IT Governance Overview - ISACA · 2015-12-14
TRANSCRIPT
IT Governance Overview
December 7, 2015
© 2015 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Here with you today
Tom Johnston, CISA, CISM, CGEIT, CRISC, Director – IT Audit and Assurance, (216) 875 [email protected]
Brian Greenberg, CISA, Director, IT Advisory, (216) [email protected]
www.kpmg.com
Today’s Objectives
By the end of this session, you should be better able to:
● Define IT governance including its supporting components and frameworks
● Understand how stakeholder expectations from IT are changing and how these changing expectations are impacting the IT organization
● Describe the benefits of effective IT governance
● Identify pain points and triggers that indicate a need for IT governance improvements or change
● Describe characteristics and use of governance models and RACI for decision-making
● Understand how CIOs can overcome this disruption with a new operating model for IT
● Recognize the characteristics of top performers in IT governance
Corporate Governance
The framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company’s relationship with all its stakeholders (financiers, customers, management, employees, government and the community).
IT Governance
Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
Data Governance
Data governance is a control that ensures that the data entry by an operations team member or by an automated process meets precise standards, such as a business rule, a data definition and data integrity constraints in the data model. The data governor uses data quality monitoring against production data to communicate errors in data back to operational team members, or to the technical support team, for corrective action. Data governance is used by organizations to exercise control over processes and methods used by their data stewards and data custodians in order to improve data quality.
Defining IT Governance
There are many definitions, but consistent themes throughout
IT Governance is a process for managing and controlling the use of technology to create value for the organization. Effective IT Governance improves IT quality, which affects every business process in the organization.
- AMR Research
An integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.
- IT Governance Institute
Structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
- ISACA
The assignment of decision rights and the accountability framework to encourage desirable behavior in the use of IT.
- Peter Weill and Marianne Broadbent, MIT Sloan School of Business
Three Primary Drivers for IT Governance Design
Organizational Alignment – The need to align control of IT with decision making authority in the business
Strategic Alignment – The need to engender the behaviors for IT to deliver the enterprise vision and associated strategies
Returns on IT Investment – The need to ensure that the returns on IT investments are maximized across the enterprise
IT Governance
The IT governance framework, operational processes and governance activities can be represented as follows:
[Diagram: IT Governance]
Governance Framework: Organisational Framework; Strategic Planning; Management committees; Policies & Standards
Operational IS Processes: Solution Dev; Project Mgt; Security Mgt; Availability Mgt; Service Mgt; Financial Mgt; Operations Mgt; IS Audit; Support Mgt; Change Mgt
Process Elements: Performance Management; Risk Management; Resource Management; Communications; Compliance
Governance Framework
The governance framework assists in the implementation of the IS Strategy and the governance of IS.
Organizational Framework – The structures whereby IT reports into / takes direction from the business as well as the organizational structures, roles and responsibilities within IT
Strategic Planning – The process whereby the IT Strategy is developed
Management Structures - The various management structures responsible for deploying the strategy and management of IT – most of these should have participation by representatives of the business
Policies & Standards - The development and implementation of policies and standards for the organization that allow for the standardization and managed development of the IT function
Operational IT processes
These are processes whereby IT is managed on a daily basis. These processes should be designed in such a way as to include IT governance activities that would assist them in operating as designed.
• Solution Development – planning and implementing systems (including applications, databases, and infrastructure)
• Project Management - management of all projects and monitoring system development lifecycles
• Security Management - security tailored to the organization, ongoing assessments, anti-virus, firewalls, intrusion detection
• Availability Management - Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP)
• Service Management - Service Level Agreements (SLAs), managing third-parties, user satisfaction surveys
• Financial Management - budgeting across IT as well as for projects, timekeeping systems
• Operations Management – application, database, network management, back-ups & recovery, batch processing, shift handovers
• IS Audit - integration into internal audit function, IT audit plan, how quickly the organization responds to issues, keeping up to date with audit regulations
• Support Management - service / help desk, incident management, first, second and third line support
• Change Management – change management process, configuration management, authorization, change advisory boards and release management
IT Process Elements
The day-to-day IT governance actions that occur (usually within the operational processes).
• Performance Management – measuring the performance of resources within the organization by means of collating and communicating metrics
• Risk Management - activities to ensure that risks specific to the process are identified and mitigated
• Resource Management - activities to ensure that the correct resources (both people and technology) are assigned to the correct tasks. Recruiting and training of staff, capacity planning
• Communications - activities to ensure that adequate communication takes place both between IT processes as well as between IT and the business
• Compliance - with both external legislation/regulations and internal policies, procedures and standards
Defining IT Governance
A simple and straightforward definition
The ability to sponsor, make and enforce the right IT decisions
• What is the source of leadership? How will progress to desired outcomes be promoted or evangelized?
• What are our core beliefs? What are the policies by which we must abide?
• How are decisions made? Who plays what role? What processes are used?
• What accountabilities and authorities exist? What is measured and by whom? What incentive system is used? How is non-compliance addressed? How are justified exceptions considered?
Defining IT Governance
Components include principles, structure, processes and accountabilities
IT Governance components include principles, structures, processes, and accountability mechanisms employed to guide IT efforts and decision making toward achieving organizational objectives.
Principles – What are the core beliefs and assumptions?
● Statements of belief that are the foundation for directing decision making
● Include policies, standards and guidelines
Structure – How are we organized?
● Governing bodies
● Reporting structures
● Operating charters
Processes – How are decisions made?
● Key types of decisions
● Key inputs and outputs and who supplies and receives input
● Decision processes
● Appeals mechanisms
● Communications
Accountability – Who makes decisions and how are they enforced?
● Roles and responsibilities for IT and business stakeholders
● Performance management and incentives
● Performance reporting
IT Governance Considerations
Principles – What are the core beliefs and assumptions?
■ Statements of belief that are the foundation for directing decision making
■ Include policies, standards and guidelines
Processes – How are decisions made?
■ Key types of decisions
■ Key inputs and outputs and who supplies and receives input
■ Decision processes
■ Appeals mechanisms
■ Communications
Structure – How are we organized?
■ Governing bodies
■ Reporting structures
■ Operating charters
Accountability – Who makes decisions and how are they enforced?
■ Roles and responsibilities for IT and business stakeholders
■ Performance management and incentives
■ Performance reporting
Example IT Governance Components
Principles
CLIENT SAMPLE
A set of overarching principles will guide our IT governance efforts
Achieve a powerful growth strategy
• Create major strategic cross-division investments
• Exploit leverage and synergy across the group
• Make the whole greater than the sum of the parts
Operate effectively at low cost
• Reduce duplication and redundancy
• Manage risks across the group
• Create and manage shared utilities
Stimulate innovation and “stretch”
• Inject new ideas and stimulate fresh thinking
• Create stretching targets to build skills
• Prepare the organization as a whole for the new world
Example IT Governance Components
Structure
CLIENT SAMPLE
Our new IT governance structure is comprised of three tiers to manage funding, prioritization and delivery
Governance Structure
I. Investment Committee (Quarterly)
♦ Govern budgeting and ongoing approval of new funding (IT spend)
♦ Approve and re/prioritize project pipeline that crosses multiple Programs
♦ Provide a receiver view
II. Steering Committee (Monthly)
♦ Govern ongoing approval and re/prioritization of project pipeline within assigned budget, and new requests of $250K (IT spend) and over within each Program; if additional funding is required, requests are escalated to the Investment Committee
♦ Aligned to a business lead at the Program or Initiative level and prioritization takes place within the business’ budget
♦ Address issues escalated from Working Groups
♦ Monitor performance and value realization of work effort
♦ Offer a provider view
III. Working Groups (Weekly/biweekly as necessary)
♦ Current meetings that allow business sponsors, IT leads and Project Managers to define IT priorities, short term project efforts and address any tactical delivery issues
♦ Manage incoming requests of under $250K within the established budget
♦ Necessary if the Steering Committee is too broad
[Diagram labels: Investment Committee (By Division); Sponsor; Steering Committee (By Program); Working Group: Periodic Review and Prioritization Meetings Between Business and IT (By Initiative, or Project); New Governance Bodies; Ad-hoc meetings in practice]
Example IT Governance Components
Processes
CLIENT SAMPLE
We’ve designed a comprehensive planning and approval process for managing newly submitted requests
[Flowchart: Project Planning and Approval Process. Roles: Business & IT; BA; Program Lead; PM; Steering Committee; Investment Committee. Steps: Submit New Request; Define Business Requirements; Estimate Costs and Duration; Staff/Schedule Projects; Manage Delivery of Projects. Decision points: Adequate Information Provided?; Accept for Definition?; Accept for Scheduling?; Is the Request Within Budget?; Reallocate Funding?; Provide Additional Funding? Outcomes: Request Closed; Reject; Reallocate; Additional Funding Approved; Additional Funding Rejected; Capability Enhancement/Support]
Notes:
• The planning process is outside of the annual budget process.
• Does not include detailed SDLC processes during “Manage Delivery of Projects.”
Example IT Governance Components
Accountability
CLIENT SAMPLE
Clear definition of standardized roles and responsibilities is a key characteristic of a high performance IT operating model
Individual Roles and Responsibilities – RACI Diagram
[RACI matrix. Roles: Project Manager; CTO; Business Sponsor; Program (X) Lead; Line of Business Lead & COO. Activities: Prioritize IT Project Pipeline Across Projects; Prioritize IT Project Pipeline Within Projects; Manage Budget and Headcount; Develop IT Budget (for Program); Fund IT Budget (for Program); Define IT Strategic Direction (for Program); Define Resource Allocation Across Portfolio; Resource Hiring; Develop Project Plan and Execute IT Projects; Staff Time Sheet Review and Approval. Column groups: Business and IT Collaborate; IT Line Management. Legend item: Key relationships]
C C I C R C R C R R
R R R R C R A A & R A A
A A R C C A C C C C
C I C C A I I C C I
C C A A C C I I I I
A: Accountable. The individual who is ultimately accountable for a decision or action; includes yes/no and power of veto. Only one accountable person is assigned to a task.
R: Responsible. Individuals who perform a task (doer responsible for execution / action). The degree of responsibility is defined by the accountable person. Responsibilities can be shared.
C: Consulted / Participated. Individuals to be consulted prior to a final decision or action being taken. Two way communication.
I: Informed. Individuals to be Informed after a decision or action is taken.
CLIENT SAMPLE
[Sample report: Super Initiative Scorecard. Header fields: Super Initiative; Business Sponsor; Technology Manager; Business Head; CTO; COO. Sections: Super Initiative Overview (Description; Business Drivers; Highlights from the Past Month); Financial Summary (thousand of $), with Actuals / Budget / Var for YTD and Forecast / Budget / Var for Full Year, covering New Development, Discretionary Enhancements, Lights On and Total; Key Projects (Sponsor Desk; Deliverable Date, Current and Orig; RAG Status, Current and Prior; % Complete; RAG Explanation / Accomplishments); Deliverables (Completed Milestones / Deliverables); Issues & Risk (Description of Risk; Grade; Mitigation Action); Monthly Change Request Activity (New Funding Requests; Scope Change; Req Date; Effort (Days); Comments); Metrics (Projects Delivered on Time (x/y); Projects Reprioritized; Dates changed in the last period). RAG Legend: on track to meet; potential for slippage exists, managing issues & mitigating; slippage exists or near certain, escalation. Sample entries use placeholder values such as "Desk Name", "Project 1" to "Project 4" and "XXXX".]
Defining IT Governance
A sample of the many frameworks and guides to address components of IT governance
ISO 38500 – ISO’s IT Governance Framework for Board and C-level executives and decisions.
COBIT 5.0 – ISACA’s Control Objectives for IT. Relevant to audit of IT management, controls and operations related to financials.
VAL IT 2.0 – ISACA’s framework for the governance of IT investments. Principles and processes are used for IT portfolio management.
Balanced Scorecard – Strategic Management System developed by Kaplan/Norton. Involves joint strategy development and performance metrics.
Applied Information Economics – Uses value ranges and probabilities to rank investments within an IT system/application portfolio.
Earned Value Management – A way of comparing what work is completed against time and budget. Used at NASA and all Federal government agencies on external projects.
ITIL – A set of concepts and practices for IT services management, development and operations. Provides comprehensive checklists, tasks and procedures.
PMBOK – PMI’s Project Management Body of Knowledge. A tactical guide for planning and executing projects.
Prince2 – A structured, process-driven approach to project management (not just for IT).
FISMA – A framework for managing information security that must be followed for all information systems used or operated by or on behalf of a U.S. federal government agency.
Total Quality Management – Seeks to put quality awareness in all organizational processes. Focus is on satisfaction, continuous improvement and long term results.
Six Sigma – A business management strategy which seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors).
Lean IT – Principles whose central concern, applied in the context of IT, is the elimination of waste, where waste is work that adds no value to a product or service.
ISO 20000 – Promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements. Complements ITIL and COBIT.
RISK IT – ISACA’s framework to assist enterprises to identify, govern and manage IT-related risks.
ISACA’s IT Governance – Two guides which provide guidance over the implementation and continuing improvement of IT governance.
Benefits of IT Governance
It’s about more than just control
Managing / Controlling
• Improved accountability over IT
• More transparency of risk, return and performance for IT decision-making
• Efficient management of IT processes and resources
• Encourages desired behaviors in the use of IT
Value
• Better alignment of business and IT goals
• Increased buy-in from executives for IT direction and investments
• Improved business value of IT
• Enables higher levels of IT service and enterprise performance
Typical IT Governance Pain Points
The need for improved IT governance can manifest itself in many ways
Poor Investment Management
• Increasing costs
• Lack of business value of IT (real or perceived)
• Hidden or rogue IT spending
Performance Issues
• Failing initiatives – over budget, behind schedule or not meeting objectives
• Significant incidents related to IT risk, such as data loss or network outages
• Failure to meet regulatory or contractual requirements
• Limited IT innovation and business agility
• Business dissatisfaction or a reluctance to engage with IT
Ineffective Use of Resources
• Duplication or overlap between initiatives or wasting of resources
• Insufficient IT resources, staff with inadequate skills, staff burnout, or dissatisfaction
• Vendor service delivery problems, such as agreed service levels consistently not being met
IT Governance Models
Not one size-fits-all, but benefited by a balanced approach
[Figure: IT Governance Model, spanning Centralized, Federated and Decentralized. Labels: Scale economies; Control of standards; Critical mass of skills; Enterprise priorities over divisional priorities; Some divisional needs unmet; No divisional control of central overhead costs; No divisional ownership of systems; Balance of IT priorities; Enterprise perspective; Pooling of divisionally responsive competencies; Responsive to divisional needs; Reinvention of wheels; Inconsistent competence and quality across the enterprise; Missed synergies and scale economies; Excessive overall costs to the enterprise]
IT Governance Models
Rethinking the IT Governance Model – an Example (1/4)
CASE EXAMPLE
The current divisional approach to governing IT has served Juno adequately in the past but is no longer sustainable
● There is substantial overlap and duplication of IT activities, resources and spend
− Reuse and sharing of IT assets are the exception
● Multiple, incompatible application systems have been built to support similar products and business processes across different divisions
− Major new investments are being made in overlapping areas
● Infrastructure solutions have been locally optimised, ignoring potential efficiencies at the regional and group level
− Significant potential to achieve economies of scale is not being exploited
● There is no common IT strategy or architecture around which to align projects and investments
● Processes to align divisional and enterprise priorities are missing
● No mechanisms exist to identify, encourage and, where necessary, enforce cross-divisional collaboration
Note that “Juno” is a fictitious name
These are as much issues for the business as they are for IT.
IT Governance Models: Rethinking the IT Governance Model – an Example (2/4)
Today’s IT governance issues are serious. Economic performance is being negatively impacted, and effective execution of enterprise business strategies is at risk.
Implications for Juno
• Missing opportunities to exploit economies of scale
• Struggling to implement enterprise strategies
• Wasting money through duplicating solutions
16-May-01 Draft – For Discussion Purposes
The current local approach to governing IT has served Juno adequately in the past but is no longer sustainable.
• There is substantial overlap and duplication of IT activities, resource and spend
– Reuse and sharing of IT assets are the exception
• Multiple, incompatible application systems have been built to support similar products and business processes across different divisions
– Major new investments are being made in overlapping areas
• Infrastructure solutions have been locally optimised, ignoring potential efficiencies at the regional and group level
– Significant potential to achieve economies of scale are not being exploited
• There is no common IT strategy or architecture around which to align projects and investments
– Processes to align divisional and enterprise IT priorities are missing
• No mechanisms exist to identify, encourage and where necessary, enforce cross-division IT collaboration
These are as much issues for the business as they are for IT.
IT Governance Models: Rethinking the IT Governance Model – an Example (3/4)
A three-point approach will address these issues and position Juno IT to enable implementation of key business strategies and deliver greater value.
Converge through common solutions: Put in place the enablers to allow an increasing number of common IT solutions to be conceived, created, rolled out and managed
Exploit our Scale: Speed up solution delivery, and reduce IT development and operational costs by exploiting economies of scale and introducing best-in-class practices at an enterprise level
Collaborate to leverage assets & resources: Introduce the governance and organization to ensure resources and investments are effectively leveraged across the group in line with business strategies
• Agreed architectures and standards
• Aligned local & enterprise IT strategies
• Leveraged development through IT solution centers
• Rationalized IT operations and procurement
• Collaborative IT governance by IT executives with a mandate for achieving shared goals
• An issues-driven agenda
• Divisions with IT representation and guidance
CASE EXAMPLE
IT Governance Models: Rethinking the IT Governance Model – an Example (4/4)
Three primary options exist for how IT may be governed in the future.
Primary IT Governance Models
Divisional Flexibility Model
• Division-developed IT strategies & architectures with suggested group standards
• Solutions delivered through division-managed IT units
• IT operations division managed
• Vendor relationships locally-managed
• Knowledge and resource sharing encouraged
Collaborative Model
• Aligned IT strategies
• Common, agreed architecture & standards
• Divisional IT for divisional solutions & common solution integration
• Shared IT solution centres for common solutions
• Shared IT operations managed on enterprise basis
• Enterprise vendor contracts
• A forum to institutionalise collaboration
• Rewarded collaboration & discouraged divergence
Enterprise Consistency Model
• Single Juno IT strategy
• Architecture & standards centrally mandated
• Solution design centrally-driven
• Solution delivery centrally-managed
• IT operations centrally-managed
• Vendor relationships and procurement centrally-managed
• Centrally-managed assets and resources
Converge through common solutions
Collaborate to leverage assets and resources
Exploit our Scale
CASE EXAMPLE
Positioning IT to Enable Execution of Key Business Strategies
Approach to Address Key Governance Issues
Converge through common solutions: Put in place the enablers to allow an increasing number of common IT solutions to be conceived, created, rolled out and managed
Exploit our Scale: Speed up solution delivery, and reduce IT development and operational costs by exploiting economies of scale and introducing best-in-class practices at a regional level
Collaborate to leverage assets & resources: Introduce the governance and organisation to ensure resources and investments are effectively leveraged across the group in line with business strategies
• Agreed architectures and standards
• Aligned local & regional IT strategies
• Leveraged development through shared facilities
• Rationalized IT operations and procurement
• Collaborative IT governance by IT executives with a mandate for achieving shared goals
• An issues-driven agenda
• IT standards with IT representation and guidance
ILLUSTRATIVE
Three Primary Options for Global IT Governance
Primary IT Governance Models
Local Flexibility Model
• Locally-developed IT strategies & architectures with suggested group standards
• Solutions delivered through locally-managed IT units
• IT operations locally managed
• Vendor relationships locally-managed
• Knowledge and resource sharing encouraged
Collaborative Model
• Aligned IT strategies
• Common, agreed architecture & standards
• Local IT for local solutions & common solution integration
• Shared IT solution centres for common solutions (may be MF-hosted)
• Shared IT operations managed on regional basis
• Regional vendor contracts
• A forum to institutionalise collaboration
• Rewarded collaboration & discouraged divergence
Enterprise Consistency Model
• Single IT strategy
• Architecture & standards centrally mandated
• Solution design centrally-driven
• Solution delivery centrally-managed
• IT operations centrally-managed
• Vendor relationships and procurement centrally-managed
• Centrally-managed assets and resources
Converge through common solutions
Collaborate to leverage assets and resources
Exploit our Scale
ILLUSTRATIVE
Primary Global Governance Models for IT
Local Governance: “Local Flexibility Model”
Optimize for:
• Local responsiveness
• Flexibility and choice
Representative Practices:
• Locally-developed technology strategies
• Local architectures with suggested enterprise standards
• Technology solutions delivered through locally-managed units
• Technology operations locally managed
• Vendor relationships locally-managed
• Knowledge and resource sharing encouraged
Hybrid Governance: “Collaborative Model”
Optimize for a sensible and pragmatic balance
Representative Practices:
• Aligned technology strategies
• Common, agreed architecture & standards
• Local technology for local solutions & common solution integration
• Shared solution centers for common technology solutions
• Shared technology operations managed on global basis
• Combination of local and global vendor contracts
• Institutionalized collaboration
• Discouraged divergence
Enterprise-driven Governance: “Enterprise Consistency Model”
Optimize for:
• Economies of scale
• Lowest enterprise risk
• Global synergies
Representative Practices:
• Single ITS@KPMG strategy
• Architecture & standards centrally-mandated
• Technology solution design centrally-driven
• Technology solution delivery centrally-managed
• Technology operations centrally-managed
• Vendor relationships and procurement centrally-managed
• Centrally-managed assets and resources
Primary Global Governance Models for IT (Further details)
Illustrative Governance Models
Local Flexibility
Optimizes local control and responsiveness
• Locally-developed technology strategies considering enterprise priorities
• Locally-managed business and IT relationships
• Local architecture and standards, considering global suggestions
• Global standards limited to enterprise systems and firm-wide mandates
• Solutions delivered by locally-managed firms, e.g., member firm or regional collective
• Technology solutions designed and developed locally for local needs and priorities
• Solution IP owned locally
• Locally-managed technology operations and services
• Vendor relationships and procurement locally-managed
• Knowledge and resource sharing encouraged
Enterprise Consistency
Optimizes for enterprise scale and synergies
• Single, global strategy
• Centrally-managed relationships with functional representatives
• Centrally-mandated architecture & standards
• Solutions delivered centrally; consistent globally
• Centrally designed and developed technology for globally-represented needs
• Solution IP owned at global level
• Globally-managed service level agreements with limited flexibility for local preferences and willingness to pay
• Globally-managed vendor relationships and procurement
• Centrally-managed assets and resources
Traditional Federated
Optimizes for balance of enterprise scale/synergy and response to local needs
• Aligned technology strategies
• Primarily local business and IT relationships, coordinated globally
• Common, agreed architecture & standards; limited global mandates
• Local technology for local solutions
• Enterprise solutions delivered by global directly or via globally-managed regional facilities
• Global design for common and enterprise solution; local design and development for local
• Shared solutions delivered by global directly or via globally-managed regional facilities
• Combination of local and global vendor relationships and procurement
• Leverage global vendor contracts for local use
• Institutionalized collaboration, with global coordination
• Discouraged divergence
Representative Leading Global IT Governance Practices (1/2)
IT strategy and planning
• Clear and globally-consistent process for annual IT planning integrated with a clear and globally-consistent business planning process (including roles, responsibilities, accountabilities)
• Globally-consistent and centrally enforced business case process
Business liaison and relationship
• Business-knowledgeable yet IT-savvy representatives from IT to serve as trusted advisors to the business
• Balance of corporate, process-owner, regional and local liaisons
Architecture and tools standardization
• Global business architecture with clear definition of elements that are common, shared or local
• Globally-defined standards for all levels of data, infrastructure, applications and methods (e.g., development)
• Exception process defined and waivers approved by central group
• Migration plans to standards approved by senior management and funded to reduce first-mover penalties
Demand and service management
• Formal, regular process for prioritizing systems modifications and major enhancements
• Clear guidelines on release scope (to prevent over-enhancing older applications)
• User-driven process to review demand backlog, priorities, and make tradeoffs
• User-driven signoff on scope, charter, acceptable completion
• Project post-mortem reviews, including peer review (e.g., cross-BU, cross-region)
• Global definition and management of IT performance metrics
ILLUSTRATIVE
Representative Leading Global IT Governance Practices (2/2)
Resource allocation and prioritization
• Formal annual process, integrating global IT investments and spending
• Forced prioritization of highest priority and returning projects and investments
• Identification of scope overlap and integration issues
• Centrally-controlled program management for common or cross-BU investments and initiatives
• Straightforward yet fair mechanism to share costs across BUs (e.g., shared development, solution centers)
People skills and capacity management
• Full global view of skills and functions by geography, business, central and vendor
• Activity utilization of all employees and service providers
• Consistent training and development program
• Active sharing of people for skills transfer and development
Vendor and procurement management
• Globally consistent performance metrics for providers, aligned with corporate objectives
• Centralized negotiation of software, services, hardware, and network contracts for common or shared elements
• Global inventory of all contracts with targeted expiration dates and plans to centralize
Knowledge Management
• Centrally-managed knowledge capture and sharing
• Centrally funded and managed incentives to share
ILLUSTRATIVE
Sample Company Example
Example
Business Information (BI) – Governance Operating Approach
VISION
Reporting Strategy Is Aligned To The Enterprise Business Needs And Value Drivers
• Vision and strategy is widely understood and accepted
• Key Metrics are defined, mapped to key business drivers and include leading indicators
• Reporting information drives decision making
• System investments are fully aligned with defined business drivers and priorities.
Information Oversight Is Clearly Defined And Managed
• Clear ownership and accountability for information, processes, and business rules
• Formalized change management
• Systematic controls and governance
• Sound data quality and integrity
• Standardization of business rules and calculations.
Information Is Utilized To Predict Economic Performance And Engineered To Help Manage Threats
• Insight into execution of strategy with visibility into cause and effect relationships
• Performance is predictable
• Risks are identified and reported early
• Leading indicators provide diagnostic perspective of the business.
Single, Integrated Repository For Facts And Data
• Single version of the truth with common, consistent taxonomy
• Standard reporting views
• Standard metrics / key performance indicators (KPIs)
• Centralized, enterprise wide reporting framework / platform that is scalable
• Consistent, timely, accurate information
• Help maximize the value of aggregating customer-specific information.
Thorough Integration Of The Reporting Framework
• Thorough integration of financial and management reporting domains
• Streamlined reporting and analysis process
• Automated workflow
• Automation of manual activities (where appropriate).
Reporting Governance is one element of the larger Reporting Strategy
The following components should be implemented to create a strong reporting governance model
Enables JCI to centrally control change requests which will proactively drive continuous improvement
Drives business decisions and actions to achieve desired results
Establishes a process to coordinate and manage reports across multiple systems and business units
Manages maintenance and best practices to ensure complete and accurate reports that can be utilized across the organization
Reporting Governance
Representation from Business, IT, Process, and Report Owners
Clear and transparent processes for the maintenance of the reporting strategy
Reporting Demand Management
Reporting Standard Operating Procedures
Clear Criteria for Prioritization
Escalation Paths and Timeliness (SLA)
Reporting and Data Usage Policies
Reporting Continuous Improvement
Ensuring agreed to prioritization and consistent communication with stakeholders
Program Buy-In
Communication Plan
Program Communication Communication
Automated Workflow
Escalation Procedures
Change Champions
Roles and Responsibilities
Governing Body Roles and Responsibilities
Formalized Interactive Relationships
Governance Program
Vision and Objectives Charter Meetings, Artifacts, and Cadence
Governance Organization
Processes and Procedures
Change Management
Governing bodies reinforce efforts for consistent systems and processes
Standard Reports
Availability and Use of Data
Reporting Systems
Metric Alignment Across JCI Business Units
Reporting Definitions, Terminology and Rules
Departmental Reporting Processes
Reporting Controls
Reporting Elements
In process
To be completed
Governance Organization
Maintain the integrity of enterprise reporting while ensuring renewed alignment to JCI decision priorities
■ Reporting strategy
■ Business requirements
■ Standard tool set
■ Standards enforcement policy
■ Change management process and exceptions
Establish…
■ Purpose
■ Guiding principles
■ Authority
■ Scope
■ Mission
■ Ownership
■ Accountability
■ Performance measurements
■ Operating procedures and rhythms
Define…
Key
Executive Sponsors
Reporting Governance Board (RGB)
Data Super Users
Data Users
Executive Sponsors
Who: Financial/Operational Reporting, BU Leadership and Internal Audit
Manage: Reporting Governance Board; Certification of financial statements; Funding; Escalated change requests
Govern: Executive decisions
Data Super Users
Who: Department data super users as identified by program stakeholders
Manage: Report execution; Staff productivity and report quality; User access to reporting system
Govern: Control compliance; Materiality thresholds; Policy adherence
Data Users
Who: Reporting users within AE, BE, PS, and Corp
Manage: Report creation; Ad-hoc reporting
Govern: Control and task execution
Reporting Governance Board (RGB)
Who: Department Leaders, Information Security, IT/Infrastructure, MDM, EBPOs
Manage: Master listing of reports; Responsibility roster; Listing of reporting activity by department and role (w/ priority and alternate); Change communication plan
Govern: Business rule compliance; Consistency; Calculation and standardization policies
Governance roles and responsibilities permeate the organization at all levels
Roles and responsibilities clearly define ownership and expectations of the governing bodies
Role: Executive Sponsors
Responsibilities: Set policy, champion policy compliance, serve as ultimate authority
Primary Activities:
■ Provide vision and direction for reporting governance
■ Provide high level definition of enterprise reporting governance and communication policies
■ Assist with communicating policy changes across the enterprise
■ Approve or deny change requests escalated by the Reporting Governance Board
Role: Reporting Governance Board
Responsibilities: Review and prioritize requests/issues. Approve with Enterprise constituents; Communicate changes; Help manage Change
Primary Activities:
■ Meet regularly to review change requests submitted by Data Super Users
■ Prioritize incoming requests based on business need and identify if impact analysis needs to be done; assign tasks as needed
■ Approve or deny requests based on the reporting governance policy defined by Executive Sponsors
■ Escalate requests to Executive Sponsors when a consensus cannot be reached or the change conflicts with existing policies
■ Communicate request status, impact, and priority to all affected parties in accordance with the reporting communication policy
■ Update governance and communication policies in accordance with Executive direction
■ Maintain central repository of requests and provide tracking statistics (i.e., total number of requests, number open, number approved, etc.).
Role: Data Super Users
Responsibilities: Gatekeeper of the Department; Determine validity of requests, Qualify the need, escalate to RGB if need is appropriate
Primary Activities:
■ Determine if user requests have business value and escalate to appropriate governing body as needed
■ Prioritize reporting and data requests within their departments
■ Consistently interact and collaborate with RGB, technical architects, developers and testing teams
■ Be able to communicate business requirements to technical developers and be able to translate technical solutions to the business user community.
Role: Business Data Users
Responsibilities: Report/Data user, communicate needs/issues.
Primary Activities:
■ Request additional reports/report modifications using defined criteria from the RGB
■ Participate in the report development process (requirements gathering, user testing)
■ Communicate reporting and data issues to assigned Data Super User; provide documentation as required.
Data Super Users and the Reporting Governance Board use objective-driven criteria for the prioritization of requests from Data Users
Future Focused
Efficient
Effective
Responsive
Materiality of Risk
Reporting Objective: Can respond to changing information needs in a rapidly growing and changing organization
Request Criteria: How will this impact the way we manage our global business to execute our future vision?
Reporting Objective: Recognizes needs of internal customers both at Corporate and local level and balances priorities of multiple stakeholders
Request Criteria: Will the change enhance reporting flexibility to meet the needs of multiple parties, not just one BU?
Reporting Objective: Determines the level of significance which considers risk and impact of instituting change
Request Criteria: Will not making the change jeopardize data integrity, causing management to make decisions based on inaccurate information?
Reporting Objective: Drives availability of information needed for business decisions across business units and projects to deliver results quickly
Request Criteria: Do the benefits of instituting the change outweigh future costs?
Reporting Objective: Able to drive change balancing the needs of a range of stakeholders
Request Criteria: Does this increase accuracy and productivity through automation reducing manual processes?
MIT Governance Study: Characteristics of Top Performers
Top IT governance performers had:
• More managers in leadership positions who could accurately describe governance arrangements
• More involvement of senior leaders in IT governance
• Clearer business objectives for IT investment
• Business strategies focused on customer intimacy and/or product innovation
• Fewer renegade exceptions
• More exceptions through a formal exception process
• Fewer changes in governance from year to year
MIT Governance Study: Governance Mechanisms of Top Performers
Top IT governance performers had highly effective:
• Process teams with IT members
• IT leadership committees comprising IT executives
• Service level agreements
• Web based portals
• Executive and senior management committees (i.e., CxOs)
• Formal tracking of the business value of IT
• Business/IT relationship managers
• Capital approval committees
• Tracking of IT projects and resources consumed
• IT council with business and IT executives
Tom Johnston, CISA, CISM, CGEIT, CRISC
Director – IT Audit and Assurance
KPMG
Brian Greenberg
Director – Advisory Services
KPMG