grcm presentation on aug 4 2009
TRANSCRIPT
September 2009
INTEGRATING GOVERNANCE, RISK, AND COMPLIANCE MANAGEMENT TO ENHANCE REQUIREMENTS ENGINEERING IN INFORMATION TECHNOLOGY PROJECTS
Prepared by: Mr. Richard Bett,
M.Sc. PM, PMP
September, 2009
Copyright © 2009 ABET Technologies Incorporated
Outline
1. Research Objectives
2. Performing Requirements Engineering (RE)
3. Governance, Risk and Compliance Mgmt (GRCM)
4. Research Methodology
5. Data Analysis
6. Conclusion
7. References
1. Research Objectives
- Challenges and success factors in practicing Requirements Engineering (RE) in Information Technology (IT) projects.
- Relevance of GRCM for RE.
2. Performing Requirements Engineering
- Overview of RE
- RE Process
- RE in General
- RE Capability Measurement Framework
3. Governance, Risk and Compliance Management (GRCM)
- Foundation of GRCM as Best Practices
- Governance
  - Overview of IT Governance
  - IT Governance Focus Areas
  - IT Governance Tools: COBIT, ITIL, ISO 17799
3. Governance, Risk and Compliance Management (GRCM) - cont.
- Risk Management
  - Overview of Risk Management
  - Project Risk Management
  - Minimize Risks
- Compliance
  - Overview
  - Compliance with Legal Requirements
  - Reviews of Security Policy and Technical Compliance
3. Governance, Risk and Compliance Management (GRCM) - cont.
- System Audit Considerations
- Relating GRCM to Other Software Engineering Practices
- GRCM Measurement Framework
- Measuring the Level of Capability in the Organizational Context
4. Research Methodology
- Positivist Case Study Research
- Research Process
  - Design of the Case Study
  - Conduct of the Case Study
  - Analysis of the Case Study Evidence
  - Writing up the Case Study Report
- Case Profiles
4.1 BETT - GRCM Conceptual Framework
Governance Elements:
§ IT Strategic Planning
§ IT Project Management
§ IT Control Framework
§ IT Asset Management
§ IT Processes
Risk Management Elements:
§ Embed into the project an IT governance structure
§ Establish an audit committee
§ Monitor IT resources to ensure project tasks are completed
§ Risk analysis part of ongoing monitoring of IT risks and controls
Compliance Elements:
§ Brief project mandate to committees involved
§ Ensure IT alignment with business
§ Comply with new regulations
§ Consider security in the project
Governance, Risk and Compliance Management
Requirements Engineering:
§ Elicitation
§ Analysis
§ Prioritization
§ Validation
§ Documentation
§ Management
Organizational Context:
§ Senior Management Leadership / Commitment
Correlation (the relationship between GRCM and RE examined by the framework)
5. Data Analysis
- Capability Measurement Framework for GRCM and RE
- Within-Case Analysis to Identify Key Relationships between GRCM and RE
- Cross-Case Analysis to Identify Key Relationships between GRCM and RE
6. Case Studies
6.1. Registration of Businesses on the Web
6.2. Corporate Intranet Revamp Project
6.3. Travel Automation Information System
6.4. Financial Management Information System (FMIS)
6.1. Case Study A - Registration of Businesses on the Web
Who - Organization
Where - Ottawa
When - May 2008
What they did - Built a web application (in-house) and made it available to organizations across Canada to register their business.
6.2. Case Study B - Corporate Intranet Revamp Project
Who - Organization
Where - Ottawa
When - July 2007
What they did - Revamped their existing corporate intranet to better reflect the services offered to the internal users.
6.3. Case Study C - Travel Automation Information System
Who - Organization
Where - Ottawa
When - February 2007
What they did - They went through an exercise of identifying functional requirements and then met with technical staff to identify non-functional requirements. An option analysis document was created and a recommendation was given as to whether they should opt for an in-house solution or go with COTS.
6.4. Case Study D - Financial Management Information System
Who - Organization
Where - Ottawa
When - September 2006
What they did - Upgraded their existing financial application and needed to ensure all requirements were identified, prioritized and approved before installing and configuring the application.
GRCM Capability Framework
Level of Capability per Case Study

GRCM Elements                                        A    B    C    D
Governance
  IT Strategic Planning                              3    2    2    3
  IT Project Management                              3    2    2    3
  IT Control Framework                               2    2    2    3
  IT Asset Management                                3    3    3    3
  IT Processes                                       3    2    2    3
Risk Management
  IT Governance Structure                            2    3    2    3
  Audit and Monitor                                  1    1    1    1
  Monitor and Track Risks regularly                  3    3    3    3
  Perform risk analysis                              3    2    2    3
Compliance
  Brief project mandate to committees                3    3    2    3
  Ensure IT Alignment with business                  2    2    2    3
  Comply with regulations, policies and procedures   3    3    3    3
  Consider security in the project                   3    3    3    3

Legend: Green (3) = Fully Integrated / full capability; Yellow (2) = Semi Integrated / poor capability; Red (1) = Not Integrated / no capability
RE Capability Framework
Level of Capability per Case Study

RE activities                                        A    B    C    D
  Elicitation                                        3    2    2    3
  Analysis                                           3    3    2    3
  Prioritization                                     3    2    2    3
  Validation                                         3    3    2    3
  Documentation                                      2    2    2    3
  Management                                         2    2    2    3
Organizational Context Framework
Level of Capability per Case Study

Organizational Context                               A    B    C    D
  Senior Management Leadership - Commitment          3    3    2    3
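As an added example (not part of the original deck or the study's own analysis), the following Python reconstructs the three capability tables above as data and runs a simple cross-case analysis of the kind the Data Analysis section names: per-case mean GRCM and RE capability, the ranking of the four cases on each, the cells scored below full capability for a given case, and the Pearson and Spearman correlation between the GRCM and RE means. The unweighted mean over elements and the choice of correlation statistics are this example's assumptions, not the study's method, and with only four cases the coefficients are illustrative rather than statistically meaningful.

```python
from math import sqrt

# Added example, not the study's own analysis. Scores are transcribed from
# the GRCM, RE and Organizational Context capability tables on the slides
# (3 = full capability, 2 = poor capability, 1 = no capability); columns
# are case studies A, B, C, D in that order.
CASES = ["A", "B", "C", "D"]

GRCM = {
    "IT Strategic Planning": (3, 2, 2, 3),
    "IT Project Management": (3, 2, 2, 3),
    "IT Control Framework": (2, 2, 2, 3),
    "IT Asset Management": (3, 3, 3, 3),
    "IT Processes": (3, 2, 2, 3),
    "IT Governance Structure": (2, 3, 2, 3),
    "Audit and Monitor": (1, 1, 1, 1),
    "Monitor and Track Risks regularly": (3, 3, 3, 3),
    "Perform risk analysis": (3, 2, 2, 3),
    "Brief project mandate to committees": (3, 3, 2, 3),
    "Ensure IT Alignment with business": (2, 2, 2, 3),
    "Comply with regulations, policies and procedures": (3, 3, 3, 3),
    "Consider security in the project": (3, 3, 3, 3),
}

RE = {
    "Elicitation": (3, 2, 2, 3),
    "Analysis": (3, 3, 2, 3),
    "Prioritization": (3, 2, 2, 3),
    "Validation": (3, 3, 2, 3),
    "Documentation": (2, 2, 2, 3),
    "Management": (2, 2, 2, 3),
}

OC = {"Senior Management Leadership - Commitment": (3, 3, 2, 3)}


def case_means(table):
    """Unweighted mean score per case (assumption: every element weighs equally)."""
    return {
        case: sum(row[i] for row in table.values()) / len(table)
        for i, case in enumerate(CASES)
    }


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def ranks(values):
    """1-based ranks; tied values receive the average of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(xs, ys):
    """Spearman rank correlation: Pearson correlation computed on the ranks."""
    return pearson(ranks(xs), ranks(ys))


def weak_elements(table, case):
    """Elements on which a case scored below full capability (the Yellow/Red cells)."""
    i = CASES.index(case)
    return [name for name, row in table.items() if row[i] < 3]


def moderator_cases():
    """Cases whose organizational context (senior management commitment) is below full."""
    return [c for c in CASES if any(row[CASES.index(c)] < 3 for row in OC.values())]


def cross_case_analysis():
    """Per-case means, case rankings, and GRCM-vs-RE correlation across the four cases."""
    g, r = case_means(GRCM), case_means(RE)
    xs = [g[c] for c in CASES]
    ys = [r[c] for c in CASES]
    return {
        "grcm_mean": g,
        "re_mean": r,
        "ranking_grcm": sorted(CASES, key=g.get),
        "ranking_re": sorted(CASES, key=r.get),
        "pearson": pearson(xs, ys),
        "spearman": spearman(xs, ys),
    }


if __name__ == "__main__":
    result = cross_case_analysis()
    for case in CASES:
        print(f"Case {case}: GRCM {result['grcm_mean'][case]:.2f}  RE {result['re_mean'][case]:.2f}"
              f"  weak GRCM elements: {weak_elements(GRCM, case)}")
    print(f"Pearson r = {result['pearson']:.3f}, Spearman rho = {result['spearman']:.3f}")
    print("Cases with a weak organizational context (moderator):", moderator_cases())
```

Run as a script it lists each case's mean scores and its below-full GRCM cells, then the two correlation coefficients; on the transcribed data the four cases rank identically on GRCM and RE (C, B, A, D from weakest to strongest), and case C is the only one whose organizational context is below full, which is the case the later slides label as the moderator.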
Case Study D – Observation #1
GRCM ↑: Great IT Strategic Planning
OC ↑ (Enhancement): Great Senior Management Leadership
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study D – Observation #2
GRCM ↑: Great IT Project Management
OC ↑ (Enhancement): Great Senior Management Leadership
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study D – Observation #3
GRCM ↑: IT Governance Structure
OC ↑ (Enhancement): Great Senior Management Leadership
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study D – Observation #4
GRCM ↑: Perform Risk Analysis
OC ↑ (Enhancement): Great Senior Management Leadership
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study D – Observation #5
GRCM ↑: IT aligned with Business
OC ↑ (Enhancement): Great Senior Management Leadership
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study C – Observation #1
GRCM ↓: IT Strategic Planning
OC ↓ (Moderator): Lack of Senior Management Leadership
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study C – Observation #2
GRCM ↓: IT Project Management
OC ↓ (Moderator): Lack of Senior Management Leadership
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study C – Observation #3
GRCM ↓: IT Governance Structure
OC ↓ (Moderator): Lack of Senior Management Leadership
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study C – Observation #4
GRCM ↓: Perform Risk Analysis
OC ↓ (Moderator): Lack of Senior Management Leadership
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management

Case Study C – Observation #5
GRCM ↓: Ensure IT Alignment with Business
OC ↓ (Moderator): Lack of Senior Management Leadership
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
Conclusion
The results from the research support the two objectives:
- Develop and validate a new GRCM and RE Capability Measurement Framework.
- Explore to what extent GRCM capabilities are correlated with RE capabilities.
References
1. Abran, A., Moore, J., Bourque, P., Dupuis, R. (2004). "Guide to the Software Engineering Body of Knowledge." IEEE Computer Society.
2. Basili, V.B.L. (2006). "Empirical Software Engineering: An International Journal."
3. Beecham, S., Hatt, T., Rainer, A. (2003). "Defining a Requirement Process Improvement Model."
4. Boehm, T.P., Wigle, G.B., Tsai, J.T. "Specification of Software Quality Attributes." Report RADC-TR-85-37.
5. Cheng, H.C.B., Atlee, M.J. (2007). "Research Directions in Requirement Engineering." IEEE Computer Society.
6. Dekkers, C.A. (2005). "Creating Requirements-Based Estimates Before Requirements Are Complete." CrossTalk (4): 13-15.
7. ITGI (2000). "COBIT 3rd Edition: Executive Summary." COBIT Steering Committee and the IT Governance Institute, Illinois, USA. ISBN 1-893209-15-16.
8. ITGI (2005). "Aligning COBIT, ITIL and ISO 17799 for Business Benefit."
9. ISACA (2007). "COBIT 4.1."
10. Larsen, H.M., Pedersen, K.M., Andersen, V.K. (2006). "Reviewing 17 IT Governance Tools and Analyzing the Case of Novozymes A/S." IEEE.
11. PMI, Ed. (2004). A Guide to the Project Management Body of Knowledge, Third Edition. Project Management Institute.
12. Pressman, R. (2000). Software Engineering: A Practitioner's Approach, 5th Edition.
13. Rad, F., Ed. (2002). Project Estimating and Cost Management. Management Concepts, Vienna, VA.
14. Shank, G. (2002). Qualitative Research: A Personal Skills Approach. Merrill Prentice Hall, New Jersey.
15. Smolander, K., Lyytinen, K., Tahvanainen, V.P., Marttiin, P. (1991). "MetaEdit: A Flexible Graphical Environment for Methodology Modelling." Advanced Information Systems Engineering, 3rd International Conference, CAiSE '91, Lecture Notes in Computer Science, Vol. 498. Springer, Trondheim, Norway: 168-193.
16. Sommerville, I., Ed. (2001). Software Engineering. Addison-Wesley, Harlow, England.
17. Sommerville, I. (2005). "Integrated Requirements Engineering: A Tutorial." IEEE Software.
18. Standish, T.G. (2003). "Latest Standish Group CHAOS Report Shows Project Success Rates Have Improved by 50 Percent."
19. Winter, R., Schelp, J. (2008). "Enterprise Architecture Governance: The Need for a Business-to-IT Approach." ACM.
20. Yin, R. (1994). Case Study Research: Design and Methods (2nd ed.). Beverly Hills, CA: Sage Publishing.