IT Governance: A Framework and Implementation Guide Marios Damianides Ernst & Young LLP ISACA Membership Drive April 20, 2006 –New Orleans, Louisianna 1 Agenda • • IT governance defined IT governance defined • • IT governance focus areas: theory IT governance focus areas: theory and practice and practice • • Roles and responsibilities for IT Roles and responsibilities for IT governance governance • • Implementation guidelines Implementation guidelines • • ITGI market research findings ITGI market research findings • • Top 10 Questions to ask Top 10 Questions to ask 2 Board Briefing on IT Governance, 2 nd Edition IT Governance Global Status Report 2003 and 2006 www.itgi.org Sources 3 Increasing Expectations of IT Function Cost Value • Cost-efficiency • Higher ROI • Reactive risk management • Implement regulatory requirements, e.g.: -Sarbanes-Oxley -HIPAA -Etc. • Decision support • IT governance & management • Financial reporting • Manage enterprise risk (ERM) • Transparent disclosure • Converged security • Program assurance • ROI • Value creation -New business -Competitive advantage • Project to process approach to regulatory requirements •CEO •Board of Directors •CFO •Audit Committee •COO •Shareholders •Head of IA •Regulators •Directors •Capital Markets •Business Partners •Employees •Others Internal & External Stakeholders Pre-1990s 1990s 2006—Post-Sarbanes-Oxley 4 IT Governance Global Status Report: Problems with IT (CPI) 44 60 72 74 81 85 88 117 0 50 100 150 IT not meeting compliance requirements Security/privacy incidents Disconnect business/IT strategies Outsourcing problems No view on IT performance Operational IT incidents High cost/low ROI IT staffing problems 5 IT Governance Global Status Report: Status of IT Governance Implementation 0%10%20%30%40%50%60%70%80%90%100 % Active management of ROI of IT Actual performance measurement of IT IT risk management IT value delivery aiming at a higher product or service leadership or innovation Costs IT value delivery aiming at better customer relationships IT resource management, meaning people, systems or financials Alignment between IT strategy and overall strategy Not considering implementing Considering implementing Implementing now Have implemented 6 The IT Governance Solution S t r a t e g i c A l i g n m e n t IT Governance V a l u e D e l i v e r y R e s o u r c e M a n a g e m e n t Risk Management P e r f o r m a n c e M e a s u r e m e n t 0%10%20%30%40%50%60%70%80%90%100 % Active management of ROI of IT? Actual performance measurement of IT? IT Risk Management? IT Value Delivery aiming at a higher product or service leadership or innovation? Costs? IT Value Delivery aiming at better customer relationships? IT resource management, by which we mean people, systems or financials? Alignment between IT strategy and overall strategy? Not considering implementation Considering implementation Implementing now Have implemented 7 Why Now? • • Australia: Corporate Law Economic Reform Australia: Corporate Law Economic Reform Program (CLERP 9) Program (CLERP 9) • • Proposed EU legislation to enforce international Proposed EU legislation to enforce international audit standards, create a registration regime and audit standards, create a registration regime and a regulatory body a regulatory body • • EU Data Protection Act EU Data Protection Act • • Basel II Basel II • • Canadian Privacy Act Canadian Privacy Act • • Canadian Securities Administrators Regulation Canadian Securities Administrators Regulation • • Health Insurance Portability and Accountability Health Insurance Portability and Accountability Act (US) Act (US) • • Sarbanes Sarbanes - - Oxley Act (US) Oxley Act (US) 8 IT Governance Defined “ IT governance IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisationalstructures and processes that ensure that the organisation’sIT sustains and extends the organisation’s strategies and objectives.” Board Briefing on IT Governance, 2 nd Edition IT Governance Institute www.itgi.org 9 IT Governance Focus Areas S t r a t e g i c A l i g n m e n t IT Governance Strategic Alignment • Linking business and IT plan • Defining, maintainingandvalidatingthe IT value proposition • Aligning IT operationswith the enterprise operations • Addingvalue andcompetitivepositioning to theenterprise’sproductsandservices • Containingcostswhileimproving administrative efficiencyandmanagerial effectiveness In 2003, 49% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 70%. [...]... Operations Governance Bates Project Management, SEI-CMM, Enterprise Architecture, TeamPlay, SAP ITIL, CobiT, SAP COBIT, SAP Metrics & Rewards Development Co-responsibility for results with business (quality, risk, time, cost) Operations Co-responsibility for results with business (service, cost, problem management) Governance Accountability to executive committees (incidents, maturity, audits, initiative... ource agem ent ic eg ra t m e n t St n A lig Implementation Guide: Roles and Responsibilities Top-down Support Bottom-up Support Boards IT Strategy Comm CEOs Business Executives CIOs IT Steering Committee Technology Council IT Architecture Review Board Risk Councils 20 Implementation Guide: Framework Model Selection Matrix Specific TCO ITIL CMM COBIT IS /IT Relevance P.CMM General Six Sigma ISO 9000... Economy ò Governance improvements are structured as internal IS initiatives and compete for approval with business projects ò Scrutiny is also focused on the total expenditures on risk management activities Operations Support Methods & Tools Risk Management Security Disaster Recovery IS Governance Expenditures Formal Enterprise Risk Management Program COBIT, ISO 17799 COBIT, E & Y maturity framework. .. 24 30 IT Governance Global Status Report IT Investments Outcome 4.18 4.21 Achieve strategic goals 4.24 4.18 Produce relevant and pertinent information for the business Business-critical information is available when needed 4.06 4.17 Business-critical information is reliable 3.95 4.16 Business-critical information is accurate and complete 3.93 4.03 Business-critical information is compliant with applicable... Business-critical information is and remains confidential 25 2003 2005 IT Governance Global Status Report Communication from IT to the Business 41% 38% 14% 7% Never Sometimes Regularly 26 Always IT Governance Global Status Report IT Department’s Understanding of Business Users’ Needs 56% 36% 2% Not at all 6% Not really To some extent 27 To a large extent IT Governance Global Status Report Fit Between IT. .. Belief: “If you cannot measure it, you cannot manage it ò “Show me” culture, insistence on demonstrable results ò “We deliver on our commitments” 18 Measuring Progress—CMM ce r ma n P e rfo r e m e n t u Me a s How far we’ve come I.S Governance Assessment IT Governance Risk Management GLI Governance Maturity 5 Maturity Model Applied: CobiT 3 Management Guidelines 4 NonExistent Initial Repeatable Defined... risk 3.15 Outsourcing IT 1 2 3 29 4 5 IT Governance Global Status Report Effectiveness of IT Outsourcing, by Job Function General Management IT Management 31% 26% 20% 15% 11% Not at all effective 27% 19% 15% 13% Not very effective 11% Not sure 30 Somewhat effective Very effective IT Governance Global Status Report IT Governance Practices 90% Adequate business continuity and security measures taken 85%... Gartner Research, June 2003 21 High Product Set Implementation Guide: COBIT Free download at www.itgi.org 22 IT Governance Global Status Report Importance of IT for Overall Strategy Delivery 57% 52% 39% 30% 2003 2005 1% Not important at all 1% 3% Not very important 7% 10% Not sure Quite important Very important 23 IT Governance Global Status Report Frequency of IT on Board's Agenda 36% 22% 38% 37% 33% 25%... Strategy General Management IT Management 40% 41% 30% 28% 23% 19% 10% 4% 2% Very poor 2% Poor Average 28 Good Very good IT Governance Global Status Report Effectiveness of High-level Measures Better alignment of IT with strategy 3.93 Better management of IT resources 3.90 Better delivery of business value through IT 3.90 Better management of IT processes 3.87 Better measurement of IT performance 3.81 3.67... processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.) y IT Governance In 2003, 39% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance In 2005, 69% 11 Value Delivery The Focus The Focus Value delivery is ensured on business projects and operations through co-responsibility with . Portability and Accountability Act (US) Act (US) • • Sarbanes Sarbanes - - Oxley Act (US) Oxley Act (US) 8 IT Governance Defined “ IT governance IT governance. responsibilities for IT Roles and responsibilities for IT governance governance • • Implementation guidelines Implementation guidelines • • ITGI market