Making sense of IT Governance - PowerPoint PPT Presentation

About This Presentation
Title:

Making sense of IT Governance

Description:

Making sense of IT Governance: the implications of King III. Presenter: Marlene Badenhorst (ACIS). The Research Objective was to assess the extent to which known ...

Slides: 31
Provided by: MarleneBa2

Transcript and Presenter's Notes

Title: Making sense of IT Governance


1
Making sense of IT Governance
  • the implications of King III
  • Presenter: Marlene Badenhorst (ACIS)

2
Content
  • Research objective and research question
  • Definitions of IT governance
  • Literature review of selected Codes, Frameworks,
    Standards and Best Practices
  • Assessment of the current industry application of
    governance concepts
  • A generic governance framework for IT governance
    and the governance of outsourcing
  • Conclusion

3
Research objective and research question
  • Research Objective
  • Literature review and IT governance efficiency
    survey to assess:
  • Do known reference models, frameworks and
    standards address governance requirements of ICT
    outsourcing companies?
  • Current status of IT governance practices.
  • Research Question
  • Can a generic governance framework be formulated
    to address these requirements?

4
What is IT Governance?
  • It is ...
  • the responsibility of the board and executive
  • It consists of...
  • The leadership, organisational structures and
    processes...
  • to ensure that the enterprise's IT...
  • sustain and extend organisational strategies and
    objectives.

Source: ITGI
5
Enterprise governance drives IT governance
  • Enterprise governance is about
  • Conformance
  • Adhering to legislation, internal policies, audit
    requirements, etc.
  • Performance
  • Improving profitability, efficiency,
    effectiveness, growth, etc.

Enterprise governance and IT governance require a
balance between conformance and performance goals
directed by the board.
Source: ITGI
6
What is the governance of outsourcing?
  • The responsibilities, roles, objectives,
    interfaces and controls required...
  • to anticipate change and ...
  • manage the introduction, maintenance,
    performance, costs and control of third-party
    provided services.

Source: ITGI
7
Literature review of selected codes, frameworks,
standards and best practices
8
King III requirements: the link between IT
governance practices and law
  • Directors' duty of care: ensure prudent and
    reasonable steps are taken re IT governance.
  • Corporate governance practices, codes and
    guidelines lift the bar of what are regarded as
    appropriate standards of conduct.
  • Failure to meet a recognised standard of
    governance, albeit not legislated, may render a
    board or individual director liable at law.

9
King III requirements: IT governance
  • IT governance...
  • is the responsibility of the board
  • should be an integral part of enterprise
    governance structures
  • should be owned by the board.
  • The board must set the management direction.
    Required to...
  • assume a more significant role in terms of IT
    governance, and
  • insist on establishment of an IT governance
    management framework
  • To be based on a common approach, e.g. COBIT.

10
King III requirements: IT Governance focus areas
  • IT governance should focus on four key areas
  • strategic alignment with business
  • value delivery
  • risk management and
  • resource management.

11
King III requirements: IT Governance focus areas
  • IT governance should focus on four key areas
  • strategic alignment with business
  • value delivery
  • risk management and
  • resource management.

COBIT focus areas
Source: ITGI
12
Context: Best Practices
Source: own source
13
Context: COBIT and VAL IT
The strategic question
The value question
VAL IT
COBIT
The architecture question
The delivery question
Source: Thorpe, cited by ITGI
14
Industry application of governance concepts
15
Status: IT Governance Best Practice Implementation
Source: ITGI/Lighthouse survey 2005
16
Generic governance framework for IT and
outsourcing
17
Generic governance model
Source: own source
18
Generic process model
Support processes
Source: own source
19
IT governance interrelationships (service
provider perspective)
Board of Directors
IT Strategy Committee
Audit Committee
Compensation Committee
Business Strategy Committee
Finance Committee
CEO
CFO
Compliance, Audit, Risk & Security (CARS)
IT Steering Committee
Sales & Marketing
IT Architecture Review Board
Technology Council
Account Management
Business Executives
Programme Management Office (PGMO)
HR
CIO
Process Oversight Committee
IT
Source: ITGI, own source
20
IT governance interrelationships (service
provider perspective)
Board of Directors
IT Strategy Committee
Audit Committee
Compensation Committee
Business Strategy Committee
Finance Committee
CEO
Investment Services Board (ISB)
CFO
Compliance, Audit, Risk & Security (CARS)
Value Management Office (VMO)
IT Steering Committee
Sales & Marketing
IT Architecture Review Board
Technology Council
Account Management
Business Executives
Programme Management Office (PGMO)
HR
CIO
Process Oversight Committee
IT
Source: ITGI, own source
21
Conclusion
  • Best practices not widely adopted
  • Significant room for improvement in most
    companies' IT governance domain
  • Governance best practices address outsourcing
    governance only to a limited extent
  • A focussed effort is required by SA companies to
    ensure compliance with the King III principles for
    good IT governance
  • The generic framework that has been formulated
    addresses the need for an integrated approach to
    IT governance

22
(No Transcript)
23
Backup slides
24
COBIT and Other IT Management Frameworks
Organisations will consider and use a variety of
IT models, standards and best practices. These
must be understood in order to consider how they
can be used together, with COBIT acting as the
consolidator (umbrella).
COSO
ISO 27002
COBIT
ISO 9000
ITIL
WHAT
HOW
SCOPE OF COVERAGE
Source: ITGI
25
Where Does COBIT Fit?
CONFORMANCE: Basel II, Sarbanes-Oxley Act, etc.
PERFORMANCE: Business Goals
Drivers
Balanced Scorecard
Enterprise Governance
COSO
COBIT
IT Governance
ISO 9001:2000
ISO 27002
ISO 20000
Best Practice Standards
QA Procedures
Security Principles
Processes and Procedures
ITIL
Source: ITGI
26
COBIT Framework
BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES
COBIT FRAMEWORK
INFORMATION
  • Integrity
  • Efficiency
  • Effectiveness
  • Availability
  • Compliance
  • Confidentiality
  • Reliability
IT RESOURCES
  • Applications
  • Information
  • Infrastructure
  • People
PLAN AND ORGANISE
  • PO1 Define a strategic IT plan.
  • PO2 Define the information architecture.
  • PO3 Determine technological direction.
  • PO4 Define the IT processes, organisation and
    relationships.
  • PO5 Manage the IT investment.
  • PO6 Communicate management aims and direction.
  • PO7 Manage IT human resources.
  • PO8 Manage quality.
  • PO9 Assess and manage IT risks.
  • PO10 Manage projects.
ACQUIRE AND IMPLEMENT
  • AI1 Identify automated solutions.
  • AI2 Acquire and maintain application software.
  • AI3 Acquire and maintain technology
    infrastructure.
  • AI4 Enable operation and use.
  • AI5 Procure IT resources.
  • AI6 Manage changes.
  • AI7 Install and accredit solutions and changes.
DELIVER AND SUPPORT
  • DS1 Define and manage service levels.
  • DS2 Manage third-party services.
  • DS3 Manage performance and capacity.
  • DS4 Ensure continuous service.
  • DS5 Ensure systems security.
  • DS6 Identify and allocate costs.
  • DS7 Educate and train users.
  • DS8 Manage service desk and incidents.
  • DS9 Manage the configuration.
  • DS10 Manage problems.
  • DS11 Manage data.
  • DS12 Manage the physical environment.
  • DS13 Manage operations.
MONITOR AND EVALUATE
  • ME1 Monitor and evaluate IT performance.
  • ME2 Monitor and evaluate internal control.
  • ME3 Ensure compliance with external
    requirements.
  • ME4 Provide IT governance.
Source: ITGI
27
Interrelationship of the COBIT Components
Source: ITGI
28
Dimensions of Maturity
Source: ITGI
29
VAL IT domains and processes
Source: ITGI
30
Road map to IT governance
Source: ITGI