Evaluation
Audit
Alignment
Steering
Training
Change
IT Governance
Jean-Pierre Palante, Patrick Soenen
19 March 2013
What is [IT] Governance
COBIT 5 - Principles
COBIT 5 - Enablers
COBIT 5 - Implementation
COBIT 5 – BSC / Capability
A world in transition
Leadership & change management
• 7 billion inhabitants today
• 9 billion inhabitants in 2050
• A global middle class that will double within 10 years, reaching 3 billion people
• Considerable challenges: economic, energy, ecological, climate, nutrition
If we continue with our current development model, the survival of the planet is at stake.
• What are the solutions?
– Individual change in the way we live: "Be the change you want to see in the world" (Gandhi)
– Innovation: creative destruction (Joseph Schumpeter, 1883-1950), a "perpetual hurricane" for businesses. Companies that do not adapt quickly enough are replaced by more innovative ones. Companies are changing extremely rapidly; they must be agile.
The three vectors of the agile organisation:
• Rational motivation of human resources -> collective intelligence (human potential)
• Intensive use of new technologies -> response to the organisation's evolution (technological potential)
• Formalised control of continuously improved processes -> optimisation of the means used (efficiency/effectiveness potential)
[Figure: agility at the centre, surrounded by Lean, BPM and ICT (NTIC), with the three vectors: rational motivation of human resources, intensive use of new technologies, continuous configuration of processes]
Challenges in information governance
• Proliferation of information
• BYOD
• Security breaches
• Service interruptions
• Social-network risks
• Privacy
• IT is a key tool in the service of a business strategy
• IT is not an end in itself
• IT needs to be "governed":
– to ensure its alignment with the enterprise strategy
– so that it delivers its full added value
– to control the risks it can generate
– to manage the available resources as well as possible
– to monitor and evaluate its performance
Hence the need for a framework, a reference model, for IT governance.
Corporate Governance provides the structure through which
• the objectives of an organisation are set;
• the means of attaining those objectives are implemented;
• the risks are mitigated;
• and the guidelines for monitoring performance are determined.
Corporate Governance = the set of processes, customs, policies, regulations and management practices affecting the way an organisation is managed and controlled.
[Figure: governance provides structure; objectives, means, mitigate risks, monitor performance]
IT Governance delivers value to the business by
• aligning IT and enterprise/business objectives;
• ensuring that IT resources are used in an optimal way;
• ensuring that IT risks are mitigated;
• measuring IT performance (through a Balanced Scorecard).
IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk versus return over IT and its processes.
Stakeholders and their concerns
Internal stakeholders and their concerns
• Board, executive and business managers: How do we define the business direction for IT, deliver value and manage risks?
• IT manager: How do we deliver IT services as required by the business and directed by the board?
• Risk and compliance manager: How do we ensure that policies, regulations and laws are complied with, and that new risks are identified?
• IT auditor: How do we provide independent assurance of IT value delivery and risk mitigation?
External stakeholders and their concerns
• External auditor: I need to know whether or not the automated banking reconciliation system works in order to clear the audit.
• Regulators: How can we be assured that the organisation has a business continuity plan? If it does not, regulators may retract the banking licence.
• Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?
• Customers: I need you to keep my banking details secure on your computer system.
Enterprises and their executives strive to:
• maintain quality information to support business decisions;
• generate business value from IT-enabled investments, i.e. achieve strategic goals and realise business benefits through effective and innovative use of IT;
• achieve operational excellence through reliable and efficient application of technology;
• maintain IT-related risk at an acceptable level;
• optimise the cost of IT services and technology.
How can these benefits be realised to create enterprise stakeholder value?
COBIT – Control Objectives for Information and related Technologies
COBIT® is an evolutionary framework derived from 15 years of input by international IT, business, security, risk, assurance and consulting professionals into what an IT governance and management framework must provide. COBIT 5 was released in April 2012.
ISACA: the professional organisation for IT professionals that publishes COBIT.
COBIT 5 is based on 5 principles:
Principle 1 – Meeting stakeholder needs
• Enterprises exist to create value for their stakeholders
• Value creation: realising benefits at an optimal resource cost while optimising risk.
Principle 2 – Covering the enterprise end-to-end
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective;
• Governance enablers comprise the organisational resources for governance and the enterprise resources;
• Governance scope comprises the whole enterprise;
• Governance roles (RACI): who is involved, how they are involved, what they do, how they interact.
Principle 3 – Applying a single integrated framework
• Provides a simple architecture for structuring guidance materials and producing a consistent product set.
Principle 4 – Enabling a holistic approach
• COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
Principle 5 – Separating governance from management
• A clear distinction between governance and management.
• Governance (EDM) ensures that stakeholder needs are:
– Evaluated, to determine balanced enterprise objectives to be achieved;
– Directed, through prioritisation and decision making;
– Monitored, for performance, compliance and progress against objectives.
• Management plans, builds, runs and monitors activities (PBRM).
The 7 IT governance enablers
• COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT: principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; people, skills and competencies.
Enabler 1: Principles, Policies and Frameworks
• They are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values as defined by the board and executive management.
• A limited number of principles, i.e. general guidelines.
• Policies are more detailed guidance on how to put principles into practice.
• Policies should have a mechanism (framework) in place through which they can be effectively managed.
Enabler 2: Processes
• A detailed reference guide to the processes defined in the COBIT 5 process reference model.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
[Figure: COBIT 5 process reference model]
Enabler 3: Organisational structures
Good practices for organisational structures:
• Operating principles – the practical arrangements regarding how the structure will operate, such as meeting frequency, documentation and other rules.
• Span of control – the boundaries of the organisational structure's decision rights.
• Level of authority – the decisions that the structure is authorised to take.
• Delegation of responsibility – the structure can delegate a subset of its decision rights to other structures reporting to it.
• Escalation procedures – the escalation path for a structure describes the required actions in case of problems in making decisions.
Enabler 4: Culture, Ethics and Behaviour
Good practices for creating, encouraging and maintaining desired behaviour:
• Code of ethics: communication throughout the enterprise of desired behaviours and corporate values.
• Awareness of desired behaviour, strengthened by senior management example.
• Incentives to encourage, and deterrents to enforce, desired behaviour: HR payment and reward schemes.
• Rules and norms which provide more guidance.
• Values by which the enterprise wants to live.
• Individual behaviours which collectively determine the culture of the enterprise:
– behaviour towards risk taking;
– behaviour towards the enterprise's principles and policies;
– behaviour towards negative outcomes, e.g. loss events.
Enabler 5: Information
7 key information criteria
• Effectiveness: deals with information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality (security): concerns the protection of sensitive information from unauthorised disclosure.
• Integrity (security): relates to the accuracy and completeness of information, as well as to its validity in accordance with business values and expectations.
• Availability (security): relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
Confidentiality, integrity and availability together form the SECURITY group of criteria.
Enabler 6: Services, Infrastructure and Applications
The five architecture principles that govern the implementation and use of IT-related resources:
• Reuse – common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures.
• Buy vs. build – solutions should be purchased unless there is an approved rationale for developing them internally.
• Simplicity – the enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements.
• Agility – the enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner.
• Openness – the enterprise architecture should leverage open industry standards.
Enabler 7: People, Skills and Competencies
• Described by different skill levels for different roles.
• Defining skill requirements for each role.
• Mapping skill categories to COBIT 5 process domains (APO, BAI, etc.).
COBIT 5 – Implementation
The implementation lifecycle asks, in turn:
• What are the drivers?
• Where are we now and where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there?
• How do we keep the momentum going?
[Figure: implementation lifecycle; label "Challenges to success"]
From business to IT balanced scorecard
User perspective
• Adequate systems delivery to the business
• Deliver good service: conformity to the service level agreements (SLA)
• An IT-user partnership
• IT service quality
Business contribution
• Align: contribution to the strategic objectives
• Deliver value: adequate IT project and investment management
• Manage cost: IT expense management
• Manage risks: risk mitigation
Operational excellence
• Effective IT operations
• User support effectiveness
• Excellence of IT processes
• Effective and efficient systems development
• Information secured
• Service continuity
Future orientation
• IT staff competency
• IT staff experience within the organisation
• Renewal of the application portfolio
• Service capacity improvement
• Evaluation of emerging technologies
Process capability levels
• Level 0 – Incomplete process: the process is not implemented or fails to achieve its purpose.
• Level 1 – Performed process (PA 1.1 Process performance attribute): the process is implemented and achieves its process purpose.
• Level 2 – Managed process (PA 2.1 Performance management attribute; PA 2.2 Work product management attribute): the process is managed and work products are established, controlled and maintained.
• Level 3 – Established process (PA 3.1 Process definition attribute; PA 3.2 Process deployment attribute): a defined process is used, based on a standard process.
• Level 4 – Predictable process (PA 4.1 Process measurement attribute; PA 4.2 Process control attribute): the process is enacted consistently within defined limits.
• Level 5 – Optimising process (PA 5.1 Process innovation attribute; PA 5.2 Process optimisation attribute): the process is continuously improved to meet relevant current and projected business goals.
Speaker note 5 on slide 34 (Jean-Pierre Palante, 11/03/2013): I can prepare examples.
Leadership:
• The true leader is the one for whom people want to commit with all their energy
• They inspire and unite people around a common project
• They bind together and carry their teams along
• They develop their teams through guidance, example and coaching
To be a good leader:
Intellectual quotient, but also...
Emotional quotient: the ability to perceive and express emotions, to integrate them to facilitate thought, to understand and reason with emotions, and to regulate emotions in oneself and in others (Mayer & Salovey, 1997)
The capacity for empathy and "resonance" with oneself and one's surroundings
Spiritual quotient: the capacity to access the highest levels of meaning, values and motivation, as well as one's own unconscious, and to integrate these elements into a richer and more creative life (Danah Zohar: http://dzohar.com)
The capacity to find or nourish one's personal motivation (and that of others) in the creation of Meaning and the expression of Ethics.
Management versus leadership:
Management | Leadership
Certainty | Trust
Command | Sharing
Control | Co-production
Communication | Discussion
Communication: shares a given vision
Discussion: creates a shared vision
The symbolism of the brick wall:
Bricks: technologies, processes, accounting, ...
Mortar: the men and women who make up the enterprise
Without the human aspect, the wall collapses...
The enterprise faces unprecedented challenges
It must produce innovative, high-quality products and services with increasingly limited material and human resources.
• IT can help meet this challenge
provided that the organisation is aware of the changes to be made.
Human nature does not like change, a source of the unknown and therefore of many fears.
Change must therefore be framed and supported.
To do this...
• Make the teams aware of the urgency of the need to change the way they work.
• Listen to their fears and reassure them as far as possible.
• Find advantages generated by the changes for the workers themselves.
• Define (SMART) objectives that allow some rapid progress (quick wins).
• Launch pilot projects to validate the feasibility and soundness of the new working methods and convince staff of the value of the change.
• Celebrate the successes achieved and recognise the people who obtained them.
• Plan the change so that it is fast enough for results to become visible quickly, while leaving staff the time to adapt and still allowing them to deliver the work assigned to them.
Jean-Pierre Palante, +32.478.32.26.99, [email protected]
Patrick Soenen, [email protected]
Champ des Pétrales 6, 1332 Genval
www.qap.eu