rp_it consulting and audit_121116_17_v1.0
TRANSCRIPT
Testing, evaluation and auditing of information systems
IT Consulting and IT Audit best practices
Index and Content
• DEFINITIONS
• CONSULTING AND THE MARKETSHARE
• ICT MANAGEMENT CONSULTING
• IT GOVERNANCE
• IT SERVICE MANAGEMENT, ORGANISATION AND PROCESSES
• AUDIT, IS AUDIT, IT AUDIT
• ADVISORY: WHEN AUDIT BECOMES CONSULTING
13/11/2012 2
References
• ITIL is a Registered Trade Mark and a Registered Community Trade Mark of the Office of Government Commerce (UK), and is Registered in the U.S. Patent and Trademark Office.
• IT Infrastructure Library is a Registered Trade Mark of the Office of Government Commerce (UK).
• BSC is a Registered Trade Mark of R. S. Kaplan and D. P. Norton.
• EVM is a Registered Trade Mark of Deloitte.
• PRINCE2 is a Trade Mark of the Office of Government Commerce (UK).
• PMI, PMP and PMBOK are registered marks of the Project Management Institute Inc.
• COBIT is a Registered Trade Mark of ISACA.
• CMMI is a Registered Trade Mark of Carnegie Mellon University.
• Six Sigma is a Registered Trade Mark of Motorola Inc.
Rosario Piazzese
With about 23 years of experience in the biggest IT Management Consulting firms, I now provide high value added professional services supporting companies that need help with:
– IT Management
– IS Audit
– Governance, Risk and Compliance (GRC)
– Partner, technology and software selection
– Outsourcing and Off Shoring Strategies
– Regulatory Compliance
– International standards (ISO 27001, ISO 20000, SAS 70, etc.)
– Business Process Reengineering and Process Automation
– Business Continuity and Disaster Recovery
Born in 1967, I began my consulting and audit experience in ICT consulting firms at the beginning of the '90s, with Microsoft Certified Partners like Avanade (Accenture group). I joined IDC in 2001 as Manager in charge of the Management & Technology Practice of IDC EMEA Consulting, with a specific focus on IT Governance, IT Audit (Security and Risk Mgmt), Business Continuity and Disaster Recovery strategies and planning. I joined Key Partners in 2004 as Manager. In 2006, after the acquisition, I entered the Deloitte network as Senior Manager. I took part in IT Audit, ICT Governance, Business Continuity, Disaster Recovery, Business Process Reengineering and analysis and organizational design projects, with a strong specialization in Audit, Governance, Risk Mgmt and Security. I was in charge of the IT Governance and Security Competence Centre of the Deloitte Consulting FSI Business Area in Italy. I was involved, as Partner at The Innovation Group and CEO & Founder of ISAS Group, as project manager or subject matter expert in projects dealing with the definition of the role of ICT Governance and ICT Security functions. I'm in charge as Consulting Director of THINK!, an Italian think tank focused on new technologies and their social impacts (www.thinkinnovation.org). As a trainer and freelance consultant I'm now focused on developing offerings on new Cloud, Mobile & Social Strategies and delivering high value added support on IT Governance & Management topics, particularly related to ITIL and COBIT topics in Change and Release Management processes, BPR and sourcing models. My main skills are:
– ICT Governance (ITIL V2 and V3, COBIT, CMMI)
– Business Continuity and ICT Risk Management (BCI, NIST, BS 7799, ISO 27001)
– Certified Information Systems Auditor (CISA)
– Certified in Governance of Enterprise IT (CGEIT)
– Lead Auditor 27001
– CMMI SCAMPI Team Member
DEFINITIONS
Agenda
• STRATEGY CONSULTING
• MANAGEMENT CONSULTING
• IS CONSULTING vs ICT CONSULTING
• ADVISORY, QUALITY ASSURANCE, AUDIT
Consultancy
Consultancy is the professional performance of a consultant, an individual with certified experience and practice in a field of knowledge, who advises and assists his client in his activities through the provision of information and opinions.
Consultancy
The consultant's duty is therefore, once the client delivers the elements at hand, to add those factors deriving from his competence, knowledge and professionalism that will allow for development in the desired direction. In this context the trust between the parties is crucial. This trust can be based on an established relationship, on the consultant's reputation or on the academic and professional titles he has acquired.
IT Consulting
• "IT Consulting" or "Business and Technology Consulting" is the professional performance of one or more field experts, who give companies suggestions on how to best use Information Technology in order to achieve the business objectives. Besides pure consulting, the professional most of the time implements, designs, administers and monitors the information system. The IT consulting sector can be divided into 3 main categories:
• Professional services. These are companies with many consultants and high billing tariffs. These companies look for work force especially in nations with a very low cost of labor.
• "Staffing" companies. These companies work by providing their clients with one or more consultants on a temporary basis. These companies are called «body shops» in negative terms. Such companies, although geographically limited by the client's location, are distinguished from others by the fact that they usually don't charge on the basis of projects or achieved goals, but on the days worked by their consultants at the customer site.
• Independent consultants that work on contract or totally autonomously, and are paid hourly or per project.
• The difference between IT Consulting and Management Consulting is slight. There are often overlaps, although IT Consultants generally have a degree in Informatics, Electronics or Engineering, while Management Consultants have a degree in Business Administration, Economics, Commerce, Financial Sciences or similar.
Management Consulting
By Management Consulting we mean consulting activities related to the improvement of company performance through processes of analysis, problem identification, planning and roadmap development that can regard the organization, the processes, policies, relations, etc. Management Consulting, depending on the scope of intervention, is divided into various subcategories, for example:
• IT consulting
• Business advisory services
• Operations management
• Strategy consulting
• HR consulting
What is IT Management Consulting?
1. It is a service based on knowledge (specialized or not) and on the experience the consultant has accumulated, in order to solve business problems satisfying the client's explicit or implicit needs.
2. IT Management Consulting can be divided into 2 great sub-categories: specialized consultancy that relates to specific content, and process consulting, both based on replicable practices.
3. In the following part we will focus on consulting related to businesses and executives (management consulting) rather than technical-specialized consultancy related to products and technologies.
There are various types of consultancy:
• Strategic
– Strategic Goal Management, mid-long term plans
– Strategy implementation levers
– Bain & Co - BCG - McKinsey - Monitor
– Other niches
• Operations
– Operational functioning of processes/functions, achieving goals
– Re-engineering, outsourcing, supply-chain etc.
– Accenture - Deloitte
– Cap Gemini - KPMG
Segmentation by function
• IT
– System design and requirements
– Systems development and implementation
– IBM - Reply / Engineering - Accenture - HP
• HRM
– Strategic alignment of personnel functions
– Training, culture change, skills management
– Accenture - PWC
– Mercer - AT Kearney
Management Consulting & IT
• All IT management consultants must be knowledgeable and capable in using IT in the various business functions of the client company.
• IT is also an important tool for many aspects and activities that characterize management consulting, such as strategic planning analysis, project management, data analysis in marketing and commercial consulting, etc.
• The IT consulting industry has always been very fragmented by competition, and even after the growth period experienced during the internet bubble of the years 2000-2001 it remained an industry characterized by low levels of concentration, if we set aside the big companies.
Strategy Consulting
• By Strategy Consulting we mean that set of activities mainly directed to understanding where the client company should position itself on the market (the strategy) and how to reach the placement that is considered optimal (the strategic plan).
• For this reason Strategy Consultants work directly with company executives to support them in the most critical decision processes, thanks to the competences they should possess, like the ability to identify evolving markets and technologies, environmental changes and other analytical skills, with the objective of increasing stakeholders' return.
• Examples of questions directed to Strategy Consultants are:
– Should Tesco take over its nearest competitor?
– Should Ford focus on high-value, niche, or cheap, mass-market cars?
– Should Accenture sell off its Indian operations?
– Should Nokia launch a disposable mobile phone?
IS vs ICT Consulting
• Information System Consultants analyze, design and develop business solutions based on information systems. The pervasiveness of computer systems in the various company functions adds value to this professional figure.
• Information Systems Development mainly goes through the following 5 steps:
– Preliminary analysis
– Detailed requirement and system analysis
– System analysis and design
– Development and system testing
– System implementation, evaluation and maintenance.
• By ICT Consulting we mean all those consulting activities aimed at achieving the business goals of the client company aided by Information and Communication Technologies. This activity is based on the evaluation of the client company's IT strategy and the development of an improvement plan for the information system in use, making sure the adopted technologies are aligned with business processes and needs during the whole period from plan conception to implementation.
Advisory, Quality Assurance and Audit
• By Advisory we mean that set of professional services aimed at advising client companies on investments. The professional advisor possesses important knowledge regarding the investment field in question and assists his client on the basis of considerations about risk tolerance, scheduling requirements, performance objectives, etc., in order to evaluate which class of assets is best suited to satisfying a particular business need.
• Quality assurance is a process-oriented approach aimed at assuring that the quality requirements of the product/service are respected. It is therefore a process improvement activity, not to be confused with quality control, which is instead concerned with output analysis.
• Audit is an activity that determines, through investigation, the adequacy and compliance of a process or organization with given procedures, operational instructions, specifications, standards and other functional requirements, and verifies their application in practice.
CONSULTING AND THE MARKETSHARE
Agenda
• ICT Consulting Business Models
• ICT Consulting Service Models
• Job Opportunities
• Big Players, Regional/Local Players
• Specialised vs General Purpose
• What about System Integration
• Audit and Advisory: Differences in Business and Service Models on the Marketshare
Business – IT Maturity Model
Consulting "products"
Date | Product | Consultant | Organisation
1976 | Portfolio Analysis | Henderson | BCG
1980 | Five Forces | Porter | Monitor / Harvard
1985 | Value Chain Analysis | Hamel & Prahalad | Strategos / Harvard
1998 | TQM | Peters & Waterman | MIT
1990 | Core Competencies | Reichheld | Bain & Co.
1993 | BPR | Hammer & Champy | CSC
1993 | Economic Added Value | Stewart | Stern Stewart
Products have a name, a methodology, an application and lots of
Consultants and Products are often “fads”
IT Governance & IT Service Mgmt (1/2)
R.Peterson, "Integration Strategies and Tactics for Information Technology Governance", in Strategies for Information Technology Governance, Ed. Wim Van Grembergen, Idea Group Publishing, 2003
• The evolution of IT organizations from technology providers into service providers requires taking a different perspective on IT management. IT Service Management puts the services delivered by IT at the center of IT management and is commonly defined as:
"A set of processes that cooperate to ensure the quality of live IT services, according to the levels of service agreed to by the customer. It is superimposed on management domains such as systems management, network management, systems development, and on many process domains like change management, asset management and problem management."
• The difference between IT Service Management and IT Governance has been subject to confusion and myths. Peterson provides us with a clear insight into the differences between these two notions:
"Whereas the domain of IT Management focuses on the efficient and effective supply of IT services and products, and the management of IT operations, IT Governance faces the dual demand of contributing to present business operations and performance, and transforming and positioning IT for meeting future business challenges."
IT Governance & IT Service Mgmt (2/2)
[Figure: IT Service Management and IT Governance positioned on two axes: Time Orientation (Present vs Future) and Business Orientation (Internal vs External).]
Who is the Management Consultant?
1. The best is not always the most brilliant, nor a superman.
2. Not all those with an MBA or a business and technology background become good consultants.
3. They aren't magicians or sorcerers, but curious persons who study and work hard.
Types of IT consulting projects
1. Advice Provisioning: which IT system/solution best fits my needs?
2. Design: how do I structure the solution?
3. Implementation: make the system I built work in the best way for all the interested users.
4. Management Support: I help you manage the function and the persons that use the system.
The Client – Consultant Relationship
• What it is
• How to manage it
• Success criteria
The Consulting lifecycle
• Initial Contact
• Project Definition
• Initial Analysis
• Formal Proposal
• Contract
• Project Implementation
– Data Collection
– Data Analysis
– Decisions / Plan
– Intervention
• Review
[Figure: consulting lifecycle flow: Initial Contact, Definition, Proposal & Contract, Data Collection, Data Analysis, Decision-making and Planning, Intervention, Disengaging, Review.]
Working with Clients
• Define the project
– Stimulate, discover and qualify the client's needs.
– Identify the Key Decision Makers and stakeholders
• Build interest and "tempt" the Client
• Successful projects
– Contracts, contracts, contracts
– Clear goals, roles and procedures
– Boilerplating & reuse
– Measurable quick wins
– Solid conclusions
– Not only the project, but also the person must be remembered
Consultancy Marketing
1. Identify an opportunity
• External threats
• Copy others
• Lag behind: benchmarks
• New opportunities
2. Consultancy Marketing
• Links with academies/Business Schools (HBS, MIT, Sloan, etc.)
• Links to institutional conferences
• Publications: books, journals, press, web.
3. Be recognized
• Free surveys / research
• 'Solution' stories
• References
Some basic consulting principles
• Focus on the relationship:
– Understand the client company's and all stakeholders' expectations and personality
• Clearly defined roles:
– Do a good job defining roles and responsibilities for the client, stakeholders and the consulting team
• Help the client see the end of the work from the beginning:
– Clear goals
• The consultant suggests and the client decides
• Always be result oriented
What an IT consultant must avoid doing
Links to some websites
www.accenture.com
www.mckinsey.com
www.reply.com
www.kpmg.com
www.ibm.com
www.capgemini.com
The role of skills
Hard Skills
• Technical skills
• Market skills
• Methodological skills
Soft Skills
• Relational skills
• Analytic skills
• Standing
• Interrelations
• Evolving vision
Consulting company models
Pyramid Companies (Big Four)
Silos model: the pyramids repeat and overlap by LOB/Partner
[Figure: four Competence Centres side by side]
Services companies
Matrix model: skills vs markets
Products
• Technology
• Solutions
Professional Services
• System Integration
• Product Management
Consulting
• Product consulting
• Market consulting
ICT companies
Product Company Model: consulting as integrator / expander of the offering portfolio
Operational metrics of the consultancy company
IT Consulting Fee Levels and Utilization Rates
• Book and realized fee rates
• Target and actual utilization rates
• Service type and career levels analyzed
Compensation in IT Consulting
• Salary levels across the profession
• Annual bonus analysis
IT Consulting Firm Operational Benchmarks (call for details)
• Revenue per professional
• Leverage ratios
• Firm operating costs
• Source: Kennedy Research
Expertise depth: Skills and knowledge base
Wide range of general consultancy skills
Skills:
• High interpersonal skills
• Great ability in presenting content
• Excellent report writing
Knowledge:
• General or specialized business knowledge
• Methods/Practices & Frameworks
• In-depth specific skills: functional, technological or process based
Skills profile: breadth and depth
Average base salaries (UK – 2009)
• Graduate £20 – 26k
• Junior Project Leader £30 – 35k
• Team Leader £40 – 60k
• Senior Consultant £60 – 80k
• Principal Consultant £70 – 100k
• Partner £100k +
+ 10 – 20% bonus + car + benefits
• Some niches can offer higher salaries
HOW THE CONSULTANTS JOB CHANGED
Problems with Consulting Today: the “Ivory Tower” Approach is Inefficient
The Internet has Opened up Research that was once the Domain of Consulting Firms
Level the Consultant Client Relationship
Don’t Dictate
Collaborate
ICT MANAGEMENT CONSULTING
Agenda
• IS Strategy and Strategic Alignment Models
• From Business into IT: Balanced Scorecard and Cascade Models
IS STRATEGY AND STRATEGIC ALIGNMENT MODELS
Aligning IT to Business Strategy (1/3)
• The market context, the business needs and the organizational models typically represent a unitary model for businesses.
• IT, and more particularly the process of selecting an IT solution, often acts as an independent variable with respect to this context, bounded exclusively by cost control logic.
• In reality, the increasingly binding need to tie the IT strategic model to business strategies and their organizational implications makes a model of constant strategic alignment between IT and business indispensable, one that may also guide the choices of acquisition of new solutions.
Aligning IT to Business Strategy (2/3)
• The notion of strategic alignment does not refer to the correct transfer of business requirements to IT functions so that decisions and choices are correctly addressed; that is a relevant aspect but not the central one. It refers instead to the need to build a model that doesn't simply derive IT strategies from business strategies but, on the contrary, defines them at the same time, in a non-hierarchical but synergistic context, so that needs are identified and correctly represented even before the requirements.
Aligning IT to Business Strategy (3/3)
• The following graph shows how different business sectors perceive the importance of alignment between IT and corporate strategy.
IT Governance Status Report, 2008
Strategic Alignment Models (1/9)
• Identifying the relationship model that links the role of IT to the business requires a clear definition of the business strategies themselves, of the critical success factors and of the metrics of measurement.
• It is complex to define precisely the role of IT in the absence of a strategic and operative business analysis model, whether it is built in a Balanced Scorecard (BSC) logic or with the support of more detailed tools like the Enterprise Value Map (EVM).
Strategic Alignment Models (2/9)
• When it is possible to define the strategic business model in enough detail, it is also possible to define:
– the strategic alignment logic between IT and business;
– the processes of alignment, transferring business objectives via BSC or EVM and supporting the creation of an IT BSC.
• In order to establish IT's role with respect to the business in a proper and relatively simple manner, it is often useful to apply Henderson and Venkatraman's Strategic Alignment Model (SAM).
Strategic Alignment Models (3/9)
• The Strategic Alignment Model provides a structured mechanism for setting the alignment between business and IT according to different points of view. The model is based on the concepts of strategic fit and functional integration (see figure below). Strategic fit aims to emphasize that IT strategies should take into account the positioning of IT on the market and the way in which the IT infrastructure should be designed and managed. The concept of strategic fit can also be applied to the company's business component.
Strategic Alignment Models (4/9)
• Functional integration can be observed both from a strategic point of view and from an operational point of view. From a strategic perspective it constitutes the link between business strategy and IT strategy, and reflects the general belief that IT has emerged as a strategic competitive factor with respect to the market and competition.
• Operational integration addresses the links between the organizational infrastructure and business processes on one side and the IT infrastructure and IT processes on the other.
Strategic Alignment Models (5/9)
• Starting from a model of relationships between strategic and operational components, and between business and IT components, the Henderson-Venkatraman model allows us to identify several possible alignment scenarios, articulating them in a number of organizational, functional and economic-financial characteristics, as shown in the following figure.
Source: The Innovation Group
[Figure: Strategic Alignment Model. Business Strategy and IT Strategy exchange needs and answers with the Organizational infrastructure and business processes and with the Technological infrastructure and IT processes and systems, within the Business and Technology external environment (stimulation, opportunity).]
IT placement guidelines (1/2)
The Strategic Alignment Model considers four different approaches to the modes of interaction and alignment between the Business and IT components within the overall corporate framework.
DRIVER: BUSINESS STRATEGY
[Figure: Business Strategy drives Organisational Infrastructure, which drives IT Infrastructure]
IT as a business strategy executor
<<Business strategy is the driver both for the definition of the organizational infrastructure and for the definition of the IT infrastructure. In this scenario, the IT components are addressed to support the business objectives, searching for effective and efficient solutions based on the indications reported in the business strategy>> (*)
The IT component serves as a cost center. (**)
IT as business alignment enabler
<<Business strategy is the driver to which IT strategy is aligned in order to achieve business objectives. Compared to the previous approach, the organizational infrastructure is not binding and the IT strategy is free to set the IT infrastructure, searching for the best available solutions to support the business>> (*)
The IT component serves as a profit center. (**)
[Figure: Business Strategy drives IT Strategy, which drives IT Infrastructure]
(*) Source: Strategic alignment: Leveraging IT for transforming organisations - Henderson, Venkatraman, IBM Systems Journal, Vol. 32, No. 1, 1993, pp. 4-16
(**) Source: ITIL Application Management - Office of Government Commerce (OGC), September 2002 - ISBN 0113308663
IT placement guidelines (2/2)
DRIVER: IT STRATEGY
IT as a business opportunity
In this perspective <<IT strategy, through the use of new or emerging technologies, addresses the business strategy (which does not represent a constraint) and, therefore, the decisions related to the business's organizational aspects>> (*)
The IT component serves as an investment center. (**)
[Figure: IT Strategy drives Business Strategy, which drives Organisational Infrastructure]
IT as a service center
<<The business strategy, in this view, plays an indirect role, while IT strategy focuses on the creation of a range of services based primarily on meeting the needs of IT users.>> (*)
[Figure: IT Strategy drives IT Infrastructure, which drives Organisational Infrastructure]
(*) Source: Strategic alignment: Leveraging IT for transforming organisations - Henderson, Venkatraman, IBM Systems Journal, Vol. 32, No. 1, 1993, pp. 4-16
(**) Source: ITIL Application Management - Office of Government Commerce (OGC), September 2002 - ISBN 0113308663
Strategic Alignment Models (6/9)
• Whatever perspective you adopt, the three elements are inseparable, since the strategic alignment model is based on a classical logic of building the preconditions for the representation of a value chain. Some typical examples:
– Cost Center – the traditional point of view, which uses the business strategy as driver and the organizational infrastructure as pivot to align IT to the business. In this situation IT acts as a cost center, interested in responding to the automation needs of business processes while focusing only on reducing the Total Cost of Ownership (TCO). As a result, applications are designed to be easily maintainable and are based on well-established technologies.
– Service Center – using the business strategy as driver, the intent is to build a centralized unit capable of providing excellent IT services to all its customers regardless of the definition of a proper business strategy (as outsourcers do). An example of this approach is IT acting as a corporate resource that delivers services to the whole corporation and focuses on the quality of service. The infrastructure and applications are therefore designed to be cost-effective and highly available.
Strategic Alignment Models (7/9)
– Profit Center – in this case the pivot to align IT to the business is the IT strategy, since IT strategy and business strategy almost overlap. This situation sees IT as a profit center, where all activities are focused on achieving the maximum revenue from the implemented technology at an acceptable cost. This leads to high-performance applications characterized by high flexibility and high adaptability to changing businesses and requirements.
– Competitive Center – in this case IT presents itself as an element of competitive advantage. The IT function qualifies as an enabling factor for new products or services, or for the improvement of internal processes in terms of production efficiency and the related ability to generate benefits on the income statement. In this scenario IT, while not configured as a profit center, has the ability to act directly on the income statement, producing savings or allowing a reduction in operating costs.
Strategic Alignment Models (8/9)
• In operational reality these schematic representations, typical of a theoretical model, tend to blend, usually resulting in a bias towards the prevailing aspects of one model rather than another, but without full adherence to it. At this point, once the role of IT is clear, the need to formalize the communication model emerges, so that business functions can transfer their own requirements.
Strategic Alignment Models (9/9)
• The SAM model clearly recognizes the need for continuous alignment, but does not provide a practical scheme to achieve it. Over time various alignment mechanisms have been identified and applied in various companies to obtain the convergence between IT and business: business systems planning, critical success factors, Porter's value chain and business process reengineering.
• As already mentioned, the business can transfer its IT objectives through tools that support strategic implementation. We will mainly take into consideration Norton and Kaplan's Balanced Scorecard.
BALANCED SCORECARD
Brief History
• The Balanced Scorecard was developed by Robert Kaplan and David Norton in a 1992 article ("The Balanced Scorecard - Measures That Drive Performance", Harvard Business Review), in which the authors proposed a holistic approach to measuring corporate performance that would allow overcoming the limits of traditional economic and financial accounting.
• In the following years (Kaplan and Norton, "The Balanced Scorecard: Translating Strategy into Action", Harvard Business Review, 1996) the emphasis shifted from measurement to strategic management, while the methodology was enriched through its integration into managerial processes, strategic alignment and communication.
• You can think of this stage as the transition from the Balanced Scorecard intended as a measurement board to the Balanced Scorecard intended as a process of strategic management.
From the industrial age to the information age (1/2)
• Companies are now facing revolutionary transformations:
– Industrial age competition is transforming into information age competition
• During the industrial age, a company's success depended on its ability to extract the maximum possible profits from economies of scale and scope. Technology had its relevance, but in the end success arose for those companies that were able to apply the new technology to real goods, therefore offering an efficient mass production of standardized products.
From the industrial age to the information age (2/2)
• The coming of the information era made many prerequisites for competition of the industrial age obsolete. Companies could no longer obtain a constant competitive advantage with the simple adoption of new technologies in the production of real goods and a solid management of financials.
• In the information era the company's ability to deliver and exploit its material and immaterial goods became far more essential than the management of, and investment in, real and tangible goods.
The new operative environment
Crossed Functions
– Industrial Era: they obtained competitive advantages by specializing functional qualities in the production, purchase, distribution, marketing and technology sectors
– Information Era: they operate with integrated business processes that proceed transversally to the traditional business functions, thus combining the extremely beneficial specialization resulting from functional competence with the speed, efficiency and quality of integrated business processes
Relationship with clients and suppliers
– Industrial Era: they worked with customers and suppliers through direct transactions
– Information Era: information technology enables today's organizations to integrate supply, production and delivery so that operations begin as soon as the order arrives
Client segmentation
– Industrial Era: they offered low cost but standardized products and services
– Information Era: they must offer personalized products and services to various customer segments
Global Scale
– Industrial Era: the market and the competition were mostly confined to national borders
– Information Era: it is necessary to combine efficiency and the development of competitive global operations with the market sensitivity that applies to local customers
Innovation
– Industrial Era: companies could survive without innovating
– Information Era: product life cycles are continuously shrinking. Competitive advantages gained during a certain phase of a product's life cycle don't guarantee product leadership on the next competitive platform
Knowledge workers
– Industrial Era: employees were divided into 2 groups: 1) intellectual elite: managers and technicians; 2) operators: the actual producers and service deliverers
– Information Era: all employees must contribute to the company's value with what they know and the information they can provide. Investment in employees, their correct management and embracing the value of their knowledge have become essential to business success
Organizations that are active in the information age are founded on a new series of operative preconditions.
Traditional general accountability model
• Financial accounting
– In most companies the financial billing and accounting process remained the one developed centuries ago, to account for direct transactions between independent parties.
• Needs in the information age
– The ideal situation would be one in which this financial reporting model expanded to embrace the evaluation of the company’s intangible and intellectual goods, such as high quality products and services, specialized and motivated employees, reactive and reliable internal processes, loyal and satisfied clients.
– The evaluation of immaterial goods and capabilities would be of particular usefulness in the information era, because such goods are more important to achieving success than traditional, real and tangible goods.
Balanced Scorecard (1/2)
• Balanced Scorecard
– The collision between the irresistible forces of long term competitive capacity creation and the static financial accounting model gave birth to a new synthesis.
– The Balanced Scorecard integrates past financial-economic performance measures with measures of future performance drivers.
– Goals and measures of the Scorecard derive from the organization’s strategy and vision, by examining its performance under 4 perspectives:
• Financial-Economic;
• Customers;
• Internal Processes;
• Learning and Growth.
Balanced Scorecard (2/2)
The Balanced Scorecard (BSC) is a strategic management support tool that allows the company’s mission and strategy to be translated into a coherent set of performance measures, allowing for overall business evaluation.
The Balanced Scorecard as a management system (1/1)
• The Balanced Scorecard should translate a business unit’s mission and strategy into tangible goals and measures. These measures represent an equilibrium between external measures (related to stakeholders and clients) and internal measures of critical business processes, innovation, learning and growth.
• The measures are balanced between outcome measures (resulting from past efforts) and measures that incentivize future performance.
• The Scorecard is balanced between objective (quantifiable) measures and subjective considerations, meaning that some measures are debatable and act as drivers of future outcomes.
The Balanced Scorecard as a management system (1/1)
• The most innovative companies use the balanced scorecard as a strategic evaluation system, to manage their long-term strategy, exploiting it to create management processes of vital importance:
– clarify and translate vision and strategy;
– communicate and connect strategic objectives and measures with each other;
– plan, set targets, and align strategic initiatives;
– enhance feedback and strategic learning.
Balanced Scorecard creation (1/5)
Figure: the Balanced Scorecard at the center of four management processes. Clarify and translate vision and strategy: clarify strategy, build consensus. Communicate and relate: communicate and train, define goals, relate rewards to performance measures. Business planning and goal setting: define goals, align strategic initiatives, allocate resources, establish milestones. Feedback and strategic learning: create a shared vision, provide strategic feedback, ease reviews and strategy learning.
Balanced Scorecard creation (2/5)
• Clarify and translate strategy and vision
– The process of building a balanced scorecard starts from the collaboration of top executives in transforming the business unit’s strategy into precise strategic goals:
• Establish goals related to the economic-financial aspect of the business:
– Profit and market growth;
– Profitability;
– Cash flow generation.
• Establish goals with respect to the customer base:
– Define the target customers and segment the market.
• Establish objectives and measures for internal processes.
– The process of building a BSC allows strategic objectives to be clarified and their essential drivers identified.
Balanced Scorecard creation (3/5)
• Communicate and connect strategic objectives and measures with each other.
– Strategic objectives and measures of the BSC are communicated at all levels of the organization.
– In some cases, strategic measures that are inserted at high levels of the business unit’s scorecard are split into specific measures at operative levels.
• For example, the On Time Delivery (OTD) goal in the BSC of a business unit can be translated into reducing the preparation time of a specific machine.
– The BSC encourages dialogue between business units, business executives and the board of directors, not only with regard to short-term financial goals, but also for the formulation and implementation of a strategy to make a decisive step forward in future performance.
Balanced Scorecard creation (4/5)
• Plan, define goals and align strategic initiatives
– The BSC is used at its best when promoting changes in the organization.
– To achieve ambitious goals, managers must identify flexible goals for customers, internal processes, learning and growth.
– The goal planning and management process allows the organization to:
• quantify the results it wants to achieve in the long term;
• identify the mechanisms and provide resources for the achievement of those results;
• establish short term milestones for the financial and non-financial measurements included in the BSC.
Balanced Scorecard creation (5/5)
• Enhance feedback and strategic learning
– The final management process includes the BSC in a strategic learning structure.
• Today, managers have no way to receive feedback on their strategy and to verify the validity of the assumptions on which the strategy is based. Conversely, the BSC enables them to follow the implementation of their strategy, to make adjustments on the go or, if necessary, to substantially change the strategy.
BSC creation process
• Set goals for the BSC program:
– Guide the decision of objectives and measures for the BSC.
– Get the participants’ commitment to the project.
– Clarify the structure of the implementation and management processes that must follow the construction of the initial BSC.
• Examples of reasons that may lead to building a BSC:
– achieve clarity and consensus around the strategy;
– focus on the objectives;
– decentralization and leadership development;
– strategic intervention.
BSC creation process
• The process of creating a BSC can be broken down into four phases:
– Define the architecture for measurement
• Select the appropriate business unit;
• Identify correlations between SBU and headquarters.
– Build consensus around strategic goals
• Conduct a first round of interviews;
• Summary meeting;
• Executives’ workshop: first round.
– Select and design measures
• Sub-group meetings;
• Executives’ workshop: second round.
– Develop the implementation plan
• Implementation plan development;
• Executives’ workshop: third round;
• Complete the implementation plan.
Performance drivers
Figure (source: The Innovation Group): performance drivers across the four perspectives. Learning and growth: employees’ skills and capabilities. Internal business processes: process quality, process cycle timing. Customer base: punctuality in deliveries, client loyalty. Economic-financial: ROI (Return on investment).
Monetary cycle (1/2)
• A measure of capital management efficiency is the duration of the cash to cash cycle.
• Driver: the measure of cash to cash cycle time, which is identified with the sum of the days of warehouse storage and the days of sales in accounts receivable, less the duration of supplier debt.
– Therefore the monetary cycle represents the time a company needs to convert cash payments to suppliers of resources into cash payments received from customers.
Figure (source: The Innovation Group): the cash to cash cycle. The timeline runs from the purchase of raw materials or goods from the supplier, through the payment of the supplier for the raw materials (goods) and the sale of the product, to the receipt of cash from the customer; days of inventory, days of receivables and days of payables are marked on it, and the cash to cash cycle spans from the supplier payment to the cash receipt.
Monetary cycle (2/2)
• Although many businesses find it difficult, if not impossible, to reach zero or negative cash to cash cycles, the objective of reducing this cycle with respect to current levels can be a great incentive to improve working capital efficiency.
– Rockwater (an underwater construction company) had a particular problem with accounts receivable: it had to wait over one hundred days for customers’ final payments. One of its main financial objectives was therefore to significantly reduce the duration of this cycle, a goal that, once achieved, would result in dramatic ROI improvements.
Customer Perspective
• Managers identify the customer and market segments in which the business unit intends to compete and measure its performance in those segments.
• The customer perspective enables business unit managers to articulate a market and customer oriented strategy capable of ensuring higher financial profits in the future.
Primary measures
• Market share
– Expresses (in terms of number of clients, overall revenues or unitary sales volumes) the portion of the total business turnover generated by a particular unit (the company, a business unit, size, etc.).
• Customer acquisition
– Measures, in absolute or relative terms, the rate at which a certain business unit attracts or acquires new clients or commissions.
• Customer loyalty
– Identifies, in absolute or relative terms, the rate at which a certain business unit keeps its relationships with existing clients.
• Customer satisfaction
– Evaluates the customers’ satisfaction in relation to specific performance criteria that fall within the company value proposition.
• Customer profitability
– Measures net profits from single customers, or customer segments, once the expenses to support those customers have been subtracted.
Primary measures
Among the considered measures there are:
• Customer satisfaction;
• Customer loyalty;
• New customer acquisition;
• Customer profitability;
• Market share;
• Profitability of selected segments.
Figure (source: The Innovation Group): the customer perspective measures market share, new customer acquisition, customer loyalty, customer satisfaction and customer profitability.
Internal processes perspective (1/2)
• Executives identify the internal processes of crucial importance in which the organization must excel. These processes allow the business unit to:
• present proposals capable of attracting clients within the pre-selected market segments and manage their loyalty;
• satisfy the shareholders’ expectations of great economic returns.
– The BSC approach identifies totally new processes in which the organization must excel in order to satisfy the customers’ and the economic-financial expectations.
Internal processes perspective (2/2)
• The following generic measures can be found:
– Quality;
– Reaction time;
– Cost and introduction of new products.
• Traditional performance measurement systems are based on the processes necessary to deliver today’s products and services to today’s clients, trying to control and enhance the existing operations that represent the short wave of value creation. For many companies, instead, the innovation process, the long wave of value creation, is a much stronger driver of future economic performance than the short term operative cycle.
Value Creation Chain
• The following generic value chain model provides a base that companies can adapt to their needs in preparing the business process perspective:
– innovation: the business unit studies the latent or emerging needs of customers, then creates products or services that meet these needs. It represents the long wave of value creation, in which companies first identify and cultivate new markets and customers and, at the same time, the emerging or latent needs of existing customers;
– operative: the phase in which existing products and services are delivered to customers. It represents the short wave of a company’s value creation;
– post-sale services: guaranteeing customer service after the sale or delivery of the product or service.
Figure (source: The Innovation Group): the generic value chain. Innovation process (time-to-market): client need recognition, market identification, product/service design, creation of the offering. Operation management (provisioning cycle): product delivery. Post-sale services (customer care), ending with the level of the customer’s need satisfaction.
Break-Even-Time
• The break even time measures the efficiency of the product development cycle.
– It measures the time that separates the beginning of design from the moment the product is introduced on the market and has generated enough profit to cover the development costs invested.
Figure (source: The Innovation Group): Break-Even Time chart with time (months) on the horizontal axis and cumulative costs and revenues (in millions) on the vertical axis; the phases are investigation, development (time-to-market) and production-sales (break-even after release), and the Break-Even Time (BET) is the point where cumulative revenues recover the investment.
Time Measures
• Many customers place significant value on short response times, considered as the elapsed time from the moment they issue an order to the moment they receive the product or service they want, and on response time reliability, in the sense of delivery punctuality.
• Manufacturing Cycle Effectiveness (MCE) is an indicator that many companies use when switching to a just-in-time production flow, and it is defined as:
– MCE = work time / throughput time, where throughput time = work time + inspection time + movement time + waiting/storage time.
– In many operations the work time, meaning the time actually spent creating the product, is less than 5% of throughput time. In an ideal production process the throughput time for each unit equals the work time: therefore the ideal MCE is equal to 1.
Employees skills
• Primary employees evaluation group
– The three essential employee related measurements are:
• Person’s satisfaction:
– Goal: having satisfied employees is an essential condition for enhanced productivity, reactivity and quality of the offering.
• Person’s loyalty:
– Goal: not to lose employees in whom the company has a long term interest.
• Person’s productivity:
– Goal: establish relationships between the final result obtained by the employees and the number of individuals needed to produce the result.
Figure (source: The Innovation Group): the employees’ results (person’s productivity, person’s satisfaction, person’s loyalty) as primary measurements, supported by staff competencies, technological infrastructures, organizational climate and incentives.
Employees requalification
• Many companies that use the BSC go through a phase of radical changes and their employees must undertake completely new responsibilities. The need to requalify employees can be considered under two dimensions:
• Required level of update;
• Percentage of employees that require to be updated.
Figure (source: The Innovation Group): requalification matrix with the level of requalification (professional gap) on one axis and the percentage of employees on the other, each from low to high; the regions are labelled strategic requalification, general requalification and skills enhancement.
Various requalification perspectives
– The strategic plan’s key theme is the need to requalify staff, or improve their skills, in order to carry out the vision.
– Strategic requalification: a precise staff segment must acquire new high-level strategic skills.
– General requalification: a significant proportion of staff requires a general update.
– Skills enhancement: a certain staff portion, large or small, must enhance its primary skills.
Source: The Innovation Group
IT GOVERNANCE
Agenda
• IT, Enterprise, Corporate Governance
• Governance Risk and Compliance: The Consulting and the Audit views
• IT Financial Management: Business value and Company value
• Toolkit:
– SAM
– BSC
– COBIT
– ROI
– TCO
– ROSI
– NPV
– IRR
– Payback Period
– Project Management
IT Governance (1/3)
• As for Enterprise Governance, IT Governance also refers to the work of the board of directors, the executive management and the organization as a whole. The basic principles, however, differ from those of the other two types of corporate governance and include: alignment with business strategy, the provision of added value through information technology and adequate management of technological risks.
• According to the definition:
– “IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives”. Source: IT Governance Institute
IT Governance (2/3)
• The need for guarantees on the value of IT, IT-related risk management and the increasing requirements for control over information are finally included as key business management elements. Value, risk and control constitute the core of IT governance.
IT Governance (3/3)
• To improve control over the organization, governance and IT governance can no longer be considered separate and distinct disciplines. Effective corporate governance channels the experience and skills of individuals and groups to where they can be most productive, monitors and measures performance, and provides positive answers to the issues. IT governance is a formally recognized discipline and is considered an integral part of corporate governance. Although Information Technology is managed by the head of information systems, the responsibility for failures to achieve results through new technologies always falls on top and executive management.
Enterprise Governance (1/2)
• Enterprise governance, or business governance, is usually depicted as an umbrella sheltering the other two inside it. It represents the management paradigm of all management processes, and is designed and developed by executive management under the patronage of senior management. These two corporate bodies strive together to optimize the use of resources, aligning all the organization’s activities, in order to clarify and execute strategic and operational guidelines at best and on the basis of the firm’s risk attitude.
• Enterprise Governance refers to the work of the board of directors, the executive management and the organization as a whole. The basic principles regard the strategic alignment, the responsibility for dissemination of information, and organizational roles with related responsibilities.
Enterprise Governance (2/2)
• The key element is the proper management of business processes, which are of course the responsibility of the board of directors and management. Nowadays the managerial figure that fits better than others in the context of enterprise governance is the CFO (Chief Financial Officer), in fact:
– «I am responsible for traditional accounting issues: cash flows, capital, and cost structures. But my role is increasingly linked with strategy and operations». Clayton Daley, CFO, Procter & Gamble;
– «I am involved in all operational and strategic group decisions, and I am a member of the executive board». Karl-Gerhard Eick, Deputy CEO and CFO, Deutsche Telekom;
– «The CFO is now at the center of all governance issues… there is a much broader involvement in the overall business management of the company». Thierry Moulonguet, Executive Vice President and CFO, Renault;
– «The CFO stands in a special relationship to the chairman and the CEO which is why the three of them form the top team in a company. The basis of this relationship is the CFO’s independence». Sir Adrian Cadbury, ex Chairman, Cadbury Schweppes.
Corporate Governance
• Corporate Governance is also based on the work of the directors and of executive management, but also of the shareholders. The fundamental principles on which it focuses to give indications regarding governance are: shareholders’ rights, management independence and, here too, the responsibility for the dissemination of information.
• Its fundamental goals are:
– Assure the integrity of the accounting and financial reporting system;
– Have an appropriate control system for: the financial system, risk monitoring and compliance with laws and regulations.
• Key elements in corporate governance are:
– A majority of independent administrators;
– The use of international accounting standards;
– Independent audit actions;
– Clear answers to the market’s informational needs.
IT Governance and IT Service Mgmt (1/2)
R. Peterson, "Integration Strategies and Tactics for Information Technology Governance", in Strategies for Information Technology Governance, Ed. Wim Van Grembergen, Idea Group Publishing, 2003
• The evolution of IT organizations from technology providers into service providers requires taking a different perspective on IT management. IT Service Management puts the services delivered by IT at the center of IT management and is commonly defined as:
“A set of processes that cooperate to ensure the quality of live IT services, according to the levels of service agreed to by the customer. It is superimposed on management domains such as systems management, network management, systems development, and on many process domains like change management, asset management and problem management.”
• The difference between IT Service Management and IT Governance has been subject to confusion and myths. Peterson provides us with a clear insight into the differences between these two notions:
“Whereas the domain of IT Management focuses on the efficient and effective supply of IT services and products, and the management of IT operations, IT Governance faces the dual demand of contributing to present business operations and performance, and transforming and positioning IT for meeting future business challenges.”
IT Governance and IT Service Mgmt (2/2)
Figure (source: The Innovation Group): IT Service Management and IT Governance positioned on two axes, business orientation (internal to external) and time orientation (present to future); IT Service Management sits at the internal/present end and IT Governance at the external/future end.
The Framework
Support: e.g. PMI, Prince 2
Governance and Control: e.g. COBIT
Operations: e.g. ITIL
The main decisional areas in IT business: IT governance
– IT strategy principles: how IT is used in the business (IT-business alignment).
– IT infrastructure strategies: strategies for the base foundation of budgeted-for IT capability (both technical and human), shared throughout the firm as reliable services, and centrally coordinated (e.g., network, help desk, shared data).
– IT architecture: organizing logic for data, applications, and technology infrastructure captured in a set of policies, relationships, and technical choices to achieve desired business and technical standardization and integration.
– IT investment and prioritization: decisions about how much and where to invest in IT, including project approvals and justification techniques.
– Business application needs: specifying the business need for purchased or internally developed IT applications.
Source: The Innovation Group
Figure: IT Governance Model (source: The Innovation Group), whose components are the alignment of IT/business strategies, IT investments prioritization, IT architecture and roadmap, IT sourcing strategies, service delivery and development, and IT skills and assets.
IT Strategic Components & IT Governance
The importance of IT in the modern business environment (1/3)
• Information & Communication Technology (ICT) has transformed, in the last years, from a mere support tool into a crucial competitive element to consolidate and improve the positioning of the company with respect to the market. The importance of the information and communication system for the business has grown in parallel with the evolution of technology, so that today it is no longer just a simple tool for automating operational procedures, but can make a substantial contribution to the pursuit and even the redefinition of corporate strategy.
The importance of IT in the modern business environment (2/3)
• Information Technology requires remarkable investments, but it is an element that directly contributes to determining the market value of an organization, and is essential for the achievement of business objectives: think of banking services without IT support; it would be impossible to make money transfers from home through the internet, you would have to go to the bank for a withdrawal, and the same would happen with a simple statement of account, etc.
The importance of IT in the modern business environment (3/3)
• It is also necessary to consider the other side of the coin, which brings out the need to adequately manage the risks associated with IT through increasingly efficient and sophisticated controls. In fact IT, because of the significant investment it requires, increases business risk. Consequently, management carefully studies the market to highlight the differences with competitors and to ensure that investments reach a significant percentage of profit on the organization’s turnover even if they grow with abnormal trends.
IT expenditure analysis (1/4)
• While in the last 4 years IT spending has trended strongly negative, in the previous five years there was steady growth in technology spending in companies around the world.
• According to the main market observers this phenomenon can be related to:
– The pace of technological innovation that enabled the production of new services and managerial models (Cloud, BYOD, etc.);
– The increase in obsolescence rates of technological components;
– The constant evolution of operating systems and application software, which results in increasing needs for processing, communication and storage resources.
The IT market (2009-2011)
Figure: the IT market 2009-2011 by segment (services, software, technical support, hardware), numbers in millions of Euro and % year-on-year change; total market 18.686 (2009), 18.430 (2010), 17.675 (2011).
IT market by firm size (2010-2011)
Figure: IT market by firm size (Mln €, % on total and % net of consumers), split into small, medium and big firms, with year-on-year changes for 11/10, 10/09E and 09/08E (all negative).
IT expenditure analysis (2/4)
• Some recent investigations involving IT managers of large companies, indicate that, compared to five years ago, the use of technology among users has increased by 50% and this trend is growing, as shown in the following figure.
Figure: IT Services Spending in Industry Markets (million of Euros), 2005-2010, by industry: Agriculture, Mining and Construction; Communications; Discrete Manufacturing; Education; Financial Services; Healthcare; Local and Regional Government; National and International Government; Manufacturing; Retail Trade; Services; Transportation; Utilities; Wholesale Trade.
Gartner Industry IT Spending in EMEA Forecast, 4Q06
Source: The Innovation Group
IT expenditure analysis (3/4)
• The increased use of technology, however, brings with it a demand for ever greater technical assistance, needed to maintain the proper functioning of the various technological devices. In addition, support costs, as claimed by half of the respondents, are four times higher than the purchase price of the device and have increased by at least 50% since 2001.
• According to IDC, in 2006 companies worldwide spent about 1,160 billion dollars on Information Technology, and this level of spending would continue to grow at an average annual rate of 6.3% to reach 1.48 trillion U.S. dollars in 2012, net of the economic crisis.
IT expenditure analysis (4/4)
• These analyses seem to suggest:
– the centrality of investment in Information Technology, a market that in some cases (BYOD growth) still follows trends typical of merchandise sectors with a high level of competitiveness and a high rate of innovation, with an almost anti-cyclical dynamic;
– the need to keep the growth of IT costs under control, favoring service oriented investments that are capable of making real contributions to the implementation of corporate strategies (Cloud);
– the need to intervene at different levels on the rationalization of current spending, aiming at balancing the weight of "commodity" services spending compared to those with high added value (moving from CAPEX to OPEX => Cloud).
Benefits and control in Information Technology (1/7)
• The market is undergoing global competition; companies are restructuring to improve their position, to adhere more closely to their "core business" and at the same time exploit the competitive advantages offered by the most advanced technologies. These changes have had, and will continue to have, profound implications for the structures of management and control. The crisis in this case is a facilitator and an accelerator, not an inhibitor.
• Automating the functions of an organization obliges it, by its very nature, to incorporate increasingly powerful control mechanisms, both hardware and software, on computers and networks. Furthermore, the basic and structural characteristics of these controls progress at the same pace and in the same way in which the underlying information technology evolves.
Benefits and control in Information Technology (2/7)
• Business activities demand information from the information system to meet business objectives. Companies, therefore, must ensure interdependence between their strategic planning and their IT operations. IT and business strategies must be aligned, and IT must enable the enterprise to take full advantage of its information assets, maximizing benefits, capitalizing on opportunities and gaining competitive advantage. Information technology provides the organization with tools for:
– developing many strategic initiatives that generate a competitive advantage;
– providing information based on fundamental analysis for decision-making, including governance indicators;
– recording the organization’s performance, both financial and otherwise;
– monitoring the internal control system;
– capturing and storing the company’s intellectual capital;
– supervising the development of the organization’s information policies such as security, privacy, consumerization, business continuity and disaster recovery.
Benefits and control in Information Technology (3/7)
• Many activities related to information technology emphasize the need to better manage the risks associated with these technologies. The most critical business processes are supported by information managed by electronic systems. Within the legislative context, increasingly tight information controls are being introduced. This is motivated in large part by the growing number of serious incidents caused by the malfunctioning of business information systems, which become known to the market and result in a loss of credibility, by the rise of electronic fraud, and by the recent scandals that have occurred in Italy and abroad and have led to a growing lack of confidence on the part of customers.
Benefits and control in Information Technology (4/7)
• IT-related risk management is now seen as a key element of corporate governance. Organizations, therefore, must ensure that their information assets, like all their assets, meet requirements for quality, reliability and safety. Management must also optimize the use of available resources, which include: data, application systems, technology, infrastructure and staff. To meet these responsibilities, as well as to achieve its objectives, management needs to know in depth the situation of its IT systems and decide what level of security and control they should provide.
Benefits and control in Information Technology (5/7)
• All of this suggests that management must ensure that it is operating a system of internal control, or a methodology, that supports the business processes; for each control activity, the consequences it has on IT, and how it can meet the business requirements, must be clearly indicated. These requirements can be identified as effectiveness, efficiency, confidentiality, integrity, availability, regulatory compliance, and reliability. Control, which includes policies, organizational structures, practices and procedures, is the responsibility of management. Thus, an IT control objective is the statement of the expected result or of the purpose to be pursued by implementing specific control procedures within each IT activity.
Benefits and control in Information Technology (6/7)
• Management, through organization governance, must ensure that due diligence is exercised by all the people involved in the management, use, design, development, maintenance and operation of information systems. Factors that may highlight the critical nature and importance of information systems are summarized below:
– an increasing dependence on information and the systems that manage it, as happens for example in the banking environment;
– an increasing number of vulnerabilities and a wide spectrum of threats related to information systems, such as telematic ones and cyber warfare;
– the pervasiveness and the volume of current and future investments in data processing and information technologies;
– the potential of technology to radically transform organizations and business practices, create new opportunities and reduce costs.
Benefits and control in Information Technology (7/7)
• From all this it is increasingly clear that it is important to have a framework for IT security and control. Successful companies must have a basic knowledge of, and make an estimate of, the risks and the constraints imposed by information technology within the enterprise, in order to combine effective management with appropriate controls. Therefore, management needs a clear IT security and control framework in order to evaluate and compare both the existing environment and the planned one, and the cost-benefit tradeoff of a control system.
The need for a control framework in IT governance (1/8)
• Senior management needs to know if the company manages information in order to:
– have the chance to achieve its objectives;
– be flexible enough to learn and adapt;
– manage the risks it meets flawlessly;
– properly recognize opportunities and act accordingly.
The need for a control framework in IT governance (2/8)
• The key elements of IT governance concern, with regard to the information system as a whole: strategic planning, the internal control system, project management and asset management. Each of these must have among its fundamental principles:
– Governance – the ability to keep business processes under control
– Accountability – the ability to provide explanations regarding the managerial operations;
– Transparency – clearness of the provided information, both internally and externally;
– Disclosure – making relevant information known to the external environment;
– Independence – in the managerial activities.
The need for a control framework in IT governance (3/8)
Relative importance of some business drivers, Forrester Research, 2007
• Good business governance allows the company to:
• maximize revenues, and distribute the resources among activities with high added value;
• minimize business risks and negative publicity, through proper planning of the most important activities of the company;
• save money, streamlining the governance and control methods: reducing duplication and waste, reducing losses, penalties and damages;
• increase the confidence in the organization on the part of all stakeholders (employees, customers, suppliers, investors, shareholders);
• obtain continuous information to improve the response to the variable market conditions.
The need for a control framework in IT governance (4/8)
• IT governance is the responsibility of executives and the Board of Directors, and consists of the leadership, the organizational structure and the processes that ensure that the company's IT supports and achieves business goals and strategies.
• The clear and unambiguous definition of the roles and responsibilities of all parties involved is a crucial prerequisite for the definition of a model for effective IT governance. It is up to the Board of Directors to communicate these roles and make sure they are well understood.
The need for a control framework in IT governance (5/8)
• Effective IT governance is obviously also determined by the organizational structure of the IT function and by where, within the organization, the decision-making responsibility for IT is located.
• IT governance should be an integral part of corporate governance, and therefore one of the key elements brought to the Board of Directors' attention. The Board of Directors may carry out its duties of government through appropriate committees, and appoint for example an IT Strategy Committee. This is composed of both board members and top management, and should assist the Board in the governance and supervision of the business issues related to information technology, and solicit the Board of Directors to regularly deal with issues related to IT in a structured manner.
The need for a control framework in IT governance (6/8)
• IT governance is usually developed at different levels: team leaders and corporate executives, who report to and receive instructions from their managers; managers, who report to the directors; and the directors, who report to the Board of Directors. The information flows and the related reports give information on deviations from the objectives, including recommendations for actions to be taken at the management level. Clearly, these activities will not be effective until strategies and objectives have been cascaded down the organization.
The need for a control framework in IT governance (7/8)
• Furthermore, IT governance integrates and institutionalizes best practices that ensure that IT supports business goals. The frameworks for governance and control are thus becoming part of IT management best practices, and they are a facilitating factor for establishing IT governance and complying with ever-increasing regulatory requirements.
The need for a control framework in IT governance (8/8)
• IT best practices have become important due to several factors:
– managers and the governing bodies of the company expect a greater return on investment in IT, so that IT may provide the services that the company needs to increase value for stakeholders;
– concern about the general increase in the level of IT spending;
– the need to satisfy the legislative requirements for IT controls in areas such as privacy and the preparation of financial statements (for example, the Sarbanes-Oxley Act, Basel II) and in specific sectors such as financial, pharmaceutical and health;
– the selection of service providers and the management of outsourcing and acquisition of services;
– the growing complexity of IT-related risks, such as network security;
– IT governance initiatives that include the adoption of control frameworks and best practices that help monitor and improve critical IT activities to increase business value and reduce risk;
– the need to optimize costs by following, where possible, standardized approaches rather than specifically developed methods;
– the growing maturity and consequent acceptance of established frameworks such as COBIT, ITIL, ISO 17799, ISO 9001, CMMI, PRINCE2 and PMBOK;
– the need for companies to evaluate and compare their own performance both with generally accepted standards and with their competitors (benchmarking).
IT Governance Framework (1/4)
• According to a general definition, IT governance is the process through which IT investment decisions are made. This process evaluates how decisions are made, who is responsible for them and how the results are monitored and measured throughout the organization. Based on this definition, each company will of course have its own interpretation of IT governance. Unfortunately, for many businesses governance is an "ad hoc" and informal process, which means that there is no consistency between companies, responsibilities are poorly defined and there are no formal mechanisms to measure and monitor the results of decisions.
IT Governance Framework (2/4)
• In today's companies, optimizing investments in IT has become a priority. A growing trend has been found among organizations to raise IT results to the level of the board of directors.
• IT governance cannot exist alone, but must be placed within the wider Enterprise Governance, and the responsibility does not fall only on the information systems area, but also on the board of directors and executive management.
IT Governance Framework (3/4)
• To implement good IT governance, a structure based on three main elements is required:
– Structure: who makes the decisions, i.e. which organizational structure should be created, who within the organization will take part in it and what responsibilities must be undertaken.
– Processes: how investment decisions should be taken, and what decision-making processes are used to review and prioritize the proposed investments. The activities that make up the IT governance process are: IT portfolio management (proactive management of the entire collection of projects, applications, systems, etc.), service-level agreements, the chargeback mechanism (allocation of costs and services to the different business units that consume them) and demand management (management of the demand for IT resources).
IT Governance Framework (4/4)
– Communication: how the results derived from these processes and decisions should be monitored, measured and communicated, and which mechanism will be used to communicate the IT investment decisions among the board of directors, the executive managers, corporate executives, IT managers, employees and shareholders. Sharing must be facilitated by using mechanisms such as parallel careers and job rotation (IT staff goes to business units and non-technical staff is assigned to IT), continuous training, cross-training, etc.
• Once the concept of IT governance has been defined, the next step is to establish the principles on which to build a good governance structure. These principles are made explicit in three main elements: understanding the level of governance maturity, knowledge of how the company's resources impact IT governance, and a deep understanding of the four IT governance objectives.
The 4 IT dimensions (1/2)
• Finally, to conclude our analysis, it is possible to identify 4 dimensions guiding IT governance, each of which may be addressed to a specific part of the IT governance process:
– IT value and strategic alignment – One of the primary objectives of IT governance is to ensure strategic alignment between business and IT. The creation of the necessary structure and processes around IT investment and management ensures that only projects aligned with the strategic objectives will be approved, prioritized and implemented. Such alignment both sustains the existing business and allows for its transformation; enhancing business value typically means increased revenues, improved customer satisfaction and reduced costs, and enables the development of new products or services.
– Risk management – The risk associated with IT is usually the same risk associated with the company, so managing it becomes a priority for the company. The risk includes security breaches by hackers, violations of privacy and access, errors, interruptions, and the risks associated with project failure.
The 4 IT dimensions (2/2)
– Accountability – IT governance is essentially based on the allocation of responsibilities. The Sarbanes-Oxley Act, among all its obligations, also requires senior executive managers to be made responsible for the integrity and credibility of financial information and controls. In order to align with this law, IT governance holds management responsible for missed returns on investment in Information Technology, as well as for the credibility and transparency of IT controls.
– Performance Measurement – The heads of IT governance measure results according to the four perspectives of the Balanced Scorecard (concept detailed in the following chapters). The IT balanced scorecard is divided into four key concepts: value of IT, customer service, operational excellence and future orientation. Two of these perspectives contain measures for managing the key objectives of governance: the value of IT and risk management. The IT value perspective contains specific indicators to measure the alignment between IT objectives and the company's strategic goals, while the operational excellence perspective provides indicators that measure IT risk.
Governance investments
• According to a market survey conducted by Forrester in 2005, a growing interest over the years towards IT governance methodologies was found. The sample consisted of CIOs, CTOs, CFOs, VPs and executive managers of some major companies (more than 60% declared more than a billion in revenues) in the United States.
IT FINANCIAL MANAGEMENT: BUSINESS VALUE AND COMPANY VALUE
Benefit analysis (1/3)
• The need to quantify investments in IT in economic-financial terms, and to properly verify the cost-benefit ratio, arises, beyond contingent or special purposes of an accounting, tax and internal control nature, within the wider perspective of the concept of corporate governance.
• The perspective of information systems governance, intended as the configuration of the types of decisions and responsibilities related to information systems, is particularly useful in order to induce certain behaviors in users and in the business as a whole.
Benefit analysis (2/3)
• In this respect, among the choices of those who govern the business are those that define which decisions must be made with respect to the information systems, who must take them and, more importantly, how they and the results achieved are measured.
• The evaluation of the convenience of an IT project, as well as the analyses that try to estimate the impact of the introduction of a new information system or a component thereof, is a central element for the proper management of the company's IT control model.
Benefit analysis (3/3)
• The degree of success of such an introduction is often evaluated only on the basis of return on investment (ROI) in economic and financial terms. In fact, the adoption of standard models of ROI definition is not always applicable or, worse, significant with respect to the value of the decision. Experience therefore suggests that the financial analysis should be complemented with an analysis of the value of the choice, based on the impact that the application solution has on the process in its aspects of:
– execution and crossing times;
– streamlining of bureaucracy;
– use of resources;
– improvement of service levels;
– volumes.
• The integration of the two levels, related to the value of the assets and to the related impact on the process, helps to qualify a genuine process of IT governance.
Monetary benefits
• Many kinds of benefits can be extracted, and from an economic-financial point of view they can be classified as:
– higher returns;
– reduced operating costs;
– reduced working capital or fixed assets, and a consequent reduction in borrowing costs.
Increased returns
• An increase in revenues is the result of an IT project that creates new products or services (the most obvious example is an e-commerce site to which an IT project allows new information or digital products to be added), that allows the company to deploy its products and services into new areas or new customer segments, or that allows traditional services and products to be enriched with information, increasing the value perceived by customers and therefore the average selling price (an example is web-based shipment tracking, which in the past has earned a premium price).
• In summary, the benefits that should be included in an economic evaluation are equivalent to the hypothesized turnover (expected revenue) net of the operating costs of production.
Reduced operative costs
• The reduction in operating costs can be related to improvements in efficiency (lower fuel consumption with equal volumes, increased productivity), the elimination of activities or organizational units (reduction in personnel costs, elimination of fixed assets and related operating costs), greater coordination (and therefore a reduction of warehouse stocks or other buffer resources that covered coordination gaps), and so on.
Reduced working capital or fixed assets (1/3)
• The third class relates to the possibility of reducing working capital, represented basically by inventory and accounts receivable. This reduction results in a lower level of operating costs because, for example, it reduces the need for staff to manage the inventory, or buildings dedicated to storage are no longer necessary.
• The most important benefit, however, is the reduction of unproductive assets with a consequent reduction of onerous debts with third parties (bank loans and similar ). In summary, inventory decreases , debt is reduced, as well as interest expenses on these borrowings thus improving the annual margin.
Reduced working capital or fixed assets (2/3)
• But how is working capital reduced?
– Supply Chain Management projects aim at improved integration with suppliers and customers, thus providing better access to information upstream and downstream of the supply chain, allowing for better alignment of production and sales plans with the other chain operators and thus the reduction of buffer stocks.
– The introduction of Sales Force Automation or Electronic Billing systems allows for the reduction of the time spent on sales force alignment and distribution channel management, besides the average credit collection period, because the days needed for the physical delivery of information and paper supports are reduced.
Reduced working capital or fixed assets (3/3)
• The resources freed up from unproductive fixed assets may alternatively be invested profitably, and therefore may lead not to a reduction of interest expense but rather to an increase in financial income.
Limitations of financial models (1/3)
• When financial analysis is applied to information systems, many well-known problems emerge. The financial models do not sufficiently express the risks and uncertainties associated with the estimates of costs and revenues. Costs and benefits do not occur in the same period of time: costs tend to occur in the early stage and are tangible, while benefits tend to occur later and are, at least initially, mainly intangible and therefore difficult to quantify.
• Traditional approaches tend to examine the profitability levels of single implementations related to specific business functions, without effectively tackling:
– infrastructural investments;
– transversal impacts across functions, which do create value for the company.
Limitations of financial models (2/3)
• They often neglect other factors, such as the social and organizational implications of change, which can significantly alter the cost-benefit ratio of the choice of an application solution.
• Many investment decisions related to the adoption of a new application solution do not adequately consider the costs generated by organizational change (training, learning curves and diffusion, management commitment) and the related benefits (acceleration of business processes and decision-making, increased process and function capability), which may be over- or under-estimated.
Limitations of financial models (3/3)
• The presence of organizational variables and the temporal asymmetries between costs and benefits therefore require particular caution in the adoption of traditional approaches to estimating the investments and their returns regarding the adoption of application solutions.
• In particular, the financial analysis models must be calibrated to adequately take into account the actual timing of implementation, testing, production and obsolescence of application solutions and of the underlying technological chains (basic infrastructure, processing systems, telecommunications equipment, operating systems, basic software, middleware).
• In particular, the speed of obsolescence determines, when defining the investment programs, the need to consider appropriate timeframes, which are certainly shorter than those of traditional industrial investments.
Investment planning (1/6)
• The return on investment is the first object of interest of such an analysis. This deliberately generic term indicates that, against a certain investment (usually intended in financial terms, but hopefully not exclusively) and the related costs, some benefits that justify these expenses should arise.
• As already stated, the process is made complex by certain factors:
– benefits are hard to quantify and usually present various components that are not directly quantifiable;
– some costs are spread across years and impact the economic activity differently;
– other costs are tied together and are needed to set up the infrastructure that supports both the application solution under analysis and other systems that are, or can be, introduced in the company.
Investment planning (2/6)
• This complexity, and the presumption of objectivity of financial analysis models, often allow instrumental approaches aimed at steering the decision in one direction or another on the basis of the decision-makers' prejudices, making the process purely bureaucratic.
• The real benefit of such an analysis covers the whole life cycle of the project: objectives, expectations and impact hypothesis are declared during the assessment whose verification is carried out during the implementation and use of the solution.
Investment planning (3/6)
• Only then it is in fact possible to understand if the initial estimates were correct, if unexpected events occurred and if the estimates were influenced by individual prejudice in positive or negative terms.
• Quite simply, corporate knowledge is built only from the comparison between estimated and final values, which allows the main deviations to be identified and, progressively through repeated implementations, the estimation models to be tuned.
Investment planning (4/6)
The evaluation can in any case only happen with:
• clear objectives in terms of business and system;
• exact definition of functional specifications;
• exact definition of technical pre-requirements;
• exact definition of organizational and competitive effects.
The definition of the above-mentioned elements is essential to determine:
• the types of cost:
– investment;
– operating;
• the benefits:
– monetary:
• increased revenues;
• reduced operating costs;
• reduction of working capital and assets, and the related reduction of financial obligations;
– organizational or process related:
• execution and crossing times;
• bureaucracy streamlining;
• resource usage;
• improvement in service levels;
• volumes treated;
• fulfillment of regulatory obligations.
Investment planning (5/6)
• With regard to costs, while the estimate of investment costs is relatively simple (human and technological resources for implementation, licensing and acquisition of external expertise), the estimation of operating costs requires several factors to be considered:
– steady operation costs:
• personnel;
• licenses;
• fees;
• consumption;
• depreciation of project costs;
– maintenance costs:
• personnel;
• fees;
• consumption.
Investment planning (6/6)
• This clearly relates to differential costs, i.e. costs that arise because the investment has been decided, or because it was decided to allocate corporate resources that are no longer available for other activities.
• Speaking of costs, a profitability perspective is adopted, which captures the link between the use of a productive factor and the activity.
• An alternative is the financial perspective, in which factors are observed in terms of disbursement values and disbursement timings.
The profitability perspective (1/3)
• In the profitability perspective there is the concept of multiannual cost (an asset that remains in the company for several years and whose contribution to the economic activity takes place through depreciation).
• After determining the one-off costs of the project, the next step is the identification of the annual impacts. It is usually after the introduction of the system that its benefits and costs arise; it is therefore necessary to hypothesize precisely when they arise.
• Changes in revenue net of changes in cost are the annual net margin (which may be either positive or negative) attributable to the decision to introduce the system under evaluation. The estimate of the annual changes in costs and revenues arising from the evaluated system is based on the different classes of possible monetary benefits.
The profitability perspective (2/3)
• With regard to the operating costs, it is necessary to estimate operating and maintenance costs. Among the operating costs it is necessary to insert the amortization portion of the implementation cost: in fact the development phase originates one-off costs that enter the economic activity from the moment the system is used in production. It is therefore like imagining acquiring an asset from an external supplier and progressively depreciating it. The estimate of costs and revenues should be made for the years in which the system is assumed to be used (useful life).
• Where the expected benefits outweigh the incremental costs, the project has a positive return, otherwise resulting in a lower business margin.
The profitability perspective (3/3)
• For internal reporting purposes it can be useful not only to work in differential terms, but with the direct comparison between the income statement with and without the project . In fact, the decision maker may thus enhance its sensitivity to the overall assessment of the project's impacts, comparing it to the forecasts available for the period in question.
• The operating income variation can then be included in the decision-making process in absolute value, as a percentage of estimated operating income without the project or as a percentage of company turnover expected in the period considered by the evaluation.
The financial perspective (1/2)
• The financial perspective, instead, places all the project's expenses and financial incomes over the entire life of the system and then brings them back to a single point in time (usually the time of evaluation) through the discounting process.
• In the financial perspective it is therefore possible to obtain indicators of the financial convenience of the investment:
– Net Present Value (NPV) – present value of the series of cash inflows and outflows generated by the project;
– Internal Rate of Return (IRR) – rate that indicates the project's return with respect to discounted cash inflows and outflows;
– Pay Back Period (PBR) – time necessary for discounted cash inflows to cover discounted cash outflows.
The financial perspective (2/2)
• All these indicators are widely used among the investment evaluation methodologies and business practices often state in a timely manner what are the values under which the projects will not be accepted (for example, an IRR of 5% or a PBR of 18 months).
• These indicators typically contribute to the composition of the ROI (Return On Investment), the measure of return that can be achieved by any investment.
ROI (1/4)
• The return on investment rate calculates the rate of return the investment is capable of generating, relating annual cash flows to depreciation.
• This index gives an idea of the accounting return the project would be able to yield.
• In order to obtain the ROI, the average net benefit must first be calculated as:
Average net benefit = (Total benefits – Total costs – Depreciation) / Investment life span
• The average net benefit is then divided by the total investment:
ROI = Average net benefit / Total investment
ROI (2/4)
• The problem with ROI is that it doesn't consider the time value of money.
• For this reason the Net Present Value is introduced.
• The present value is the value, in today's currency, of a payment that will be received in the future.
• It is needed to discount the investment's returns and, for a constant payment received every year for n years, is calculated as:
Present Value = Payment × (1 – (1 + interest rate)^-n) / interest rate
• The Net Present Value is therefore calculated as:
NPV = Discounted expected future cash flow – Initial cost of the investment
ROI (3/4)
• The Internal Rate of Return is an alternative to the NPV.
• The model does consider the value of money in time.
• The IRR is defined as the rate of return or profit that an investment is capable of generating.
• The IRR is the discount rate that will make equal the present value of expected future cash flows deriving from the investment and the initial cost of investment.
R (discount rate) is such that Present Value – Initial Cost = 0
ROI (4/4)
• The Payback Period method is pretty simple:
– It represents the time required to pay back the project's initial investment.
• It is calculated as:
Initial investment / Annual net cash flows = years needed to pay back the investment
• The payback period is very widespread because:
– it is simple;
– it is useful for a first screening of alternative hypotheses;
– it is particularly good at evaluating cases characterized by high risk, in which the project's lifecycle is difficult to estimate.
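As an added worked example, not part of the original slides, the indicators defined on the ROI (1/4) to (4/4) slides are computed in Python for a constructed IT project: the ROI ratio, the present value of a constant annual net cash flow, the NPV, the IRR (found as the discount rate at which NPV is zero) and the payback period, followed by the kind of threshold screening mentioned earlier (an IRR of 5% or a PBR of 18 months). All project figures and thresholds are assumed values.

```python
"""Investment indicators for an IT project, as defined on the ROI slides.

Constructed example: initial investment 120,000, operating life 5 years,
total gross benefits 260,000, total operating costs 60,000, the whole
investment depreciated over the life, discount rate 8%.
"""
from typing import Optional


def average_net_benefit(total_benefits: float, total_costs: float,
                        depreciation: float, life_years: int) -> float:
    """Slide ROI (1/4): (Total benefits - Total costs - Depreciation) / life span."""
    return (total_benefits - total_costs - depreciation) / life_years


def roi(total_benefits: float, total_costs: float, depreciation: float,
        life_years: int, total_investment: float) -> float:
    """Slide ROI (1/4): average net benefit divided by the total investment."""
    anb = average_net_benefit(total_benefits, total_costs, depreciation, life_years)
    return anb / total_investment


def annuity_present_value(payment: float, rate: float, years: int) -> float:
    """Slide ROI (2/4): Payment x (1 - (1 + rate)^-n) / rate.

    A zero rate means no discounting, so the sum is simply payment x years.
    """
    if rate == 0:
        return payment * years
    return payment * (1 - (1 + rate) ** -years) / rate


def npv(payment: float, rate: float, years: int, initial_cost: float) -> float:
    """Slide ROI (2/4): discounted expected future cash flow - initial cost."""
    return annuity_present_value(payment, rate, years) - initial_cost


def irr(payment: float, years: int, initial_cost: float,
        hi: float = 10.0, iterations: int = 200) -> Optional[float]:
    """Slide ROI (3/4): the rate R at which Present Value - Initial Cost = 0.

    NPV falls monotonically as the rate rises, so a bisection between 0 and
    `hi` converges. Returns None when the project does not even recover its
    cost undiscounted (NPV at rate 0 is negative), since no positive IRR exists.
    """
    lo = 0.0
    if npv(payment, lo, years, initial_cost) < 0:
        return None
    if npv(payment, hi, years, initial_cost) > 0:
        raise ValueError("IRR exceeds the upper search bound")
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if npv(payment, mid, years, initial_cost) > 0:
            lo = mid  # still positive: the root lies at a higher rate
        else:
            hi = mid
    return (lo + hi) / 2


def payback_period(initial_investment: float, annual_net_cash_flow: float) -> float:
    """Slide ROI (4/4): initial investment / annual net cash flows, in years."""
    return initial_investment / annual_net_cash_flow


def passes_thresholds(irr_value: Optional[float], payback_years: float,
                      min_irr: float = 0.05, max_payback_months: int = 18) -> bool:
    """Screening gate of the kind described on the financial perspective slide:
    reject if there is no positive IRR, the IRR is below the minimum, or the
    payback is longer than the allowed number of months."""
    if irr_value is None:
        return False
    return irr_value >= min_irr and payback_years * 12 <= max_payback_months


def evaluate_project() -> dict:
    """Runs every indicator on the constructed project above."""
    investment, life, benefits, costs, rate = 120_000.0, 5, 260_000.0, 60_000.0, 0.08
    annual_cash_flow = (benefits - costs) / life  # 40,000 per year
    irr_value = irr(annual_cash_flow, life, investment)
    payback = payback_period(investment, annual_cash_flow)
    return {
        "roi": roi(benefits, costs, investment, life, investment),
        "present_value": annuity_present_value(annual_cash_flow, rate, life),
        "npv": npv(annual_cash_flow, rate, life, investment),
        "irr": irr_value,
        "payback_years": payback,
        "accepted": passes_thresholds(irr_value, payback),
    }


if __name__ == "__main__":
    for name, value in evaluate_project().items():
        print(f"{name:>14}: {value}")
```

With these figures the project clears the 5% IRR floor comfortably but fails an 18-month payback limit, which is exactly the situation in which the slides recommend complementing the financial indicators with the qualitative factors discussed later.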
TCO
• The Total Cost of Ownership of an information system includes:
– initial cost of acquisition and implementation;
– upgrade costs;
– maintenance costs;
– technical support costs;
– training costs;
– logistics costs.
• The TCO model is particularly useful to analyze real costs.
• Considering all the above elements, for example, the TCO of a PC can be 3 times higher than the purchase price.
• In fact, acquisition costs generally range between 20% and 30% of the purchase price.
Qualitative factors: an integrated approach (1/7)
• What about non-monetary benefits?
• The adoption of an integrated governance model allows us to complement such an assessment with the identification of those factors that can be considered of interest or of risk. The evaluation of convenience, if properly contextualized with respect to a model of strategic alignment between business and IT, cannot disregard an assessment in which all the elements that are not immediately quantifiable, or whose quantification leaves excessive margins of discretion, are placed.
Qualitative factors: an integrated approach (2/7)
• Thinking in a logic of dependencies between critical success factors at different levels of the corporate value pyramid, the cost-benefit analysis (CBA) cannot help but also take into account indicators that are measurable and attributable to specific business goals, but whose financial assessment is not immediate (such as increased competitive ability, or the fulfillment of legal requirements whose breach may result in intangible damages and a jeopardized image rather than pecuniary, quantifiable damages and penalties).
Qualitative factors: an integrated approach (3/7)
• The value chain logic allows us to reconstruct the dependency relationships and to define a chain by which each specific benefit element that is not directly traceable to monetary ones can be weighed. Such elements clearly have a value relative to the company's strategic model, but not a discretionary one, since it is derived directly from the critical success factor and the related indicators to which the element is bound.
Qualitative factors: an integrated approach (4/7)
• Therefore looking at the representation that shows the close correlation between indicators for the evaluation of business objectives and success indicators of the IT world, you can better understand how also the benefit analysis can not be reduced to a mere economic and financial analysis, although it is necessary to bring it back to its measurable monetary value.
[Figure: correlations and alignments between Company, IT Function and IT processes. Company Strategic Objectives, Division/Function Objectives and IT Process objectives map to Company CFS, IT Function CFS and IT Process KFS, each with its Performance Indicators, feeding the Strategic Scorecard, IT Function Scorecard and IT Process Scorecard; Software Selection requirements, the Software Selection Process and the IT System sit at the bottom of the chain. Source: The Innovation Group]
Qualitative factors: an integrated approach (5/7)
• It is therefore desirable to identify the factors of interest and the risk factors that must be included in the evaluation process. The definition of these factors must follow a logic that cuts across the organizational logics, but it must associate the factors with specific business processes, or rather with the specific business processes that created the need for automation. This association also makes it possible to embed a comparison of the processes in terms of performance and feasibility, highlighting the elements of advantage or disadvantage related to the adoption of a supporting application solution.
Qualitative factors: an integrated approach (6/7)
• Among the interest factors that can be mentioned, for example, are:
– compliance with legal (e.g. normative requirements such as the Sarbanes-Oxley Act), accounting (e.g. IAS) or holding requirements;
– the impact in competitive terms (image improvement, product innovativeness with respect to the market of reference, customer relationship, supply chain);
– improvement of management's decision making (reporting, business intelligence).
Qualitative factors: an integrated approach (7/7)
• Similar considerations must be made in relation to risk factors. For example:
– degree of technological innovation of the solution (the first-mover risk) and in relation to the skills the company can access (relative innovation rate);
– uncertainty of the requirements and of their priority (cross-process solution);
– level of dependence on other solutions already in the company, or still to be introduced (waterfall effect);
– organizational dimension of the implementation project and of the induced change (crawling change induced by the solution).
• The relationship between factors of interest and risk factors must be properly formalized and weighed and, where possible, reduced to quantifiable variables, with the goal of building a coherent and comprehensive investment evaluation model.
TOOLKITS
13/11/2012 168
SAM – Strategic Alignment Model: considers four different approaches to the mode of interaction and alignment between Business and IT components within the overall company framework.
BSC – Balanced Scorecard: integrates the economic-financial measures of past performance with measures of future performance drivers.
COBIT – Control Objectives for Information and Related Technology: a framework for ICT Governance that provides managers, auditors and users of IT systems with a structure of processes and a set of indicators, in order to assess whether effective management of the IT function is in place or to provide guidance for establishing it.
ROI – Return on Investment: the rate of return on investment calculates the rate of return that the investment is able to generate, weighting the annual cash flows in relation to depreciation. This index provides a relative indication of the accounting revenues that the project will be able to generate.
TCO – Total Cost of Ownership: analyzes real costs, including:
– initial cost of acquisition and implementation;
– upgrade costs;
– maintenance costs;
– technical support costs;
– training costs;
– logistics costs.
ROSI – Return on Security Investment.
NPV – Net Present Value: present value of the cash inflows and outflows generated by the project.
IRR – Internal Rate of Return: the rate that expresses the project's return with respect to the set of discounted cash inflows and outflows.
Payback Period: time needed for discounted cash inflows to cover discounted expenses.
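The toolkit entries above name the appraisal metrics but show no computation. The following Python script is an added example, not taken from the slides or from any of the cited frameworks; it implements NPV, IRR (by bisection), the discounted payback period, a summed TCO and a simple cost-based ROI on a constructed cash-flow series. For ROSI, which the slides only name, it uses the common annualized-loss-expectancy formulation, ROSI = (ALE × mitigation ratio − solution cost) / solution cost, which is an assumption here rather than a definition from the page; the simple ROI is likewise the plain (benefit − cost) / cost ratio, not the accounting rate of return described above. All figures are constructed sample values.

```python
"""Investment appraisal helpers for the toolkit metrics (added example).

All inputs below are constructed sample figures, not data from the slides.
"""
from __future__ import annotations

from typing import Dict, List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net Present Value: cash_flows[t] is the net flow at end of year t,
    with cash_flows[0] the (usually negative) initial investment."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Internal Rate of Return: the discount rate at which NPV is zero.

    Solved by bisection on [lo, hi]; returns None when NPV has the same
    sign at both ends (e.g. no investment outflow), so no rate exists there.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def discounted_payback(rate: float, cash_flows: List[float]) -> Optional[float]:
    """Years until cumulative discounted inflows cover the discounted outflows.

    Interpolates linearly inside the year in which the cumulative turns
    non-negative; returns None if the investment is never recovered.
    """
    cumulative = 0.0
    for t, cf in enumerate(cash_flows):
        previous = cumulative
        cumulative += cf / (1.0 + rate) ** t
        if t > 0 and previous < 0 <= cumulative:
            return (t - 1) + (-previous) / (cumulative - previous)
    return None


def tco(cost_items: Dict[str, float]) -> float:
    """Total Cost of Ownership: sum of the real cost items listed in the toolkit."""
    return sum(cost_items.values())


def simple_roi(total_benefit: float, total_cost: float) -> float:
    """Plain (benefit - cost) / cost ratio; a simplification, not the
    accounting rate of return described in the slides."""
    return (total_benefit - total_cost) / total_cost


def rosi(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """Return on Security Investment, ALE-based formulation (assumed here;
    the slides only name ROSI): (ALE * mitigation - cost) / cost."""
    return (ale * mitigation_ratio - solution_cost) / solution_cost


# Constructed sample project: 100 invested now, 60 net inflow in each of two years.
SAMPLE_FLOWS = [-100.0, 60.0, 60.0]
SAMPLE_RATE = 0.10

# Constructed TCO breakdown following the toolkit's cost categories.
SAMPLE_TCO = {
    "acquisition_and_implementation": 10_000.0,
    "upgrades": 2_000.0,
    "maintenance": 3_000.0,
    "technical_support": 1_500.0,
    "training": 1_000.0,
    "logistics": 500.0,
}


def appraise(rate: float = SAMPLE_RATE,
             flows: List[float] = SAMPLE_FLOWS) -> Dict[str, Optional[float]]:
    """Run every metric on one cash-flow series and return them together."""
    total_cost = tco(SAMPLE_TCO)
    return {
        "npv": npv(rate, flows),
        "irr": irr(flows),
        "discounted_payback_years": discounted_payback(rate, flows),
        "tco": total_cost,
        "simple_roi": simple_roi(25_000.0, total_cost),   # constructed benefit figure
        "rosi": rosi(ale=200_000.0, mitigation_ratio=0.75, solution_cost=50_000.0),
    }


if __name__ == "__main__":
    for name, value in appraise().items():
        print(f"{name:>25}: {'n/a' if value is None else f'{value:.4f}'}")
```

With the sample series the project returns a positive NPV at 10% and an IRR of about 13%, so it is recovered during the second year; a project whose inflows never offset the outflow yields no payback, and a series with no sign change yields no IRR, both reported as None rather than as a misleading number.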
Project Management
IT SERVICE MANAGEMENT, ORGANISATION AND PROCESSES
Agenda
• BPR
• ITIL
• CMMI
• SIX SIGMA
BUSINESS PROCESS REENGINEERING (BPR)
Process theory: Basic concepts (1/4)
• A business process is a correlated set of activities and decisions that takes in a certain number of inputs and produces an output with added value for the client, whether internal or external to the company.
• The advantages of adopting a process-based approach are:
– improved control over final products/services;
– a clear view of the activities to be carried out to transform inputs into outputs;
– better management of functional interrelations, by aligning individuals to the process objectives;
– the ability to identify errors and solutions in complex systems.
Process theory: Basic concepts (2/4)
• The following graph recalls the basic elements of a business process.
[Figure: Supplier → Input → Process → Output → Client]
Process theory: Basic concepts (3/4)
• The elements that characterize a process, which were shown in the previous graph, can be identified as follows:
– Suppliers: external parties or other business processes that provide the necessary inputs.
– Input: physical and informative factors incoming from the outside or from other business processes, which are necessary to start the process activities.
– Activity: set of actions that transform the input into output for internal or external clients.
– Client: user of the process output, who can be internal (a business unit of the same company that uses the provided output as input for its activities) or external (the actual customer that buys the product or service).
Process theory: Basic concepts (4/4)
– Output: physical or informative factor addressed to the client, whether internal or external. The identification of the output requires the definition of the performances associated with it, in terms of costs, qualitative characteristics and delivery or development timing.
– Added Value: additional characteristic with respect to the input (generated by a series of activities/processes and included in the output) that is perceived as an improvement by the client.
– Binding factors: events, procedures, rules, norms and guidelines that determine the efficacy and efficiency performance of an activity. If these conditions are not respected, the process output may not be delivered because of its poor quality.
• Process analysis is divided into 2 phases:
– Contextualization of all the regarded processes, by identifying the links between the different processes and external factors, other business processes and organizational structures. This information can be represented in a clear and structured manner by the Context Diagram.
– Decomposition of the regarded processes, through a progressively deeper understanding, level by level, down to the last level of decomposition, with a description of each activity.
Process theory: Process Analysis
[Figure: the two phases of process analysis: contextualization of all processes regarded by the analysis; decomposition of the regarded processes]
Process theory: Context Diagram
Context identification
• We define as external agent a process, organization, application or role external to the process under analysis, with which the latter must interact and exchange information or materials.
• The Context Diagram is a graphical representation of the process boundaries that shows all known and relevant external agents and the main data flows between the process under analysis and the external agents.
• The Context Diagram's goals are to:
– contextualize the scope of subsequent process decompositions;
– document the process by highlighting the external agents that interact with it;
– act as a communication tool.
[Figure: Context Diagram: the PROCESS at the centre, surrounded by EXTERNAL AGENTs, with input data flows and output data flows between them]
Process theory: Decomposition
• To achieve the desired level of detail, we operate through an iterative approach that decomposes the processes through subsequent refinements of greater detail.
– Mega process – Highest level for any process identified by the company (main processes through which a company pursues its mission).
– Major process – Represents the sub-division of the mega process.
– Sub process – Represents the sub-division of the major processes into another set of sub-processes. The number of sub-process levels is variable.
– Activity – Represents the last step in the process decomposition and consists of an elementary «portion» of work that transforms input into output (e.g. fill in the purchase request).
[Figure: Mega-Process → Major-Process → Sub-Process 1, Sub-Process 2 … Sub-Process n → Detailed activity]
Domain: Definition
By process domain we mean a context/dimension with respect to which the process is differentiated.
• Examples:
– product families;
– clients;
– markets;
– suppliers;
– geographical segments;
– distribution channels;
– etc.
Process Owner: Definition
By process owner we mean the person responsible for the process, who is in charge of ensuring its overall efficacy and efficiency. The process owner:
• oversees the project's overall objectives and the operational continuity;
• is responsible to the customer;
• promotes continuous improvement;
• is usually chosen in related functions;
• may differ from the boss;
• can cover a wider range of responsibilities than those of a single function.
Process Owner: examples
PROCESS
• Development of new products and services
• Go-to-market and commercialization planning
• Sales monitoring
• Management of delivery to client
• Production and assembly
PROCESS OWNER
• Product manager
• Contract manager (product/service supplier)
Activity Definition
• The main methods of activity definition are:
– top-down (decomposition of sub-processes into single activities);
– bottom-up (identification of all activities and clustering based on the sub-process they belong to);
– hybrid or mixed.
Activity
• set of actions that transform an input into output, adding value for the recipient;
• performed in a defined period of time;
• executed within a single organizational unit.
Decomposition of Sub-processes into activities
[Figure: Level 1 Sub-process → Level 2 Sub-process → Activity]
Flow Diagram: Symbols
[Figure: symbol legend]
• Governance process
• Core process
• Support process
• Organizational unit
• Process input / Process output
• Manual activity
• Activity supported by a system
• System activity
System activities, or activities supported by a system, require the specification of the system in use.
Flow Diagram: Conventions (1/2)
• The source of the input must always be indicated, whether the input comes from a process internal or external to the process in question, and whether it comes from an organizational unit or from an external party (Supplier).
• The input can enter either at the beginning of the process or subsequently, when the related activity is about to be carried out.
• The destination of the output must always be indicated, whether the output is addressed to a process internal or external to the process in question, and whether it is addressed to an organizational unit or to an external party (Customer).
• The output may be delivered either at the end of the process or before, the moment it is ready.
[Figure: activity flow example (original in Italian), with columns Supplier, Input, activities, Output, Recipient. Swim lanes: SPAI; SOM/T-Systems/Logical Entities Configuration; Outsourcer pre-configuration and logistics; PROCURE/Manage Requests; PROCURE/Manage Purchases. Activities: START → Detect priority → Check product type → Ordinary? (yes/no) → Report product commitment / Report product to procure → Acquire requests → Check whether a pre-configuration kit or logical-entity parameters are needed → Needed? (yes/no) → Request kit and configuration parameters → Attach kit and configuration parameters to the preparation order → Issue material preparation order → Monitor completion of intervention → Complete? (yes/no) → Send reminder → Report closure of intervention → END. Inputs and outputs: material-to-procure notice, material-to-commit notice, kit request, logical-entity parameter request, material preparation order, material-ready-for-shipment notice, reminder, activity closure notice, material preparation request.]
Flow Diagram: Conventions (2/2)
• The activities should be described as concisely as possible.
• It is important to highlight the activities of the system, or those carried out with the support of a system. These activities are fundamental to the definition of user requirements in the case of implementation of an application to support the process in question.
• The decisional moment is always preceded by a verification activity.
• The decisional moment only has a double exit: yes / no.
• The decisional moment cannot be followed by another one. Otherwise, the two decision points must be separated by a verification activity.
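The two convention slides read as a checklist that an analyst applies by eye. The following Python module is an added example, not from the slides, that encodes those conventions as automated checks over a small flow-diagram model: inputs carry a declared source and outputs a declared destination (conventions 1/2), system activities name the system in use (symbols legend), and every decision is preceded by a verification activity, has exactly a yes/no pair of exits and never directly follows another decision (conventions 2/2). The node kinds, the `Flow` model and the two sample flows (one violating the rules, one compliant, with labels loosely modelled on the procurement flow in the figure) are constructed for the example.

```python
"""Checks for the flow-diagram conventions (added example, not from the slides)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    # kind: start | end | manual | system_supported | system | verification | decision | input | output
    kind: str
    label: str
    party: Optional[str] = None   # declared source (input) or destination (output)
    system: Optional[str] = None  # system in use; required for system / system_supported


@dataclass
class Edge:
    src: str
    dst: str
    label: Optional[str] = None   # "yes" / "no" on decision exits


@dataclass
class Flow:
    nodes: Dict[str, Node] = field(default_factory=dict)
    edges: List[Edge] = field(default_factory=list)

    def successors(self, nid: str) -> List[Edge]:
        return [e for e in self.edges if e.src == nid]

    def predecessors(self, nid: str) -> List[str]:
        return [e.src for e in self.edges if e.dst == nid]


def check_conventions(flow: Flow) -> List[str]:
    """Return one message per convention violation; an empty list means compliant."""
    issues: List[str] = []
    for nid, node in flow.nodes.items():
        if node.kind == "input" and not node.party:
            issues.append(f"{nid}: input '{node.label}' has no declared source (supplier, process or org unit)")
        if node.kind == "output" and not node.party:
            issues.append(f"{nid}: output '{node.label}' has no declared destination (customer, process or org unit)")
        if node.kind in ("system", "system_supported") and not node.system:
            issues.append(f"{nid}: activity '{node.label}' must specify the system in use")
        if node.kind == "decision":
            exits = sorted((e.label or "").lower() for e in flow.successors(nid))
            if exits != ["no", "yes"]:
                issues.append(f"{nid}: decision '{node.label}' needs exactly two exits labelled yes/no, found {exits}")
            for pred in flow.predecessors(nid):
                pkind = flow.nodes[pred].kind
                if pkind == "decision":
                    issues.append(f"{nid}: decision directly follows decision {pred}; separate them with a verification activity")
                elif pkind != "verification":
                    issues.append(f"{nid}: decision must be preceded by a verification activity, found {pkind} {pred}")
    return issues


def non_compliant_flow() -> Flow:
    """Constructed sample that breaks five conventions (see inline comments)."""
    f = Flow()
    f.nodes = {
        "start": Node("start", "START"),
        "in1": Node("input", "Material-to-procure notice"),             # no source declared
        "a1": Node("manual", "Detect priority"),
        "d1": Node("decision", "Ordinary?"),                             # preceded by a manual activity
        "d2": Node("decision", "Complete?"),                             # follows a decision; one exit only
        "a2": Node("system", "Issue material preparation order"),       # system not named
        "out1": Node("output", "Material preparation order", party="Outsourcer pre-configuration and logistics"),
        "end": Node("end", "END"),
    }
    f.edges = [
        Edge("start", "a1"), Edge("in1", "a1"), Edge("a1", "d1"),
        Edge("d1", "a2", "yes"), Edge("d1", "d2", "no"), Edge("d2", "end", "yes"),
        Edge("a2", "out1"), Edge("out1", "end"),
    ]
    return f


def compliant_flow() -> Flow:
    """The same fragment with the conventions respected."""
    f = Flow()
    f.nodes = {
        "start": Node("start", "START"),
        "in1": Node("input", "Material-to-procure notice", party="SPAI"),
        "a1": Node("manual", "Detect priority"),
        "v1": Node("verification", "Check product type"),
        "d1": Node("decision", "Ordinary?"),
        "a2": Node("system", "Issue material preparation order", system="SOM"),
        "a3": Node("manual", "Request kit and configuration parameters"),
        "out1": Node("output", "Material preparation order", party="Outsourcer pre-configuration and logistics"),
        "end": Node("end", "END"),
    }
    f.edges = [
        Edge("start", "a1"), Edge("in1", "a1"), Edge("a1", "v1"), Edge("v1", "d1"),
        Edge("d1", "a2", "yes"), Edge("d1", "a3", "no"), Edge("a3", "a2"),
        Edge("a2", "out1"), Edge("out1", "end"),
    ]
    return f


if __name__ == "__main__":
    for name, flow in (("non-compliant", non_compliant_flow()), ("compliant", compliant_flow())):
        print(name, check_conventions(flow) or "OK")
```

The checks are deliberately local (one node and its immediate neighbours), which is what the conventions demand; a check that a verification activity sits between two decisions is exactly the "no decision follows a decision" rule, so a graph walk is not needed.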
The process based approach
• Taking a process approach means adopting the point of view of the process "customer". A measure of process evaluation is, therefore, the latter's satisfaction with the output of the process itself.
• The advantages of a process-based approach are:
– increased value for the end customer;
– encouragement of process customer orientation;
– improved control over final products or services;
– better management of functional interrelationships, by aligning people to the process objectives;
– detection of errors and solutions in complex systems;
– a clear overview of the activities to be carried out to transform input into output.
• The classical business organization by functions doesn't welcome changes in terms of added value for clients and usually generates:
– managerial overlapping;
– lack of clear responsibility for cross-functional areas.
Organization by Processes
[Figure: the ORGANIZATION, made of Functions A to E, with SUPPLIERS on one side and CLIENTS on the other; PROCESSES cut across the functions from suppliers to clients, and PROCESSES = VALUE CREATION]
Processes are, by definition, oriented to value creation.
• The definition of a process-oriented organizational model requires:
– the definition of a reference framework, intended as a logical structure for classifying and organizing complex models of business processes;
– the identification and positioning within the framework of the mega processes, intended, within the hierarchy of the decomposition processes, as the highest level of corporate ICT processes;
– the breakdown of each of the mega processes identified into its constituent major processes, intended as a sub-set of processes that enable the achievement of the specific objectives of the mega processes.
Methodological process based approach
[Figure: FRAMEWORK definition → MEGA PROCESS identification → MAJOR PROCESS definition, steered by guidelines]
Framework of reference (1/4)
The term "reference framework" means a logical structure for classifying and organizing complex models of business processes. The reference framework chosen as the starting point for the definition of the ICT operating model is shown in the diagram below; it requires the segmentation of ICT-related processes into three distinct types of area, within which processes of a similar nature lie.
[Figure: framework areas: GOVERNANCE; CORE; SUPPORT]
Framework of reference (2/4)
The choice of this framework is justified by the opportunity to identify and justify, already at the macroscopic level, the correct positioning and the correct significance of the model's main processes in the overall context of the business environment.
• The area called Governance includes the processes of strategic and managerial imprint, which direct, supervise and control the remaining processes in the ICT context and which interface with business processes outside the ICT context. Examples of subjects that characterize the area are:
– the definition of the ICT strategy;
– ICT demand management;
– management of ICT investments.
Framework of reference (3/4)
• The area called Core consists of the processes aimed at the production, management and technological delivery of IT services. Examples of subjects that characterize the area are:
– ICT products and services life cycle management;
– operations management;
– anomaly management;
– service levels management;
– security management.
Framework of reference (4/4)
• The area called Support includes those processes that do not add value directly perceivable by the user of the output of Core processes. Examples of subjects that characterize the area are:
– purchase management;
– human resources management;
– standards and quality management.
INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)
THE ITIL SERVICE TEAM
WHY ITIL
The Purpose of V3
• Meet the needs of today and tomorrow
• Evolve SM practices to the next level of maturity
• Address current practice gaps
• Embed solid processes into a service lifecycle
• Stronger connection to converging frameworks
– Governance
– Standards
– Management
The need for change
• More practical ‘how to’ guidance
• Improved consistency and comprehensiveness
• Extend the focus to measurable business value
• Visible links to other industry practices
• Guidance in context to current needs
THE ITIL SERVICE MANAGEMENT PRACTICES
ITIL – At your Service
Core Structure
ISO 20000
CMMI
eSCM
ISO 27001
COBIT
Six Sigma
Why a Lifecycle?
• Building on a great practice base
• Enabling integration with business process
• Managing services from cradle to grave
• Removing process silos
• Reflecting the public feedback for holistic lifecycle focus
A lifecycle stage at work
Non linear process
ITIL Service Strategy
NEW CONCEPTS FOR TODAY AND TOMORROW
Value for Services
The Service Portfolio
Five Aspects of Service Design
1. Requirements, Resources, Capabilities
2. Management Systems, Tools
3. Technology and Management architectures
4. Processes
5. Measurement systems
Service Knowledge and Stability
[Figure: DIKW hierarchy: Data → Information → Knowledge → Wisdom]
Continual Improvement
7 Steps to Service Improvement
THE LIVING LIBRARY
ITIL Complementary Portfolio
• Supports the ITIL Core
• Topic Specific
• Enhanced Guidance
• Industry Developed
• Research Supported
• Living Library
• Industry owned
• ITIL Branded
NEW
• Official Study Aids
• Outsourcing Expertise
• Scalable Adaptation
• Public Sector
• Knowledge System
• Measurement
• ITIL for Executives
• ITIL in various sectors
• ITIL in various platforms
Business Benefits of V3
• Improved use of IT investments
• Integration of business and IT value
• Portfolio driven service assets
• Clear demonstration of ROI and ROV
• Agile adaptation and flexible service models
• Performance and measures that are business value based
• IT Service Assets linked to business services
BE A PART OF THE FUTURE TODAY!
Service Strategy
From ITILv2 to ITILv3
What do you see?
There are no triangles
• We provide the edges as we provide our views of the world.
• The “edge” of IT was once to be found solely in technology.
• ITIL rearranged the “edge” to include people and process.
• ITILv3 once again rearranges the “edge.” This time with a focus on services.
The future: A global service economy
“Steps towards a Science of Service Systems”, Jim Spohrer et al., IBM
The past: “Whatever happened to other process frameworks such as TQM, BPR, QC, et al.?”
What is the service strategy of ITILv2?
• A model whereby the strategy is the optimization of work tasks.
• The parameters of value are contained within the walls of IT
• Value means making whatever you want more efficiently.
• Not wrong, but are you making the right things to begin with, or can you create more value by undertaking broader or narrower missions?
ITIL Service Strategy
• It is a model whereby the strategy begins with the customer’s desired outcomes.
• “Customers don’t buy products, they buy the satisfaction of particular needs.”
• This means that what the customer values is often different from what the service provider thinks he or she provides.
• Acknowledges that every service provider is subject to competitive forces.
What is a Service?
Services are a ‘means of delivering value to customers by facilitating outcomes customers want to achieve, without the ownership of specific costs and risks’.
What is a Service Strategy? A means to become not optional.
• The lifecycle begins with Service Strategy, the discernment of an IT organization’s strategic purpose; a topic that often gets short shrift in the pursuit of day-to-day practicalities.
• IT service strategy helps senior managers understand how their organization will differ from competing alternatives and thereby satisfy both customers and stakeholders.
• Properly done, these core strategic concepts can and should lead to powerful and practical insights – where is the organization headed and what does it need to do to get there?
Operational efficiency is necessary but not sufficient.
• IT services are now part of the fabric of the business and customers expect guaranteed levels of service:
A few years ago, customers could only use ATMs to withdraw cash.
Today, the entire customer experience may take place through ATMs:
• withdraw cash;
• pay in cheques and cash;
• manage their accounts;
• transfer money;
• obtain quotes for loans;
• top-up their mobile phones.
Service strategies will shape the ATMs of tomorrow.
Service strategies are required to create long-term value for Customers and Stakeholders.
Why should CIOs care about ITILv3?
…they will also need to understand how to shape service strategies that create value for the Business and its Customers. The new Service Strategy volume deals with these ‘C-Level’ Business concepts. For example:
• Defining Services;
• Defining Strategy;
• Value Networks, Value Creation and Value Capture;
• Market Spaces and Solution Spaces;
• Business and IT Service Management;
• Service Portfolios;
• Enterprise Architecture and Service Oriented Architecture;
• Types of Service Providers;
• The Business Case for building Service Assets and Service Management Capabilities;
• Measuring Service Performance.
Business outcomes and performance of customer assets are the basis for valuing services and service management.
Service management synchronizes the productive capacity of service assets with the business activity of customer assets.
Services and service level packages are tagged with the outcomes for which they have service potential.
On behalf of customers, Relationship Managers negotiate productive capacity in the form of suitable services.
The Service Portfolio represents the investments across the Service Lifecycle necessary to implement strategy.
So, Service Strategy is not the exclusive concern of “strategists” who come to work in specially marked cars!!
SERVICE DESIGN
A few citations
IT Service Lifecycle
Service Definition
'The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements'
The five aspects of Service Design
• Design of the service solutions
• Design of the Service Management Tools (and other supporting systems)
• Design of the technology architectures and management systems
• Design of the processes
• Design of the measurement systems, methods and metrics
Service Design
• There is a requirement to design all processes
• Processes covered in detail:
– Service Level Management
– Availability Management
– IT Service Continuity Management
– Supplier Management
– Information Security Management
– Capacity Management
– Service Catalogue Management
– ……….
Summary
• “Design is so critical it should be on the agenda of every meeting in every single department.” Tom Peters
• “Design is not just what it looks like and feels like. Design is how it works.” Steve Jobs
• “Good design is the most important way to differentiate ourselves from our competitors.” Samsung CEO Yun Jong Yong
• “Your products run for election every day and good design is critical to winning the campaign.” Procter & Gamble CEO A.G. Lafley
• “Design's fundamental role is problem solver” Fast Company
SERVICE TRANSITION
Service Transition Taking ITIL forward
Value to the business
• Integrate/align new or changed services with the customer’s business
• Ensure that the changed service can be used in a way that maximizes value to the business operations
• Deliver more change successfully
– Across the customer base
– Reduce unpredicted impact and risks
– Reduce variation: ‘estimated’ v. ‘actuals’
– Services fit for purpose, fit for use
What is Service Transition?
• Taking the design and transitioning the Service into operations, focused on the Service
• Delivering in the actual circumstances
• Practices to:
– Make it easier to adopt and manage change
– Standardize transition activities
– Maintain the integrity of configurations as they evolve
– Expedite effective decisions
– Ensure new / changed services will be deployable, manageable, maintainable, cost-effective
Key Processes
• Lots that isn’t new, but improved
– Change management
– Configuration management
– Release and Deployment
• Nothing much there to upset your
– Tools
– Training
– Practitioners
Change Management Scope
What’s improved: Change & Configuration Management
• Change
– Normal, standard, emergency change models
– Change evaluation
– More granular change authorization
• Design
– Configuration structures, models, levels
– Processes, procedures, workflows
– Configuration management system
• Managing change to service assets and configurations
– Optimisation and lifecycle management of service assets
– Capturing baselines and releases
– Minimizing issues due to improper configurations
Configuration Management System - CMS
What’s improved Release and Deployment
What’s new Transition planning and support
• Integrated planning
– Transition capacity and resources
– Across all service transition
– With service operations and CSI
– With the business, customer and users
• Proactive support
– Maintain/re-use transition models
– Progress tracking & management
– Course corrections
– Transition closure
What Else is New
What’s new – Service V model
What’s new – SKMS
What’s new – Managing organizational change
• Strategies to manage organization, stakeholder and people change
• People’s commitment, roles and emotions
Service Transition –Moving ITIL forward
• Delivering what the business needs
• Services fit for purpose, fit for use
• Integrated, holistic, standard approach
• Reduce variation, predicted vs actual
– Quality, Cost, Time
– Capabilities, Resources, Capacity
– Risks, Errors and incidents
• More IT enabled change that adds value to the customer’s business
SERVICE OPERATION: Business as usual
Why Service Operation?
• Stability but not stagnation
• Realizing value
• Responding to operational needs in Business and Technology
• Great design is worth little if it cannot be delivered
• Achieving balance
What Were we Thinking?
• Service and Infrastructure are not different worlds
• Different service models will be operated differently – we limited ourselves to IT
• The “what” and the “who” are equally important
• The world of Operation does not stand alone
MONITORING AND CONTROL: Context
Context - Monitor Control Loop
Complex Monitor Control Loops
Context - The ITSM Lifecycle
PROCESSES
Service Operation Processes
Self Help
• Significant potential for:
– Improved responsiveness
– Reduced demands on IT staff
– Reduced costs
– Improved standardization
– Improved quality
Self Help
Event Management Logging and Filtering
Event Management Managing Exceptions
Event Management Information & Warnings
Service Operation Reactive Processes
FUNCTIONS
Service Operation Functions
Common SO Activities
• Mainframe Management
• Server Management
• Network Management
• Storage and Archive
• Database Administration
• Directory Services Management
• Desktop Management
• Internet / Web Management
• Etc.
The Application Management Lifecycle
Questions?
ITIL V3 CONTINUAL SERVICE IMPROVEMENT
Organizations Have Always Talked About It
• CSI is not a new concept. Organizations have talked about it for many years; but, for most, the concept has not moved beyond the discussion stage.
• For many organizations, CSI becomes a project when something has failed and severely impacted the business.
• When the issue is resolved, the concept is promptly forgotten until the next major failure occurs.
What’s Different in v3
• Most everything
• CSI was only addressed as part of Service Level Management in v2
• Addressed as part of the overall Service Lifecycle
• Improvement Model in v3
• Continual Improvement Process in v3
CSI Goals, Scope & Key Processes
• Goals
– To identify and implement improvement activities on IT Services that support the business processes, as well as identify and implement improvements to IT Service Management processes. The improvement activities will support the Lifecycle approach through Service Strategies, Service Design, Service Transition and Service Operations, and should always be looking for ways to improve process effectiveness and efficiency as well as cost effectiveness.
• Scope
– Service and Service Management improvement
– All of IT
• Key Processes
– Service Level Management (monitor, report, review)
– Problem Management (proactive / trending / analysis)
– Knowledge Management (DIKW)
CSI Objectives
• Review, analyze and make recommendations on improvement opportunities in each lifecycle phase: Service Strategies, Service Design, Service Transition and Service Operations
• Review and analyze Service Level Achievement results
• Identify and implement improvement activities to improve IT Service quality and improve the efficiency and effectiveness of ITSM processes
• Improve cost effectiveness of delivering IT Services
• Identify and implement improvement activities of the ITSM processes and supporting tools
• Ensure applicable quality management methods are used to support continual improvement activities
Continual Service Improvement Model
The Continual Improvement Process
Service Lifecycle Improvement
CSI Review
• Key Messages
– Everyone has responsibility for continual improvement
– Each handoff can provide an opportunity for improvement
– Relies on other service management processes
• Needs to be treated just like any other process
– Policies
– Roles and responsibilities (different for program, project and production)
– Procedures
– Management information and reporting
ITIL V3 QUALIFICATION SCHEME
The Management Structure
The Qualification Board
The Global Senior Examiner Panel
V3 Examiner Panel - Scope
• Development of the qualification structure for ITIL v3
• Design the certification elements required of the scheme
• Produce the requirements for learning objectives and knowledge competency
• Produce the supporting accredited formal syllabi
• Produce the requirements for the delivery mechanism
• Produce sample examinations in support of the syllabi
• Provide recommendations on the required trainer and course provider competency to deliver against the scheme
• Manage the exam bank
Guiding Principles
• Must offer value to the career objectives of the student
• Allow innovation, flexibility and value for course providers
• Meets learning objectives and competency outcomes
• Bloom's taxonomy for setting exams
• Contribute to the maturity of ITSM professionalism
• Responsive to evolving market demand
• Transitional V2 – V3 bridging
Basic Features
• Modular design
• Official study aids
• Flexible choice
• Career path oriented
• V2 to V3 bridging
• Service Lifecycle
• Service Capability
• Classroom
• E-learning
• On-demand examination
• Live exam bank
The Structure
Syllabus Features
V3 - A means to an end?
• Service Management is the means but not an end
– A route guide and trip planner
• V3 Core practices are the seeds of future vision
• A community garden tended by fellow travelers
Eating our own cooking
• Applied the service lifecycle to V3
– Strategy
• Defined our market
• Created the portfolio scope
• Built the organizational structure
– Design
• Gathered requirements
• Designed the infrastructure
• Delivered a SDP to the author team
– Transition
• Built the practice
• Tested and validated with QA
• Established the SAC
• Deployed the service
– Operation
• Now in Early Life Support
• Begin monitoring and control
Sites
• www.itil.co.uk
• www.best-management-practice.com
CAPABILITY MATURITY MODEL INTEGRATION (CMMI)
Measurement of Services 309
PROCESS IMPROVEMENT CONCEPTS AND CMMI
General Definitions of Process
• Process – a sequence of steps performed for a given purpose (IEEE)
• Process – the logical organization of people, materials, energy, equipment, and procedures into work activities designed to produce a specified end result (From Pall, Gabriel A. Quality Process Management. Englewood Cliffs, N.J.: Prentice Hall, 1987.)
• Process – activities that can be recognized as implementations of practices in a model (CMMI glossary)
The Process Management Premise
The quality of a system is highly influenced by the quality of the process used to acquire, develop, and maintain it. This premise implies a focus on processes as well as on products:
• This is a long-established premise in manufacturing.
• Belief in this premise is visible worldwide in quality movements in manufacturing and service industries (e.g., ISO standards).
• This premise is also applicable to development.
Quality Leverage Points
While process is often described as a node of the process-people-technology triad, it can also be considered the “glue” that ties the triad together.
Everyone realizes the importance of having a motivated, quality work force, but even our finest people cannot perform at their best when the process is not understood or operating at its best.
Process, people, and technology are the major determinants of product cost, schedule, and quality.
Ad Hoc Processes
Processes are ad hoc and improvised by practitioners and their management.
Process descriptions are not rigorously followed or enforced.
Performance is highly dependent on current practitioners.
Understanding of the current status of a project is limited.
Immature processes result in fighting fires:
• There is no time to improve; instead, practitioners are constantly reacting.
• Firefighters get burned.
• Embers might rekindle later.
Improved Processes
• Process descriptions are consistent with the way work actually is done.
• They are defined, documented, and continuously improved.
• Processes are supported visibly by management and others.
• They are well controlled: process fidelity is evaluated and enforced.
• There is constructive use of product and process measurement.
• Technology is introduced in a disciplined manner.
Institutionalized Processes
• “That’s the way we do things around here.”
• The organization builds an infrastructure that contains effective, usable, and consistently applied processes.
• The organizational culture conveys the process.
• Management nurtures the culture.
• Culture is conveyed through role models and recognition.
• Institutionalized processes endure after the people who originally defined them have gone.
Benefits of Improving Processes
• Processes enable you to understand what is going on.
• People develop their potential more fully and are more effective within the organization.
• By defining, measuring, and controlling the process, improvements are more successful and sustained.
• The likelihood that appropriate technology, techniques, and tools are introduced successfully increases.
Benefits in Terms of Predictability
Early Process Improvement
• The theories of process management are a synthesis of the concepts of Deming, Crosby, Juran, and others.
• Over the past decades, these theories have been used to address problems common to many organizations.
• Solutions to some problems have been developed.
• Many of these solutions have been used to build process improvement models.
What Is a Process Model?
• A process model is a structured collection of practices that describes the characteristics of effective processes.
• Practices included are those proven by experience to be effective.
How Is a Process Model Used?
A process model is used
• to help set process improvement objectives and priorities
• to help ensure stable, capable, and mature processes
• as a guide for improving project and organizational processes
• with an appraisal method to diagnose the state of an organization’s current practices
Why Is a Process Model Important?
A process model provides
• a place to start improving
• the benefit of a community’s prior experiences
• a common language and a shared vision
• a framework for prioritizing actions
• a way to define what improvement means for an organization
CMMI for Process Improvement
Use CMMI in process improvement activities as a
• collection of best practices
• framework for organizing and prioritizing activities
• support for the coordination of multi-disciplined activities that might be required to successfully build a product
• means to emphasize the alignment of the process improvement objectives with organizational business objectives
CMMI incorporates lessons learned from use of the SW-CMM®, EIA-731, and other standards and models.
THE CMMI PRODUCT SUITE
The CMMI Framework
• The CMMI Framework is the structure that organizes the components used in generating models, training materials, and appraisal methods.
• The CMMI Product Suite is the full collection of models, training materials, and appraisal methods generated from the CMMI Framework.
• A constellation is the subset of the CMMI Product Suite relevant to improvement in a particular area of interest. Currently, there are three constellations:
– Development
– Acquisition
– Services
Development Constellation Models
CMMI Model Representations
• There are two representations in CMMI models:
– staged
– continuous
• The two representations will be presented in a later module.
Note
• A CMMI model is not a process.
• A CMMI model describes the characteristics of effective processes.
“All models are wrong, but some are useful.” George Box (Quality and Statistics Engineer)
The Appraisal Method
Appraisal Method Classes
The SEI Training for CMMI
BUSINESS BENEFITS OF CMMI
Benefits Information
Information about CMMI benefits is available in the August 2006 SEI technical report, Performance Results of CMMI-Based Process Improvement (CMU/SEI-2006-TR-004).
• This report is based on public reports, interviews, supplementary materials, and a comprehensive literature review.
• It is available on the SEI Web site at http://www.sei.cmu.edu/publications/documents/06.reports/06tr004.html.
• The following seven slides are adapted from this technical report.
• For more information, see the CMMI Performance Results Web site at http://www.sei.cmu.edu/cmmi/results.html.
Impacts: Costs and Benefits of CMMI
Costs May Vary
The cost of CMMI adoption is highly variable depending on many factors, including organizational
• goals
• size
• culture
• structure
• processes
Regardless of the investment, organizations generally experience a respectable return on their investment.
Performance Measures - CMMI
• The performance results in the following table are from 30 different organizations that achieved percentage change in one or more of the six categories of performance measures below.
Example Benefit - 1
• The organization 3H Technology, with a little over 2 years of CMMI-based process improvement, showed significant improvement in the average number of defects found.
Example Benefit - 2
• Motorola Global Software Group Russia, a maturity level 5 organization, improved the cost of quality while holding the cost of poor quality steady.
Example Benefit - 3
• The Software Maintenance Group at Warner Robins Air Logistics Center, a maturity level 5 organization, significantly reduced schedule variance.
CMMI Can Benefit You
CMMI provides
• guidance for efficient, effective improvement across multiple process disciplines in an organization
• improvements to best practices incorporated from the earlier models
• a common, integrated vision of improvement for all elements of an organization
The Bottom Line - 1
• Process improvement should be done to help the business, not for its own sake.
“In God we trust, all others bring data.” W. Edwards Deming
The Bottom Line - 2
Improvement means different things to different organizations:
• What are your business goals?
• How do you measure progress?
Improvement is a long-term, strategic effort:
• What is the expected impact on the bottom line?
• How will impact be measured?
OVERVIEW OF CMMI MODEL COMPONENTS
CMMI for Development Model Document Contents
Process Areas (PAs) - 1
The 22 process areas (in alphabetical order by acronym) are
• Causal Analysis and Resolution (CAR)
• Configuration Management (CM)
• Decision Analysis and Resolution (DAR)
• Integrated Project Management +IPPD (IPM+IPPD)
• Measurement and Analysis (MA)
• Organizational Innovation and Deployment (OID)
• Organizational Process Definition +IPPD (OPD+IPPD)
• Organizational Process Focus (OPF)
• Organizational Process Performance (OPP)
• Organizational Training (OT)
Process Areas (PAs) - 2
• Product Integration (PI)
• Project Monitoring and Control (PMC)
• Project Planning (PP)
• Process and Product Quality Assurance (PPQA)
• Quantitative Project Management (QPM)
• Requirements Development (RD)
• Requirements Management (REQM)
• Risk Management (RSKM)
• Supplier Agreement Management (SAM)
• Technical Solution (TS)
• Validation (VAL)
• Verification (VER)
Continuous Representation: PAs by Category
Staged Representation: PAs by Maturity Level
PROCESS AREA COMPONENTS
Process Area Components We Will Be Discussing
Process and Process Area
Process – a sequence of steps performed for a given purpose (IEEE)
• It is how you perform your work.
CMMI definition of a process – activities that can be recognized as implementations of practices in a CMMI model. These activities can be mapped to one or more practices in CMMI process areas to allow a model to be useful for process improvement and process appraisal. (Glossary)
Process Area
Cluster of related practices in an area that, when implemented collectively, satisfy a set of goals considered important for making improvement in that area.
All CMMI process areas are common to both continuous and staged representations. They are organized by
• maturity level in the staged representation
• process area category (i.e., Process Management, Project Management, Support, and Engineering) in the continuous representation.
There are 22 process areas.
Process Area Contents
All process areas contain the following:
• Purpose
• Introductory Notes
• Related Process Areas
• Specific Goal and Practice Summary
• Specific Practices by Goal
– Specific Goals and Specific Practices
• Generic Practices by Goal
– Generic Goals and Generic Practices
Process Area Components - 1
Purpose
Describes the purpose of the process area.
Project Planning example
Purpose
The purpose of Project Planning (PP) is to establish and maintain plans that define project activities.
Introductory Notes
This section describes the major concepts covered in the process area.
Project Planning example
Planning begins with requirements that define the product and project.
Related Process Areas
This section lists references to related process areas and reflects the high-level relationships among the process areas.
Project Planning example
Refer to the Risk Management process area for more information about identifying and managing risks.
Specific Goal and Practice Summary
The titles of the specific goals and specific practices for that process area are summarized at the beginning of each process area.
Project Planning example
SG 1 Establish Estimates
SP 1.1 Estimate the Scope of the Project
SP 1.2 Establish Estimates of Work Product and Task Attributes
SP 1.3 Define Project Lifecycle
SP 1.4 Determine Estimates of Effort and Cost
Process Area Components - 2
Specific Goals (SGs)
A specific goal applies to a process area and describes some of the unique characteristics that must be present to satisfy the process area.
Project Planning example
SG 1: Estimates of project planning parameters are established and maintained.
Specific goals are numbered starting with the prefix SG (e.g., SG 1). The number is only there to uniquely identify the goal.
Specific Practices (SPs)
Specific practices describe the activities expected to result in achievement of the specific goals of a process area.
Project Planning example
SP 1.4: Estimate the project effort and cost for the work products and tasks based on estimation rationale.
Specific practices are of the form SP x.y, where x is the same number as the goal to which the specific practice maps and y is the sequence number of the specific practice under the specific goal.
Typical Work Products
This section lists sample output from a specific practice. Typical work products are samples of specific practices’ outputs and are not a complete list.
For example, project cost estimates might be a typical work product for the Project Planning specific practice SP 1.4, “Estimate the project effort and cost for the work products and tasks based on estimation rationale.”
Subpractices
Subpractices are detailed descriptions that provide guidance for interpreting and implementing a specific or generic practice.
The following is an example of a subpractice from the “Identify and analyze project risks” specific practice (SP 2.2) in the Project Planning process area:
3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of the documented risks.
Process Area Components - 3
Generic Goals (GGs) - 1
Generic goals describe the characteristics that must be present to institutionalize the processes that implement a process area.
Achievement of a generic goal in a process area signifies improved control in planning and implementing the processes associated with that process area.
Generic goals are called generic because the same goal statement appears in multiple process areas.
Project Planning example
The process is institutionalized as a defined process.
Generic Goals (GGs) - 2
Generic goals are numbered starting with the prefix GG (e.g., GG 2). The number corresponds to the capability level of the GG.
Note: We will talk more about generic goals in Module 4.
Generic Practices (GPs)
Generic practices are activities that ensure that the processes associated with the process area will be effective, repeatable, and lasting.
Generic practices are called generic because the same practice appears in multiple process areas.
Project Planning example
GP 2.5: Train the people performing or supporting the project planning process as needed.
Generic practices are of the form GP x.y, where x corresponds to the number of the generic goal and y corresponds to the sequence number of the generic practice.
Generic Practice Elaborations
Generic practice elaborations appear after the generic practice to provide guidance on how the generic practice may be applied in the context of a process area.
Project Planning process area example
GP 2.9: Objectively Evaluate Adherence
Examples of activities reviewed include the following:
• Establishing estimates
• Developing a project plan
• Obtaining commitment to the project plan
SUPPORTING INFORMATIVE COMPONENTS
Supporting Informative Components
There are many places in CMMI models where further information is provided. This further information is provided in the form of the following components:
• Examples
• Amplifications
• References
• Notes
Examples
An example is a component comprising text and often a list of items, usually in a box, that can accompany any other component and provides one or more examples to clarify a concept or described activity.
Project Planning SP 1.2 example
Examples of size measures include the following:
• Number of functions
• Function points
• Source lines of code
• Number of pages
Amplifications - 1
Amplifications are informative material relevant to a particular discipline.
Certain disciplines found in some organizations are explicitly identified in the models. Those disciplines are
• Systems Engineering (SE)
• Software Engineering (SW)
• Hardware Engineering (HW)
Amplifications - 2
The amplification example for Project Planning SP 2.7
For Hardware Engineering
For hardware, the planning document is often referred to as a hardware development plan. Development activities in preparation for production may be included in the hardware development plan or defined in a separate production plan.
References
References are pointers to additional or more detailed information in related process areas and can accompany nearly any other model component.
Project Planning SP 2.2 example
Refer to the Risk Management process area for more information about risk management activities.
Notes
A note is text that can accompany nearly any other model component. It may provide detail, background, or rationale. A note is an informative model component.
The example below shows a note that accompanies specific practice 1.3 in the Project Planning process area.
Project Planning SP 1.3 example
The determination of a project’s lifecycle phases provides for planned periods of evaluation and decision making. . . .
REQUIRED, EXPECTED, AND INFORMATIVE MODEL COMPONENTS
Required, Expected, and Informative Model Components
Process area components are grouped into three categories:
• required
• expected
• informative
These categories reflect how to interpret the process area components.
Required Components
Required components describe what an organization must achieve to satisfy a process area. This achievement must be visibly implemented in an organization’s processes.
Goal satisfaction is used in appraisals as the basis for deciding whether a process area has been achieved and satisfied.
• Specific goals and generic goals are the required components in CMMI models.
Expected Components
Expected components describe what an organization will typically implement to achieve a required component.
Expected components guide
• those who implement improvements
• those who perform appraisals
Specific practices and generic practices are the expected components in CMMI models.
Before goals can be considered satisfied, either the practices as described or acceptable alternatives to them must be present in the planned and implemented processes of the organization.
Informative Components
Informative components provide details that help organizations get started in thinking about how to approach the required and expected components.
Examples of informative components include
• subpractices
• typical work products
• amplifications
• generic practice elaborations
• goal and practice titles
• goal and practice notes
• references
Summary of CMMI Model Components
Reviewing Process Area Components
Additions
Additions can be a note, a reference, an example, a specific practice, a specific goal, or a process area. The model components that are additions extend the scope of a model or emphasize a particular aspect of its use. In the CMMI for Development model, there is one group of additions, which all apply to IPPD.
An addition example for Project Planning SP 3.1
IPPD Addition
When integrated teams are formed, their integrated work plans are among the plans to review.
Glossary
The CMMI glossary defines the basic terms used in CMMI models. It was designed to document the meaning of words and terms that should have the widest use and understanding by users of CMMI products.
Definitions of terms were selected based on recognized sources that have a widespread readership (e.g., ISO, CMMI source models, IEEE).
Glossary term example
Establish and maintain . . . This phrase means more than a combination of its component terms; it includes documentation and usage. . . .
Typographical Conventions
Some components of the process areas are labeled Staged Only or Continuous Only. Components that are not marked apply to both representations.
Components marked Staged Only apply only if you are using the staged representation.
Components marked Continuous Only apply only if you are using the continuous representation.
These restrictions appear in the Generic Practices by Goal section of every process area.
MODEL REPRESENTATIONS
CMMI Model Representations
There are two types of representations in CMMI models:
• staged
• continuous
A representation in CMMI is analogous to a view into a data set provided by a database.
Both representations provide ways of implementing process improvement to achieve business goals.
Both representations provide essentially the same content and use the same model components but are organized in different ways.
CMMI Model Structure
Process Area Organization in the Two Representations
In the continuous representation, process areas are organized by process area category:
• Process Management
• Project Management
• Engineering
• Support
In the staged representation, process areas are organized by maturity level.
Continuous Representation: PAs by Category
Staged Representation: PAs by Maturity Level
UNDERSTANDING LEVELS
Understanding Levels - 1
Levels are used in CMMI to describe an evolutionary path for an organization that wants to improve the processes it uses to develop and maintain its products and services.
CMMI supports two improvement paths:
• continuous - enabling an organization to incrementally improve processes corresponding to an individual process area (or set of process areas) selected by the organization
• staged - enabling the organization to improve a set of related processes by incrementally addressing successive predefined sets of process areas
Understanding Levels - 2
These two improvement paths are associated with two types of levels that correspond to the two representations, staged and continuous.
For the continuous representation, we use the term capability level or process area capability.
For the staged representation, we use the term maturity level or organizational maturity.
Understanding Levels - 3
Regardless of the representation you select, the concept of levels is the same.
Levels characterize improvement from an ill-defined state to a state that uses quantitative information to determine and manage improvements that are needed to meet an organization’s business objectives.
To reach a particular level, an organization must satisfy all of the appropriate goals of the process area or set of process areas that are targeted for improvement, regardless of whether the level is a maturity or a capability level.
Capability Levels - 1
A capability level consists of a generic goal and its related generic practices that can improve the organization’s processes associated with a process area.
Capability levels provide a scale for measuring your processes against each process area in a CMMI model.
There are six capability levels (0 through 5).
Each level is a layer in the foundation for continuous process improvement.
Capability levels are cumulative (i.e., a higher capability level includes the practices of the lower levels).
Capability Levels - 2
Representing Process Area Capability
Capability Levels Are Cumulative
Maturity Levels -1
The maturity levels are
1: Initial
2: Managed
3: Defined
4: Quantitatively Managed
5: Optimizing
Maturity Levels - 2
Maturity Levels Should Not Be Skipped
• Each maturity level provides a necessary foundation for effective implementation of processes at the next level:
– Higher level processes have a greater chance of success with the discipline provided by lower levels.
– The effects of higher maturity innovations are more easily measurable.
• Higher maturity level processes may be performed by organizations at lower maturity levels, with the risk of not being consistently applied in a crisis.
Comparing Capability and Maturity Levels
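The two level rules stated on the preceding slides (capability levels are cumulative, so a process area is at level n only when GG 1 through GG n are all satisfied; maturity levels cannot be skipped, so a level counts only when every process area it covers, and every process area of the levels below it, satisfies the required goals) are exactly the checks an IS auditor applies when reading an appraisal's findings. The script below is an added illustration written for this edit, not code from the original deck or from the SEI. Everything beyond those two rules is an assumption of the example: the staged table mapping CMMI-DEV v1.2 process areas to maturity levels (the slide that carried it is an image missing from this transcript), the v1.2 equivalent-staging rule (capability level 2 on every ML 2 process area for ML 2; capability level 3 on every process area of ML 2 up to the target level for ML 3, 4 and 5), and the sample findings, which are constructed and not real appraisal data.

```python
from __future__ import annotations

# Added example (not from the original deck): applies the cumulative capability
# level rule and the no-skipping maturity level rule to a constructed set of
# appraisal findings.
#
# Assumptions supplied by this example, not by the transcript:
#  - the staged mapping of CMMI-DEV v1.2 process areas to maturity levels
#    (the slide that carried that table is an image not present here);
#  - the v1.2 "equivalent staging" rule: ML 2 needs capability level 2 on every
#    ML 2 process area; ML 3, 4 and 5 need capability level 3 on every process
#    area assigned to ML 2 up to the target level.

MAX_CAPABILITY = 5  # capability levels run 0..5; level n means GG 1..GG n satisfied

STAGED_PAS: dict[int, frozenset[str]] = {
    2: frozenset({"REQM", "PP", "PMC", "SAM", "MA", "PPQA", "CM"}),
    3: frozenset({"RD", "TS", "PI", "VER", "VAL", "OPF", "OPD", "OT", "IPM", "RSKM", "DAR"}),
    4: frozenset({"OPP", "QPM"}),
    5: frozenset({"OID", "CAR"}),
}


def capability_level(satisfied_ggs: set[int]) -> int:
    """Highest n such that GG 1 .. GG n are *all* satisfied.

    Capability levels are cumulative, so a process area with evidence for GG 3
    but no GG 2 is still only at capability level 1.
    """
    level = 0
    while level < MAX_CAPABILITY and (level + 1) in satisfied_ggs:
        level += 1
    return level


def required_capability(ml: int) -> int:
    """Capability level every in-scope PA must reach for maturity level ml."""
    return 2 if ml == 2 else 3


def pas_in_scope(ml: int) -> set[str]:
    """Process areas that must be satisfied for maturity level ml (ML 2 .. ml)."""
    scope: set[str] = set()
    for level in range(2, ml + 1):
        scope |= STAGED_PAS[level]
    return scope


def maturity_level(pa_capability: dict[str, int]) -> int:
    """Staged maturity level; levels cannot be skipped, so stop at the first failure.

    Process areas with no findings at all count as capability level 0.
    """
    achieved = 1  # ML 1 (Initial) is the floor for any organization
    for ml in (2, 3, 4, 5):
        need = required_capability(ml)
        if all(pa_capability.get(pa, 0) >= need for pa in pas_in_scope(ml)):
            achieved = ml
        else:
            break
    return achieved


def gaps_for_next_level(pa_capability: dict[str, int]) -> dict[str, int]:
    """For each PA blocking the next maturity level, how many capability levels it is short."""
    current = maturity_level(pa_capability)
    if current == 5:
        return {}
    need = required_capability(current + 1)
    return {
        pa: need - pa_capability.get(pa, 0)
        for pa in sorted(pas_in_scope(current + 1))
        if pa_capability.get(pa, 0) < need
    }


def assess(findings: dict[str, set[int]]) -> dict:
    """Appraisal findings (PA -> satisfied generic goals) -> levels and gap list."""
    pa_capability = {pa: capability_level(ggs) for pa, ggs in findings.items()}
    return {
        "capability": pa_capability,
        "maturity": maturity_level(pa_capability),
        "gaps": gaps_for_next_level(pa_capability),
    }


# Constructed findings for illustration only (not real appraisal data).
SAMPLE_FINDINGS: dict[str, set[int]] = {
    "REQM": {1, 2, 3}, "PP": {1, 2, 3}, "PMC": {1, 2}, "SAM": {1, 2},
    "MA": {1, 2, 3}, "PPQA": {1, 2}, "CM": {1, 2, 3},
    "VER": {1, 2, 3},
    "RSKM": {1, 3},  # GG 3 evidenced without GG 2: a gap, not a higher level
}

if __name__ == "__main__":
    result = assess(SAMPLE_FINDINGS)
    print("capability levels:", result["capability"])
    print("maturity level:", result["maturity"])
    print("to reach ML", result["maturity"] + 1, "close:", result["gaps"])
```

On the sample findings the organization is at maturity level 2: every ML 2 process area reaches capability level 2, but PMC, SAM and PPQA stop at level 2 and most ML 3 process areas have no findings, so the gap list for ML 3 names them all. RSKM illustrates the cumulative rule in the direction auditors most often have to defend: evidence for GG 3 without GG 2 leaves the process area at capability level 1, not 3.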
PROCESS INSTITUTIONALIZATION
Process Institutionalization
Institutionalization means that the process is ingrained in the way the work is performed: “That’s the way we do things around here.”
The organization builds an infrastructure that contains effective, usable, and consistently applied processes.
The organizational culture conveys the process.
Management nurtures the culture.
Culture is conveyed through role models and recognition.
Institutionalized processes endure after the people who originally defined them have gone.
Generic Goals and Generic Practices: Building Blocks
• Generic goals and generic practices contribute to process institutionalization.
• The generic goals and generic practices are the model components that provide for commitment and consistency throughout an organization’s processes and activities.
Generic Goals and Institutionalization
Generic Goals Evolve
Each generic goal provides the foundation for the next. Therefore, the following conclusions can be made:
• A managed process includes and builds on a performed process.
• A defined process includes and builds on a managed process.
• A quantitatively managed process includes and builds on a defined process.
• An optimizing process includes and builds on a quantitatively managed process.
GG 1: Performed Process
GG 1: Achieve Specific Goals
The process supports and enables achievement of the specific goals of the process area by transforming identifiable input work products to produce identifiable output work products.
• A performed process accomplishes the work necessary to produce work products.
• All specific goals of the process area are satisfied.
• Essential activities are performed and the work is accomplished.
• The definition, planning, monitoring, and controlling of the process may be incomplete.
• The process may be unstable and inconsistently implemented.
GG 1 Generic Practices
GP 1.1: Perform Specific Practices
Perform the specific practices of the process area to develop work products and provide services to achieve the specific goals of the process area.
GG 2: Managed Process
GG 2: Institutionalize a Managed Process
The process is institutionalized as a managed process.
• A managed process is a performed process that is planned and executed in accordance with policy; employs skilled people having adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.
• Management of the process is concerned with institutionalization and the achievement of specific objectives established for the process, such as cost, schedule, and quality objectives.
GG 2 Generic Practices - 1
The generic practices for managed processes are the same for all process areas.
GP 2.1: Establish an Organizational Policy
Establish and maintain an organizational policy for planning and performing the <x> process.
GP 2.2: Plan the Process
Establish and maintain the plan for performing the <x> process.
<x> represents the name of a process area (e.g., Requirements Management).
GG 2 Generic Practices - 2
GP 2.3: Provide Resources
Provide adequate resources for performing the <x> process, developing the work products, and providing the services of the process.
GP 2.4: Assign Responsibility
Assign responsibility and authority for performing the process, developing the work products, and providing the services of the <x> process.
GP 2.5: Train People
Train the people performing or supporting the <x> process as needed.
GG 2 Generic Practices - 3
GP 2.6: Manage Configurations
Place designated work products of the <x> process under appropriate levels of control.
GP 2.7: Identify and Involve Relevant Stakeholders
Identify and involve the relevant stakeholders of the <x> process as planned.
GP 2.8: Monitor and Control the Process
Monitor and control the <x> process against the plan for performing the process and take appropriate corrective action.
GG 2 Generic Practices - 4
GP 2.9: Objectively Evaluate Adherence
Objectively evaluate adherence of the <x> process against its process description, standards, and procedures, and address noncompliance.
GP 2.10: Review Status with Higher Level Management
Review the activities, status, and results of the <x> process with higher level management and resolve issues.
GG 3: Defined Process
GG 3: Institutionalize a Defined Process
The process is institutionalized as a defined process.
• A defined process is a managed process that is tailored from the organization’s set of standard processes according to the organization’s tailoring guidelines.
• A defined process has a maintained process description.
• A defined process contributes work products, measures, and other process improvement information to the organizational process assets.
• The organization’s set of standard processes is established and improved over time.
GG 3 Generic Practices
The generic practices for defined processes are the same for all process areas.
GP 3.1: Establish a Defined Process
Establish and maintain the description of a defined <x> process.
GP 3.2: Collect Improvement Information
Collect work products, measures, measurement results, and improvement information derived from planning and performing the <x> process to support the future use and improvement of the organization’s processes and process assets.
GG 4: Quantitatively Managed Process
GG 4: Institutionalize a Quantitatively Managed Process
The process is institutionalized as a quantitatively managed process.
• A quantitatively managed process is a defined process that is controlled using statistical and other quantitative techniques.
• Quantitative objectives for product quality, service quality, and process performance are established and used as criteria in managing the process.
• People performing the process are directly involved in quantitatively managing the process.
• Statistical predictability is achieved.
GG 4 Generic Practices
The generic practices for quantitatively managed processes are the same for all process areas.
GP 4.1: Establish Quantitative Objectives for the Process
Establish and maintain quantitative objectives for the <x> process that address quality and process performance based on customer needs and business objectives.
GP 4.2: Stabilize Subprocess Performance
Stabilize the performance of one or more subprocesses to determine the ability of the <x> process to achieve the established quantitative quality and process-performance objectives.
GG 5: Optimizing Process
GG 5: Institutionalize an Optimizing Process
The process is institutionalized as an optimizing process.
• An optimizing process is a quantitatively managed process that is improved based on an understanding of the common causes of variation inherent in the process.
• The focus is on continually improving the range of process performance through both incremental and innovative technological improvements.
• Quantitative process improvement objectives are established.
• Process improvement is inherently part of everybody’s role, resulting in cycles of continual improvement.
GG 5 Generic Practices
The generic practices for optimizing processes are the same for all process areas.
GP 5.1: Ensure Continuous Process Improvement
Ensure continuous improvement of the <x> process in fulfilling the relevant business objectives of the organization.
GP 5.2: Correct Root Causes of Problems
Identify and correct the root causes of defects and other problems in the <x> process.
Critical Distinctions Among Processes
Summarizing Generic Goals and Practices
Achieving Capability Levels (CLs) for a Process Area
Requirements Management (REQM) - Capability Levels 1 & 2
REQM - Capability Level 3
REQM - Capability Levels 4 & 5
Achieving Maturity Levels
To achieve a maturity level
• All process areas at that level and all levels below it must be satisfied or determined to be not applicable.
And to achieve maturity level 3 or higher
• The generic goal 3 for each applicable maturity level 2 PA must also be rated satisfied for maturity level 3 or higher.
Note: A process area is satisfied if and only if all of the process area’s relevant specific and generic goals are rated as satisfied.
Achieving Maturity Levels (ML)
REQM - Maturity Levels 1 & 2
REQM - Maturity Level 3
REQM - Maturity Levels 4 & 5
Applying Generic Practices
All process areas have generic practices that apply to them.
• Generic practices ensure sustainability of the specific practices in the processes over time.
• For example, GP 2.2, “Establish and maintain the plan for performing the project planning process,” when applied to Project Planning, ensures that you planned the activities for creating the plan for the project.
SIX SIGMA
Automation and continuous improvement (Deming Cycle – ISO IEC 17799:2005)
[Figure: improvement cycle with the phases Organize, Measure, Automate, Improve]
Source: The Innovation Group
What is Six Sigma: Some of the most common definitions (1/3)
• Quality standard equal to the generation of a number of defects lower than 3.4 per million in performing production or service delivery operations. (Online Learning Center - McGraw Hill).
• A tool that makes it possible to significantly improve customer satisfaction and shareholder value by reducing inefficiencies in business activities. Through a structured approach, Six Sigma supports a better understanding of customer needs and the design and/or modification of processes and products in order to make them more consistent with the customers' expectations. (The quality portal).
What is Six Sigma: Some of the most common definitions (2/3)
• Movement, methodology and set of techniques focused on improving business processes and based on the use of statistical concepts for performance measurement. (Business Process Trends).
• Structured quality program for the limitation of the defects within the value of 6 standard deviations from the mean. One of the major aspects on which Six Sigma focuses is the reduction of process variations. (Overall Equipment Effectiveness - OEE).
What is Six Sigma: Some of the most common definitions (3/3)
• It is a process improvement methodology based on statistical concepts, aimed at reducing the defects to a rate of 3.4 per million through the identification and elimination of the causes that result in business process variations. To properly define the concept of defect, Six Sigma focuses on the development of a clear understanding of customer requirements. (Mekong Capital)
• It is a rigorous and systematic methodology based on the use of data and statistical analysis, aimed at measuring and improving the company's operational performance by identifying and eliminating "defects" in the processes of production or service provision. (iSixSigma)
The impact of quality on the company’s income statement
• In the case of a rejection rate of 10% on finished products, the company, in order to be able to sell 1,000 products (at $ 1.000/unit), must produce 1111 units.
• Volumes sold being equal (1,000), the elimination of manufacturing defects would lead to a 10% reduction in operating costs, resulting in a 120% increase of profit.
• To achieve the same profit goal, a company that works at 10% defects should increase revenues by 15%.
• Working with higher quality means anticipating the breakeven point (revenues = costs) and thus represents a better protection against recessions and demand contractions.
• The quality produced usually introduces additional positive impacts both on costs (e.g., reducing warranty costs) and on revenues (e.g., increase in sales due to the increase of standing in the market).
• The cost of quality (COPQ *) causes direct effects on the overall company profit and its economic stability.
• The economic benefits resulting from the reduction of defects and COPQ can be reached both in manufacturing and in services companies.
Income statement with 10% defects versus 0% defects in the process (figures from the slide):
                        10% defects      0% defects
Revenues                $ 1.000.000      $ 1.000.000
Variable costs          $   600.000      $   540.054
Contribution margin     $   400.000      $   495.946
Fixed costs             $   350.000      $   350.000
Profit                  $    50.000      $   109.946
[Chart: profit [$K] versus revenues [$K] (500, 1000, 1149) for 0% and 10% defects in the process; variation in revenues]
Source: The Innovation Group
Complexity and Performance
Although each analyzed process observed alone may present acceptable quality levels (for example 99% of cases satisfy requirements), when the various processes are integrated for the production of a product or a service destined to the end customer, the overall performance of processes turns out to be much lower.
Number of operations or components    Overall yield (*)
1                                     99,00%
50                                    60,50%
100                                   36,60%
200                                   13,40%
500                                   0,66%
1000                                  0,00%
[Diagram: Supplier → Input → Process 1 (O1; R1 = 99%) → Process 2 (O2; R2 = 99%) → … → Process i (Oi; Ri = 99%) → Process j (Oj; Rj = 99%) → Process n (On; Rn) → Customer]
• The yield of process n (Rn) is affected by the number and the yield of the other processes: Rn << 99%
• A 99% yield on the individual operations cannot guarantee quality for very complex products or services, because the overall yield degrades quickly.
(*) assuming a yield of 99% for each individual operation or component. Source: The Innovation Group
The statistical principle on which Six Sigma is based
Basic principles
• The term six sigma comes from the probability theory developed by Gauss to describe the behaviour of certain random phenomena (normally distributed phenomena).
• Sigma (σ) is the standard deviation of the random variable X with respect to its mean value X.
• For a normal distribution, the probability that an observation of the variable falls within the interval (X ± σ) is 31%, while the probability that it falls within the interval (X ± 6σ) is 99,9997%.
• The central limit theorem shows that, under suitable conditions, a random variable tends towards a normal distribution as the number of observations grows, which makes this theory widely applicable.
• As a general rule, the narrower the bell curve, the lower the variability around its mean value X.
[Figure: normal (Gaussian) distribution centred on X, with the -6σ … +6σ marks]
Sigma level    Probability that the observation falls within the interval (*)
1              31 %
2              69,2 %
3              93,32 %
4              99,379 %
5              99,977 %
6              99,9997 %
(*) X ± sigma level. Source: The Innovation Group
The statistical concept and quality levels (1/2)
The statistical analysis is implementable on any business process:
• Working in "Six Sigma" conditions means producing outputs that are consistent with the customer tolerances addressed (Upper and Lower Specification Limits) 99.9997% of the time, which means respecting a maximum number of defects equal to 3.4 cases per million.
[Figure: from a 3σ process to a 6σ process: LSL and USL, range of acceptability (LSL-USL), probability of defect]
As the number of sigmas within the specific process tolerance grows, the probability of obtaining defects or errors decreases.
Sigma level    Defects per million opportunities    Yield
1              690.000                              31 %
2              308.537                              69,2 %
3              66.807                               93,32 %
4              6.210                                99,379 %
5              233                                  99,977 %
6              3,4                                  99,9997 %
Source: The Innovation Group
The statistical concept and quality levels (2/2)
Using Six Sigma ensures an overall high process performance even in particularly complex systems.
Number of operations or components    Overall performance at 99 %    Overall performance at 6σ    Improvement
1                                     99,0000%                       99,9997%                     ~ 1%
50                                    60,5006%                       99,9850%                     ~ 65%
100                                   36,6032%                       99,9700%                     ~ 173%
200                                   13,3980%                       99,9400%                     ~ 646%
500                                   0,6570%                        99,8501%                     > 15.000%
1000                                  0,0043%                        99,7004%                     > 2 million %
Source: The Innovation Group
Value created by Six Sigma
[Chart: Customer’s Value Line; COPQ (1) and profits per single sigma against the quality level from 2 to 6 sigma, with COPQ at 25%, 15% and 5%]
Cost and value of quality
• The cost of quality (COPQ) decreases significantly with the increase in sigmas per process, allowing greater profits to be achieved.
• Analyses conducted in manufacturing contexts demonstrate that operating at a six sigma level reduces the COPQ to 1% of returns.
Sigma level    Defects per million opportunities    COPQ (1)
3              66.807                               25-40 %
4              6.210                                15-25 %
5              233                                  5-15 %
6              3,4                                  < 1 %
(1) COPQ – Cost of poor quality, as a % of returns in manufacturing contexts. Source: Chiarini & Associati
Source: The Innovation Group
Evolution in the performance measurement systems
• The various quality systems evolve over time, changing the focus with which they tackle the challenge of improving business process performance.
[Chart: effectiveness (50% to 100%) and rate of improvement over time, from the Middle Ages through 1920, 1960, 1980 and 1990: in-line inspection, quality control, in-process controls, in-process statistical controls, design for manufacturing (DFM), system (e.g.: ISO 9000, TQM, …), 6σ process management]
Source : The Innovation Group
Six Sigma basic principles
• Continuous focus on customer requirements (concentrate on VOC – voice of customer)
• Usage of quantitative data and statistical techniques to identify and measure process variations, both productive and business ones, with respect to expected values.
• Identification of the primary causes of the problems encountered.
• Emphasis on process improvement in order to reduce defects and improve customer satisfaction.
• Management's proactive contribution to problem prevention, continuous improvement and the constant pursuit of perfection.
• Cross-functional business collaboration
• Definition of ambitious improvement targets
The Lean 6 Sigma model: evolution towards the service deployment society
• The merger of the underlying principles of both methods was designed to meet the needs of companies that provide services and operate in a market where customers expect high quality, speed of delivery and reduced price.
• This establishes a model characterized by the mixture of the basic principles of cycle time reduction, from Lean production, and of variation reduction, from the Sigma method.
[Diagram: Lean principles (speed, process flux) and Six Sigma principles (quality, defect and variance) combine into Lean Six Sigma, aimed at customer satisfaction and process improvement; transversal principles: data and facts, team work]
Source: The Innovation Group
The Lean Six Sigma model: main characteristics
FROM LEAN MANUFACTURING / FROM SIX SIGMA
• Greater market competitivity
• Increased Return on Invested Capital (profit after tax / invested capital) through potential interventions on processes that determine up to 50% cost savings, positively impacting profits
• Customer satisfaction improvement, bearing in mind the relationship between quality, speed and low prices.
• Elimination of losses/delays and of costs from no-added-value jobs
• Quantification and elimination of costs deriving from complexities.
• Identification of quick improvement actions
• Evaluations based on the measurement of results and processes (customer satisfaction, financial results, speed/lead time, quality/process defects)
Lean Six Sigma: direct relationship between quality and speed
• Cycle time reduction
• No-value-added job analysis
• Quick improvement actions (e.g. Kaizens)
• Process flux analysis (every step)
• Identification and measurement of waste
• Variance reduction
• Process governance by means of statistical control
• Creation of a culture and of a supporting organizational structure
• Focus on customer and supplier needs
• Use of problem solving tools
• Quality improvement
• Introduction of the project sponsorship concept
• Use of speed measurement tools
Source: The Innovation Group
The Lean Six Sigma model: the rules
• To answer these needs, 5 main rules were defined as the model’s basis:
Rule 1: the market
Customer needs define the quality and represent the top priority in order to improve the company and market competitiveness
Rule 2: flexibility
The speed of each process is proportional to that process’ flexibility
Rule 3: the focus
20% of the activities in a process lead to 80% of delays; it is necessary to focus on the activities that determine the highest number of inefficiencies
Rule 4: speed
The speed of each process is inversely proportional to the amount of work-in-process (WIP)
Rule 5: complexity and costs
The complexity of the service or product offered generally increases the costs of non-value added work and of poor quality (low-sigma or lean) WIP
Source: The Innovation Group
The Lean Six Sigma: conclusions
• Combining the basic concepts of Data, Clients and Quality (6 Sigma) with the concepts of flux analysis, added value work and cost reduction (Lean), the Lean Six Sigma aims at creating high delivery quality, cost reduction and greater competitiveness.
Six Sigma: quality improvement of value-added activities (higher sigma level, columns)
Lean: reduction of non-value-added activities (fewer activities, rows)
Overall yield by number of activities and sigma level:
# of activities    ±3σ        ±4σ         ±5σ          ±6σ
1                  93,32%     99,379%     99,9767%     99,99966%
7                  61,63%     95,733%     99,839%      99,9976%
10                 50,08%     93,96%      99,768%      99,9966%
20                 25,08%     88,29%      99,535%      99,9932%
40                 6,29%      77,94%      99,074%      99,9864%
Source: Six Sigma Research Institute – Motorola University
Lean Six Sigma simultaneously governs quality, speed, and cost
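The sigma-level table, the "complexity and performance" tables and the Motorola University table above all follow from two relations: the conventional Six Sigma yield at level k is the one-sided normal probability Phi(k - 1.5) under the customary 1.5σ long-term shift of the mean, and the overall yield of n chained operations is the per-operation yield raised to the n-th power. The following is an added example that recomputes those tables; it is not code from the original slides, and its function names are its own.

```python
import math

# Conventional long-term drift of the process mean assumed by Six Sigma tables.
SIGMA_SHIFT = 1.5


def normal_cdf(z: float) -> float:
    """P(Z <= z) for a standard normal variable, computed with erf."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def long_term_yield(sigma_level: float, shift: float = SIGMA_SHIFT) -> float:
    """Share of output inside the specification limit for a process whose
    limit sits `sigma_level` standard deviations from the design mean, once
    that mean has drifted `shift` sigma towards the limit. This one-sided
    Phi(k - 1.5) is what the slides' sigma table reports (31% ... 99.9997%)."""
    return normal_cdf(sigma_level - shift)


def dpmo(sigma_level: float) -> float:
    """Defects per million opportunities at a given sigma level (6 -> 3.4)."""
    return (1.0 - long_term_yield(sigma_level)) * 1_000_000


def rolled_throughput_yield(step_yield: float, steps: int) -> float:
    """Overall yield of `steps` independent operations that each succeed with
    probability `step_yield`: the 'complexity and performance' effect."""
    return step_yield ** steps


def sigma_table(levels=range(1, 7)):
    """(sigma level, DPMO, yield %) rows, reproducing the slides' table."""
    return [(k, round(dpmo(k), 1), round(100.0 * long_term_yield(k), 4))
            for k in levels]


def complexity_table(steps=(1, 50, 100, 200, 500, 1000),
                     per_step=0.99, sigma_level=6):
    """(n, overall yield % at 99% per step, overall yield % at `sigma_level`,
    relative improvement) rows, as in the 'complexity' slides."""
    six = long_term_yield(sigma_level)
    rows = []
    for n in steps:
        base = rolled_throughput_yield(per_step, n)
        better = rolled_throughput_yield(six, n)
        rows.append((n, 100.0 * base, 100.0 * better, better / base - 1.0))
    return rows


def activities_table(activities=(1, 7, 10, 20, 40), levels=(3, 4, 5, 6)):
    """Yield % per number of chained activities at each sigma level: the
    Motorola University table on the Lean Six Sigma conclusion slide."""
    return {n: [round(100.0 * rolled_throughput_yield(long_term_yield(k), n), 5)
                for k in levels]
            for n in activities}


if __name__ == "__main__":
    for k, d, y in sigma_table():
        print(f"{k} sigma: {d:>10,.1f} DPMO  yield {y:.4f}%")
    for n, base, better, gain in complexity_table():
        print(f"{n:>5} steps: {base:9.4f}% -> {better:8.4f}%  (+{gain:.0%})")
    for n, yields in activities_table().items():
        print(f"{n:>3} activities:", "  ".join(f"{v:.5f}%" for v in yields))
```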
AUDIT, IS AUDIT, IT AUDIT
Agenda
• Audit, IS audit, IT audit
• IT Roles and Responsibilities
• Risk and compliance
– A Privacy Audit
• Toolkits:
– Cobit
– ISO 2700x
– ISO 38500
– Six Sigma
• COBIT 5
Audit
• Audit: Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met
• Audit accountability: Performance measurement of service delivery including cost, timeliness and quality against agreed service levels
• Audit authority: A statement of the position within the enterprise, including lines of reporting and the rights of access
• Audit charter: A document approved by the board that defines the purpose, authority and responsibility of the internal audit activity
• Audit evidence: The information used to support the audit opinion
• Audit expert systems: Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field
– Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.
• Audit objective: The specific goal(s) of an audit
– Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.
• Audit plan: A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion
• Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an audit
• Audit responsibility: The roles, scope and objectives documented in the service level agreement (SLA) between management and audit
• Audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred
• Audit sampling: The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population
• Audit trail: A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
• Audit universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process
IS Audit (1/5)
Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it (EDP auditing, as it was previously called) as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."
Information systems are the lifeblood of any large business. Unlike in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems. The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads:
• Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?
• Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?
• Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?
IS Audit (2/5)
Elements of IS Audit
An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of IS audit can be broadly classified:
• Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
• System administration review: This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
• Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
IS Audit (3/5)
All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that, by using their user IDs, employees may get to see critical and sensitive information far beyond their roles.
It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of these elements. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get the total view of the issues and problems. This overview is critical.
IS Audit (2/4)
• Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
• Business continuity review: This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
• Data integrity review: The purpose of this is scrutiny of live data to verify the adequacy of controls and the impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
IS Audit (4/5)
Risk-based Approach
Every organization uses a number of information systems. There may be different applications for different functions and activities, and there may be a number of computer installations at different geographical locations. The auditor is faced with the questions of what to audit, when and how frequently. The answer to this is to adopt a risk-based approach.
While there are risks inherent to information systems, these risks impact different systems in different ways. The risk of nonavailability even for an hour can be serious for a billing system at a busy retail store. The risk of unauthorized modification can be a source of frauds and potential losses to an online banking system. A batch processing system or a data consolidation system may be relatively less vulnerable to some of these risks. The technical environments on which the systems run also may affect the risk associated with the systems.
The steps that can be followed for a risk-based approach to making an audit plan are:
• Inventory the information systems in use in the organization and categorize them.
• Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
• Assess what risks affect these systems and the severity of impact on the business.
• Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.
The auditor then can draw up a yearly audit plan that lists the audits that will be performed during the year, as per a schedule, as well as the resources required.
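The four steps of the risk-based approach, worked through as an added example (not part of the original slides): a constructed inventory of the systems the slide mentions is scored for availability, integrity and confidentiality impact, ranked, and turned into a staggered yearly audit plan. The scoring weights, the frequency cut-offs and the sample systems are the example's own assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory (step 1 of the risk-based approach); the
# systems, categories and scores are illustrative assumptions, not slide data.


@dataclass(frozen=True)
class InfoSystem:
    name: str
    category: str            # e.g. "online transactional", "batch"
    critical_assets: tuple   # money, materials, customers, decision making
    near_real_time: bool     # how close to real time the system operates
    availability: int        # impact severity if unavailable, 1 (low) .. 5
    integrity: int           # impact severity of unauthorized modification
    confidentiality: int     # impact severity of disclosure


INVENTORY = (
    InfoSystem("retail billing", "online transactional",
               ("money", "customers"), True, 5, 4, 3),
    InfoSystem("online banking", "online transactional",
               ("money", "customers"), True, 4, 5, 5),
    InfoSystem("payroll", "batch", ("money",), False, 2, 4, 4),
    InfoSystem("data consolidation", "batch", ("decision making",),
               False, 1, 3, 2),
)


def risk_score(system: InfoSystem) -> int:
    """Step 3: severity of impact on the business (assumed additive model)."""
    score = system.availability + system.integrity + system.confidentiality
    score += 2 * len(system.critical_assets)   # step 2: critical assets hit
    if system.near_real_time:
        score += 3   # an hour of downtime already hurts a real-time system
    return score


def audit_interval_months(score: int) -> int:
    """Step 4: translate the rank into an audit frequency (assumed cut-offs)."""
    if score >= 18:
        return 6
    if score >= 12:
        return 12
    return 24   # low-risk systems rotate onto the plan every other year


def build_audit_plan(inventory=INVENTORY, months_in_year=12):
    """Steps 4-5: rank the systems and draw up the yearly audit plan.
    Start months are staggered by priority so audits do not all land in
    month 1; an interval longer than the year defers the system to the
    next plan year."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    plan = []
    for priority, system in enumerate(ranked, start=1):
        score = risk_score(system)
        interval = audit_interval_months(score)
        if interval > months_in_year:
            months = []   # biennial rotation: not scheduled this year
        else:
            start = (priority - 1) % interval + 1
            months = list(range(start, months_in_year + 1, interval))
        plan.append({"priority": priority, "system": system.name,
                     "category": system.category, "score": score,
                     "interval_months": interval, "audit_months": months})
    return plan


if __name__ == "__main__":
    for entry in build_audit_plan():
        print(f"{entry['priority']}. {entry['system']:<20} score={entry['score']:>2} "
              f"every {entry['interval_months']:>2} months -> months {entry['audit_months']}")
```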
IS Audit (5/5)
The Audit Process
The preparation before commencing an audit involves collecting background information and assessing the resources and skills required to perform the audit. This enables staff with the right kind of skills to be allotted to the right assignment.
It always is a good practice to have a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand the special concerns, if any, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly.
Similarly, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to senior management in a formal meeting using a presentation. This will ensure better understanding and increase buy-in of audit recommendations. It also gives auditees an opportunity to express their viewpoints on the issues raised. Writing a report after such a meeting, where agreements are reached on all audit issues, can greatly enhance audit effectiveness.
Key Challenge
IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit.
IT Audit (1/3)
An information technology audit is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
IT Audit (2/3)
• While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.
IT Audit (3/3)
• IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.
• IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.
• The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments.
• Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.
IT Roles and Responsibilities (1/5)
Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues.
IT Roles and Responsibilities (2/5)
Analyzing Risk
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.
IT Roles and Responsibilities (3/5)
Monitoring and Techniques
The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.
IT Roles and Responsibilities (4/5)
IT Control Assessment
Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.
Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.
IT Roles and Responsibilities (5/5)
The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. The figure below divides the assessment into a logical series of steps. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.
RISK AND COMPLIANCE
Risk (1/4)
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization.
Risk (2/4)
Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization. The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization.
Risk (3/4)
In this respect, the risk appetite of the organization is defined by COSO as:
“… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks.”
Risk (4/4)
In addition, the CAE should consider risk tolerance. COSO (The Committee of Sponsoring Organizations of the Treadway Commission) defines risk tolerance as:
“… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite.”
Thus, the CAE should consider whether or not:
• The organization’s IT environment is consistent with the organization’s risk appetite.
• The internal control framework is adequate to ensure that the organization’s performance remains within the stated risk tolerances.
Baseline IT Controls (1/4)
IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization’s networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.
Baseline IT Controls (2/4)
IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen, from the VISA Cardholder Information Security Program (CISP), and the Fundamental Five, from the Center for Internet Security. The Fundamental Five and Digital Dozen complement each other. It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:
• Do IT policies — including for IT controls — exist?
Baseline IT Controls (3/4)
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
Baseline IT Controls (4/4)
• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?
Choosing a Control Framework (1/4)
The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation. A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.
Choosing a Control Framework (2/4)
Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework’s adequacy and use it as a context for planning and performing audit work. The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.
Choosing a Control Framework (3/4)
Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.
Choosing a Control Framework (4/4)
Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting
Compliance
It is important to realize that compliance with applicable laws and regulations is a foundational issue that should be addressed when performing a comprehensive risk assessment and audit for an organization.
A Case Study
A Privacy Audit (1/17)
When planning an audit, the auditors should:
• Obtain a comprehensive understanding of the personal information collected and stored, its use by the organization, its processing by technology, and the jurisdictions/countries through which the data is processed.
• Interview the individuals responsible for the organization’s privacy policy and its enforcement and/or in-house or outside legal experts to gain an understanding of the privacy laws and regulations governing the business and the type of information handled, as well as the known risks, designed controls, and reported incidents.
A Privacy Audit (2/17)
• Identify the laws and regulations that govern personal information in the jurisdictions where the organization conducts business.
• Determine the regulations and governmental bodies responsible for enforcing privacy rules. Ask the privacy officer or the individual responsible for privacy compliance how such rules are codified in the organization’s policies and procedures.
A Privacy Audit (3/17)
• Identify the customers’, employees’, and business partners’ personal information that the organization collects. If a data inventory of personal information is available, that may provide a starting point for the auditor. If there is no documented inventory, interviews with business process owners and their IT counterparts may be necessary to identify what personal information is collected. Also, automated discovery tools can assist the auditor in this phase.
• Identify what, if any, personal information is shared with third parties. Determine how the data is shared with each of these third parties, including hard copy, file transfer, and portable electronic media.
A Privacy Audit (4/17)
The intent is to identify the formal and informal means by which personal information is shared within the organization and with other entities to identify potential threats, vulnerabilities, and overall risk.
• Determine whether agreements with third-party service providers and business partners include provisions on appropriate controls for handling personal information from receipt through disposal.
Identify Privacy Threats
Internal auditors should identify privacy threats to the organization through research, benchmarking, and brainstorming, and rank them according to the likelihood of occurrence and impact. Risk assessment meetings with business process owners also can ensure risks and threats to personal information are explored and identified thoroughly.
A Privacy Audit (5/17)
Assigning values to threats and assets through a privacy risk assessment highlights where the strongest controls or countermeasures should be and the areas on which the auditors should focus to identify vulnerabilities. A threat uses a vulnerability to exploit an asset. For the purposes of privacy management, the asset is protected personal information. So, who or what is the threat? The threat is the individual or process that, intentionally or not, makes an organization’s personal information public or allows any unauthorized access to personal information.
A Privacy Audit (6/17)
A legitimate threat could be a business partner violating contractual obligations or a hacker employed by organized crime. Empirically verified, threats posed by employees, contractors or temporary workers, competitors, developers, janitors, and maintenance staff — those who often have access to stores of confidential information — are very relevant. Whether through malice or carelessness, individuals with access to personal information have the ability to make that information public. If personal information is shared with business partners and contractors, the additional threats to and within their operations and processes should be evaluated.
A Privacy Audit (7/17)
Identify the Controls and Countermeasures
To determine what the organization is doing to protect personal information from the worst threats, auditors should validate the basic infrastructure and general controls in place, as well as the specific application and internal controls throughout the organization that are active and relied on by the privacy program. Common steps to identify the controls include:
• Requesting and reviewing documentation. Review the privacy program as it is implemented in policies, procedures, and other documentation. How do the policies match up with the high-risk areas defined in the privacy risk assessment? How often, if ever, are these policies reviewed? Do they incorporate the latest regulatory and legal guidance? Is the guidance consistent across divisions in the organization? Identify any gaps for follow-up.
A Privacy Audit (8/17)
• Interviewing and observing the processing of personal information in action. The gap between the written policy and the operational action can be significant. Sit with employees on the front lines in operations and IT to determine whether they are aware of the impact of their actions/processes in handling personal information. Determine whether the outright requirements, as well as the spirit or intent of the privacy program, motivate the staff’s decisions and actions.
• Reviewing third-party contracts and contacts. The depth of the review will depend on how the contractors and the personal information handled by them rank in the threat matrix, but the auditor, at a minimum, should review for language compliant with applicable laws and regulations.
A Privacy Audit (9/17)
If right-to-audit clauses are included, are they exercised with appropriate frequency and depth? Another common technique that auditors can use in reviewing third parties is a security/privacy control survey or questionnaire. This will allow the auditor to obtain information about the controls the third party has in place to protect the organization’s personal information and help to identify areas that may require follow-up. Using a third-party provider’s controls wholly, or in conjunction with the organization’s own controls, may impact the organization’s ability to achieve its control objectives. A lack of controls or weakness in third parties’ control design, operation, or effectiveness could lead to such things as loss of personal information confidentiality and privacy. Hence, contracts with third-party providers are a critical element and should contain appropriate provisions for data and application privacy and confidentiality. By this point, the potential high-impact risks should come into sharper focus, but significant questions will remain unanswered. It is time to test the controls and countermeasures, hitting the highest impact assets and modeling the highest impact threats.
A Privacy Audit (10/17)
Performing the Assessment
The common steps throughout an audit are described in detail in The IIA’s International Professional Practices Framework (IPPF). When the auditor understands the organization’s privacy objectives, its privacy risks, the types of personal information handled, and the legal framework in which the organization conducts business, an audit program including scope, objectives, and timing of the audit can be developed and approved. The audit team will gather information, perform tests, and analyze and evaluate the test work to prepare the report and recommendations.
Test Work Methodologies
After the risk assessment is completed, traditional test work is focused on general, application, and security controls.
A Privacy Audit (11/17)
Potential testing may include methods beyond the usually applied techniques, such as vulnerability assessments and penetration tests, physical control tests, and social engineering tests.
Vulnerability Assessments and Penetration Tests
These methods are often cited as assurance methods for network-accessible applications and infrastructure. Consultants often use terms such as “tiger team” or “ethical hacking” to describe this methodology of identifying and exploiting vulnerable services in a production environment. Vulnerability assessments generally focus on identifying potential vulnerabilities in information systems. The assessments identify and prioritize vulnerabilities in the configuration, administration, and architecture of information systems. Penetration tests take vulnerability assessments one step further, exploiting the identified vulnerabilities. Penetration tests generally require a higher degree of technical skill and could potentially disrupt production systems. Vulnerability assessments and penetration tests require a set of skills that the internal auditor may need to acquire, either through contracting third-party expertise or training.
A Privacy Audit (12/17)
Physical Control Tests
Personal information is not limited to digital data. If the organization’s modeled threat has access to the building, all the encryption, firewalls, and patched databases in the world cannot keep that individual from retrieving printed information from the trash or accessing data through an unlocked workstation. Digging through trash for protected information, identifying logged-in and unattended workstations, and reviewing secure information storage and handling processes may identify vulnerabilities in the handling of private information. This type of test can answer questions such as:
• Is personal information being disposed of according to policy and procedures?
• Are documents containing personal information stored securely prior to disposal or shredding?
• Are working documents with personal information stored securely?
• Are documents or monitors that display personal information viewable by unauthorized personnel?
• Are workstations locked when unattended?
• Is the application of privacy controls consistent across various departments?
A Privacy Audit (13/17)
Social Engineering Tests
Social engineering, in the context of security, is the technique of gaining unauthorized access through nontechnical deception. In the scope of testing a privacy program, social engineering can be used to test the effectiveness of controls regarding release of personal information. In other words, can an individual obtain personal information by simply asking for it? The auditor could impersonate executives, network administrators, or other authorized users to “con” or “sweet talk” passwords or personal information from employees who act as key countermeasures.
A Privacy Audit (14/17)
Social engineering tests can help answer some of the following audit questions:
• How effective are the organization’s privacy awareness and training programs?
• Is the balance between customer service and restricting personal information appropriate?
• Is the privacy program supported by the corporate culture?
Organizations have different attitudes toward the conning of employees by internal auditors, so build a threat model and identify vulnerabilities carefully. Discuss the process with the human resources and legal teams to ensure the results will be used to improve privacy practices and not for random firing of tested employees.
A Privacy Audit (15/17)
Communicating and Monitoring Results
Many privacy audits are evaluations of compliance programs, and the auditor should consult with legal counsel if potential violations are to be included in audit communications. Consultation and coordination with counsel can reduce the conflict between the auditor’s responsibility to document the results of the engagement and the counsel’s legal obligation to defend the organization. Some of the challenges specific to reporting the results of a privacy audit include:
• Getting all of the participants involved in the scope of the privacy audit. An effective privacy program is practiced by nearly all areas of the organization. Be sure that key participants have input.
• Developing a common, understandable language to describe the risks.
• Ensuring that legal counsel has reviewed the proposed audit plan and draft audit report before issuance to ensure that compliance considerations are addressed appropriately.
The CAE should be aware of IIA Performance Standard 2600: Resolution of Senior Management’s Acceptance of Risks in the event that he or she believes that senior management has accepted a level of residual risk that may be unacceptable to the organization related to its privacy program and practices.
A Privacy Audit (16/17)
Privacy and Audit Management
The IIA’s IPPF reminds auditors to take regulations and risks into account when planning, performing, and reporting assurance and consulting assignments. Many other professional bodies, legislators, and supervisory authorities issue a broad variety of guidance and regulations. The privacy of personal information and how the organization manages this asset should be considered when developing the risk-based audit plan.
A Privacy Audit (17/17)
The internal audit staff is a key part of the organization’s governance structure to address privacy. As such, training programs and policies should be in place to provide internal auditors with the necessary background and knowledge to conduct privacy engagements effectively. There also is a need for due diligence to ensure that auditors act in accordance with relevant laws and policies when using personal information during assurance or consulting engagements. Internal auditors should understand that it may be inappropriate — and in some cases illegal — to access, retrieve, review, manipulate, or use personal information when conducting internal audit engagements. Before initiating an audit, the internal auditors should investigate these issues and request advice from legal counsel, if needed. Finally, internal auditors should consider related privacy regulations, regulatory requirements, and legal considerations when reporting information outside the organization.
Toolkits
COBIT – ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.
ISO 2700X – A growing family of ISO/IEC Information Security Management Systems (ISMS) standards. The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
ISO 38500 – Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
SIX SIGMA – Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.
COBIT 5
Information!
• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.
What benefits do information and technology bring to enterprises?
Enterprise Benefits
• Enterprises and their executives strive to:
– Maintain quality information to support business decisions.
– Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
– Achieve operational excellence through reliable and efficient application of technology.
– Maintain IT-related risk at an acceptable level.
– Optimise the cost of IT services and technology.
How can these benefits be realised to create enterprise stakeholder value?
Stakeholder Value
• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
COBIT 5 Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Governance and Management
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
In Summary …
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT
A business framework from ISACA, at www.isaca.org/cobit
Evolution of scope (1996 to 2012):
• COBIT1 (1996): Audit
• COBIT2 (1998): Control
• COBIT3 (2000): Management
• COBIT4.0/4.1 (2005/7): IT Governance
• COBIT 5 (2012): Governance of Enterprise IT
• Related frameworks: Val IT 2.0 (2008), Risk IT (2009)
© 2012 ISACA® All rights reserved.
COBIT 5 Framework
COBIT 5:
• The main, overarching COBIT 5 product
• Contains the executive summary and the full description of all of the COBIT 5 framework components:
– The five COBIT 5 principles
– The seven COBIT 5 enablers plus
– An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)
– An introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT
COBIT 5 Product Family
Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
Five COBIT 5 Principles
The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
1. Meeting Stakeholder Needs
Principle 1. Meeting Stakeholder Needs:
• Enterprises exist to create value for their stakeholders.
Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
1. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
• Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
• Governance is about negotiating and deciding amongst different stakeholders’ value interests.
• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
• For each decision, the following can and should be asked:
– Who receives the benefits?
– Who bears the risk?
– What resources are required?
1. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
• Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
1. Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
Benefits of the COBIT 5 goals cascade:
• It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.
• In practice, the goals cascade:
– Defines relevant and tangible goals and objectives at various levels of responsibility.
– Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
– Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
2. Covering the Enterprise End-to-end
Principle 2. Covering the Enterprise End-to-end:
• COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.
• This means that COBIT 5:
– Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
– Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
2. Covering the Enterprise End-to-end (cont.)
Principle 2. Covering the Enterprise End-to-end
Key components of a governance system
Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.
3. Applying a Single Integrated Framework
Principle 3. Applying a Single Integrated Framework:
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
– Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
– IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
– Etc.
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
4. Enabling a Holistic Approach
Principle 4. Enabling a Holistic Approach
• COBIT 5 enablers are:
– Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
– Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
– Described by the COBIT 5 framework in seven categories
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
• Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
• Organisational structures—Are the key decision-making entities in an organisation
• Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
• Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
• Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
• People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
• Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
– Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
– Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach
• COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
5. Separating Governance From Management
Principle 5. Separating Governance From Management:
• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
– Encompass different types of activities
– Require different organisational structures
– Serve different purposes
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
5. Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
• Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
5. Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
• COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
5. Separating Governance From Management (cont.)
Principle 5. Separating Governance from Management:
• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.
COBIT 5: Enabling Processes
• COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
– In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
– In Chapter 3, the COBIT 5 process model is explained and its components defined.
– Chapter 4 shows the diagram of this process reference model.
– Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model.
COBIT 5: Enabling Processes (cont.)
Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved.
COBIT 5: Enabling Processes (cont.)
COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
COBIT 5 Implementation
• The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
• COBIT 5: Implementation provides guidance on how to do this.
COBIT 5 Implementation (cont.)
• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
COBIT 5 Implementation (cont.)
Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.
COBIT 5 Product Family
Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
COBIT 5 Future Supporting Products
• Future supporting products:
• Professional Guides:
– COBIT 5 for Information Security
– COBIT 5 for Assurance
– COBIT 5 for Risk
• Enabler Guides:
– COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
– Process Assessment Model (PAM): Using COBIT 5
– Assessor Guide: Using COBIT 5
– Self-assessment Guide: Using COBIT 5
ADVISORY: WHEN AUDIT BECOMES CONSULTING
Agenda
• Project Management
• Quality Assurance:
– Strategies
– Execution
– Software Selection
– Software Development
– Architecture
• New Paradigms
– Cloud
– BYOD
PROJECT MANAGEMENT
Software Project Management
[Figure: nested sets: Management contains Project Management, which contains Software Project Management.]
Software production projects
• They have specific characteristics that distinguish them from other kinds of projects:
• Invisibility – software is not as easy to see as a bridge or a chemical plant can be.
• Complexity – on average, costs being equal, software projects are more complex, also because of the users’ strong involvement in the early phases of the project.
• Flexibility – ease of modifying the product both while in production and once it is created.
Software production projects
• Two main kinds of projects:
• Information Systems, characterized by the fact that they communicate with the organization
• Industrial Systems, that interface with machines (operating systems, process control systems)
• Production processes that are good for developing one system are often inefficient for the other
Project phases
[Figure: cycle of project phases: set up, planning, execution, control, closing.]
Productive activity planning
[Figure: planning flow. Steps: identification of roles; responsibility attribution; resource allocation and time estimation; scheduling. Artifacts: project WBS; WBS + organizational structure; roles and responsibilities matrix; technical restraints, resources, W.P.; logical ties, deadlines and milestones; PERT diagram; duration of WPs.]
[Figure: effort over time across the initial, intermediate and final phases; curves for possibility of influencing results, managerial attention and resources used.]
The Project
• The project is a temporary effort oriented to the creation of a unique product or service (Project Management Institute)
The Project
• A project’s scope is not limited to the design of the components that constitute a product, but it entails all the phases that are involved in achieving a complete product service and delivering it, beginning from its conception.
• The project is a temporary effort started to develop a product or services.
• It is temporary in the sense that it is located in time with a precise beginning and ending date; it may last years, and the created product or service is unique.
• The fundamental element to optimize these factors is the employment of methodologies and tools that find application within every business organization.
The Project
• Project Management is a particular approach to contract management (initially developed in the military environment) whose primary goal is to handle the project in a way that achieves its completion while respecting timings, costs and technical-qualitative performances contractually agreed upon with the client and with regard for the law.
• It’s a set of common sense rules to manage project planning and control activities, to orient available resources towards achieving the goals while respecting planned times, costs and requirements satisfaction.
• A sound project management allows each company to meet the market challenges by optimizing the costs of the various stages leading to the completion of the project on schedule. Market planning and control are becoming increasingly important, especially in market contexts of high competitiveness, along with related cost analysis and benefit evaluation, which represent the key factors in order to achieve the predefined objectives.
Types of projects
• The variables according to which projects can be classified are:
1. Size of the project: need of human and financial resources, range and geographical diffusion;
2. Project complexity: variety of goals and scope;
3. Degree of project risk: degree of innovativeness, scope and complexity.
Projects lifecycle
Any project’s lifecycle entails:
• Managerial issues
• Technical issues.
[Figure: level of effort over time. Project management phases: beginning, planning, execution, closing. Technical cycle phases: feasibility, requirement definition and planning, development, test, implementation, maintenance.]
Project Management
A project is a temporary initiative (with a beginning and end) directed towards the creation of a product, a service or a result characterized by uniqueness, under conditions of uncertainty. Project Management is the application in practice of knowledge, skills, tools and techniques to project activities to satisfy its requirements.
A project can be divided in 5 main phases, also called process groups:
• Startup
• Planning
• Execution
• Monitoring and Control
• Closing
A new set of essential phases can be identified in IT projects:
• Startup
• Requirement definition and analysis
• Architectural design
• Development
• Testing
• Production
• Closing
Projects should be characterized by SMART goals: Specific, Measurable, Agreed upon, Realistic, Timed.
Project Management Elements
The activity of project management can be broken down into the following key processes:
• Identify requirements
• Keep stakeholders’ interests in consideration during project planning and development
• Balance the project’s constraints that are in conflict (scope, quality, schedule, budget, resources and risk)
The Project Manager is the person responsible for the project’s organization and successful goal achievement. A good Project Manager usually has knowledge, skills and personality.
The Project Management Office (PMO) is the organizational unit that centrally manages and coordinates projects that fall under its responsibility. Among the activities that characterize this unit are:
• Manage the shared resources of various projects
• Identify and develop methodologies, standards and best practices
• Train, form and supervise staff
• Monitor compliance with the standards, requirements and policies
• Develop and maintain policies, procedures, documents and other organizational process assets
• Coordinate information flows
Project Management Elements
Business environmental factors: They generally represent inputs in the planning processes and influence the project in ways that can be positive or negative (+/- constraints) and are:
• Culture, structure and organizational processes
• Government / industry standards (regulations, behavioural codes, technical standards and quality)
• Infrastructure
• Human resources management processes
• Market conditions
• Risk tolerance of the stakeholders
• Political climate
• Communication channels used by the organization
• Database and Information Systems for Project Management
Roles: Project team, customer, supplier, end user, sponsors, Project Manager, Client Project Manager, Project Management Office, Project Board or Steering Committee, Team Leader, Project Accountant, Program / Portfolio Manager, Team Member, Technical Expert / Analyst.
Project Management Documents: Business Case, Project Charter, Offering, Organization chart, Responsibility matrix, Contact List, Request for Proposals, Project Plan, Risk Log (risk analysis), Contingency plans, Communication Plans, Progress Report.
Projects vs operative work
Common characteristics:
• Performed by individuals
• Limited by constraints
• Planned, executed, monitored and controlled
• Performed to achieve organizational goals or strategic plans
Differences:
• Operative activities are continuous; they produce repetitive products/services/results
• Projects are temporary and produce unique outputs.
Operative jobs support the business environment in which the projects are developed, therefore there are important interactions between the project team and the operative departments. The Project Manager will communicate a lot with the operative department managers, and often some of the latter’s resources will be redirected towards the project.
Project lifecycle
By project lifecycle we mean a set of project phases, sequential or overlapping, whose name and number depend on the project’s nature. This provides the basic framework for project management.
Structure:
• Starting the project
• Organizing and preparing
• Carrying out the work
• Closing the project
Characteristics:
• The level of costs and human resources (dotted line) starts low, then peaks while carrying out the work, and decreases again during closure.
• Stakeholder influence, risks and uncertainty are maximum at the beginning and decrease monotonically over time.
• The costs of modifying or correcting mistakes are minimum at the beginning and grow monotonically over time.
Project phases
The project phases consist of divisions within the same project that create checkpoints for evaluating intermediate deliverables. This allows the segmentation of the project into logical subsets to ease their management, planning and control. The applied division into phases depends on size, complexity and impact of the project.
If the steps are sequential, the end of a phase means a deliverable is ready which serves as the starting point of a new phase (milestone or decisional block). These are natural moments of evaluation of the commitment invested in the project, possible changes or termination.
There is no unique way to define the ideal structure of a project, beyond the common industry or market practices. Therefore, this must be assessed from project to project depending on its particular characteristics and the management style of the project team and the organization.
The phase usually ends with a review of the deliverables to determine completeness / acceptance and an evaluation of the work to decide on possible changes, a process that leads to the beginning of a new phase. The key decisions are therefore:
• Determine whether the project should continue to the next phase
• Identify and correct mistakes based on efficiency considerations (costs)
Some projects can benefit from overlapping phases. Phases can therefore be sequential or overlapping.
The Project Manager’s role
The Project Manager is the supervisor or facilitator and must therefore:
• Define and control the project's objectives;
• Analyze the environment in which the project will be developed and the regulations in force;
• Define the end result and the main activities necessary for its achievement;
• Plan and schedule the activities of the project (historical data for future projects);
• Estimate the necessary resources (labor, materials, equipment, etc.);
• Formulate the project budget;
• Allocate and control resources to the individual assets and authorize the beginning of work;
• Integrate all the planning and control activities of the project and provide tutoring;
• Define the progress of the project, in terms of both physical development and costs;
• Measure the progress of the project during its implementation;
• Enable corrective action in case of deviations (definition of risk tolerance);
• Resolve conflicts with the customer, with suppliers and with the specialized functions (80-90% of the time is used to communicate with stakeholders; source: Project Mngmt Inst.).
The reasons for the inclusion of the logic of Project Management in enterprises are mainly attributable to the causes of project failure, which according to a survey by the European Community in 2002 are: poor communication, poor project scoping, unfulfilled customer expectations, inadequate planning, lack of leadership, lack of motivation in the team.
The percentage of successfully completed projects with respect to time, cost and objectives is 26%. The proportion of unfinished projects, over budget, and that do not meet the objectives is 34%. The remaining 40% of projects are canceled before completion.
Project Stakeholders
• Project stakeholders are «persons and organizations that are actively involved in the project or whose interests can be influenced by the project’s outcome. On the other hand, they can also influence the project and its outcome».
[Figure: power/interest grid. Horizontal axis: interest in the project (low to high); vertical axis: powers over the project (low to high). Quadrants: Institutional Stakeholder, Key Stakeholder, Marginal Stakeholder, Operative Stakeholder.]
Production planning techniques
Note: These techniques have been designed and developed for the creation of highly complex works, especially in the urban engineering or military fields, and mainly on contractual production terms [relevant economic dimensions, long implementation times (over a year, the classic management period), management and organizational complexity (places physically distinct from the company), generally unique and non-repetitive products].
• Work Breakdown Structure (W.B.S.)
• Gantt diagram
• CPM (Critical Path Method)
• PERT (Program Evaluation and Review Technique)
The Work Breakdown Structure
• It consists in the decomposition of the project into subprojects, of these into macro-activities and so on, down to elementary activities whose subsequent decomposition is no longer convenient.
• Each elementary activity should be easy to manage in terms of planning, execution, control and closure.
• It uses a tree diagram that allows for the description and display of all parts of a project at different levels of detail, in a structured and hierarchical manner.
• Includes all parts of a project that must be carried out, and all the major functional tasks that must be performed to implement them completely.
• Activities at the lower levels are therefore necessary and sufficient to complete the parent element (top level).
• Every element is perfectly schedulable, with its own budget, and can be assigned to an operating unit (in terms of responsibility). They are also easily reusable for future projects.
Problem: complex projects entail hundreds or thousands of elements that result in overly complex management.
Preparing a WBS
The Project Manager must structure the job in small elements that must be:
• Manageable (possibility to determine authorities and responsibilities);
• Independent (with minimum interfaces with other activities);
• Integrated (to put them together in general packages);
• Measurable (to estimate their development state and success).
The WBS is a key element because:
• It provides a clear description of the project as the sum of its elements;
• It allows for cost and budget estimation;
• It allows for time, cost and performance control;
• Goals are connected to business resources;
• It simplifies planning, scheduling, reporting and management control operations;
• It allows a responsible person to be assigned to each element.
WBS organization
At a first level the WBS can be organized by:
• Product structure. The decomposition is done on the basis of product components (physical/spatial decomposition logic). For example, while developing a new car, component groups are established.
• Project Lifecycle. The decomposition is done on the basis of logic stages or process phases: it can be done following the technical process (requirement analysis, design/planning, production, etc.). This is also called division by work processes.
• By deliverable and sub-projects. The subprojects are developed by organizations that are external to the team (decomposition by objectives).
WBS Organization
The principles of decomposition may also be different: breakdown by objectives, work processes, the physical logic, the functional logic, the spatial logic...
In our example, the same building could have been decomposed first of all into ground floor, first and second floor, and so on. Time after time, we will try to identify the criterion of the most functional decomposition with respect to productive goals.
[Figure: WBS of a building. Level 1: Building; level 2: Plants, Construction site, Urban works; Plants decomposed into thermic, cabin distribution, hydric, mechanic and electric systems.]
Definitions
Work Package
Set of information relevant to the creation of one or more products. Must contain the following information:
- What to do;
- Responsible and client;
- Costs and schedule;
- Input and output products;
- Activities.
WBS - Software Development Project
[Figure: WBS tree of a software development project. Root: Software; level 2: Requirements, Analysis, Design, Development, Test, Specifics.]
Work Package: Requirements
Cost: € 25.000,00
Description: collection and analysis of customer and user requirements
Responsible: Mario Rossi
Sponsor: Divis. Alfa
Input: legal constraints, organization’s standards, client’s specifics
Output: meeting reports, requirement analysis report
Activities: meetings with executives, analysis of existing systems, project draft, interviews and surveys, reviews, approval, final formalization.
Definitions
Deliverable
It is any product, result or skill capable of delivering a unitary and verifiable service that must be created to complete a process, a phase or a project.
[Figure: Project → Work Package 1.1 → Deliverable 1, Deliverable 2, …, Deliverable n; Work Package 1.2.]
Definitions
Event
Something that happens which marks the beginning or the end of one or more tasks or activities.
Milestone
Events that represent decisive moments of the project evolution, as intermediate checkpoints or moments of completion of a significant portion of the project. Milestones are often contractually imposed (start and finish timing) or self-imposed by the project manager.
Rules for a correct WBS
- The union of all the activities at the same level corresponds to the same set of activities at the root;
- Each work should be assigned to one and only one level;
- There should be no overlap between tasks in different branches;
- Each level increase must be based on the same logic as the previous, and all of its siblings must follow the same logic;
- Different levels can be developed according to different logics;
- As the size of the WBS elements decreases, the responsible’s management is simplified, while project control becomes more complicated;
- The WBS parts must be filled in by those responsible for management and control;
- The logic of aggregation-disaggregation is based on the defined goals.
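The WBS rules above (one level per work, no overlap between branches, consistent numbering, a budget and a responsible unit per work package, children summing up to the root), as an added Python example that is not part of the original slides. Element codes, names, budgets and responsible units are constructed; the Requirements package mirrors the earlier work package example.

```python
"""WBS consistency checks and budget roll-up.

Added example, not from the original slides. Codes, names, budgets and
responsible units are constructed; the Requirements package mirrors the
work package example on the slides.
"""
from dataclasses import dataclass, field


@dataclass
class WbsElement:
    code: str               # hierarchical code such as "1.3.1"
    name: str
    responsible: str = ""   # unit accountable for the element
    budget: float = 0.0     # direct budget of a work package (leaf)
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child


def rolled_up_budget(el):
    """Parent budget = sum of its children (the union of a level equals its root)."""
    if not el.children:
        return el.budget
    return sum(rolled_up_budget(c) for c in el.children)


def leaves(el):
    """Work packages: the elementary activities that are not decomposed further."""
    if not el.children:
        return [el]
    return [leaf for c in el.children for leaf in leaves(c)]


def validate_wbs(root):
    """Return the list of rule violations (an empty list means the WBS is consistent)."""
    problems = []
    seen_codes = set()
    name_to_code = {}

    def walk(el, parent):
        # Each work is assigned to one and only one level: codes must be unique.
        if el.code in seen_codes:
            problems.append(f"duplicate code {el.code}")
        seen_codes.add(el.code)
        # No overlap between branches: the same work must not appear twice.
        if el.name in name_to_code and name_to_code[el.name] != el.code:
            problems.append(f"'{el.name}' appears in two branches "
                            f"({name_to_code[el.name]} and {el.code})")
        name_to_code.setdefault(el.name, el.code)
        # Each level increase follows the same numbering logic as its parent.
        if parent is not None and not el.code.startswith(parent.code + "."):
            problems.append(f"{el.code} is not a child code of {parent.code}")
        # An element is either decomposed or budgeted directly, never both.
        if el.children and el.budget:
            problems.append(f"{el.code} carries a budget and also has children")
        # Every work package is schedulable: it needs a budget and a responsible unit.
        if not el.children:
            if el.budget <= 0:
                problems.append(f"work package {el.code} has no budget")
            if not el.responsible:
                problems.append(f"work package {el.code} has no responsible")
        for c in el.children:
            walk(c, el)

    walk(root, None)
    return problems


def build_software_project():
    """Constructed WBS of a software development project, organized by lifecycle phase."""
    root = WbsElement("1", "Software development project")
    root.add(WbsElement("1.1", "Requirements", "Mario Rossi", 25000.0))
    root.add(WbsElement("1.2", "Analysis", "Analysis team", 18000.0))
    design = root.add(WbsElement("1.3", "Design"))
    design.add(WbsElement("1.3.1", "Architectural design", "Architect", 12000.0))
    design.add(WbsElement("1.3.2", "Detailed design", "Design team", 9000.0))
    root.add(WbsElement("1.4", "Development", "Dev team", 60000.0))
    root.add(WbsElement("1.5", "Test", "QA team", 20000.0))
    return root
```

`validate_wbs(build_software_project())` returns an empty list, and `rolled_up_budget` gives the root the sum of its six work packages; adding a second "Test" element under Design, or an element coded "2.1" under root "1", produces the corresponding violations.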
Gantt diagram
For the realization of the Gantt chart it is necessary to associate to the activities, as identified by the WBS, their estimated duration.
This technique allows the project to be described through the representation of the durations of each activity on a chart (a histogram). The horizontal axis shows the time scale; the vertical axis, not oriented, shows the activities that make up the project. The placement of activity "bars" along the time axis highlights not only the length, but also the moment of completion of each task.
The Gantt diagram is said to have the defect of not accounting for resources (although they are indirectly regarded in time lengths).
Activity duration
Duration estimates can be obtained through different techniques that preferably use historic data:
• Expert’s opinion
• Estimation by analogy
• Quantitative duration, based on quantitative data for each working category (number of designs, tons of steel, etc.) defined during the engineering/design phase, multiplied by the unitary production rate (hours of work per design, etc.)
Contingency time can be introduced to face unexpected events.
Project Design
The basic elements are:
• Activity duration;
• Dependence relationships with other activities;
• Time schedule;
• Possible milestones.
A bit of history
• H.L. Gantt defined a technique of productive process representation using time bars at the beginning of the last century.
• In 1957 M. Walker defined the CPM (Critical Path Method) to control project timings.
• In 1958 the PERT technique was developed while working on nuclear submarine projects (Polaris Project).
The Gantt diagram pitfall
• Time relationships among activities:
1. Why did we set a certain activity in a certain moment in time?
2. Are there constraints of logic dependency?
3. If the duration or starting time of an activity changes, what happens to the others?
An evolved approach: reticular techniques
• Activity = characterized by duration (and used resources).
• Events = instantaneous activities that mark the beginning and/or end of one or more activities.
• Time sequentiality = indicates succession constraints due to logical dependencies or opportunities.
Used to evaluate the total project duration and the dates of milestone achievements in implementing the project. In contrast with the Gantt chart, such techniques show logical dependencies between tasks that must necessarily be carried out in succession.
PM and Automation
For the application of CPM and PERT techniques, special software is employed (like MS Project), which requires the following input data:
• Identification of the activities which constitute the project (through the WBS);
• Identification of the logical-temporal sequence constraints between the project activities (which activities precede/follow the one in question, and what can be done in parallel?);
• Estimate of the project activities’ duration (based on resources).
• The sequential constraints of individual activities should refer to logical or technical conditions that prevent the execution of a task if its beginning requires the completion of one or more activities that are "work in progress".
Sequential constraints may arise also because of lack of resources.
Preparing a CPM \ PERT
1. The Project Manager writes the list of activities;
2. The PM arranges activities according to sequentiality criteria;
3. The PM reviews the diagram with line managers (experts);
4. The functional managers create the CPM \ PERT entering durations (the schedule is not known yet, so estimates are based on infinite resources);
5. The PM looks at the CPM \ PERT and checks whether it respects the key dates and the project timetable;
6. The PM sets the reference dates on the calendar and reorganizes the CPM \ PERT on the basis of real (limited) resources.
Differences between PERT and CPM
• CPM: deterministically calculates the parameters "earliest start", "latest start" and "finish" to identify the activities that have the least flexibility (critical path), based on the most common durations (experience): Gaussian distribution;
• PERT: uses weighted estimates of durations to calculate the project duration (three-estimates approach): β distribution with weights 1/6 Do, 1/6 Dp and 4/6 Dml;

D = (Do + 4·Dml + Dp) / 6
Differences between PERT and CPM
• PERT uses an evaluation of the time based on three estimates (optimistic, pessimistic, normal), while the CPM uses a single normal estimation. Duration estimates with PERT are more accurate.
• PERT is of probabilistic nature, based on the beta probability function, and allows risk to be assessed, while the CPM is deterministic.
• Both allow the use of dummy activities (crucial activities with zero duration; e.g. end of stage) to develop complex project logics;
• PERT is used for estimating projects where timing is highly variable, while the CPM is preferred for projects where time estimates are more accurate, as well as dependencies between resources;
• PERT is used for those projects in which the percentage of job completion cannot be assessed before they end, while the CPM is used in projects where we can estimate the percentage of completion of a task and load costs on the customer.
PERT is good in R&D projects. CPM is good with construction projects.
Differences between PERT and CPM
A major difference is that PERT does not allow the percentage of completion to be estimated, because the activities can't be estimated in percentage until completion (probabilistic estimate).
PERT/CPM advantages: highlights where to focus efforts (logic-sequential); allows the effects of changes on the project to be evaluated; visualizes complex structures in a simple and clear manner.
PERT/CPM disadvantages: more complex and expensive than other systems; requires more data; not convenient for small projects.
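The CPM forward and backward passes (earliest/latest start and finish, slack, critical path) and the PERT formula D = (Do + 4·Dml + Dp) / 6 from the preceding slides, as an added Python example that is not part of the original slides. The activity network follows the IT project phases listed earlier, with a constructed parallel test-environment activity; durations and three-point estimates are assumptions.

```python
"""CPM forward/backward pass plus PERT three-point estimates.

Added example, not from the original slides. The activity network and its
three-point estimates below are constructed for illustration.
"""
from collections import deque


def pert_expected(d_o, d_ml, d_p):
    """Expected duration D = (Do + 4*Dml + Dp) / 6 (beta weights 1/6, 4/6, 1/6)."""
    return (d_o + 4 * d_ml + d_p) / 6


def pert_variance(d_o, d_p):
    """Activity variance under the same beta model: ((Dp - Do) / 6) ** 2."""
    return ((d_p - d_o) / 6) ** 2


def topological_order(network):
    """Kahn's algorithm over predecessor lists; rejects unknown activities and cycles."""
    indegree = {a: len(preds) for a, (_, preds) in network.items()}
    succ = {a: [] for a in network}
    for a, (_, preds) in network.items():
        for p in preds:
            if p not in network:
                raise ValueError(f"{a} depends on unknown activity {p}")
            succ[p].append(a)
    ready = deque(a for a, d in indegree.items() if d == 0)
    order = []
    while ready:
        a = ready.popleft()
        order.append(a)
        for s in succ[a]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(network):
        raise ValueError("dependency cycle: the network is not a DAG")
    return order, succ


def cpm(network):
    """network: {activity: (duration, [predecessors])} -> (project_duration, table).

    table[activity] holds ES, EF, LS, LF, slack and critical (zero slack);
    all times are offsets from the project start.
    """
    order, succ = topological_order(network)
    es, ef = {}, {}
    for a in order:  # forward pass: earliest start = latest predecessor finish
        dur, preds = network[a]
        es[a] = max((ef[p] for p in preds), default=0)
        ef[a] = es[a] + dur
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for a in reversed(order):  # backward pass: latest finish = earliest successor LS
        lf[a] = min((ls[s] for s in succ[a]), default=project_duration)
        ls[a] = lf[a] - network[a][0]
    table = {}
    for a in order:
        slack = ls[a] - es[a]
        table[a] = {"ES": es[a], "EF": ef[a], "LS": ls[a], "LF": lf[a],
                    "slack": slack, "critical": abs(slack) < 1e-9}
    return project_duration, table


def critical_path(network):
    """Zero-slack activities in schedule order."""
    return [a for a, row in cpm(network)[1].items() if row["critical"]]


def pert_schedule(three_point):
    """three_point: {activity: ((Do, Dml, Dp), [predecessors])}.

    Runs CPM on the expected durations; returns the expected project duration,
    its standard deviation (critical-path variances summed) and the critical path.
    """
    network = {a: (pert_expected(*est), preds) for a, (est, preds) in three_point.items()}
    duration, table = cpm(network)
    crit = [a for a, row in table.items() if row["critical"]]
    var = sum(pert_variance(three_point[a][0][0], three_point[a][0][2]) for a in crit)
    return duration, var ** 0.5, crit


# Constructed IT project (working days) following the slides' IT phases, with a
# test-environment activity running in parallel with development; each entry is
# ((optimistic, most likely, pessimistic), predecessors).
IT_PROJECT_PERT = {
    "Startup":      ((1, 2, 3), []),
    "Requirements": ((3, 5, 7), ["Startup"]),
    "Architecture": ((3, 4, 5), ["Requirements"]),
    "Development":  ((7, 10, 19), ["Architecture"]),
    "TestEnv":      ((2, 3, 4), ["Architecture"]),
    "Testing":      ((2, 4, 6), ["Development", "TestEnv"]),
    "Production":   ((1, 2, 3), ["Testing"]),
    "Closing":      ((1, 1, 1), ["Production"]),
}

# Deterministic CPM network: the single "most likely" duration per activity.
IT_PROJECT = {a: (est[1], preds) for a, (est, preds) in IT_PROJECT_PERT.items()}
```

With these figures `cpm(IT_PROJECT)` gives a 28-day project with TestEnv the only non-critical activity (7 days of slack), while `pert_schedule(IT_PROJECT_PERT)` lengthens the expectation to 29 days because the skewed Development estimate raises its expected duration from 10 to 11.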
QUALITY ASSURANCE
13/11/2012 586
Quality assurance
• Quality assurance (QA) refers to the planned and systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled. It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention. This can be contrasted with quality control, which is focused on process outputs.
• Two principles included in QA are: "Fit for purpose", the product should be suitable for the intended purpose; and "Right first time", mistakes should be eliminated. QA includes management of the quality of raw materials, assemblies, products and components, services related to production, and management, production and inspection processes.
PROCUREMENT, SOURCING & SELECTION
Investment decision criteria (1/4)
• Assuming that the evolution of Demand Management processes (note) is able to lead to the formulation of real needs, whether they derive from business needs or regulatory limits, the effectiveness of a software selection is then anchored to:
– the ability to define a response that is actually consistent with the "needs" manifested by users;
– the correct sizing of the investment and subsequent operating costs;
– the implementation of appropriate project and technology "risk mitigation policies";
– a solid identification and quantification of the tangible and intangible benefits resulting from the investment made.
Investment decision criteria (2/4)
• In a usually complicated and articulated environmental context, "acceptable" results cannot be guaranteed in the absence of adequate organizational and methodological support. In other words, the quality of an application software investment depends strictly on the maturity level of the processes that govern the selection of software.
• The process must be repeated continuously, because the costs and benefits of a "solution" are closely related to its content and because "needs" can be satisfied through solutions of different content. The idea is to induce a virtuous cycle in which decisions are the result of the overall contributions of the different actors in the process, agents of a "single innovation committee" responsible, as a whole, for the obtained result.
Investment decision criteria (3/4)
• Such an approach requires that the quality and robustness of the selection process "dramatically" limit the space for discretion typical of "weak" organizations and move towards the formalization of "objective" evaluation elements, meaning elements based on solid quantitative data and clearly defined standards.
• It goes without saying that a number of critical issues, related to investment capacity and to the alignment of the outlined solutions with business and IT strategies, must be taken care of during the process.
Investment decision criteria (4/4)
• These concepts move away from established practices in which the decision to invest, and often the choice of the solution to be adopted, follows a sequential and hierarchical path of analysis, in a context of strong discretion and subjectivity of the choices made. In these practices, the contribution of the IT department takes place in a "degraded" organizational context which, in the absence of any real benefit analysis, considers cost as the key variable and thus exerts strong pressure on those who ultimately "must" create what the customer demanded/required.
Needs and solutions (1/2)
• «Needs» regard the rise of a requirement, a problem or an opportunity. In general one can assume that «needs» are correctly identified. The critical issue is which IT «solution» should lead to the satisfaction of the «need». In this sense, the correct determination of the net value (costs – benefits) created by the solution is the only element on which to decide the IT investment. This distinction between «need» and «solution» could appear unnecessary. Actually, no one can deny a need, while the opportunity to satisfy it or not is the key element in governing IT investments in applications.
Needs and solutions (2/2)
• This interpretation of the selection process's objectives is broader than a practice in which a solution is always searched for. In other words, we believe that:
– It is simply possible not to adopt a solution, which means not investing when it is not possible to determine a positive net value for the need's satisfaction;
– The identification of the right solution is a continuous process that searches for the best compromise between costs and benefits. Notice that searching for the best compromise doesn't take value off the result; rather, this continuity has the objective of impacting the search for benefits and the ambition of finding them.
Make or buy (1/4)
• Needs can be satisfied by producing custom solutions (make) or by acquiring them and possibly personalizing the package (buy). Generally this decision can be taken at the software selection phase.
• The fundamental questions when facing a make or buy decision are:
– Do we have the know-how?
– What are we buying?
– How much of what we are buying satisfies our needs?
Make or buy (2/4)
• The history of applications has been written in the last thirty years. From the first mechanizations of elementary accounting processes onwards, the support provided by applications has become more invasive and complex. Traditionally Italian companies have invested poorly in the documentation of their knowledge: know-how was not transformed into a company "intangible asset" and remained "trapped" in individuals. Sometimes the individual know-how was lost; most of the time it exists in daily operational practices but is not "recognizable and usable" unless significant investments are made. The "buy" has to do with this issue from two alternative points of view:
– An organization buys a know-how it doesn't have;
– An organization buys, in pieces and at moderate prices, a know-how that it has but hasn't capitalized upon.
Make or buy (3/4)
• Obviously, in the first case, the intrinsic value of the "buy" is potentially much higher. Sometimes, however, the greatest value of the know-how acquired with software is distorted through heavy customization.
• Just as the buyer of a mobile phone ends up paying for a significant number of functions that are not needed and that he does not even know he has, so when you buy software it is difficult to understand what was actually paid for. This problem is in general stronger every time you proceed to customize the software. In this situation there is a tendency, in fact, not to use all the features that are not already part of existing operational practices.
Make or buy (4/4)
• It is not always that easy to understand what you are buying, or what you want to buy. The widespread practice of heavily customizing acquired software in order to support unchanged processes implies a substantial replacement of the purchased service: the idea was to acquire a standard market product, with all the related guarantees on the evolution of the product, but it implicitly became the purchase of a "custom" product built on a semi-finished one. This practice has been so widespread in some industrial sectors, such as financial services, that even the software industry was heavily conditioned by it (confusion between products and services, distorted business models, mispricing, poor quality, etc.).
The QEERB protocol (1/2)
• The QEERB protocol is meant to represent a methodological approach to software selection, with the goal of reducing the risk of sub-optimal choices. QEERB gives guidelines to:
– frame the issues involved;
– identify the issues that really matter (and their prioritization);
– define an effective and efficient process for the selection of IT investments;
– involve the interested company structures (stakeholders) in the selection process;
– build a Knowledge Management system that capitalizes on the knowledge, business skills and past experiences, providing the basis for improving efficiency and effectiveness in the process of investment decision making.
The QEERB protocol (2/2)
• In particular the protocol categorizes and organizes the set of evaluation elements of an applicative solution into 5 main areas:
– Quality, meaning the identification and description of the solution's content;
– Effort, which determines the project costs (internal and external) for the set-up and production of the defined output, and for its subsequent continuous management;
– Elapsed, estimating project timings (and possible evolutions of the system or of the structures associated with IT investments);
– Risk, defining the risk profile of the investment (project risk, supply risk, etc.) in terms of the project and of the subsequent protection of the acquired value (risk of technological obsolescence);
– Benefit, describing the modes of identification of the benefits related to the investment.
Quality (1/2)
• The protocol assumes to operate in a context in which:
– The needs to be satisfied through the selection and implementation of new application solutions have been expressed;
– The needs are related to the requirements of supporting commercial initiatives management, the production of new services, the rationalization/redefinition of internal business processes, governance or compliance.
Quality (2/2)
• The definition of needs should be explicit and formalized according to a predefined scheme that highlights:
– The goals whose achievement the IT solution should enable;
– The general requirements that unambiguously document the activities to be supported by the application.
• During the following selection process, these general requirements should be transformed into specific requirements:
– Functional;
– User;
– Technological;
– Integration.
Functional Requirements (1/2)
• Functional requirements define in a more timely and specific manner the user functions, the data requirements and any calculation algorithms of the new application; the depth of these requirements will typically have to be linked to the discriminating fundamentals of cost and benefit. In other words, the need to define significant customizations precisely, or to go down to the level of comparing single operative functions, will inevitably affect the depth of analysis.
Functional Requirements (2/2)
• These requirements address those needs that are regularly defined so as to adhere to the specific operational processes or to the management analysis requirements of the specific organization, and in this way enable a better calibration of the selection and related costs.
• It would be useful to associate with functional requirements a graded assessment (ranking) that reflects the importance of the described function.
User Requirements (1/2)
• The needs should include a specification of any user requirements conditioning the identification of compatible solutions.
• These user requirements are normally constrained by market practices, by regulatory constraints or organizational policies.
User Requirements (2/2)
• In detail, user requirements are related to:
– means of interaction with the application by the end user (online, offline, batch);
– the characteristics and quality of user interfaces (graphical / character based, assisted - with help - / non-assisted, ...);
– system user documentation (user manuals, training courses, self study, classroom courses, ...);
– system performance (response time for online transactions, elapsed time and batch scheduling, volumes of data to be processed, ...);
– the administration and parameterization of the system procedures (whether the parameterization of the system should be maintained directly by the user or not, and with which kind of functionality and interface: metabase, automatic documentation systems, navigation systems on metadata and data, possibility to define user functions, ...);
– the security profiles, both on portions of data and on functions.
Technological Requirements (1/3)
• In an evolved organizational context, with respect to the maturity of managed processes, specific architectural standards should exist and be defined with the objective of:
– Acquiring ex-ante significant cost synergies through the definition of architectures and supporting technologies, consequently scoping the skills needed for the functioning of IT;
– Acquiring greater bargaining power against technological suppliers by explicitly concentrating on defined technologies, on which to direct the most significant investments;
– Limiting the technological risks related to the introduction of specific technologies.
Technological Requirements (2/3)
• By the term technological standard we mainly refer to:
– Environments, such as operating systems: z/OS on IBM mainframes, UNIX, MS Windows, Linux, etc.;
– DBMS per environment and kind of application;
– Applicative architecture (Legacy/SOA/...);
– Integration middleware (or robot);
– ETL and BI tools;
– Security, performance monitoring, system log and anomaly signaling standards;
– Change management processes (test and production management).
Technological Requirements (3/3)
• Of course, the existence of technological standards does not imply a systematic adaptation of the solutions to these standards; the possible conflicts between existing standards and the technologies used by the solutions under analysis should, however, trigger a specific process for estimating the extra costs linked to the adoption of any non-standard component. These costs would naturally affect the cost-benefit analysis.
Integration Requirements (1/2)
• The inclusion of any application in an existing information system involves the implementation of appropriate and specific integration processes.
• These processes can be carried out through specific standard components of the application architecture or through the creation of "custom components".
• It is possible that the integration process and the related set-up costs depend on the specifics of the alternative solutions under analysis, and therefore their definition and quantification affects the choice of the application as well as the quantification of the investments.
Integration Requirements (2/2)
• In any case we expect integration processes to be described through specifications that highlight:
– The data to be extracted/sent, and from/to which procedures;
– The interchange modes (synchronous – real time, asynchronous – daily batch, etc.) with other applications, and the use of standard components (middleware) or custom ones;
– The means of control of the flows between different applications (audit trail).
Quality evaluation (1/3)
• The assessment of alternative solutions requires a rigorous process that predefines methods of analysis, metrics and methods of equalization of the identified measures. The widely diffused practice of using checklists, put together from time to time in a contingent way, guarantees neither the quality nor the uniformity of assessments.
• The preparation of a structured interpretation scheme capable of covering all the elements of assessment for the qualitative part, sorting them by homogeneous topics and synthesizing them according to defined criteria, allows for a systematic comparison of alternative solutions. It is important, however, to compose a homogeneous comparability profile, identifying and estimating uneven functions, once again through a specific and well-defined process of elaboration of the specific requirements.
Quality evaluation (2/3)
• In fact the analysis of need satisfaction and of the subsequent level of required customization allows solutions to be categorized based on the following scenarios:
– Need satisfaction, when detailed estimates and customization feasibility analysis are possible;
– Need modification, based on the absence of detailed intervention estimates;
– Solution exclusion, when a fundamental functionality is missing.
Quality evaluation (3/3)
• The qualitative evaluation could allow for a first screening and exclusion of solutions that are less aligned with the needs. However it does not allow «acceptable» alternative solutions, which are potentially capable of satisfying the defined needs at least from a quality perspective, to be compared.
• It is in fact necessary to complete the assessment on the basis of different evaluation elements.
Effort (1/8)
• The evaluation of the economic effort invested in IT solutions should be based on well defined and solid processes which, for each solution in the short list, can estimate the following costs:
– costs directly related to software acquisition;
– costs associated with the project of making the application operative;
– indirect costs of the associated technological chain;
– recurring operation, application management and facility management costs.
Effort (2/8)
• In general terms, these costs can be real (external) or internal, depending on whether we proceed with the acquisition of third-party services or use internal capacity. In any case the valorization of internal resources should be made on the basis of defined and approved standards that enable an optimum allocation of resources, internal or external.
• In practice it is not uncommon that internal human resources and hardware overcapacity are not valorized. This logic could lead to a misallocation of available budgets, i.e. of the existing investment capacity.
Effort (3/8)
• The costs referred to above should constitute the input of a specific application software investment calculation model, with the aim of defining the initiative's contribution to ROI.
• The model should furthermore provide an accurate and comprehensive grid of the cost items to be estimated, in order to limit the space for "discretion" of the project groups and reduce the tendency to underestimate the investment. For estimates to be reliable and acceptable it is necessary to supervise a process capable of producing, controlling and historicizing on an ongoing basis the basic information (KPIs) required by those estimates, also considering the limited duration of a software selection project.
Effort (4/8)
• Normally the costs directly related to software acquisition are defined correctly; they should not in fact be estimated but simply acknowledged from the suppliers.
• The project costs related to the application set-up must instead be estimated. It is possible that these estimates are too low, especially in cases where major customization and integration interventions have to be planned for the application under selection. During the software selection a sufficient customization gap analysis is rarely performed: once the software has been selected and the investment decision taken, there should be a further "go / no go" phase at the end of the customization design phase, i.e. at the beginning of the project implementation.
Effort (5/8)
• At this stage of the project it remains possible to re-evaluate the investment's real costs and eventually stop the work. Appropriate clauses in contracts with the suppliers involved in the project could "protect" the investment by expressly allowing for a stop of activities within a limited and defined time period and the consequent cancelling of existing obligations.
• In practice it is rare that such options are present in the project plans, or that they are "forced" by the existing organizational processes. Once the investment and committed budget have been defined and approved, stakeholders seem completely focused on meeting the project's deadlines. The rationale underlying this understandable attitude is the assumption that the project estimates are "correct" and that only operative execution activities are crucial.
Effort (6/8)
• In reality, the most significant budget "overruns" occur due to poor estimates of the required customization/integration activity commitment. During the software selection project it isn't always possible to carry out really reliable in-depth analysis. This possibility exists, however, in the phases immediately following the choice, but obviously the implementation work plans should be configured to account for this option.
• The indirect hardware or software costs that come along with the choice of a certain investment aren't always completely identified during the software selection. In general, there is no established standard that "conditions and constrains" the activities of estimating all hardware and software components. In this case, investments are underestimated, and the choice between alternative applications may be distorted.
Effort (7/8)
• Recurring application management and facility operative costs directly tied to the adoption of a new solution are rarely estimated. These costs are not identified and end up impacting current management. They however constitute an important part of IT costs. They are generated by:
– The existence of a new solution;
– The architecture in which the solution is installed;
– The basic software it uses and the fact that it may or may not be in line with the approved architectural standards;
– The intrinsic quality of the application.
Effort (8/8)
• Where possible, the drivers used during the software selection to estimate recurring costs (CPU consumption, etc.) should be stated by contract in order to allocate part of the estimation and quality risks to the supplier.
• Recalling the above mentioned cost categories, it is possible to break down IT costs according to more detailed and specific items.
Effort directly related to software purchase
• Costs that are directly related to software purchase are:
– The license costs or periodic rental fees of the software product. These naturally have a different impact on the capital budget and on the yearly income statement: with a license the full cost is charged to the capital budget and only the current year's depreciation is charged to the income statement, while with a rental fee only the current year's fee is charged. The license and maintenance costs would be replaced by a specific and unique fee in situations where the software is managed through full outsourcing.
Effort: Costs related to the application's regular functioning project
• Costs related to the application's regular functioning project:
– Effort to parameterize the main software;
– Effort of product customization;
– Effort of product integration with the specific context.
• These costs are related to all the actions necessary to implement the selected software. They may vary among the selected solutions in relation to the following variables:
– Covered functions;
– Existence of native integration components;
– Technological components of the solution.
Effort: Indirect costs of the associated technological chain
• Indirect costs of the associated technological chain:
– By "technological chain" we mean to refer to all those requirements such as basic software, hardware and telecommunications directly related to the adoption of the "investigated" solution. We are therefore talking about the costs of:
• licenses and related maintenance fees of the accessories to your main software product, such as DBMS, operating systems, middleware, etc.; in some cases it may be necessary to conduct a simple upgrade of existing licenses, in others to proceed with a first supply;
• hardware infrastructure: these components may be purchased or leased; alternatively, the requirements could be met through full outsourcing. In any case, the cost of installation and configuration of the components used should be added;
• elaborative resources, such as disks and other storage media, MIPS and CPU. In practice, these costs are not always estimated and explained, although they constitute a significant component of facility management costs. The estimate cannot be improvised and can only take place in a particularly mature organizational context, because of the need to acquire a significant and critical series of basic measures. Some KPIs used to make these estimates may, once defined, be included as parameters of contractual licenses with the aim of governing the possible performance degradations of these applications.
Effort: Recurring operative costs
• Recurring operative costs:
– These costs regard the following operative issues:
• Maintenance fees of the main software and accessories (if not outsourced);
• Application management of the main software and accessories (if not outsourced);
• Maintenance fees of the hardware components involved in the application (if not in facility management);
• Commitments related to the increase in operational management activities (if not outsourced);
• Eventual pro-quota facility management fee (if outsourced).
Global IT costs
• The listed costs, once estimated, are the elements on which to calculate the "Global IT cost". This cost allows:
– the various solutions and offerings of suppliers to be compared, in a context of actual usability; of course the eventual prevalence of a solution implies the identification of a package and a supplier;
– the value created by the investment to be assessed, through a comparison of the benefits associated with the alternative solutions under investigation.
• The calculation of the Global IT cost must consider the project timings, define the moment of actual production of the solution and the average life of the related application procedure, in order to proceed with the discounting of foreseeable cash flows, according to the rough schematization shown in the following table.
source: The Innovation Group
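To show the discounting step just described (an added worked example, not the slide's own table, whose figures are not reproduced here), the Python below builds the yearly cost cash flows of two constructed solutions from the cost categories listed in the Effort slides, discounts them at an assumed 8% rate from the investment decision through go-live and an assumed average application life, and compares the resulting Global IT cost with the present value of an assumed yearly benefit. All amounts, rates, years and solution names are constructed; the 8% rate, the five-year life and the benefit figure are assumptions, not values from the page.

```python
"""Discounted Global IT cost of alternative solutions (added example, constructed figures)."""

DISCOUNT_RATE = 0.08  # assumed annual cost of capital (not from the page)

# Constructed cost profiles in EUR, yearly. Year 0 = investment decision.
# go_live_year: first year in production; life_years: assumed average application life.
SOLUTIONS = {
    "package_A": {
        "acquisition": 300_000,          # licenses, paid at year 0
        "project": [200_000, 150_000],   # set-up / customization effort, years 0 and 1
        "indirect_chain": 80_000,        # DBMS, middleware, hardware, year 0
        "recurring": 120_000,            # maintenance + application/facility mgmt per production year
        "go_live_year": 2,
        "life_years": 5,
    },
    "custom_B": {
        "acquisition": 0,                # "make": no license cost
        "project": [350_000, 300_000, 100_000],
        "indirect_chain": 40_000,
        "recurring": 180_000,
        "go_live_year": 3,
        "life_years": 5,
    },
}


def discount(amount, year, rate=DISCOUNT_RATE):
    """Present value of an amount paid at the end of the given year."""
    return amount / (1 + rate) ** year


def cash_flows(sol):
    """Undiscounted yearly cost cash flows from year 0 to the end of life."""
    horizon = sol["go_live_year"] + sol["life_years"]
    flows = [0.0] * horizon
    flows[0] += sol["acquisition"] + sol["indirect_chain"]
    for year, amount in enumerate(sol["project"]):
        flows[year] += amount
    for year in range(sol["go_live_year"], horizon):   # recurring costs start at go-live
        flows[year] += sol["recurring"]
    return flows


def global_it_cost(sol, rate=DISCOUNT_RATE):
    """Global IT cost = present value of every cost cash flow."""
    return sum(discount(f, y, rate) for y, f in enumerate(cash_flows(sol)))


def net_value(sol, yearly_benefit, rate=DISCOUNT_RATE):
    """Benefits accrue only once in production; net value = PV(benefits) - Global IT cost."""
    horizon = sol["go_live_year"] + sol["life_years"]
    pv_benefits = sum(discount(yearly_benefit, y, rate)
                      for y in range(sol["go_live_year"], horizon))
    return pv_benefits - global_it_cost(sol, rate)


def rank(solutions, yearly_benefit, rate=DISCOUNT_RATE):
    """Solutions ordered by decreasing net value."""
    return sorted(((name, net_value(s, yearly_benefit, rate)) for name, s in solutions.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for name, sol in SOLUTIONS.items():
        print(f"{name}: global IT cost = {global_it_cost(sol):,.0f}")
    print(rank(SOLUTIONS, yearly_benefit=350_000))
```

The later go-live of the custom solution both delays its benefits and adds a year of undiscounted project spend, which is why the ranking can flip against a solution that looks cheaper on a simple sum of line items; that timing effect is the reason the slide ties the Global IT cost to project timings and the moment of actual production.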
Internal and external project costs (1/7)
• In terms of Global IT Cost, the missed valorization of internal costs can lead to misleading results whenever comparisons are made among solutions requiring a mix of different skills.
• In practice, often the internal costs of human resources and hardware components are not considered or are underestimated, and this leads to sub-optimal choices or even choices that destroy value. The possible internal overcapacity should not detract from the importance of estimating all the cost components. In the medium term, moreover, any overcapacity could be reduced to zero and implicit internal costs could become explicit external costs.
Internal and external project costs (2/7)
• Over time some IT governance methodologies have been developed that are directed towards the identification and estimation of the IT sector's costs and their subsequent allocation over projects, procedures and organizational structures.
• In particular these methodologies concentrate on the estimation of internal staff costs and require the following to be defined:
– Existing internal professional figures and related competencies;
– Internal resources' skills;
– Guidelines aimed at:
• Identifying which internal competences are needed for the project;
• Quantifying the project commitment (effort) and the operative commitment (continuous functioning) of each professional figure;
• Structuring and maintaining a standard cost system associated with each internal professional figure.
Internal and external project costs (3/7)
• Personnel costs should eventually be charged with any expenses related to the "standard equipment" necessary for internal resources to work effectively. The daily standard cost of a resource should therefore consider an estimate of the portion of the fees (actual or imputed) related to:
– the office (including rent and utility costs: heating, lighting, cleaning);
– the workstation (personal computer, application software, telephony, etc.);
– etc.
• All standard costs must be taken from the Cost Allocation system of the Management Control Office.
Internal and external project costs (4/7)
• The same logic, once developed on the internal structure, can be used for the evaluation of offers from suppliers. The implicit structure of analysis and classification can in fact be adopted to verify, for example, offers regarding development activities:
– development, configuration and customization of the application software;
– operations management (both applicative and related to the activities of business management);
– maintenance.
• It is possible to adapt these methods to the software selection process, forcing their adoption by the supplier, making the comparability of the identified solutions more solid and improving the "reading" of the terms and content of the proposed offering.
Internal and external project costs (5/7)
• In practice these procedures would allow possible anomalies to be identified regarding:
– Overestimation of man-days effort: presence of unnecessary activities or use of excessively senior professional figures;
– Underestimation of man-days effort: missed identification of necessary activities or use of resources with lower than optimal skills.
• Furthermore, matching the professional profiles of external resources with the internal specific ones and their related standard costs can allow you to:
– Evaluate the supplier's real experience;
– Identify apparent dumping that hides «anomalous» behaviors, such as:
• The systematic over-structuring of the necessary man-days;
• The employment of professional figures that aren't coherent with the project requirements.
Internal and external project costs (6/7)
• On big projects it is possible to overestimate project efforts in order to over-bill the actually invested man-days: in these contexts it is really difficult to achieve complete control over the supply side.
• The daily fee indicator for a professional figure doesn't discriminate between supply services on its own; a different configuration of the project team can affect productivity.
Internal and external project costs (7/7)
• It is therefore suggested to base the choice on global costs, using unitary parameters of cost per professional figure to evaluate the supplier's approach.
• This is all the more important in the frequent cases in which the «supply cost» is not fixed (turnkey) but recalculated on the basis of the activities actually performed; in these situations a «low» unitary price could distort the selection without allowing for actual savings.
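The checks described in slides 4/7 to 7/7 above can be mechanized. The Python below is an added example (not the author's or any firm's tool) that prices each constructed supplier offer at its own unit rates to obtain a global cost, compares its man-days per professional figure against an internal baseline estimate for the project stereotype, and flags unit prices far below the internal standard cost as possible dumping. The professional figures, standard daily costs, baseline man-days, the three offers and the 25% / 70% thresholds are all constructed assumptions.

```python
"""Supplier offer check against internal standard costs (added example, constructed data)."""

# Internal standard daily cost per professional figure (EUR/day, constructed),
# already including the "standard equipment" share (office, workstation, ...).
STANDARD_DAILY_COST = {"project_manager": 900, "senior_analyst": 700,
                       "developer": 450, "tester": 350}

# Internal baseline man-days per figure for this project stereotype (constructed).
BASELINE_DAYS = {"project_manager": 40, "senior_analyst": 120,
                 "developer": 300, "tester": 80}

# Constructed supplier offers: figure -> (man-days, unit daily price in EUR).
OFFERS = {
    "supplier_X": {"project_manager": (60, 950), "senior_analyst": (200, 720),
                   "developer": (300, 480), "tester": (80, 360)},
    "supplier_Y": {"project_manager": (40, 400), "senior_analyst": (120, 380),
                   "developer": (300, 250), "tester": (80, 200)},
    "supplier_Z": {"project_manager": (45, 880), "senior_analyst": (130, 690),
                   "developer": (320, 440), "tester": (70, 340)},
}

TOLERANCE = 0.25      # assumed: flag man-day deviations beyond +/-25% of baseline
DUMPING_RATIO = 0.70  # assumed: unit price below 70% of internal standard cost is suspicious


def global_cost(offer):
    """Global cost of an offer at the supplier's own unit prices."""
    return sum(days * price for days, price in offer.values())


def baseline_cost():
    """What the same project would cost at internal standard rates and baseline effort."""
    return sum(BASELINE_DAYS[f] * STANDARD_DAILY_COST[f] for f in BASELINE_DAYS)


def anomalies(offer):
    """Over/under-estimated man-days per figure and apparently dumped unit prices."""
    findings = []
    for figure, (days, price) in offer.items():
        deviation = (days - BASELINE_DAYS[figure]) / BASELINE_DAYS[figure]
        if deviation > TOLERANCE:
            findings.append(f"{figure}: man-days overestimated by {deviation:.0%}")
        elif deviation < -TOLERANCE:
            findings.append(f"{figure}: man-days underestimated by {-deviation:.0%}")
        if price < DUMPING_RATIO * STANDARD_DAILY_COST[figure]:
            findings.append(f"{figure}: unit price {price} below "
                            f"{DUMPING_RATIO:.0%} of internal standard cost")
    return findings


def evaluate(offers):
    """Global cost and anomaly list for every offer, to read side by side."""
    return {name: {"global_cost": global_cost(offer), "anomalies": anomalies(offer)}
            for name, offer in offers.items()}


if __name__ == "__main__":
    print("internal baseline:", baseline_cost())
    for name, result in evaluate(OFFERS).items():
        print(name, result)
```

In the constructed data supplier_Y is by far the cheapest on global cost, but every one of its unit prices is flagged against the internal standard, which is the "low unitary price" situation the slide warns about when the supply cost is recalculated on the activities actually performed; supplier_X prices normally but inflates the senior figures' man-days, and supplier_Z is the one with no anomalies.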
Elapsed (1/2)
• Any investment should be evaluated with regard to its duration and usefulness with respect to the availability of the underlying good/service. Investment in software is no exception to this logic, and it is necessary to consider:
– the possible time-to-market of initiatives enabled by the investment, for example in the case of production of new products and services;
– any deadlines set out in the business plan (normally communicated to the financial community), in particular for all savings operations;
– deadlines derived from regulatory requirements (such as the IAS accounting principles, MiFID, Basel II, 262 and Solvency II).
Elapsed (2/2)
• In order for the programmed returns from IT investments to respect deadlines it is necessary for the project scheduling to be respected.
• We here recall some key elements for effective program management.
Project Deadline (1/2)
• The deadlines of an IT project implementation affect and constrain the alternative solution selection process.
• It is important to remember that implementation activities are actually:
– Not compressible beyond a certain level;
– Often conditioned by each other in ways that define a critical path which is also not compressible;
– Constrained by the availability of certain skills in a specific timeframe.
Project Deadline (2/2)
• For example, the production release of an application:
– Is conditioned by the duration of the operative processes of Change Management (themselves conditioned by the productive capacity of the organizational structure in charge) and by the level of required customization;
– Must be preceded by the testing activities, a task that is usually assigned to very specific user resources, which at certain times of the year may not be available (e.g. General Accounting resources during the financial year-end closing).
• Every project solution is characterized by a plan that entails different deadlines, potentially incompatible with the defined project deadline.
Project planning (1/3)
• The verification of deadlines is done during the project planning activities.
• A mature organization should define and approve a structured approach to project planning with which to support internal planners and guide possible external ones.
Project planning (2/3)
• In this sense the Planning responsible should:
– Define standard project planning stereotypes, identifying and categorizing them as a function of:
• The kind of project or scope (new application installation, application replacement, change of technological-applicative architecture, etc.);
• Project size (small, medium, large project).
– Identify and estimate for each standard project stereotype:
• Necessary activities and temporal ties (critical path);
• Main milestones, including those related to estimating customization activities (as the effort phase of QEERB requires);
• Skills (and therefore the business structures that supply competencies).
– Keep historical series of estimates and related actual values in order to improve and refine the related KPIs.
Project planning (3/3)
• These standards can ease and strengthen planning processes, allowing for:
– Customization of the standard project stereotypes:
• defining effort estimates together with the corporate structures that provide the skills;
• identifying resources (internal / external) that possess the necessary skills and verifying their availability;
• identifying and sharing the final project deadlines with the stakeholders of the IT solution to be implemented.
– Directing and monitoring any project schedules defined by suppliers:
• reviewing project plans that do not meet the deadlines of the internal project planning;
• highlighting the faults of supplier schedules that differ from the stereotypes in terms of activities, type of resources and reference KPIs.
• A solid project planning activity requires that it be engineered and organized in well-defined processes.
Evaluation indicators (1/2)
• Deadline satisfaction can be evaluated through a synthetic index that highlights the degree of fit with the defined deadlines.
• The minimum requirements that a deadline-fitting indicator should satisfy are:
– It assumes its maximum value (100%) when there is a perfect match between the deadlines of the analyzed solution and those planned internally;
– It accounts for gaps between planned deadlines and solution deadlines (fitting errors) relative to the duration of the reference activities, allowing for:
• highlighting the degree of deviation of each activity by comparing the deviation to the length of the activity (the same error weighs more on a shorter activity);
• comparing deviations among different activities.
Evaluation indicators (2/2)
• The indicator is particularly useful when several alternative solutions have to be compared in the context of a software selection process.
Risk (1/3)
• In general terms, the ex-ante estimates of Quality, Effort and Elapsed involve risk-taking, because of the possibility that the project predictions will not actually come true.
• A risk analysis must consider the main types of risk, such as:
– Supplier risk, deriving from the current and potential reliability of a given supplier (size, competencies, methodological approach, history, market position, reputation, etc.);
– Technological risk, deriving from the use of obsolete or immature technologies;
– Risks deriving from a possible lack of internal skills;
– Time risks, related to short project durations (no catch-up time);
– Size risks, related to the number of activities, their complexity and scope (project complexity risks).
Risk (2/3)
• The risk analysis must also account for impacts on the estimates regarding:
– Quality:
• Solution not aligned with the defined needs (with consequent invalidation of the customization estimates); the impact of this risk should be reduced by a specific milestone, in the first weeks of the project, verifying the defined and planned performances;
• Functionalities that are inadequate, unusable, or not compliant with user specifications.
– Effort (Costs):
• Unexpected and significant deviations between planned (budgeted) and actual project and management costs;
• Unexpected increases in the cost of managing the information system, determined by:
– low quality of the application software;
– mismatch between the implemented solution and the architectural and technological characteristics declared during selection.
– Elapsed:
• Failure to meet the release or production dates of the new application.
Risk (3/3)
• Each project plan should highlight the risks associated with the initiative and discuss the existing contingencies and possible mitigation actions. This applies all the more during the software selection process, for the analysis of each solution.
Benefit (1/3)
• Assessing the benefits resulting from an investment in application software is quite complex. However, a careful reconciliation of qualitative motivations with quantitative elements is essential in an investment appraisal process that operates under economic and time constraints.
• In general terms, the reasons that require the implementation of a new application solution are attributable to the following:
– process, operational, governance or compliance automation;
– support for the commercialization of new products / services;
– internal / external communication;
– technological obsolescence.
Benefit (2/3)
• The value created by an investment in applications is a function of the impact generated by the application solution on the corporate system. Not all the needs that one intends to address by adopting an application solution can be directly related to quantifiable benefits. Approximations are therefore needed to collect a set of sufficiently objective results, meaning results capable of supporting a substantially conscious choice.
• It is possible to assume that the expected benefits from an IT investment are attributable to some typical categories. The following table shows some of these benefits.
Benefit (3/3)
Qualitative Benefits | Prevailing Organizational Implications | Economic Impact
Decreased execution time | Improved service for the final customer; improved human resource management | > Returns (products/services sold); < Staff costs
Decreased crossing times | Improved service for the final customer | > Returns (products/services sold)
Decreased execution and crossing times | Greater volumes treated | > Returns (products/services sold)
More information availability | Improved human resource management; improved decision making | < Staff costs; < Risk (operative, market, credit)
Service improvement (internal) | Improved human resource management; greater technological efficiency | < Staff and administration costs; < Risks (operative)
Source: The Innovation Group
The Return on Investment (1/3)
• The QEERB protocol, once applied in a software selection process, produces the following results:
– It identifies one or more solutions that are coherent with the needs established at the beginning of the process;
– It makes explicit the global IT cost, the estimated solution revenue and the risks associated with each evaluated solution.
• The first result allows a homogeneous comparison between the different evaluated options, making it possible to compare the costs and revenues associated with each alternative.
The Return on Investment (2/3)
• The methods used to calculate the Global IT Cost and the Estimated Solution Revenue allow the investment margin and its return (Return on Solution, ROS) to be calculated according to the following scheme:
• The ROS naturally highlights the relationship between the costs of an IT investment and the benefits deriving from its implementation. In general it is reasonable to expect an alignment between the ROS and the company's target ROE.
• An efficient organization should generally give up alternatives with a negative ROS.
• In the case of mandatory initiatives, the ROS may always be negative. In this case the evaluation of the differential benefits should guide towards the most convenient solution.
ROS = ("Estimated Solution Global Revenue" − "Global IT Cost") / "Estimated Solution Global Revenue"
The Return on Investment (3/3)
• As said, the QEERB protocol associates each investment with a specific risk profile, generally expressed in qualitative terms. When facing the same ROS, the risks involved in each solution become the main decision driver, guiding towards the less risky solution.
• Where the ROS values and the related risk profiles differ markedly, the ROS must be weighted with the associated risk, using a standard scale defined on the basis of historical experience.
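The deadline-fitting indicator described under "Evaluation indicators" and the ROS / risk-weighting rules above, carried through as an added example (not part of the original deck or the QEERB protocol): the fitting formula, the 1..5 risk scale, the penalty per risk level and the sample solutions are all assumptions built from the requirements the text lists.

```python
"""Added example, not part of the original deck: a QEERB-style comparison of
alternative solutions on deadline fit, Return on Solution (ROS) and risk.

Assumptions (not stated in the text): the deadline-fitting index is
1 - mean(|solution deadline - planned deadline| / planned activity duration),
clipped to [0, 1]; risk weighting subtracts a fixed penalty per level of a
1..5 qualitative risk scale. The sample solutions below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    planned_start: int   # day offset in the internal project plan
    planned_end: int     # internally planned deadline (day offset)
    solution_end: int    # deadline proposed by the evaluated solution's schedule


@dataclass(frozen=True)
class Solution:
    name: str
    activities: tuple          # tuple of Activity
    global_revenue: float      # "Estimated Solution Global Revenue"
    global_it_cost: float      # "Global IT Cost"
    risk_level: int            # qualitative risk, 1 (lowest) .. 5 (highest)


def activity_deviation(a: Activity) -> float:
    """Fitting error of one activity: the deadline gap relative to the planned
    duration, so the same slip weighs more on a shorter activity."""
    duration = max(a.planned_end - a.planned_start, 1)   # guard zero-length
    return abs(a.solution_end - a.planned_end) / duration


def deadline_fit(s: Solution) -> float:
    """Synthetic deadline-fitting index in [0, 1]; 1.0 (100%) only when every
    solution deadline matches the internally planned one."""
    if not s.activities:
        return 1.0
    mean_dev = sum(activity_deviation(a) for a in s.activities) / len(s.activities)
    return max(0.0, 1.0 - mean_dev)


def ros(s: Solution) -> float:
    """Return on Solution = (global revenue - global IT cost) / global revenue."""
    if s.global_revenue <= 0:
        raise ValueError("ROS requires a positive estimated global revenue")
    return (s.global_revenue - s.global_it_cost) / s.global_revenue


def risk_weighted_ros(s: Solution, penalty_per_level: float = 0.05) -> float:
    """ROS weighted by risk: assumed standard scale, one fixed penalty per
    risk level above the lowest. Equal ROS then ranks the less risky first."""
    if not 1 <= s.risk_level <= 5:
        raise ValueError("risk_level must be on the 1..5 standard scale")
    return ros(s) - penalty_per_level * (s.risk_level - 1)


def rank_solutions(solutions, fit_threshold: float = 0.8):
    """Discard alternatives with negative ROS or insufficient deadline fit,
    then rank the rest by risk-weighted ROS (ties by raw ROS), best first."""
    viable = [s for s in solutions
              if ros(s) >= 0 and deadline_fit(s) >= fit_threshold]
    return sorted(viable, key=lambda s: (risk_weighted_ros(s), ros(s)), reverse=True)


def least_cost_when_obliged(solutions, fit_threshold: float = 0.8):
    """Mandatory initiative where every ROS is negative: choose the alternative
    with the lowest global IT cost among those that still meet the deadlines."""
    feasible = [s for s in solutions if deadline_fit(s) >= fit_threshold]
    return min(feasible, key=lambda s: s.global_it_cost) if feasible else None


# Constructed sample: the two activities named in the text (Change Management,
# then user testing), with deadlines proposed by four alternative solutions.
def _solution(name, cm_end, test_end, cost, risk):
    acts = (Activity("change management", 0, 20, cm_end),
            Activity("user testing", 20, 30, test_end))
    return Solution(name, acts, global_revenue=1000.0, global_it_cost=cost,
                    risk_level=risk)

SOLUTION_A = _solution("A", 22, 32, 700.0, 2)    # slips 2 days on each activity
SOLUTION_B = _solution("B", 20, 30, 650.0, 4)    # perfect fit, but riskier
SOLUTION_C = _solution("C", 20, 30, 1100.0, 1)   # costs more than it returns
SOLUTION_D = _solution("D", 20, 45, 700.0, 2)    # testing ends 15 days late
SAMPLE_SOLUTIONS = (SOLUTION_A, SOLUTION_B, SOLUTION_C, SOLUTION_D)

if __name__ == "__main__":
    for s in SAMPLE_SOLUTIONS:
        print(f"{s.name}: fit={deadline_fit(s):.2%} ROS={ros(s):+.2f} "
              f"weighted={risk_weighted_ros(s):+.2f}")
    print("ranking:", [s.name for s in rank_solutions(SAMPLE_SOLUTIONS)])
```

With the sample data, B has the higher raw ROS but A wins once the risk penalty is applied; C drops out on negative ROS and D on deadline fit.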
NEW SCENARIOS
[Chart: "WW Growth from 2008-2012 – Technology is a catalyst". Series: IT Staff (000), Servers (M), Mobile Internet Users (M), Non-Traditional Devices (M), Information (EB), User Interactions (B per Day). Growth multipliers shown: 1.1X, 1.9X, 3.0X, 3.6X, 5.1X, 8.4X. Drivers: Efficiency, Resource Sharing, Complexity, Economy of Scale, Off Premises.]
Source: The Innovation Group
"Traditional" Information Management
[Diagram with blocks: Enterprise Business Applications; Data Warehouse (three instances); Reporting; DSS; Executive KPI Dashboard.]
Source: The Innovation Group
"Pervasive" Computing
[Chart: "Nr. of devices destined to Worldwide Communication", in millions (0 to 8,000), years 2005 to 2015; device categories: Computers, Phones, Toys, Games, Cars, Videocameras, VoIP, GPS, Buildings, Readers, TV, Equipment.]
Source: The Innovation Group
Changing the Landscape
• Blades, Grid
• Big Data, Web Apps
• Cloud, Web 2.0
• VoIP, IP Networking
• Fixed & Mobile Convergence, Unified Communication
• Social Networks, Virtual Worlds
Source: The Innovation Group
The software quality breakthrough
… from a complexity crisis to …
– Web 2.0
– Software as a Service / Cloud Computing
– "composite" Applications
– Service Oriented Architecture
– Open Source
Source: The Innovation Group
Value chain integration
Strategies based only on technology don't work.
Source: The Innovation Group
Next generation IT
• Optimized Sourcing
• Variable Cost Structure
• Managed Like a Business
• Service-Oriented, Loosely-Coupled Web 2.0 Architecture
• Extensive Leverage of Standard "Commodity" Components
• Business Process-Centered Strategy & Operations
Source: The Innovation Group
Utility/Cloud Computing Ecosystem
[Diagram: Users, reached Direct or via Channel, through roaming devices, the wireless "smart" office and the wireless "smart" home; Networked "Internet" Data Centers of the "Utility"/Cloud Service Provider; "Arms" Suppliers of HARDWARE (Storage, Server, Network) and SOFTWARE (Digital Media, Business applications, Systems management, Middleware). Information Technology and Business Strategy are linked by the labels SUPPORTS and DETERMINES.]
Source: The Innovation Group
LESSON #1 – THE POWER OF IT: business pervasiveness
We need a new view of IS to become an intelligent enterprise
• The goal is to increase the productivity of all business processes:
– Operative, transactional, structured/structurable processes: what matters is the efficiency and focus of the enterprise applications.
– Operative semi-structured processes and "information/knowledge intensive" managerial and decisional processes that are not structured/structurable: present in many low-volume functions, they turn out fragmented and with high levels of interaction and cooperation.
• IS first focused on operative processes; they are now being redirected towards the individual productivity of knowledge workers.
• The new platforms for accessing and using information can unlock greater productivity for knowledge workers and more efficient decision-making processes for managers.
Building a social media strategy
• A strategy to interact…
[Diagram: Social Media/Networks and the Corporate Website. Source: The Innovation Group]
… we need a strategy to move towards the Social Corporate Website
[Diagram: stages of social integration, from "No social integration" to "Seamless Integration": link away with no strategy; link away but encourage sharing; brand integrated in social channels; aggregate discussion on site; users stay on site with social log-in; social log-in triggers sharing.]
Source: Altimeter Group
CIO: challenges for the IT division
[Chart, CIO/IT Manager: Optimize the use of resources; Ensure IT governance; Communicate effectively; Interact with BU managers. Values shown: 55%, 65%, 75%, 81%.]
CIOs must learn how to do IT «marketing»
IT governance is fundamental
[Chart, Internal IT Staff: Alignment of existing skills with required competencies; "Do More with Less People"; Ability to interact with BU managers; Less Task Mgmt, more Project Mgmt. Values shown: 50%, 60%, 52%, 70%.]
Does the company already have the necessary competencies?
Are the market and the offering aligned with customer requirements?
Source: IDC survey of CIOs of Italian companies, 2008. Multiple answers.
Business priorities
[Chart, categories: Corporate Social Responsibility; Organization and Processes; Human Resources Development; Planning & Forecasting; Economic and financial efficiency; Increase in internal productivity; Time-To-Market; Customer Service. Values shown: 24%, 37%, 40%, 50%, 51%, 54%, 62%, 83%.]
Business priorities
[Chart, categories: Corporate Social Responsibility; Organization and Processes; Human Resources Development; Planning & Forecasting; Economic and financial efficiency; Increase in internal productivity; Time-To-Market; Customer Service. Values shown: 28%, 40%, 30%, 40%, 75%, 70%, 55%, 70%.]
The role of IT
Source: IDC survey of CIOs of Italian companies, 2008. Multiple answers.
[Chart, "The role of IT": for each business priority (Corporate Social Responsibility; Organization and Processes; Human Resources Development; Planning & Forecasting; Economic and financial efficiency; Increase in internal productivity; Time-To-Market; Customer Service), two series: "IT role: Primary" and "IT role: As decisive as other strategies". Values shown: 7%, 20%, 5%, 32%, 10%, 40%, 15%, 40%, 25%, 42%, 25%, 38%, 47%, 55%, 35%, 45%.]
[Chart, "The role of IT" (second panel), same categories and series. Values shown: 8%, 17%, 6%, 38%, 15%, 34%, 18%, 45%, 22%, 45%, 29%, 35%, 44%, 52%, 38%, 36%.]
Business and IT alignment and the CIO: is the worst yet to come?
• The crisis is having a negative impact, but it requires the CIO to change faster: the CIO as a "BOXER", defending and then attacking quickly.
• An equivalent evolution of the LOBs and Top Management is also needed.
• Compliance issues become a more important and strategic landscape.
• Supply and Demand = Customer-Supplier Partnership??
[Chart, statements: The CIO/IT Manager is a permanent presence in the company's decision-making committees; The relationship with vendors is still customer-supplier and does not yet have a partnership profile; Alignment between Business and IT is increasing; The CIO/IT Manager's competencies on the economic and financial management of IT assets and on "compliance" must be greater; The CIO/IT Manager must communicate better with the LOBs, and the LOBs must understand more about IT functions and processes. Values shown, first panel: 31%, 40%, 43%, 57%, 70%; second panel: 27%, 50%, 35%, 65%, 80%.]
Mobile, BI, data, and cloud are seen as the source of the most disruptive change
Forrester, 2011
How IS Add Value to Intelligence
Leverage the Social Media
• Seek Feedback on New Product Development
• Create Buzz Marketing and Blogs to Beat the Competition
Source: The Innovation Group
Interactive Engagement: The Internet is an Organic Test Lab
• IS don't Need to Hole Up in their Ivory Tower
Source: The Innovation Group
Interactive Engagement: Collaborate with Management in Real Time
• Leverage the Social Media to Beta Test and Ask for Solutions
Source: The Innovation Group
Be Open to the Discovery Process
• The Social Media Spawns Epiphanies
• Real Time Conversations of Ideas Can Move the Original Plan in an Entirely New Direction
• Apply Zen
Source: The Innovation Group
Management and Consultant Must Resolve to Execute Iteratively, So Consulting doesn't become a Navel Gazing Exercise
4. Level the IS – USER Relationship
Source: The Innovation Group
The role of skills
Hard Skills
• Technical skills
• Market skills
• Methodological skills
Soft Skills
• Relational skills
• Analytic skills
• Standing
• Interrelations
• Evolving vision
Cloud computing: just the definition
"Cloud computing is an architectural model that enables on-demand access, through networks, to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services), that can be delivered and freed quickly while allowing for management activities."
National Institute of Standards and Technology (U.S.)
Characteristics:
• Self service, on-demand
• Ubiquitous network access
• Resource sharing
• Quick flexibility
• Measurable services
3 Delivery models: IaaS, PaaS, SaaS
4 Distribution models: Private, Community, Public, Hybrid
Source: The Innovation Group
Why cloud computing is a structural change
• Technological factors
– Growth in broadband availability
– Widespread use of virtualization technology
– Drastic reduction in computing and storage costs
– The mobile revolution and the spread of smart devices
• Economic factors and managerial practices of the ICT industry
– New ways of developing software (component-based software design, SOA, etc.)
– The financial crisis and lack of liquidity make investment models with low fixed costs and higher variable costs more attractive
– A managerial mindset holding that models based on access to services and content, rather than on possession, and on ubiquity are more attractive
– Strong ICT investments worldwide
Cloud economy and sociology
1. Agglomeration economies:
– "the total computing capacity of enterprises tends to be equal to the sum of the peaks that must be sustained by the single businesses"
– In Italy 70% of IT expenses are related to maintenance
– Through agglomeration, IT providers can achieve significant economies of scale, and users, exploiting territorial (business networks) and supply-chain concentration logics, can benefit in terms of management costs and flexibility of choice
– HOW MUCH CAN WE SAVE WITH CLOUD COMPUTING? Remember that agglomeration is symmetrically related to diffusion effects.
2. Diffusion effects:
– If agglomeration exerts its effects on the basic system components, in the IaaS and PaaS views, it also creates a leverage effect in expanding the spectrum of the application and service offering, which frees itself from the limitations of the technological infrastructure and becomes merely functional to business and process logics
– From this perspective, the obvious savings granted by consolidation are coupled with advantages in terms of simpler selection criteria, freed from technological conditions, and with a wider range of opportunities to use added-value services, which should not come with related infrastructural burdens
3. Homogenization effect:
– Cloud Computing can allow system fragmentation in companies to be bypassed, favoring standardization, activating interoperability and finally exposing the resistance to application cooperation and the «data possession» syndrome.
4. Innovation effect:
– A company that also invests part of its resources in innovative technologies, architectures and services strongly contributes to the qualification of its Country System's demand profile
5. Extension effect:
– The Cloud is already accelerating. Part of the public administration (PA) and entrepreneurial world is already migrating towards this technology. The problem remains how to govern these processes.
Transforming an ICT services company into a «Cloud Solution Provider»
You must examine and evaluate a series of business activities and functions, using a set of models as analytic tools, to carry out an assessment useful for identifying the transformation roadmap:
1. Service/offering model (IaaS, PaaS, AaaS, SaaS) and (product, solution)
2. Product/production model (applicative, operative, managerial)
3. Governance model for the «Solutions Plant» (organizational, processes)
4. Sales/channel model (direct, Reseller/VAR agents, Claps Community Partner/CloudApps catalog)
5. Market model (end market, cross/selected; two-sided market/ecosystem)
As emerged from the meeting, we will focus on point 3, using 1 and 2 as inputs and eventually developing 4 and 5.
[Diagram: Offering = Products, Services, Solutions; identify/define the flows supporting the solutions offering.]
Source: The Innovation Group
Offering model (product, service, solution)
[Diagram, IDC cloud taxonomy: Provide Services around ICT Cloud Services; Provide ICT as Cloud Services; Provide ICT Products/Services to enable (public & private) Cloud; APs (Cloud Application Providers). Component layers: Servers, Storage, Network Equipment, IT/Network Management Software, Network Services, App Development/Deployment Software, IT Services – Consulting, Integration, etc. (Solution-as-a-service).]
Source: IDC
Service/supply model (IaaS, PaaS, AaaS, SaaS)
Application As Is Today → Application To Be in Cloud (Client / Server)
• Applicative model: how is the Application structured/designed (processing logic, database, access methods, resources, network)
• Operative model: which OS environments are related to the different C/S application modules (Server OS, Client/SmartT OS, Network OS – GLan, WiFi, Mobile)
• Managerial model: where are Application execution, control, monitoring and security located (insourcing, outsourcing, coop-sourcing)
Break the distribution model down into the Product/production model (applicative, operative, managerial)
Goal: understand the business offering through its organization
[Diagram: Governing the business as a Solution Plant – the Offering (Products, Services, Solutions) is delivered by the Company (Azienda) through PROCESSES, Functions, Flows and Activities.]
Source: The Innovation Group
Governance model of the ''solution plant'' (organization, processes)
FROM SERVICES FACTORY… TO CLOUD PROVIDER
How ICT services work
Source: The Innovation Group
From the factory…
Source: The Innovation Group
… to the Cloud
Source: The Innovation Group
The process-system model
Source: The Innovation Group
Internal vs. Private Cloud
Internal Cloud:
• Virtual infrastructure
• On-demand, elastic, automated/dynamic
Private Cloud:
• Service Management
• Charge Back system (Financial Mgmt)
• Orchestration
• Service Catalogue
First, drop the processes into a framework, especially if operation- or service-oriented, to verify both their preparation and their inward orientation rather than their orientation toward delivery, also in a Cloud perspective. Then start placing this model against the reference maturity model, contextualized to the needs of cloud computing.
Source: The Innovation Group
The maturity model
[Diagram: five stages, Stage 1 TECHNOLOGY, Stage 2 OPERATIONS, Stage 3 APPLICATION MGMT, Stage 4 SERVICES, Stage 5 CLOUD, across four layers: GOVERNANCE, AUTOMATION, SERVICE MGMT, CLOUD INFRASTRUCTURE (IaaS). Items placed on the grid: Evaluation and Procurement; Procurement and Change Mgmt; Audit and Accounting Models; Definition of Standard IaaS Models; Planning IAM Policies; Lab Automation; Provisioning and VM Automation; Applicative Provisioning Automation; Service Provisioning Automation; «Cloud Bursting» Automation; Service Class Definition; Service Pools; Charge Back; Service Catalogue; Defining IAM Requirements of Service Mgmt; Definition of Standard Templates; Service Management Tools Distribution; QoS; Appliance Distribution for the Virtual Infrastructure; Virtual Data Centre Distribution; Consolidation and Virtualization; HA Services Distribution; Load Balancing Distribution; Multitenancy; Optimizing for «Cloud Portability».]
Source: The Innovation Group
Stage 1
• Consolidation and virtualization are the starting point, for which, however, CSI appears to be already well prepared, together with the distinction between factory and service. The integration required between the architectural and technological themes and the organizational and managerial insights (governance) remains to be verified.
Source: The Innovation Group
Stage 2
• On this basis we find the logic of provisioning services through the Cloud, first internally and in "captive" environments, then on the market. The issue becomes less operational and more organizational and process-related, as the organizational issues of support start to be overseen, not just the operational and service ones.
Source: The Innovation Group
Stage 3
• As always in the SEI – Carnegie Mellon maturity models, the transition from level 2 to level 3 is not linear but almost exponential, as the process and organization issues begin to be coupled with measurement topics, both internally on the systems and externally on the services, in order to feed the service catalog and enable a charge-back model, even within the limits of the CSI context peculiarities.
Source: The Innovation Group
Stage 4
• From this point on, growth becomes geometric, merely establishing input-output relationships between the processes of measurement, accounting and actuals reporting, and making these a set of attributes of the Service Catalogue, which has now fully evolved from an internal tool into a service delivery instrument.
Source: The Innovation Group
Service Catalogue Requirements
• Initial business requirements
• Service applicability (business, customer, user)
• Service referents
Service Design
• Functional requirements and expected deliverables
• Service level requirements (SLR / SLA targets)
• Operability requirements (monitoring, support, measurement and reporting)
• Service topology
Organizational Readiness
• Financial and technical evaluations
• Assessment of needs in terms of resources (skills, volumes, ...)
• Assessment of organizational needs
Service Life-Cycle Plan
• Plan and implementation phases, operation, subsequent updates
• Transition plans (development, testing, migration, release ...)
• Operative acceptance plan (events, issues, changes, known errors ...)
• Acceptance criteria to be used during transitions along the Life-Cycle
Source: The Innovation Group
Stage 5: Orchestration
• The last step is perhaps the most important, because it defines in a single Governance process the entire internal process orchestration that is functional to the functioning of the operative machine, to the provision of services and, above all, to their measurement, aiming at greater efficiency levels, also through lean logics.
Source: The Innovation Group
Governance
• All of this must be targeted towards the delivery model considered most consistent with one's own service model and its control needs. In fact, if the definition of the deployment model (Private, Public, Community, Hybrid) is functional to the identification of market strategies, defined here also and especially by the corporate mission, the definition of the delivery model decisively shapes the governance and control model, with a view to assigning the roles and responsibilities with respect to which work is actually carried out.
[Diagram: GOVERNANCE – RESPONSIBILITY of Client vs Supplier across the SERVICE MODEL (IaaS, PaaS, SaaS). Components: Machine government; Organizational models; Accounting and Control models; SLA / Roles and Responsibilities models.]
Source: The Innovation Group
The mobile revolution is coming
• Cellular telephony
• SMS
• Mail
• Forum
• Chat
• Blog
• Social networks
• Microblogging
• IP telephony
• Teleconference
• Web radio/TV
Chart: 2011 est.: 86.7%
Source: ITU, Measuring the Information Society, 2011
Cloud + Consumerization + Mobility = BYOD
COMPANY CAR
Source: The Innovation Group
BYOD turns everything around!
Fonte: TechMarketView LLP Intellect Regent Conference 2012
CLOUD and BYOD
Source: The Innovation Group
Why Cloud and BYOD are "disruptive": old market models do not work anymore
IT Services:
• Project Services (Consulting, App Dev, Systems Integration): short term, time-and-materials, flexible staffing
• Outsourcing (Apps Os'g, Infra Os'g, BPO): long term, fixed price, people and asset transfer
Source: The Innovation Group
The future of Cloud and BYOD: Cloud everywhere!
• Public Cloud
• Private Cloud
• Personal Cloud (e.g. DropBox, Gmail alongside corporate e-mail)
Source: The Innovation Group
BYOD
BYOD (1/17)
• Many companies are considering adopting personal devices for business applications. Their goal is to increase customer satisfaction and employee productivity through the use of new technologies, while reducing mobile expenses. This BYOD trend is one of the most striking results of the consumerization of IT, in which user preference, rather than business initiative, drives the adoption of technology in businesses. However, many of these technologies were not built with business requirements in mind, so IT groups are often uncomfortable about security and the sustainability of the solution.
BYOD (2/17)
• But BYOD means much more than just moving the ownership of a device to the worker. It has far more complex and hidden implications, for which it is necessary to define a strategy in advance. Based on our customers' experience, this document traces eight main components of successful BYOD strategies:
• Sustainability
• Device choice
• Loyalty model
• Responsibility
• Privacy and user experience
• Application design and management
• Economic aspects
• Internal marketing
BYOD (3/17)
• BYOD is new for most organizations and, consequently, established best practices are yet to be developed. One of the traps many fall into is defining a rigid set of policies that is unsustainable in the long term. To be sustainable, BYOD policies must meet the needs of both IT and workers, in order to:
– Secure business data
– Minimize implementation and adoption costs
– Preserve the native user experience
– Stay in line with users' preferences and technological innovation.
BYOD (4/17)
• The primary catalyst for BYOD is that workers have personal preferences for devices other than those their company traditionally provides. The most common example is a worker who has a company-provided BlackBerry for work and an iPhone or Android for personal use at home, and who would prefer to carry one phone instead of two. However, in a world in which consumers' preferences change every year or even every quarter, and the mobile device and application sectors are in continuous evolution, it is difficult to define how much to leave to the workers' choice.
BYOD (5/17)
• Building a policy on the choice of devices requires you to:
– Analyze worker preferences and understand which devices they have already bought: a BYOD program that does not consider current or projected purchases will hardly be attractive.
– Define the minimum security and supportability requirements the device must meet. The goal is to include all the mobile platforms preferred by the workers while avoiding security gaps or complicated situations. Minimum requirements usually cover resource management, encryption, password policies, remote lock/reset and e-mail/Wi-Fi/VPN configuration. Without these fundamentals the mobile platform is not company friendly. The more advanced requirement list usually focuses on particular functionality related to certain applications and on advanced security, such as certificate-based authentication.
BYOD (6/17)
– Understand the operating system, hardware and regional variations with respect to the minimum requirements: especially on Android, similar devices can support very different functionality depending on the manufacturer and on the geographic area. Even the branding of the same device may vary according to the wireless operator, adding confusion.
– Develop an agile certification scheme for evaluating future devices: most organizations invest in early certifications when setting up their BYOD program. However, new devices are introduced into the market every three to six months, so the certification process should keep growing and evolving. If the process is too rigid it will become expensive and possibly fail, since the speed and efficiency of certification are essential.
– Establish clear communication with users about which devices are allowed or not, and why: without these clarifications, users may purchase unsupported devices or become frustrated because the level of IT service they expect is not met.
– Ensure that the IT team has the capacity needed to keep up to date: the list of allowed devices is strongly influenced by user demand and can therefore change quickly, often several times a year. Someone in the IT team must become the device expert and drive the evolution of the scheme.
BYOD (7/17)
Loyalty Model:
• Trust is the foundation of enterprise security: which users do I trust, with which data or applications, and under what circumstances? Larger organizations have gone through data classification to establish a basis for their security policies. But even without the introduction of BYOD, trust models for the mobile environment add extra complexity, because devices easily oscillate in and out of compliance. The trust level of a mobile device is dynamic and depends on its security posture at a given time. For example, it is easy to trust the CFO of a company with financial data on their tablet, but not if they inadvertently download a risky application or disable encryption. Since mobile devices cannot be locked down as completely as traditional laptops and desktops, they fall out of compliance more frequently.
• BYOD adds another layer to the trust model, since the level of trust for personal devices can differ from that of enterprise devices. Privacy policies will vary as expectations change. For example, users may agree not to use social networking applications on enterprise devices, but that kind of policy is unacceptable on personal devices.
BYOD (8/17)
• Building a loyalty model for BYOD requires you to:
– Identify and evaluate the risk of security issues common on personal devices: employees use personal devices differently from business ones, for example they download more applications. So, with BYOD, devices can fall out of compliance with corporate policies more frequently or for different reasons.
– Define remediation options (notification, access control, quarantine, selective deletion): these options may vary in severity between BYOD and business devices. For example, on a company device with a moderate compliance risk the remedy may be immediate and complete deletion. On a personal device there may initially be a less severe action, such as blocking access to business content, followed by the selective deletion of corporate data only.
– Define a multilayer policy: ownership is now a key element in the definition of policies. As a result, personal and company devices will have different sets of policies for security, privacy and application deployment.
– Establish the user's and the device's identity: since the choice of device becomes fluid, it is more important to verify the identity of the user and of the device, normally through certificates.
– Take a critical look at the sustainability of the security policies that have been set up: what is the impact on the user experience? Will users accept the compromise in the long term? If the level of trust in personal devices is so low as to require extensive usage restrictions for security reasons, the employee's personal mobile experience will be damaged and neither the policies nor the BYOD program will be sustainable.
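As an added example, not taken from the original slides, the following Python models two of the points above together: the minimum-requirement check from the device-choice section (encryption, password policy, remote lock/reset) and the ownership-tiered remediation ladder from the loyalty-model section. Device attributes, the "degraded" threshold and the action names are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed device record; field names are assumptions chosen for illustration.
@dataclass
class Device:
    device_id: str
    owner: str            # "corporate" or "personal": the ownership layer of the policy
    platform: str
    encrypted: bool       # storage encryption enabled
    passcode_set: bool    # password policy satisfied
    remote_wipe: bool     # remote lock/reset reachable by the management tool
    cert_auth: bool       # certificate-based user/device identity (advanced tier)
    risky_apps: int       # apps flagged as risky since the last compliance check

# Minimum requirements named on the slide; a device failing any is "not company friendly".
MINIMUM_REQUIREMENTS = ("encrypted", "passcode_set", "remote_wipe")

def certify(dev: Device) -> list[str]:
    """Return the minimum requirements the device fails (empty list = certifiable)."""
    return [req for req in MINIMUM_REQUIREMENTS if not getattr(dev, req)]

def posture(dev: Device) -> str:
    """Dynamic trust level: the same device drifts between states as its config changes."""
    if certify(dev):
        return "non_compliant"          # fundamentals missing
    if dev.risky_apps > 0 or not dev.cert_auth:
        return "degraded"               # certified, but identity or app hygiene weakened
    return "trusted"

# Remediation ladders keyed by ownership (assumed action names). Personal devices get a
# gentler escalation: block business content first, then remove only corporate data.
REMEDIATION = {
    ("corporate", "degraded"):      ["notify", "quarantine"],
    ("corporate", "non_compliant"): ["notify", "full_wipe"],
    ("personal", "degraded"):       ["notify"],
    ("personal", "non_compliant"):  ["notify", "block_business_access", "selective_wipe"],
}

def remediation(dev: Device) -> list[str]:
    """Escalation steps for this device, in order; a trusted device needs none."""
    state = posture(dev)
    if state == "trusted":
        return []
    return REMEDIATION[(dev.owner, state)]

def fleet_report(fleet: list[Device]) -> dict[str, tuple[str, list[str]]]:
    """Posture and planned steps per device, as a compliance dashboard would show them."""
    return {d.device_id: (posture(d), remediation(d)) for d in fleet}

# Constructed sample fleet for a stand-alone run.
SAMPLE_FLEET = [
    Device("corp-01", "corporate", "android", True, True, True, True, 0),
    Device("corp-02", "corporate", "ios", True, True, True, False, 2),
    Device("byod-01", "personal", "android", False, True, True, False, 0),
    Device("byod-02", "personal", "ios", True, True, True, True, 1),
]

if __name__ == "__main__":
    for dev_id, (state, steps) in fleet_report(SAMPLE_FLEET).items():
        print(f"{dev_id}: {state} -> {steps or 'no action'}")
```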
BYOD (9/17)
Responsibility:
• All companies have long-established approaches to evaluating the risks related to workers' actions and the related liabilities. These actions range from insecure use of company data to access to inappropriate sites and applications. BYOD introduces a new consideration: the device on which these actions are carried out is not corporate property. So the question becomes: «does moving the ownership of a device from the company to the worker increase or reduce corporate liability?».
BYOD (10/17)
• To evaluate BYOD liability you need to:
– Define the elements of baseline enterprise data protection on BYOD devices: all companies must protect corporate data on mobile devices, but different protections may be required on different devices. For example, extra protection may be necessary for applications used by ultra-privileged users on Android rather than on iOS. Employees will need clarity on which actions create and which limit their responsibilities.
– Assess liability for the use of personal web sites and applications: employees expect to be able to use their personal devices in any way they want. Does inappropriate use still constitute a liability for the company, even when it involves non-corporate data?
– Assess liability for use in and out of the office, and within and outside working hours: should use be monitored while at work but not while away? The boundaries between work time and personal time are blurred for many knowledge workers, so companies avoid this additional complexity.
– Assess whether the nature of BYOD reimbursements affects liability (a partial allowance or full payment of the service costs): many organizations have decided that the level of payment has no impact on the level of liability, but this is an area with regional variations. Financial responsibility may impose legal obligations.
– Quantify the costs of monitoring, enforcing and verifying BYOD compliance: if liability is lower, the corresponding compliance costs will be lower too, potentially making a significant contribution to cost reduction.
– Assess the risk and liability arising from damage to personal data (for example, a full wipe performed by mistake instead of a selective one): most organizations cover themselves legally in their agreements with the user, but this possibility creates privacy-related frustration among workers.
BYOD (11/17)
Privacy and User experience:
• BYOD itself reflects the idea that user satisfaction is a primary goal for IT. But security and user experience have often been seen as conflicting interests: the usability of traditional enterprise applications has lagged substantially behind that of consumer applications, which are designed with user experience as a top priority. The fundamental principle of successful BYOD strategies is to preserve the user experience. These programs will not be sustainable if the user experience is compromised when employees begin to use personal devices for e-mail and business applications. The user experience can be compromised in many ways: increased battery consumption, third-party e-mail applications that do not provide the native experience, complex authentication, useful features disabled, unintuitive interfaces, lack of privacy.
• A social contract must be established between workers and the company. This social contract is an agreement between worker and employer on their respective roles and responsibilities regarding BYOD.
BYOD (12/17)
Application management and design
• The considerations about the trust model and device choice described in the previous sections have a fundamental impact on the BYOD application strategy. Initially, organizations believe that BYOD merely affects the ownership of devices, with minimal impact on applications. But applications involve corporate data, and if the level of trust in a BYOD device differs from that of a traditional device, this will directly affect application design and deployment. In addition, employees will expect internal applications to be supported on all approved BYOD devices, not only on a small set. This implies either a deeper investment by the company in application development and testing, or clear education and communication to employees about which applications are supported on which devices and why. User confusion will result in support calls for technical assistance.
BYOD (13/17)
Economic aspects:
• Short-term economic analyses of the BYOD phenomenon generally revolve around eliminating the device purchase cost and shifting from paying for the full service to paying a predictable monthly fee. But the long-term economic implications may come from unexpected sources. In most organizations, BYOD strategies have not yet been in place long enough to accurately assess their economic impact, but here are some key dimensions to consider. The BYOD ROI is a combination of the variables listed below, weighted against the value of employee satisfaction and productivity; the hidden economic value of this kind of program depends essentially on its ability to increase productivity, to manage the cost of complexity and to achieve value through more responsible use of the devices by employees:
BYOD (14/17)
• Device hardware: no need to buy attractive hardware. However, many large companies have traditionally bought heavily subsidized smartphones, so the actual savings may be lower than expected.
• Overspending: when employees have visibility of their personal use of the device, their behaviour tends to become more responsible. They use the device less while roaming and are more careful not to lose it. BYOD encourages personal responsibility.
• Service plans: some organizations continue to pay for the full service, while others move to a fixed monthly allowance for the user, often based on seniority and position within the organization. However, the power to negotiate with the wireless carrier may be lost if the billing model does not provide for consolidation.
• Productivity is harder to quantify, but access to business functions on the device preferred by the employee, rather than the one preferred by the company, implies not only greater satisfaction but also increased productivity. Employees now have the tools they want to use for the job they have to do.
• Technical support: conventional wisdom suggests that BYOD will increase technical assistance costs because of device fragmentation. Implementing new technical assistance policies on full support and "best practices" can increase complexity. However, we found a balancing force in the fact that employees who use their own devices are likely to invest more time in solving problems on their own rather than calling technical support. They gradually increase their technological knowledge and, most importantly, do not want IT to touch their personal device. With the right self-service tools, technical assistance can be the last resort rather than the first call for BYOD users.
• Compliance and audit: the previous section on liability posed the question: "Does moving the ownership of a device from the company to the employee increase or decrease company liability?" The answer will significantly affect compliance costs. If the organization concludes it is not responsible for actions beyond data protection, this could lead to substantial savings.
• Tax implications: some regions treat the taxation of personally paid devices differently. The cost of a BYOD program will be influenced by whether the company is obliged to tie reimbursements to a percentage of the estimated business use of the device, and by how detailed the related controls must be.
BYOD (15/17)
Internal Marketing
• BYOD offers an opportunity to improve the company's internal perception of the role and value of IT. This represents a great internal marketing opportunity both for the mobile strategy and for the team responsible for its implementation and support. Many organizations do not recognize this value until the BYOD program is established. BYOD gives IT a unique opportunity to strongly influence the opinions, productivity and culture of the organization. Thinking about the internal marketing strategy in advance will shape communication and decisions in a way that can enhance the IT staff's standing with internal clients. The components are:
BYOD (16/17)
• Communicate why the company is moving towards BYOD: is the message you want to convey «moving costs onto workers» or «letting workers use their favourite device for work»?
• Understand that BYOD is an HR initiative just as much as an IT one. What is its impact on company culture, on communication or on employment strategies?
• Define the IT team «brand»: is IT a user supporter, an innovator or a source of mobile best practices? IT can become the hero of end users and show its innovativeness and readiness through an appropriate BYOD program.
• Support the «brand» message with appropriate actions: BYOD requires IT to provide a positive end-to-end experience for users, who need the program to be easy to understand, want to choose and customize their device, solve problems and potentially migrate to new devices every year. This is why BYOD must go hand in hand with internal marketing.
BYOD (17/17)
Conclusion:
• BYOD sounds simple, but often it is not. Moving the ownership of mobile devices has many complex implications for the company's business. In this document we have discussed the different elements of a program that effectively addresses some of the main issues. The initial adoption of a BYOD program will depend on how prepared the company actually is, while its long-term sustainability will depend on the growing quality of the end-to-end user experience. The objective of this document is to provide a basic framework for the initial preparation needed to start. BYOD makes huge promises across multiple dimensions. While many organizations look at BYOD as a possible means of cost reduction, the real value of a well-designed BYOD program lies in increased worker satisfaction and productivity, while at the same time giving an important boost to the adoption of technology in the company.