Governance and Audit of IT in a Post-Recession World

©2010 Infonomics Pty Ltd Post-Recession World

Governance and Audit of IT in a

Post-Recession World

Mark ToomeyAuthor: Waltzing with the Elephant

Managing Director Infonomics Pty LtdMember, Standards Australia Committee IT-030

Member, ISO/IEC JTC-1 WG6

Page 10:00/1


A little (more) about me…

Page 20:01/1


The promise of Information Technology...

Page 3

Photo

s: (

1)

htt

p:/

/velo

city

reso

urc

e.c

om

/RS

6A

vantP

lus.

asp

x a

nd

Aud

i.(2

) Pub

lic d

om

ain

– w

idely

cir

cula

ted

em

ail

0:02/2

... or a shattered dream.


Governance and Management of ITGlobal Survey• From 11 Feb to 23 Mar 2010• Responses (complete – 75)

– 13 Board Directors– 23 Business roles– 39 IT roles

• Education– 38 Masters/MBA and above– 23 degree– 26 focused on technical– 35 focused on business

• Age– 22 are 36 – 45– 29 are 46 – 55– 19 are 56 Plus

• Organisation– 25 listed– 19 government– 15 private– 6 branch / subsidiary– 4 not-for-profit

• Location– 25 AU– 15 NL– 8 GB– 6 US– 4 ES– 2 NZ– AE, AR, AX, BE, CA, DE, IN, IT, TR, VG, ZA.

• Scale– 7 Up to US$ 500,000– 4 US$ 500,000 to US$ 2m – 5 US$ 2m to US$ 10m – 12 US$ 10m to US$ 100m– 41 More than US$ 100m

• Employees– 7 at 1 - 10 – 7 at 11 - 50 – 6 at 51 - 200 – 0 at 201 - 500 – 26 at 501 - 5000 – 29 at 5001 and above

Page 40:04/1


Governance and Management of ITGlobal Survey

Page 5

There is a strong track record over several years of successful IT projects that deliver the intended business outcomes.

0:05/1

24%48%



Page 6

Executive management has sufficient evidence that day to day business operations will not be seriously damaged by unplanned interruptions to operational IT systems.

0:06/1

46%32%



Page 7

The full spectrum of costs, risks, opportunities and value derived from the organization's current portfolio of operational IT systems is well understood and acceptable.

0:07/1

22%58%


From enormous challenge...

• Medicare database blunder (2005)• Customs commissions review of ICS

debacle (2006)• Defence weak on IT, says chief

(2007)• Vic: Health IT program late, over

budget (2008)• Consultant: 33% of IT spend is

wasted (2009)• Young war widows struggling (2009)• Software glitch stymies green loans

(2009)

• Licensing project over budget and a decade late(NSW, October 2009)

• e-government• e-health• Accessible government• Efficient government• “Joined up” government• Innovative government

• Post to offer passports online• Tech to prevent welfare cheats

• Real change, real solutions, delivered and acclaimed, in business as in government.

Page 8

... to outstanding performance

0:08/2


It can happen to anybody…

21 April 2023 Page 9

2004

Five Day Fiasco

2005

Cargo Management

2006

ERP Consolidation

2007

Futures Market

2008

Scrapped

2009

Amadeus

2010

Crippled

2010

Year 2010

… and it KEEPS happening!

0:10/3



Page 10

Most organizations are very effective in governing their use of IT.

0:13/1

4%82%

©2010 Infonomics Pty Ltd Post-Recession World 21 April 2023

We have tried to make IT better…

• Typical efforts to ensure that IT is doing its job competently– Rigour– Process– Control– Reporting

– … Miss the point!

ITILITIL Prince2Prince2 CoBITCoBIT

CMMICMMI PMBOKPMBOK

PPMPPM

Page 11

EtcEtcMSPMSP

0:14/1


We have tried to make IT better… …but we have missed the key issue!

21 April 2023 Page 120:15/2

©2010 Infonomics Pty Ltd Post-Recession World 21 April 2023

We have tried to make IT better…

• Typical efforts to ensure that IT is doing its job competently…– Rigour– Process– Control– Reporting

… Miss the point!• It’s not just in IT that problems develop:

– Use of IT to achieve business goals involvesbusiness change

• Process• People• Structure• Context

– And necessarily requires that business leaders engage fully:• Being responsible• Setting direction• Planning and implementing

Polishing INSIDE the Kettle improves supply…

… but does not fully address the problem of use!

Governance of IT has to deal with Governance of IT has to deal with how organisations USE IT as well as how organisations USE IT as well as with how IT departments operate.with how IT departments operate.

Governance of IT has to deal with Governance of IT has to deal with how organisations USE IT as well as how organisations USE IT as well as with how IT departments operate.with how IT departments operate.

DeliveryDelivery

UseUseMany issues arise Many issues arise here – outside IT’s here – outside IT’s sphere of control.sphere of control.

Many issues arise Many issues arise here – outside IT’s here – outside IT’s sphere of control.sphere of control.

Page 13

… the problem is not the IT function!

ITILITIL Prince2Prince2 CoBITCoBIT

CMMICMMI PMBOKPMBOK

PPMPPM EtcEtcMSPMSP

0:17/1



Page 14

Organizations that govern their IT very well have a strategic advantage.

0:18/1

90%3%


The purpose of information technology...

• Four key elements of operating organisations– People – who participate in business events– Process – what business events take place– Structure – where business events happen– Technology – enabling and recording events

• Operating context of the organisation– External– Internal.

• IT intrinsic to day to day operations – Generic - Email, Telephony, Information– Business process specific - Transactions,

Customers, Etc– Future capabilities and functions.

Page 15

ProcessProcess StructureStructure

PeoplePeople

TechnologyTechnology

The

Busin

ess C

onte

xt

The

Busin

ess C

onte

xt

Based on H.J. Leavitt’s Model of organisational change, published in 1965.

0:19/1

The Business System

The Business System



PeoplePeople


The Business System

The Business System

The

Busin

ess C

onte

xt

The

Busin

ess C

onte

xt

• Four key elements of operating organisations– People – who participate in business events– Process – what business events take place– Structure – where business events happen– Technology – enabling and recording events

• Operating context of the organisation– External– Internal.

• IT intrinsic to day to day operations – Generic - Email, Telephony, Information– Business process specific - Transactions,

Customers, Etc– Future capabilities and functions.

• When IT fails, everything goes pear-shaped– Citylink Melbourne, Tuesday 20 Sept 2006

The purpose of information technology...... we depend on it as a business tool.

Page 16

The Business System

The Business System

Based on H.J. Leavitt’s Model of organisational change, published in 1965.


PeoplePeople

StructureStructureProcessProcess

0:20/1



PeoplePeople


The Business System

The Business System

The

Busin

ess C

onte

xt

The

Busin

ess C

onte

xt


PeoplePeople


The Business System

The Business System

The

Busin

ess C

onte

xt

The

Busin

ess C

onte

xt

And we use IT as an enabler of change...

• IT is now a fundamental enabler of change and is leading to new business models and new business practices

– Eg e-Government

• Implementing IT enabled change involves attention to every facet of business models and practices

– Internal and external factors

Page 17

• Governing IT Enabled Change involves much more than governing technology activities.

“Traditional” IT Change Project“Traditional” IT Change Project

Omnibus Change• Business System

•Process•Technology•Structure•People

• Business Context•Process•Technology•Structure•People

Omnibus Change• Business System

•Process•Technology•Structure•People

• Business Context•Process•Technology•Structure•People

The Business System

The Business System


PeoplePeople

StructureStructureProcessProcessChangedProcess

ChangedProcess

ChangedStructureChangedStructure

ChangedPeople

ChangedPeople

ChangedTechnologyChanged

Technology

Changed Business System

Changed Business System

Chang

ed B

usin

ess Con

text

Chang

ed B

usin

ess Con

text

0:21/2

...but change involves much more than IT!


Ongoing business

operations

StrategicBusinessFuture

Reliable IT Service

Effective IT enabled change

Information technology is a tool ...

Page 18

Business Domain: How IT

is used to enable and operate the

business

IT Domain: How IT is

managed and delivered.

0:23/2

... what determines the use of the tool?.


Ongoing business

operations


Reliable IT Service

Effective IT enabled change

Business Domain: How IT

is used to enable and operate the

business

IT Domain: How IT is

managed and delivered.

The context for governance of IT...

Page 190:25/1

Ongoing business operations


Reliable IT ServiceEffective IT

enabled change

Business Domain: How IT is used to enable and operate the business

IT Domain: How IT is managed and

delivered.

Dem

and

Dem

and


GovernanceEvaluate

The context for governance of IT... ... is to direct and control the use.

Page 20

Managem

en

tR

esp

onsi

bili

tyTop level

overs

igh

t

Th

e S

yst

em

of

Govern

ance

0:26/1

Ongoing business operations


Reliable IT ServiceEffective IT

enabled change

Business Domain: How IT is used to enable and operate the business

IT Domain: How IT is managed and

delivered.

Dem

and

Dem

and

Direct MonitorCurrent & proposed

demand for & supply of IT



Page 21

Governance of IT means evaluating, directing and monitoring the current and proposed future use of IT. It involves overseeing preparation of plans for use of IT, overseeing delivery of business change enabled by IT and overseeing ongoing operational use of IT.

0:27/1

90%7%


Directing and controlling the use of IT... ...does not require technical expertise.

AS8015 &ISO 38500 principles• Responsibility;• Strategy;• Acquisition;• Performance;• Conformance;• Human Behaviour.

Page 22

Business

Pressures

Governance

Management

Evaluate

Direct Monitor

IT enabled business change

projects

IT enabled business

operations

0:28/2



Page 23

Governing the use of IT is the responsibility of those who have overall governance responsibility.

0:30/1

80%14%



Page 24

Too much of contemporary guidance on “IT Governance” is actually focused on “IT Management”.

0:31/1

78%6%


Peter Gershon told government leaders...

Finding

• Weak governance of Pan-Government issues related to ICT.

– Has led to significant fragmentation and duplication

• Lack of standardisation in common processes

• Agency governance mechanisms are weak in respect of focus on ICT efficiency and understanding of organisational capability to commission, manage and realise benefits from ICT-enabled projects.

– ICT vs organisational capability.

Recommendation

• Strengthen Pan-Government Governance

– Ministerial committee on ICT– Secretaries ICT Governance board

with strong mandate• Drive ministerial agenda on whole of

government use of ICT.

– Oversight of opt-outs– Redefine AGIMO role– Establish program board

• Strengthen Agency Governance– Link between policy formulation and

implementation– Best practices in benefits realisation.

Page 25

Those at the top

levels of

government have

to play their role in

governance of IT.

0:32/1

...it’s your job to drive success.

So do those at the

top of business –

but what is this

part?


Responsibility of business leaders...

• Plan the future model for an efficient and effective business that is inevitably enabled by and dependent on IT.

• Orchestrate the pervasive change to the systems of business – people, process, structure AND technology.

• Relentlessly drive change at the four points of the business system, never forgetting that leaving IT to lead or push WILL result in failure.

• Persistently measure performance of IT in business terms and control IT expenditure in those terms - for investments and business as usual.

• Encourage and reward appropriate behaviour of the people involved to maximise the outcomes of planned change.

Page 26

...is to lead change from the front.

0:33/3



Page 27

Achieving intended business outcomes is the principal measure of success for an “IT project”.

0:36/1

85%7%



Page 28

Business managers should be accountable for delivery of business outcomes which mark the successful completion of “IT projects”.

0:37/1

83%6%



Page 29

Effective governance of IT requires a set of management systems that are fit for purpose and appropriate to the nature of the organization.

0:38/1

87%6%



Page 30

A formal certification scheme is required, so that organizations can test and verify the effectiveness of their arrangements for governance of IT.

0:39/1

52%13%


Governance and Audit of IT in theThe Post-Recession World

• Clear understanding and delineation of governance and management roles;

• Governance focused on principles and behaviour, not process;

• Audit gives assurance to the board;• Audit looks beyond process to behaviour;• Scope of governance and audit engagement is the entire

business system;• Audit helps bring future problems into early focus.

Page 310:41/2


More information

www.infonomics.com.au

Page 320:43/7

Questions

Download these slides from: www.infonomics.com.au/PresGAPRW.htm.

Documents

Governance and Audit of IT in a Post-Recession World