IT Governances

Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT

Upload: jerald-burget

Post on 20-May-2015


Category: Business



DESCRIPTION

Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT. Some thoughts on how IT risk, control, audit and assurance is evolving toward the broader concept of IT governance. Why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business. How it fits in the broader concepts of enterprise governance and how management and boards can address it.

TRANSCRIPT

Page 1: IT Governances

IT Governances

Stewardship is extending to IT as Boards question the depth of their enterprise’s reliance on IT

Page 2: IT Governances

Background

Some thoughts on how IT risk, control, audit and assurance is evolving toward the broader concept of IT governance.

Why IT governance should be on the Board of Directors’ agenda wherever IT is strategic to the business.

How it fits in the broader concepts of enterprise governance and how management and boards can address it.

Page 3: IT Governances

What IT problem?

• Are they doing the right things?
• Are they doing them the right way?
• Are they being done well?
• Are we getting benefits?

Page 4: IT Governances

What does the board do?

IT Governance is the responsibility of the Board of Directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

Page 5: IT Governances

How does management react?

• Cascading strategy and goals
• Organizational alignment
• A control framework
• Balanced business scorecard

Page 6: IT Governances

Agenda

• Stakeholders
• Governance Framework
• IT Alignment & Value Delivery
• Performance Measurement
• Risk Management
• Security
• Conclusions

Page 7: IT Governances

Stakeholders

Stakeholders Apply Pressure

• Shareholders and Executive - Lower cost, higher profitability and increased market share
• Customers and Staff - More functionality at lower cost and greater ease of use
• Society - Greater accountability for officers and executives in both the private and public sectors.

Page 8: IT Governances

What are customers saying?

• Guarantee of delivery
• Customer loyalty
• Ease of use
• Customer service
• Security

Page 9: IT Governances

How about the Regulators?

The Federal Reserve, SEC and now Congress and the Treasury

• The focus is now on operational risks (in which security and IT are significant)
• All major risk issues have been caused by breakdowns in:
  o Internal controls
  o Oversight
  o Information Technology

Page 10: IT Governances

The President’s Commission on Critical Infrastructure Protection

• Concern for extreme dependence of industry on IT
• Two recommendations:
  o Awareness of senior company officers
  o Need to address three technical improvements: Authenticate, Segregate, Make accountable

Page 11: IT Governances

President Obama’s views on IT

• Transparency and Connectedness
• Network Neutrality
• Information Sharing
• Modern Communications Infrastructure
• Modernize Public Safety Networks
• Employ Science, Technology and Innovation to address key issues, particularly in the area of health

Page 12: IT Governances

How about standards?

• Cadbury: “…strengthen internal control…Boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
• Turnbull: “…Board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”
• BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

Page 13: IT Governances

and what does management think?

• “IT has been the longest running disappointment in business in the last 30 years!” - Jack Welch, CoB, GE
• “Technology can help fulfill a visionary dream, but often its use is closer to a sobering nightmare!” - Vesa Vaino, CEO Merita Bank
• “That must be why we are not shipping Windows yet!” (and NT, 2000, XP, Vista, …) - Bill Gates, CEO Microsoft
• Insert your own CoB/BoD/CEO/CIO/CTO’s comments here - ______________________________

Page 14: IT Governances

Why Get Into Governance?

• “Due diligence”
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks

Page 15: IT Governances

Due Diligence

• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and customer information
• Service levels

Page 16: IT Governances

IT Is Critical to Most Businesses

This criticality arises from:
• The increasing dependence on information and the systems/communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• IT failures increasingly impacting reputation and enterprise value
• The potential for technology to change business organizations and practices, create new opportunities and reduce costs
• The risks of doing business in an interconnected world
• The need to build and maintain knowledge essential to sustain and grow the business

Page 17: IT Governances

IT Is Strategic to Most Businesses

If so, wouldn’t you want to know whether your organization’s IT is:
• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognizing opportunities and acting on them?

Page 18: IT Governances

Expectations

• Harness and exploit IT to deliver business value

• Provide fast development, with appropriate quality and with security

• Ascertain that IT investments have a quantitative return and IT does more with less

• Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office


Page 19: IT Governances

Reality

• Business losses, damage to reputation, or a weakened competitive position
• Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
• The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
• Technology that is inadequate for the enterprise or obsolete too soon
• Poor support for the business
• Deadlines that are not met
• Costs that are higher than expected vs. quality and efficiency lower than anticipated

Page 20: IT Governances

Why hasn’t IT received the attention it merits?

• IT requires more technical insight than do other disciplines to understand how it:
  o Enables the enterprise
  o Creates risks
  o Gives rise to opportunities
• IT has traditionally been treated as an entity separate from the business
• IT is complex, and even more so in the extended enterprise operating in a networked (i.e., GLOBAL) economy

Page 21: IT Governances

IT Involves Huge Investments and Risks

• October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.

• August 1997: UK investment managers, Save & Prosper, abandoned a major new IT system, having spent 2 million pounds on its design and implementation.

• 1995: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.

• October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.


Page 22: IT Governances

(Son of) IT Involves Huge Investments and Risks

• Paypal: “Why are there still so many problems with PayPal? I thought that class action lawsuit against it a few years back settled all of this stuff!”
• eBay: Reputation and image deteriorates from both the seller’s and buyer’s perspectives.
• Sept. 2008: Lehman Brothers filed for Chapter 11 bankruptcy protection; the filing marked the largest bankruptcy in U.S. history.
• Dec. 2008: A Federal Judge appointed Irving Picard as Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC (BMIS) pursuant to the Securities Investor Protection Act (SIPA)

Page 23: IT Governances

What Should Boards Do About It?

• Be driven by stakeholder value
• Adopt an IT governance framework
• Ask the right questions
• Focus on IT’s:
  o Alignment with the business
  o Value delivery
  o Risk management
• Measure results

Page 24: IT Governances

Diagram labels: Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement

Page 25: IT Governances

What Should Management Do About It?

• Align IT strategy with business goals
• Cascade strategy and goals down into the organization
• Set up organizational structures that facilitate strategy implementation
• Adopt a control and governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organization
• Focus on important IT processes and core IT competencies
• Measure performance (balanced business scorecard)

Page 26: IT Governances

IT Governance Defined (1)

Responsibility of the board of directors:
• It protects shareholder value
• It ensures risk transparency
• It directs and controls IT investment, opportunity, benefits and risks
• It aligns IT with the business
• It sustains the current operation and prepares for the future
• It’s an integral part of a global governance structure

Page 27: IT Governances

IT Governance Defined (2)

IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the Board of Directors). It consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

Page 28: IT Governances

IT Governance Framework

Diagram (governance cycle): Set measurable goals → Deliver against the goals → Measure performance → Compare results → Act if not aligned

Page 29: IT Governances

IT Governance Framework

Diagram (governance loop): Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare (back to Set Objectives)

IT Activities:
1. Increase automation (make the business effective)
2. Decrease cost (make the enterprise efficient)
3. Manage risks (security, reliability and compliance)

Objectives:
1. IT is aligned with the business
2. IT enables the business and maximizes benefits
3. IT resources are used responsibly
4. IT risks are managed appropriately

Page 30: IT Governances

IT Alignment

Diagram labels: Business Strategy; IT Strategy; Business Operations; IT Operations; Alignment Activities

Page 31: IT Governances

IT Value Delivery

The diagram stacks four layers of business value delivered, from firm-wide IT infrastructure at the bottom to business-unit financials at the top. Its two axes are Time for Business Impact and Degree of Influence (IT Management at the infrastructure end, Business Management at the financial end). Sample measures per layer:

Business Unit Financial
• Revenue growth
• Return on assets
• Revenue per employee

Business Unit Operational
• Time to bring a new product to market
• Sales from new product
• Product or service quality

Business Unit IT Applications
• Implementation time: new application
• Implementation cost: new application

Firm-wide IT Infrastructure
• Infrastructure availability
• Cost per transaction
• Cost per workstation

Page 32: IT Governances

IT Risk Management

The board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the organization
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that risk mitigation can generate cost-efficiencies
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise

Page 33: IT Governances

Risk Management Expands…

• Risk Allocation - contracts, SLAs, etc.
• Risk Mitigation - security & control practices
• Risk Transfer - insurance & liability
• Risk Assurance - audit & certification
• Risk Acceptance - formal, transparent

Page 34: IT Governances

IT Balanced Scorecard

Four perspectives arranged around Information at the centre, each with its own Goals and Measures:

• Financial: Goals / Measures
• Customer: Goals / Measures
• Process: Goals / Measures
• Learning: Goals / Measures

Page 35: IT Governances

Example of IT measures

Financial
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee

Customer
• Level of service delivery up
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels

Process
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors and rework

Learning
• Staff productivity & morale
• # of staff trained in new technologies/services
• Value delivery per employee up
• Increased availability of knowledge systems

Page 36: IT Governances

Scorecard Objectives

• Demonstrate the value added by the IT organization
• Establish a balanced set of measures for determining the effectiveness of the IT organization
• Set guidelines for creating the IT strategic plan and linking it into operational plans
• Communicate and motivate IT performance in key areas as required by the business and its stakeholders
• Establish a framework for IT management reporting

Page 37: IT Governances

Information Security

• Know what questions to ask
• Know what is needed
• Raise the awareness at the top
• Have clarity of purpose
• Measure your performance
• Keep on doing it

Page 38: IT Governances

Samples from CobiT

The following slides, describing IT Security, are examples "borrowed" from the CobiT Framework.

Page 39: IT Governances

Information Security: Some Questions for the Board Room

• Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
• Does anyone know how many computers the company owns? Would management know if some went missing?
• Does anyone know how many people are using the organisation's systems? Does anybody care whether they are allowed or not, or what they are doing?
• Did the company suffer from the latest virus attack? How many did it have last year?
• What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
• Is management concerned that company confidential information can be leaked?
• Has the organisation ever had its network security checked by a third party?
• Is IT security a regular agenda item on IT management meetings?

Page 40: IT Governances

IT Security Requirements

The slide groups the drivers into business drivers and technology drivers.

Business Drivers
• Shorter business cycles
• Need to involve/connect/tie in with more partners
• Network centric business models
• Leverage VPN, remote access, collaborative tools
• Increased dependency on IT
• E-cash, e-commerce, etc.

Technology Drivers
• Internet - UNIX - TCP/IP
• More hackers, more tools
• Open, modular, scalable
• Security a commodity
• Managing networked c/s (client/server) systems

Together these require the enterprise to Manage Risk and to Leverage Opportunities, which in turn raises the security requirements listed on the slide:
• "Provenance" control
• Non-sharable info
• Profiling users
• Trust…

Page 41: IT Governances

IT Security Awareness

How to sell to top management - different styles depending on function:
• FUD (fear, uncertainty and doubt)
• Cost reduction
• Responsibility
• Differentiator

Cost of security

Strategic approach: benchmark - gap analysis - choices

Page 42: IT Governances

Cost of IT Security

Chart: cost of security and control vs. IT budget, plotted against the maturity of the operation. Labels as they appear on the chart, in order:

  5 - 10%     "Cowboy" operation
  20 - 25%    Baseline operation
  45 - 50%    Good practice
  55%         Industry reference site

Also marked on the chart: Cost of noncompliance; Benchmarking; Leadership = driver for change.

Page 43: IT Governances

IT Security Performance (benchmark chart)

The slide scores IT security in six areas, arranged around the two axes Tools & Technology and Process / Policy & Procedures, with Security Management at the centre. Each area carries a weight; the weights sum to 100:

  1. Policies & procedures       10
  2. Security management         10
  3. Human behaviour & culture   20
  4. Application security        20
  5. System access control       20
  6. Network segregation         20

Legend for ranking used (each area is rated 0 - 5):

  5 - Excellent: Best possible, highly integrated
  4 - Very good: Advanced level of practice
  3 - Good: Moderately good level of practice
  2 - Fair: Some effort made to address issues
  1 - Poor: Recognise the issues
  0 - Very poor: Complete lack of good practice

Legend for symbols used:

  • Average of best security performers in the financial industry (begin '96)
  • Company status - Feb '97
  • Company objective for 2001

Chart axes: Policy (x, 1996 - 2001) against IT Security Performance (y, 0 - 100). Values plotted on the chart: 42, 48, 64, 76, 88, 92, 96.
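The benchmark above is a weighted scorecard, and the "benchmark - gap analysis - choices" step on the awareness slide is easiest to see with the arithmetic written out. The following is an added example, not code from the slides or from the CobiT framework. It takes the six areas, their weights and the 0 - 5 ranking legend from the chart; the scoring formula (weight × rating / 5, summed, so 100 means Excellent in every area) is an assumption that merely fits the 0 - 100 scale of the chart, and the status and objective ratings are constructed sample data, not the company figures.

```python
"""Weighted IT-security maturity score and gap analysis.

Added example, not code from the slides or from CobiT. It uses the six
areas, the weights (summing to 100) and the 0-5 ranking legend shown on
the chart; the scoring formula itself is an assumption:
    score = sum(weight * rating / 5)   (so 100 = Excellent everywhere).
The status and objective ratings below are constructed sample data.
"""

MAX_RANK = 5

# Area weights from the slide; they sum to 100.
WEIGHTS = {
    "Policies & procedures": 10,
    "Security management": 10,
    "Human behaviour & culture": 20,
    "Application security": 20,
    "System access control": 20,
    "Network segregation": 20,
}
assert sum(WEIGHTS.values()) == 100

# Ranking legend from the slide.
RANK_LEGEND = {
    0: "Very poor: complete lack of good practice",
    1: "Poor: recognise the issues",
    2: "Fair: some effort made to address issues",
    3: "Good: moderately good level of practice",
    4: "Very good: advanced level of practice",
    5: "Excellent: best possible, highly integrated",
}


def rank_label(rating):
    """Human-readable legend entry for a 0-5 rating."""
    return RANK_LEGEND[rating]


def validate(ratings):
    """Reject incomplete or out-of-range assessments instead of scoring
    them silently (a missing area would otherwise read as a gap of 0)."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError(f"ratings must cover exactly the areas {sorted(WEIGHTS)}")
    for area, rating in ratings.items():
        if not isinstance(rating, int) or not 0 <= rating <= MAX_RANK:
            raise ValueError(f"{area}: rating must be an integer 0-{MAX_RANK}, got {rating!r}")


def score(ratings):
    """Weighted score on the chart's 0-100 scale (assumed formula)."""
    validate(ratings)
    return sum(WEIGHTS[area] * rating / MAX_RANK for area, rating in ratings.items())


def gap_analysis(current, target):
    """Per-area shortfall in score points between status and objective,
    largest first. This is the 'benchmark - gap analysis - choices' step:
    the top rows are where one step of improvement buys the most score."""
    validate(current)
    validate(target)
    rows = []
    for area, weight in WEIGHTS.items():
        delta = target[area] - current[area]
        rows.append({
            "area": area,
            "current": current[area],
            "target": target[area],
            "gap_points": weight * delta / MAX_RANK,
        })
    rows.sort(key=lambda r: (-r["gap_points"], r["area"]))
    return rows


# Constructed sample data (not the company figures from the slide).
STATUS = {
    "Policies & procedures": 3,
    "Security management": 2,
    "Human behaviour & culture": 1,
    "Application security": 2,
    "System access control": 3,
    "Network segregation": 2,
}
OBJECTIVE = {
    "Policies & procedures": 5,
    "Security management": 4,
    "Human behaviour & culture": 4,
    "Application security": 4,
    "System access control": 5,
    "Network segregation": 4,
}

if __name__ == "__main__":
    print(f"status    {score(STATUS):5.1f}")
    print(f"objective {score(OBJECTIVE):5.1f}")
    for row in gap_analysis(STATUS, OBJECTIVE):
        print(f"{row['area']:28s} {row['current']} -> {row['target']}  "
              f"+{row['gap_points']:.0f} pts  ({rank_label(row['current'])})")
```

With the sample data the status scores 42 and the objective 86; the gap table puts Human behaviour & culture first (12 points), because a low rating in a 20-weight area costs more than the same rating in a 10-weight area. That is the point of weighting the areas: the "choices" step is driven by weight × shortfall, not by the raw rating alone. The validation step matters in practice too, since a scorecard that quietly accepts a missing area or an out-of-range rating will report a better score than the organisation has earned.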

Page 44: IT Governances

IT Security is a Continuous Effort

A cycle with Security Management at the centre:

1. Issue security policy
2. Design security defenses
3. Perform active monitoring
4. Perform intrusion testing (and feed the findings back into the policy)

Page 45: IT Governances

IT Governance Summarized

Objectives
• To understand the issues and the strategic importance of IT
• To ensure that the enterprise can sustain its operations and
• To ascertain it can implement the strategies required to extend its activities into the future

Goal
• Ensuring that expectations for IT are met and IT risks are mitigated

Page 46: IT Governances

IT Governance Summarized

Position
• Within broad governance arrangements that cover relationships between the entity's management and its governing body, its owners and its other stakeholders and providing the structure through which:
  o The entity's overall objectives are set
  o The method of attaining those objectives is outlined
  o The manner in which performance will be monitored is described