AGENDA
• The ‘Pitch’
• Setting the stage
– Enterprise governance: Then and Now
– The Auditor General is our friend
– Progress in Alberta’s post-secondary sector
• Key concepts
• Implementation
• Discussion
To Begin…
All organizations, public and private, large or small, are facing a paradigm shift with respect to the governance and management of information and related technology.
Catch-22
• a situation in which a desired outcome or solution is impossible to attain because of a set of inherently illogical rules or conditions;
• circular logic that prevents resolution of a problem;
• an unsolvable logical dilemma
Today’s Thesis (‘What’)
• IT is a critical enabler of most organizations & requires a special governance focus
• Effective governance & management of IT on an enterprise basis requires engagement of the Board of Directors & executive management
• Most Boards/executive teams remain largely unaware of their responsibilities re: enterprise IT, the inherent risks or potential rewards, or the existence of relevant standards and best practices
‘So What’
• IT investments are often not aligned with the organization’s strategic objectives
• IT-related risks are not appropriately managed
• The enterprise does not optimize the value of its investment in IT
How Did We Get Here?
• Talking to the wrong audiences
– Auditors
– Records managers
– IT folks
– Risk managers
• Pushing the ‘wrong’ message
• Normal resistance to new roles/expectations
• Implementation issues once we do get started
About the Message
“Alberta Government needs to better identify and mitigate IT risks.
Government departments as a whole need to do a better job
identifying risks to their systems and data. Then they need to
implement well-designed, efficient, and effective IT controls to
mitigate these risks and provide secure services and programs to
Albertans.”
– Auditor General, April 2008
In a Galaxy Far, Far Away (Really?)
• Executives had no desktops
• No discussion at Executive table re: IM/IT
• No IT performance measures; little or no reporting
• No IM framework
• No enterprise IT steering committee
• Major gaps in IT functionality
• Ad hoc HR planning for IT
• No IT business cases
• No position description for CIO
• No IT strategic plan; MANY IT projects
• Acute dissatisfaction re: IT service levels
• No discussion re: IT-related risks
• IT projects with no ‘business’ owners
• No IT-service continuity plan
• No portfolio management
• Inadequate end-user training
• Rudimentary supplier management practices
Do These Scenarios Sound Familiar?
• Million-dollar projects, which may or may not match the company’s objectives, are awarded to business units headed by the squeakiest executives
• Weak IT governance structures mean that business executives don’t have clear ideas of what they’re approving and why
• The CIO ends up selling projects that should be generated and sold by line-of-business heads
• The company doesn’t build good business cases for IT projects or it doesn’t do them at all
• There are redundant projects (1).
(1) Todd Datz, CIO Magazine, 2003
New (and Old) Business Drivers for IT Governance
• Rising expectations for organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Regulatory requirements
• Significance of selection of service provider & management of outsourcing to organizational effectiveness
• Increasingly complex IM/IT risk
• Need for assessment against standards and peer organizations
• Growing maturity and acceptance of frameworks and standards
Rx: IT Control Frameworks
“Implementing good IT governance is almost impossible without engaging an effective governance framework.”
- ISACA 2009
Benefits
• Helps organizations:
– Better align their IT activities to their business needs
– Ensure that management understands IT’s role and relevance in the organization
– Fulfill their responsibilities for a sound internal control environment & demonstrate progress to regulators, business partners & external stakeholders
– Ensure that Boards/management can meet their quality, fiduciary & security requirements
– Clarify ownership, responsibilities and accountabilities for information and related technology
Alberta’s AG Weighs In…
“We recommend that the Department of Advanced Education and Technology give
guidance to public post-secondary Institutions on using an IT control
framework to develop control processes that are well-designed, efficient, and
effective.”
- April 2008 Auditor General’s Report
Alberta PSS ITM Control Framework Program
• Collaboratively develop a system-wide control framework for managing information and related technology
• Common best practice controls that are modifiable, scalable and implementable
• A shared content management system to enable ongoing collaboration and effectively manage the control life cycle
Can’t We Just Implement CoBIT?
[Diagram: IM/IT Control Framework, showing its scope of coverage across the WHAT and HOW dimensions. Sources drawn on: Legislation, COBIT, ISO, PMBOK, ITIL, BABOK, TOGAF and IM industry best practices.]
Source: ISACA & Alberta PSS ITM Control Framework Program
Governance & Management Policy
The Institution manages its information and related technology assets and services through effective governance structures and processes that provide leadership, accountability and transparency and engage key stakeholders to support the achievement of positive outcomes and facilitate strategic oversight and decision making.
Controls
• WHAT needs to be controlled (COBIT, legislation, ITIL, ISO)
• HOW (Project Deliverables): Procedures, Structures, Guidelines, Standards
• Examples from client or other organizations, & best practices
Controls Summary
IT Governance & Management Controls (64)
• Foundation Pieces (17)
• Strategic Alignment (4)
• Risk Management (8)
• Financial Management (6)
• Service Management (26)
• Human Resources Management (3)
Integrated Governance Structure
[Organization chart: Board of Governors, with Board Committees (Audit & Finance; HR; Risk Mgmt.; ITM (1)); Academic Council; President; Provost (VP Academic) with Deans; VP Research; VP University Services; VP Finance & Admin; VP Student Services; CIO (2)(3); Executive Committee; ITM Steering Committee; Chief Technology Officer; Technology Committee (4); Architecture Review Committee (4); Portfolio Oversight (4) with Portfolio Mgmt. Committees 1, 2, 3 … n; Change Advisory Board (4); Project Oversight (5); Programs.]
(1) Institution may address responsibilities through a special purpose committee, through existing committees or in plenary
(2) Depending on institution, CIO may not sit as a member of the executive team, but must sit as a full member of the ITM Steering Committee
(3) CIO sits ex officio on Board ITM Committee and/or in Board discussions of ITM
(4) Depending on size/complexity of ITM activities
(5) Project governance and fit within ITM governance as per Business Case
High-level Roles & Responsibilities
Board
• Oversight regarding strategic alignment, risk management and value delivery of IT
Executive Committee
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: IT controls
IT Steering Committee
• Approval of IT Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes
CIO
• Overall development and implementation of the control environment
• Reporting on progress/results
Business Managers
• Input to development of the control environment
• Responsibility for operation of many controls
More about Boards
Have a fiduciary (1) responsibility to ensure the organization’s information resources and related technology are managed to support and enable the organization’s strategic plan
(1) Specifically, a legal or ethical relationship of confidence or trust regarding the management of money or property
How Do They Do This?
• Making sure information and IT are on the Board agenda
• Asking the right questions about management’s activities
• Helping management align IT initiatives with the institution’s strategic direction
• Ensuring it understands the potential impact of information and IT-related risk
• Requiring that IT performance be measured and reported through a balanced scorecard or similar mechanism
• Requiring that the organization implement an ITM control framework
• Monitoring the contribution of ITM to the institution
Key CIO Responsibilities
• Work with Executive Committee to obtain a clear understanding of the institution’s strategic and business objectives
• Create a vision for information management and technology in the future and sell it
• Implement information systems architecture that supports the institution’s comprehensive business plan
• Establish credibility of the IT Management Department
– Work with business units through the IT Steering Committee to establish standards and service levels
– Ensure these are met or exceeded
• Increase the technical maturity of the organization
Not Your Father’s CIO
“One of the primary differences between today's CIOs and the previous generation of IT leaders is the idea of transformational change. Thirty years ago, nobody seriously believed that IT would be called upon to lead enormous transformational efforts affecting every aspect of a global enterprise. Today, in addition to making sure that IT runs smoothly, the CIO is expected to provide strategic leadership and high-level guidance. That is a big difference indeed.”
- The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras
Lifecycle Management of IT Controls
• Organization needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
• Comprehensive procedure required for:
– Identifying externally generated requirements in a timely manner
– Identifying internally generated requirements
– Escalating and resolving issues identified through implementation/operation of the IT Control Framework
• Framework needs to be regularly reviewed
– Internal audit
– Periodic 3rd party reviews
• Provide for approved and documented exceptions to compliance with controls
Strategic Alignment
• Strategic IT Plan is an integral element of the organization’s strategic plan… not an afterthought!
– Clearly articulated organization mission, vision and priorities
– Planning is considered important and closely linked to organization budget
– Strategic IT plan is published
– Formal communication strategy specific to IT stakeholders developed
– Performance is measured using an IT Balanced Scorecard
• IT investments should be managed across the organization in portfolios
Risk Management
• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of IT-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
– Board members and senior executives who need to set direction & monitor risk at the enterprise level
– Managers of IT and business departments who define risk management processes
– Risk management professionals
– External stakeholders
Risk Management Principles
• IT risk management always connects to business objectives; focus is on the business outcome
• IT risk governance aligns the management of IT-related risk with overall ERM
• IT governance should balance the costs and benefits of managing IT risk
• There should be open communication regarding IT risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• IT risk management is continuously improved
Financial Management
• Institution must establish a financial management framework for information and related technology
– Approved by the IT Steering Committee
– CIO responsible for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
– Should be formally evaluated based on schedule determined by IT Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
What is Service Mgmt.?
“Service management is a set of specialized organizational capabilities for providing value to customers in the form of services (1). These capabilities take the form of functions and processes for managing services over their lifecycle.”
(1) ITIL, Office of Government Commerce, 2007
Service Lifecycle
• Service Strategy: Envisioning & conceptualizing the set of services required to achieve business objectives
• Service Design: Designing the services to meet utility & warranty objectives
• Service Transition: Moving services into live production
• Service Operation: Managing services to ensure utility & warranty objectives are achieved
• Continual Service Improvement: Evaluating services & identifying ways to improve their utility & warranty in support of business objectives
Human Resources Management
• Processes for the management of IT human resources are an essential part of an IT Control Framework
• CIO (not HR) is responsible for ensuring the institution has an IT workforce with the skills necessary to achieve organizational and IT goals
• Main tasks:
– Define, monitor and supervise execution of IT roles & responsibilities
– Provide appropriate and sufficient training (technical, internal control and security)
– Minimize dependency on key staff
– Ensure compliance with organizational policies
– Report to the IT Steering Committee on key issues
IT Control Framework – Implementation Lifecycle
Create Awareness → Assess Current State → Define Desired Future State → Develop Plan → Execute Plan → Measure Results → Sustain Momentum
Use of maturity models
Implementation Challenges
Create awareness
• Lack of senior management buy-in
• Lack of enterprise policy & decision making structures
Assess current state
• Cost of improvements outweighs perceived benefits
• Lack of trust/good relationships between IT & business units
Define future state
• Scarcity of good ‘role models’
Develop plan
• Resistance to change
• Defining the ‘critical path’
• Failure to consider corporate culture & capacity
Execute plan
• Trying to do too much at once
• Lack of appropriate skills
• Underestimating the level of effort required
Measure results
• Starting out with too many performance measures
• Too much complexity, precision
• Lack of balance between ‘performance driver’ & ‘outcome’ measures
Sustain momentum
• IT governance ‘fatigue’
• Difficulty in proving benefits
Critical Success Factors
1. Identify a champion
2. Shared understanding and vision
– Not implementing CoBIT, but improvements to how it governs & manages the IT contribution to the enterprise
– Tailor to fit the organization
3. Use the CoBIT umbrella but incorporate other standards as required
4. Ensure IT governance is integrated with enterprise governance
5. Stay focused
– It’s a journey, not a destination
– Recognize and celebrate progress