COBIT® as a Risk Management Framework

John W. Lainhart IV, CISA, CISM, CGEIT, CIPP/G
Partner, Security, Privacy, Wireless & IT Governance
IBM Global Business Services
Principal Advisor to the IT Governance Institute
In This Presentation...
• The Governance Environment
• An introduction to IT Governance
• An introduction to Control Objectives for Information and related Technology (COBIT®)
• Overview of COBIT® Supporting Materials
• COBIT® Mappings to Other Standards
• An introduction to Val IT™
• An introduction to Risk IT™
• Recently Announced Certification Program – CGEIT
• Questions
IT Governance, COBIT, Val IT and Risk IT Are Brought to You by …

IT Governance Institute
The IT Governance Institute is a non-profit research think-tank associated with ISACA®.
IT Governance Institute Product Suite
• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide
[Figure: the product suite positioned across three layers: Governance; Business and Technology Management; Governance, Security and Assurance Management]
The Governance Environment

Forces Driving IT Governance
• Compliance
• Security
• Business/IT Alignment
• ROI
• Project Execution
What Makes IT Governance so important?
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment
Drivers
• Low return from high-cost IT investments, and transparency of IT’s performance are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
• Gartner – more than US $600 billion is wasted annually on ill-conceived or ill-executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% succeed
• ITGI 2005 Survey early findings confirm concerns
What makes IT Governance so important?
Shareholders want protection for the Enterprise’s Share Price
“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”
“…financial reporting system is not up to speed…”
“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”
“…data entry problems…”
IBM Confidential | Global Business Services | © Copyright IBM Corporation 2005
The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008
# 1 on this list is IT Governance, including business alignment
From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc.
An Overview of IT Governance

What is IT Governance?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”
Source: ITGI, Board Briefing on IT Governance
IT Governance Needs a Management Framework

The driving forces map onto the IT governance focus areas.

[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
IT Governance Focus Areas

Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with enterprise operations; and on establishing collaborative solutions to
• Add value and competitive positioning to the enterprise’s products and services
• Contain costs while improving administrative efficiency and managerial effectiveness
IT Governance Focus Areas

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.).
IT Governance Focus Areas

Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations.
IT Governance Focus Areas

Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs; it specifically focuses on optimising knowledge and the IT infrastructure, and on where and how to outsource.
IT Governance Focus Areas

Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
IT Governance Life Cycle

IT Governance Control Cycle

[Figure: the control cycle runs Assess Environment → Maintain IT Controls Framework → Develop & Refine Governing Documents → Communicate & Train → Implement & Operate → Measure & Validate → Monitor & Report → Enforce, and then Sustain. Governing documents are held in a repository and cascade from Division Policies (“what” IT must do) through Division Standards (“how” to do it in every or any instance) and Department Principles to Procedures (“how” to do it in an instance); the corresponding measures are IT Division Policy Compliance and IT Division Standard Conformance. Process owners plan, build, run and tool the IT processes and operate and oversee controls across applications, databases, platforms and networks, following a top-down, risk-based, process-based, COBIT®-based approach.]
IT Governance Control Cycle: Assess Environment
• Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision and strategy
• Establish a risk management strategy
• Formally document existing processes
IT Governance Control Cycle: Maintain IT Controls Framework
• Develop a controls framework that supports sound business decisions
• Document integration points in the current environment
• Create an organisational mechanism to support the governance of IT
• Mitigate identified risks through the IT controls framework
IT Governance Control Cycle: Develop & Refine Governing Documents
• Utilise a central repository for governing documents
• Develop a consistent approach for creating governing documents
• Consistently apply processes and procedures
• Gain executive commitment for the IT governance framework and structure
IT Governance Control Cycle: Communicate and Train
• Provide “tone at the top”
• Develop a strategic communication plan for mission objectives and overall management direction
• Execute the strategic communication plan
• Implement a standard training programme to avoid unnecessary and redundant training
IT Governance Control Cycle: Implement and Operate
• Align staff responsibilities with IT control objectives
• Achieve sustainability of IT controls in the operational environment
• Support continuous improvement of operational effectiveness and accountability
IT Governance Control Cycle: Measure and Validate
• Revise the current metrics programme to include newly defined controls
• Verify the sustainability of defined controls
• Develop cost-effective automated measurements
• Measure all processes, including applications, databases, platforms and networks
IT Governance Control Cycle: Monitor and Report
• Report on the continued effectiveness of controls
• Increase transparency to auditors of issues and actions taken
• Accurately attest to IT’s compliance with policy, laws and regulations
• Improve existing processes using metrics trending
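As an added example, not part of the presentation or of any ITGI/ISACA material, the following Python shows one way the “cost-effective automated measurements” of the Measure and Validate step and the “metrics trending” of the Monitor and Report step can be implemented when controls are expressed as code: each check carries a COBIT 4.1 control objective reference as a label, policy compliance (“what” IT must do) and standard conformance (“how”, in every instance) are rolled up separately, deviations are listed per asset, and two measurement runs are compared. The asset inventory, the thresholds, and the mapping of each check to a control objective are this example’s own assumptions, constructed for illustration.

```python
"""Added example (not from the presentation): automated control measurement
for the Measure and Validate / Monitor and Report steps of the control cycle.

The COBIT 4.1 references attached to each check, the thresholds, and the
asset inventory are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed inventory: one record per application, database or platform,
# as it might be exported from a configuration repository.
INVENTORY: List[dict] = [
    {"asset": "db-prod-01", "layer": "database", "tls_min": "1.2",
     "patch_age_days": 12, "admin_mfa": True, "restore_tested_days": 20, "in_cmdb": True},
    {"asset": "db-prod-02", "layer": "database", "tls_min": "1.0",
     "patch_age_days": 95, "admin_mfa": False, "restore_tested_days": 200, "in_cmdb": True},
    {"asset": "web-app-01", "layer": "application", "tls_min": "1.2",
     "patch_age_days": 40, "admin_mfa": True, "restore_tested_days": 60, "in_cmdb": False},
    {"asset": "linux-host-07", "layer": "platform", "tls_min": "1.3",
     "patch_age_days": 5, "admin_mfa": True, "restore_tested_days": 10, "in_cmdb": True},
]


def tls_version(s: str) -> Tuple[int, ...]:
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Control:
    ref: str                       # COBIT 4.1 control objective used as a label (assumed mapping)
    kind: str                      # "policy" (what IT must do) or "standard" (how, in every instance)
    description: str
    check: Callable[[dict], bool]  # returns True when the record conforms
    applies_to: Tuple[str, ...] = ("application", "database", "platform")


CONTROLS: List[Control] = [
    Control("DS5.4", "policy", "Privileged access requires MFA",
            lambda r: r["admin_mfa"]),
    Control("DS5.10", "standard", "Minimum TLS version is 1.2",
            lambda r: tls_version(r["tls_min"]) >= (1, 2)),
    Control("AI6.1", "standard", "Security patches applied within 30 days",
            lambda r: r["patch_age_days"] <= 30),
    Control("DS11.5", "policy", "Restore tested within 90 days (databases only)",
            lambda r: r["restore_tested_days"] <= 90, ("database",)),
    Control("DS9.1", "policy", "Asset registered in the configuration repository",
            lambda r: r["in_cmdb"]),
]


@dataclass
class Result:
    control: Control
    assessed: int = 0
    passed: int = 0
    deviations: List[str] = field(default_factory=list)  # assets that failed the check

    @property
    def rate(self) -> float:
        # A control with nothing in scope is reported as fully conformant, not as 0/0.
        return self.passed / self.assessed if self.assessed else 1.0


def measure(inventory: List[dict], controls: List[Control]) -> Dict[str, Result]:
    """Evaluate every control against every in-scope asset; results keyed by control ref."""
    results: Dict[str, Result] = {}
    for c in controls:
        res = Result(c)
        for rec in inventory:
            if rec["layer"] not in c.applies_to:
                continue
            res.assessed += 1
            if c.check(rec):
                res.passed += 1
            else:
                res.deviations.append(rec["asset"])
        results[c.ref] = res
    return results


def summarise(results: Dict[str, Result]) -> Dict[str, float]:
    """Roll up into the two figures the cycle reports: policy compliance and standard conformance."""
    out: Dict[str, float] = {}
    for kind in ("policy", "standard"):
        rs = [r for r in results.values() if r.control.kind == kind]
        assessed = sum(r.assessed for r in rs)
        out[kind] = sum(r.passed for r in rs) / assessed if assessed else 1.0
    return out


def trend(previous: Dict[str, Result], current: Dict[str, Result]) -> Dict[str, float]:
    """Change in conformance rate per control between two runs (negative = regression)."""
    return {ref: round(current[ref].rate - previous[ref].rate, 3)
            for ref in current if ref in previous}


if __name__ == "__main__":
    current = measure(INVENTORY, CONTROLS)
    for ref, r in current.items():
        print(f"{ref:7} {r.control.kind:8} {r.rate:6.0%}  deviations: {', '.join(r.deviations) or '-'}")
    print("summary:", summarise(current))
```

Keeping the control definition (reference, kind, scope, check) separate from the measurement engine is what makes the measurement cheap to extend: a new standard is one more `Control` entry, and the policy/standard split in `summarise` is what lets the same run feed both the IT Division Policy Compliance and Standard Conformance figures of the cycle.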
IT Governance Control Cycle: Enforce
• Reinforce required policy compliance and standards conformance
• Define a consistent approach to enforcement across all processes
An Overview of COBIT

• Internationally accepted good practices
• Management-oriented
• Freely available
• Shares knowledge and leverages expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organisation
• Maps 100% to COSO
• Maps strongly to all major related standards
• Is a reference and a set of best practices, not an “off-the-shelf” cure
• Enterprises still need to analyse their control requirements and customise based on their value drivers, risk profile, and IT infrastructure, organisation and project portfolio
COBIT 4.1—The IT Governance Framework

The only IT management and control framework that covers the end-to-end IT life cycle.

COBIT is a best-practices repository for IT processes, IT management processes and IT governance processes.
COBIT: An IT Control Framework

• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
• Looks at the fiduciary, quality and security needs of enterprises and provides seven information criteria that can be used to generically define what the business requires from IT
• Addresses the resources made available to and built up by IT

Information criteria: 1. Effectiveness 2. Efficiency 3. Availability 4. Integrity 5. Confidentiality 6. Reliability 7. Compliance
Domains: 1. Plan & Organize 2. Acquire & Implement 3. Deliver & Support 4. Monitor & Evaluate
IT resources: 1. Applications 2. Information 3. Infrastructure 4. People
Key Driving Forces for COBIT

• Business Requirements: what the stakeholders expect from IT
• IT Processes: how IT is organised to respond to the requirements
• IT Resources: the resources made available to, and built up by, IT

[Figure: the COBIT cube relates Business Requirements (the information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) to IT Resources (applications, information, infrastructure, people) through the IT Processes of the four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate); the COBIT Framework follows the IT life cycle]
COBIT Processes

Plan and Organise
• PO1 Define an IT Strategic Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Acquire and Implement
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Deliver and Support
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Monitor and Evaluate
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance
COBIT Process Controls (PC) and Application Controls (AC)

Process Controls
• PC1 Process Goals and Objectives
• PC2 Process Ownership
• PC3 Process Repeatability
• PC4 Roles and Responsibilities
• PC5 Policy, Plans and Procedures
• PC6 Process Performance Improvement

Application Controls
• AC1 Source Data Preparation and Authorisation
• AC2 Source Data Collection and Entry
• AC3 Accuracy, Completeness and Authenticity Checks
• AC4 Processing Integrity and Validity
• AC5 Output Review, Reconciliation and Error Handling
• AC6 Transaction Authentication and Integrity
Navigating in COBIT: Process Level

Control Objectives

PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
Management Guidelines

Maturity Model: Maturity Levels in COBIT
0 Non-existent: management processes are not applied at all.
1 Initial: processes are ad hoc and disorganised.
2 Repeatable: processes follow a regular pattern.
3 Defined: processes are documented and communicated.
4 Managed: processes are monitored and measured.
5 Optimised: best practices are followed and automated.
Dimensions of Process Maturity in COBIT

We capture process maturity data on each of six dimensions:
• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
Leverage COBIT® Supporting Materials ...

Implementation Guide
IT Governance Implementation Guide, 2nd Edition
• Detailed, structured guidance on the implementation of IT governance
• Generic IT governance implementation guidance, not just COBIT
Control Practices
COBIT Control Practices, 2nd Edition
• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective
Assurance Guide
IT Assurance Guide: Using COBIT
• Detailed guidance to support assurance practitioners in financial statement audit, internal audit, value for money and operational improvement
• Guidance on how to leverage COBIT for assurance, with detailed assurance testing steps
Quickstart
• For small and medium-sized organisations, and for larger organisations wanting to quick-start IT governance
• A selection of components from the complete COBIT framework
• Can be used as a baseline (a set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival
• Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
COBIT Security Baseline

COBIT Security Baseline - 44 Steps Toward Security
• Define the security strategy - 1
• Define the IT organisation and relationships - 1
• Communicate management aims and direction - 1
• Manage IT human resources - 4
• Assess and manage IT risks - 3
• Identify automated solutions - 1
• Acquire and maintain application and technology infrastructure - 3
• Enable operation and use - 1
• Manage changes - 2
• Install and accredit solutions and changes - 2
• Define and manage service levels - 1
• Manage third-party services - 3
• Ensure continuous service - 3
• Ensure systems security - 8
• Manage the configuration - 2
• Manage data - 3
• Manage the physical environment - 2
• Monitor and evaluate IT performance / assess internal control adequacy - 1
• Obtain independent assurance - 1
• Ensure regulatory compliance - 1

6 Information Security Survival Kits: Home Users; Professional Users; Managers; Executives; Senior Executives; Board of Directors/Trustees
COBIT Mappings to Other Frameworks and Standards

Where COBIT Typically Sits
[Figure: COBIT positioned relative to COSO, King, ITIL, ISO 17799, CMM and TickIT across three layers: the governance layer, the IT governance layer and the IT management layer]

How COBIT Relates to Frameworks and Standards
[Figure: levels running from strategic down to process control, process execution and work instruction; COBIT is placed at the strategic and process-control levels, with ITIL, CMM and ISO 17799 closer to process execution and numbered work instructions beneath]
An Overview of Val IT

The Information Paradox
The value of IT is being increasingly questioned... yet organisations continue to spend more and more on IT.

The Fundamental Question
Are we maximising the value of our IT-enabled business investments, over the full economic life-cycle of the investment, such that we are getting optimal benefits, at an affordable cost, and with an acceptable level of risk?
Source: Fujitsu
Symptoms Without Effective Governance

Situation: reluctance to say no to projects; lack of strategic focus; projects are “sold” on an emotional basis, not selected; no strong review process; overemphasis on financial ROI; no clear strategic criteria for selection.

Leads to: can’t kill projects; too many projects; quality of execution suffers; underestimation of risks and costs; projects not aligned to strategy; budget overruns; project delays; business needs not met; lack of confidence (in IT).

Results in: benefits not received; increased complexity; sub-optimal use of resources; finger pointing.
Continuously Need to Question

Some fundamental questions about the value enabled by IT:

Are we doing the right things? The strategic question. Is the investment in line with our vision? Consistent with our business principles? Contributing to our strategic objectives? Providing optimal value, at affordable cost, at an acceptable level of risk?

Are we doing them the right way? The architecture question. Is the investment in line with our architecture? Consistent with our architectural principles? Contributing to the population of our architecture? In line with other initiatives?

Are we getting them done well? The delivery question. Do we have effective and disciplined delivery and change management processes? Competent and available technical and business resources to deliver the required capabilities, and the organisational changes required to leverage the capabilities?

Are we getting the benefits? The value question. Do we have a clear and shared understanding of the expected benefits? Clear accountability for realising the benefits? Relevant metrics? An effective benefits realisation process?

Source: The Information Paradox
Val IT Processes & Key Management Practices

Value Governance (VG)
• VG1 Ensure informed and committed leadership
• VG2 Define and implement processes
• VG3 Define roles & responsibilities
• VG4 Ensure appropriate and accepted accountability
• VG5 Define information requirements
• VG6 Establish reporting requirements
• VG7 Establish organisational structures
• VG8 Establish strategic direction
• VG9 Define investment categories
• VG10 Determine target portfolio mix
• VG11 Define evaluation criteria by category

Portfolio Management (PM)
• PM1 Maintain human resource inventory
• PM2 Identify resource requirements
• PM3 Perform gap analysis
• PM4 Develop resourcing plan
• PM5 Monitor resource requirements and utilisation
• PM6 Establish investment threshold
• PM7 Evaluate initial programme concept business case
• PM8 Evaluate & assign relative score to programme business case
• PM9 Create overall portfolio view
• PM10 Make and communicate investment decision
• PM11 Stage-gate (and fund) selected programmes
• PM12 Optimise portfolio performance
• PM13 Re-prioritise portfolio
• PM14 Monitor and report on portfolio performance

Investment Management (IM)
• IM1 Develop a high-level definition of investment opportunity
• IM2 Develop initial programme concept business case
• IM3 Develop clear understanding of candidate programmes
• IM4 Perform alternatives analysis
• IM5 Develop programme plan
• IM6 Develop benefits realisation plan
• IM7 Identify full life cycle costs & benefits
• IM8 Develop detailed programme business case
• IM9 Assign clear accountability & ownership
• IM10 Initiate, plan and launch the programme
• IM11 Manage programme
• IM12 Manage/track benefits
• IM13 Update business case
• IM14 Monitor and report on programme performance
• IM15 Retire programme
P3M - Projects, Programmes and Portfolios

[Figure: Portfolio Management contains Programme Management, which contains Project Management]

• Programme – a structured grouping of projects designed to produce clearly identified business value
• Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
• Portfolio – a suite of business programmes managed to optimise overall enterprise value
Val IT Relationship between Processes & Practices

[Figure: Val IT practices mapped to the processes that implement them]
• VG: establish governance framework (VG1-4, 6-7); provide strategic direction (VG8); establish portfolio parameters (VG5, 9-11)
• PM: maintain resource profile (PM1-5); maintain funding profile (PM6); evaluate & prioritise investments (PM7-10); move selected investments to active portfolio (PM11); manage overall portfolio (PM12-13); monitor & report on portfolio performance (PM14)
• IM: identify business requirements (IM1-2); define candidate programme (IM3, 5-7); analyse alternatives (IM4); document business case (IM8, 13); assign accountability (IM9); launch programme (IM10); manage programme execution (IM11-12); monitor & report on programme performance (IM14); retire programme (IM15)
COBIT
Governance & management of a portfolio of technology projects, services, systems & supporting infrastructure
Val IT
Governance & management of a portfolio of business change programmes
Are we doing the right things?
Are we doing them the right
way?
Are we doing them well?
Are we getting the benefits?
Diagram: COBIT domains (PO, AI, DS, ME) and Val IT domains (VG, PM, IM) mapped against the IT Governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.
Val IT Initiative … a value lens into COBIT

Val IT Initiative Status
- Done: Framework; Business Case; Case Study (initial)
- In process (1st Qtr. of 2008): extend framework to services & other IT assets/resources and simplify maturity models; Management Guidelines; Taxonomy; QuickStart Guide
- Planned: Business Case v2.0; Empirical Analysis; Benchmarking
Available for free download from:www.isaca.org or www.itgi.org
The Business Challenge

Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that:
- Ensures clarity of, and accountability for, the desired outcomes
- Enables understanding of the full scope of effort
- Breaks down the "silos" and "connects the dots"
- Manages the full economic life cycle
- Senses and responds to changes and deviations

This is a significant leadership challenge, opportunity and responsibility!
The RiskIT Initiative
RISKIT DESCRIPTION
- A risk management framework that provides the missing link between enterprise risk management and IT management and control, fitting in the overall IT Governance framework of ITGI and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT
- A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)

RISKIT ACTIONS
- ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)
- Business case development (October 2007), including: market survey; feasibility study; high-level design of the product/service; set-up of project governance structure, incl. core team, expert team, identification of project manager(s) and potential resources; definition of high-level development and roll-out plan
- ITGI Board approved detailed business case and decision to proceed with full project (November 2007)
- RiskIT Task Force members appointed (December 2007)
- First RiskIT Task Force meeting held in Ghent, Belgium on 18-19 January 2008
- First draft RiskIT planned to be issued by December 2008
RiskIT Processes & Key Management Practices (as of the first Task Force meeting, Ghent, Belgium, 19 January 2008)
- Process areas: Risk Governance; Risk Management; Risk Monitoring & Reporting
- Supporting components: Glossary; Risk Inventory; Risk Repository
- High-level risk management guidance drawn upon: COSO ERM, AS/NZS 4360, etc.
RISK IT Product Family – Proposed Content & Lifecycle
1. Define organisation risk culture; define risk management principles; set risk appetite (risk principles, risk tolerance description)
2. Risk categories; risk impact categories; risk impact levels; risk/reward loss description; likelihood description
3. Risk event identification; event classification; impact assessment; likelihood assessment; risk mitigation planning
4. Risk monitoring; risk reporting, communication and stakeholder management; harmonise/interface with other risk management frameworks
RELATIONSHIP OF COBIT/VAL IT/RISKIT

IT GOVERNANCE – Set objectives:
- Align business and IT
- Enable the business and maximise benefits
- Ensure effective and efficient use of resources
- Manage IT risk as part of ERM
- Fulfil compliance requirements

Governance provides direction and evaluates performance; management translates that direction into strategy and measures and reports performance back.

IT MANAGEMENT – Translate strategy into action:
- Make the business effective
- Make the business efficient
- Manage risks (security, reliability & compliance)
- Manage service delivery consistency

(Diagram legend: Val IT, RiskIT, COBIT)
Certified in the Governance of Enterprise IT (CGEIT)
Questions