IT Governance Overview (ISACA presentation, December 7, 2015; posted 2015-12-14)


© 2015 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.



Here with you today

Tom Johnston, CISA, CISM, CGEIT, CRISC – Director, IT Audit and Assurance, (216) 875 [email protected]

Brian Greenberg, CISA – Director, IT Advisory, (216) [email protected]

www.kpmg.com


Today's Objectives

By the end of this session, you should be better able to:

● Define IT governance, including its supporting components and frameworks

● Understand how stakeholder expectations of IT are changing and how these changing expectations are affecting the IT organization

● Describe the benefits of effective IT governance

● Identify pain points and triggers that indicate a need for IT governance improvements or change

● Describe the characteristics and use of governance models and RACI for decision-making

● Understand how CIOs can overcome this disruption with a new operating model for IT

● Recognize the characteristics of top performers in IT governance


Corporate Governance

The framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders (financiers, customers, management, employees, government and the community).


IT Governance

Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on the organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.


Data Governance

Data governance is a control that ensures that data entered by an operations team member or by an automated process meets precise standards, such as a business rule, a data definition and the data integrity constraints in the data model. The data governor uses data quality monitoring against production data to communicate errors in data back to operational team members, or to the technical support team, for corrective action. Data governance is used by organizations to exercise control over the processes and methods used by their data stewards and data custodians in order to improve data quality.


Defining IT Governance: There are many definitions, but consistent themes throughout

"IT Governance is a process for managing and controlling the use of technology to create value for the organization. Effective IT Governance improves IT quality, which affects every business process in the organization."
- AMR Research

"An integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives."
- IT Governance Institute

"Structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes."
- ISACA

"The assignment of decision rights and the accountability framework to encourage desirable behavior in the use of IT."
- Peter Weill and Marianne Broadbent, MIT Sloan School of Management


Three Primary Drivers for IT Governance Design

Organizational Alignment – The need to align control of IT with decision-making authority in the business

Strategic Alignment – The need to engender the behaviors for IT to deliver the enterprise vision and associated strategies

Returns on IT Investment – The need to ensure that the returns on IT investments are maximized across the enterprise


IT Governance

The IT governance framework, operational processes and governance activities can be represented as follows (diagram; its three layers and their elements are listed here):

Governance Framework: Organisational Framework, Strategic Planning, Management Committees, Policies & Standards

Operational IS Processes: Solution Dev, Project Mgt, Security Mgt, Availability Mgt, Service Mgt, Financial Mgt, Operations Mgt, IS Audit, Support Mgt, Change Mgt

Process Elements: Performance Management, Risk Management, Resource Management, Communications, Compliance


Governance Framework

The governance framework assists in the implementation of the IS strategy and the governance of IS.

Organizational Framework – The structures whereby IT reports into / takes direction from the business, as well as the organizational structures, roles and responsibilities within IT

Strategic Planning – The process whereby the IT strategy is developed

Management Structures – The various management structures responsible for deploying the strategy and management of IT; most of these should have participation by representatives of the business

Policies & Standards – The development and implementation of policies and standards for the organization that allow for the standardization and managed development of the IT function


Operational IT Processes

These are the processes whereby IT is managed on a daily basis. These processes should be designed in such a way as to include the IT governance activities that would assist them in operating as designed.

• Solution Development – planning and implementing systems (including applications, databases, and infrastructure)

• Project Management – management of all projects and monitoring of system development lifecycles

• Security Management – security tailored to the organization, ongoing assessments, anti-virus, firewalls, intrusion detection

• Availability Management – Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP)

• Service Management – Service Level Agreements (SLAs), managing third parties, user satisfaction surveys

• Financial Management – budgeting across IT as well as for projects, timekeeping systems

• Operations Management – application, database and network management, back-ups & recovery, batch processing, shift handovers

• IS Audit – integration into the internal audit function, IT audit plan, how quickly the organization responds to issues, keeping up to date with audit regulations

• Support Management – service / help desk, incident management, first, second and third line support

• Change Management – change management process, configuration management, authorization, change advisory boards and release management


IT Process Elements

The day-to-day IT governance actions that occur (usually within the operational processes).

• Performance Management – measuring the performance of resources within the organization by means of collating and communicating metrics

• Risk Management – activities to ensure that risks specific to the process are identified and mitigated

• Resource Management – activities to ensure that the correct resources (both people and technology) are assigned to the correct tasks; recruiting and training of staff, capacity planning

• Communications – activities to ensure that adequate communication takes place both between IT processes and between IT and the business

• Compliance – with both external legislation/regulations and internal policies, procedures and standards


Defining IT Governance: A simple and straightforward definition

The ability to sponsor, make and enforce the right IT decisions

What is the source of leadership? How will progress to desired outcomes be promoted or evangelized?

What are our core beliefs? What are the policies by which we must abide?

How are decisions made? Who plays what role? What processes are used?

What accountabilities and authorities exist? What is measured and by whom? What incentive system is used? How is non-compliance addressed? How are justified exceptions considered?


Defining IT Governance: Components include principles, structure, processes and accountabilities

IT governance components include principles, structures, processes, and accountability mechanisms employed to guide IT efforts and decision making toward achieving organizational objectives.

Principles – What are the core beliefs and assumptions?
● Statements of belief that are the foundation for directing decision making
● Include policies, standards and guidelines

Structure – How are we organized?
● Governing bodies
● Reporting structures
● Operating charters

Processes – How are decisions made?
● Key types of decisions
● Key inputs and outputs, and who supplies and receives input
● Decision processes
● Appeals mechanisms
● Communications

Accountability – Who makes decisions and how are they enforced?
● Roles and responsibilities for IT and business stakeholders
● Performance management and incentives
● Performance reporting



Example IT Governance Components: Principles (client sample)

A set of overarching principles will guide our IT governance efforts

Achieve a powerful growth strategy
• Create major strategic cross-division investments
• Exploit leverage and synergy across the group
• Make the whole greater than the sum of the parts

Operate effectively at low cost
• Reduce duplication and redundancy
• Manage risks across the group
• Create and manage shared utilities

Stimulate innovation and "stretch"
• Inject new ideas and stimulate fresh thinking
• Create stretching targets to build skills
• Prepare the organization as a whole for the new world


Example IT Governance Components: Structure (client sample)

Our new IT governance structure consists of three tiers to manage funding, prioritization and delivery

Governance Structure

I. Investment Committee (quarterly; by division)
♦ Govern budgeting and ongoing approval of new funding (IT spend)
♦ Approve and re/prioritize the project pipeline that crosses multiple Programs
♦ Provide a receiver view

II. Steering Committee (monthly; by Program)
♦ Govern ongoing approval and re/prioritization of the project pipeline within the assigned budget, and new requests of $250K (IT spend) and over within each Program; if additional funding is required, requests are escalated to the Investment Committee
♦ Aligned to a business lead at the Program or Initiative level; prioritization takes place within the business' budget
♦ Address issues escalated from Working Groups
♦ Monitor performance and value realization of work effort
♦ Offer a provider view

III. Working Groups (weekly/biweekly as necessary; by Initiative or Project)
♦ Current meetings that allow business sponsors, IT leads and Project Managers to define IT priorities and short-term project efforts and address any tactical delivery issues
♦ Manage incoming requests of under $250K within the established budget
♦ Necessary if the Steering Committee is too broad

(Diagram labels: Sponsor; Investment Committee, by division, and Steering Committee, by Program, marked as new governance bodies; Working Group, by Initiative or Project, marked as periodic review and prioritization meetings between business and IT, ad-hoc meetings in practice.)


Example IT Governance Components: Processes (client sample)

We've designed a comprehensive planning and approval process for managing newly submitted requests

Project Planning and Approval Process (flowchart, with swimlanes for Business & IT, BA, PM, Program Lead, Steering Committee and Investment Committee; ordering reconstructed from the chart's labels)

• Submit New Request (Business & IT)
• Adequate Information Provided? (BA) – No: Request Closed
• Accept for Definition? – Reject: Request Closed
• Define Business Requirements, then Adequate Information Provided? – No: Request Closed
• Capability Enhancement / Support
• Estimate Costs and Duration (PM)
• Accept for Scheduling? – Reject: Request Closed
• Is the Request Within Budget? – No: Reallocate Funding? / Provide Additional Funding? (Investment Committee: Additional Funding Approved, or Additional Funding Rejected and Request Closed)
• Staff/Schedule Projects
• Manage Delivery of Projects

Notes:
• The planning process is outside of the annual budget process.
• Does not include detailed SDLC processes during "Manage Delivery of Projects."


Example IT Governance Components: Accountability (client sample)

Individual Roles and Responsibilities – RACI Diagram

Clear definition of standardized roles and responsibilities is a key characteristic of a high performance IT operating model.

Roles (rows): Project Manager; CTO; Business Sponsor; Program (X) Lead; Line of Business Lead & COO

Activities (columns): Define IT Strategic Direction (for Program); Develop IT Budget (for Program); Fund IT Budget (for Program); Prioritize IT Project Pipeline Across Projects; Prioritize IT Project Pipeline Within Projects; Define Resource Allocation Across Portfolio; Manage Budget and Headcount; Resource Hiring; Develop Project Plan and Execute IT Projects; Staff Time Sheet Review and Approval

Cell assignments as extracted (the row-to-role and column-to-activity mapping did not survive extraction; one cell reads "A & R"):
C C I C R C R C R R
R R R R C R A A & R A A
A A R C C A C C C C
C I C C A I I C C I
C C A A C C I I I I

Key relationships marked on the diagram: Business and IT Collaborate; IT Line Management

RACI legend:

A – Accountable: The individual who is ultimately accountable for a decision or action; includes yes/no and the power of veto. Only one accountable person is assigned to a task.

R – Responsible: Individuals who perform a task (the doer responsible for execution / action). The degree of responsibility is defined by the accountable person. Responsibilities can be shared.

C – Consulted / Participated: Individuals to be consulted prior to a final decision or action being taken. Two-way communication.

I – Informed: Individuals to be informed after a decision or action is taken.
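The RACI legend states two structural rules a chart must satisfy before it is usable for decision-making: exactly one Accountable party per activity and at least one Responsible party. The Python check below is an added example, not part of the KPMG deck. The matrix it validates is constructed for illustration (the deck's own cell-to-role mapping is not recoverable here); the role and activity names are borrowed from the chart, and the function names validate_raci, parse_cell and broken_sample are my own.

```python
"""Validate a RACI matrix against the rules in the legend:
exactly one Accountable (A) per activity, at least one Responsible (R).
Added example; the sample assignments below are constructed, not the deck's."""

VALID_CODES = {"A", "R", "C", "I"}

# Activity names taken from the chart's column headers (a subset).
ACTIVITIES = [
    "Define IT Strategic Direction (for Program)",
    "Develop IT Budget (for Program)",
    "Fund IT Budget (for Program)",
    "Prioritize IT Project Pipeline Across Projects",
    "Develop Project Plan and Execute IT Projects",
]

# Constructed sample matrix: role -> one cell per activity.
# "" means the role plays no part; "A & R" means accountable and responsible.
SAMPLE_RACI = {
    "CTO":                         ["A", "C",     "I", "A", "I"],
    "Program Lead":                ["R", "A & R", "C", "R", "A"],
    "Business Sponsor":            ["C", "R",     "A", "C", "C"],
    "Line of Business Lead & COO": ["C", "C",     "R", "C", "I"],
    "Project Manager":             ["I", "I",     "",  "I", "R"],
}


def parse_cell(cell):
    """Split one cell into its RACI codes: 'A & R' -> {'A', 'R'}, '' -> set()."""
    codes = {part.strip().upper() for part in cell.split("&") if part.strip()}
    unknown = codes - VALID_CODES
    if unknown:
        raise ValueError(f"unknown RACI code(s) {sorted(unknown)} in cell {cell!r}")
    return codes


def validate_raci(activities, matrix):
    """Return a list of rule violations; an empty list means the chart is well-formed."""
    problems = []
    # Every role must have one cell per activity.
    for role, row in matrix.items():
        if len(row) != len(activities):
            problems.append(
                f"{role}: {len(row)} cells for {len(activities)} activities")
    # Per activity: exactly one A, at least one R (A & R counts as both).
    for col, activity in enumerate(activities):
        accountable, responsible = [], []
        for role, row in matrix.items():
            if col >= len(row):
                continue
            codes = parse_cell(row[col])
            if "A" in codes:
                accountable.append(role)
            if "R" in codes:
                responsible.append(role)
        if len(accountable) != 1:
            problems.append(
                f"{activity}: expected exactly one Accountable, "
                f"found {accountable or 'none'}")
        if not responsible:
            problems.append(f"{activity}: no Responsible party")
    return problems


def broken_sample():
    """Copy of the sample with two deliberate defects, for demonstration:
    a second Accountable on the first activity and no Responsible on the third."""
    bad = {role: list(row) for role, row in SAMPLE_RACI.items()}
    bad["Business Sponsor"][0] = "A"             # CTO is already A here
    bad["Line of Business Lead & COO"][2] = "C"  # removes the only R
    return bad


if __name__ == "__main__":
    print("sample:", validate_raci(ACTIVITIES, SAMPLE_RACI) or "OK")
    for problem in validate_raci(ACTIVITIES, broken_sample()):
        print("broken:", problem)
```

The check is deliberately strict about the single-Accountable rule: two A's on one activity is the classic failure that lets a decision stall because both parties assume the other will sign off, and a missing R means nobody owns execution. Run it over any RACI before it is adopted by a steering or investment committee.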

Client sample: Super Initiative Scorecard (template; values are placeholders such as XXXX and sample dates from 2006/2007)

Header: Super Initiative; Business Sponsor; Technology Manager; Business Head; CTO; COO

Super Initiative Overview: Description ("This super initiative is focused on…"); Business Drivers; Highlights from the Past Month ("In the past month we released…and…accomplished…")

Financial Summary (thousands of $): Actuals / Budget / Var for YTD and Forecast / Budget / Var for Full Year, by category: Lights On, New Development, Discretionary Enhancements, New Funding Requests

Key Projects (RAG Status): columns Sponsor Desk, Deliverable, Date (Current / Orig), RAG (Current / Prior), % Complete, Explanation / Accomplishments; sample rows for Project 1 to Project 4 across Desk 1 to Desk 3 with statuses Green, Amber, Red and Complete (e.g. "Hiring additional developers to focus on release xxx.")

Issues & Risk: Description of Risk (e.g. "Potential delay of release xxx."), Grade, Mitigation Action

Monthly Change Request Activity: Scope Change, Req Date, Effort (Days), Comments

Deliverables metrics (Metric #): Projects Delivered on Time (x/y); Completed Milestones / Deliverables; Projects Reprioritized; Dates changed in the last period

RAG legend: on track to meet; potential for slippage exists, managing issues and mitigating; slippage exists or near certain, escalation


Defining IT Governance: A sample of the many frameworks and guides that address components of IT governance

ISO 38500 – ISO's IT governance standard for board and C-level executives and decisions.

COBIT 5.0 – ISACA's Control Objectives for IT. Relevant to the audit of IT management, controls and operations related to financials.

VAL IT 2.0 – ISACA's framework for the governance of IT investments. Principles and processes are used for IT portfolio management.

Balanced Scorecard – Strategic management system developed by Kaplan/Norton. Involves joint strategy development and performance metrics.

Applied Information Economics – Uses value ranges and probabilities to rank investments within an IT system/application portfolio.

Earned Value Management – A way of comparing what work is completed against time and budget. Used at NASA and all Federal government agencies on external projects.

ITIL – A set of concepts and practices for IT service management, development and operations. Provides comprehensive checklists, tasks and procedures.

PMBOK – PMI's Project Management Body of Knowledge. A tactical guide for planning and executing projects.

PRINCE2 – A structured, process-driven approach to project management (not just for IT).

FISMA – A framework for managing information security that must be followed for all information systems used or operated by or on behalf of a U.S. federal government agency.

Total Quality Management – Seeks to put quality awareness in all organizational processes. Focus is on satisfaction, continuous improvement and long-term results.

Six Sigma – A business management strategy which seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors).

Lean IT – Principles whose central concern, applied in the context of IT, is the elimination of waste, where waste is work that adds no value to a product or service.

ISO 20000 – Promotes the adoption of an integrated process approach to effectively deliver managed services that meet business and customer requirements. Complements ITIL and COBIT.

RISK IT – ISACA's framework to assist enterprises in identifying, governing and managing IT-related risks.

ISACA's IT Governance – Two guides which provide guidance on the implementation and continuing improvement of IT governance.


Benefits of IT Governance: It’s about more than just control

Managing / Controlling
• Improved accountability over IT
• More transparency of risk, return and performance for IT decision-making
• Efficient management of IT processes and resources
• Encourages desired behaviors in the use of IT

Value
• Better alignment of business and IT goals
• Increased buy-in from executives for IT direction and investments
• Improved business value of IT
• Enables higher levels of IT service and enterprise performance


Typical IT Governance Pain Points: The need for improved IT governance can manifest itself in many ways

Poor Investment Management
• Increasing costs
• Lack of business value of IT (real or perceived)
• Hidden or rogue IT spending

Performance Issues
• Failing initiatives – over budget, behind schedule or not meeting objectives
• Significant incidents related to IT risk, such as data loss or network outages
• Failure to meet regulatory or contractual requirements
• Limited IT innovation and business agility
• Business dissatisfaction or a reluctance to engage with IT

Ineffective Use of Resources
• Duplication or overlap between initiatives or wasting of resources
• Insufficient IT resources, staff with inadequate skills, staff burnout, or dissatisfaction
• Vendor service delivery problems, such as agreed service levels consistently not being met


IT Governance Models: Not one-size-fits-all, but benefited by a balanced approach

The IT governance model spectrum runs from Centralized through Federated to Decentralized:

Centralized
• Advantages: Scale economies; Control of standards; Critical mass of skills; Enterprise perspective
• Disadvantages: Some divisional needs unmet; No divisional control of central overhead costs; No divisional ownership of systems; Enterprise priorities over divisional priorities

Federated
• Balance of IT priorities; Pooling of divisionally responsive competencies

Decentralized
• Advantages: Responsive to divisional needs
• Disadvantages: Reinvention of wheels; Inconsistent competence and quality across the enterprise; Missed synergies and scale economies; Excessive overall costs to the enterprise


IT Governance Models: Rethinking the IT Governance Model – an Example (1/4) (Case example)

The current divisional approach to governing IT has served Juno adequately in the past but is no longer sustainable.

● There is substantial overlap and duplication of IT activities, resources and spend
− Reuse and sharing of IT assets are the exception
● Multiple, incompatible application systems have been built to support similar products and business processes across different divisions
− Major new investments are being made in overlapping areas
● Infrastructure solutions have been locally optimised, ignoring potential efficiencies at the regional and group level
− Significant potential to achieve economies of scale is not being exploited
● There is no common IT strategy or architecture around which to align projects and investments
● Processes to align divisional and enterprise priorities are missing
● No mechanisms exist to identify, encourage and, where necessary, enforce cross-divisional collaboration

Note that “Juno” is a fictitious name.

These are as much issues for the business as they are for IT.


IT Governance Models: Rethinking the IT Governance Model – an Example (2/4)

Today’s IT governance issues are serious. Economic performance is being negatively impacted, and effective execution of enterprise business strategies is at risk.

Implications for Juno:
• Missing opportunities to exploit economies of scale
• Struggling to implement enterprise strategies
• Wasting money through duplicating solutions



IT Governance Models: Rethinking the IT Governance Model – an Example (3/4) (Case example)

A three-point approach will address these issues and position Juno IT to enable implementation of key business strategies and deliver greater value.

Converge through common solutions: Put in place the enablers to allow an increasing number of common IT solutions to be conceived, created, rolled out and managed
• Agreed architectures and standards
• Aligned local & enterprise IT strategies

Exploit our scale: Speed up solution delivery, and reduce IT development and operational costs by exploiting economies of scale and introducing best-in-class practices at an enterprise level
• Leveraged development through IT solution centers
• Rationalized IT operations and procurement

Collaborate to leverage assets & resources: Introduce the governance and organization to ensure resources and investments are effectively leveraged across the group in line with business strategies
• Collaborative IT governance by IT executives with a mandate for achieving shared goals
• An issues-driven agenda
• Divisions with IT representation and guidance


IT Governance Models: Rethinking the IT Governance Model – an Example (4/4) (Case example)

Three primary options exist for how IT may be governed in the future.

Primary IT Governance Models

Divisional Flexibility Model
• Converge through common solutions: Division-developed IT strategies & architectures with suggested group standards
• Exploit our scale: Solutions delivered through division-managed IT units; IT operations division-managed; Vendor relationships locally-managed
• Collaborate to leverage assets and resources: Knowledge and resource sharing encouraged

Collaborative Model
• Converge through common solutions: Aligned IT strategies; Common, agreed architecture & standards; Divisional IT for divisional solutions & common solution integration
• Exploit our scale: Shared IT solution centres for common solutions; Shared IT operations managed on an enterprise basis; Enterprise vendor contracts
• Collaborate to leverage assets and resources: A forum to institutionalise collaboration; Rewarded collaboration & discouraged divergence

Enterprise Consistency Model
• Converge through common solutions: Single Juno IT strategy; Architecture & standards centrally mandated; Solution design centrally-driven
• Exploit our scale: Solution delivery centrally-managed; IT operations centrally-managed; Vendor relationships and procurement centrally-managed
• Collaborate to leverage assets and resources: Centrally-managed assets and resources


Positioning IT to Enable Execution of Key Business Strategies (Illustrative)

Approach to Address Key Governance Issues

Converge through common solutions: Put in place the enablers to allow an increasing number of common IT solutions to be conceived, created, rolled out and managed
• Agreed architectures and standards
• Aligned local & regional IT strategies

Exploit our scale: Speed up solution delivery, and reduce IT development and operational costs by exploiting economies of scale and introducing best-in-class practices at a regional level
• Leveraged development through shared facilities
• Rationalized IT operations and procurement

Collaborate to leverage assets & resources: Introduce the governance and organisation to ensure resources and investments are effectively leveraged across the group in line with business strategies
• Collaborative IT governance by IT executives with a mandate for achieving shared goals
• An issues-driven agenda
• IT standards with IT representation and guidance


Three Primary Options for Global IT Governance (Illustrative)

Primary IT Governance Models

Local Flexibility Model
• Converge through common solutions: Locally-developed IT strategies & architectures with suggested group standards
• Exploit our scale: Solutions delivered through locally-managed IT units; IT operations locally managed; Vendor relationships locally-managed
• Collaborate to leverage assets and resources: Knowledge and resource sharing encouraged

Collaborative Model
• Converge through common solutions: Aligned IT strategies; Common, agreed architecture & standards; Local IT for local solutions & common solution integration
• Exploit our scale: Shared IT solution centres for common solutions (may be MF-hosted); Shared IT operations managed on a regional basis; Regional vendor contracts
• Collaborate to leverage assets and resources: A forum to institutionalise collaboration; Rewarded collaboration & discouraged divergence

Enterprise Consistency Model
• Converge through common solutions: Single IT strategy; Architecture & standards centrally mandated; Solution design centrally-driven
• Exploit our scale: Solution delivery centrally-managed; IT operations centrally-managed; Vendor relationships and procurement centrally-managed
• Collaborate to leverage assets and resources: Centrally-managed assets and resources


Primary Global Governance Models for IT

Local Governance – “Local Flexibility Model”
Optimize for: Local responsiveness; Flexibility and choice
Representative practices:
• Locally-developed technology strategies
• Local architectures with suggested enterprise standards
• Technology solutions delivered through locally-managed units
• Technology operations locally managed
• Vendor relationships locally-managed
• Knowledge and resource sharing encouraged

Hybrid Governance – “Collaborative Model”
Optimize for a sensible and pragmatic balance
Representative practices:
• Aligned technology strategies
• Common, agreed architecture & standards
• Local technology for local solutions & common solution integration
• Shared solution centers for common technology solutions
• Shared technology operations managed on a global basis
• Combination of local and global vendor contracts
• Institutionalized collaboration
• Discouraged divergence

Enterprise-driven Governance – “Enterprise Consistency Model”
Optimize for: Economies of scale; Lowest enterprise risk; Global synergies
Representative practices:
• Single ITS@KPMG strategy
• Architecture & standards centrally-mandated
• Technology solution design centrally-driven
• Technology solution delivery centrally-managed
• Technology operations centrally-managed
• Vendor relationships and procurement centrally-managed
• Centrally-managed assets and resources


Primary Global Governance Models for IT (Further details)

Illustrative Governance Models

Local Flexibility – optimizes local control and responsiveness
• Locally-developed technology strategies considering enterprise priorities
• Locally-managed business and IT relationships
• Local architecture and standards, considering global suggestions
• Global standards limited to enterprise systems and firm-wide mandates
• Solutions delivered by locally-managed firms, e.g., member firm or regional collective
• Technology solutions designed and developed locally for local needs and priorities
• Solution IP owned locally
• Locally-managed technology operations and services
• Vendor relationships and procurement locally-managed
• Knowledge and resource sharing encouraged

Enterprise Consistency – optimizes for enterprise scale and synergies
• Single, global strategy
• Centrally-managed relationships with functional representatives
• Centrally-mandated architecture & standards
• Solutions delivered centrally; consistent globally
• Centrally designed and developed technology for globally-represented needs
• Solution IP owned at global level
• Globally-managed service level agreements with limited flexibility for local preferences and willingness to pay
• Globally-managed vendor relationships and procurement
• Centrally-managed assets and resources

Traditional Federated – optimizes for balance of enterprise scale/synergy and response to local needs
• Aligned technology strategies
• Primarily local business and IT relationships, coordinated globally
• Common, agreed architecture & standards; limited global mandates
• Local technology for local solutions
• Enterprise solutions delivered by global directly or via globally-managed regional facilities
• Global design for common and enterprise solutions; local design and development for local solutions
• Shared solutions delivered by global directly or via globally-managed regional facilities
• Combination of local and global vendor relationships and procurement
• Leverage global vendor contracts for local use
• Institutionalized collaboration, with global coordination
• Discouraged divergence


Representative Leading Global IT Governance Practices (1/2) (Illustrative)

IT strategy and planning
• Clear and globally-consistent process for annual IT planning integrated with a clear and globally-consistent business planning process (including roles, responsibilities, accountabilities)
• Globally-consistent and centrally enforced business case process

Business liaison and relationship
• Business-knowledgeable yet IT-savvy representatives from IT to serve as trusted advisors to the business
• Balance of corporate, process-owner, regional and local liaisons

Architecture and tools standardization
• Global business architecture with clear definition of elements that are common, shared or local
• Globally-defined standards for all levels of data, infrastructure, applications and methods (e.g., development)
• Exception process defined and waivers approved by central group
• Migration plans to standards approved by senior management and funded to reduce first-mover penalties

Demand and service management
• Formal, regular process for prioritizing system modifications and major enhancements
• Clear guidelines on release scope (to prevent over-enhancing older applications)
• User-driven process to review demand backlog and priorities, and make tradeoffs
• User-driven sign-off on scope, charter, acceptable completion
• Project post-mortem reviews, including peer review (e.g., cross-BU, cross-region)
• Globally defined and managed IT performance metrics


Representative Leading Global IT Governance Practices (2/2) (Illustrative)

Resource allocation and prioritization
• Formal annual process, integrating global IT investments and spending
• Forced prioritization of the highest-priority and highest-returning projects and investments
• Identification of scope overlap and integration issues
• Centrally-controlled program management for common or cross-BU investments and initiatives
• Straightforward yet fair mechanism to share costs across BUs (e.g., shared development, solution centers)

People skills and capacity management
• Full global view of skills and functions by geography, business, central and vendor
• Activity utilization of all employees and service providers
• Consistent training and development program
• Active sharing of people for skills transfer and development

Vendor and procurement management
• Globally consistent performance metrics for providers, aligned with corporate objectives
• Centralized negotiation of software, services, hardware, and network contracts for common or shared elements
• Global inventory of all contracts with targeted expiration dates and plans to centralize

Knowledge management
• Centrally-managed knowledge capture and sharing
• Centrally funded and managed incentives to share


Sample Company Example


Business Information (BI) – Governance Operating Approach


Vision: Reporting Governance is one element of the larger Reporting Strategy. The reporting strategy vision has five elements:

Reporting Strategy Is Aligned To The Enterprise Business Needs And Value Drivers
• Vision and strategy are widely understood and accepted
• Key metrics are defined, mapped to key business drivers and include leading indicators
• Reporting information drives decision making
• System investments are fully aligned with defined business drivers and priorities

Information Oversight Is Clearly Defined And Managed
• Clear ownership and accountability for information, processes, and business rules
• Formalized change management
• Systematic controls and governance
• Sound data quality and integrity
• Standardization of business rules and calculations

Information Is Utilized To Predict Economic Performance And Engineered To Help Manage Threats
• Insight into execution of strategy with visibility into cause-and-effect relationships
• Performance is predictable
• Risks are identified and reported early
• Leading indicators provide a diagnostic perspective of the business

Single, Integrated Repository For Facts And Data
• Single version of the truth with common, consistent taxonomy
• Standard reporting views
• Standard metrics / key performance indicators (KPIs)
• Centralized, enterprise-wide reporting framework / platform that is scalable
• Consistent, timely, accurate information
• Help maximize the value of aggregating customer-specific information

Thorough Integration Of The Reporting Framework
• Thorough integration of financial and management reporting domains
• Streamlined reporting and analysis process
• Automated workflow
• Automation of manual activities (where appropriate)


The following components should be implemented to create a strong reporting governance model. Together they:
• Enable JCI to centrally control change requests, which will proactively drive continuous improvement
• Drive business decisions and actions to achieve desired results
• Establish a process to coordinate and manage reports across multiple systems and business units
• Manage maintenance and best practices to ensure complete and accurate reports that can be utilized across the organization

Reporting Governance components

Governance Program
• Vision and Objectives
• Charter
• Meetings, Artifacts, and Cadence

Governance Organization
• Representation from Business, IT, Process, and Report Owners
• Roles and Responsibilities
• Governing Body Roles and Responsibilities
• Formalized Interactive Relationships

Processes and Procedures
• Clear and transparent processes for the maintenance of the reporting strategy
• Reporting Demand Management
• Reporting Standard Operating Procedures
• Clear Criteria for Prioritization
• Escalation Paths and Timeliness (SLA)
• Reporting and Data Usage Policies
• Reporting Continuous Improvement

Change Management
• Ensuring agreed-to prioritization and consistent communication with stakeholders
• Program Buy-In
• Communication Plan
• Program Communication
• Automated Workflow
• Escalation Procedures
• Change Champions


Governing bodies reinforce efforts for consistent systems and processes

Reporting Elements (each marked on the slide as either “In process” or “To be completed”)
• Standard Reports
• Availability and Use of Data
• Reporting Systems
• Metric Alignment Across JCI Business Units
• Reporting Definitions, Terminology and Rules
• Departmental Reporting Processes
• Reporting Controls

Governance Organization: Maintain the integrity of enterprise reporting while ensuring renewed alignment to JCI decision priorities

Establish…
■ Reporting strategy
■ Business requirements
■ Standard tool set
■ Standards enforcement policy
■ Change management process and exceptions

Define…
■ Purpose
■ Guiding principles
■ Authority
■ Scope
■ Mission
■ Ownership
■ Accountability
■ Performance measurements
■ Operating procedures and rhythms


Governance roles and responsibilities permeate the organization at all levels

Executive Sponsors
• Who: Financial/Operational Reporting, BU Leadership and Internal Audit
• Manage: Reporting Governance Board; Certification of financial statements; Funding; Escalated change requests
• Govern: Executive decisions

Reporting Governance Board (RGB)
• Who: Department Leaders, Information Security, IT/Infrastructure, MDM, EBPOs
• Manage: Master listing of reports; Responsibility roster; Listing of reporting activity by department and role (w/ priority and alternate); Change communication plan
• Govern: Business rule compliance; Consistency; Calculation and standardization policies

Data Super Users
• Who: Department data super users as identified by program stakeholders
• Manage: Report execution; Staff productivity and report quality; User access to reporting system
• Govern: Control compliance; Materiality thresholds; Policy adherence

Data Users
• Who: Reporting users within AE, BE, PS, and Corp
• Manage: Report creation; Ad-hoc reporting
• Govern: Control and task execution

Page 41


Roles and responsibilities clearly define ownership and expectations of the governing bodies

Role: Executive Sponsors
Primary Activities: Set policy, champion policy compliance, serve as ultimate authority
Responsibilities:
■ Provide vision and direction for reporting governance
■ Provide high level definition of enterprise reporting governance and communication policies
■ Assist with communicating policy changes across the enterprise
■ Approve or deny change requests escalated by the Reporting Governance Board

Role: Reporting Governance Board
Primary Activities: Review and prioritize requests/issues; approve with Enterprise constituents; communicate changes; help manage change
Responsibilities:
■ Meet regularly to review change requests submitted by Data Super Users
■ Prioritize incoming requests based on business need and identify if impact analysis needs to be done; assign tasks as needed
■ Approve or deny requests based on the reporting governance policy defined by Executive Sponsors
■ Escalate requests to Executive Sponsors when a consensus cannot be reached or the change conflicts with existing policies
■ Communicate request status, impact, and priority to all affected parties in accordance with the reporting communication policy
■ Update governance and communication policies in accordance with Executive direction
■ Maintain a central repository of requests and provide tracking statistics (e.g., total number of requests, number open, number approved)

Role: Data Super Users
Primary Activities: Gatekeeper of the Department; determine validity of requests, qualify the need, escalate to the RGB if the need is appropriate
Responsibilities:
■ Determine if user requests have business value and escalate to the appropriate governing body as needed
■ Prioritize reporting and data requests within their departments
■ Consistently interact and collaborate with the RGB, technical architects, developers and testing teams
■ Be able to communicate business requirements to technical developers and to translate technical solutions for the business user community

Role: Business Data Users
Primary Activities: Report/Data user; communicate needs/issues
Responsibilities:
■ Request additional reports/report modifications using the defined criteria from the RGB
■ Participate in the report development process (requirements gathering, user testing)
■ Communicate reporting and data issues to the assigned Data Super User; provide documentation as required

Page 42


Data Super Users and the Reporting Governance Board use objective-driven criteria for the prioritization of requests from Data Users

Criteria: Future Focused; Efficient; Effective; Responsive; Materiality of Risk

Reporting Objective: Can respond to changing information needs in a rapidly growing and changing organization
Request Criteria: How will this impact the way we manage our global business to execute our future vision?

Reporting Objective: Recognizes the needs of internal customers at both the Corporate and local level and balances the priorities of multiple stakeholders
Request Criteria: Will the change enhance reporting flexibility to meet the needs of multiple parties, not just one BU?

Reporting Objective: Determines the level of significance, considering the risk and impact of instituting the change
Request Criteria: Will not making the change jeopardize data integrity, causing management to make decisions based on inaccurate information?

Reporting Objective: Drives availability of the information needed for business decisions across business units and projects to deliver results quickly
Request Criteria: Do the benefits of instituting the change outweigh future costs?

Reporting Objective: Able to drive change while balancing the needs of a range of stakeholders
Request Criteria: Does this increase accuracy and productivity through automation, reducing manual processes?

Page 43


MIT Governance Study: Characteristics of Top Performers

Top IT governance performers had:
■ More managers in leadership positions who could accurately describe governance arrangements
■ More involvement of senior leaders in IT governance
■ Clearer business objectives for IT investment
■ Business strategies focused on customer intimacy and/or product innovation
■ Fewer renegade exceptions
■ More exceptions through a formal exception process
■ Fewer changes in governance from year to year

Page 44


MIT Governance Study: Governance Mechanisms of Top Performers

Top IT governance performers had highly effective:
■ Process teams with IT members
■ IT leadership committees comprising IT executives
■ Service level agreements
■ Web based portals
■ Executive and senior management committees (i.e., CxOs)
■ Formal tracking of the business value of IT
■ Business/IT relationship managers
■ Capital approval committees
■ Tracking of IT projects and resources consumed
■ IT council with business and IT executives


Page 46

Tom Johnston, CISA, CISM, CGEIT, CRISC

Director – IT Audit and Assurance

KPMG

[email protected]

Brian Greenberg

Director – Advisory Services

KPMG

[email protected]