Introducing the IT Governance Model - PowerPoint PPT Presentation

12. International Information System Audit and Control Conference Introducing the IT Governance Model Urs Fischer, CPA (Swiss), CISA, CIA Head of IT Risk Mgmt ... – PowerPoint PPT presentation

Number of Views:196
Avg rating:3.0/5.0
Slides: 76
Provided by: RobertMB5
Category:

less

Transcript and Presenter's Notes

1
Introducing the IT Governance Model
12th International Information System Audit and
Control Conference
  • Urs Fischer, CPA (Swiss), CISA, CIA
  • Head of IT Risk Mgmt & Security, Vice President
  • Swiss Life Group

3
Agenda
  • Why is IT Governance important
  • Why implement IT Governance
  • IT Governance Life Cycle
  • Where to Start
  • Road Map for Implementing IT Governance using
    COBIT®
  • The Swiss Life Way
  • Summary / Conclusions

5
IT Governance
  • Dependence on IT for core business
  • The value of intangible assets
  • IT essential to their creation and maintenance
  • Emerging accounting standards for recording
    intangible assets
  • "A firm is inherently fragile if its value
    emanates more from conceptual as distinct from
    physical assets. Trust and reputation can vanish
    overnight. A factory cannot!" (Alan Greenspan)

6
Process Responsibilities
  • Governance Responsibilities
  • take stakeholder value into account
  • give direction to the processes
  • ensure they provide results
  • ensure they act on the results
  • get results and challenge them

7
Shared Responsibilities
8
Stakeholders apply pressure
9
What is Management Thinking?
Personal visual contact
Uncertainty, Complexity, Growth
"Technology can help fulfil a visionary dream,
but often its use is closer to a sobering
nightmare!" (Vesa Vaino, CEO Merita Bank, SIBOS,
Helsinki, 1998)
"I am writing a book on the history of
Information Technology in order to better
understand why it is such a mess!" (Philippe
Corniou, CIO, Renault, ISACA International
Conference, Paris, 2001)
"IT has been the longest running disappointment
in business in the last 30 years!" (Jack Welch,
Chairman General Electric, World Economic Forum,
Davos, 1997)
10
Why implement IT Governance?
  • Due diligence
  • infrastructure and productive functions
  • skills, culture, operating environment
  • capabilities, risks, process knowledge and
    customer information
  • service levels

Enterprises should be equally inquisitive about
themselves.
11
Criticality
  • IT entails huge investments and large risks
  • The increasing dependence on information and the
    systems and communications that deliver it
  • The dependence on entities beyond the direct
    control of the enterprise
  • IT failures increasingly impacting reputation and
    enterprise value
  • The potential for technologies to dramatically
    change organisations and business practices,
    create new opportunities and reduce costs
  • The need to build and maintain knowledge
    essential to sustain and grow the business

12
Strategic Importance
  • If so, wouldn't you want to know whether your
    organisation's IT is
  • Likely to achieve its objectives?
  • Resilient enough to learn and adapt?
  • Judiciously managing the risks it faces?
  • Appropriately recognising opportunities and
    acting upon them?
  • Why has IT not been
  • addressed
  • requires more technical insight
  • treated as separate entity
  • IT is complex

13
Why is it not being addressed ?
14
The response is IT Governance
15
IT Governance Defined
IT governance is the responsibility of the board
of directors and executive management. It is an
integral part of enterprise governance and
consists of the leadership and organisational
structures and processes that ensure that the
organisation's IT sustains and extends the
organisation's strategies and objectives.
16
Stakeholders
17
IT Governance Framework
DIRECT
  • Objectives
  • IT is aligned with the business and
    maximises benefits.
  • IT resources are used responsibly.
  • IT-related risks are managed appropriately.

IT Activities
PLAN/ORGANIZE, ACQUIRE/IMPLEMENT, DELIVER/SUPPORT, MONITOR
PLAN, DO, CHECK, CORRECT
Manage risks: security, reliability, compliance
Realize benefits: increase automation, decrease costs
(effective, efficient)
REPORT
18
Agenda
19
Lifecycle (1)
20
Life Cycle (2)
21
IT Alignment
  • The Board should drive business alignment by
  • Ascertaining that the IT strategy is aligned with
    the business strategy
  • Ascertaining that IT delivers against the
    strategy through clear expectations and
    measurement
  • Directing IT strategy to balance investments
    between supporting and growing the enterprise
  • Making considered decisions about where IT
    resources should be focused

IT alignment is a journey, not a
destination.
22
Value Delivery (Value Creation)
  • The board should drive alignment to ensure that
    IT delivers value
  • with the business strategy focussing on
    competitive advantage, elapsed time for
    order/service fulfillment, customer satisfaction,
    customer wait time, employee productiveness and
    profitability
  • supported by an IT strategy that delivers on
    time, within budget and with the benefits that
    were promised

IT value is in the eye of the beholder.

23
Risk Management (Value Preservation)
  • The board should manage enterprise risk by
  • Ascertaining that there is transparency about the
    significant risks to the organisation
  • Being aware that the final responsibility for
    risk management rests with the board
  • Considering that a proactive risk management
    approach creates competitive advantage
  • Insisting that risk management is embedded in the
    operation of the enterprise
  • Obtaining assurance that management has put
    processes and technology in place for information
    security

It is the IT alligators that you do not see that
will get you!
24
Resource Management
  • Outsourcing
  • Trusted Suppliers
  • Training
  • Competency
  • Skills development
  • Retention

Recognises the importance of people in addition
to hardware and software
25
Performance Management
Objectives:
  • Demonstrate the value added by the IT Organization
  • Determine the effectiveness of the IT Organization
  • Set guidelines for the IT Strategic plan
  • Communicate and motivate about IT performance
  • Establish IT Management reporting
Key result: The most effective means to achieve IT
and Business alignment
Critical success factor: Approval of the IT Scorecard
by key stakeholders
"If you are playing the enterprise game and not
keeping IT's score, you are only practicing."

26
IT Balanced Scorecard
27
IT Governance Activities
28
Agenda
29
Get informed about
  • Questions Boards and Management should ask
  • Business and IT Outcome Drivers
  • Best practices in IT Governance
  • Business/IT Strategic alignment issues
  • Business and IT Performance Measures
  • IT Strategy Committee
  • Roles and Responsibilities
  • IT Governance Maturity
  • Find out where you are and where you want to be
  • Translate the gap into a simple action plan

30
Questions to Ask
To uncover IT Issues
To Find Out How Management Addresses the IT Issues
To Self-assess IT Governance Practices
  • How often do IT projects fail to deliver what
    they promised?
  • Are end users satisfied with the quality of the
    IT service?
  • Are sufficient IT resources, infrastructure and
    competencies available to meet strategic
    objectives?
  • How well are enterprise and IT objectives
    aligned?
  • How is the value delivered by IT measured?
  • What strategic initiatives has executive
    management taken to manage IT's criticality
    relative to maintenance and growth of the
    enterprise and are they appropriate?
  • Is the board regularly briefed on IT risks to
    which the enterprise is exposed?
  • Is IT a regular item on the agenda of the board
    and is it addressed in a structured manner?
  • Does the board articulate and communicate the
    business objectives for IT alignment?

31
IT Strategy Committee
  • assisting the Board in its IT Governance
    responsibilities
  • incorporating IT Governance into Corporate
    Governance
  • an industry best practice
  • advice on strategy
  • focus on IT value, risks and performance

32
Get Documented (1)
Download from www.itgi.org
33
Get Documented (2)
Download from www.itgi.org
34
Get Documented (3)
Download from www.itgi.org
35
Get Documented (4)
Available from the ISACA Bookstore, www.isaca.org
36
Get Documented (4)
Download from www.itgi.org
37
Agenda
38
Implementation Strategies (1)
  • Management-directed
  • Pluses
  • Management support
  • Approach not clear
  • Audit respect of management
  • Minuses
  • Resources
  • Possible resistance
  • Lack of co-ordination
  • Pressure
  • IT-requested
  • Pluses
  • IT/audit collaboration
  • Control conscience
  • More likely to succeed
  • Minuses
  • Business users missing from implementation
  • Controls for manual processes may be missing
  • Lack of co-ordination

39
Implementation Strategies (2)
  • Audit-mandated
  • Pluses
  • Control focus
  • Improved process
  • Minuses
  • Resistance to audit directive
  • IT and users not part of the process
  • Lack of co-ordination
  • No understanding of resource need
  • Organisationally Co-ordinated and Accepted
  • Pluses
  • Process improvement
  • Controls included
  • All parts of organisation buy in
  • Tools to measure and assess
  • Controls implemented
  • Minus
  • Resource and time

40
The Road Map to IT Governance
41
Link
42
Navigation
Phase
Step
Process Step
43
Example
44
Phase 1 - Identify Needs
45
Phase 2 - Envision Solution
46
Phase 3 - Plan Solution
47
Phase 4 - Implement Solution
48
Agenda
  • Why is IT Governance important
  • Why implement IT Governance
  • IT Governance Life Cycle
  • Where to Start
  • Road Map for Implementing IT Governance using
    COBIT®
  • The Swiss Life Way
  • European Functional IT Governance
  • Maturity Benchmark
  • Summary / Conclusions

49
Agenda
50
Organisation
51
Group Directive on European Functional IT
Governance (1)
  • Defines the fundamental rules governing the
    functional relationship (CTOs and Group IT Mgmt
    at Head Office)
  • Sets Leading governance principles
  • Defines the Governing Bodies and Functions
  • Assigns the responsibilities and authorities
  • In the appendix
  • Governance Principles per COBIT® process
  • Decision matrices

52
Leading Governance Principles
  • Functional IT governance is based on the
    principle of subsidiarity: decisions shall be
    taken at the country level to the maximum extent
    possible.
  • Decisions to be taken at Group level are those
    which
  • are either related to policies/standards in the
    area of operational IT risk and IT security
    management or
  • have material impact on IT costs of two or more
    countries.
  • Those decisions shall be taken after consultation
    of the involved parties (Country CEOs and CTOs)
    and, if possible, on the basis of consensus.

53
Governing Bodies and Functions
  • IT Board
  • European IT Operations Panel
  • European IT Procurement Panel
  • European IT Risk & Security Panel
  • European IT Controlling and Reporting Panel

54
Responsibilities and Authorities
  • Based upon five authority types (Definition/
    Recommendation, Approval, Execution, Information/
    Involvement, Monitoring and Control)
  • Group CTO
  • Country CEOs
  • Country CTOs
  • Head of European Functional IT Management
  • Group Head of IT Risk & Security

55
Governance Principles per COBIT® process (1)
56
Governance Principles per COBIT® process (2)
57
Decision Matrices
58
Agenda
59
CobiT Maturity Model
The maturity model provided by the CobiT
Management Guidelines for the 34 CobiT IT
processes is becoming an increasingly popular
tool to manage the timeless issue of balancing
risk and control in a cost-effective manner.
60
CobiT Maturity Model
  • The CobiT Maturity Model is an IT governance tool
    used to measure how well developed the management
    processes are with respect to internal controls.
  • The maturity model allows an organisation to
    grade itself from non-existent (0) to optimised
    (5).
  • A fundamental feature of the maturity model is
    that it allows an organisation to measure as-is
    maturity levels, and define to-be maturity levels
    as well as gaps to fill. As a result, an
    organisation can discover practical improvements
    to the system of internal controls of IT.

61
CobiT Maturity Model
  • However, maturity levels are not a goal, but
    rather they are a means to evaluate the adequacy
    of the internal controls with respect to company
    business objectives. It should support, for
    example:
  • Raising awareness
  • Identifying weaknesses
  • Identifying priority improvements

62
Benchmark Approach
  • The most common approach of measuring maturity is
    a multidisciplinary group of people who, in a
    facilitated workshop style, debate and come to a
    consensus as to the enterprise's current level of
    maturity.
  • The principle of not assigning a higher level
    when not all elements of the lower level are
    being applied (threshold approach) should be
    followed wherever possible but one should not be
    too stringent about it.

63
Benchmark Approach
  • Another very pragmatic approach adopted by some
    is to decompose the maturity descriptions into a
    number of statements to which management can
    provide their level of agreement (e.g., "a lot,"
    "largely," "somewhat," "marginally" or "not at
    all").
  • Swiss Life Approach


64
The Method
  • Based on a questionnaire derived from the COBIT®
    Maturity Model
  • Relies on a "scenario" concept.
  • Questionnaire is intended to capture the
    compliance of an IT organisation under
    investigation to the diverse scenarios.
  • An algorithm computes a "compliance" vector that
    describes the compliance of the organisation to
    every scenario.
  • Then, it uses the vector to compute the maturity
    level as a weighted average of the organisation's
    compliance with respect to each scenario.
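
The questionnaire-to-maturity computation sketched in "The Method", together with the statement-agreement scale from the "Benchmark Approach" slide, as an added worked example; this is illustration code, not Swiss Life's or ITGI's own algorithm or questionnaire. It assumes one hypothetical scenario of statements per maturity level 1 to 5, the five agreement levels mapped to scores 0, 0.25, 0.5, 0.75 and 1, scenario compliance as the mean agreement over its statements, and the maturity level as the average of the level numbers weighted by that compliance; all statements and answers are constructed sample data.

```python
"""Worked example: compliance vector and weighted maturity level from a
maturity questionnaire (added illustration, not the presenter's algorithm).

Assumptions: one hypothetical scenario per maturity level 1..5, each a few
statements; answers use the agreement scale quoted in the slides; a scenario's
compliance is the mean agreement over its statements; the maturity level is the
compliance-weighted average of the level numbers. Sample data is constructed.
"""
from typing import Dict, List, Tuple

# Agreement scale from the slides mapped to a 0..1 score (mapping is an assumption)
AGREEMENT = {"not at all": 0.0, "marginally": 0.25, "somewhat": 0.5,
             "largely": 0.75, "a lot": 1.0}

# Hypothetical scenario statements for a project-management process
SCENARIOS: Dict[int, List[str]] = {
    1: ["Projects are run ad hoc by individuals",
        "No standard project approach exists"],
    2: ["A common project approach is emerging",
        "Project status is reported informally"],
    3: ["A documented project methodology is used for all projects",
        "Every project has defined roles, budget and schedule",
        "Project risks are assessed at project start"],
    4: ["Project metrics are collected and compared across projects",
        "Post-implementation reviews feed improvements"],
    5: ["The project portfolio is optimised against business strategy",
        "The methodology is continuously improved with external benchmarks"],
}

# Constructed answers for an organisation that is roughly at level 3
SAMPLE_ANSWERS: Dict[str, str] = {
    "Projects are run ad hoc by individuals": "not at all",
    "No standard project approach exists": "marginally",
    "A common project approach is emerging": "somewhat",
    "Project status is reported informally": "largely",
    "A documented project methodology is used for all projects": "a lot",
    "Every project has defined roles, budget and schedule": "largely",
    "Project risks are assessed at project start": "somewhat",
    "Project metrics are collected and compared across projects": "marginally",
    "Post-implementation reviews feed improvements": "not at all",
    "The project portfolio is optimised against business strategy": "not at all",
    "The methodology is continuously improved with external benchmarks": "not at all",
}


def compliance_vector(scenarios: Dict[int, List[str]],
                      answers: Dict[str, str]) -> Dict[int, float]:
    """Compliance with each scenario: mean agreement score over its statements.
    An unanswered statement scores as 'not at all' so gaps cannot inflate the result."""
    vector = {}
    for level, statements in scenarios.items():
        scores = [AGREEMENT[answers.get(s, "not at all")] for s in statements]
        vector[level] = sum(scores) / len(scores)
    return vector


def maturity_level(vector: Dict[int, float]) -> float:
    """Average of the level numbers weighted by scenario compliance.
    Returns 0.0 (non-existent) when the organisation complies with no scenario."""
    total = sum(vector.values())
    if total == 0:
        return 0.0
    return sum(level * c for level, c in vector.items()) / total


def gap_statements(scenarios: Dict[int, List[str]], answers: Dict[str, str],
                   target_level: int) -> List[Tuple[str, float]]:
    """Statements of the to-be scenario that are not fully agreed, weakest first:
    the 'gap to fill' between as-is and to-be maturity."""
    gaps = [(s, AGREEMENT[answers.get(s, "not at all")]) for s in scenarios[target_level]]
    return sorted((g for g in gaps if g[1] < 1.0), key=lambda g: g[1])


if __name__ == "__main__":
    vec = compliance_vector(SCENARIOS, SAMPLE_ANSWERS)
    print("compliance vector:", {k: round(v, 3) for k, v in vec.items()})
    print("as-is maturity level:", round(maturity_level(vec), 2))
    for statement, score in gap_statements(SCENARIOS, SAMPLE_ANSWERS, 4):
        print(f"to-be level 4 gap: {statement!r} (agreement {score})")
```

With the sample answers the compliance vector is concentrated on levels 2 and 3, so the weighted average lands between them (about 2.5); the gap listing for a to-be level of 4 names the level-4 statements with the lowest agreement, which is the discussion input the "Conclusion" slide refers to.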

65
The Questionnaire
66
The Questionnaire (1)
  • The figure displays an example of how the
    questionnaire statements were derived for the
    maturity model of process PO10 Managing Projects.

67
Compliance Value (2)
68
The Algorithm (2)
69
Total Maturity Level (2)
70
Conclusion
  • Because of its construction criteria, the
    questionnaire is aligned completely with the
    maturity model and fairly detailed with respect
    to the maturity requirements.
  • This will prove useful to support subsequent
    discussions aimed at identifying the key points
    that will enable or prevent the organisation
    from reaching a given maturity level and
    therefore mitigate the existing risks.

71
Agenda
72
Effective IT Governance
  • Is the responsibility of executive management and
    the board of directors
  • protects shareholder value
  • requires that risks are understood and made
    transparent
  • directs and controls IT investment, to leverage
    opportunities, to obtain benefits and to mitigate
    risks
  • aligns IT with the business, accepting IT is
    critical to the enterprise and a component of the
    strategic plan, influencing strategic
    opportunities
  • sustains current operations and prepares for the
    future
  • is an integral part of a global governance
    structure

73
Why should we care?
  • IT is integral and critical to the business
  • Shareholders are holding Boards accountable
  • Boards are holding management responsible
  • An immense shift from tangible to intangible
    assets, the majority of the latter being
    information
  • Boards and management will look for support to
    obtain assurance about the cost, return and risk
    of IT to the business

74
Conclusions
  • IT is an integral part of the business
  • IT governance is an integral part of corporate
    governance

75
For More Information
  • Urs Fischer, CPA (Swiss), CISA, CIA
  • Group Head of IT Risk Mgmt & Security, Vice
    President
  • Swiss Life Group
  • urs.fischer@swisslife.ch