Charlotte ISACA Chapter

The Next Evolution of IT Governance

September 17, 2013

Dan Manley, Managing Director


1 © 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The Next Evolution of IT Governance

IT Governance continues to evolve in parallel with:

• Technology innovation, inclusive of the consequences that result (i.e., new threats)
• Changing business models
• Dynamic regulatory environment

Historical View (Execution)
• CEO
• CFO
• CIO

Recent Norm (Integration)
• Security
• IT Change Management
• Architecture

Emerging Trend (Transparency)
• Portfolio Management
• Vendor Management
• Risk & Compliance


Business Drivers
Include financial, non-financial and regulatory considerations

Legal and Regulatory Obligations
• HIPAA and HITECH
• GLBA and FFIEC
• PCI-DSS
• Sarbanes-Oxley
• FISMA
• FTC Enforcements
• FIPS
• Others…

Market and Operational Considerations
• Dynamic business models
  – M&A, divestiture and consolidation
  – Distributed Operations
  – Remote / Mobile Workforce
  – Increased scrutiny
  – Decreasing budgets
• Increasing Consumer Expectations
  – Services
  – Availability
  – Privacy
• Evolving threats (e.g., cybercrime)


Defining IT Governance
There are many definitions, but consistent themes throughout

IT Governance is a process for managing and controlling the use of technology to create value for the organization. Effective IT Governance improves IT quality, which affects every business process in the organization.
- AMR Research

An integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.
- IT Governance Institute

Structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
- ISACA

The assignment of decision rights and the accountability framework to encourage desirable behavior in the use of IT.
- Peter Weill and Marianne Broadbent, MIT Sloan School of Business


Defining IT Governance
A simple and straightforward definition

The ability to sponsor, make and enforce the right IT decisions

What is the source of leadership? How will progress to desired outcomes be promoted or evangelized?

What are our core beliefs? What are the policies by which we must abide?

How are decisions made? Who plays what role? What processes are used?

What accountabilities and authorities exist? What is measured and by whom? What incentive system is used? How is non-compliance addressed? How are justified exceptions considered?


Defining IT Governance
Components include principles, structure, processes and accountabilities

IT Governance components include principles, structures, processes, and accountability mechanisms employed to guide IT efforts and decision making toward achieving organizational objectives.

IT Governance Principles: What are the core beliefs and assumptions?
• Statements of belief that are the foundation for directing decision making
• Include policies, standards and guidelines

Structure: How are we organized?
• Governing bodies
• Reporting structures
• Operating charters

Processes: How are decisions made?
• Key types of decisions
• Key inputs and outputs, and who supplies and receives input
• Decision processes
• Appeals mechanisms
• Communications

Accountability: Who makes decisions and how are they enforced?
• Roles and responsibilities for IT and business stakeholders
• Performance management and incentives
• Performance reporting


Defining IT Governance
A sample of the many frameworks and guides that address components of IT governance.

• ISO 38500: ISO's IT Governance Framework for Board and C-level executives and decisions.
• COBIT 4.1: ISACA's Control Objectives for IT. Relevant to audit of IT management and operations related to financials.
• VAL IT 2.0: ISACA's framework for the governance of IT investments. Principles and processes are used for IT portfolio management.
• Balanced Scorecard: Strategic Management System developed by Kaplan/Norton. Involves joint strategy development and performance metrics.
• Applied Information Economics: Uses value ranges & probabilities to rank investments within an IT system/application portfolio.
• Earned Value Management: A way of comparing what work is completed against time & budget. Used at NASA and all Federal government agencies on external projects.
• ITIL: A set of concepts and practices for IT service management, development and operations. Provides comprehensive checklists, tasks and procedures.
• PMBOK: PMI's Project Management Body of Knowledge. A tactical guide for planning and executing projects.
• Prince2: A structured, process-driven approach to project management (not just for IT).
• FISMA: A framework for managing information security that must be followed for all information systems used or operated by or on behalf of a U.S. federal government agency.
• Total Quality Management: Seeks to put quality awareness in all organizational processes. Focus is on satisfaction, continuous improvement and long-term results.
• Six Sigma: A business management strategy which seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors).
• Lean IT: Principles whose central concern, applied in the context of IT, is the elimination of waste, where waste is work that adds no value to a product or service.
• ISO 20000: Promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements. Complements ITIL and COBIT.
• RISK IT: ISACA's framework to assist enterprises to identify, govern and manage IT-related risks.
• ISACA's IT Governance: Two guides which provide guidance over the implementation and continuing improvement of IT governance.


Benefits of IT Governance
It's about more than just control

Managing / Controlling
• Improved accountability over IT
• More transparency of risk, return and performance for IT decision-making
• Efficient management of IT processes and resources
• Encourages desired behaviors in the use of IT

Value
• Better alignment of business and IT goals
• Increased buy-in from executives for IT direction and investments
• Improved business value of IT
• Enables higher levels of IT service and enterprise performance


Typical IT Governance Pain Points
The need for improved IT governance can manifest itself in many ways

Poor Investment Management
• Increasing costs
• Lack of business value of IT (real or perceived)
• Hidden or rogue IT spending

Performance Issues
• Failing initiatives – over budget, behind schedule or not meeting objectives
• Significant incidents related to IT risk, such as data loss or network outages
• Failure to meet regulatory or contractual requirements
• Limited IT innovation and business agility
• Business dissatisfaction or a reluctance to engage with IT

Ineffective Use of Resources
• Duplication or overlap between initiatives or wasting of resources
• Insufficient IT resources, staff with inadequate skills, staff burnout, or dissatisfaction
• Vendor service delivery problems, such as agreed service levels consistently not being met


Potential IT Governance Models

Centralized: Structure and standards are developed at corporate and directed down to operating locations. Enables consistent process and conformity.

Hybrid: Structure and parameters are developed collaboratively and followed by operating locations, where relevant. Operating locations are able to act independently so long as decisions follow the outlined parameters and drive toward a common vision.

De-Centralized: Structure and guidelines are developed independently at corporate and at each operating location. Characterized by inconsistent processes and procedures; restricts the organization's ability to realize a common vision.


IT Governance Models
Not one-size-fits-all, but benefited by a balanced approach

Centralized
• Scale economies
• Control of standards
• Critical mass of skills
• Enterprise priorities over divisional priorities
• Some divisional needs unmet
• No divisional control of central overhead costs
• No divisional ownership of systems

Federated
• Balance of IT priorities
• Enterprise perspective
• Pooling of divisionally responsive competencies

Decentralized
• Responsive to divisional needs
• Reinvention of wheels
• Inconsistent competence and quality across the enterprise
• Missed synergies and scale economies
• Excessive overall costs to the enterprise


IT Decision Rights
Governance benefits many aspects of IT decision-making

Strategic
• IT Strategy
• IT Governance
• IT Technology Direction
• IT Investment & Portfolio Prioritization
• IT Methods and Frameworks
• IT Policies
• IT & Information Architecture

Operational
• IT Program Management
• Managing, Monitoring and Evaluating SLAs
• IT Application Management
• IT Infrastructure Management
• IT Security
• Procurement & Contracts
• IT Compliance


RACI Charting
A valuable governance tool for defining stakeholder roles

RACI charting is a process of systematically assigning the role that stakeholder groups play in major activities and decisions. In addition to assigning accountability, it aims to reduce duplication of efforts, encourage teamwork, and improve communication.

RACI Defined

• R (Responsible): The individual(s) who actually complete the task, the doer. This person is responsible for action/implementation. Responsibility can be shared. The degree of responsibility is determined by the individual with the "A".
• A (Accountable): The individual who is ultimately responsible. Includes yes or no authority and veto power. Only one "A" can be assigned to a function.
• C (Consulted): The individual(s) to be consulted prior to a final decision or action. This incorporates two-way communication.
• I (Informed): The individual(s) who needs to be informed after a decision or action is taken. This includes one-way communication.
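As an added example (not from the deck), a small Python check that applies the RACI rules stated above to a constructed chart: exactly one "A" per activity, at least one "R", and only the four valid letters; it also lists stakeholders who end up holding no valid role. The activity names, stakeholder names and cell values are made up for the illustration.

```python
"""Validate a RACI chart against the rules on the slide.
Added example; the chart below is constructed sample data."""
from collections import Counter

VALID = {"R", "A", "C", "I"}

# Constructed sample chart: activity -> {stakeholder: letters}.
# A cell may carry more than one letter, e.g. "A/R" when the accountable
# party also does the work. Three of the four rows deliberately break a rule.
SAMPLE_CHART = {
    "Approve IT security policy": {
        "CIO": "A", "CISO": "R", "Legal Liaison": "C", "IT Audit": "I",
    },
    "Renew vendor contracts": {            # two "A"s: ownership is ambiguous
        "CIO": "A", "Procurement": "R", "IT CFO": "A", "Legal Liaison": "C",
    },
    "Patch production servers": {          # nobody is accountable
        "Infrastructure": "R", "CISO": "C", "Business Unit CIOs": "I",
    },
    "Publish quarterly risk scorecard": {  # "X" is not a RACI letter
        "IT Risk Executive": "A/R", "CIO": "I", "Director of IT Audit": "X",
    },
}


def parse_cell(cell):
    """Split a cell such as 'A/R' or 'a, r' into a set of upper-case letters."""
    parts = cell.replace(",", "/").split("/")
    return {p.strip().upper() for p in parts if p.strip()}


def validate_raci(chart):
    """Return {activity: [issue, ...]} for activities that break a RACI rule.
    Activities with no issues are absent from the result."""
    findings = {}
    for activity, row in chart.items():
        issues = []
        counts = Counter()
        for stakeholder, cell in row.items():
            letters = parse_cell(cell)
            bad = letters - VALID
            if bad:
                issues.append(f"{stakeholder}: invalid letter(s) {sorted(bad)}")
            counts.update(letters & VALID)
        if counts["A"] == 0:
            issues.append("no Accountable party assigned")
        elif counts["A"] > 1:
            issues.append(f"{counts['A']} Accountable parties; only one 'A' is allowed")
        if counts["R"] == 0:
            issues.append("no Responsible party assigned (nobody does the work)")
        if issues:
            findings[activity] = issues
    return findings


def unassigned_stakeholders(chart):
    """Stakeholders listed in the chart who hold no valid role on any activity."""
    seen, assigned = set(), set()
    for row in chart.values():
        for stakeholder, cell in row.items():
            seen.add(stakeholder)
            if parse_cell(cell) & VALID:
                assigned.add(stakeholder)
    return sorted(seen - assigned)


if __name__ == "__main__":
    for activity, issues in validate_raci(SAMPLE_CHART).items():
        print(activity)
        for issue in issues:
            print("  -", issue)
    print("No valid role anywhere:", unassigned_stakeholders(SAMPLE_CHART))
```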


IT Risk Governance Structures

Effective governance structures establish structure and discipline that can help an organization recognize its desired value.

• Enable IT leadership to understand its operational risks and manage them in a manner consistent with the organization's risk appetite
• Promote a sound control environment, complying with applicable laws and regulations and in line with the organization's risk management framework.

Governance Structure: Charter & Structure, Rules & Operation Enablement, Metrics & Reporting

Charter ("the what")
• Scope of policies & decisions
• Mgmt expectations
• Authority/impact of decisions

Structure ("the who")
• Membership (who, number, commitment, term, etc.)
• Chair or lead
• Roles & Responsibilities

Rules ("the how")
• Freq and method of interaction
• Interaction triggers
• Agenda setting
• Interdependencies & conflict resolution

Operation Enablement ("the who")
• Resources, e.g., funding, training
• Operational support and staff needs

Reporting ("the metrics")
• Metrics for transparency
• Strategic and tactical performance (value and cost)
• Adequacy of controls (risk)
• Scorecard and reporting

Typical membership of an IT Risk Governance Structure includes:
• Enterprise IT Risk Management Executive
• Chief Information Officer (CIO)
• Business Unit CIOs
• Chief Technology Officer
• Chief Information Security Officer
• Operational Risk Management Executive(s)
• Legal Liaison to IT
• Compliance Liaison to IT
• Supplier Management Liaison to IT
• IT Chief Finance Officer
• Director of IT Audit


Metrics and Measurements

Developing a metrics and reporting capability requires an organization to carefully consider certain key topics as it defines its requirements in the context of the broader organizational reporting capabilities and culture.

Key Topics for Consideration

Data: Where will the metrics be pulled from (source) and calculated?

Audience: Who are the constituents (Board, Committees, individuals) within the organization that will use the metrics?

Thresholds: What are the tolerances to be used in defining the level of performance?

Purpose: How will the metrics be used to provide value to the business? For example, operational, historical, compliance, regulatory.

Timing: What is the requirement related to frequency and timing of the metrics? For example, daily and on demand versus quarterly when available.

Common Challenges
• Ownership and Accountability
• Organizational Consensus
  – Agreement on the "key" risk attributes
  – Agreement on tolerances or thresholds that align with the company's risk appetite
  – Contextual correlations
• Data
  – Quality
  – Lineage
• Operational Enablement
• Automation


Hierarchical Levels of Reporting

Organizations should work to develop industry-leading reporting that aligns with the relevant constituents, stakeholders and their respective business needs. The following provides an example.

In developing these capabilities, data management must be contemplated to ensure data quality is sufficient to meet the desired business analytical need and enable informed decision making.


Characteristics of Top IT Governance Performers¹

Research reveals that top IT governance performers have:
• More managers in leadership positions who could accurately describe the governance arrangements
• More involvement of senior leaders in IT governance
• Clearer business objectives for IT investment (e.g., reduce costs vs. improving flexibility vs. improve customer service)
• Fewer renegade exceptions (i.e., not through a sanctioned exception process)
• More exceptions through a formal exception process
• Fewer changes in governance from year to year

¹ Statistically significant relationship with governance performance in approximate order of impact. 2002 MIT Sloan Center for Information Systems Research (Weill).


IT Governance – Key Takeaways

• No one, single "right" definition or framework
• Decision making and enforcement are central themes
• Principles, accountability, structure and process are all essential considerations
• Optimizing business value is the objective
• There are multiple indications that IT governance needs to be changed or improved
• How to change or improve IT governance depends on the desired outcomes
• Considering specific decision rights helps get clarity around roles, responsibilities and accountabilities


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 121179

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").