IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago #IIACHI
Governing IT with ITIL and COBIT for Process Excellence
Pam Nigro, CRMA, CISA, CGEIT, CRISC, Manager Operational Assurance
Health Care Service Corporation (a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association)
Agenda
1. IT Governance
2. ITG's Challenges
3. Frameworks
4. HCSC's Journey Begins
5. Measurements and Lessons Learned
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
Warren Buffett, CEO, Berkshire Hathaway
IT Governance
Definition of IT Governance: Choose one…
IT Governance: 3 key pieces to the puzzle (Simple Version)
• What: What IT decisions need to be governed?
• Who: Who is assigned accountability?
• How: How are those decisions governed?
IT Governance is simply the management of risk & compliance.
IT Governance
To open a shop is easy, to keep it open is an art.
Chinese Proverb
Challenges
HCSC ITG's Challenges/Drivers: strategic goals to support key business objectives
1. Ensure Availability & Reliability in ITG Services
2. Reinvest in Technology to Support Growth
3. Allow for Ease of Mergers and Acquisitions
4. Simplify and Standardize ITG Processes
5. Commitment to Regulatory Compliance
Every knowledge worker in modern organization is an "executive" if, by virtue of his position or knowledge, he is responsible for a contribution that materially affects the capacity of the organization to perform and to obtain results.
Peter Drucker in The Effective Executive (1966)
Frameworks
Why Use a Framework? Benefits
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
What is the IT Infrastructure Library? An operational level of service management and the framework
• Financial: What are my IT services?
• Learning & Growth: Are we following best practices for our processes?
• Customer: How do we monitor and measure our services?
• Processes: What are best practices for managing my services?
The IT Infrastructure Library (ITIL)
ITIL Processes: Config Mgmt., Service Level Mgmt., Change Mgmt., Release Mgmt., Knowledge Mgmt., Incident Mgmt., Problem Mgmt., Access Mgmt.
Control Objectives for Information and Related Technologies (COBIT)
• Plan & Organize: the strategy and domain of IT planning
• Acquire & Implement: to realize business goals, IT solutions need to be developed or acquired and integrated into the business process
• Deliver & Support: service delivery, management of security and continuity, service support for users, and management of data
• Monitor & Evaluate: regular assessment of IT processes for quality and compliance with control requirements
Key Questions
Plan & Organize: Are business and IT strategy aligned? Is the business achieving optimum use of its IT resources? Is the quality of IT systems and services appropriate for business needs?
Acquire & Implement: Will the new or revised systems work properly when implemented? Will changes be made without upsetting current business operations?
Deliver & Support: Are IT costs optimized? Is the workforce able to use IT systems productively? Are adequate performance requirements such as security, integrity and availability in place?
Monitor & Evaluate: Can IT performance be measured? Can problems be detected before it is too late? Is independent assurance needed to ensure critical areas are operating as intended?
ITIL v3 and COBIT Alignment: over 75% of ITIL v3 processes map to COBIT 4.1

Description             COBIT      ITIL
Service Desk            DS8        SO1, SO6
Incident Management     DS8        SO4
Problem Management      DS10       SO4
Change Management       AI6, AI7   ST4.2, ST5.1
SDLC Process            PO10       ST3, SD3
Physical Security       DS12       ST3
Operations Management   DS13       SO4, SO5
Release Management      AI7        ST4
HCSC's Journey Begins
"There is nothing more difficult to carry out, nor more doubtful of success or dangerous to handle than to initiate a new order of things."
Niccolò Machiavelli, The Prince
The Process Excellence Program
…A new way for ITG to conduct its business!
Multi-workstream program ensuring:
• Consistent products and services
• Predictable service delivery ("On-Time, On-Budget, and On-Quality")
• Integrated processes across ITG
• Leveraging "best practices" to re-engineer, not "patch" processes
• Customer focused service model
• Organizational and strategic alignment
• Achieve regulatory compliance
Workstreams: Problem, Change, Config, Release, Incident, Operations, SLM, Policy, Risk, Controls
Organizational Challenges and Barriers (diagram plotting barriers by complexity, Low to High)
People: Lack of skills; People refusing to change; Unrealistic customer expectations; Closed culture; Poor governance; Poor leadership; Funding; Low morale; Poor customer perception
Process: Inconsistent processes; Non-integrated processes; Poor process quality
Technology: Fragmented tools; No standards; Custom-made integration; Inappropriate tools
Communicate
• Formal and Informal Communications
• Team Meetings
• Held "Coffee Clutches"
• Developed a slogan: "Put PEP in Your Step"
Training
• Instructor Led
• Classroom
• Webinars
Incentives
IT Process Framework: Establish an IT Process Framework designed to standardize and increase predictability of select ITG processes utilizing industry best practices
Regulatory Compliance: Achieve and exceed compliance with mandated security and controls; establish a COBIT-compliant framework, and assess IT controls
Initial COBIT Maturity Assessment
• Intentionally left blank
ITIL Processes: 3 Key Drivers
Config Mgmt., Service Level Mgmt., Change Mgmt., Release Mgmt., Knowledge Mgmt., Incident Mgmt., Problem Mgmt., Access Mgmt.
Service Level Management
Service Level Agreement (SLA):
• Negotiating the SLA contract
• Clearly document and outline the level of service
• Report to the business and ITG Sr. Management
• Results and operational trend reports can be used to prioritize service improvement activities.
Change Management
Governing IT Changes:
• Change Advisory Board (CAB)
• Production Operations Group (POG)
• Reliability Committee
Release Management (timeline)
2006, Ad Hoc: Multiple tools; multiple source code libraries; multiple release methodologies
2009, Mainframe: CA Endevor; all mainframe source code libraries in Endevor; standard code development lifecycle; standard release methodology
2013, Distributed: Serena Dimensions; distributed source code for financially significant apps; standard code development lifecycle; standard release methodology
Measurements and Lessons Learned
"It is not the strongest among the species that survive nor is it the most intelligent. It is those that are most adaptive to change."
Charles Darwin
Increase in Availability
• Intentionally left blank
Mean Time to Repair (in hours)
• Intentionally left blank
IT General Controls Maturity level
• Intentionally left blank
Initial COBIT Maturity Assessment
• Intentionally left blank
Current COBIT Maturity Assessment
• Intentionally left blank
Lessons Learned: Key Leadership Principles for Creating and Sustaining a Successful IT Governance Culture and Environment
PEP Program (ITIL/COBIT)
• Make Tradeoffs: One size does not fit all. When is enough, enough?
• Proactively Design and Manage: Take smaller steps; avoid over-engineering
• Commitment & Provide the Right Incentives: 30% Process; 70% People
• Assign Ownership & Accountability: Get and keep leadership commitment
IT Governance
Thank you for your attention! Any Questions?
Contact Details
Pam Nigro, CRMA, CISA, CGEIT, CRISC, Manager, Internal Controls and IT Risk
Health Care Service Corporation (HCSC) is a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association operating Blue Cross and Blue Shield of Illinois, Texas, New Mexico, and Oklahoma.
pam_nigro@bcbsil.com
Appendix
- 44 -IIA Chicago Chapter 53rd Annual SeminarApril 15, 2013/ Donald E. Stephens Convention Center © 2013, Health Care Service Corporation, Pam Nigro
Why Implement ITIL? Circle of Perspectives
1. Financial Perspective: Operational excellence focus to drive down costs. Bottom line: IT can "do more, with less"
2. Customer Perspective: Enable a single point of accountability; align internal metrics to reflect IT user experience
3. Business Perspective: Manage increasing IT service complexity; create a common vocabulary for communication
4. Learn & Growth Perspective: Break down organizational silos with process focus; leverage industry accepted "best practices" and do not re-invent the wheel
Control Maturity (People / Process / Technology / Maturity Model)

Level 1 - Unreliable
  People: No Responsibility
  Process: No Policy; No Procedures; Missing Control Design
  Maturity Model: Non Existent

Level 2 - Informal
  People: Informal Responsibility; New Personnel; Non-Routine
  Process: Informal/Ineffective Policy; Informal/Ineffective Procedures; Informal/Ineffective Control Design; Informal/Ineffective Control Activity
  Technology: Manual
  Maturity Model: Initial / Ad-Hoc

Level 3 - Standardized
  People: Formal Responsibility; Adequate Personnel; Routine
  Process: Formal/Effective Policy; Formal/Effective Procedures; Formal/Effective Control Design; Formal/Effective Control Activity
  Technology: Manual
  Maturity Model: Repeatable But Intuitive

Level 4 - Monitored
  People: Limited Automation; Periodic Compliance Testing; Periodic Reporting
  Process: Limited Automation; Periodic Compliance Testing; Periodic Reporting; Periodic Update/Change Improvement
  Technology: Automated
  Maturity Model: Defined Processes

Level 5 - Optimized
  People: Automation; Real-Time Monitoring; Daily Reporting
  Process: Automation; Real-Time Monitoring; Daily Reporting; As Required Update/Change Improvement
  Technology: Automated
  Maturity Model: Managed And Measurable