What Every Executive Needs to Know About IT Governance Presented by Bill Lisse, CGEIT, CISSP, CISA, CHFI, CSSA, GPCI, GHSC Technology and Risk Services Manager Battelle & Battelle LLP
Page 1: What Every Executive Needs To Know About IT Governance

What Every Executive Needs to Know About IT Governance

Presented by

Bill Lisse, CGEIT, CISSP, CISA, CHFI, CSSA, GPCI, GHSC

Technology and Risk Services Manager

Battelle & Battelle LLP

Page 2

Corporate Governance

• Provides the structure for determining organizational objectives and monitoring performance to ensure that objectives are attained
• Defining strategic goals, desirable behaviors, and measuring outcomes
• There is no single model of good corporate governance

Page 3

IT Governance

• Specifying the decision rights and accountability framework to encourage desirable behavior in the use of information system assets
• Who makes decisions, why, and how?
• IT Governance Simultaneously Empowers and Controls

Page 4

IT Governance

• Summary
  • Starts with business needs and priorities
  • Involves the business process owners in significant ways
  • Evaluates performance against business requirements

Page 5

IT Governance Components

• IT Value Delivery
• Risk Management
• Performance Management
• IT Strategic Alignment
• IT Resource Management

Stakeholder Value Drivers

Page 6

IT Governance Frameworks

• Control Objectives for Information and related Technology (COBIT)
• The Information Technology Infrastructure Library (ITIL)
• International Organization for Standardization (ISO)
  • ISO 20000 IT Service Management
  • ISO 27000 IT Security
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Enterprise Risk Management Framework
  • Guidance for Smaller Public Companies

Page 7

IT Strategic Alignment

• Aligning business with collaborative solutions (current and future)
• Does the IT strategy support the enterprise strategy?
• Does IT…
  • Add value to products and services?
  • Assist in competitive positioning?
  • Contain costs and improve administrative efficiency?
  • Increase managerial effectiveness?

Page 8

IT Strategic Alignment

• Define IT’s strategic role
  • IT needs to understand its mission objectives as they relate to the business
• Monitor the business impact of the IT applications and infrastructure portfolio
• Stakeholder involvement in IT investment decisions

Page 9

IT Value Delivery

• A clear understanding of requirements and expected value of IT investments
  • Breaking into new markets
  • Drive competitive strategies
  • Increase revenue generation
  • Improve quality and/or customer satisfaction
  • Assure customer retention

Page 10

IT Value Delivery

• Clearly set expectations
  • Business requirements
  • Scalability and flexibility
  • Timeframes
  • Functionality
  • Operationally sound
  • Total Cost of Ownership

Set a common language for value; otherwise, value is in the eye of the beholder.

Page 11

Risk Management

• Safeguarding IT assets and disaster recovery
• A clear understanding of the organization’s appetite for risk
• Management level approval for risk response
• Due diligence

“I cannot imagine any condition which could cause this ship to founder. I cannot conceive of any disaster happening to this vessel.” – Captain of the Titanic, 1912

Page 12

Risk Management

• Operational
  • Business disruptions (e.g. information security threats)
• Financial (Errors or Fraud)
• Compliance (FACTA, SOX §404, GLBA, PCI DSS, HIPAA, etc.)
  • Depends on the industry

“If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighborhood. And while that may not be happening to your home, it probably is happening to any PC you connect to the net.” – Mark Ward, Tracking down hi-tech crime

Page 13

Resource Management

• Optimizing knowledge and infrastructure
• IT personnel
  • Staffing, skills, training, etc.
• Assets
  • Make vs. Buy decisions
  • Enterprise Resource Planning (ERP) Systems
  • Vendor management (Service Level Agreements, SAS 70, contracts)
• IT Project Management

The ability to balance the cost of infrastructure assets with the quality of service required is critical to successful value delivery.

Page 14

Performance Management

• Monitoring IT Services and tracking project delivery
• IT metrics using multiple indicators, perspectives and dimensions
• Gartner Group’s “Five Pillars”
  • Structure
  • Process
  • People
  • Alignment and Communication
  • Tools, Metrics and Investment Appraisal

Page 15

Examples of Metrics for a Board Balanced Scorecard

Perspective: Financial
  Objectives: • Long-term financial success • Short-term financial success • Long-term success of changes
  Example metrics: • Return on investment • Stock price • Success of change

Perspective: Stakeholders
  Objectives: • Ethical behavior and legal compliance • Corporate governance and accountability • Management of stakeholders’ needs
  Example metrics: • Number of ethical/legal violations • Number of voluntary disclosures • Number of meetings with stakeholders

Perspective: Internal processes
  Objectives: • Risk and crisis management • Performance evaluation systems • Review of strategic plans • Functioning of the board
  Example metrics: • Number of risk audits performed • Number of board members owning stock • Number of hours spent on strategic issues • Overall attendance at meetings

Perspective: Learning and growth
  Objectives: • Succession for CEO • Composition of the board • Skills and knowledge
  Example metrics: • Interim CEO identified • Percent of directors financially literate • Existence of training programs

(Adapted from Epstein, M.J.; Roy, M.J.; “How Does Your Board Rate?,” Strategic Finance, February 2004, pp. 25-31)

Page 16

Performance Measurement

• How often do IT projects fail to deliver?
• Are the end users satisfied with the quality of service?
• How much of the IT effort is reactive rather than proactive?
• Does management articulate and communicate business objectives for IT alignment?
• How is the value delivered by IT measured?

Page 17

IT Governance Maturity Model

Maturity Level (scale 0 to 5, as shown on the slide):
• 0: Non-Existent
• 1: Initial – Ad Hoc
• 2: Repeatable, but Intuitive
• 3: Defined Process
• 4: Managed & Measurable

Page 18

Current Issues

• Top Seven Business Issues
  • Regulatory Compliance
  • Enterprise-based IT Management and IT Governance
  • Information Security Management
  • Disaster Recovery/Business Continuity
  • IT Value Management
  • Challenges of Managing IT Risks
  • Compliance with Financial Reporting

Source: ISACA Top Business/Technology Issues Survey Results, 2008

Page 19

Next Steps

• Set up a governance organizational framework
• Align IT strategy with business goals
• Understand and define risks
• Define target areas
• Analyze current capabilities and identify gaps
• Develop improvement strategies
• Measure results
• Re-evaluate (at least annually)

Page 20

Further Research

• CIO Magazine http://www.cio.com
• IT Governance Institute (ITGI) http://www.iti.org
  • Board Briefing on IT Governance, 2nd Edition
• IT Compliance Institute (ITCi) http://www.itcinstitute.com
• ISACA http://www.isaca.org
• Institute of Internal Auditors http://www.theiia.org
• Measuring Performance and Demonstrating Results of Information Technology Investments http://www.gao.gov/special.pubs/ai98089.pdf
• IT Governance Domains Practices and Competencies: Measuring and Demonstrating the Value of IT http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentFileID=14864

Page 21

Conclusion

• Contact Information
  Bill Lisse
  Technology and Risk Services Manager
  Battelle & Battelle LLP
  Email: [email protected]
  Phone: (937) 853-1490 (direct)

“Organizations that are very, very good at doing things that are not important will never be market leaders.” – Gary Cokins, Performance Management, 2004