
Building Acceptance & Governance of Enterprise IT

Building Acceptance & Governance of Enterprise IT. ISACA Edmonton Chapter – March 8, 2012. AGENDA. The ‘Pitch’ Setting the stage Enterprise governance: Then and Now The Auditor General is our friend Progress in Alberta’s post-secondary sector Key concepts Implementation Discussion.


Presentation Transcript


  1. Building Acceptance & Governance of Enterprise IT

    ISACA Edmonton Chapter – March 8, 2012
  2. AGENDA
     - The ‘Pitch’
     - Setting the stage
     - Enterprise governance: Then and Now
     - The Auditor General is our friend
     - Progress in Alberta’s post-secondary sector
     - Key concepts
     - Implementation
     - Discussion
  3. Building Acceptance & Governance of Enterprise IT – The pitch
  4. To Begin… All organizations, public and private, large or small, are facing a paradigm shift with respect to the governance and management of information and related technology.
  5. Catch-22: a situation in which a desired outcome or solution is impossible to attain because of a set of inherently illogical rules or conditions; circular logic that prevents resolution of a problem; an unsolvable logical dilemma.
  6. Today’s Thesis (‘What’)
     - IT is a critical enabler of most organizations & requires a special governance focus
     - Effective governance & management of IT on an enterprise basis requires engagement of the Board of Directors & executive management
     - Most Boards/executive teams remain largely unaware of their responsibilities re: enterprise IT, the inherent risks or potential rewards, or the existence of relevant standards and best practices
  7. ‘So What’
     - IT investments are often not aligned with the organization’s strategic objectives
     - IT-related risks are not appropriately managed
     - The enterprise does not optimize the value of its investment in IT
  8. How Did We Get Here?
     - Talking to the wrong audiences: auditors, records managers, IT folks, risk managers
     - Pushing the ‘wrong’ message
     - Normal resistance to new roles/expectations
     - Implementation issues once we do get started
  9. About the Message: “Alberta Government needs to better identify and mitigate IT risks. Government departments as a whole need to do a better job identifying risks to their systems and data. Then they need to implement well-designed, efficient, and effective IT controls to mitigate these risks and provide secure services and programs to Albertans.” – Auditor General, April 2008
  10. Building Acceptance & Governance of Enterprise IT – Setting the stage
  11. In a Galaxy Far, Far Away (Really?)
     - Executives had no desktops
     - No discussion at Executive table re: IM/IT
     - No IT performance measures; little or no reporting
     - No IM framework
     - No enterprise IT steering committee
     - Major gaps in IT functionality
     - Ad hoc HR planning for IT
     - No IT business cases
     - No position description for CIO
     - No IT strategic plan; MANY IT projects
     - Acute dissatisfaction re: IT service levels
     - No discussion re: IT-related risks
     - IT projects with no ‘business’ owners
     - No IT-service continuity plan
     - No portfolio management
     - Inadequate end-user training
     - Rudimentary supplier management practices
  12. Do These Scenarios Sound Familiar?
     - Million-dollar projects, which may or may not match the company’s objectives, are awarded to business units headed by the squeakiest executives
     - Weak IT governance structures mean that business executives don’t have clear ideas of what they’re approving and why
     - The CIO ends up selling projects that should be generated and sold by line-of-business heads
     - The company doesn’t build good business cases for IT projects or it doesn’t do them at all
     - There are redundant projects(1)
     (1) Todd Datz, CIO Magazine, 2003
  13. New (and Old) Business Drivers for IT Governance
     - Rising expectations for organizational governance
     - Concern over generally increasing level of IT expenditure & demand for better return on IT investments
     - Regulatory requirements
     - Significance of selection of service provider & management of outsourcing to organizational effectiveness
     - Increasingly complex IM/IT risk
     - Need for assessment against standards and peer organizations
     - Growing maturity and acceptance of frameworks and standards
  14. Rx: IT Control Frameworks – “Implementing good IT governance is almost impossible without engaging an effective governance framework.” – ISACA 2009
  15. Benefits – Helps organizations:
     - Better align their IT activities to their business needs
     - Ensure that management understands IT’s role and relevance in the organization
     - Fulfill their responsibilities for a sound internal control environment & demonstrate progress to regulators, business partners & external stakeholders
     - Ensure that Boards/management can meet their quality, fiduciary & security requirements
     - Clarify ownership, responsibilities and accountabilities for information and related technology
  16. Alberta’s AG Weighs In… “We recommend that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective.” – April 2008 Auditor General’s Report
  17. Alberta PSS ITM Control Framework Program
     - Collaboratively develop a system-wide control framework for managing information and related technology
     - Common best practice controls that are modifiable, scalable and implementable
     - A shared content management system to enable ongoing collaboration and effectively manage the control life cycle
  18. Can’t We Just Implement CoBIT? (Diagram: an IM/IT Control Framework drawing on legislation, IM industry best practices, COBIT, BABOK, ISO, ITIL, PMBOK and TOGAF, arranged by scope of coverage along a HOW vs. WHAT axis. Source: ISACA & Alberta PSS ITM Control Framework Program)
  19. Alignment Map
  20. Governance & Management Policy: The Institution manages its information and related technology assets and services through effective governance structures and processes that provide leadership, accountability and transparency and engage key stakeholders to support the achievement of positive outcomes and facilitate strategic oversight and decision making.
  21. Controls (Diagram: WHAT needs to be controlled – COBIT, legislation, ITIL, ISO – together with examples from client or other organizations & best practices; HOW it is controlled – the project deliverables: structures, standards, procedures, guidelines)
  22. Controls Summary
  23. Building Acceptance & Governance of Enterprise IT Key Concepts
  24. Integrated Governance Structure
  25. High-level Roles & Responsibilities
  26. More about Boards – Have a fiduciary(1) responsibility to ensure the organization’s information resources and related technology are managed to support and enable the organization’s strategic plan.
     (1) Specifically, a legal or ethical relationship of confidence or trust regarding the management of money or property
  27. How Do They Do This?
     - Making sure information and IT are on the Board agenda
     - Asking the right questions about management’s activities
     - Helping management align IT initiatives with the institution’s strategic direction
     - Ensuring it understands the potential impact of information and IT-related risk
     - Requiring that IT performance be measured and reported through a balanced scorecard or similar mechanism
     - Requiring that the organization implement an ITM control framework
     - Monitoring the contribution of ITM to the institution
  28. Key CIO Responsibilities
     - Work with Executive Committee to obtain a clear understanding of the institution’s strategic and business objectives
     - Create a vision for information management and technology in the future and sell it
     - Implement information systems architecture that supports the institution’s comprehensive business plan
     - Establish credibility of the IT Management Department
     - Work with business units through the IT Steering Committee to establish standards and service levels
     - Ensure these are met or exceeded
     - Increase the technical maturity of the organization
  29. Not Your Father’s CIO – “One of the primary differences between today's CIOs and the previous generation of IT leaders is the idea of transformational change. Thirty years ago, nobody seriously believed that IT would be called upon to lead enormous transformational efforts affecting every aspect of a global enterprise. Today, in addition to making sure that IT runs smoothly, the CIO is expected to provide strategic leadership and high-level guidance. That is a big difference indeed.” – The Practical CIO: A Common Sense Guide for Successful IT Leadership, Jose Carlos Eiras
  30. Lifecycle Management of IT Controls
     - Organization needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
     - Comprehensive procedure required for:
       - Identifying externally generated requirements in a timely manner
       - Identifying internally generated requirements
       - Escalating and resolving issues identified through implementation/operation of the IT Control Framework
     - Framework needs to be regularly reviewed: internal audit; periodic 3rd party reviews
     - Provide for approved and documented exceptions to compliance with controls
  31. Strategic Alignment (4)
     - Strategic IT Plan is an integral element of the organization’s strategic plan… not an afterthought!
     - Clearly articulated organization mission, vision and priorities
     - Planning is considered important and closely linked to organization budget
     - Strategic IT plan is published
     - Formal communication strategy specific to IT stakeholders developed
     - Performance is measured using an IT Balanced Scorecard
     - IT investments should be managed across the organization in portfolios
  32. Risk Management
     - ITM risk is business risk
     - ITM risk always exists, whether it is detected or recognized
     - Management of IT-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
     - Who should be involved?
       - Board members and senior executives who need to set direction & monitor risk at the enterprise level
       - Managers of IT and business departments who define risk management processes
       - Risk management professionals
       - External stakeholders
  33. Risk Management Principles
     - IT risk management always connects to business objectives; focus is on the business outcome
     - IT risk governance aligns the management of IT-related risk with overall ERM
     - IT governance should balance the costs and benefits of managing IT risk
     - There should be open communication regarding IT risk
     - Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
     - IT risk management is continuously improved
  34. Financial Management
     - Institution must establish a financial management framework for information and related technology
     - Approved by the IT Steering Committee
     - CIO responsible for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
     - Should be formally evaluated based on schedule determined by IT Steering Committee
     - Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
  35. What is Service Mgmt.? “Service management is a set of specialized organizational capabilities for providing value to customers in the form of services(1). These capabilities take the form of functions and processes for managing services over their lifecycle.”
     (1) ITIL, Office of Government Commerce, 2007
  36. Service Lifecycle
     - Envisioning & conceptualizing the set of services required to achieve business objectives
     - Evaluating services & identifying ways to improve their utility & warranty in support of business objectives
     - Managing services to ensure utility & warranty objectives are achieved
     - Designing the services to meet utility & warranty objectives
     - Moving services into live production
  37. Human Resources Management
     - Processes for the management of IT human resources are an essential part of an IT Control Framework
     - CIO (not HR) is responsible for ensuring the institution has an IT workforce with the skills necessary to achieve organizational and IT goals
     - Main tasks:
       - Define, monitor and supervise execution of IT roles & responsibilities
       - Provide appropriate and sufficient training (technical, internal control and security)
       - Minimize dependency on key staff
       - Ensure compliance with organizational policies
       - Report to the IT Steering Committee on key issues
  38. Building Acceptance & Governance of Enterprise IT – Implementation
  39. IT Control Framework – Implementation Lifecycle: use of maturity models
  40. Implementation Challenges
  41. Critical Success Factors
     - Identify a champion
     - Shared understanding and vision
     - Not implementing CoBIT, but improvements to how it governs & manages the IT contribution to the enterprise
     - Tailor to fit the organization
     - Use the CoBIT umbrella but incorporate other standards as required
     - Ensure IT governance is integrated with enterprise governance
     - Stay focused
     - It’s a journey, not a destination
     - Recognize and celebrate progress