Building Acceptance & Governance of Enterprise IT ISACA Edmonton Chapter – March 8, 2012


AGENDA

• The ‘Pitch’
• Setting the stage
  – Enterprise governance: Then and Now
  – The Auditor General is our friend
  – Progress in Alberta’s post-secondary sector
• Key concepts
• Implementation
• Discussion

THE PITCH

To Begin…

All organizations, public and private, large or small, are facing a paradigm shift with respect to the governance and management of information and related technology.

Catch-22

• a situation in which a desired outcome or solution is impossible to attain because of a set of inherently illogical rules or conditions;

• circular logic that prevents resolution of a problem;

• an unsolvable logical dilemma


Today’s Thesis (‘What’)

• IT is a critical enabler of most organizations & requires a special governance focus

• Effective governance & management of IT on an enterprise basis requires engagement of the Board of Directors & executive management

• Most Boards/executive teams remain largely unaware of their responsibilities re: enterprise IT, the inherent risks or potential rewards, or the existence of relevant standards and best practices


‘So What’

• IT investments are often not aligned with the organization’s strategic objectives

• IT-related risks are not appropriately managed

• The enterprise does not optimize the value of its investment in IT

How Did We Get Here?

• Talking to the wrong audiences
  – Auditors
  – Records managers
  – IT folks
  – Risk managers
• Pushing the ‘wrong’ message
• Normal resistance to new roles/expectations
• Implementation issues once we do get started

About the Message

“Alberta Government needs to better identify and mitigate IT risks. Government departments as a whole need to do a better job identifying risks to their systems and data. Then they need to implement well-designed, efficient, and effective IT controls to mitigate these risks and provide secure services and programs to Albertans.”

– Auditor General, April 2008

SETTING THE STAGE

In a Galaxy Far, Far Away (Really?)

• Executives had no desktops
• No discussion at Executive table re: IM/IT
• No IT performance measures; little or no reporting
• No IM framework
• No enterprise IT steering committee
• Major gaps in IT functionality
• Ad hoc HR planning for IT
• No IT business cases
• No position description for CIO
• No IT strategic plan; MANY IT projects
• Acute dissatisfaction re: IT service levels
• No discussion re: IT-related risks
• IT projects with no ‘business’ owners
• No IT-service continuity plan
• No portfolio management
• Inadequate end-user training
• Rudimentary supplier management practices


Do These Scenarios Sound Familiar?

• Million-dollar projects, which may or may not match the company’s objectives, are awarded to business units headed by the squeakiest executives

• Weak IT governance structures mean that business executives don’t have clear ideas of what they’re approving and why

• The CIO ends up selling projects that should be generated and sold by line-of-business heads

• The company doesn’t build good business cases for IT projects or it doesn’t do them at all

• There are redundant projects(1).

(1) Todd Datz, CIO Magazine, 2003

New (and Old) Business Drivers for IT Governance

• Rising expectations for organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Regulatory requirements
• Significance of selection of service provider & management of outsourcing to organizational effectiveness
• Increasingly complex IM/IT risk
• Need for assessment against standards and peer organizations
• Growing maturity and acceptance of frameworks and standards

Rx: IT Control Frameworks

“Implementing good IT governance is almost impossible without engaging an effective governance framework.”

- ISACA 2009

Benefits

• Helps organizations:

– Better align their IT activities to their business needs

– Ensure that management understands IT’s role and relevance in the organization

– Fulfill their responsibilities for a sound internal control environment & demonstrate progress to regulators, business partners & external stakeholders

– Ensure that Boards/management can meet their quality, fiduciary & security requirements

– Clarify ownership, responsibilities and accountabilities for information and related technology

Alberta’s AG Weighs In…

“We recommend that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective.”

- April 2008 Auditor General’s Report

Alberta PSS ITM Control Framework Program

• Collaboratively develop a system-wide control framework for managing information and related technology
• Common best practice controls that are modifiable, scalable and implementable
• A shared content management system to enable ongoing collaboration and effectively manage the control life cycle

Can’t We Just Implement CoBIT?

[Diagram: scope of coverage of the IM/IT Control Framework (WHAT and HOW), drawing on Legislation, COBIT, ISO, PMBOK, ITIL, BABOK, TOGAF and IM industry best practices]

Source: ISACA & Alberta PSS ITM Control Framework Program

Alignment Map

Governance & Management Policy

The Institution manages its information and related technology assets and services through effective governance structures and processes that provide leadership, accountability and transparency and engage key stakeholders to support the achievement of positive outcomes and facilitate strategic oversight and decision making.

Controls

WHAT needs to be controlled: COBIT, legislation, ITIL, ISO

HOW (Project Deliverables): Procedures, Structures, Guidelines, Standards; examples from client or other organizations, & best practices

Controls Summary

IT Governance & Management Controls (64)
– Foundation Pieces (17)
– Strategic Alignment (4)
– Risk Management (8)
– Financial Management (6)
– Service Management (26)
– Human Resources Management (3)

KEY CONCEPTS

Integrated Governance Structure

[Org chart: Board of Governors, with Board Committees (Audit & Finance, HR, Risk Mgmt., ITM (1)) and Academic Council; President; Provost (VP Academic), VP Research, VP University Services, VP Finance & Admin, VP Student Services, CIO (2)(3); Executive Committee; Deans; ITM Steering Committee with the Chief Technology Officer; Technology Committee (4), Architecture Review Committee (4), Change Advisory Board (4); Portfolio Oversight (4) with Portfolio Mgmt. Committees for Portfolios 1, 2, 3 … n; Project Oversight (5); Programs]

(1) Institution may address responsibilities through a special purpose committee, through existing committees or in plenary
(2) Depending on institution, CIO may not sit as a member of the executive team, but must sit as a full member of the ITM Steering Committee
(3) CIO sits ex officio on Board ITM Committee and/or in Board discussions of ITM
(4) Depending on size/complexity of ITM activities
(5) Project governance and fit within ITM governance as per Business Case

High-level Roles & Responsibilities

Organization Role / Responsibility

Board
• Oversight regarding strategic alignment, risk management and value delivery of IT

Executive Committee
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: IT controls

IT Steering Committee
• Approval of IT Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes

CIO
• Overall development and implementation of the control environment
• Reporting on progress/results

Business Managers
• Input to development of the control environment
• Responsibility for operation of many controls

More about Boards

Have a fiduciary(1) responsibility to ensure the organization’s information resources and related technology are managed to support and enable the organization’s strategic plan

(1) Specifically, a legal or ethical relationship of confidence or trust regarding the management of money or property

How Do They Do This?

• Making sure information and IT are on the Board agenda
• Asking the right questions about management’s activities
• Helping management align IT initiatives with the institution’s strategic direction
• Ensuring it understands the potential impact of information and IT-related risk
• Requiring that IT performance be measured and reported through a balanced scorecard or similar mechanism
• Requiring that the organization implement an ITM control framework
• Monitoring the contribution of ITM to the institution

Key CIO Responsibilities

• Work with Executive Committee to obtain a clear understanding of the institution’s strategic and business objectives
• Create a vision for information management and technology in the future and sell it
• Implement information systems architecture that supports the institution’s comprehensive business plan
• Establish credibility of the IT Management Department
  – Work with business units through the IT Steering Committee to establish standards and service levels
  – Ensure these are met or exceeded
• Increase the technical maturity of the organization

Not Your Father’s CIO

“One of the primary differences between today's CIOs and the previous generation of IT leaders is the idea of transformational change. Thirty years ago, nobody seriously believed that IT would be called upon to lead enormous transformational efforts affecting every aspect of a global enterprise. Today, in addition to making sure that IT runs smoothly, the CIO is expected to provide strategic leadership and high-level guidance. That is a big difference indeed.”

- The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras

Lifecycle Management of IT Controls

• Organization needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
• Comprehensive procedure required for:
  – Identifying externally generated requirements in a timely manner
  – Identifying internally generated requirements
  – Escalating and resolving issues identified through implementation/operation of the IT Control Framework
• Framework needs to be regularly reviewed
  – Internal audit
  – Periodic 3rd party reviews
• Provide for approved and documented exceptions to compliance with controls

Strategic Alignment

• Strategic IT Plan is an integral element of the organization’s strategic plan… not an afterthought!
  – Clearly articulated organization mission, vision and priorities
  – Planning is considered important and closely linked to organization budget
  – Strategic IT plan is published
  – Formal communication strategy specific to IT stakeholders developed
  – Performance is measured using an IT Balanced Scorecard
• IT investments should be managed across the organization in portfolios

Risk Management

• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of IT-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
  – Board members and senior executives who need to set direction & monitor risk at the enterprise level
  – Managers of IT and business departments who define risk management processes
  – Risk management professionals
  – External stakeholders

Risk Management Principles

• IT risk management always connects to business objectives; focus is on the business outcome
• IT risk governance aligns the management of IT-related risk with overall ERM
• IT governance should balance the costs and benefits of managing IT risk
• There should be open communication regarding IT risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• IT risk management is continuously improved

Financial Management

• Institution must establish a financial management framework for information and related technology
  – Approved by the IT Steering Committee
  – CIO responsible for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
  – Should be formally evaluated based on schedule determined by IT Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology

What is Service Mgmt.?

“Service management is a set of specialized organizational capabilities for providing value to customers in the form of services.(1) These capabilities take the form of functions and processes for managing services over their lifecycle.”

(1) ITIL, Office of Government Commerce, 2007

Service Lifecycle

• Service Strategy – Envisioning & conceptualizing the set of services required to achieve business objectives
• Service Design – Designing the services to meet utility & warranty objectives
• Service Transition – Moving services into live production
• Service Operation – Managing services to ensure utility & warranty objectives are achieved
• Continual Service Improvement – Evaluating services & identifying ways to improve their utility & warranty in support of business objectives

Human Resources Management

• Processes for the management of IT human resources are an essential part of an IT Control Framework
• CIO (not HR) is responsible for ensuring the institution has an IT workforce with the skills necessary to achieve organizational and IT goals
• Main tasks:
  – Define, monitor and supervise execution of IT roles & responsibilities
  – Provide appropriate and sufficient training (technical, internal control and security)
  – Minimize dependency on key staff
  – Ensure compliance with organizational policies
  – Report to the IT Steering Committee on key issues

IMPLEMENTATION

IT Control Framework – Implementation Lifecycle

1. Create Awareness
2. Assess Current State
3. Define Desired Future State
4. Develop Plan
5. Execute Plan
6. Measure Results
7. Sustain Momentum

Use of maturity models

Implementation Challenges

Phase / Challenge

Create awareness
• Lack of senior management buy-in
• Lack of enterprise policy & decision making structures

Assess current state
• Cost of improvements outweighs perceived benefits
• Lack of trust/good relationships between IT & business units

Define future state
• Scarcity of good ‘role models’

Develop plan
• Resistance to change
• Defining the ‘critical path’
• Failure to consider corporate culture & capacity

Execute plan
• Trying to do too much at once
• Lack of appropriate skills
• Underestimating the level of effort required

Measure results
• Starting out with too many performance measures
• Too much complexity, precision
• Lack of balance between ‘performance driver’ & ‘outcome’ measures

Sustain momentum
• IT governance ‘fatigue’
• Difficulty in proving benefits

Critical Success Factors

1. Identify a champion
2. Shared understanding and vision
   – Not implementing CoBIT, but improvements to how it governs & manages the IT contribution to the enterprise
   – Tailor to fit the organization
3. Use the CoBIT umbrella but incorporate other standards as required
4. Ensure IT governance is integrated with enterprise governance
5. Stay focused
   – It’s a journey, not a destination
   – Recognize and celebrate progress