 (2013)

◦ Information Management ... Continued (August 2013)

◦ Wrap-up Project (December 2013)

Legend: Complete / In progress

Volunteers from the Institutions

Program designed to provide opportunity to volunteer:

◦ Working Group = 6-12 hours/month

◦ Key Stakeholders = 2-4 hours/month

◦ Project Steering Committee = 2 hours/month

Composition impacts legitimacy of deliverables

Committed participants who see the bigger picture

Participation


Collaboration Benefits

PSS expert body of knowledge

Relationships

Synergy

Sharing and capture of knowledge

Bleeding edge

Ongoing support

Common foundation for future opportunities


Look at the framework as a whole

Determine what pieces you need and how ‘deep’ you want to go in each area

Know your capabilities, capacity, current maturity, resource availability

Be realistic in your planning

Assign dedicated people to manage, communicate, train and assist with organizational change

Don’t underestimate the commitment that's required

Don’t forget to collaborate

Keep your eye on the end game

Moving Forward (aka implementation)


U of L Status


Program: Two business and 3 IT participants in the program work

Section 1 – Foundation Elements: ITM Control Framework leader assigned; ITM policy approved by the Board in May 2012

Section 2 – Strategic Alignment: Developing Fiscal 2014 budget in conjunction with University strategic alignment

Section 3 – Risk Management: Initiated PCI improvement program; planning external review of IT Security

Section 4 – Financial Management: Strengthening portfolio management; developing a consolidated view of full IT spend

Section 5 – HR Management: Conducting key skills review and gap analysis

Section 6 – IT Services Management: Documenting service portfolio; establishing business relationship management processes

Implementation Overview – Governance & Management Controls Overview Session

Alignment Map

(Figure) ITM Governance & Management Controls (64 controls), made up of six groups that sum to 64:

◦ Foundation Pieces (17)

◦ Strategic Alignment (4)

◦ Risk Management (8)

◦ Financial Management (6)

◦ Service Management (26)

◦ Human Resources Management (3)

Controls Summary

COBIT 4.1

◦ Risk IT

◦ Val IT

ITIL

◦ Service Strategy

◦ Service Design

◦ Continual Service Improvement

ISO/IEC 20000, ISO 31000

Web research

Development of Controls

Controls derived through ~3,000 hours of synthesis, discussion and adaptation to the post-secondary environment

Identify Drivers

Assess Current State

Define Desired Future State

Develop Plan

Execute Plan

Measure Results

Sustain Momentum

ITM Control Framework – Implementation Lifecycle

Use of maturity models

(next slide)

1 Initial/Ad Hoc

2 Repeatable but Intuitive

3 Defined Process

4 Managed and Measurable

5 Optimized

COBIT Maturity Scale

Program Objective: To increase the maturity level of all participating Institutions to a COBIT Maturity Level 3 by June 2014 in the areas where the controls have been implemented within the Institution.

Section 1 – Foundation Elements – Governance & Management Controls Overview Session

An ITM control framework is a critical part of every institution’s internal control program to mitigate risks and ensure:

◦ Management understands ITM’s role and relevance in the organization

◦ Alignment of investment with the institution mandate and strategic direction

◦ Value delivery

◦ Compliance with external requirements

◦ Continuous improvement re: ITM processes

It is the responsibility of the Board of Governors & executive management to communicate ITM investment objectives and expectations re: control environment and to provide training

Planning and adequate resourcing are essential

Key Concepts


Foundation Pieces

(17)

ITM Governance Questions

Are we doing the right things? (the strategic question)

Are we doing them the right way? (the architecture question)

Are we getting them done well? (the delivery question)

Are we getting the benefits? (the value question)

Organization Role / Responsibility

Board of Governors

• Oversight regarding strategic alignment, risk management and value delivery of ITM

Executive Committee

• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: ITM controls

ITM Steering Committee

• Approval of ITM Control Framework

• Ensures control environment aligns with institution’s management philosophy and operating style

• Regular assessment of the maturity of the institution’s control processes

CIO

• Overall development and implementation of the control environment

• Reporting on progress/results

Business Managers

• Input to development of the control environment

• Responsibility for operation of many controls

Roles & Responsibilities

Institution needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements

Comprehensive procedure required for:

◦ Identifying externally generated requirements in a timely manner

◦ Identifying internally generated requirements

◦ Escalating and resolving issues identified through implementation/operation of the ITM Control Framework

Framework needs to be regularly reviewed

◦ Internal audit

◦ Periodic 3rd party reviews

Provide for approved and documented exceptions to compliance with controls

Lifecycle Management of Controls

Section 2 – Strategic Alignment – Governance & Management Controls Overview Session

Strategic ITM Plan is an integral element of the comprehensive institution plan... not an afterthought!

Performance is measured using an ITM Balanced Scorecard

ITM investments should be managed across the institution in portfolios

Outcomes

◦ Alignment of business, ITM and risk management objectives

◦ Organization, services, application portfolios, technologies, competencies, processes & methodologies are in place to maximize ITM contribution

◦ Bi-directional education & involvement in ITM and business planning

◦ Regular assessment re: ITM contribution to business objectives

◦ Roadmap for addressing future needs

Key Concepts

Strategic Alignment

(4)

Clearly articulated institutional vision and priorities

Planning is considered important and closely linked to institutional budget

ITM plan is published

◦ Formal communication strategy specific to ITM stakeholders developed with communication strategy for comprehensive institution plan

ITM governance practices are seen to be effective

◦ Close relationships between ITM and non-ITM organizations and staff

◦ Informal and formal

◦ Communication with and involvement of key constituents, especially faculty and deans

Critical Success Factors

(Figure) Comprehensive Institution Plan: Strategic Priorities; Goals & Expected Outcomes; Performance Measures; Financial Plan; ITM Plan; Capital Plan; Institutional Access Plan; Institutional Research Plan

ITM planning steps within the institution plan:

1. Plan to Plan (purpose, process, scope)

2. Assess current ITM capability & performance

3. Describe desired ITM future

4. Conduct gap analysis

5. Articulate goals, objectives, strategies & measures

6. Develop business cases for individual initiatives

7. Categorize by portfolio and prioritize

8. Adjust plan as required

ITM Planning in Context

(Figure) Goals cascade linking the Comprehensive Institution Plan, Business Goals for IT, IT Goals, Enterprise Architecture, Balanced Scorecard, Governance Requirements, Business Requirements, Information Services, Information, Applications, IT Processes, and Infrastructure & People; the arrows between them are labelled deliver, run, need, require, influence and imply. Information Services are assessed against the Information Criteria*.

* effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

Section 3 – Risk Management – Governance & Management Controls Overview Session

ITM risk is business risk

ITM risk always exists, whether it is detected or recognized

Management of ITM-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management

Who should be involved?

◦ Board members and senior executives who need to set direction & monitor risk at the enterprise level

◦ Managers of ITM and business departments who define risk management processes

◦ Risk management professionals

◦ External stakeholders

Key Concepts

Risk Mgmt.

(8)

ITM benefit risk

◦ Missed opportunities to use technology to improve the efficiency or effectiveness of business processes or as an enabler for new business initiatives

IT program and project delivery risk

◦ Failure to realize the expected contribution of ITM to new or improved business solutions

IT operations and service delivery risk

◦ Where performance of IT systems and services does not meet service level expectations

ITM Risk Categories

ITM risk management always connects to business objectives

◦ Focus is on the business outcome

ITM risk governance aligns the management of ITM-related risk with overall ERM

ITM governance should balance the costs and benefits of managing ITM risk

There should be open communication regarding ITM risk

Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels

ITM risk management is continuously improved

Risk Mgmt. Principles

(Figure: three domains with their processes; Business Objectives and Communication sit at the centre)

Risk Governance: Ensure ITM risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return

◦ Establish & Maintain a Common Risk View

◦ Integrate with ERM

◦ Make Risk-Aware Business Decisions

Risk Evaluation: Ensure ITM-related risks and opportunities are identified, analyzed and presented in business terms.

◦ Collect Data

◦ Analyze Risk

◦ Maintain Risk Profile

Risk Response: Ensure ITM-related risk issues, opportunities and events are addressed in a cost-effective manner, in line with business priorities.

◦ Articulate Risk

◦ Manage Risk

◦ React to Events

ITM Risk Management Framework

Risk appetite

◦ Amount of risk the institution is willing to accept in pursuit of its mission: “What level of risk are we comfortable living with?”

◦ Provides context for analysis and response to individual risks by management

◦ Defined/approved by the Board of Governors in terms of frequency and impact; there is no absolute norm or standard of what constitutes acceptable risk

◦ Should be clearly communicated to stakeholders and staff through policies and standards

Consider objective capacity to absorb loss & management culture

Risk Appetite

Scoping ITM Risk Management Activities

Very High

• Detailed scenario development and frequent maintenance of the risk register

• Independent review of risk analysis results

• Quarterly detailed reporting on risk profile

• ...

High

• Detailed scenario development and frequent maintenance of the risk register

• Independent review of risk analysis results

• Semi-annual detailed reporting on risk profile

• ...

Medium

• Detailed scenario development for analysis

• Self-assessment and review

• Yearly update and quarterly summary reporting

• ...

Low

• Self-assessment and review

• Generic scenarios

• Less frequent reporting

• ...

ITM Risk Management Scoping Based on Risk Assessment Results

Section 4 – Value Delivery: ITM Financial Management – Governance & Management Controls Overview Session

Institution must establish a financial management framework for information and related technology

◦ Approved by the ITM Steering Committee

◦ CIO accountable to the ITM Steering Committee for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.

◦ Should be formally evaluated based on schedule determined by ITM Steering Committee

Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology

3 main elements:

◦ ITM budget management, portfolio mgmt. and cost/benefit management

Key Concepts

Financial Management (6)

(Figure) ITM Financial Mgmt. as Process

Inputs

◦ Comprehensive Institution Plan

◦ Enterprise Architecture

◦ Information Security Plan

◦ Strategic ITM Plan

◦ ITM Tactical Plans

Financial Management Framework

Outputs

◦ Budget

◦ Actual Expenditures vs. Budget Reports

◦ Updated portfolios

◦ Accountability & Transparency re: Value Contribution & TCO through Cost/Benefit Reports

ITM Financial Mgmt. as Process

(Figure) ITM Financial Mgmt. Framework, under ITM Governance, with these elements:

◦ Business Case Development & Use

◦ ITM Budget Management

◦ Portfolio Management

◦ Cost/Benefit Management

Portfolios: Application Assets + Infrastructure Assets + Information Assets + People Assets + Process Assets + Service Assets

Investment Prioritization within Portfolios

Budget Management

1. Define strategic business objectives and determine high-level budget envelopes

2. Develop ITM budget

3. Monitor and report on actual results

4. Develop ITM budget recommendations

High-Level Process Elements

Portfolio Management

1. Define portfolios and sub-categories

2. Determine the investment ‘weight’ of each portfolio or sub-category

3. Develop and use ITM business cases for ITM investment

4. Prioritize investments within portfolios

5. Identify HR needs across portfolios

6. Review and report on project, program and portfolio performance

High-Level Process Elements

Section 5 – Value Delivery: Human Resources Management – Governance & Management Controls Overview Session

Processes for the management of IT human resources are an essential part of an ITM Control Framework

CIO (not HR) is responsible for ensuring the institution has an ITM workforce with the skills necessary to achieve organizational and ITM goals

Main tasks:

◦ Define, monitor and supervise execution of ITM roles & responsibilities

◦ Provide appropriate and sufficient training (technical, internal control and security)

◦ Minimize dependency on key staff

◦ Ensure compliance with organizational policies

◦ Report to the ITM Steering Committee on key issues

Key Concepts

Human Resources Management (3)

Labour costs are 30% - 60% of the ITM budget

Quality of ITM personnel has enormous impact on effectiveness of the service provider organization, end-user satisfaction, optimizing value and proactive use of technology

Market for highly proficient IT resources is competitive and will get more so – hiring and retaining the best resources will continue to be a critical success factor for the CIO

Unique aspects to management of IT professionals (pool characteristics, diverse career expectations, training requirements) exacerbate the need for involvement of ITM managers

Turnover costs are enormous (e.g., 1 – 2 times annual salary)

Why ITM HR Mgmt. is Important

(Figure) HR Management as Process

Inputs

◦ Integrated Governance Structure

◦ ITM Organization Chart

◦ ITM Strategic & Tactical Plans

◦ ITM Budget

◦ Business Requirements

IT Human Resource Management

Outputs

◦ IT HR policy and procedures

◦ IT skills matrix

◦ Job descriptions

◦ Staff skills and competencies, including individual training logs

◦ Training plans

HR Management as Process

IT Human Resources Life Cycle

(Figure: Start, then Determine Personnel Needs, Sourcing, Interviewing, Hiring, Managing)

Determine Personnel Needs

• Develop organization chart

• Perform swap analysis & identify personnel gaps

• Determine staffing strategy – contract, permanent, contract-to-hire

• Create final hiring plan

Sourcing

• Permanent & contract candidate sourcing

• Additional screening for permanent hires

• Recruiting funnel

• Working with agencies & technical recruiters

Interviewing

• Interviewing techniques

• Interview team

• Best practices for conducting interviews

• High-volume interviewing

• Interviewing contractors

Hiring

• Finalizing an offer decision

• Checking references

• Ramping up new hires quickly

Managing

• 10% attrition model

• IT staff career development

• Key drivers of staff retention

• Compensation

• Handling layoffs

• Management coaching

• Creating performance plans

Section 6 – Value Delivery: IT Service Management – Governance & Management Controls Overview Session

Key Concept

Service Management (26)

“The idea of strategic assets is important in the context of good practice in service management. It encourages IT organizations to think of investments in service management in the same way businesses think of investing in production systems, distribution networks, R&D laboratories. Strategic assets provide the basis for core competence, distinctive performance, durable advantage and qualifications to participate in business opportunities. IT organizations can transform their service management capabilities into strategic assets.”

- ITIL Service Strategy, OGC, 2011

Service Lifecycle

Service Strategy: Envisioning & conceptualizing the set of services required to achieve business objectives

Service Design: Designing the services to meet utility & warranty objectives

Service Transition: Moving services into live production

Service Operation: Managing services to ensure utility & warranty objectives are achieved

Continual Service Improvement: Evaluating services & identifying ways to improve their utility & warranty in support of business objectives

ITSM Framework

Service Strategy

• Strategy Management

• Service Portfolio Management

• Financial Mgmt. for IT Services

• Service Demand Management

• Business Relationship Mgmt.

Service Design

• Identify Business Requirements & Drivers

• Define Services & Develop Service Catalogue

• Educate & Train Users

Service Level Management

• Develop SLA Framework, SLAs & OLAs

• Monitor Service Performance & Produce Service Reports

• Review Service, Instigate Improvements & Update SLAs/OLAs

Supplier Management

• Develop & Align Procurement Controls & Select Suppliers

• Develop/Manage Contracts & Relationships & Protect Enterprise Interests

• Monitor Supplier Performance

Service Continuity

• Develop Service Continuity Framework

• Develop & Maintain Continuity Plans

• Test Continuity Plans

• Provide Training on ITM Continuity Plans

• Review Plan Effectiveness

ITSM Framework Element / Description

IT Service Strategy: Defining a strategy to deliver services to meet the institution’s business outcomes

IT Service Design: Procedures for determining, documenting and agreeing upon requirements for new services and documenting them in a service catalogue

Service Level Mgmt.: Defining SLAs based on customer requirements and IT capabilities, service metrics, roles & responsibilities

Supplier Mgmt.: Aligning procurement controls with those of the institution, identification & categorization of supplier relationships, developing and managing contracts, protecting IP & monitoring performance

Service Continuity: Developing a service continuity framework consistent with institution business continuity

ITSM Standard Elements

Wrap Up – Questions?