Christian Feldbech Nissen

Page 1: Christian feldbech nissen
Page 2

itSMF Danmark 2015

Ten steps towards Governance of IT

Christian F. Nissen, CFN People, Denmark

© 2015 of CFN People unless otherwise stated

ITIL®, PRINCE2®, MSP®, MoP®, MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries

COBIT®, Val IT®, Risk IT® and “Taking Governance Forward” are registered trademarks of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

Page 3

Why IT governance?


Page 4


Agenda

The basics

Governance means

1. Decision making

2. Organizational structures

3. Roles and responsibilities

4. Process framework

5. Strategy and goals management

6. Risk management

7. Control objectives

8. Portfolio management

9. Management of suppliers, contracts and agreements

10. Financial model

Governance approaches


Page 5

Governance – the basics

Definition?

“Governance of IT ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”

ISACA, 2012

MANAGEMENT of MANAGEMENT

Christian F. Nissen


Page 6

Governance – the basics

Figure: an asset seen from three sides: as a system (the architecture/configuration of resources), as a value, and as a lifecycle.

An asset represents an investment !!!

Page 7

Governance – the basics

Why?

Figure: governance of an asset aims to
Optimize resources
Maximize return on investment
Optimize risk
Meet preference

Page 8

Governance – the basics

Who?

How?

Figure: the owner delegates to a governance body, which is accountable to the owner. The governance body evaluates, directs and monitors; management reports back to it, and runs operation and execution through a plan-do-check-act cycle.

Page 9

Governance – the basics

What?

❍ Principles, policies and plans (boundaries, principles, policies, decision models, strategies, plans, etc.)

❍ Goals (performance and outcome goals)

❍ Controls (control objectives, requirements, agreements, etc.)

❍ Resources (money, time, competencies, skills, etc.)

When?

Figure: the need for governance grows with the asset's value and with the complexity of the asset (system/lifecycle).

Page 10


Governance – seize the moment

Triggers for Governance initiatives (‘stolen’ from the COBIT 5 Implementation Guide)

Merger, acquisition or divestiture

A shift in the market, economy or competitive position

Change in business operating model or sourcing arrangements

New regulatory or compliance requirements

Significant technology change or paradigm shift

An enterprisewide governance focus or project

A new CIO, chief financial officer (CFO), chief executive officer (CEO) or board member

External audit or consultant assessments

A new business strategy or priority


Page 11 (agenda, repeated)


Page 12

Ten steps towards Governance of IT

Figure: the decision archetypes (Business monarchy, IT monarchy, Feudal, Federal, IT duopoly, Anarchy) mapped against the decision domains (Principles, Architecture, Supporting services, Customer facing services, Investments), surrounded by the ten governance means:

1. Decision model
2. Organizational structures
3. Roles
4. Processes
5. Goals and metrics
6. Risks
7. Controls and maturity
8. Portfolio
9. Agreements
10. Financial models

Page 13


Decision modelling

Table (template, cells empty on the slide): rows are the decision archetypes (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy); columns are the decision domains (IT Principles, IT Architecture, Supporting services, Customer facing services, IT Investments), each split into Input (who provides input) and Decision (who decides).

Peter Weill & Jeanne W. Ross (2004)


Page 14

Decision model

Responsibility | IT principles | IT architecture | Supporting services | Customer facing services | IT investments
Initiative | The owner of the principle | Architecture | IT | LoB (approved by budget owner) | IT
Develop basis for decisions (business case) | IT Architecture | IT | IT | Business Relationship Manager | IT
Consult | IT Steering Committee | IT | IT | IT | IT Steering Committee
Decision (strategic or tactical) | Board of Directors | Board of Directors | Board of Directors | Board of Directors | Board of Directors
Decision (operational) | IT | IT | Local IT committee | (cell not recoverable) | (cell not recoverable)
Implementation and follow-up | IT | Board of Directors | Board of Directors | System owner | IT
Monitoring and control | IT Steering Committee | IT | IT | IT | IT Steering Committee
Documentation and communication | IT Architecture | IT | Project documentation or SLAs | Minutes | (cell not recoverable)

(Cells marked "not recoverable" were blank or lost in extraction; the remaining cells are placed in the order they appear on the slide.)

Page 15


IT governance forums


Board of directors

Senior management

Business executives

IT management

Technology council

IT architecture review board

IT Steering committee

IT strategy committee


From ISACA’s “Board Briefing on IT Governance”

Page 16


IT governance organization


Figure (labels translated from Danish):

GOVERNANCE: Group management (strategic direction; frame; prioritisation criteria), Investment committee (investment prioritisation), IT portfolio steering group

MANAGEMENT: PMO (consolidation), Steering group, Projects, Agencies

Flows shown between them: project proposals from the business; draft portfolio; prioritised portfolio; resources; budget proposal; operating appropriation; reporting

Page 17


Roles and responsibilities for IT Governance

Enterprise, entity and asset roles:

Owner (e.g. Change Management process owner or project sponsor)

Governor (e.g. Change Management process delegate or project steering committee)

Manager (e.g. Change Manager or project manager)


Roles, Activities and Relationships

Figure: Owners and Stakeholders delegate to the Governing Body, which is accountable to them. The Governing Body sets direction for Management and monitors it; Management instructs and aligns Operations and Execution, which report back; Management in turn reports to the Governing Body.

ISACA, COBIT 5

Page 18


Figure: roles across the IT organisation. Each process has a Process Owner; each service line has a Service Owner and a Service Manager. Across the lines sit the Business Relationship Manager (BRM, towards the Business), the Supplier Relationship Manager (towards the Suppliers), the Service Portfolio Manager, the Service Catalogue Manager, the Service Level Manager and the Service Solution Architect.

Page 19

Process integration


Figure: Change Management between the IT organisation and its suppliers in three variants: integrated (one shared process), replicated (each side runs its own copy of the process), and referenced (the supplier's process is referenced through SLM).

Page 20

Process Reference Model

ISACA, COBIT 5

Page 21

Unified RACI – in a SIAM environment

Value stream: Detect to correct. Roles: Business (User; Business manager), SIAM (Process owner; Incident Manager; Service level manager), Supplier 1 (1st line analyst; 2nd line analyst), Supplier 2 (1st line analyst; 2nd line analyst).

Activity | User | Business manager | Process owner | Incident Manager | Service level manager | Supplier 1 1st line | Supplier 1 2nd line | Supplier 2 1st line | Supplier 2 2nd line
Prepare, communicate and train policies and procedures | I | R | A | R | C | C | C | C | C
Identify and qualify incident | cells as extracted (column positions lost): C R A C
Raise incident with all relevant details / impact | cells as extracted (column positions lost): R I A C I
Accept, categorise and prioritise incident | cells as extracted (column positions lost): I A R C
Assign incident | cells as extracted (column positions lost): A R R I I I
Investigate incident / execute model | cells as extracted (column positions lost): A C R I I I
. . .

R = responsible, A = accountable, C = consulted, I = informed
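A RACI matrix is only useful if it is well formed: exactly one accountable role per activity, at least one responsible role, and one cell per role. The following is an added example, not code from the slides or from CFN People, that checks those rules. The first row is the complete row from the slide; the two rows marked "Constructed" are invented to show the checks failing. The role list follows the column headings on the slide.

```python
# Added example: validate a RACI matrix against the usual well-formedness rules.
# The role list and the first row come from the slide; the "Constructed" rows are
# invented to demonstrate the checks and are not part of the original page.
from dataclasses import dataclass

ROLES = [
    "Business/User", "Business/Business manager",
    "SIAM/Process owner", "SIAM/Incident Manager", "SIAM/Service level manager",
    "Supplier 1/1st line analyst", "Supplier 1/2nd line analyst",
    "Supplier 2/1st line analyst", "Supplier 2/2nd line analyst",
]

# Activity -> one cell per role; "" means the role is not involved.
RACI = {
    "Prepare, communicate and train policies and procedures":
        ["I", "R", "A", "R", "C", "C", "C", "C", "C"],
    "Constructed: two accountable roles":
        ["", "", "A", "A", "", "R", "", "", ""],
    "Constructed: nobody responsible":
        ["I", "", "A", "", "", "", "", "", ""],
}


@dataclass(frozen=True)
class Finding:
    activity: str
    problem: str


def validate_raci(matrix: dict, roles: list) -> list:
    """Return one Finding per rule violation; an empty list means the matrix is well formed.

    Rules: the row has one cell per role; every cell is R, A, C, I or blank;
    exactly one role is accountable (a single owner for the activity);
    at least one role is responsible (someone actually does the work)."""
    findings = []
    for activity, cells in matrix.items():
        if len(cells) != len(roles):
            # A row whose cells were lost (as happens in extraction) is caught here
            findings.append(Finding(activity, f"{len(cells)} cells for {len(roles)} roles"))
            continue
        unknown = [c for c in cells if c not in ("R", "A", "C", "I", "")]
        if unknown:
            findings.append(Finding(activity, f"unknown codes {unknown}"))
        accountable = [r for r, c in zip(roles, cells) if c == "A"]
        if len(accountable) != 1:
            findings.append(Finding(activity, f"{len(accountable)} accountable roles: {accountable}"))
        if "R" not in cells:
            findings.append(Finding(activity, "no responsible role"))
    return findings


if __name__ == "__main__":
    for f in validate_raci(RACI, ROLES):
        print(f"{f.activity}: {f.problem}")
```

Run as-is it reports the two constructed rows and nothing for the row taken from the slide.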


Page 22

Service based strategy


Strategic position
Stakeholders, environment (PESTEL), market and competition (five forces), capabilities (SWOT), etc.

ITSM as a strategic asset
Business strategy and requirements
IT Service Management vision
IT Service Management mission
IT Service Management goals and success factors
IT Service Management governance

Service strategy
Service portfolio management (business alignment, investments, relations and sourcing)
Services strategy (utility and warranty)
Service design criteria or principles
Pricing and charging

Service Management strategy (resources and capabilities)
Change of attitude, behavior, skills and competences
Process improvement, automation and governance
Knowledge management
Organizing (organization, functions, jobs, roles)
Leadership development
Partner management
Investments in and management of infrastructure, applications, integration and data
Tool support
Cost models and funding

Execution
Roadmap


Page 23

Goals cascade


Enterprise goals

IT-service goals

Enabler goals

ISACA, COBIT 5

Page 24

Service based strategy


Figure: the strategy process, from the base upwards:
Shared understanding of the situation
IT vision, mission and overall strategy
Breakdown into IT sub-strategies
Definition of capability-building strategies
Establish strategy master plan

Page 25


IT risk management

Risks may be managed in a cross-organizational risk register


Figure: assets, threats and vulnerabilities feed the analysis; the analysis yields risks; countermeasures provide the mitigation.

Page 26


Control objective types

Type | Purpose | Example
Directive | Provide guidance on required behaviour | Policies and procedures
Preventive | Deter noncompliance with directive controls | Training programs, penalty and reward systems
Compensating | Make up for a lack of controls elsewhere | Alternative or backup procedures
Detective | Uncover violations of internal control procedures | Random checks of compliance
Corrective | Correct problems after discovery | Training programs and penalty systems

ISACA, COBIT 5

Page 27

Processes and control objectives


Figure: legislation, standards, contracts, the risk register and other sources pass through a filter into a consolidated control objective repository. On the governance side the repository drives policies; on the management side it drives processes and procedures.

Page 28

Control register


Columns (translated from Danish): Priority | ID | COBIT Practice | COBIT Practice description | Control | Control objectives | Supervision and reporting

Entry 1

Priority: 1
ID: BAI06.01
COBIT Practice: Evaluate, prioritise and authorise change requests.
COBIT Practice description: Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritised, categorised, assessed, authorised, planned and scheduled.
Control: Evaluate, prioritise and approve changes. Evaluate all requests for change to determine the consequences for business processes and IT services, and to assess whether the change will affect the operational environment and introduce unacceptable risk. Ensure that changes are registered, prioritised, categorised, assessed, approved, planned and implemented.
Control objectives:
- An up-to-date and known change management process must exist, covering registration, prioritisation, categorisation, assessment, approval, planning and implementation of IT-related changes
- The change management process must cover all organisational changes, changes to business processes, and changes to IT services, systems and infrastructure that may affect information security
- Policies and guidelines must exist for software changes, hardware changes and changes to deliveries and services from suppliers
- All changes covered by the change management process must follow the process
Supervision and reporting: Reporting, annually. 2016: the change management process, including policies, guidelines, roles and activities, is documented and rolled out. 2017: in spot checks of selected changes to infrastructure and applications, registered and approved change requests must exist for every sampled change. If the target is not met, the institution is required to prepare an action plan with a suitably short deadline.

Entry 2

Priority: 1
ID: BAI07.04
COBIT Practice: Establish a test environment.
COBIT Practice description: Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads.
Control: Establish a test environment. Establish secure test environments that are representative of the enterprise's business processes and production environments. Take account of performance and capacity, security, internal control, operational practices, data quality, privacy and workloads.
Control objectives:
- Development, test and production environments must be separated
- Development environments must be secured so that unintended overwrites cannot occur
- If test data contains confidential information, it must be protected in the same way as in production
Supervision and reporting: Reporting, annually. The institution must account for the number of environments, how they are separated and how they are protected. The target is 100 %, meaning no deviation from any of the control objectives in any environment. If the target is not met, the institution is required to prepare an action plan with a suitably short deadline.
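The 2017 test for entry 1 is a detective control: draw a sample of changes to infrastructure and applications and confirm that every one is traceable to a registered, approved change request. The block below is an added example of how such a check can be scripted; it is not code from the slides or from CFN People. The deployment log, the RFC register, the field names and the status values are all constructed for the example.

```python
# Added example: spot-check deployed changes against the change request (RFC)
# register, as the 2017 target for control BAI06.01 on the slide requires.
# All records, field names and status values below are constructed assumptions.
from __future__ import annotations
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    target: str              # "infrastructure" | "application" | something else
    rfc_id: Optional[str]    # RFC referenced in the deployment record, if any


@dataclass(frozen=True)
class Rfc:
    rfc_id: str
    status: str              # "approved" | "pending" | "rejected"


# Constructed deployment log and RFC register (not from the page).
CHANGES = [
    Change("CHG-1001", "infrastructure", "RFC-51"),
    Change("CHG-1002", "application",    "RFC-52"),
    Change("CHG-1003", "application",    None),       # deployed with no RFC at all
    Change("CHG-1004", "infrastructure", "RFC-99"),   # references an RFC nobody registered
    Change("CHG-1005", "infrastructure", "RFC-53"),   # RFC exists but was never approved
    Change("CHG-1006", "documentation",  None),       # outside the scope of this check
]
RFCS = [Rfc("RFC-51", "approved"), Rfc("RFC-52", "approved"), Rfc("RFC-53", "pending")]


def in_scope(changes: list[Change]) -> list[Change]:
    """The control samples changes to infrastructure and applications only."""
    return [c for c in changes if c.target in ("infrastructure", "application")]


def draw_sample(changes: list[Change], size: int, seed: int) -> list[Change]:
    """Random sample with a recorded seed so the auditor can reproduce the draw."""
    pool = in_scope(changes)
    return random.Random(seed).sample(pool, min(size, len(pool)))


def deviations(sample: list[Change], rfcs: list[Rfc]) -> dict[str, str]:
    """Map change_id -> reason for every sampled change that lacks an approved RFC."""
    register = {r.rfc_id: r.status for r in rfcs}
    out: dict[str, str] = {}
    for c in sample:
        if c.rfc_id is None:
            out[c.change_id] = "no RFC linked"
        elif c.rfc_id not in register:
            out[c.change_id] = f"{c.rfc_id} not registered"
        elif register[c.rfc_id] != "approved":
            out[c.change_id] = f"{c.rfc_id} is {register[c.rfc_id]}, not approved"
    return out


def target_met(sample: list[Change], rfcs: list[Rfc]) -> bool:
    """The slide's target: registered and approved RFCs for all sampled changes."""
    return not deviations(sample, rfcs)


if __name__ == "__main__":
    sample = draw_sample(CHANGES, size=3, seed=2017)
    for change_id, reason in deviations(sample, RFCS).items():
        print(f"{change_id}: {reason}")
    print("target met:", target_met(sample, RFCS))
```

Recording the seed together with the sample size turns the spot check into evidence: the same draw can be repeated by the auditor, and the three failure modes (no RFC, unregistered RFC, unapproved RFC) are reported separately so the action plan can address each.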


Page 29

The purpose of portfolio management

To protect and optimize the value of investments (VOI) in IT assets

IT Assets

Projects and Programs

Services

Applications

Information and data

Technologies

Customers / relationships

People

Processes

Financial assets

IPR / Patents


Page 30


Portfolio Management

A Portfolio

A set of assets that are managed by an organization. Supports management of investments in the assets.

A Portfolio clarifies:

1. Value of each asset in the portfolio
2. Internal relations between assets
3. Criticality of each asset in the portfolio
4. Investments in the asset: how should resources be allocated?
5. Asset strategies and priorities


Page 31

IT service portfolio

Figure: the service stack, from facilities up to the desktop:
Data Center and Facilities Services
Communication and Network Services
Database Services
Integration Services
Server Hosting Services
Storage Services
Backup Services
Print Services
Application Platform Services
Application Management
Application Services
Desktop Services

Business units served (columns): Sales, Operation, Retail, Finance, . . .
Lifecycle stages: Req. Man., Design, Develop., Test, . . .
Cross-cutting services (vertical bands): Identity Management Services, Monitoring Services, Security and Compliance Services, End User Support Services

Page 32

Service orchestration


Figure: services delivered by Corporate IT, Local IT and External providers make up a Global Service Portfolio. From it, services are bundled into service packages (1a, 1b, 2, 3) with service level packages and offered to the local LOB as Services A, B and C, each under its own Service Level Agreement.

Page 33


SLA Framework - Multilevel SLA

Corporate level SLA
    Customer level SLA: Customer 1
        Service specific level SLA: Service A
        Service specific level SLA: Service B
    Customer level SLA: Customer 2
        Service specific level SLA: Service A
        Service specific level SLA: Service C


Page 34

SLA content - warranties

Warranty covers:
Availability: Service Availability, Service Performance, Service Support
Capacity: Capacity
Security: IT Security Management, Compliance
Continuity: Backup, Restore
Agreed Service Time: Service hours, Support hours, Service provider maintenance windows, Customer maintenance windows, Backup windows

Page 35

Service level objective - example

Attribute | Example
Service Level Objective | Incident resolution time
Description | Percentage of Incidents resolved within target resolution time, by priority. Resolution time is the total time used to resolve an Incident, from logging of the incident to the resolution (when the user is satisfied with the resolution), except for time ‘waiting for user’.
Specification | Share of Incidents where (minutes from Incident recording to resolution) minus (minutes waiting for user) is at most the target in minutes
Measurement Frequency | Monthly
Correlation rule | n/a

Service Level Option | Gold | Silver | Bronze
Service Level Target | Priority 1: 8h; Priority 2: 16h; Priority 3: 2d; Priority 4: 5d | Priority 1: 8h; Priority 2: 36h; Priority 3: 5d; Priority 4: agreed per case | Priority 1: 12h; Priority 2: 48h; Priority 3: 8d; Priority 4: agreed per case
Quantile | 0.95 | 0.95 | 0.95
Danger value | 0.975 | n/a | n/a
Pre-requisite | < 20,000 Incidents per month; access to customer representative | < 50,000 Incidents per month | n/a
Pre-conditions | Depends on service x | Depends on service x | Depends on service x
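The measurement behind this objective is easy to get wrong in two places: the ‘waiting for user’ time must be subtracted before comparing with the target, and the quantile is a share of incidents per priority, not an average time. The block below is an added example, not code from the slides or from CFN People, that computes the objective from incident records. Its targets are the Gold/Silver/Bronze values on the slide; the incidents are constructed; a target of "d" is assumed to mean 24 hours, and "agreed per case" targets are modelled as None and left out of the measurement. The slide's danger value is not modelled, as its semantics are not defined on the page.

```python
# Added example: incident-resolution SLO attainment with waiting-for-user time
# excluded. Targets are from the slide; incidents and the 24-hour reading of "d"
# are assumptions for the example.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TARGET_HOURS = {                      # from the Gold/Silver/Bronze columns
    "Gold":   {1: 8,  2: 16, 3: 2 * 24, 4: 5 * 24},
    "Silver": {1: 8,  2: 36, 3: 5 * 24, 4: None},   # P4 "agreed per case"
    "Bronze": {1: 12, 2: 48, 3: 8 * 24, 4: None},
}
QUANTILE = 0.95                       # required share within target, all options


@dataclass
class Incident:
    ident: str
    priority: int
    logged: datetime
    resolved: datetime
    waiting_for_user: list[tuple[datetime, datetime]] = field(default_factory=list)

    def net_resolution_minutes(self) -> float:
        """Minutes from logging to resolution, minus minutes spent waiting for the user."""
        waiting = timedelta()
        for start, end in self.waiting_for_user:
            # Clamp each waiting interval to the incident's lifetime so a sloppy
            # record cannot push the net time below zero.
            start, end = max(start, self.logged), min(end, self.resolved)
            if end > start:
                waiting += end - start
        return (self.resolved - self.logged - waiting).total_seconds() / 60


def slo_report(incidents: list[Incident], option: str) -> dict[int, dict]:
    """Per priority: incidents within target, total measured, attained share, and
    whether the share reaches QUANTILE. Priorities without a target are skipped."""
    targets = TARGET_HOURS[option]
    counts: dict[int, list[int]] = {}
    for inc in incidents:
        target = targets.get(inc.priority)
        if target is None:
            continue
        c = counts.setdefault(inc.priority, [0, 0])
        c[0] += inc.net_resolution_minutes() <= target * 60
        c[1] += 1
    report = {}
    for prio, (within, total) in sorted(counts.items()):
        share = within / total
        report[prio] = {"within": within, "total": total, "share": share, "met": share >= QUANTILE}
    return report


def build_sample() -> list[Incident]:
    """Constructed data: 40 P1 incidents with one breach, and two P2 incidents that
    differ only in whether 10 of their 24 elapsed hours were waiting for the user."""
    t0 = datetime(2015, 3, 2, 9, 0)
    incidents = []
    for i in range(40):
        logged = t0 + timedelta(days=i % 20, hours=i % 3)
        hours = 10 if i == 7 else 7       # 10 h breaches the Gold P1 target of 8 h
        incidents.append(Incident(f"INC-{i:04d}", 1, logged, logged + timedelta(hours=hours)))
    incidents.append(Incident("INC-P2-A", 2, t0, t0 + timedelta(hours=24),
                              waiting_for_user=[(t0 + timedelta(hours=2), t0 + timedelta(hours=12))]))
    incidents.append(Incident("INC-P2-B", 2, t0, t0 + timedelta(hours=24)))
    return incidents


if __name__ == "__main__":
    for option in TARGET_HOURS:
        print(option, slo_report(build_sample(), option))
```

On the constructed data, Gold meets the P1 objective (39 of 40, share 0.975) but fails P2 (1 of 2): INC-P2-A passes only because its 10 waiting hours are excluded, INC-P2-B does not. The same P2 incidents both pass under Silver's 36-hour target, which is the sort of comparison a customer choosing a service level option needs to see.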


Page 36

Multi-sourcing – integration and management


Figure: four placements of the SIAM (service integration and management) function between the Business and the providers (Internal IT, Supplier 1, Supplier 2):

1. Separate function (Client)
2. Business function (Client)
3. IT function (Client)
4. Outsourced function (Supplier)


Page 37


Financial means

Power follows money:

Organization based costing

Project based costing

Activity based costing

Service based costing

. . .


Page 38


Cost model – service based costing

Cost elements: Hardware, Software, Employment, Accommodation, External Service, Transfer

Each cost element is either a direct cost or an indirect cost. Indirect costs are split into absorbed indirect costs (allocated to specific services) and unabsorbed indirect costs (not allocatable to any one service).

Absorbed costs = direct costs + absorbed indirect costs
Uplift X % = unabsorbed indirect costs / absorbed costs × 100 %
Total cost of IT service = absorbed costs + X % uplift


Page 39


Charging

Pricing Methods

Cost, Cost-plus, Going rate, Market rate, Fixed price

Charging policy

No charging

Notional Charging

Charging


Page 40


Agenda

The basics

Governance means

1. Decision making

2. Organizational structures

3. Roles and responsibilities

4. Process framework

5. Strategy and goals management

6. Risk management

7. Controls and maturity

8. Portfolio management

9. Management of suppliers, contracts and agreements

10. Financial model

Governance approaches


Page 41


Governance approaches


Page 42


Three approaches to Governance

Plan, design and implement
Belief: IT management practices can be designed, implemented and managed
The role of Best Practice: A cookbook or ideal model
The role of the consultant: Guru

Common language and continual improvement
Belief: IT management practices are social constructions that can be managed and improved through continuous incremental improvement cycles
The role of Best Practice: Common language and inspiration
The role of the consultant: Facilitator

Emergence, co-creation and communities of practice
Belief: IT management practices cannot really be managed; they emerge over time through complex responsive processes
The role of Best Practice: Narrative or propositional themes that organize experience (a myth, ideology or virus)
The role of the consultant: Disturber


Page 43


Cynefin


David Snowden, 2002, 2007, 2014

Figure: the Cynefin framework
Simple/obvious: Sense, Categorize, Respond; Best Practice
Complicated: Sense, Analyze, Respond; Good Practice
Complex: Probe, Sense, Respond; Emergent Practice
Chaotic: Act, Sense, Respond; Novel Practice
Disorder: the centre, where it is not yet clear which domain applies
Complacency: the fall from the simple/obvious domain into the chaotic one

Page 44


Questions


Page 45

Christian F. Nissen

[email protected]

+45 40 19 41 45

www.cfnpeople.com
