What Every Executive Needs to Know About IT Governance
Presented by
Bill Lisse, CGEIT, CISSP, CISA, CHFI, CSSA, GPCI, GHSC
Technology and Risk Services Manager
Battelle & Battelle LLP
Corporate Governance
• Provides the structure for determining organizational objectives and monitoring performance to ensure that objectives are attained
• Defining strategic goals, desirable behaviors, and measuring outcomes
• There is no single model of good corporate governance
IT Governance
• Specifying the decision rights and accountability framework to encourage desirable behavior in the use of information system assets
• Who makes decisions, why, and how?
• IT Governance simultaneously empowers and controls
IT Governance
• Summary
  • Starts with business needs and priorities
  • Involves the business process owners in significant ways
  • Evaluates performance against business requirements
IT Governance Components
• Stakeholder Value Drivers
• IT Strategic Alignment
• IT Value Delivery
• Risk Management
• IT Resource Management
• Performance Management
IT Governance Frameworks
• Control Objectives for Information and related Technology (COBIT)
• The Information Technology Infrastructure Library (ITIL)
• International Organization for Standardization (ISO)
  • ISO 20000 IT Service Management
  • ISO 27000 IT Security
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Enterprise Risk Management Framework
  • Guidance for Smaller Public Companies
IT Strategic Alignment
• Aligning business with collaborative solutions (current and future)
• Does the IT strategy support the enterprise strategy?
• Does IT…
  • Add value to products and services?
  • Assist in competitive positioning?
  • Contain costs and improve administrative efficiency?
  • Increase managerial effectiveness?
IT Strategic Alignment
• Define IT’s strategic role
• IT needs to understand its mission objectives as they relate to the business
• Monitor the business impact of the IT applications and infrastructure portfolio
• Stakeholder involvement in IT investment decisions
IT Value Delivery
• A clear understanding of requirements and expected value of IT investments
  • Breaking into new markets
  • Drive competitive strategies
  • Increase revenue generation
  • Improve quality and/or customer satisfaction
  • Assure customer retention
IT Value Delivery
• Clearly set expectations
  • Business requirements
  • Scalability and flexibility
  • Timeframes
  • Functionality
  • Operationally sound
  • Total Cost of Ownership
Set a common language for value; otherwise, value is in the eye of the beholder.
Risk Management
• Safeguarding IT assets and disaster recovery
• A clear understanding of the organization’s appetite for risk
• Management-level approval for risk response
• Due diligence
“I cannot imagine any condition which could cause this ship to founder. I cannot conceive of any disaster happening to this vessel.” – Captain of the Titanic, 1912
Risk Management
• Operational
  • Business disruptions (e.g. information security threats)
• Financial (errors or fraud)
• Compliance (FACTA, SOX §404, GLBA, PCI DSS, HIPAA, etc…)
  • Depends on the industry
“If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighborhood. And while that may not be happening to your home, it probably is happening to any PC you connect to the net.” – Mark Ward, Tracking down hi-tech crime
Resource Management
• Optimizing knowledge and infrastructure
• IT personnel
  • Staffing, skills, training, etc…
• Assets
  • Make vs. buy decisions
  • Enterprise Resource Planning (ERP) systems
  • Vendor management (Service Level Agreements, SAS 70, contracts)
• IT Project Management
The ability to balance the cost of infrastructure assets with the quality of service required is critical to successful value delivery.
Performance Management
• Monitoring IT Services and tracking project delivery
• IT metrics using multiple indicators, perspectives and dimensions
• Gartner Group’s “Five Pillars”
  • Structure
  • Process
  • People
  • Alignment and Communication
  • Tools, Metrics and Investment Appraisal
Examples of Metrics for a Board Balanced Scorecard
Each perspective lists its objectives, with an example metric for each.
Financial perspective
• Long-term financial success: Return on investment
• Short-term financial success: Stock price
• Long-term success of changes: Success of change
Stakeholders perspective
• Ethical behavior and legal compliance: Number of ethical/legal violations
• Corporate governance and accountability: Number of voluntary disclosures
• Management of stakeholders’ needs: Number of meetings with stakeholders
Internal processes perspective
• Risk and crisis management: Number of risk audits performed
• Performance evaluation systems: Number of board members owning stock
• Review of strategic plans: Number of hours spent on strategic issues
• Functioning of the board: Overall attendance at meetings
Learning and growth perspective
• Succession for CEO: Interim CEO identified
• Composition of the board: Percent of directors financially literate
• Skills and knowledge: Existence of training programs
(Adapted from Epstein, M.J.; Roy, M.J.; “How Does Your Board Rate?”, Strategic Finance, February 2004, pp. 25-31)
Performance Measurement
• How often do IT projects fail to deliver?
• Are the end users satisfied with the quality of service?
• How much of the IT effort is reactive rather than proactive?
• Does management articulate and communicate business objectives for IT alignment?
• How is the value delivered by IT measured?
IT Governance Maturity Model
Maturity levels (scale of 0 to 5)
• Level 0: Non-Existent
• Level 1: Initial – Ad Hoc
• Level 2: Repeatable, but Intuitive
• Level 3: Defined Process
• Level 4: Managed & Measurable
Current Issues
• Top Seven Business Issues
  • Regulatory Compliance
  • Enterprise-based IT Management and IT Governance
  • Information Security Management
  • Disaster Recovery/Business Continuity
  • IT Value Management
  • Challenges of Managing IT Risks
  • Compliance with Financial Reporting
Source: ISACA Top Business/Technology Issues Survey Results, 2008
Next Steps
• Set up a governance organizational framework
• Align IT strategy with business goals
• Understand and define risks
• Define target areas
• Analyze current capabilities and identify gaps
• Develop improvement strategies
• Measure results
• Re-evaluate (at least annually)
Further Research
• CIO Magazine http://www.cio.com
• IT Governance Institute (ITGI) http://www.iti.org
  • Board Briefing on IT Governance, 2nd Edition
• IT Compliance Institute (ITCi) http://www.itcinstitute.com
• ISACA http://www.isaca.org
• Institute of Internal Auditors http://www.theiia.org
• Measuring Performance and Demonstrating Results of Information Technology Investments http://www.gao.gov/special.pubs/ai98089.pdf
• IT Governance Domains Practices and Competencies: Measuring and Demonstrating the Value of IT http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentFileID=14864
Conclusion
• Contact Information
  Bill Lisse
  Technology and Risk Services Manager
  Battelle & Battelle LLP
  Email: [email protected]
  Phone: (937) 853-1490 (direct)
“Organizations that are very, very good at doing things that are not important will never be market leaders.” – Gary Cokins, Performance Management, 2004