IT Governance: framework and case study
Presenter: Yaowaluk Chadbunchachai, Advisory Services
Presentation topics
► ERM and IT governance
► IT governance framework
► IT governance assessment
► Case study – Implication of IT governance on internal audit
“We think IT governance needs to be a shared commitment across the business, it’s not something that can be left to the CIO and IT departments. Instead, to be effective, it must be understood and the responsibility shared throughout the business.”
ERM and IT governance
IT Governance Frameworks… Confused??
[Figure: a cloud of overlapping governance, risk and control frameworks]
► ISO9000
► ISO38500
► OCEG
► CMM
► Balanced Score Card
► IT GRC
► ITIL
► SAS 70 / ISAE 3402
► ISO27001
► COBIT
► ISO31000
► COSO IC/ERM
IT GRC Drivers & Objectives
► Most companies have taken a very siloed approach to IT risk management, which creates multiple redundancies and extensive inconsistency in how IT risks are assessed and managed.
► An effective IT GRC program will aggregate the evaluation of IT risks and controls to create a convergence of IT Risk Management activities, which results in greater consistency and efficiency across the IT GRC program and the company as a whole.
[Figure: Common Current State versus Desired Future State]
Common Current State:
► Board oversight split across the audit committee, compensation committee, risk committees and other committees
► Executive management (CEO, CFO, CRO, General Counsel)
► Separate functions: internal audit, risk management, compliance, internal control, information technology, legal and regulatory, external audit
► Business units served individually
Desired Future State:
► External stakeholders – regulators, analysts, investors
► Board/senior management oversight
► Executive management
► Aligned mandate and scope
► Coordinated infrastructure and people
► Consistent methods and practices
► Common information and technology
22 September 2010 Page 6 © Ernst & Young Corporate Services Limited 2010. All Rights Reserved. IT governance: framework and case study
ERM and IT governance
IT Governance Defined
“IT Governance is a set of IT management activities, policies, standards and measures developed to ensure desirable behavior, for the effective, efficient and secure use of technology.”
Ernst & Young
IT Governance Determines
► Who makes decisions (Power)
► How they make them (Decision Process/Rights)
► Why they make them (Alignment)
Key IT Governance Decisions
► Evaluation of business initiatives and risk
► Prioritization of projects
► Allocation of resources and budgets
► Performance measurements
► Allocation of costs and cost measurement methods
► Tracking and reporting mechanisms
► Assessment of value of an IT investment
Without proper governance, an organization is at risk of losing its competitive advantage.
Why is IT Governance necessary?
► Fundamentally, it enables a stronger competitive position due to improved performance, efficiency and effectiveness at all levels of the organization
► Ensures enterprise alignment
► Ensures effective IT processes and delivery
► Ensures effective risk management
► Establishes and deploys the right IT resources and capabilities
► Enables continuous performance improvement
► Underpins legal and regulatory compliance
The Enterprise Agenda for IT
► How does IT impact your business?
► Value – how does IT create value for the enterprise?
► Cost – how does IT help rationalize the overall costs of the business?
► Risk – how does IT help the business manage its overall risk position?
► IT can be a competitive advantage or a corporate hindrance
► We believe that for IT to create a positive impact, there are four “must do’s” for the enterprise relative to IT:
► Align Strategically
► Govern Effectively
► Operate Efficiently
► Measure Performance
[Figure: the four must do’s (Align Strategically, Govern Effectively, Operate Efficiently, Measure Performance) arranged around the objectives Create Value, Rationalize Cost and Manage Risk]
The ITGI Model – Strategic Alignment
Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
[Figure: the five IT Governance Domains of the ITGI model – Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement – with Strategic Alignment highlighted]
► Align IT strategy with enterprise strategy
► Ensure IT delivers against the strategy
► Co-responsibility of business and IT
► Direct IT strategy
► Ensure a culture of openness and collaboration among the business, geographical and functional units of the enterprise
The ITGI Model – Value Delivery
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
[Figure: the ITGI IT Governance Domains with Value Delivery highlighted]
► Appropriate quality, on time and on budget
► Clarify value, educate, involve stakeholders and manage perceptions
► Formal tracking of business value of IT (business requirements & process change)
► Disciplined approach to project management with a larger role for the business
► Technology standardisation
The ITGI Model – Risk Management
Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
[Figure: the ITGI IT Governance Domains with Risk Management highlighted]
► Awareness of IT risks based on proactive and continuous assessment
► Transparency to all stakeholders
► Establishing responsibility and embedding risk management into the organisation
► Risk mitigation can generate cost-efficiencies
► Information security
The ITGI Model – Resource Management
Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
[Figure: the ITGI IT Governance Domains with Resource Management highlighted]
► Inventories of hardware and software
► Practices to train and retain skilled staff
► Clear, consistent and enforced procurement policies
► Standardised and interoperable infrastructure
► Service level management
The ITGI Model – Performance Measurement
Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
[Figure: the ITGI IT Governance Domains with Performance Measurement highlighted]
► Define and monitor measures
► IT Balanced Scorecard as emerging reporting system
► A management reporting system that feeds back into the strategy
► The most effective means to achieve IT and Business alignment
► Enabling effective value measurement (ROI, NPV…)
Assessing IT Governance
Maturity Model (CobiT 4.1)
0 - Non-existent: management processes are not applied at all.
1 - Initial/Ad Hoc: processes are ad hoc and disorganised.
2 - Repeatable but Intuitive: processes follow a regular pattern.
3 - Defined process: processes are documented and communicated.
4 - Managed and Measurable: processes are monitored and measured.
5 - Optimised: best practices are followed and automated.
Assessing IT Governance
Sample Maturity Model for IT Governance (Maturity Model - CobiT 4.1)
IT Governance – Value Delivery
Value Delivery domain areas, each rated on the 0 to 5 scale:
1. IT Direction & Planning
2. Enterprise IT Architecture
3. Value Measurement
4. Project Portfolio Mgt
5. 3rd Party Relationship Mgt
Scale: 0 Non-Existent; 1 Initial/Ad Hoc; 2 Repeatable but Intuitive; 3 Defined process; 4 Managed and Measurable; 5 Optimized
Legend: Current State; Interim Target State; Target State
0 - Processes are non-existent
1 - Processes are ad hoc & disorganized
2 - Processes are repeatable but intuitive
3 - Processes are defined, documented & communicated
4 - Processes are managed & measured
5 - Processes are optimized
Example also in Appendix D (page 48) of Board Briefing on IT Governance booklet
Assessing IT Governance
► Maturity model ranking
► Organizational scorecard to ITGI model
► Gap analysis leading to improvement initiatives
► Uses a scale of 0 through 5 to measure the maturity level of the area being assessed
► Do not assume that the desired state is always 5
► Critical to perform analysis over time, especially as the business changes (e.g. mergers, integrations, etc.)
Example: IT Governance Maturity Assessment Components
Strategic Alignment: ► Role of IT/Definition of IT Value ► Strategic Direction ► Business, IT and Operations Alignment ► Investment Prioritization and Allocation ► Corporate Alignment
Performance Measurement: ► Performance Metrics ► Performance Monitoring ► Quality Improvement ► Continuous Process Improvement ► Scope of Potential Measurement
Resource Management: ► IT Resource & Asset Management ► Infrastructure Management ► Technology Lifecycle Management ► Knowledge Management ► Strategic Sourcing
Risk Management: ► IT & Business Risk Management Alignment ► Integrated IT Risk Management Framework ► IT Risk Oversight
Value Delivery: ► IT Direction and Planning ► Enterprise IT Architecture ► Value Measurement ► Program and Project Management ► Third-Party Relationship Strategy ► Relationship Management
IT Governance Framework: ► Program Mission and Framework ► Program Oversight ► Communication
Maturity Model Scale scores shown for the six components, in the order above: 3.5, 2, 2.5, 4, 3, 1.5
[Figure: IT Governance Maturity Score Distribution – bar chart of ITG, SA, VD, RiM, RM and PM on the 0 to 5 scale]
Legend: 0 Processes are non-existent; 1 Processes are ad-hoc and disorganized; 2 Processes are repeatable but intuitive; 3 Processes are defined, documented and communicated; 4 Processes are managed and measured
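The assessment steps listed under Assessing IT Governance (maturity ranking, gap analysis against a target that is deliberately not always 5, re-assessment over time) and the component scorecard above can be carried out mechanically once the scale is encoded. The following is an added example written for this page, not code from the deck or from Ernst & Young: the six domain names follow the ITGI model on the slides and the level descriptions are the CobiT 4.1 ones quoted above, while every score, target and before/after value is a constructed sample.

```python
"""Maturity-model gap analysis for an IT governance assessment.

Added example, not code from the EY deck. It encodes the CobiT 4.1 0-5
maturity scale quoted on the slides and applies the assessment steps the
deck lists: rank each ITGI domain, compare the current state with an interim
and a final target (not always 5), turn the gaps into a prioritised
improvement backlog, and compare two assessments taken at different times.
Every score, target and before/after value below is a constructed sample.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# CobiT 4.1 generic maturity levels as quoted on the slides.
MATURITY_LEVELS = {
    0: "Non-existent: management processes are not applied at all",
    1: "Initial/Ad Hoc: processes are ad hoc and disorganised",
    2: "Repeatable but Intuitive: processes follow a regular pattern",
    3: "Defined process: processes are documented and communicated",
    4: "Managed and Measurable: processes are monitored and measured",
    5: "Optimised: best practices are followed and automated",
}


@dataclass(frozen=True)
class DomainRating:
    domain: str
    current: float         # assessed maturity on the 0-5 scale (half steps allowed)
    interim_target: float  # next planned state
    target: float          # desired end state; deliberately not always 5


def validation_error(rating: DomainRating) -> Optional[str]:
    """Return a message if a value is off the scale or the targets regress, else None."""
    for name in ("current", "interim_target", "target"):
        value = getattr(rating, name)
        if not 0 <= value <= 5 or value * 2 != int(value * 2):
            return f"{rating.domain}: {name}={value} is not on the 0-5 half-step scale"
    if not rating.current <= rating.interim_target <= rating.target:
        return f"{rating.domain}: current <= interim target <= target must hold"
    return None


def level_label(score: float) -> str:
    """Describe the level a score has fully reached (2.5 has reached level 2, not 3)."""
    return MATURITY_LEVELS[int(score)]


def gap_analysis(ratings):
    """Per-domain gaps, largest gap to target first: the improvement backlog."""
    for rating in ratings:
        problem = validation_error(rating)
        if problem:
            raise ValueError(problem)
    rows = [
        {
            "domain": r.domain,
            "current": r.current,
            "level": level_label(r.current),
            "gap_to_interim": round(r.interim_target - r.current, 1),
            "gap_to_target": round(r.target - r.current, 1),
        }
        for r in ratings
    ]
    # Largest gap first; ties broken alphabetically so the order is stable.
    return sorted(rows, key=lambda row: (-row["gap_to_target"], row["domain"]))


def overall_score(ratings) -> float:
    """Unweighted mean of the current scores: the single number a scorecard reports."""
    return round(mean(r.current for r in ratings), 2)


def score_distribution(ratings):
    """How many domains sit at each level: the deck's 'maturity score distribution'."""
    distribution = {level: 0 for level in MATURITY_LEVELS}
    for r in ratings:
        distribution[int(r.current)] += 1
    return distribution


def progress(before, after):
    """Change per domain between two assessments (before/after an initiative)."""
    earlier = {r.domain: r.current for r in before}
    return {r.domain: round(r.current - earlier[r.domain], 1) for r in after}


# Constructed sample: current state, interim target and target per ITGI domain.
SAMPLE = [
    DomainRating("Strategic Alignment", 3.5, 4.0, 4.0),
    DomainRating("Performance Measurement", 2.0, 3.0, 4.0),
    DomainRating("Resource Management", 2.5, 3.0, 3.0),
    DomainRating("Risk Management", 4.0, 4.0, 4.0),   # already at its target
    DomainRating("Value Delivery", 3.0, 3.5, 4.0),
    DomainRating("IT Governance Framework", 1.5, 2.5, 3.5),
]

# Constructed re-assessment after an initiative aimed at Performance Measurement.
SAMPLE_LATER = [
    DomainRating(r.domain,
                 r.current + (1.0 if r.domain == "Performance Measurement" else 0.0),
                 r.interim_target, r.target)
    for r in SAMPLE
]

if __name__ == "__main__":
    for row in gap_analysis(SAMPLE):
        print(f"{row['domain']:<25} current {row['current']:.1f}  "
              f"to interim {row['gap_to_interim']:+.1f}  to target {row['gap_to_target']:+.1f}")
    print("overall:", overall_score(SAMPLE))
    print("distribution:", score_distribution(SAMPLE))
    print("progress:", progress(SAMPLE, SAMPLE_LATER))
```

The backlog is ordered by gap to the final target rather than by raw score, which is what makes the "desired state is not always 5" point operational: Risk Management sits at 4.0 but generates no initiative because its target is also 4.0, while IT Governance Framework and Performance Measurement, two levels short of target, come first. Running the same functions on a later assessment (the `progress` call) gives the before-and-after measurement the closing slides ask for.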
Example: IT Governance Executive Stakeholder Questionnaire
Degree of Agreement (Max, Average, Min)
Scale: Strongly Agree 5; Agree 4; Undecided/Neutral 3; Disagree 2; Strongly Disagree 1
Strategic Alignment
1 I am informed of the strategy of the business.
2 I understand the technology strategy of the organization.
3 I agree with how projects and initiatives are prioritized.
4 I understand how budgets are agreed upon.
5 Projects are aligned with organizational strategy.
6 Project alignment is periodically reevaluated.
7 IT stakeholders are brought into the project early in the planning phase of the project.
Value Delivery
8 I am realizing the full value of the investment in IT.
9 If and/or when we upgrade software or infrastructure, I believe I have input into the decision.
10 I am aware of the IT charges (and how the IT charges are allocated).
11 The organization formally recognizes and measures the value delivered from a technology-enabled process.
Case study – Implication of IT governance on internal audit
Link risk to IT objectives and processes
[Figure: inherent key IT risks are linked to IT processes, which are linked to IT objectives and strategies; the arrows read “Link risks to IT processes”, “Evaluate management and control activities”, “Link objectives to risks” and “Evaluate the significance of the risk to IT objectives”]
Inherent key IT risks:
► IT Process Duplication and Inefficiencies
► Emerging Technologies
► Technology Direction
► System Disruptions
► Contracts/3rd Party Vendors - Outsourcing
► Records Retention
► Regulatory Compliance
► People Management
► Global Sourcing
► Business Continuity
► Asset and Portfolio Management
► IT Infrastructure Capacity
► IT Security/Privacy
► Financial Reporting
IT processes:
► Guidance and oversight
► Strategic planning
► IT governance and strategy
► Infrastructure and Asset Management
► IT development and design
► Change Management
► Service Level Management
► Production Support
► Problem and incident management
► Project/program management
► IT operations
► Information security and protection
► Customer Support
IT objectives and strategies:
► Deliver superior systems and applications
► Technology enablement to achieve business objectives
► Superior service support and delivery
► Optimize operating efficiency
► Continuity of services
► Protection of information
► Effectively manage security risk
IT Audit (or IT Risk Management) can bring more value to the organization
► Implementing measures for compliance has made organizational change management a key skill of the IT auditor
► The same skills used to facilitate compliance can now be used to facilitate IT Effectiveness
► With the focus over the past five years on financial and compliance risk, strategic and operational risk has been largely ignored
► It is critical for organizations to refresh their IT risk universe to include all IT risks
► We are seeing a significant shift in the charter of IT auditors and a renewed focus on assessing and reducing strategic and operational risk
What is the role of your IT Audit function?
► Is IT Audit focused solely on financial and compliance risk?
► What is needed to take IT Audit to the next level?
► CGEIT Certification
► PMI/CMMI Training
► ITIL Training
► Co-sourcing agreement with knowledge transfer
► How can IT Audit demonstrate more value to the organization?
► Make sure your IT risk assessment process evaluates the impact of all major IT risks, including operational and strategic risks
► Measure the before and after impact of initiatives designed to better manage strategic and operational risks
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve potential.
For more information, please visit www.ey.com.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.