Corporate Governance of Information Technology

Mark Toomey

Managing Director Infonomics Pty Ltd

Chair, Standards Australia Committee IT-030

Member, ISO/IEC JTC-1 SC-7 WG1A


Use of this slideshow and copies thereof for the purpose of group knowledge transfer is restricted to personnel expressly approved by Infonomics and is subject to payment of a license fee. This material was prepared to provide general guidance and stimulate debate. It should not be construed as providing professional advice and services for any particular or specific situation. As such, it should not be used as a substitute for consultation with expert advisers. Before making any decision or taking any action you should consult with Infonomics Pty Ltd or other competent professionals.

This PowerPoint slideshow is provided to ACS members attending the Education Across the Nation series on Governance of IT, during 2009. The slideshow is provided for the personal use of ACS members during and after the lecture, for the purpose of their own self-development, and for the purpose of facilitating conversations with their colleagues, including top level management and directors. Permission is hereby given for participants in the Education Across the Nation series on Governance of IT to copy this material for these purposes only. The Education Across the Nation series on Governance of IT does not necessarily equip its participants with the in-depth knowledge required to enable the participants to act as instructors for classroom delivery of the material.


ISO 38500: First Glance
Australian guidance leads the world…


ISO 38500: First Glance
A Model, and Six Principles

[Diagram: the ISO 38500 model. Corporate Governance, between Business Pressures and Business Needs, evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

Six principles:

  • Responsibility;

  • Strategy;

  • Acquisition;

  • Performance;

  • Conformance;

  • Human Behaviour.

Why do we need a standard?


Why do we need a standard?
IT keeps going wrong:

[Slide images dated July 2003, June 2004, October 2005 and July 2006.]


Why do we need a standard?
The names and stories keep rolling on…

2008. British Gas sued Accenture for £182 million. A failed billing system project resulted in the loss of a million customers and required 2,500 additional staff for two years.

2007. British Sky Broadcasting sued EDS for £709 million, following failure of its Customer Relationship Management (CRM) initiative. BSkyB claims it has lost significant anticipated benefits.

IT crash hits Virgin Blue: April 17, 2008

St George admits to security flaw. March 25, 2008

[Slide image labels: Late; Cancelled.]


Why do we need a standard?
Investigations reveal the true cause of problems!

Change Governance Problem on a Massive Scale.

In the case of the ICS, there does not appear to have been an effective structure or process to direct and control the project, nor to make suitable risk decisions.

To fulfil this task, Customs has had at least 10 bodies responsible for different aspects of the management and governance of the ICS, including the interactions with industry…

These bodies overlap in their responsibilities and accountabilities, and overall the program has no single business owner and accountabilities for its delivery are unclear.

We have been unable to locate a clear and quantified set of outcomes and benefits expected from the introduction of the ICS.

Some changes have been the cause of severe disruptions and reduced process efficiency.

Source: The Australian IT (online) and Booz Allen Hamilton Report “Review of the Integrated Cargo System”.


Why do we need a standard?
The problem is not in the process!

The Gimli Glider. See

http://www.casa.gov.au/wcmswr/_assets/main/fsa/2003/jul/22-27.pdf


Why do we need a standard?
The Cost of IT Failures

  • In Australia alone:

    • Failed Projects: $1.5b + per annum*

    • Foregone Benefits: $20b per annum*

    • Operational Losses: $Incalculable

    • Reputation damage: $Incalculable.

  • But isn’t this the tip of the iceberg?

    • Competitors respond

    • Predators descend

    • Regulators investigate

    • Lawyers litigate

  • Today’s IT failure can have a serious impact on the bottom line, and in the boardroom.

* Dr R C Young: What is the ROI for Project Governance? Macquarie University, November 2006.

1% – 3% GDP!


But we’ve already done IT Governance!
Effort within IT has not solved the problem!

  • Investment ensures that IT is doing its job competently

    • Rigour

    • Process

    • Control

    • Reporting

  • But it’s not just in IT that problems develop:

    • Use of IT in achieving business goals involves business change

      • Process

      • People

      • Structure

      • Context

    • And necessarily requires that business leaders engage fully:

      • Being responsible

      • Setting direction

      • Planning and implementing

[Diagram: the “kettle”. Inside, on the supply (Delivery) side: ITIL, Prince2, CoBIT, CMMI, PMBOK, TOGAF, etc. Polishing INSIDE the Kettle improves supply… but does not fully address the problem of use! On the Use side, many issues arise – outside IT’s sphere of control.]

Governance of IT has to deal with how organisations USE IT as well as with how IT departments operate.


The pressure for Board Oversight:
KPMG Global IT Project Management Survey (Sep 05)

  • Traditional measures of success (time and budget) are being superseded:

    • “Achieving benefits – keeping commitments – is now the key determinant of project success.”

  • Since 2003, performance of projects has improved marginally:

    • Failure rates are still appalling;

    • Many organisations do not focus on realising or measuring benefits.

  • “The key element (that makes some organisations more successful) appears to be an appropriate governance framework – to complement planning and prioritisation of activities and to help ensure execution controls are in place until benefits are realised.”

  • “The board must put in place, through management, a rigorous oversight framework to monitor achievement of budgets, the meeting of timelines and to help ensure that the agreed benefits are realised. To achieve this, the board must receive the right information at the right time”.

Those responsible at the top of the organisation must govern…


Understanding Corporate Governance of IT:
Four key concepts

  • Corporate Governance

  • Business Systems and Change

  • The Business Cycle: Demand and Supply

  • The System for Governing IT


Corporate Governance:
Fundamentals…

Definition from “Report of the Committee on the Financial Aspects of Corporate Governance” (Chair: Sir Adrian Cadbury), London, 1992:

Corporate Governance: The System by which entities are directed and controlled. (Cadbury)

[Diagram: three layers. Ownership: “Appoint the Directors”. Governance: “Protect owners’ interests”; Direct, Monitor, Establish Strategy. Management: “Develop business capabilities”, “Run business operations”.]

Adapted from “Corporate Governance – A Working Definition”, Teresa Barger, Director IFC/World Bank Corporate Governance Department


Corporate Governance:
Fundamentals…

[Diagram: the Ownership, Governance and Management layers (“Appoint the Directors”; “Protect owners’ interests”: Direct, Monitor, Establish Strategy; “Develop business capabilities”, “Run business operations”) compared across Micro Business, SME Business, Large Business and Government Agency. Labels: Seamless participation in all 3 levels; Owner/Directors; Share-holders; Electors; Government or Board; Elected directors; Low discretion management; High discretion management.]


Corporate Governance:
The Information (IT) domain.

[Diagram: the ISO 38500 model. Corporate Governance, between Business Pressures and Business Needs, evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

[Diagram: Governance Domains and Systems. Corporate Governance has visibility and control over the assets under Management Responsibility: Human assets, Physical assets, IP assets, Information (IT) assets, Relationship assets and Financial assets.]


Corporate Governance of IT.

Corporate Governance of IT: The System by which the current and future use of IT is directed and controlled.

[Diagram: the ISO 38500 model. Corporate Governance, between Business Pressures and Business Needs, evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

[Diagram: Governance Domains and Systems. Corporate Governance has visibility and control over the assets under Management Responsibility: Human assets, Physical assets, IP assets, Information (IT) assets, Relationship assets and Financial assets.]


Business Systems and Change

  • Operating context of the organisation

    • External

    • Internal.

  • Four key elements of operating organisations

    • People – who participate in business events

    • Process – what business events take place

    • Structure – where business events happen

    • Technology – enabling and recording events

  • IT intrinsic to day to day operations

    • Business process specific - Transactions, Customers, Etc

    • Generic - Email, Telephony, Information

  • When IT fails, whole organisations and extended organisations stop

    • Citylink Melbourne, Tuesday 20 Sept 2006

[Diagram: the Business System (People, Process, Structure, Technology) within the Business Context.]

This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965.


Business Systems and Change

[Diagram: a “Traditional” IT Change Project. A Change Program transforms the Business System (People, Process, Structure, Technology) within its Business Context into a Changed Business System (Changed People, Changed Process, Changed Structure, Changed Technology) within a Changed Business Context.]

  • Change Program

  • Business System

    • Process

    • Technology

    • Structure

    • People

  • Business Context

    • Process

    • Technology

    • Structure

    • People

  • Implementing IT enabled change involves attention to every facet of business models and practices

    • Internal and external factors

  • IT is now a fundamental enabler of change and is leading to new business models and new business practices

    • Eg e-Government

  • Governing IT Enabled Change involves much more than governing technology activities.


The Business Cycle:
Demand and Supply

[Diagram: the Plan, Build, Run cycle. Current Use: Run the Business. Future Use: Plan the Business; Build the Business.]

The Business Cycle:
Demand and Supply

[Diagram: The System of Management. Business Domain (How IT is used to enable and operate the business): Strategic Business Future; Ongoing business operations; Current Use: Run the Business; Future Use: Plan the Business and Build the Business; ValIT. Demand flows from the Business Domain to the IT Domain, and Supply flows back. IT Domain (How IT is managed and delivered): Effective IT enabled change; Reliable IT Service; ITIL, ISO 20000, ISO 27000, CoBiT etc.]

The System for Governing IT:
An integrated system overseen by the Board

[Diagram: The System of Management, as on the Business Cycle slide: the Business Domain (How IT is used to enable and operate the business; Strategic Business Future; Ongoing business operations; ValIT) and the IT Domain (How IT is managed and delivered; Effective IT enabled change; Reliable IT Service; ITIL, ISO 20000, ISO 27000, CoBiT etc.), linked by Demand and Supply.]

The System for Governing IT:
An integrated system overseen by the Board

[Diagram: The System of Governance wraps The System of Management. Board oversight (ISO 38500): Corporate Governance Oversight issues Rules, Direction and Behaviour, and receives Performance and Conformance. Management Responsibility covers the Business Domain (How IT is used to enable and operate the business; Strategic Business Future; Ongoing business operations; ValIT) and the IT Domain (How IT is managed and delivered; Effective IT enabled change; Reliable IT Service; ITIL, ISO 20000, ISO 27000, CoBiT etc.), linked by Demand and Supply.]

The System of Governance
Inside the System

[Diagram: the Plan, Build and Run stages of the system: Vision, Strategy, Plans, Portfolio, Enterprise Architecture, Program, Information Security, Initiatives, Asset, Project and Operation.]

Adapted from a model developed by John Thorp, author of The Information Paradox.

The System of Governance
The System Perspective

[Diagram: the same Vision-to-Operation model viewed by level of responsibility. Corporate Governance: Evaluate, Direct and Monitor (Vision). Top Management: Plan, Supervise and Realise (Strategy, Plans, Portfolio, Enterprise Architecture, Program, Information Security, Initiatives, Asset, Project). Line Management: Implement and Operate (Operation).]

Adapted from a model developed by John Thorp, author of The Information Paradox.

ISO/IEC 38500
Core Elements

Evaluate

[Diagram: the ISO 38500 model with Evaluate highlighted. Corporate Governance evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects. Labels: Supply; Governance.]

Proposals: plans and suggestions

  • Vision

  • Strategy

  • Detailed plans

  • Initiatives

  • Projects (and changes thereto)

  • BAU Operations (the oft-forgotten default)

Current and future use of IT

Direct

[Diagram: the ISO 38500 model with Direct highlighted. Corporate Governance evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

  • Policy to guide management decisions.

  • Strategy to establish focus and direction.

  • Progressive allocation of resources.

  • Clear delegation of authority.

  • Appropriate incentives and rewards.

Monitor

[Diagram: the ISO 38500 model with Monitor highlighted. Corporate Governance evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

  • Achieving intended results

    • And taking action if they are at risk

  • Assuring conformance

    • External and internal

  • Making adjustments for reality

  • Ensuring that management is doing its job properly.

  • Ensuring that the governance system is effective.

Six principles for good governance of IT

[Diagram: the ISO 38500 model. Corporate Governance, between Business Pressures and Business Needs, evaluates Proposals, directs through Plans and Policies, and monitors the Performance and Conformance of Corporate Management, IT Operations and IT Projects.]

  • Responsibility

  • Strategy

  • Acquisition

  • Performance

  • Conformance

  • Human Behaviour

Using ISO 38500


Using ISO 38500
Guide for assessment and improvement

  • What does each cell mean?

  • How do you perform?

  • What should you seek to improve?

  • What consequences of improvement should you seek?


Using ISO 38500
Benchmarking and comparing performance

  • Human Communities:

    • Who are they?

    • How do they behave?

    • What do they need?

    • What motivates them?

[Table header: Principles: Responsibility, Strategy, Acquisition, Performance, Conformance, Human Behaviour.]

RMIT and Infonomics research 2006-7. Published in “Achieving Business Sustainability” (Infonomics), and “Information Technology Entrepreneurship and Innovation”, edited by Fang Zhao, published by IGI Global, 2008.


Using ISO 38500
Learning through evaluating patterns

Focusing on today - Insufficient attention given to the future?

I know nothing about the IT in my organisation…

IT not adequately integrated in corporate strategic thinking?

RMIT and Infonomics research 2006-7.


A Typical Assessment Result
Poor performance in critical areas.

[Chart: Overall Corporate Governance of ICT, scored on a scale of 1 to 6. Planning 2.4; Responsibility 2.7; Acquire 3; Human Factors 3; Conform 2.9; Perform 2.9.]

  • Responsibility: there is neither clear nor appropriate allocation of responsibility for IT.

  • Strategy: there is no effective planning for IT in the context of business strategy and direction.

  • Acquisition: decisions to invest in new IT capability are not made in an appropriate framework.

  • Performance: demand for IT service is unlikely to be met.

  • Conformance: the rules for IT are inadequate.

  • Human Behaviour: human issues are given scant attention in IT planning and delivery.


Using ISO 38500
Closing the gaps in contemporary techniques

[Diagram: contemporary techniques (CobiT, ITIL, Prince2, PMBOK, Gateway, ValIT) mapped against the People, Process, Structure and Technology elements, and against “Control & Direct the Business” and “Control and Direct use of IT”.]

Using ISO 38500
Developing Policy for control of IT

Your ISO 38500 Framework

  • Strategic Policies

    • Your posture relative to Principles

    • Board role: consultation and approval

  • Operating policies

    • Specify how projects and operations are conducted

    • Board role: awareness

  • Usage policies

    • Rules for how people use the business systems and technology resources

    • Board role: part of user community.


Responsibility
The Crucial Strategic Policy

  • How is responsibility allocated for:

    • Allocating responsibility?

    • Developing business strategy and planning business use of (demand for) IT?

    • Developing strategies for supply and delivery of IT capability and service?

    • Making decisions to invest in IT?

    • Determining targets and measuring business and IT performance?

    • Ensuring that IT investment initiatives achieve agreed, appropriate success criteria?

    • Ensuring that business demand for operational supply of IT service is satisfied efficiently and effectively?

    • Understanding conformance requirements, establishing effective conformance rules, and assuring conformance?

    • Understanding and ensuring respect for human behaviours?

  • What are the responsibilities of each individual in respect of IT demand and supply?


Using the Standard
Fundamental Rules

  • Change Management Rule 0 – Engage the right sponsor and involve the right people.

  • Change Management Rule 1 – Communicate, Communicate, Communicate.

  • Change Management Rule 2 – Measure, adjust, measure.

  • Change Management Rule 3 – Start with the fundamentals.

  • Change Management Rule 4 – Small steps, with clear objectives.

  • Change Management Rule 5 – Keep communicating; keep measuring; keep improving.


Self Assessment

When and how

Branch feedback

Information Age Article


Additional Material


Questions


What do you have to lose?

Seize the opportunity!

ISO/IEC 38500.

Thank you.

[email protected]


Additional Material



Responsibility

Who is responsible for what when it comes to current and future use of IT?

Does everybody understand their responsibility?

Do those with responsibility deliver?

If IT is responsible for supply, who is responsible for demand?

And who is responsible for results?



Strategy (Planning)

Planning IT use (demand and supply) to best serve the organisation.

Who should determine the organisation’s strategy for USE of IT?

How are business strategy and IT strategy related?

How is strategy enacted?

Includes key planning disciplines: Portfolio, Project, Architecture.



Acquisition

Decisions to invest in IT

Decisions to continue existing IT initiatives

Decisions to continue using operational IT

Decisions on sourcing of IT capabilities

Decisions on selection of technologies



Performance

Current performance

Operational objectives

Investment objectives

Future performance

Running the business

Delivering capability

Stable base for change

Implementing change

Wide scope

Systems and infrastructure

People

Management systems



Conformance

Understanding the rules

Formulating the rules

Communicating the rules

Enforcing the rules

Identifying and sanctioning non-conformance



Human Behaviour

Response to change

Response to pressure

Professional pride

Fear of discovery and consequences

Dedication and commitment

Partial disclosure

Good news



Key messages in the standard

Directors should govern the use of Information Technology;

Governance and Management are separate concepts;

The standard is applicable to every organisation;

The people who should most use the standard are the managers;

Good governance of IT is a desirable attribute for stakeholders;

Behaviour is key;

Implementation is the responsibility of each organisation.



Directors should govern the use of Information Technology.

Delegate their responsibility as appropriate.

Define intended use of IT in business strategy.

Establish policy to guide management decisions.

Monitor conformance and performance of strategy and policy.

Enforce discipline of control and supervision.

Obtain independent advice as and when necessary.



Governance and Management are separate concepts.

Management is what managers do.

Governance is oversight of management.

Much of what is called “IT Governance” is actually IT Management.

Giving IT Management a new name does not make it more effective.



The standard is applicable to every organisation.

Private and public (government)

Small, medium and large

Listed and unlisted

For-profit and Not-for-profit

Scalable – no prescription of process or structure

Every organisation needs to determine how to adopt.



The people who should most use the standard are the managers.

Managers advise and support directors.

Managers provide information to directors and implement the direction given by directors.

Managers are the originators of most board decisions including strategy and systems of control.

Managers act on behalf of directors to perform some governance tasks under the board’s delegated authority.



Good governance of IT is a desirable attribute for stakeholders.

Better strategic use of IT -> better corporate performance

Fewer failures of projects -> better return on investment

Higher reliability in operations -> premium for perceived quality



Behaviour is key.

Behaviour of the organisation

Behaviour of its managers

Doing the right things in respect of decisions about current and future use of IT

Business stepping up to its role in controlling demand

IT limiting itself to the role of supply

Business leaders taking true accountability for business outcomes.



Implementation is the responsibility of each organisation.

No specific implementation requirements -> no straitjackets.

Governance is a system – people, process, structure and technology.

Many frameworks are available – choose what’s best for you.

Build on what you have – assess and improve – don’t just start from scratch.

