COBIT ® as a Risk Management Framework John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global Business Services Principal Advisory to IT Governance Institute [email protected] 301-803-2745

Page 1

COBIT® as a Risk Management Framework

John W. Lainhart IV, CISA, CISM, CGEIT, CIPP/G

Partner, Security, Privacy, Wireless & IT Governance

IBM Global Business Services

Principal Advisory to IT Governance Institute

[email protected]

Page 2

In This Presentation...

• The Governance Environment
• An introduction to IT Governance
• An introduction to Control Objectives for Information and related Technology (COBIT®)
• Overview of COBIT® Supporting Materials
• COBIT® Mappings to Other Standards
• An introduction to ValIT™
• An introduction to RiskIT™
• Recently Announced Certification Program – CGEIT
• Questions

Page 3

IT Governance, COBIT, ValIT and RiskIT Are Brought to You by …

Page 4

IT Governance Institute

IT Governance Institute is a non-profit research think-tank associated with ISACA®

Page 5

IT Governance Institute Product Suite

(Figure: the product suite laid out against three audience layers: Governance; Business and Technology Management; Governance, Security and Assurance Management)

• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide

Page 6

The Governance Environment

Page 7

Forces Driving IT Governance

• Compliance
• Security
• Business/IT Alignment
• ROI
• Project Execution

Page 8

What Makes IT Governance so important?

• Strategic importance of IT

• Extended Enterprise

• Regulatory requirements

• Cost optimisation

• Return on investment

Drivers

• Low return from high-cost IT investments, and transparency of IT’s performance are two top issues

• More than 30% claim negative return from IT investments targeting efficiency gains

• 40% do not have good alignment between IT plans and business strategy

• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)

• Gartner – more than $600 billion thrown away annually on ill-conceived or ill-executed IT projects

• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful

• ITGI 2005 Survey early findings confirm concerns

Page 9

What makes IT Governance so important?

Shareholders want protection for the Enterprise’s Share Price

“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”

“…financial reporting system is not up to speed…”

“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”

“…data entry problems…”

Page 10

IBM Confidential | Global Business Services | © Copyright IBM Corporation 2005

The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008

# 1 on this list is IT Governance, including business alignment

From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc.

Page 11

An Overview of IT Governance

Page 12

What is IT Governance?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

ITGI, Board Briefing on IT Governance

Page 13

IT Governance Needs a Management Framework

(Figure: the Driving Forces map onto the IT Governance Focus Areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement)

Page 14

IT Governance Focus Areas

(Figure: IT Governance Domains wheel: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement)

Strategic alignment focuses on ensuring the linkage of business and IT plan; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to:
• Add value and competitive positioning to the enterprise’s products and services
• Contain costs while improving administrative efficiency and managerial effectiveness

Page 15

IT Governance Focus Areas

(Figure: IT Governance Domains wheel)

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.).

Page 16

IT Governance Focus Areas

(Figure: IT Governance Domains wheel)

Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations.

Page 17

IT Governance Focus Areas

(Figure: IT Governance Domains wheel)

Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource.

Page 18

IT Governance Focus Areas

(Figure: IT Governance Domains wheel)

Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.

Page 19

IT Governance Life Cycle

Page 20

IT Governance Control Cycle

(Figure: IT Governance Control Cycle. Stages: Assess Environment; Maintain IT Controls Framework; Develop & Refine Governing Documents; Communicate & Train; Implement & Operate; Measure & Validate; Monitor & Report; Enforce; Sustain. Process owners operate and oversee controls over the IT Processes spanning Applications, Databases, Platforms and Networks, supported by Plan/Build/Run tools and a Repository of governing documents. Compliance labels shown: IT Division Policy Compliance; IT Division Standard Conformance.)

· Top-Down, Risk-based Approach
· Process-based
· CobiT®-based

Governing document hierarchy:
• Dept. Principles
• Division Policies (e.g. “What” IT must do)
• Division Standards (e.g. “How” to do in every or any instance)
• Procedures (e.g. “How” to do in an instance)

Page 21

IT Governance Control Cycle

Assess Environment
• Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
• Establish risk management strategy
• Formally document existing processes

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 22

IT Governance Control Cycle

Maintain IT Controls Framework
• Develop controls framework to support sound business decisions
• Document integration points in the current environment
• Create an organizational mechanism to support the governance of IT
• Mitigate identified risks through the IT controls framework

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 23

IT Governance Control Cycle

Develop & Refine Governing Documents
• Utilize a central repository for governing documents
• Develop a consistent approach for creating governing documents
• Consistently apply processes and procedures
• Gain executive commitment for IT governance frameworks and structure

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 24

IT Governance Control Cycle

Communicate and Train
• Provide “Tone at the Top”
• Develop a strategic communication plan for mission objectives and overall management direction
• Execute strategic communication plan
• Implement a standard training program to avoid unnecessary and redundant training

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 25

IT Governance Control Cycle

Implement and Operate
• Align staff responsibilities with IT control objectives
• Achieve sustainability of IT controls in the operational environment
• Support continuous improvement of operational effectiveness and accountability

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 26

IT Governance Control Cycle

Measure and Validate
• Revise current metrics program to include newly defined controls
• Verify the sustainability of defined controls
• Develop cost-effective automated measurements
• Measure all processes to include Applications, Databases, Platforms and Networks

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 27

IT Governance Control Cycle

Monitor and Report
• Report on continued effectiveness of controls
• Increase transparency to auditors of issues and actions taken
• Accurately attest to IT’s compliance with policy, laws, and regulations
• Improve existing processes using metrics trending

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 28

IT Governance Control Cycle

Enforce
• Reinforce required policy compliance and standards conformance
• Define a consistent approach for enforcement across all processes

(Figure: IT Governance Control Cycle diagram, as on page 20)

Page 29

An Overview of COBIT

Page 30

COBIT 4.1—The IT Governance Framework

• Internationally accepted good practices
• Management-oriented
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organisation
• Maps 100% to COSO
• Maps strongly to all major related standards
• Is a reference, set of best practices, not an “off-the-shelf” cure
• Enterprises still need to analyse their control requirements and customise based on:
  – Value drivers
  – Risk profile
  – IT infrastructure, organisation and project portfolio

The only IT management and control framework that covers the end-to-end IT life cycle

(Figure: COBIT as the best practices repository for IT Processes, IT Management Processes and IT Governance Processes)

Page 31

COBIT: An IT Control Framework

Information Criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance

Domains:
1. Plan & Organize
2. Acquire & Implement
3. Delivery & Support
4. Monitor & Evaluate

IT Resources:
1. Applications
2. Information
3. Infrastructure
4. People

• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
• Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
• Addresses the resources made available to and built up by IT

Page 32

Key Driving Forces for COBIT

(Figure: three interlocking views)
• Business Requirements (what the stakeholders expect from IT): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Resources (the resources made available to, and built up by, IT): Applications, Information, Infrastructure, People
• IT Processes (how IT is organised to respond to the requirements): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

Page 33

COBIT Framework: IT Life Cycle

(Figure: the COBIT Framework as an IT life cycle, linking Business Objectives, the information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), the IT Resources (Applications, Information, Infrastructure, People) and the four domains Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate)

Page 34

COBIT Processes

Plan and Organise
• PO1 Define an IT Strategic Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Acquire and Implement
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Page 35

COBIT Processes

Deliver and Support
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Monitor and Evaluate
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance

Page 36

COBIT PC and AC Processes

Process Controls
• PC1 Process Goals and Objectives
• PC2 Process Ownership
• PC3 Process Responsibility
• PC4 Roles and Responsibilities
• PC5 Policy, Plans and Procedures
• PC6 Process Performance Improvement

Application Controls
• AC1 Source Data Preparation and Authorization
• AC2 Source Data Collection and Entry
• AC3 Accuracy, Completeness and Authenticity Checks
• AC4 Processing Integrity and Validity
• AC5 Output Review, Reconciliation and Error Handling
• AC6 Transmission Authentication and Integrity

Page 37

Navigating in COBIT: Process Level

Page 38

Control Objectives

PO9.6 Maintenance and Monitoring of a Risk Action Plan

Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

Page 39

Management Guidelines

Page 40

Management Guidelines

Page 41

Maturity Model

Page 42

Maturity Levels in COBIT

0 Non-existent: Management processes are not applied at all.
1 Initial: Processes are ad hoc and disorganised.
2 Repeatable: Processes follow a regular pattern.
3 Defined: Processes are documented and communicated.
4 Managed: Processes are monitored and measured.
5 Optimised: Best practices are followed and automated.

Page 43

Dimensions of Process Maturity in COBIT

We capture process maturity data on each of six dimensions:
• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

Page 44

Leverage COBIT® Supporting Materials ...

Page 45

Implementation Guide

Page 46

Implementation Guide

IT Governance Implementation Guide, 2nd Edition

Detailed, structured guidance to the implementation of IT governance

Generic IT governance implementation guidance, not just COBIT

Page 47

Control Practices

Page 48

Control Practices

COBIT Control Practices, 2nd Edition
• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective

Page 49

Assurance Guide

Page 50

Assurance Guide

IT Assurance Guide: Using COBIT
• Detailed guidance to support assurance practitioners in:
  – Financial statement audit
  – Internal audit
  – Value for money
  – Operational improvement
• Guidance on:
  – How to leverage COBIT for assurance
  – Detailed assurance testing steps

Page 51

Quickstart

Page 52

Quickstart

For small and medium sized organizations and larger organizations wanting to quickstart IT governance

Selection of components from the complete COBIT framework

Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival

Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT

Page 53

COBIT Security Baseline

Page 54: C OBI T ® as a Risk Management Framework John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global

COBIT Security Baseline - 44 Steps Toward Security

44 Steps Toward Security Define the security strategy - 1 Define the IT organisation and relationships - 1 Communicate management aims and direction - 1 Manage IT human resources - 4 Assess and manage IT risks - 3 Identify automated solutions - 1 Acquire and maintain application and technology infrastructure - 3 Enable operation and use - 1 Manage changes - 2 Install and accredit solutions and changes - 2 Define and manage service levels - 1 Manage third-party services - 3 Ensure continuous service - 3 Ensure systems security - 8 Manage the configuration - 2 Manage data - 3 Manage the physical environment - 2 Monitor and evaluate IT performance—assess internal control adequacy - 1 Obtain independent assurance - 1 Ensure regulatory compliance – 1

6 Information Security Survival Kits:
• Home Users
• Professional Users
• Managers
• Executives
• Senior Executives
• Board of Directors/Trustees

Page 55

COBIT Mappings to Other Frameworks and Standards

Page 56

Where COBIT Typically Sits

[Figure: three layers, top to bottom: Governance Layer, IT Governance Layer, IT Management Layer. COBIT is placed at the IT Governance Layer; frameworks and standards shown alongside it: King, COSO, TickIT, 17799, CMM, ITIL.]

Page 57

How COBIT Relates to Frameworks and Standards

[Figure: layered view. Levels shown, top to bottom: Strategic (COBIT), Process Control, Process Execution (ITIL, CMM, 17799) and Work Instruction (work instruction 1, 2, 3, 4, 5, 6, ... for each process area).]


Page 59

An Overview of ValIT

Page 60

The Information Paradox

The value of IT is being increasingly questioned... yet organizations continue to spend more and more on IT

Page 61

The Fundamental Question

Are we maximizing the value of our IT-enabled business investments, over the full economic life-cycle of the investment, such that:
• we are getting optimal benefits;
• at an affordable cost; and
• with an acceptable level of risk?

Page 62: C OBI T ® as a Risk Management Framework John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global

Source: Fujitsu

Can’t kill projects

Leads to..Leads to..

Too many projects

Quality of execution suffers

Underestimation of risks and costs

Projects not aligned to strategy

Budget overrunsProject delays

Business needs not met

Lack of confidence (in IT)

Results in..Results in..

Benefits not receivedIncreased ComplexitySub-optimal use of resourcesFinger pointing

SituationSituation

Reluctance to say no Reluctance to say no to projectsto projects

Lack of Strategic FocusLack of Strategic Focus

Projects are “sold” on Projects are “sold” on emotional basis -- not emotional basis -- not

selectedselected

No strong review processNo strong review process

Overemphasis on Overemphasis on Financial ROIFinancial ROI

No clear No clear strategic criteria strategic criteria

for selectionfor selection

Without Effective GovernanceWithout Effective Governance

SYMPTOMS

Page 63

Continuously Need to Question: some fundamental questions about the value enabled by IT (Source: The Information Paradox)

Are we doing the right things? The strategic question. Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?

Are we getting the benefits? The value question. Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process?

Are we doing them the right way? The architecture question. Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?

Are we getting them done well? The delivery question. Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver:
  - the required capabilities; and
  - the organisational changes required to leverage the capabilities?

Page 64

Val IT Processes & Key Management Practices

Value Governance (VG):
• VG1 Ensure informed and committed leadership
• VG2 Define and implement processes
• VG3 Define roles & responsibilities
• VG4 Ensure appropriate and accepted accountability
• VG5 Define information requirements
• VG6 Establish reporting requirements
• VG7 Establish organisational structures
• VG8 Establish strategic direction
• VG9 Define investment categories
• VG10 Determine target portfolio mix
• VG11 Define evaluation criteria by category

Portfolio Management (PM):
• PM1 Maintain human resource inventory
• PM2 Identify resource requirements
• PM3 Perform gap analysis
• PM4 Develop resourcing plan
• PM5 Monitor resource requirements and utilisation
• PM6 Establish investment threshold
• PM7 Evaluate initial programme concept business case
• PM8 Evaluate & assign relative score to programme business case
• PM9 Create overall portfolio view
• PM10 Make and communicate investment decision
• PM11 Stage-gate (and fund) selected programmes
• PM12 Optimize portfolio performance
• PM13 Re-prioritise portfolio
• PM14 Monitor and report on portfolio performance

Investment Management (IM):
• IM1 Develop a high-level definition of investment opportunity
• IM2 Develop initial programme concept business case
• IM3 Develop clear understanding of candidate programmes
• IM4 Perform alternatives analysis
• IM5 Develop programme plan
• IM6 Develop benefits realisation plan
• IM7 Identify full life cycle costs & benefits
• IM8 Develop detailed programme business case
• IM9 Assign clear accountability & ownership
• IM10 Initiate, plan and launch the programme
• IM11 Manage programme
• IM12 Manage/track benefits
• IM13 Update business case
• IM14 Monitor and report on programme performance
• IM15 Retire programme


Page 65

P3M - Projects, Programs, and Portfolios

[Figure: nested levels of Portfolio Management, Programme Management and Project Management.]

• Portfolio – a suite of business programmes managed to optimise overall enterprise value
• Programme – a structured grouping of projects designed to produce clearly identified business value
• Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget

Page 66

Val IT Relationship between Processes & Practices

[Figure: process flow, with the key management practices each step draws on.]

Value Governance (VG):
• Establish governance framework – VG1-4, 6-7
• Provide strategic direction – VG8
• Establish portfolio parameters – VG5, 9-11

Portfolio Management (PM):
• Maintain resource profile – PM1-5
• Maintain funding profile – PM6
• Evaluate & prioritize investments – PM7-10
• Move selected investments to active portfolio – PM11
• Manage overall portfolio – PM12-13
• Monitor & report on portfolio performance – PM14

Investment Management (IM):
• Identify business req’ts – IM1-2
• Define candidate programme – IM3, 5-7
• Analyse alternatives – IM4
• Document business case – IM8, 13
• Assign accountability – IM9
• Launch programme – IM10
• Manage programme execution – IM11-12
• Monitor & report on programme performance – IM14
• Retire programme – IM15

Page 67

Val IT Initiative ...a value lens into COBIT™

[Figure: COBIT and Val IT side by side, each framed by the four questions "Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits?" and by the IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.]

• COBIT – governance & management of a portfolio of technology projects, services, systems & supporting infrastructure (domains PO, AI, DS, ME)
• Val IT – governance & management of a portfolio of business change programmes (domains VG, PM, IM)

Page 68

Val IT Initiative Status

DONE:
• Framework
• Business Case
• Case Study (initial)

IN PROCESS (1st Qtr. of 2008):
• Extend FW to services & other IT assets/resources & simplify
• Maturity Models
• Management Guidelines
• Taxonomy
• QuickStart Guide

PLANNED:
• Business Case v2.0
• Empirical Analysis
• Benchmarking

Available for free download from: www.isaca.org or www.itgi.org

Page 69

The Business Challenge

Maximizing the value, and reducing the risk, made possible by IT both enables and requires a thorough IT governance approach that:
• Ensures clarity of, and accountability for, the desired outcomes
• Enables understanding of the full scope of effort
• Breaks down the “silos” and “connects the dots”
• Manages the full economic life-cycle
• Senses and responds to changes and deviations

This is a significant leadership challenge, opportunity and responsibility!

Page 70

The RiskIT Initiative

Page 71

RISKIT DESCRIPTION

A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT

A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)

Page 72

RISKIT ACTIONS

• ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)
• Business Case development (October 2007), including:
  - Market survey
  - Feasibility study
  - High-level design of the product/service
  - Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources
  - Define high-level development and roll-out plan
• ITGI Board approved detailed business case and decision to proceed with full project (November 2007)
• RiskIT Task Force members appointed (December 2007)
• First RiskIT Task Force meeting held in Ghent, Belgium on 18-19 January 2008
• First draft RiskIT planned to be issued by December 2008

Page 73

RiskIT Processes & Key Management Practices

[Figure: as of the 19 January 2008 first Task Force meeting in Ghent, Belgium. Components shown: Risk Governance, Risk Management, Risk Monitoring & Reporting, supported by a Glossary, a Risk Inventory and a Risk Repository. High Level Risk Management Guidance drawn on: COSO ERM, AS/NZS 4360, etc.]

Page 74

RISK IT Product Family – Proposed Content & Lifecycle

[Figure: proposed lifecycle, with stages numbered 1 to 4.]

Lifecycle steps shown:
• Define organisation risk culture
• Define risk management principles; set risk appetite (outputs: risk principles; risk tolerance description; risk categories; risk impact categories; risk impact levels; risk/reward loss description; likelihood description)
• Risk event identification; event classification; impact assessment; likelihood assessment; risk mitigation planning; risk monitoring
• Risk reporting, communication and stakeholder management
• Harmonise/interface with other risk management frameworks (at three points in the lifecycle)

Page 75

RELATIONSHIP OF COBIT/VALIT/RISKIT

[Figure: governance cycle between IT Governance and IT Management, showing where Val IT, Risk IT and COBIT fit.]

IT GOVERNANCE
• Set objectives: align business and IT; enable the business and maximise benefits; ensure effective and efficient use of resources; manage IT risk as part of ERM; fulfil compliance requirements
• Provide direction
• Evaluate performance

IT MANAGEMENT
• Translate direction into strategy
• Translate strategy into action: make the business effective; make the business efficient; manage risks (security, reliability & compliance); manage service delivery consistency
• Measure and report performance

Page 76

Certified in the Governance of Enterprise IT (CGEIT)

Page 77

Questions