
1

IT GOVERNANCE FRAMEWORK

Mark Makepeace, Director, Business Standards & Improvement Group, Business Information Systems

Mike Thorn, Audit Director, Internal Audit

27 January 2005


2

Agenda

• Where we were

• Why we needed to change

• Where we are now

• How we got there and what we got from it

• Where next

• Lessons Learned


3

Definitions of IT Governance

BIS takes its definitions of governance from those supplied by the IT Governance Institute (ITGI)

‘A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.’


4

Where we were

• Cascaded objectives

• IT “bricks” (RAG status)

• Balanced Scorecard and supporting MI

• Benchmarking for IT services

• Internal Audit assurance

• Organisational governance structure

• Turnbull reporting


5

Why we needed to change

• FSA regulated company and Stock Exchange Listed

• Publication of ITGI Board Briefing on IT governance

• Demonstrable framework to satisfy External Audit and FSA supervision regime

• Credibility issue of internal framework versus industry standard

• Share common understanding with IA of IT processes and risks to improve control and risk framework


6

Regulatory timeline

(Timeline diagram; axis runs 1999 to 2006)

Key Regulatory Drivers

• Turnbull Report

• Barings (1995)

• Combined Code

• ITGI Board Briefing on IT Governance

• Basel II Capital Adequacy

• Higgs Review on Corporate Governance

• Smith Report - Guidance for Audit Committees

• Turnbull II / Flint

• Enron (2002)

• Worldcom (2002)

• AIB/Allfirst (2002)

• Approved Persons Regime (CP53)

• New FSA regulatory proposals announced

• IPSB re-draft (CP140)

• Financial Services & Markets Act 2000

• FSA single regulator (N2)

• IPSB draft (CP 97)

• IPSB (PS04/16)

• SYSC

• Sarbanes-Oxley

• GI Mortgage (M day)


7

Where we are now

• CobiT Heat Map: identifies priority processes for risk management and improvement investment

• IT balanced scorecard: reports on IT capability and performance

• Governance roles and responsibilities wheel: identifies what, how and who

• MI Reporting Flow: reports on aspects of IT to top level within organisation to ensure no surprises


8

How we got there

(Diagram: IT and IA)

Using IA’s strong relationship with IT senior management

• Facilitate corporate and IT governance initiatives

• Selling benefits of joint approach

• External credibility of existing IT bricks

• De-mystify regulatory “jargon”

• Commitment of time and resources in “trusted” environment


9

Adopting CobiT - 1

2002

• CobiT processes v L&G Bricks mapping (CobiT Control Objectives)

• Assessment of process Current and Goal maturity ratings (CobiT management guidelines)

• IT Balanced scorecard aligned (CobiT framework)

• Initial Heat Map published (FSA inherent risk assessment; CobiT framework)

• Process ownership assigned

• CobiT processes aligned to IT objectives (CobiT control objectives)

Note: internal audit involvement; CobiT module referenced in brackets


10

Adopting CobiT - 2

2003 / 2004

• Moved to process based risk management (CobiT framework)

• Half-yearly Heat Maps published (CobiT framework)

• Governance database developed (CobiT Control objectives)

• Governance Management Committee formed

• Half-yearly process Current and Goal maturity ratings assessment (CobiT management guidelines)

Note: internal audit involvement; CobiT module referenced in brackets


11

Where Next - IT Governance

Existing Process

Based on CobiT Guidelines covering risk controls

Include the 5 IT Governance Focus Areas

Process Improvement

Number of duplicate risks – variations on a theme

Consolidate risks & underlying data

Monthly balanced scorecard reporting focuses on risk

Realign to the 5 IT governance focus areas

Implementation of Governance Database

Monthly MI easily produced


12

Lessons Learned - 1

• Essential to obtain and sustain senior management sponsorship across all relevant parties

• In our view of FS sector, homegrown governance framework not sufficiently credible

• Organisation and existing management structure has finite capacity for change


13

Lessons Learned - 2

• Do not underestimate volume of work or difficulty of getting buy-in from business owners of IT processes i.e. manage facilities

• Maintain regular communication to keep topic “alive”

• Implementation should be planned around existing capability


14

Questions?