www.isaca-london.org COBIT 4.1 © 1996 - 2007 ITGI All rights reserved Roger Southgate 1
ISO/IEC 38500
The Origins
The objective of this standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.
ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005) and was adopted, under a “fast-track procedure”, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC.
ISO/IEC 38500 is a high-level, principles-based advisory standard. In addition to providing broad guidance on the role of a governing body, it encourages organizations to use appropriate standards to underpin their governance of IT.
The Content
© ISO/IEC 2008 – All rights reserved
1.0 Scope, Application and Objectives (Benefits – References – Definitions)
2.0 Framework for Good Corporate Governance of IT
2.1 Principles
2.2 Model
The Principles
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human Behaviour
Principle 1 Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2 Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
Principle 3 Acquisitions
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
Principle 4 Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
Principle 5 Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
Principle 6 Human Behaviour
IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.
Evolution and Revolution as Organisations Grow
[Figure: Greiner growth curve – phases 1 to 5 plotted against elapsed time, each evolutionary phase ending in a crisis]
Phase 1: growth through Creativity, ending in a crisis of Leadership
Phase 2: growth through Direction, ending in a crisis of Autonomy
Phase 3: growth through Delegation, ending in a crisis of Control
Phase 4: growth through Co-ordination, ending in a crisis of Red Tape
Phase 5: growth through Collaboration, ending in a crisis of ?
Phase 6: Collaboration external – Outsourcing / Joint Ventures
(Other labels on the figure: Knowledge, Information, Data)
The seeds of each crisis lie in the style of management prevailing at the time.
The longer each period of evolutionary growth, the more difficult it becomes to recognise and respond to the growing crisis.
These cycles are equally applicable to departments and workgroups.
From HBR Reprint, Larry E. Greiner, Reprint 98308
ITGI Enables
Published 28/01/2009
All publications available from www.isaca.org
ITGI Guidance
Principle 1—Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
What this means in practice: The business (customer) and IT (provider) should collaborate in a partnership model utilising effective communications based on a positive and trusted relationship and demonstrating clarity regarding responsibility and accountability. For larger enterprises, an IT executive committee (often referred to as the IT strategy committee) acting on behalf of the board and chaired by a board member is a very effective mechanism for evaluating, directing and monitoring the use of IT in the enterprise and for advising the board on critical IT issues... (cont’d)
How ITGI’s guidance enables good practice:
– The Board Briefing on IT Governance and Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2nd Edition publications provide guidance on the roles and responsibilities for IT governance in the business and for the IT function, whether in-house or outsourced, and describe how to establish an effective IT executive (strategy) committee.
– The COBIT and Val IT frameworks include RACI charts showing example roles and responsibilities for board members and management for all key ...
The Model
[Figure: the ISO/IEC 38500 model for corporate governance of IT. Labels on the figure: Evaluate, Direct, Monitor; Business Pressures, Business Needs, Proposals; Business Processes; Performance, Conformance]
Define strategy
Preserve value
Create value
Good things to happen
Bad things not happening
Resolve problems
Continuous improvement
Measure results
Where and how should IT be used in meeting the demands of Today and preparing for the needs of Tomorrow?
The Levers of Control
Belief Systems – Core Values
Boundary Systems – Risks to be Avoided
Diagnostic Control Systems – Critical Performance Variables
Interactive Control Systems – Strategic Uncertainties
Levers of Organisation Design
Unit Structure – Customer Definition – Span of Control
Diagnostic Control System – Critical Performance Variables – Span of Accountability
Interactive Networks – Creative Tension – Span of Influence
Shared Responsibilities – Span of Support
Peter Drucker - Management Challenges for the 21st Century
There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications. A given organization structure fits certain tasks, in certain conditions.
Execution - Larry Bossidy & Ram Charan
“No strategy delivers results unless it’s converted into specific actions”
“The gap nobody knows is the gap between what a company’s leaders want to achieve and the ability of the organisation to achieve it”
“Most often today the difference
Execution - Larry Bossidy & Ram Charan
“Dialogue is the core of culture and the basic unit of work. How well people talk to each other determines how well the organisation will function.”
“Is the dialogue stilted, politicised, fragmented and butt covering?”
“Or is it candid and reality based, raising the right questions, debating them, and finding realistic solutions?”
Authority and Accountability
Business Unit
Country
Regional
Global
What decisions need to be made?
Where should they be made?
When, where and how will we reap the benefits?
The Roots
v1 (1996) – Assurance
v2 (1998) – IT Control
v3 (2000) – Management of IT Performance
v4.1 (2005/2007) – Governance - IT Focus
Business Goals → IT Goals → IT Processes → IT Activities
The journey continues
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
What Are We Doing? – The Challenge
Authority – Accountability – Transparency
“Information theory tells us ‘every relay doubles the noise and cuts the message in half’”
What Are We Doing? – The Process
Transparency – Authority – Accountability
“The best plans will not work unless the people do”
“None of us is smarter than all of us”
The Organisation Challenge
COBIT MMA – COBIT Maturity Model attributes
What is the purpose of this organisation?
What are its goals?
How will it execute?
Where and how should IT be used to meet the demands of Today and prepare for the needs of Tomorrow?
Create value – Preserve value – Define strategy
Good things to happen – Bad things not happening – Resolve problems – Continuous improvement – Measure results
COBIT RACI
The Five Focus Areas of IT Governance
Define strategy – Preserve value – Create value
Good things to happen – Bad things not happening – Resolve problems – Continuous improvement – Measure results
Risk Management
Value Delivery
What? – IT Alignment – Are we doing the right things?
How? – IT Resource
Identifying IT Governance Issues
Process Area
People
Text taken from pages 50-52
COBIT RACI
COBIT
[Table: RACI rating scale Never – Seldom – Often – Mostly – Always, for the roles CEO and Business Executives, against the activities below]
Align and integrate IT strategy with business goals
Align IT operations with business operations
Cascade strategy and goals down into the organisation
Mediate between imperatives of the business and of the technology
Understand the enterprise’s IT organisation, infrastructure and capabilities
Drive the definition of business requirements and own them
Act as sponsor for major IT projects
“None of us is smarter than all of us”
RACI focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
Enterprise Governance
IT Governance
?
• To define the company’s purpose;
• To agree strategies and plans for achieving that purpose
• To establish the company’s policies
• To appoint the chief executive
• To monitor and assess the performance of the executive team
• To assess their own performance
Enterprise Governance in Practice
Enterprise Governance
Conformance – Corporate Governance processes:
• Chairman / CEO
• Non-Executive Directors
• Audit Committee
• Resource and Remuneration Committee
• Strategic Risk Management for compliance
• Controls Assurance
Accountability, Assurance
Performance – Business Governance processes:
• Strategic Planning and Alignment
• Strategic Decision Making
• Dashboards / Scorecards
• Strategic Enterprise Systems
• Continuous Improvement
Value Creation, Resource Utilisation
The Key Principles of Evaluating and Improving Governance in Organizations
A. The creation and optimization of sustainable stakeholder value should be the objective of governance.
B. Good governance should appropriately balance the interests of stakeholders.
C. The performance and conformance dimensions of governance are both important to optimize stakeholder value.
D. Good governance should be fully integrated into the organization.
E. The governing body should be properly constituted and structured to achieve an appropriate balance between performance and conformance.
F. The governing body should establish a set of fundamental values by which the organization operates. All those
G. The governing body should understand the organization’s business model, its operating environment, and how sustainable stakeholder value is created and optimized.
H. The governing body should provide strategic direction and oversight in both the performance and conformance dimensions.
I. Effective and efficient enterprise risk management should form an integral part of an organization’s governance system.
J. Resource utilization should align with strategic direction.
K. The governing body should periodically measure and evaluate the organization’s strategic direction and business operations, and follow up with appropriate actions to ensure appropriate progress and continued alignment with objectives.
L. The governing body should ensure that reasonable demands from stakeholders for information are met, and that the
[Figure: map of ITGI publications. WHAT: COBIT Framework, Control Objectives, Management Guidelines, Maturity Models; Control Objective, Control Practices, Assurance Steps, Value, Risk. HOW: Board Briefing; CIO Baseline for IT Governance; Executive Baseline for IT Governance; Audit Director Baseline for IT Governance; IT Governance Implementation Guide using CobiT; IT Assurance Guide using CobiT]
To Summarise
Are we doing the right things?
Are we doing them the right way?
Are we getting them done well?
Are we getting the benefits?
We know we have the resources, experience and
• Realism
• Relevance
• Results
Look – Act – Speak – Think
The Opportunity Clock is always ticking……..
The demands of Today
The needs of Tomorrow
Maturity Model Attributes:
A&C Awareness and Communication
PSP Policies, Standards and Procedures
T&A Tools and Automation
S&E Skills and Expertise
R&A Responsibility and Accountability
GSM Goal Setting and Measurement
Requirements for Information:
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Recent Publications
Define strategy – Preserve value – Create value
Good things to happen – Bad things not happening – Resolve problems – Continuous improvement – Measure results
Risk Management
Value Delivery
What? – IT Alignment – Are we doing the right things