ITM Governance & Management Controls CANHEIT Overview Presentation - June 2012 Clark Ferguson, CIO, University of Lethbridge

Uploaded by abdalla, 25-Feb-2016

TRANSCRIPT

Page 1: ITM Governance & Management Controls

ITM Governance & Management Controls

CANHEIT Overview Presentation - June 2012

Clark Ferguson, CIO, University of Lethbridge

Page 2: Agenda

Program Overview

Implementation Overview

Section 1 – Foundation Elements

Section 2 – Strategic Alignment

Section 3 – Risk Management

Section 4 – Value Delivery: IT Financial Management

Section 5 – Value Delivery: IT Human Resources Management

Section 6 – Value Delivery: IT Service Management

Wrap Up

Page 3: Program Overview

Governance & Management Controls Overview Session

Page 4: Program

Alberta … Post secondary sector … Information & Technology Management … Control Framework Program

Page 5: Introduction

• Provincial Office of the Auditor General increasing attention to governance & management controls across public sector
• Alberta Advanced Education & Technology (AET) initiated program and enlisted support of post secondary leaders
• Recognition that all post secondary institutions would need to comply
• Quality of institutional systems would vary based on size of institution and capacity to allocate scarce resources
• Province-wide program with contributions by AET & institutions
• Leveraged program management and specialized consultants to harvest industry and institutional best practices

Page 6: Achievements

• 26 post secondary institutions (all but 1 or 2) engaged
• 2 years of projects have been successfully completed, with 1 project rescheduled due to quality problems
• Significant involvement of business leaders and IT experts in projects
• Team approach, high quality project deliverables, and strong communications & training have led to rapid adoption

Page 7: Lessons Learned

• Dedicated program management and expert project consultants freed participating institutions to focus on contribution
• Governance and approval of project and program materials tricky, but with minor rework a successful process was achieved
• Procurement process to contract project experts and careful oversight of their work extremely important
• Joint approach has yielded very high quality deliverables and commitment amongst institutions to share best practices

Page 8: Business Drivers

• Rising expectations regarding organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Need to meet regulatory requirements
• Significance of selection of service provider & management of outsourcing
• Increasingly complex risk associated with information management & related technology
• Need to optimize costs by following standards and best practices
• Growing maturity and acceptance of frameworks and standards
• Need for assessment against standards and peer organizations

Page 9: There are 5 Points Really!

1. Proper Governance
2. Strategic Alignment
3. Value Realization
4. Risk Management
5. Resource Optimization

Page 10: Initiated a Program to…

Collaboratively develop a system-wide control framework for managing information and related technology that will assist with the implementation of strategic priorities, policies and principles through:
◦ Common best practice controls that are modifiable, scalable and implementable
◦ A shared content management system that will foster ongoing collaboration and effectively manage the control life cycle

Page 11: Standards

Diagram: sources feeding the ITM Control Framework: Legislation, COBIT, ISO 2700x, PMBOK, ITIL. Axis labels on the slide: WHAT / HOW and SCOPE OF COVERAGE.

Page 12: Translating Theory into Reality!

Page 13: Post-Secondary System ITM Control Framework

Program Design timeline (slide legend: Complete / In progress)

Year 1 (2010)
◦ Control Framework & Policies Project (June 2010)
◦ Change Management Project (October 2010)
◦ Privacy Project (November 2010)
◦ Governance Project (April 2011)
◦ Content Mgmt. System Project (April 2012)

Year 2 (2011)
◦ Information & Technical Management (December 2011)
◦ Identity Management & Information Security (December 2011)
◦ Enterprise Architecture (Resched. to Yr 3)

Year 3 (2012)
◦ Information Management (February 2013)
◦ Technology Management (February 2013)
◦ Enterprise Architecture (February 2013)

Year 4 (2013)
◦ Information Management ... Continued (August 2013)
◦ Wrap-up Project (December 2013)

Page 14: Participation

• Volunteers from the Institutions
• Program designed to provide opportunity to volunteer:
◦ Working Group = 6-12 hours/month
◦ Key Stakeholders = 2-4 hours/month
◦ Project Steering Committee = 2 hours/month
• Composition impacts legitimacy of deliverables
• Committed participants who see the bigger picture

Page 15: Collaboration Benefits

• PSS expert body of knowledge
• Relationships
• Synergy
• Sharing and capture of knowledge
• Bleeding edge
• Ongoing support
• Common foundation for future opportunities

Page 16: Moving Forward (aka implementation)

• Look at the framework as a whole
• Determine what pieces you need and how ‘deep’ you want to go in each area
• Know your capabilities, capacity, current maturity, resource availability
• Be realistic in your planning
• Assign dedicated people to manage, communicate, train and assist with organizational change
• Don’t underestimate the commitment that's required
• Don’t forget to collaborate
• Keep your eye on the end game

Page 17: U of L Status

Program: Two business and 3 IT participants in the program work

Section 1 – Foundation Elements: ITM Control Framework leader assigned; ITM policy approved by the Board in May 2012

Section 2 – Strategic Alignment: Developing Fiscal 2014 budget in conjunction with University Strategic alignment

Section 3 – Risk Management: Initiated PCI improvement program; Planning external review of IT Security

Section 4 – Financial Management: Strengthening portfolio management; Developing a consolidated view of full IT spend

Section 5 – HR Management: Conducting key skills review and gap analysis

Section 6 – IT Services Management: Documenting service portfolio; Establishing business relationship management processes

Page 18: Implementation Overview

Governance & Management Controls Overview Session

Page 19: Alignment Map

Page 20: Controls Summary

ITM Governance & Management Controls (64)
• Foundation Pieces (17)
• Strategic Alignment (4)
• Risk Management (8)
• Financial Management (6)
• Service Management (26)
• Human Resources Management (3)

Page 21: Development of Controls

• Cobit 4.1
◦ Risk IT
◦ Val IT
• ITIL
◦ Service Strategy
◦ Service Design
◦ Continual Service Improvement
• ISO/IEC 20000, ISO 31000
• Web research

Controls derived through ~3,000 hours of synthesis, discussion and adaptation to the post-secondary environment

Page 22: ITM Control Framework – Implementation Lifecycle

Identify Drivers → Assess Current State → Define Desired Future State → Develop Plan → Execute Plan → Measure Results → Sustain Momentum

Use of maturity models (next slide)

Page 23: Cobit Maturity Scale

1. Initial/Ad Hoc
2. Repeatable but Intuitive
3. Defined Process
4. Managed and Measurable
5. Optimized

Program Objective: To increase the maturity level of all participating Institutions to a COBIT Maturity Level 3 by June 2014 in the areas where the controls have been implemented within the Institution.

Page 24: Section 1 – Foundation Elements

Governance & Management Controls Overview Session

Page 25: Key Concepts
Foundation Pieces (17)

• An ITM control framework is a critical part of every institution’s internal control program to mitigate risks and ensure:
◦ Management understands ITM’s role and relevance in the organization
◦ Alignment of investment with the institution mandate and strategic direction
◦ Value delivery
◦ Compliance with external requirements
◦ Continuous improvement re: ITM processes
• It is the responsibility of the Board of Governors & executive management to communicate ITM investment objectives and expectations re: control environment and to provide training
• Planning and adequate resourcing are essential

Page 26: ITM Governance Questions
Foundation Pieces (17)

• Are we doing the right things? – The strategic question
• Are we doing them the right way? – The architecture question
• Are we getting them done well? – The delivery question
• Are we getting the benefits? – The value question

Page 27: Roles & Responsibilities
Foundation Pieces (17)

Organization Role | Responsibility

Board of Governors
• Oversight regarding strategic alignment, risk management and value delivery of ITM

Executive Committee
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: ITM controls

ITM Steering Committee
• Approval of ITM Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes

CIO
• Overall development and implementation of the control environment
• Reporting on progress/results

Business Managers
• Input to development of the control environment
• Responsibility for operation of many controls

Page 28: Lifecycle Management of Controls
Foundation Pieces (17)

• Institution needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
• Comprehensive procedure required for:
◦ Identifying externally generated requirements in a timely manner
◦ Identifying internally generated requirements
◦ Escalating and resolving issues identified through implementation/operation of the ITM Control Framework
• Framework needs to be regularly reviewed
◦ Internal audit
◦ Periodic 3rd party reviews
• Provide for approved and documented exceptions to compliance with controls

Page 29: Section 2 – Strategic Alignment

Governance & Management Controls Overview Session

Page 30: Key Concepts
Strategic Alignment (4)

• Strategic ITM Plan is an integral element of the comprehensive institution plan… not an afterthought!
• Performance is measured using an ITM Balanced Scorecard
• ITM investments should be managed across the institution in portfolios
• Outcomes
◦ Alignment of business, ITM and risk management objectives
◦ Organization, services, application portfolios, technologies, competencies, processes & methodologies are in place to maximize ITM contribution
◦ Bi-directional education & involvement in ITM and business planning
◦ Regular assessment re: ITM contribution to business objectives
◦ Roadmap for addressing future needs

Page 31: Critical Success Factors
Strategic Alignment (4)

• Clearly articulated institutional vision and priorities
• Planning is considered important and closely linked to institutional budget
• ITM plan is published
◦ Formal communication strategy specific to ITM stakeholders developed with communication strategy for comprehensive institution plan
• ITM governance practices are seen to be effective
◦ Close relationships between ITM and non-ITM organizations and staff
◦ Informal and formal
◦ Communication with and involvement of key constituents, especially faculty and deans

Page 32: Strategic Alignment (4)

Diagram: Comprehensive Institution Plan, made up of Strategic Priorities; Goals & Expected Outcomes; Performance Measures; Financial Plan; ITM Plan; Capital Plan; Institutional Access Plan; Institutional Research Plan.

ITM planning steps shown on the slide:
1. Plan to Plan (Purpose, Process, Scope)
2. Assess Current ITM capability & performance
3. Describe Desired ITM Future
4. Conduct Gap Analysis
5. Articulate Goals, Objectives, Strategies & Measures
6. Develop Business Cases for Individual Initiatives
7. Categorize by Portfolio and Prioritize
8. Adjust Plan as Required

Page 33: ITM Planning in Context
Strategic Alignment (4)

Diagram (COBIT-style planning cascade): Comprehensive Institution Plan → Business Goals for IT → IT Goals → Enterprise Architecture / Balanced Scorecard. Governance Requirements and Business Requirements are shown alongside Information Services and the Information Criteria*. The resource and process layer shows Information, IT Processes, Applications and Infrastructure & People, connected by the edge labels deliver, run, need, require, influence and imply.

* effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

Page 34: Section 3 – Risk Management

Governance & Management Controls Overview Session

Page 35: Key Concepts
Risk Mgmt. (8)

• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of ITM-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
◦ Board members and senior executives who need to set direction & monitor risk at the enterprise level
◦ Managers of ITM and business departments who define risk management processes
◦ Risk management professionals
◦ External stakeholders

Page 36: ITM Risk Categories
Risk Mgmt. (8)

• ITM benefit risk
◦ Missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives
• IT program and project delivery risk
◦ Failure to realize the expected contribution of ITM to new or improved business solutions
• IT operations and service delivery risk
◦ Where performance of IT systems and services does not meet service level expectations

Page 37: Risk Mgmt. Principles
Risk Mgmt. (8)

• ITM risk management always connects to business objectives
◦ Focus is on the business outcome
• ITM risk governance aligns the management of ITM-related risk with overall ERM
• ITM governance should balance the costs and benefits of managing ITM risk
• There should be open communication regarding ITM risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• ITM risk management is continuously improved

Page 38: ITM Risk Management Framework
Risk Mgmt. (8)

Diagram: three domains arranged around Business Objectives, linked by Communication.

Risk Governance – Ensure ITM risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
• Establish & Maintain a Common Risk View
• Integrate with ERM
• Make Risk-Aware Business Decisions

Risk Evaluation – Ensure ITM-related risks and opportunities are identified, analyzed and presented in business terms.
• Collect Data
• Analyze Risk
• Maintain Risk Profile

Risk Response – Ensure ITM-related risk issues, opportunities and events are addressed in a cost-effective manner, in line with business priorities.
• Articulate Risk
• Manage Risk
• React to Events

Page 39: Risk Appetite
Risk Mgmt. (8)

• Risk appetite
◦ Amount of risk the institution is willing to accept in pursuit of its mission: “What level of risk are we comfortable living with?”
◦ Provides context for analysis and response to individual risks by management
◦ Defined/approved by the Board of Governors in terms of frequency and impact
• No absolute norm or standard of what constitutes acceptable risk
◦ Should be clearly communicated to stakeholders and staff through policies and standards
• Consider objective capacity to absorb loss & management culture

Page 40: Scoping ITM Risk Management Activities
Risk Mgmt. (8)

ITM Risk Management Scoping Based on Risk Assessment Results

Very High
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Quarterly detailed reporting on risk profile
• ...

High
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Semi-annual detailed reporting on risk profile
• ...

Medium
• Detailed scenario development for analysis
• Self-assessment and review
• Yearly update and quarterly summary reporting
• ...

Low
• Self-assessment and review
• Generic scenarios
• Less frequent reporting
• ...

Page 41: Section 4 – Value Delivery: ITM Financial Management

Governance & Management Controls Overview Session

Page 42: Key Concepts
Financial Management (6)

• Institution must establish a financial management framework for information and related technology
◦ Approved by the ITM Steering Committee
◦ CIO accountable to the ITM Steering Committee for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
◦ Should be formally evaluated based on schedule determined by ITM Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
• 3 main elements:
◦ ITM budget management, portfolio mgmt. and cost/benefit management

Page 43: ITM Financial Mgmt. as Process
Financial Management (6)

Diagram: Inputs → Financial Management Framework → Outputs

Inputs: Comprehensive Institution Plan; Enterprise Architecture; Information Security Plan; Strategic ITM Plan; ITM Tactical Plans; Budget

Outputs: Actual Expenditures vs. Budget Reports; Updated portfolios; Accountability & Transparency re: Value Contribution & TCO through Cost/Benefit Reports

Page 44: ITM Financial Mgmt. Framework
Financial Management (6)

Diagram elements: ITM Governance; Financial Management Framework, comprising Business Case Development & Use, ITM Budget Management, Cost/Benefit Management and Portfolio Management; Investment Prioritization within Portfolios across the asset portfolios: Application Assets + Infrastructure Assets + Information Assets + People Assets + Process Assets + Service Assets.

Page 45: Budget Management – High-Level Process Elements
Financial Management (6)

1. Define strategic business objectives and determine high-level budget envelopes
2. Develop ITM budget
3. Monitor and report on actual results
4. Develop ITM budget recommendations

Page 46: Portfolio Management – High-Level Process Elements
Financial Management (6)

1. Define portfolios and sub-categories
2. Determine the investment ‘weight’ of each portfolio or sub-category
3. Develop and use ITM business cases for ITM investment
4. Prioritize investments within portfolios
5. Identify HR needs across portfolios
6. Review and report on project, program and portfolio performance

Page 47: Section 5 – Value Delivery: Human Resources Management

Governance & Management Controls Overview Session

Page 48: Key Concepts
Human Resources Management (3)

• Processes for the management of IT human resources are an essential part of an ITM Control Framework
• CIO (not HR) is responsible for ensuring the institution has an ITM workforce with the skills necessary to achieve organizational and ITM goals
• Main tasks:
◦ Define, monitor and supervise execution of ITM roles & responsibilities
◦ Provide appropriate and sufficient training (technical, internal control and security)
◦ Minimize dependency on key staff
◦ Ensure compliance with organizational policies
◦ Report to the ITM Steering Committee on key issues

Page 49: Why ITM HR Mgmt. is Important
Human Resources Management (3)

• Labour costs 30% - 60% of the ITM budget
• Quality of ITM personnel has enormous impact on effectiveness of the service provider organization, end-user satisfaction, optimizing value and proactive use of technology
• Market for highly proficient IT resources is competitive and will get more so – hiring and retaining the best resources will continue to be a critical success factor for the CIO
• Unique aspects to management of IT professionals (pool characteristics, diverse career expectations, training requirements) exacerbate the need for involvement of ITM managers
• Turnover costs are enormous (e.g., 1 – 2 times annual salary)

Page 50: HR Management as Process
Human Resources Management (3)

Diagram: Inputs → IT Human Resource Management → Outputs

Inputs: Integrated Governance Structure; ITM Organization Chart; ITM Strategic & Tactical Plans; ITM Budget; Business Requirements

Outputs: IT HR policy and procedures; IT skills matrix; Job descriptions; Staff skills and competencies, including individual training logs; Training plans

Page 51: IT Human Resources Life Cycle
Human Resources Management (3)

Start → Determine Personnel Needs → Sourcing → Interviewing → Hiring → Managing

Determine Personnel Needs
• Develop organization chart
• Perform swap analysis & identify personnel gaps
• Determine staffing strategy – contract, permanent, contract-to-hire
• Create final hiring plan

Sourcing
• Permanent & contract candidate sourcing
• Additional screening for permanent hires
• Recruiting funnel
• Working with agencies & technical recruiters

Interviewing
• Interviewing techniques
• Interview team
• Best practices for conducting interviews
• High-volume interviewing
• Interviewing contractors

Hiring
• Finalizing an offer decision
• Checking references
• Ramping up new hires quickly

Managing
• 10% attrition model
• IT staff career development
• Key drivers of staff retention
• Compensation
• Handling layoffs
• Management coaching
• Creating performance plans

Page 52: Section 6 – Value Delivery: IT Service Management

Governance & Management Controls Overview Session

Page 53: Key Concept
Service Management (26)

“The idea of strategic assets is important in the context of good practice in service management. It encourages IT organizations to think of investments in service management in the same way businesses think of investing in production systems, distribution networks, R&D laboratories.

Strategic assets provide the basis for core competence, distinctive performance, durable advantage and qualifications to participate in business opportunities. IT organizations can transform their service management capabilities into strategic assets.”

- ITIL Service Strategy, OGC, 2011

Page 54: Service Lifecycle

• Service Strategy – Envisioning & conceptualizing the set of services required to achieve business objectives
• Service Design – Designing the services to meet utility & warranty objectives
• Service Transition – Moving services into live production
• Service Operation – Managing services to ensure utility & warranty objectives are achieved
• Continual Service Improvement – Evaluating services & identifying ways to improve their utility & warranty in support of business objectives

Page 55: ITSM Framework

Service Strategy
• Strategy Management
• Service Portfolio Management
• Financial Mgmt. for IT Services
• Service Demand Management
• Business Relationship Mgmt.

Service Design
• Identify Business Requirements & Drivers
• Define Services & Develop Service Catalogue
• Educate & Train Users

Service Level Management
• Develop SLA Framework, SLAs & OLAs
• Monitor Service Performance & Produce Service Reports
• Review Service, Instigate Improvements & Update SLAs/OLAs

Supplier Management
• Develop & Align Procurement Controls & Select Suppliers
• Develop/Manage Contracts & Relationships & Protect Enterprise Interests
• Monitor Supplier Performance

Service Continuity
• Develop Service Continuity Framework
• Develop & Maintain Continuity Plans
• Test Continuity Plans
• Provide Training on ITM Continuity Plans
• Review Plan Effectiveness

Page 56: ITSM Standard Elements
Service Management (26)

ITSM Framework Element | Description

IT Service Strategy: Defining a strategy to deliver services to meet the institution’s business outcomes

IT Service Design: Procedures for determining, documenting and agreeing upon requirements for new services and documenting in a service catalogue

Service Level Mgmt.: Defining SLAs based on customer requirements and IT capabilities, service metrics, roles & responsibilities

Supplier Mgmt.: Aligning procurement controls with those of the institution, identification & categorization of supplier relationships, developing and managing contracts, protecting IP & monitoring performance

Service Continuity: Developing a service continuity framework consistent with institution business continuity

Page 57: Wrap Up

Questions?