IT GOVERNANCE FRAMEWORK
Mark Makepeace, Director, Business Standards & Improvement Group, Business Information Systems
Mike Thorn, Audit Director, Internal Audit
27 January 2005
Agenda
• Where we were
• Why we needed to change
• Where we are now
• How we got there and what we got from it
• Where next
• Lessons Learned
Definitions of IT Governance
BIS takes its definitions of governance from those supplied by the IT Governance Institute (ITGI):
‘A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.’
Where we were
• Cascaded objectives
• IT “bricks” (RAG status)
• Balanced Scorecard and supporting MI
• Benchmarking for IT services
• Internal Audit assurance
• Organisational governance structure
• Turnbull reporting
Why we needed to change
• FSA regulated company and Stock Exchange Listed
• Publication of ITGI Board Briefing on IT governance
• Demonstrable framework to satisfy External Audit and FSA supervision regime
• Credibility issue of internal framework versus industry standard
• Share common understanding with IA of IT processes and risks to improve control and risk framework
Regulatory timeline
(Timeline chart: horizontal axis 1999 to 2006; the events below were plotted along it)
Key Regulatory Drivers
• Barings (1995)
• Turnbull Report
• Combined Code
• ITGI Board Briefing on IT Governance
• Basel II Capital Adequacy
• Higgs Review on Corporate Governance
• Smith Report - Guidance for Audit Committees
• Turnbull II / Flint
• Enron (2002)
• Worldcom (2002)
• AIB/Allfirst (2002)
• Approved Persons Regime (CP53)
• New FSA regulatory proposals announced
• IPSB re-draft (CP140)
• Financial Services & Markets Act 2000
• FSA single regulator (N2)
• IPSB draft (CP 97)
• IPSB (PS04/16)
• SYSC
• Sarbanes-Oxley
• GI Mortgage (M day)
Where we are now
• CobiT Heat Map: identifies priority processes for risk management and improvement investment
• IT balanced scorecard: reports on IT capability and performance
• Governance roles and responsibilities wheel: identifies what, how and who
• MI Reporting Flow: reports on aspects of IT to top level within the organisation to ensure no surprises
How we got there
(Diagram: IT and IA working together)
Using IA’s strong relationship with IT senior management:
• Facilitate corporate and IT governance initiatives
• Selling benefits of joint approach
• External credibility of existing IT bricks
• De-mystify regulatory “jargon”
• Commitment of time and resources in “trusted” environment
Adopting CobiT - 1
2002 (each step lists the CobiT module referenced)
• CobiT processes v L&G Bricks mapping (CobiT control objectives)
• Assessment of process current and goal maturity ratings (CobiT management guidelines)
• IT balanced scorecard aligned (CobiT framework)
• Initial Heat Map published (FSA inherent risk assessment; CobiT framework)
• Process ownership assigned
• CobiT processes aligned to IT objectives (CobiT control objectives)
Note: internal audit involvement; CobiT module referenced
Adopting CobiT - 2
2003 / 2004 (each step lists the CobiT module referenced)
• Moved to process based risk management (CobiT framework)
• Half-yearly Heat Maps published (CobiT framework)
• Governance database developed (CobiT control objectives)
• Governance Management Committee formed
• Half-yearly process current and goal maturity ratings assessment (CobiT management guidelines)
Note: internal audit involvement; CobiT module referenced
Where Next - IT Governance
Existing Process
• Based on CobiT guidelines covering risk controls
• Include the 5 IT Governance Focus Areas
Process Improvement
• Number of duplicate risks – variations on a theme
• Consolidate risks & underlying data
• Monthly balanced scorecard reporting focuses on risk
• Realign to the 5 IT governance focus areas
Implementation of Governance Database
• Monthly MI easily produced
Lessons Learned - 1
• Essential to obtain and sustain senior management sponsorship across all relevant parties
• In our view of FS sector, homegrown governance framework not sufficiently credible
• Organisation and existing management structure has finite capacity for change
Lessons Learned - 2
• Do not underestimate the volume of work or the difficulty of getting buy-in from business owners of IT processes (e.g. Manage Facilities)
• Maintain regular communication to keep topic “alive”
• Implementation should be planned around existing capability
Questions?