©2009 Infonomics Pty Ltd EdXN: Governance of Information Technology

Education Across the Nation

Corporate Governance of Information Technology

Mark Toomey
Managing Director, Infonomics Pty Ltd
Chair, Standards Australia Committee IT-030
Member, ISO/IEC JTC-1 SC-7 WG1A

Page 2:

Education Across the Nation

This PowerPoint slideshow is provided to ACS members attending the Education Across the Nation series on Governance of IT, during 2009.

The slideshow is provided for the personal use of ACS members during and after the lecture, for the purpose of their own self-development, and for the purpose of facilitating conversations with their colleagues, including top level management and directors. Permission is hereby given for participants in the Education Across the Nation series on Governance of IT to copy this material for these purposes only.

The Education Across the Nation series on Governance of IT does not necessarily equip its participants with the in-depth knowledge required to enable the participants to act as instructors for classroom delivery of the material.

Use of this slideshow and copies thereof for the purpose of group knowledge transfer is restricted to personnel expressly approved by Infonomics and is subject to payment of a license fee.

This material was prepared to provide general guidance and stimulate debate. It should not be construed as providing professional advice and services for any particular or specific situation. As such, it should not be used as a substitute for consultation with expert advisers. Before making any decision or taking any action you should consult with Infonomics Pty Ltd or other competent professionals.

Page 3:

ISO 38500: First Glance

Australian guidance leads the world…

Page 4:

ISO 38500: First Glance

A Model, and Six Principles

• Responsibility;
• Strategy;
• Acquisition;
• Performance;
• Conformance;
• Human Behaviour.

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 5:

Education Across the Nation

Why do we need a standard?

Page 6:

Why do we need a standard?

IT keeps going wrong:

July 2006
October 2005
June 2004
July 2003

Page 7:

Why do we need a standard?

The names and stories keep rolling on…

2007. British Sky Broadcasting sued EDS for £709 million, following failure of its Customer Relationship Management (CRM) initiative. BSkyB claims it has lost significant anticipated benefits.

2008. British Gas sued Accenture for £182 million. A failed billing system project resulted in the loss of a million customers and required 2,500 additional staff for two years.

IT crash hits Virgin Blue: April 17, 2008

Cancelled Late

St George admits to security flaw. March 25, 2008

Page 8:

Why do we need a standard?

Investigations reveal the true cause of problems!

In the case of the ICS, there does not appear to have been an effective structure or process to direct and control the project, nor to make suitable risk decisions.

To fulfil this task, Customs has had at least 10 bodies responsible for different aspects of the management and governance of the ICS, including the interactions with industry…

These bodies overlap in their responsibilities and accountabilities, and overall the program has no single business owner and accountabilities for its delivery are unclear.

Source: The Australian IT (online) and Booz Allen Hamilton Report “Review of the Integrated Cargo System”

We have been unable to locate a clear and quantified set of outcomes and benefits expected from the introduction of the ICS

Some changes have been the cause of severe disruptions and reduced process efficiency.

Change Governance Problem on a Massive Scale.

Page 9:

Why do we need a standard?

The problem is not in the process!

The Gimli Glider. See http://www.casa.gov.au/wcmswr/_assets/main/fsa/2003/jul/22-27.pdf

Page 10:

Why do we need a standard?

The Cost of IT Failures

• In Australia alone:
  – Failed Projects: $1.5b + per annum*
  – Foregone Benefits: $20b per annum*
  – Operational Losses: $Incalculable
  – Reputation damage: $Incalculable.

• But isn’t this the tip of the iceberg?
  – Competitors respond
  – Predators descend
  – Regulators investigate
  – Lawyers litigate

• Today’s IT failure can have a serious impact on the bottom line, and in the boardroom.

1% – 3% GDP!

* Dr R C Young: What is the ROI for Project Governance? Macquarie University, November 2006.

Page 11:

But we’ve already done IT Governance!

Effort within IT has not solved the problem!

• Investment ensures that IT is doing its job competently
  – Rigour
  – Process
  – Control
  – Reporting

• But it’s not just in IT that problems develop:
  – Use of IT in achieving business goals involves business change
    • Process
    • People
    • Structure
    • Context
  – And necessarily requires that business leaders engage fully:
    • Being responsible
    • Setting direction
    • Planning and implementing

Polishing INSIDE the Kettle improves supply… … but does not fully address the problem of use!

ITIL, Prince2, CoBIT, CMMI, PMBOK, TOGAF, etc.

Governance of IT has to deal with how organisations USE IT as well as with how IT departments operate.

Delivery

Use

Many issues arise here – outside IT’s sphere of control.

Page 12:

The pressure for Board Oversight:

KPMG Global IT Project Management Survey (Sep 05)

• Traditional measures of success (time and budget) are being superseded:
  – “Achieving benefits – keeping commitments – is now the key determinant of project success.”

• Since 2003, performance of projects has improved marginally:
  – Failure rates are still appalling;
  – Many organisations do not focus on realising or measuring benefits.

• “The key element (that makes some organisations more successful) appears to be an appropriate governance framework – to complement planning and prioritisation of activities and to help ensure execution controls are in place until benefits are realised.”

• “The board must put in place, through management, a rigorous oversight framework to monitor achievement of budgets, the meeting of timelines and to help ensure that the agreed benefits are realised. To achieve this, the board must receive the right information at the right time”.

Those responsible at the top of the organisation must govern…

Page 13:

Education Across the Nation

Understanding Corporate Governance of IT: Four key concepts

• Corporate Governance
• Business Systems and Change
• The Business Cycle: Demand and Supply
• The System for Governing IT

Page 14:

Corporate Governance: Fundamentals…

Corporate Governance: The System by which entities are directed and controlled. (Cadbury)

[Diagram labels: Ownership “Appoint the Directors”; Governance “Protect owners’ interests”; Management “Develop business capabilities”, “Run business operations”; Establish Strategy; Direct; Monitor]

Adapted from “Corporate Governance – A Working Definition”, Teresa Barger, Director IFC/World Bank Corporate Governance Department

Definition from “Report of the Committee on the Financial Aspects of Corporate Governance” (Chair: Sir Adrian Cadbury), London, 1992

Page 15:

Corporate Governance: Fundamentals…

[Diagram labels: Ownership “Appoint the Directors”; Governance “Protect owners’ interests”; Management “Develop business capabilities”, “Run business operations”; Establish Strategy; Direct; Monitor]

[Diagram labels: Seamless participation in all 3 levels; Micro Business; Owner/Directors; SME Business; Low discretion management; Shareholders; Large Business; Elected directors; High discretion management; Gov’t Agency; Electors; Government or Board; High discretion management]

Page 16:

Corporate Governance: The Information (IT) domain.

[Diagram: Governance Domains and Systems. Labels: Corporate Governance visibility and control; Management Responsibility; Information (IT) assets; Financial assets; Relationship assets; Human assets; IP assets; Physical assets]

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 17:

Corporate Governance of IT.

Corporate Governance of IT: The System by which the current and future use of IT is directed and controlled.

[Diagram: Governance Domains and Systems. Labels: Corporate Governance visibility and control; Management Responsibility; Information (IT) assets; Financial assets; Relationship assets; Human assets; IP assets; Physical assets]

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 18:

Business Systems and Change

[Diagram labels: The Business Context; The Business System; Process; Structure; People; Technology]

• Operating context of the organisation
  – External
  – Internal.

• Four key elements of operating organisations
  – People – who participate in business events
  – Process – what business events take place
  – Structure – where business events happen
  – Technology – enabling and recording events

• IT intrinsic to day to day operations
  – Business process specific - Transactions, Customers, Etc
  – Generic - Email, Telephony, Information

This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965.

Page 19:

Business Systems and Change

[Diagram labels: The Business Context; The Business System; Process; Structure; People; Technology]

• Operating context of the organisation
  – External
  – Internal.

• Four key elements of operating organisations
  – People – who participate in business events
  – Process – what business events take place
  – Structure – where business events happen
  – Technology – enabling and recording events

• IT intrinsic to day to day operations
  – Business process specific - Transactions, Customers, Etc
  – Generic - Email, Telephony, Information

• When IT fails, whole organisations and extended organisations stop
  – Citylink Melbourne, Tuesday 20 Sept 2006

This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965.

Page 20:

Business Systems and Change

• IT is now a fundamental enabler of change and is leading to new business models and new business practices
  – Eg e-Government

• Implementing IT enabled change involves attention to every facet of business models and practices
  – Internal and external factors

• Governing IT Enabled Change involves much more than governing technology activities.

[Diagram labels: The Business Context; The Business System; Process; Structure; People; Technology; “Traditional” IT Change Project; Change Program; Changed Business Context; Changed Business System; Changed Process; Changed Structure; Changed People; Changed Technology]

Change Program
• Business System
• Process • Technology • Structure • People
• Business Context
• Process • Technology • Structure • People

Page 21:

The Business Cycle: Demand and Supply

[Diagram labels: Plan; Build; Run]

• Current Use: Run the Business
• Future Use: Build the Business
• Future Use: Plan the Business

Page 22:

The Business Cycle: Demand and Supply

• Current Use: Run the Business
• Future Use: Build the Business
• Future Use: Plan the Business

[Diagram: The System of Management. Labels: Strategic Business Future; Ongoing business operations; Demand; Supply; Effective IT enabled change; Reliable IT Service; ValIT; ITIL, ISO 20000, ISO 27000, CoBiT etc]

Business Domain: How IT is used to enable and operate the business

IT Domain: How IT is managed and delivered.

Page 23:

The System for Governing IT: An integrated system overseen by the Board

[Diagram: The System of Management. Labels: Strategic Business Future; Ongoing business operations; Demand; Supply; Effective IT enabled change; Reliable IT Service; ValIT; ITIL, ISO 20000, ISO 27000, CoBiT etc]

Business Domain: How IT is used to enable and operate the business

IT Domain: How IT is managed and delivered.

Page 24:

The System for Governing IT: An integrated system overseen by the Board

[Diagram: The System of Management. Labels: Strategic Business Future; Ongoing business operations; Demand; Supply; Effective IT enabled change; Reliable IT Service; ValIT; ITIL, ISO 20000, ISO 27000, CoBiT etc]

Business Domain: How IT is used to enable and operate the business

IT Domain: How IT is managed and delivered.

[Diagram: The System of Governance. Labels: Corporate Governance Oversight; ISO 38500; Rules, Direction, Behaviour; Performance, Conformance; Management Responsibility; Board oversight]

Page 25:

The System of Governance

Inside the System

[Diagram labels: Plan; Build; Run; Vision; Strategy; Plans; Initiatives; Operation; Strategy; Portfolio; Program; Project; Operation; Enterprise Architecture; Asset; Information Security]

Adapted from a model developed by John Thorp, author of The Information Paradox.

Page 26:

The System of Governance

The System Perspective

• Line Management - Implement and Operate
• Corporate Governance - Evaluate, Direct and Monitor
• Top Management - Plan, Supervise and Realise

[Diagram, repeated for each of the three perspectives above. Labels: Vision; Strategy; Plans; Initiatives; Operation; Strategy; Portfolio; Program; Project; Operation; Enterprise Architecture; Asset; Information Security]

Adapted from a model developed by John Thorp, author of The Information Paradox.

Page 27:

Education Across the Nation

ISO/IEC 38500

Core Elements

Page 28:

Evaluate

• Proposals: plans and suggestions
  – Vision
  – Strategy
  – Detailed plans
  – Initiatives
  – Projects (and changes thereto)
  – BAU Operations (the oft-forgotten default)

• Current and future use of IT
• Supply
• Governance

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 29:

Direct

• Policy to guide management decisions.
• Strategy to establish focus and direction.
• Progressive allocation of resources.
• Clear delegation of authority.
• Appropriate incentives and rewards.

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 30:

Monitor

• Achieving intended results
  – And taking action if they are at risk

• Assuring conformance
  – External and internal

• Making adjustments for reality
• Ensuring that management is doing its job properly.
• Ensuring that the governance system is effective.

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 31:

Six principles for good governance of IT

• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human Behaviour

[Diagram labels: Business Pressures; Business Needs; Corporate Governance; Evaluate; Direct; Monitor; Corporate Management; IT Projects; IT Operations; Plans, Policies; Proposals; Performance; Conformance]

Page 32:

Education Across the Nation

Using ISO 38500

Page 33:

Using ISO 38500

Guide for assessment and improvement

[Matrix: rows are the Principles (Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour); columns are Evaluate, Direct, Monitor]

What does each cell mean?

How do you perform?

What should you seek to improve?

What consequences of improvement should you seek?

Page 34:

Using ISO 38500

Benchmarking and comparing performance

[Chart: Corporate Governance of ICT - Indicators. Principles: Responsibility; Plan; Acquire; Perform; Conform; Human Factors. Ratings: Exemplary; Good; Basic; Weak; None; No view]

Principles: Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour

Human Communities:
• Who are they?
• How do they behave?
• What do they need?
• What motivates them?

RMIT and Infonomics research 2006-7. Published in “Achieving Business Sustainability” (Infonomics), and “Information Technology Entrepreneurship and Innovation”, edited by Fang Zhao, published by IGI Global, 2008.

Page 35:

Using ISO 38500

Learning through evaluating patterns

I know nothing about the IT in my organisation…

IT not adequately integrated in corporate strategic thinking?

Focusing on today - Insufficient attention given to the future?

RMIT and Infonomics research 2006-7.

Page 36:

A Typical Assessment Result

Poor performance in critical areas.

• Responsibility: there is neither clear nor appropriate allocation of responsibility for IT.

• Strategy: there is no effective planning for IT in the context of business strategy and direction.

• Acquisition: decisions to invest in new IT capability are not made in an appropriate framework.

• Performance: demands for IT service are unlikely to be met.

• Conformance: the rules for IT are inadequate.

• Human Behaviour: human issues are given scant attention in IT planning and delivery.

[Chart: assessment scores on an axis of 1 to 6. Acquire 3; Human Factors 3; Perform 2.9; Conform 2.9; Responsibility 2.7; Planning 2.4]

Page 37:

Using ISO 38500

Closing the gaps in contemporary techniques

[Diagram labels: Process; Structure; People; Technology; Control and Direct use of IT; Control & Direct the Business]

[Matrix: rows are the Principles (Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour); columns are Evaluate, Direct, Monitor]

[Organisation chart labels: Council; Chief Executive Officer; Executive Committee; Audit & Risk Committee; Corporate Committee; Advisory Committees; ICT Governance Committee; Business System Steering Committee; Business Development; Education Programs; Education Services; Corporate Services; ICT Infrastructure Steering Committee. Legend: Reports; Participates; Informs; Owns]

CobiT, ITIL, Prince2, PMBOK, Gateway, ValIT

Page 38:

Using ISO 38500

Developing Policy for control of IT

[Matrix: rows are the Principles (Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour); columns are Evaluate, Direct, Monitor]

Usage policies
• Rules for how people use the business systems and technology resources
• Board role: part of user community.

Strategic Policies
• Your posture relative to Principles
• Board role: consultation and approval

Your ISO 38500 Framework

Operating policies
• Specify how projects and operations are conducted
• Board role: awareness

Page 39:

Responsibility

The Crucial Strategic Policy

• How is responsibility allocated for:
  – Allocating responsibility?
  – Developing business strategy and planning business use of (demand for) IT?
  – Developing strategies for supply and delivery of IT capability and service?
  – Making decisions to invest in IT?
  – Determining targets and measuring business and IT performance?
  – Ensuring that IT investment initiatives achieve agreed, appropriate success criteria?
  – Ensuring that business demand for operational supply of IT service is satisfied efficiently and effectively?
  – Understanding conformance requirements, establishing effective conformance rules, and assuring conformance?
  – Understanding and ensuring respect for human behaviours?

• What are the responsibilities of each individual in respect of IT demand and supply?

Page 40:

Using the Standard

Fundamental Rules

• Change Management Rule 0 – Engage the right sponsor and involve the right people.

• Change Management Rule 1 – Communicate, Communicate, Communicate.

• Change Management Rule 2 – Measure, adjust, measure.

• Change Management Rule 3 – Start with the fundamentals.

• Change Management Rule 4 – Small steps, with clear objectives.

• Change Management Rule 5 – Keep communicating; keep measuring; keep improving.

Page 41:

Education Across the Nation

Self Assessment

When and how

Branch feedback

Information Age Article

Page 42:

Education Across the Nation

Additional Material

Page 43:

Education Across the Nation

Questions

Page 44: ©2009 Infonomics Pty Ltd EdXN: Governance of Information Technology Education Across the Nation Corporate Governance of Information Technology Mark Toomey

©2009 Infonomics Pty Ltd EdXN: Governance of Information Technology

Education Across the NationWhat do you have to lose?

Seize the opportunity!

ISO/IEC 38500.

Thank you.


Additional Material

Responsibility

• Who is responsible for what when it comes to current and future use of IT?

• Does everybody understand their responsibility?

• Do those with responsibility deliver?

• If IT is responsible for supply, who is responsible for demand?

• And who is responsible for results?

Strategy (Planning)

• Planning IT use (demand and supply) to best serve the organisation.

• Who should determine the organisation's strategy for USE of IT?

• How are business strategy and IT strategy related?

• How is strategy enacted?

• Includes key planning disciplines
  – Portfolio
  – Project
  – Architecture

Acquisition

• Decisions to invest in IT

• Decisions to continue existing IT initiatives

• Decisions to continue using operational IT

• Decisions on sourcing of IT capabilities

• Decisions on selection of technologies

Performance

• Current performance
  – Operational objectives
  – Investment objectives

• Future performance
  – Running the business
  – Delivering capability
  – Stable base for change
  – Implementing change

• Wide scope
  – Systems and infrastructure
  – People
  – Management systems

Conformance

• Understanding the rules

• Formulating the rules

• Communicating the rules

• Enforcing the rules

• Identifying and sanctioning non-conformance

Human Behaviour

• Response to change

• Response to pressure

• Professional pride

• Fear of discovery and consequences

• Dedication and commitment

• Partial disclosure

• Good news

Key messages in the standard

Directors should govern the use of Information Technology;

Governance and Management are separate concepts;

The standard is applicable to every organisation;

The people who should most use the standard are the managers;

Good governance of IT is a desirable attribute for stakeholders;

Behaviour is key;

Implementation is the responsibility of each organisation.

Directors should govern the use of Information Technology.

• Delegate their responsibility as appropriate.

• Define intended use of IT in business strategy.

• Establish policy to guide management decisions.

• Monitor conformance and performance of strategy and policy.

• Enforce discipline of control and supervision.

• Obtain independent advice as and when necessary.

Governance and Management are separate concepts.

• Management is what managers do.

• Governance is oversight of management.

• Much of what is called “IT Governance” is actually IT Management.

• Giving IT Management a new name does not make it more effective.

The standard is applicable to every organisation.

• Private and public (government)

• Small, medium and large

• Listed and unlisted

• For-profit and Not-for-profit

• Scalable – no prescription of process or structure

• Every organisation needs to determine how to adopt.

The people who should most use the standard are the managers.

• Managers advise and support directors.

• Managers provide information to directors and implement the direction given by directors.

• Managers are the originators of most board decisions including strategy and systems of control.

• Managers act on behalf of directors to perform some governance tasks under the board’s delegated authority.

Good governance of IT is a desirable attribute for stakeholders.

• Better strategic use of IT -> better corporate performance

• Fewer failures of projects -> better return on investment

• Higher reliability in operations -> premium for perceived quality

Behaviour is key.

• Behaviour of the organisation

• Behaviour of its managers

• Doing the right things in respect of decisions about current and future use of IT

• Business stepping up to its role in controlling demand

• IT limiting itself to the role of supply

• Business leaders taking true accountability for business outcomes.

Implementation is the responsibility of each organisation.

• No specific implementation requirements -> no straight-jackets.

• Governance is a system – people, process, structure and technology.

• Many frameworks are available – choose what’s best for you.

• Build on what you have – assess and improve – don’t just start from scratch.