Transcript of a presentation by Christian Feldbech Nissen (uploaded by dansk-it, category: Technology)
itSMF Danmark 2015
Ten steps towards Governance of IT
Christian F. Nissen, CFN People, Denmark
© 2015 CFN People unless otherwise stated
ITIL®, PRINCE2®, MSP®, MoP®, MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries.
COBIT®, Val IT®, Risk IT® and “Taking Governance Forward” are registered trademarks of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
Why IT governance? (The basics)
Agenda
The basics
Governance means
1. Decision making
2. Organizational structures
3. Roles and responsibilities
4. Process framework
5. Strategy and goals management
6. Risk management
7. Control objectives
8. Portfolio management
9. Management of suppliers, contracts and agreements
10. Financial model
Governance approaches
Governance – the basics: Definition? (The basics)
“Governance of IT ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” (ISACA, 2012)
MANAGEMENT of MANAGEMENT (Christian F. Nissen)
Governance – the basics (The basics)
Figure: an asset is shown as a system (architecture/configuration of resources) that has a value and a lifecycle.
An asset represents an investment!
Governance – the basics: Why? (The basics)
Figure: for each asset, governance optimizes resources, optimizes risk and meets preferences in order to maximize return on investment.
Governance – the basics: Who? How? (The basics)
Figure: the owner (accountable) delegates to a governance body; the governance body evaluates, directs and monitors; management reports back to the governance body and runs operation and execution in a plan-do-check-act cycle. Governance itself is the cycle evaluate, direct, monitor.
Governance – the basics: What? When? (The basics)
What?
❍ Principles, policies and plans (boundaries, principles, policies, decision models, strategies, plans, etc.)
❍ Goals (performance and outcome goals)
❍ Controls (control objectives, requirements, agreements, etc.)
❍ Resources (money, time, competencies, skills, etc.)
When?
Figure: the need for governance grows with the value of the asset and with the complexity of the asset (system/lifecycle).
Governance – seize the moment (The basics)
Triggers for governance initiatives (‘stolen’ from the COBIT 5 Implementation Guide):
Merger, acquisition or divestiture
A shift in the market, economy or competitive position
Change in business operating model or sourcing arrangements
New regulatory or compliance requirements
Significant technology change or paradigm shift
An enterprise-wide governance focus or project
A new CIO, chief financial officer (CFO), chief executive officer (CEO) or board member
External audit or consultant assessments
A new business strategy or priority
Ten steps towards Governance of IT (Governance means)
Figure: the ten steps are 1. Decision model, 2. Organizational structures, 3. Roles, 4. Processes, 5. Goals and metrics, 6. Risks, 7. Controls and maturity, 8. Portfolio, 9. Agreements and 10. Financial models. The decision model is drawn as a matrix of decision archetypes (Business monarchy, IT monarchy, Feudal, Federal, IT duopoly, Anarchy) against decision domains (Principles, Architecture, Supporting services, Customer facing services, Investments).
Decision modelling (1. Decision making)
Matrix: the rows are the decision archetypes Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly and Anarchy; the columns are the decision domains IT Principles, IT Architecture, Supporting services, Customer facing services and IT Investments, each split into Input and Decision.
Peter Weill & Jeanne W. Ross (2004)
Decision model (1. Decision making)
Responsibility matrix. Columns: IT principles | IT architecture | Supporting services | Customer facing services | IT investments
Initiative: The owner of the principle | Architecture | IT | LoB (approved by budget owner) | IT
Develop basis for decisions (business case): IT | Architecture | IT | IT Business Relationship Manager | IT
Consult: IT Steering Committee | IT | IT | IT | IT Steering Committee
Decision (strategic or tactical): Board of Directors | Board of Directors | Board of Directors | Board of Directors | Board of Directors
Decision (operational): IT | IT | Local IT committee (the remaining cells are blank in the transcript)
Implementation and follow-up: IT | Board of Directors | Board of Directors | System owner | IT
Monitoring and control: IT Steering Committee | IT | IT | IT | IT Steering Committee
Documentation and communication: IT | Architecture | IT | Project documentation or SLAs | Minutes
IT governance forums (2. Organizational structures)
Board of directors
Senior management
Business executives
IT management
Technology council
IT architecture review board
IT steering committee
IT strategy committee
From ISACA’s “Board Briefing on IT Governance”
IT governance organization (2. Organizational structures)
Figure (example organization; labels translated from Danish). Governance level: group management (strategic direction; budget frame and prioritisation criteria), investment committee (investment prioritisation), agencies (operating appropriation). Management level: project proposals from the business, PMO (consolidation; draft portfolio), IT portfolio steering group (prioritised portfolio; budget proposal), steering group, project, resources, reporting.
Roles and responsibilities for IT Governance (3. Roles and responsibilities)
Enterprise, entity and asset roles:
Owner (e.g. Change Management process owner or project sponsor)
Governor (e.g. Change Management process delegate or project steering committee)
Manager (e.g. Change Manager or project manager)
Roles, Activities and Relationships (3. Roles and responsibilities)
Figure (ISACA, COBIT 5): owners and stakeholders delegate to the governing body, which is accountable to them; the governing body sets direction for management and monitors it; management instructs and aligns operations and execution, which report back.
Figure (3. Roles and responsibilities): processes and service lines cut across the business, IT and the suppliers. Roles shown: Process Owner (one per process), Service Owner and Service Manager (one pair per service line), Service Solution Architect, Business Relationship Manager (BRM), Service Level Manager, Service Portfolio Manager, Service Catalogue Manager and Supplier Relationship Manager.
Process integration (4. Process framework)
Figure: three ways of integrating a process (Change Management in the example, with SLM) between the IT organisation and its suppliers: Integrated, Replicated and Referenced.
Process Reference Model (4. Process framework)
Figure: the ISACA COBIT 5 process reference model.
Unified RACI – in a SIAM environment (4. Process framework)
Value stream: Detect to correct
Columns (roles): Business: User, Business manager, Process owner | SIAM: Incident Manager, Service level manager | Supplier 1: 1st line analyst, 2nd line analyst | Supplier 2: 1st line analyst, 2nd line analyst
Prepare, communicate and train policies and procedures: I R A R C C C C C
Identify and qualify incident: C R A C
Raise incident with all relevant details / impact: R I A C I
Accept, categorise and prioritise incident: I A R C
Assign incident: A R R I I I
Investigate incident / execute model: A C R I I I
. . .
(Only the first row has all nine cells; for the other rows the transcript gives the filled cells in order and omits the empty ones.)
R = responsible, A = accountable, C = consulted, I = informed
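A unified RACI only works across a SIAM boundary if every activity has exactly one accountable role and someone responsible for doing the work. The following check is an added example, not code from the slides or from CFN People: the role columns and the first row are taken from the table above, while the other rows are constructed (and two of them deliberately defective) to show what the check reports.

```python
# Added example (not from the slides): consistency check for a unified RACI
# matrix in a SIAM setting. ROLES and the first row follow the slide; the other
# rows are constructed, "-" marks an empty cell.

ROLES = (
    "Business: User", "Business: Business manager", "Business: Process owner",
    "SIAM: Incident Manager", "SIAM: Service level manager",
    "Supplier 1: 1st line analyst", "Supplier 1: 2nd line analyst",
    "Supplier 2: 1st line analyst", "Supplier 2: 2nd line analyst",
)

RACI = {
    "Prepare, communicate and train policies and procedures": "I R A R C C C C C".split(),
    "Assign incident (constructed)":                          "- - - A R R I I I".split(),
    "Close incident (constructed, defective)":                "I - A A R - - - -".split(),
    "Review major incident (constructed, defective)":         "C - - - C I I - -".split(),
}

VALID = {"R", "A", "C", "I", "-"}

def validate_raci(matrix, roles=ROLES):
    """Return a list of problems: wrong row width, unknown codes,
    not exactly one A per activity, or no R per activity."""
    issues = []
    for activity, cells in matrix.items():
        if len(cells) != len(roles):
            issues.append(f"{activity}: expected {len(roles)} cells, found {len(cells)}")
            continue
        unknown = sorted(set(cells) - VALID)
        if unknown:
            issues.append(f"{activity}: unknown codes {unknown}")
        accountable = cells.count("A")
        if accountable != 1:
            issues.append(f"{activity}: exactly one A required, found {accountable}")
        if cells.count("R") == 0:
            issues.append(f"{activity}: no R assigned")
    return issues

def workload_by_role(matrix, roles=ROLES):
    """Count R and A per role across all activities, to spot an overloaded
    role or an accountability that has drifted to an unexpected column."""
    counts = {role: {"R": 0, "A": 0} for role in roles}
    for cells in matrix.values():
        if len(cells) != len(roles):
            continue
        for role, cell in zip(roles, cells):
            if cell in ("R", "A"):
                counts[role][cell] += 1
    return counts

if __name__ == "__main__":
    for problem in validate_raci(RACI):
        print("problem:", problem)
    for role, c in workload_by_role(RACI).items():
        print(f"{role:32s} R={c['R']} A={c['A']}")
```

Run on the sample matrix, the check flags the two constructed rows (two accountable roles on one, no accountable and no responsible role on the other) and the per-role counts show the Incident Manager carrying two accountabilities.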
Service based strategy (5. Strategy and goals management)
Strategic position: stakeholders, environment (PESTEL), market and competition (five forces), capabilities (SWOT), etc.
ITSM as a strategic asset: business strategy and requirements; IT Service Management vision; IT Service Management mission; IT Service Management goals and success factors; IT Service Management governance
Service strategy: service portfolio management (business alignment, investments, relations and sourcing); services strategy (utility and warranty); service design criteria or principles; pricing and charging
Service Management strategy (resources and capabilities): change of attitude, behavior, skills and competences; process improvement, automation and governance; knowledge management; organizing (organization, functions, jobs, roles); leadership development; partner management; investments in and management of infrastructure, applications, integration and data; tool support; cost models and funding
Execution: roadmap
Goals cascade (5. Strategy and goals management)
Enterprise goals cascade to IT-service goals, which cascade to enabler goals.
ISACA, COBIT 5
Service based strategy (5. Strategy and goals management)
Figure (strategy process): IT vision, mission and overall strategy; breakdown in IT sub-strategies; definition of capability building strategies; establish strategy masterplan; shared understanding of the situation.
IT risk management (6. Risk management)
Risks may be managed in a cross-organizational risk register.
Figure: assets, threats and vulnerabilities are analysed into risks, and countermeasures mitigate those risks.
Control objective types (7. Control objectives)
Type | Purpose | Example
Directive | Provide guidance on required behaviour | Policies and procedures
Preventive | Deter noncompliance with directive controls | Training programs, penalty and reward systems
Compensating | Make up for a lack of controls elsewhere | Alternative or backup procedures
Detective | Uncover violations of internal control procedures | Random checks of compliance
Corrective | Correct problems after discovery | Training programs and penalty systems
ISACA, COBIT 5
Processes and control objectives (7. Control objectives)
Figure: legislation, standards, contracts, the risk register, etc. are filtered into a consolidated control objective repository, which is realised through policies, processes and procedures at governance and management level.
Control register (7. Control objectives)
Example rows; the Control, Control objectives and Supervision columns are translated from Danish.
Columns: Priority | ID | COBIT Practice | COBIT Practice description | Control | Control objectives | Supervision and reporting

Row 1
Priority: 1
ID: BAI06.01
COBIT Practice: Evaluate, prioritise and authorise change requests.
COBIT Practice description: Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, prioritised, categorised, assessed, authorised, planned and scheduled.
Control: Evaluate, prioritise and approve changes. Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether the change will affect the operational environment and introduce unacceptable risks. Ensure that changes are logged, prioritised, categorised, assessed, approved, planned and carried out.
Control objectives:
- An up-to-date and known change management process must exist, covering logging, prioritisation, categorisation, assessment, approval, planning and execution of IT-related changes
- The change management process must cover all organisational changes and all changes in business processes, IT services, systems and infrastructure that may affect information security
- Policies and guidelines must exist for software changes, hardware changes and changes in deliveries and services from suppliers
- All changes covered by the change management process must follow the process
Supervision and reporting: Reporting annually. 2016: the change management process, including policies, guidelines, roles and activities, is documented and disseminated. 2017: in spot checks among selected changes in infrastructure and applications, logged and approved change requests must exist for all samples. If the target is not met, the institution is required to draw up an action plan with a suitably short deadline.

Row 2
Priority: 1
ID: BAI07.04
COBIT Practice: Establish a test environment.
COBIT Practice description: Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads.
Control: Establish test environment. Establish secure test environments that are representative of the enterprise's business processes and production environments. Take into account performance and capacity, security, internal control, operational practices, data quality, privacy and workloads.
Control objectives:
- Development, test and production environments must be separated
- Development environments must be secured so that unintended overwrites do not occur
- If test data contains confidential information, it must be protected in the same way as in production
Supervision and reporting: Reporting annually. The institution must account for the number of environments, how they are separated and how they are protected. The target is 100%, meaning that no environment deviates from any of the control objectives. If the target is not met, the institution is required to draw up an action plan with a suitably short deadline.
The purpose of portfolio management (8. IT portfolio management)
To protect and optimize the value of investments (VOI) in IT assets.
IT assets:
Projects and programs
Services
Applications
Information and data
Technologies
Customers / relationships
People
Processes
Financial assets
IPR / patents
Portfolio Management (8. IT portfolio management)
A portfolio is a set of assets that are managed by an organization. It supports management of the investments in those assets.
A portfolio clarifies:
1. Value of each asset in the portfolio
2. Internal relations between assets
3. Criticality of each asset in the portfolio
4. Investments in the asset: how should resources be allocated?
5. Asset strategies and priorities
IT service portfolio (8. IT portfolio management)
Figure (example portfolio). Services shown: Data Center and Facilities Services; Communication and Network Services; Database Services; Integration Services; Server Hosting Services; Storage Services; Backup Services; Print Services; Application Platform Services; Application Management; Application Services; Desktop Services. Cross-cutting services: Identity Management Services; Monitoring services; Security and Compliancy Services; End User Support Services. Business lines served: Sales, Operation, Retail, Finance, ... Lifecycle stages: Req. Man., Design, Develop., Test, ...
Service orchestration (8. IT portfolio management)
Figure: services from a global service portfolio (Service A, Service B, Service C) are composed into service packages (Service Package 1a, 1b, 2 and 3) and service level packages, each covered by a service level agreement; the services are delivered by local IT, external providers, the local LOB and corporate IT.
SLA Framework - Multilevel SLA (9. Suppliers, contracts & agreements)
Corporate level SLA
Customer level SLA: Customer 1, Customer 2
Service specific level SLA: Service A and Service B (under Customer 1); Service A and Service C (under Customer 2)
SLA content - warranties (9. Suppliers, contracts & agreements)
Warranty:
Availability: service availability, service performance, service support
Capacity: capacity
Security: IT security management, compliance
Continuity: backup, restore
Agreed service time: service hours, support hours, service provider maintenance windows, customer maintenance windows, backup windows
Service level objective - example (9. Suppliers, contracts & agreements)
Attribute | Example
Service Level Objective | Incident resolution time
Description | Percentage of incidents resolved within target resolution time by priority. Resolution time is the total time used to resolve an incident from logging of the incident to the resolution, when the user is satisfied with the resolution, except for time ‘waiting for user’.
Specification | Resolution time (min) = time from incident recording to resolution (min) − time waiting for user (min); the objective is the share of incidents whose resolution time is within the target for their priority.
Measurement frequency | Monthly
Correlation rule | n/a
Service level option | Gold | Silver | Bronze
Service level target | Priority 1: 8h, Priority 2: 16h, Priority 3: 2d, Priority 4: 5d | Priority 1: 8h, Priority 2: 36h, Priority 3: 5d, Priority 4: agreed per case | Priority 1: 12h, Priority 2: 48h, Priority 3: 8d, Priority 4: agreed per case
Quantile | 0.95 | 0.95 | 0.95
Danger value | 0.975 | n/a | n/a
Pre-requisite | < 20,000 incidents per month; access to customer representative | < 50,000 incidents per month | n/a
Pre-conditions | Depends on service x | Depends on service x | Depends on service x
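To make the objective measurable, the monthly report has to compute the resolution time per incident (excluding waiting-for-user time), group by priority and compare the share within target with the quantile. The script below is an added example, not code from the slides or from CFN People: the Gold targets, quantile and danger value come from the table above, the incidents are constructed sample data, and the reading of the danger value as an early-warning band between 0.95 and 0.975 is an assumption.

```python
# Added example (not from the slides): measuring the "incident resolution
# time" SLO for the Gold option. Targets, quantile and danger value are from
# the slide; the incidents are constructed; treating the danger value as an
# early-warning band between the quantile and 0.975 is an assumption.
from dataclasses import dataclass
from datetime import datetime, timedelta

GOLD_TARGET_MIN = {1: 8 * 60, 2: 16 * 60, 3: 2 * 24 * 60, 4: 5 * 24 * 60}
QUANTILE = 0.95       # share of incidents that must be within target
DANGER_VALUE = 0.975  # Gold only; Silver and Bronze have n/a

@dataclass
class Incident:
    priority: int
    recorded: datetime             # time the incident was logged
    resolved: datetime             # time the user accepted the resolution
    waiting_for_user_min: int = 0  # minutes the ticket waited for the user

def resolution_minutes(inc):
    """Resolution time = minutes from recording to resolution minus 'waiting for user'."""
    elapsed = (inc.resolved - inc.recorded).total_seconds() / 60
    return max(elapsed - inc.waiting_for_user_min, 0.0)

def slo_report(incidents, targets=GOLD_TARGET_MIN, quantile=QUANTILE, danger=DANGER_VALUE):
    """Per priority: count, incidents within target, share and a status:
    'breach' below the quantile, 'danger' between quantile and danger value, else 'ok'."""
    report = {}
    for prio, target in targets.items():
        group = [i for i in incidents if i.priority == prio]
        if not group:
            continue  # no incidents of this priority in the period
        within = sum(1 for i in group if resolution_minutes(i) <= target)
        share = within / len(group)
        if share < quantile:
            status = "breach"
        elif danger is not None and share < danger:
            status = "danger"
        else:
            status = "ok"
        report[prio] = {"count": len(group), "within": within,
                        "share": round(share, 4), "status": status}
    return report

def sample_incidents():
    """Constructed sample: one month of incidents for a single customer."""
    t0 = datetime(2015, 10, 1, 8, 0)
    out = []
    # Priority 1: 37 resolved in 6h, one resolved after 10h elapsed but with 3h
    # waiting for user (counts as 7h, within 8h), two resolved after 12h (breaches).
    for k in range(37):
        out.append(Incident(1, t0 + timedelta(hours=k), t0 + timedelta(hours=k + 6)))
    out.append(Incident(1, t0, t0 + timedelta(hours=10), waiting_for_user_min=180))
    out += [Incident(1, t0, t0 + timedelta(hours=12)) for _ in range(2)]
    # Priority 2: 18 resolved in 12h, two after 20h (target 16h).
    out += [Incident(2, t0, t0 + timedelta(hours=12)) for _ in range(18)]
    out += [Incident(2, t0, t0 + timedelta(hours=20)) for _ in range(2)]
    # Priority 3: ten resolved within one day (target 2d).
    out += [Incident(3, t0, t0 + timedelta(days=1)) for _ in range(10)]
    return out

if __name__ == "__main__":
    for prio, row in slo_report(sample_incidents()).items():
        print(f"P{prio}: {row['within']}/{row['count']} within target, "
              f"share {row['share']:.3f} -> {row['status']}")
```

On the sample, priority 1 lands exactly on the quantile (38 of 40) and is reported as "danger", priority 2 breaches at 0.90, and priority 3 is fine; the waiting-for-user deduction is what keeps the 10-hour priority 1 ticket within its 8-hour target.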
Multi-sourcing – integration and management (9. Suppliers, contracts & agreements)
Figure: four placements of the service integration and management (SIAM) function between the business, internal IT, Supplier 1 and Supplier 2:
1. Separate function (client)
2. Business function (client)
3. IT function (client)
4. Outsourced function (supplier)
Financial means (10. Financial model)
Power follows money:
Organization based costing
Project based costing
Activity based costing
Service based costing
. . .
Cost model – service based costing (10. Financial model)
Cost elements: hardware, software, employment, accommodation, external service, transfer.
Costs are split into direct costs and indirect costs; indirect costs are either absorbed (allocated to services) or unabsorbed.
The absorbed costs are increased by an uplift of X%, where X% = unabsorbed indirect costs / absorbed costs × 100%, to give the total cost of the IT service.
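The allocation step is easy to get wrong in a spreadsheet, so a small script that applies the model and checks that every cost is recovered is worth having. This is an added example, not code from the slides or from CFN People: the cost elements follow the slide, the figures and the allocation driver (users served) are constructed, and applying the uplift to each service's absorbed costs (direct plus absorbed indirect) so that the unabsorbed pool is recovered in full is an assumption about the model.

```python
# Added example (not from the slides): service based costing with direct
# costs, absorbed indirect costs and an uplift for unabsorbed indirect costs.
# Cost elements follow the slide; the figures and the driver are constructed;
# applying the uplift to each service's absorbed costs is an assumption.

COST_ELEMENTS = ("hardware", "software", "employment", "accommodation",
                 "external_service", "transfer")

def uplift_percent(unabsorbed_total, absorbed_total):
    """Uplift X% = unabsorbed indirect costs / absorbed costs x 100."""
    if absorbed_total <= 0:
        raise ValueError("absorbed costs must be positive to derive an uplift")
    return unabsorbed_total / absorbed_total * 100

def service_costs(direct, indirect_absorbed, drivers, unabsorbed_total):
    """direct: {service: {cost element: amount}}
    indirect_absorbed: {cost element: amount}, allocated to services by 'drivers'
    drivers: {service: allocation key, e.g. users served}
    unabsorbed_total: indirect costs with no usable driver, recovered by uplift
    Returns (uplift %, {service: {direct, absorbed_indirect, uplift, total}})."""
    used = {e for costs in direct.values() for e in costs} | set(indirect_absorbed)
    unknown = used - set(COST_ELEMENTS)
    if unknown:
        raise ValueError(f"unknown cost elements: {sorted(unknown)}")
    driver_total = sum(drivers[s] for s in direct)
    pool = sum(indirect_absorbed.values())
    costs = {}
    for service, elements in direct.items():
        d = sum(elements.values())
        a = pool * drivers[service] / driver_total   # absorbed indirect share
        costs[service] = {"direct": d, "absorbed_indirect": a}
    absorbed_total = sum(c["direct"] + c["absorbed_indirect"] for c in costs.values())
    x = uplift_percent(unabsorbed_total, absorbed_total)
    for c in costs.values():
        base = c["direct"] + c["absorbed_indirect"]
        c["uplift"] = base * x / 100
        c["total"] = base + c["uplift"]
    return x, costs

def fully_recovered(direct, indirect_absorbed, unabsorbed_total, costs, tol=1e-6):
    """Check that the service totals add up to every cost incurred."""
    incurred = (sum(sum(e.values()) for e in direct.values())
                + sum(indirect_absorbed.values()) + unabsorbed_total)
    return abs(sum(c["total"] for c in costs.values()) - incurred) < tol

# Constructed figures (thousands, one year) for two services from the portfolio.
DIRECT = {
    "Server Hosting Services": {"hardware": 600, "software": 100, "employment": 300},
    "Desktop Services": {"hardware": 200, "employment": 500, "external_service": 300},
}
INDIRECT_ABSORBED = {"accommodation": 300, "employment": 100}  # shared premises and management
DRIVERS = {"Server Hosting Services": 250, "Desktop Services": 750}  # users served
UNABSORBED = 240  # overhead with no sensible driver, recovered through the uplift

if __name__ == "__main__":
    x, costs = service_costs(DIRECT, INDIRECT_ABSORBED, DRIVERS, UNABSORBED)
    print(f"uplift = {x:.1f}%")
    for s, c in costs.items():
        print(f"{s}: direct {c['direct']}, absorbed indirect {c['absorbed_indirect']:.0f}, "
              f"uplift {c['uplift']:.0f}, total {c['total']:.0f}")
    print("fully recovered:", fully_recovered(DIRECT, INDIRECT_ABSORBED, UNABSORBED, costs))
```

With the constructed figures the absorbed costs total 2,400, the unabsorbed 240, so the uplift is 10% and the two service totals (1,210 and 1,430) add up to everything the IT organisation spent.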
Charging (10. Financial model)
Pricing methods: cost, cost-plus, going rate, market rate, fixed price
Charging policy: no charging, notional charging, charging
Governance approaches
Three approaches to Governance (Governance approaches)
Plan, design and implement
Belief: IT management practices can be designed, implemented and managed
The role of Best Practice: a cookbook or ideal model
The role of the consultant: guru
Common language and continual improvement
Belief: IT management practices are social constructions that can be managed and improved through continuous incremental improvement cycles
The role of Best Practice: common language and inspiration
The role of the consultant: facilitator
Emergence, co-creation and communities of practice
Belief: IT management practices cannot really be managed – they emerge over time through complex responsive processes
The role of Best Practice: narrative or propositional themes that organize experience – a myth, ideology or virus
The role of the consultant: disturber
Cynefin (Governance approaches)
David Snowden, 2002, 2007, 2014
Figure (Cynefin framework), four domains around a central domain of disorder:
Complex: probe, sense, respond; emergent practice
Complicated: sense, analyze, respond; good practice
Chaotic: act, sense, respond; novel practice
Simple/obvious: sense, categorize, respond; best practice
Complacency is also marked on the diagram.
Questions
Contact: Christian F. Nissen, +45 40 19 41 45, www.cfnpeople.com