Charlotte ISACA Chapter
The Next Evolution of IT Governance
September 17, 2013
Dan Manley
Managing Director
1 © 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The Next Evolution of IT Governance

IT Governance continues to evolve in parallel with:
• Technology innovation, inclusive of the consequences that result (i.e., new threats)
• Changing business models
• Dynamic regulatory environment

Historical View (Execution)
• CEO
• CFO
• CIO

Recent Norm (Integration)
• Security
• IT Change Management
• Architecture

Emerging Trend (Transparency)
• Portfolio Management
• Vendor Management
• Risk & Compliance
Business Drivers
Include financial, non-financial and regulatory considerations

Legal and Regulatory Obligations
• HIPAA and HITECH
• GLBA and FFIEC
• PCI-DSS
• Sarbanes-Oxley
• FISMA
• FTC Enforcements
• FIPS
• Others…

Market and Operational Considerations
• Dynamic business models
  – M&A, divestiture and consolidation
  – Distributed operations
  – Remote / mobile workforce
  – Increased scrutiny
  – Decreasing budgets
• Increasing consumer expectations
  – Services
  – Availability
  – Privacy
• Evolving threats (e.g., cybercrime)
Defining IT Governance
There are many definitions, but consistent themes throughout

IT Governance is a process for managing and controlling the use of technology to create value for the organization. Effective IT Governance improves IT quality, which affects every business process in the organization.
- AMR Research

An integral part of enterprise governance that consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.
- IT Governance Institute

Structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
- ISACA

The assignment of decision rights and the accountability framework to encourage desirable behavior in the use of IT.
- Peter Weill and Marianne Broadbent, MIT Sloan School of Business
Defining IT Governance
A simple and straightforward definition

The ability to sponsor, make and enforce the right IT decisions

• What is the source of leadership? How will progress to desired outcomes be promoted or evangelized?
• What are our core beliefs? What are the policies by which we must abide?
• How are decisions made? Who plays what role? What processes are used?
• What accountabilities and authorities exist? What is measured and by whom? What incentive system is used? How is non-compliance addressed? How are justified exceptions considered?
Defining IT Governance
Components include principles, structure, processes and accountabilities

IT Governance components include principles, structures, processes, and accountability mechanisms employed to guide IT efforts and decision making toward achieving organizational objectives.

Principles: What are the core beliefs and assumptions?
• Statements of belief that are the foundation for directing decision making
• Include policies, standards and guidelines

Structure: How are we organized?
• Governing bodies
• Reporting structures
• Operating charters

Processes: How are decisions made?
• Key types of decisions
• Key inputs and outputs, and who supplies and receives input
• Decision processes
• Appeals mechanisms
• Communications

Accountability: Who makes decisions and how are they enforced?
• Roles and responsibilities for IT and business stakeholders
• Performance management and incentives
• Performance reporting
Defining IT Governance
A sample of the many frameworks and guides that address components of IT governance

• ISO 38500: ISO's IT Governance framework for Board and C-level executives and decisions.
• COBIT 4.1: ISACA's Control Objectives for IT. Relevant to audit of IT management and operations related to financials.
• VAL IT 2.0: ISACA's framework for the governance of IT investments. Principles and processes are used for IT portfolio management.
• Balanced Scorecard: Strategic management system developed by Kaplan/Norton. Involves joint strategy development and performance metrics.
• Applied Information Economics: Uses value ranges and probabilities to rank investments within an IT system/application portfolio.
• Earned Value Management: A way of comparing what work is completed against time and budget. Used at NASA and all Federal government agencies on external projects.
• ITIL: A set of concepts and practices for IT service management, development and operations. Provides comprehensive checklists, tasks and procedures.
• PMBOK: PMI's Project Management Body of Knowledge. A tactical guide for planning and executing projects.
• PRINCE2: A structured, process-driven approach to project management (not just for IT).
• FISMA: A framework for managing information security that must be followed for all information systems used or operated by or on behalf of a U.S. federal government agency.
• Total Quality Management: Seeks to put quality awareness in all organizational processes. Focus is on satisfaction, continuous improvement and long-term results.
• Six Sigma: A business management strategy which seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors).
• Lean IT: Principles whose central concern, applied in the context of IT, is the elimination of waste, where waste is work that adds no value to a product or service.
• ISO 20000: Promotes the adoption of an integrated process approach to effectively deliver managed services that meet business and customer requirements. Complements ITIL and COBIT.
• RISK IT: ISACA's framework to assist enterprises in identifying, governing and managing IT-related risks.
• ISACA's IT Governance guides: Two guides which provide guidance on the implementation and continuing improvement of IT governance.
Benefits of IT Governance
It's about more than just control

Managing / Controlling
• Improved accountability over IT
• More transparency of risk, return and performance for IT decision-making
• Efficient management of IT processes and resources
• Encourages desired behaviors in the use of IT

Value
• Better alignment of business and IT goals
• Increased buy-in from executives for IT direction and investments
• Improved business value of IT
• Enables higher levels of IT service and enterprise performance
Typical IT Governance Pain Points
The need for improved IT governance can manifest itself in many ways

Poor Investment Management
• Increasing costs
• Lack of business value of IT (real or perceived)
• Hidden or rogue IT spending

Performance Issues
• Failing initiatives: over budget, behind schedule or not meeting objectives
• Significant incidents related to IT risk, such as data loss or network outages
• Failure to meet regulatory or contractual requirements
• Limited IT innovation and business agility
• Business dissatisfaction or a reluctance to engage with IT

Ineffective Use of Resources
• Duplication or overlap between initiatives, or wasting of resources
• Insufficient IT resources, staff with inadequate skills, staff burnout, or dissatisfaction
• Vendor service delivery problems, such as agreed service levels consistently not being met
Potential IT Governance Models

Centralized
Structure and standards are developed at corporate and directed down to operating locations. Enables consistent process and conformity.

Hybrid
Structure and parameters are developed collaboratively and followed by operating locations, where relevant. Operating locations are able to act independently so long as decisions follow the outlined parameters and are driven toward a common vision.

De-Centralized
Structure and guidelines are developed independently at corporate and at each operating location. Characterized by inconsistent processes and procedures, which restricts the organization's ability to realize a common vision.
IT Governance Models
Not one-size-fits-all, but benefited by a balanced approach

(Figure: IT Governance Model spectrum, from Centralized through Federated to Decentralized, with the benefits and drawbacks of each.)

Centralized
• Benefits: scale economies; control of standards; critical mass of skills
• Drawbacks: some divisional needs unmet; no divisional control of central overhead costs; no divisional ownership of systems; enterprise priorities over divisional priorities

Federated
• Benefits: balance of IT priorities; enterprise perspective; pooling of divisionally responsive competencies

Decentralized
• Benefits: responsive to divisional needs
• Drawbacks: reinvention of wheels; inconsistent competence and quality across the enterprise; missed synergies and scale economies; excessive overall costs to the enterprise
IT Decision Rights
Governance benefits many aspects of IT decision-making

Strategic
• IT Strategy
• IT Governance
• IT Technology Direction
• IT Investment & Portfolio Prioritization
• IT Methods and Frameworks
• IT Policies
• IT & Information Architecture

Operational
• IT Program Management
• Managing, Monitoring and Evaluating SLAs
• IT Application Management
• IT Infrastructure Management
• IT Security
• Procurement & Contracts
• IT Compliance
RACI Charting
A valuable governance tool for defining stakeholder roles

RACI charting is a process of systematically assigning the role that stakeholder groups play in major activities and decisions. In addition to assigning accountability, it aims to reduce duplication of effort, encourage teamwork, and improve communication.

RACI Defined
• R – Responsible: The individual(s) who actually complete the task, the doer. This person is responsible for action/implementation. Responsibility can be shared. The degree of responsibility is determined by the individual with the "A".
• A – Accountable: The individual who is ultimately responsible. Includes yes or no authority and veto power. Only one "A" can be assigned to a function.
• C – Consulted: The individual(s) to be consulted prior to a final decision or action. This incorporates two-way communication.
• I – Informed: The individual(s) who need to be informed after a decision or action is taken. This involves one-way communication.
IT Risk Governance Structures

Effective governance structures establish structure and discipline that can help an organization realize its desired value.
• Enable IT leadership to understand its operational risks and manage them in a manner consistent with the organization's risk appetite
• Promote a sound control environment, complying with applicable laws and regulations and in line with the organization's risk management framework

Governance Structure

Charter & Structure
• Charter ("the what"): scope of policies & decisions; management expectations; authority/impact of decisions
• Structure ("the who"): membership (who, number, commitment, term, etc.); chair or lead; roles & responsibilities

Rules & Operation Enablement
• Rules ("the how"): frequency and method of interaction; interaction triggers; agenda setting; interdependencies & conflict resolution
• Operation Enablement ("the who"): resources, e.g., funding, training; operational support and staff needs

Metrics & Reporting
• Reporting ("the metrics"): metrics for transparency; strategic and tactical performance (value and cost); adequacy of controls (risk); scorecard and reporting

Typical membership of an IT Risk Governance Structure includes:
• Enterprise IT Risk Management Executive
• Chief Information Officer (CIO)
• Business Unit CIOs
• Chief Technology Officer
• Chief Information Security Officer
• Operational Risk Management Executive(s)
• Legal Liaison to IT
• Compliance Liaison to IT
• Supplier Management Liaison to IT
• IT Chief Finance Officer
• Director of IT Audit
Metrics and Measurements

Developing a metrics and reporting capability requires an organization to carefully consider certain key topics as it defines its requirements in the context of the broader organizational reporting capabilities and culture.

Key Topics for Consideration
• Purpose: How will the metrics be used to provide value to the business? For example, operational, historical, compliance, regulatory.
• Audience: Who are the constituents (Board, Committees, individuals) within the organization that will use the metrics?
• Data: Where will the metrics be pulled from (source) and calculated?
• Timing: What is the requirement related to frequency and timing of the metrics? For example, daily and on demand versus quarterly when available.
• Thresholds: What are the tolerances to be used in defining the level of performance?

Common Challenges
• Ownership and Accountability
• Organizational Consensus
  – Agreement on the "key" risk attributes
  – Agreement on tolerances or thresholds that align with the company's risk appetite
  – Contextual correlations
• Data
  – Quality
  – Lineage
• Operational Enablement
• Automation
Hierarchical Levels of Reporting

Organizations should work to develop industry-leading reporting that aligns with the relevant constituents, stakeholders and their respective business needs. The following provides an example.

In developing these capabilities, data management must be contemplated to ensure data quality is sufficient to meet the desired business analytical need and enable informed decision making.
Characteristics of Top IT Governance Performers (1)

Research reveals that top IT governance performers have:
• More managers in leadership positions who could accurately describe the governance arrangements
• More involvement of senior leaders in IT governance
• Clearer business objectives for IT investment (e.g., reduce costs vs. improving flexibility vs. improve customer service)
• Fewer renegade exceptions (i.e., not through a sanctioned exception process)
• More exceptions through a formal exception process
• Fewer changes in governance from year to year

(1) Statistically significant relationship with governance performance, in approximate order of impact. 2002 MIT Sloan Center for Information Systems Research (Weill).
IT Governance – Key Takeaways

• No one, single "right" definition or framework
• Decision making and enforcement are central themes
• Principles, accountability, structure and process are all essential considerations
• Optimizing business value is the objective
• There are multiple indications that IT governance needs to be changed or improved
• How to change or improve IT governance depends on the desired outcomes
• Considering specific decision rights helps get clarity around roles, responsibilities and accountabilities
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
© 2013 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 121179
The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").