1 / 14

IT GOVERNANCE FRAMEWORK

IT GOVERNANCE FRAMEWORK. Mark Makepeace Mike Thorn Director Audit Director Business Standards & Improvement Group Internal Audit Business Information Systems 27 January 2005. Agenda. Where we were Why we needed to change Where we are now

vera
Download Presentation

IT GOVERNANCE FRAMEWORK

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT GOVERNANCE FRAMEWORK Mark Makepeace Mike Thorn Director Audit Director Business Standards & Improvement Group Internal Audit Business Information Systems 27 January 2005

  2. Agenda • Where we were • Why we needed to change • Where we are now • How we got there and what we got from it • Where next • Lessons Learned

  3. Definitions of IT Governance BIS takes its definitions of governance from those supplied by the IT Governance Institute (ITGI) ‘A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.’

  4. Where we were • Organisational governance structure • Cascaded objectives • Turnbull reporting • IT “bricks” (RAG status) • Benchmarking for IT services • Balanced Scorecard and supporting MI • Internal Audit assurance

  5. Why we needed to change • FSA regulated company and Stock Exchange Listed • Demonstrable framework to satisfy External Audit and FSA supervision regime • Credibility issue of internal framework versus industry standard • Publication of ITGI Board Briefing on IT governance • Share common understanding with IA of IT processes and risks to improve control and risk framework

  6. Regulatory timeline

  7. Where we are now • Governance roles and responsibilities wheel: identifies what, how and who • IT balanced scorecard: reports on IT capability and performance • CobiT Heat Map: identifies priority processes for risk management and improvement investment • MI Reporting Flow: reports on aspects of IT to top level within organisation to ensure no surprises

  8. IA IT How we got there Using IA’s strong relationship with IT senior management • Facilitate corporate and IT governance initiatives • Selling benefits of joint approach • External credibility of existing IT bricks • De-mystify regulatory “jargon” • Commitment of time and resources in “trusted” environment

  9. Adopting CobiT - 1 Assessment of process Current and Goal maturity ratings CobiT management guidelines Cobit processes v L&G Bricks mapping CobiT Control Objectives FSA inherent risk assessmentCobiT framework Initial Heat Map published 2002 Process ownership assigned IT Balanced scorecard aligned CobiT framework CobiT processes aligned to IT objectives CobiT control objectives Note: internal audit involvement;CobiT module referenced

  10. Adopting CobiT - 2 Half-yearly process Current and Goal maturity ratings assessment CobiT management guidelines Moved to process based risk management CobiT framework Governance database developed CobiT Control objectives 2003 / 2004 Governance Management Committee formed Half-yearly Heat Maps published CobiT framework Note: internal audit involvement;CobiT module referenced

  11. Based on CobiT Guidelines covering risk controls • Include the 5 IT Governance Focus Areas • Number of duplicate risks – variations on a theme • Consolidate risks & underlying data • Monthly balanced scorecard reporting focuses on risk • Realign to the 5 IT governance focus areas • Implementation of Governance Database • Monthly MI easily produced Where Next - IT Governance Existing Process Process Improvement

  12. Lessons Learned - 1 • In our view of FS sector, homegrown governance framework not sufficiently credible • Essential to obtain and sustain senior management sponsorship across all relevant parties • Organisation and existing management structure has finite capacity for change

  13. Lessons Learned - 2 • Implementation should be planned around existing capability • Do not underestimate volume of work or difficulty of getting buy-in from business owners of IT processes i.e. manage facilities • Maintain regular communication to keep topic “alive”

  14. Questions?

More Related