Understanding IT Governance and Risk Management

Understanding IT Governance and Risk Management. Jiri Cejka, Senior Manager, dipl. El.-Ing., CISA, [email protected]

Description

Describes a holistic IT Governance framework for establishing a transparent relationship between the business and the IT environment, the governance services offered, and the risk management methods used.

Transcript of Understanding IT Governance and Risk Management

Page 1: Understanding IT Governance and Risk Management

Understanding

IT Governance and Risk Management

Jiri Cejka,

Senior Manager, dipl.El.-Ing, CISA

[email protected]

Page 2: Understanding IT Governance and Risk Management

2Jiri J. Cejka

Outline

1. IT Governance: Market Issues

– Business management and dependence on IT

– IT Governance situation

2. Holistic Framework for IT Governance: approach, scope

Objectives

– IT processes: alignment of business and IT

– IT risks: value/cost relationship and risk measurement

– Operational excellence

Client benefits

3. Benefits of the IT Governance framework

4. IT Governance services and methodologies

– Risk management services

– Methodologies and tools

Page 3: Understanding IT Governance and Risk Management


1. IT Governance

Market Issues

Page 4: Understanding IT Governance and Risk Management


Business Management and dependence on IT

Today's management is more dependent on IT to run the business and to achieve competitive advantage.

The IT responsibility of corporate executives is growing:

to ensure that systems and processes are properly controlled

to ensure that the required level of governance is in place

Businesses are continuously looking for lower costs and value for money, from all aspects of the business.

IT is becoming a significant expenditure, second only to staff costs.

Page 5: Understanding IT Governance and Risk Management


Example: What management needs to know before investing in software development

Are funds available?

Will the investment save us money? What are the project's payback period and ROI? Is this ROI higher than that of the alternative uses proposed for the money?

What are the implications for the business (business processes, tax)?

Can the software be depreciated? If so, can a declining-balance or a straight-line depreciation schedule be used?

How can the development engineer answer these questions?

Solution: use a measurement method that produces numbers in terms of productivity improvement, cost reduction/avoidance, quality improvements, and/or time-to-market reduction.
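The questions on this slide (payback period, ROI, depreciation schedule) and the net present value view mentioned under Objective 2 can be answered with a few small calculations. The block below is an added example, not code from the original presentation; the project cost, the yearly savings, the 8% discount rate and the salvage value are constructed figures for illustration.

```python
"""Investment appraisal for the questions on this slide: payback period,
ROI, net present value, and the two depreciation schedules.

Added example, not code from the original presentation. All figures are
constructed: a hypothetical software project costing 500,000 up front
that returns the yearly net savings in SAMPLE_SAVINGS; the discount rate
and depreciation parameters are assumptions for illustration.
"""
from typing import List

SAMPLE_COST = 500_000.0
SAMPLE_SAVINGS = [150_000.0, 200_000.0, 200_000.0, 150_000.0]  # constructed, per year
SAMPLE_RATE = 0.08                                               # assumed cost of capital


def payback_period(initial_cost: float, yearly_savings: List[float]) -> float:
    """Years until cumulative savings recover the initial cost.

    Interpolates within the year in which break-even occurs; returns
    float('inf') if the savings never recover the cost.
    """
    remaining = initial_cost
    for year, saving in enumerate(yearly_savings, start=1):
        if saving >= remaining:
            return year - 1 + remaining / saving
        remaining -= saving
    return float("inf")


def roi(initial_cost: float, yearly_savings: List[float]) -> float:
    """Simple (undiscounted) return on investment over the whole horizon."""
    return (sum(yearly_savings) - initial_cost) / initial_cost


def npv(rate: float, initial_cost: float, yearly_savings: List[float]) -> float:
    """Net present value: discounted savings minus the up-front cost.

    A negative NPV means the money earns more in the alternative use
    that the discount rate represents.
    """
    discounted = sum(s / (1.0 + rate) ** t for t, s in enumerate(yearly_savings, start=1))
    return discounted - initial_cost


def straight_line(cost: float, salvage: float, years: int) -> List[float]:
    """Straight-line depreciation: the same charge every year."""
    return [(cost - salvage) / years] * years


def declining_balance(cost: float, salvage: float, years: int, factor: float = 2.0) -> List[float]:
    """Declining-balance depreciation (factor=2.0 is 'double declining').

    A fixed rate is applied to the remaining book value each year, and the
    book value is never written down below the salvage value.
    """
    rate = factor / years
    book, schedule = cost, []
    for _ in range(years):
        charge = min(book * rate, book - salvage)
        schedule.append(charge)
        book -= charge
    return schedule


def appraise(initial_cost: float, yearly_savings: List[float], rate: float) -> dict:
    """The numbers management asked for, in one place."""
    return {
        "payback_years": payback_period(initial_cost, yearly_savings),
        "roi": roi(initial_cost, yearly_savings),
        "npv": npv(rate, initial_cost, yearly_savings),
    }


if __name__ == "__main__":
    result = appraise(SAMPLE_COST, SAMPLE_SAVINGS, SAMPLE_RATE)
    print(f"payback {result['payback_years']:.2f} years, ROI {result['roi']:.0%}, "
          f"NPV {result['npv']:,.0f} at {SAMPLE_RATE:.0%}")
    print("straight-line:", straight_line(SAMPLE_COST, 0.0, 5))
    print("declining-balance:", declining_balance(SAMPLE_COST, 50_000.0, 5))
```

The payback period is interpolated within the break-even year rather than rounded up, and the NPV is what makes the "alternative uses for the money" comparison concrete: a competing proposal wins if it has the higher NPV at the same discount rate, not simply the higher undiscounted ROI.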

Page 6: Understanding IT Governance and Risk Management


Situation

The requirement coming from the business: IT processes must be appropriately controlled.

Management is under pressure from regulators and the capital markets.

Competitive advantage is gained from IT investment.

As a result, companies seek incremental advantages from the use of cutting-edge technology:

by turning to third-party providers

by implementing optimisation programmes

Page 7: Understanding IT Governance and Risk Management


Issues to be solved

Reliance on IT raises a number of issues:

How can management effectively manage its organisation?

How can management understand the control structure?

How can the external auditor gain sufficient audit evidence?

"How can the business understand the impact of IT?"

Page 8: Understanding IT Governance and Risk Management


2. IT Governance

Holistic Framework

Page 9: Understanding IT Governance and Risk Management


Outline

Approach: Value of IT to business (examples, views); what do we need?

Framework: IT Governance objectives

– Objective 1: Business-IT alignment; IT process analysis

– Objective 2: Value/cost relationship; risk measures

– Objective 3: Operational excellence

Implementation of the infrastructure; outsourcing

Conditions for success

Benefits: communication channels; summary of benefits

Page 10: Understanding IT Governance and Risk Management


Value of IT to Business: Examples

Measuring the value of IT is not a new idea. Examples:

1. What added value is your IT giving?

– IT involvement in the business imperatives

– A vision of IT that can be shared by business and IT leaders

2. Is more money wasted in IT than created?

– An IT system pays off only if its design and management are based on the culture and politics it is intended to support

3. Focus on the strategic instinct of business managers?

– Evaluating IT based on its ability to improve operations

Right ideas, but:

the business does not derive the benefits it needs from its spending on IT

the required level of business-IT alignment and integration is not good enough.

As a result, business leaders still have difficulties:

lack of understanding of how IT could contribute to the business

difficulty reconciling IT costs with the value received.

Page 11: Understanding IT Governance and Risk Management


Value of IT to Business: View 1

For decades business-IT alignment has been emphasised, with the focus on the management of IT projects;

however, projects normally represent only 25-30% of the IT budget.

To manage IT properly, the value/cost relationship needs to focus on the IT components other than project development:

operation of business applications

support services: marketing, sales, utility applications

Example: operational and support services are the production phase of an IT project.

The project is not finished with the acceptance tests; the subsequent maintenance and operational support are part of it, so project costs alone are less relevant.

A framework with value metrics to organise the project, operation and support phases:

an integrated project portfolio with development and production activities

an accounting perspective: capital vs. operating expense

Page 12: Understanding IT Governance and Risk Management


Value of IT to Business: View 2

The business value of new functionality delivered by an IT project:

is created by both development and production

needs a shared and consistent approach to managing value and costs

Project management: the post-implementation phase is to be extended:

continuing relevance/value to the business

efficient and reliable operation is part of the project

Benefits of this holistic approach:

the limited focus on the project as an "investment" ends:

– success/failure of the project is measured together with the operational work

– management has a continuous cost/value overview

– the monitoring results are applicable to future projects

Page 13: Understanding IT Governance and Risk Management


What do we need?

The challenge of governing the enterprise's IT has been recognised for years; however, the results do not give the required level of alignment and integration.

An approach is needed that is inclusive (with a scope reflecting the full range of activities and responsibilities of IT) and specific.

A holistic framework addressing three primary objectives:

1. Foster strategic and tactical alignment of IT with the business

2. Relate the costs of IT to the value brought to the business

3. Support the drive toward operational excellence

Page 14: Understanding IT Governance and Risk Management


Objective 1: How to align IT with the business?

Goal:

"Identify the strategically important elements of business value to which IT can significantly contribute."

The two classical views of IT for businesses, i.e. providing information vs. supporting information services, have changed.

– Examples: implementing a new sales strategy; planning a responsive technology push for the internet

Information is now an integral part of the business:

– The role of IT expands: alignment is even more important for the business

Step 1. Identify the main value-adding activities and the strategies linked to them

Identify the opportunities to use information services to support the business strategy

Add the new activities as part of the IT portfolio: the basis for alignment

Metrics for business value have to be identified and implemented by both business and IT

Page 15: Understanding IT Governance and Risk Management


Objective 1: How to align IT with the business?

Step 2. Ensure the involvement of senior management: strategic planning

An ongoing dialogue is necessary

Full understanding of the planned use and impact of IT

Formal decision making: critical decisions are fully committed

Step 3. Organise the environment to optimise IT processes

Implement a planning process performed by both IT and business managers

– Business leaders develop IT fluency

– IT leaders develop business fluency

Implement a process for managing execution

– division into phases, definition of decision stages

– management commitments, contracts, project teams, deliverables

– development of a process to maintain and tune the strategy

Page 16: Understanding IT Governance and Risk Management


Objective 2: How to manage the value/cost relationship and the IT portfolio?

Goal: "How to institutionalise the developed way of aligning business and IT?"

Focus on active management of the IT portfolio.

The initially developed IT portfolio needs adaptation as needs, opportunities and priorities change.

Step 1. Find a way to characterise the IT portfolio for management

A collection of techniques that provide understanding:

– Risk vs. business transformation; volume of value measurement

– Interpretation that allows management to make decisions

– Further views: net present value

Result: a balanced portfolio aligned with the strategy

Page 17: Understanding IT Governance and Risk Management


Objective 2: How to manage the value/cost relationship and the IT portfolio?

Step 2. Clarify the process for managing the IT portfolio

Annual review, plus reviews triggered by changes

Checkpoints; balancing of resources

Step 3. Make sure that decisions are based on the organisation's needs

Example: allocating resources according to the relative strategic value of competing projects is better than allocating them evenly across all units

Use different tools to describe the projects and analyse both

– risk profiles

– potential business value

Result:

– business-visible impact of the alternative decisions

Page 18: Understanding IT Governance and Risk Management


Objective 3: Service management and operational excellence

Goal: "Select the right metrics, the ones that drive performance, to give management a better understanding"

Step 1. Identify the elements of business value

Step 2. Transform qualitative measures into quantitative ones by setting thresholds or targets

Step 3. Use metrics that are tied closely to business performance

A predefined set of "interesting metrics" is not the right way.

Example 1: Install a programme whose chosen measure is "higher yield"

The metric is the ratio of products of higher quality; the target is the financial benefit

Page 19: Understanding IT Governance and Risk Management


Objective 3: Service management and Operational Excellence

Example 2: Improve customer focus with an installed sales support system

The metric is a rating of customer satisfaction

Example 3: Implement a cost/performance system with preventive measurement

Several metrics are needed (depreciation, maintenance costs, leases)

If the scope of the system changes slowly (e.g. a list of equipment), total costs are fine

If changes are rapid, volume adjustment and unit cost are the relevant metrics

Page 20: Understanding IT Governance and Risk Management


Objective 3: Service management and Operational Excellence

Required implications for the organisation:

Define a formal organisation structure responsible for the services

– Assign product/service management

– Positive effect: tightly focused responsibility and accountability

Operating services for business users requires both business and technical expertise:

– business and technical aspects correctly evaluated

– accuracy, completeness and consistency ensured

Ideal goal: "Create a product-management organisation that includes both skills"

Page 21: Understanding IT Governance and Risk Management


Objective 3: Operational excellence

Goal: "Achieve measurable efficiency, productivity and reliability of services in terms of business value"

Step 1. Divide the overall budget for IT operations and support into a set of defined products/services

Step 2. Map all costs onto valuable business services

Step 3. Measure productivity in terms of the business orientation of the whole organisation:

Classic technical orientation: costs of mainframe, desktop, etc., split into parts that senior management finds difficult to follow

New approach: costs oriented directly to business results: cost per transaction, cost of SCM, cost per personnel action

Benefit: only a few metrics are used, but they are compelling for senior management:

1-2 value metrics, 1 cost metric and 1-2 service metrics

Page 22: Understanding IT Governance and Risk Management


Implications for Outsourcing

Benchmarking of IT services against external providers:

measurement of costs, volumes and quality of services

further factors: dependency, hidden costs, flexibility

Two frequent reasons for outsourcing:

the internal IT organisation has failed to achieve the cost/value relationship required by management

the expectation that the outsourcer performs the task better

However, two risks are frequent:

the data to support these decisions are missing

no approach exists for evaluating the outsourcer

The holistic approach developed here can help to:

develop appropriate metrics to support the necessary analysis

use the same tool to measure internal and external services

manage the outsourcing relationship and contracts

Business view: the combination of costs, service level and quality

Page 23: Understanding IT Governance and Risk Management


Implementing the IT Governance Framework

Two aspects of a successful implementation of the IT Governance framework:

1. Behavioural and procedural aspects

The disciplines involved in managing programmes/projects must be accepted

New practices of management and reporting must be adopted

– Approach: start with a visible project

– Train the new methods

2. Automation of data collection

Relying on ad hoc methods consumes time and resources

Automation leaves more time to analyse and to communicate

Page 24: Understanding IT Governance and Risk Management


3. Benefits of IT Governance

Benefits of IT Governance framework

Page 25: Understanding IT Governance and Risk Management


Benefit 1: Communication between business and IT groups

Senior business management:

business improvement results from their knowledgeable participation in IT decision making

Mid-level business managers: in the position of not being sure that the IT function will justify the resources given to it

1. Win: the IT governance management framework and tool for communicating with senior management

2. Win: help in communicating with IT management to ensure that the business services they are responsible for will meet commitments

Senior IT managers:

1. Win: communication with senior business managers

2. Win: communication with IT staff

Clear focus on the important strategic and operational issues

Project and product/service managers: the proposed framework helps to

explain IT issues in business terms

develop realistic "service contracts"

Page 26: Understanding IT Governance and Risk Management


Benefit 2: Communication between Business and IT groups

[Diagram: communication channels between Senior Business Management, Senior IT Management, Middle-level Business Management, and Middle-level IT Management (IT projects, products and services).]

Page 27: Understanding IT Governance and Risk Management


Summary of Benefits of the IT Governance framework in place

The benefits extend across business and IT functions.

Facilitating communication about how IT contributes to the business, across levels and functions, improves coordination and cooperation:

managers learn more about the efforts they affect

communication to leaders is clear

Result:

synergy increases

duplication of effort is reduced

the effectiveness of project delivery grows

Page 28: Understanding IT Governance and Risk Management


4. IT Governance and Risk Management Services, Methodologies

Services

Methodologies and Tools

Page 29: Understanding IT Governance and Risk Management


IT Governance Environment

Value for money:

Is management getting value for money from its IT spend and IT skills? Is IT addressing the business strategy? IT accountability;

KPIs in the business; managing constant change in IT; project directors increasingly being major budget holders.

Internal audit:

internal IT audit skills

outsourcing of internal audit

Technology:

imaging, data capture and electronic document management; use of the internet; knowledge management.

Corporate governance:

governance of controls and risk self-assessment

initiatives on control and risk self-assessment.

Page 30: Understanding IT Governance and Risk Management


Governance Services

Either in terms of the target of the review/advice or of the readership of the report:

Outsourcing:

continued outsourcing of IT (service level agreements);

outsourcing of security administration; third-party reviews.

Regulation:

regulatory authority reviews; privacy/data protection laws;

software licensing laws; ethical IT; health, safety and environment issues.

Transactions:

transaction services, corporate finance;

increased focus on IT security in the commercial sector: new security techniques.

Page 31: Understanding IT Governance and Risk Management


Governance Methods and Tools

Process assessment and improvement tools

Business Management Process (BMP)

Strategic Analysis, Performance Analysis

Business Performance Improvement (BPI)

– Balanced Scorecard (BSC)

– Activity-Based Costing / Activity-Based Management (ABC/ABM)

Risk management tools

Environment:

– IT Risk Management Benchmarking (ITRMB)

Project:

– Project risk assessment: Project Management Methodology (PMM)

– Project management and control method: Rational Unified Process (RUP)

Page 32: Understanding IT Governance and Risk Management


Business Management Process BMP

BMP is about assessing the risks our clients face. Business risks are diverse and constantly changing:

as the business world becomes more and more reliant on technology, technology risks become critical to manage

there are many points within the BMP audit at which the technology component of business risk is addressed

Equations (as used in BMP):

Business risk = Audit risk

Technology risk = Audit risk

BMP's added value: assessing client risk in all its forms and delivering more valuable business solutions to meet the client's diverse needs.

Page 33: Understanding IT Governance and Risk Management


Strategic Analysis

Strategic Analysis is the framework for processing

the fundamental business risks associated with the client's strategy

and their ability to execute that strategy

Process flow:

1. Review background information

2. Understand business objectives, strategy and technology use

3. Identify significant strategic risks

4. Review findings and conclusions

5. Document findings and conclusions in workpapers

Page 34: Understanding IT Governance and Risk Management


Business Performance Analysis BPA

Focus areas:

risk assessment and process analysis,

utilising information on key performance indicators.

Strategic and process analysis; testing of controls.

Approach:

involves identifying and gaining an understanding of the client's key processes for identifying business risks,

and understanding how the client mitigates risk.

Process flow:

1. Assist in BPA for key processes that are technically dependent

2. Perform BPA for key processes that are highly technology-dependent

3. Review findings and conclusions

4. Document findings and conclusions in workpapers

Page 35: Understanding IT Governance and Risk Management


Business Performance Improvement BPI

[Diagram: BPI roadmap. Inputs: strategic plan, IT assessment, new organisation structure, new performance measurement, certification. Phases: Awaken, Envision, Focus, Design (high level), Design (details), Build, Enhance; in the solution track: Envision, Focus, Design conceptual solution, Design solution details, Build and test, Deploy, Enhance. Performance management and programme management run across all phases.]

Page 36: Understanding IT Governance and Risk Management


BPI: Visualisation of Perspectives using the Balanced Scorecard (BSC)

Vision and strategy sit at the centre; each perspective is broken down into critical success factors, performance indicators and targets.

Financial perspective: How do we appear to our shareholders? What financial outcomes do we need to generate?

Customer perspective: How should we appear to our customers?

Process/product perspective: What business processes must we excel at to satisfy our customers and owners? Are these processes effective (i.e. adding value for customers)? Are they efficient?

Organisational learning perspective: Are we able to sustain innovation, change and improvement? How will we maintain our ability to meet customer expectations?

Page 37: Understanding IT Governance and Risk Management


BPI Approach: Process Improvement

Process workflow: total elapsed time for the customer, broken down into the elapsed time of each segment; visualisation of bottlenecks.

Process Impact Analysis: score each business process against the critical success factors, take the weighted average, identify the focus areas.

Estimating risks and costs: benefits of the priority opportunities; risks or constraints associated with implementing them.

Process impact matrix (scores 1-9)

Business processes (rows): Define, Develop, Produce, Market, Service, Account

Critical success factors (columns): rapid development and launch of new products; long-term customer loyalty and satisfaction; "best-in-class" product delivery times; highly accurate customer orders; consistently competitive pricing

[Figure: the Define row scores 9 7 1 6 9; the other five rows carry the scores 2 5 2 3 4, 9 3 8 7 8, 2 8 5 2 4, 2 9 1 2 2 and 8 2 3 9 6.]

Opportunities, benefits, costs and risks/constraints

1. Establish an Electronic Funds Transfer (EFT) system in order to eliminate the need to generate cheques.

– Benefits: eliminates the cost of cutting a cheque, savings of $1/claim ($110,000 a month); increased customer satisfaction

– Costs: Comp-Sys can be used for the change at no cost; time/resources required to revise forms

– Risks/constraints: need to create a link to the banks; banks require lead time (3 to 15 days) to clear payments

2. Implement a document imaging system for scanning and processing of forms, receipts and related documentation. The new system must process over 30,000 documents/year.

– Benefits: reduced time delays; reduced errors and inaccurate payments to customers; reduced learning curve for new staff; reduced hand-offs

– Costs: ~$1,000,000; resources required to handle the large volume of documents

3. Enable assembly clerks to sort and classify claim forms.

– Benefits: reduced bottlenecks; greatly increased productivity

– Costs and risks/constraints: requires retraining of staff; may require additional resources

4. Create an electronic catalogue of existing reports (Comp-Sys could be used to enable this change).

– Benefits: improved quality of reports; improved customer service

– Costs: the cost of enabling this change with Comp-Sys is $200,000

– Risks/constraints: requires a method for updating the catalogue; the use of different platforms makes access for all difficult

5. Process ID cards in sales offices (may require additional printers).

– Benefits: reduced delays to process and print cards

– Costs: forty new printers for ID cards at $2,000 each, plus installation/tests (~$10,000)

– Risks/constraints: requires additional time to install printers in offices
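The process impact matrix above is read by weighting the critical success factors, averaging each process's scores with those weights, and picking the processes that score highest as the focus areas. The block below is an added example of that scoring, not code from the original presentation: the CSF and process names are the slide's, but the cell scores and the weights are constructed for illustration and do not reproduce the slide's figures. It also flags CSFs that no process supports strongly, which is where the improvement opportunities listed above come from.

```python
"""Process Impact Analysis: weighted scoring of business processes
against critical success factors (CSFs), as on the BPI slide above.

Added example, not code from the original presentation. The five CSFs
and six business processes are the ones named on the slide; the cell
scores in IMPACT and the weights in WEIGHTS are constructed for
illustration and do not reproduce the slide's figures.
"""
from typing import Dict, List, Tuple

CSFS = [
    "Rapid development and launch of new products",
    "Long-term customer loyalty and satisfaction",
    "Best-in-class product delivery times",
    "Highly accurate customer orders",
    "Consistently competitive pricing",
]

# Management's relative priority per CSF (assumed; any positive scale works).
WEIGHTS = [3, 5, 2, 4, 3]

# Impact of each business process on each CSF, 1 (low) .. 9 (high). Constructed.
IMPACT: Dict[str, List[int]] = {
    "Define":  [9, 7, 1, 6, 9],
    "Develop": [8, 3, 6, 2, 4],
    "Produce": [2, 3, 6, 7, 8],
    "Market":  [2, 8, 5, 2, 4],
    "Service": [2, 9, 1, 2, 2],
    "Account": [1, 2, 3, 9, 6],
}


def weighted_score(scores: List[int], weights: List[int]) -> float:
    """Weighted average of one process's CSF impact scores."""
    if len(scores) != len(weights):
        raise ValueError("one score per CSF expected")
    if any(not 1 <= s <= 9 for s in scores):
        raise ValueError("scores must be on the 1..9 scale")
    return sum(s * w for s, w in zip(scores, weights)) / sum(weights)


def rank_processes(impact: Dict[str, List[int]], weights: List[int]) -> List[Tuple[str, float]]:
    """Processes ordered by weighted impact, highest first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in impact.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def focus_areas(impact: Dict[str, List[int]], weights: List[int], threshold: float) -> List[str]:
    """The 'focused areas': processes whose weighted impact reaches the threshold."""
    return [name for name, score in rank_processes(impact, weights) if score >= threshold]


def csf_gaps(impact: Dict[str, List[int]], csfs: List[str], min_support: int = 7) -> List[str]:
    """CSFs that no process supports strongly (best cell score below min_support).

    These are factors the current process portfolio cannot deliver, and so
    the first candidates for an improvement opportunity.
    """
    gaps = []
    for col, csf in enumerate(csfs):
        best = max(scores[col] for scores in impact.values())
        if best < min_support:
            gaps.append(csf)
    return gaps


if __name__ == "__main__":
    for name, score in rank_processes(IMPACT, WEIGHTS):
        print(f"{name:8s} {score:4.2f}")
    print("focus areas:", focus_areas(IMPACT, WEIGHTS, 5.0))
    print("unsupported CSFs:", csf_gaps(IMPACT, CSFS))
```

The weights are what turn the matrix into a management decision: changing management's priority for a CSF reorders the processes without touching the scores, which is why the weights should be agreed with the business before the scoring workshop, not after it.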

Page 38: Understanding IT Governance and Risk Management


Risk Assessment Methods

Risk assessment considers management's perceptions, assumptions and judgements about business risks and controls. It delivers audit evidence through substantive audit procedures.

IT Risk Management Benchmarking (ITRMB)

Project Management Methodology (PMM): project risk assessment

Project management and control: Rational Unified Process (RUP)

Page 39: Understanding IT Governance and Risk Management


IT Risk Management Benchmark (ITRMB)

Scope:

provide an objective means of reviewing the risks related to the use of IT and of ensuring that they are being controlled

provide a means of benchmarking the organisation's key IT risks and controls against other organisations;

review the organisation's IT controls against BS 7799.

Benefits:

substantiate issues reported to management

allow management to benchmark corporate performance in the fields of IT risk and IT controls

provide high-level assurance to management of their compliance with the British Standard on information security management (BS 7799);

allow management to benchmark internally, i.e. between different operations.

Page 40: Understanding IT Governance and Risk Management


Project Risk Assessment

Scope of the process:

identification, analysis, management and monitoring of risk

Approach, after identification of the potential risks:

determine the relative exposure in terms of time and cost, and reduce the level of risk to an acceptable level

identify both preventive actions and contingency actions (to mitigate the impact of the risk if it materialises)

Benefits of the risk management process:

it is proactive, focusing on prevention rather than cure

it includes periodic risk assessments throughout the work lifecycle
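The approach on this slide, exposure measured in time and cost, preventive actions that reduce probability, contingency actions that reduce impact, and a check against an acceptable level, can be kept as a small risk register. The block below is an added example, not code from the original presentation; the three risks, their probabilities and impacts, the mitigation factors and the acceptance thresholds are all constructed for illustration.

```python
"""Project risk assessment as described on this slide: exposure in time
and cost, preventive vs. contingency actions, and the acceptable-level check.

Added example, not code from the original presentation. The risks in
SAMPLE_REGISTER, their probabilities and impacts, the mitigation factors
and the acceptance thresholds are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Action:
    """A mitigation. Preventive actions lower the probability that the risk
    materialises; contingency actions lower its impact if it does."""
    name: str
    probability_factor: float = 1.0  # <1.0 for a preventive action
    impact_factor: float = 1.0       # <1.0 for a contingency action


@dataclass
class Risk:
    name: str
    probability: float   # 0..1 that the risk materialises
    delay_days: float    # schedule impact if it does
    cost: float          # cost impact if it does
    actions: List[Action] = field(default_factory=list)

    @property
    def time_exposure(self) -> float:
        """Expected schedule slip: probability x delay."""
        return self.probability * self.delay_days

    @property
    def cost_exposure(self) -> float:
        """Expected cost: probability x cost."""
        return self.probability * self.cost

    def residual(self) -> "Risk":
        """The risk after all assigned actions are applied (self is unchanged)."""
        p, d, c = self.probability, self.delay_days, self.cost
        for a in self.actions:
            p *= a.probability_factor
            d *= a.impact_factor
            c *= a.impact_factor
        return Risk(self.name, min(p, 1.0), d, c)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest cost exposure first, ties broken by time exposure."""
    return sorted(risks, key=lambda r: (r.cost_exposure, r.time_exposure), reverse=True)


def unacceptable(risks: List[Risk], max_delay_days: float, max_cost: float) -> List[str]:
    """Names of risks whose residual exposure still exceeds the acceptable level."""
    names = []
    for r in risks:
        res = r.residual()
        if res.time_exposure > max_delay_days or res.cost_exposure > max_cost:
            names.append(r.name)
    return names


def total_exposure(risks: List[Risk]) -> Tuple[float, float]:
    """Expected (delay days, cost) across the register after mitigation."""
    residuals = [r.residual() for r in risks]
    return (sum(r.time_exposure for r in residuals), sum(r.cost_exposure for r in residuals))


# Constructed register for a hypothetical development project.
SAMPLE_REGISTER = [
    Risk("Acceptance tests uncover integration defects", 0.6, 20, 50_000,
         [Action("Continuous integration from week 1", probability_factor=0.5)]),
    Risk("Key supplier delivers late", 0.4, 30, 60_000,
         [Action("Second-source the component", probability_factor=0.5),
          Action("Pre-negotiated expedite clause", impact_factor=0.5)]),
    Risk("Key developer leaves mid-project", 0.2, 45, 90_000),
]
ACCEPTABLE_DELAY_DAYS = 5.0   # assumed tolerance per risk
ACCEPTABLE_COST = 15_000.0


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        res = r.residual()
        print(f"{r.name}: exposure {r.time_exposure:.0f} d / {r.cost_exposure:,.0f} "
              f"-> residual {res.time_exposure:.0f} d / {res.cost_exposure:,.0f}")
    print("still unacceptable:", unacceptable(SAMPLE_REGISTER, ACCEPTABLE_DELAY_DAYS, ACCEPTABLE_COST))
    print("expected slip and cost after mitigation:", total_exposure(SAMPLE_REGISTER))
```

Keeping the original and residual risk apart is the point of the periodic reassessment the slide calls for: a later review re-runs the same register with updated probabilities and drops actions that did not deliver the reduction they were credited with.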