Making sense of IT Governance – the implications of King III
Presenter: Marlene Badenhorst (ACIS)

Content
• Research objective and research question
• Definitions of IT governance
• Literature review of selected codes, frameworks, standards and best practices
• Assessment of the current industry application of governance concepts
• A generic governance framework for IT governance and the governance of outsourcing
• Conclusion

Research objective & research question
Research objective:
• A literature review and an IT governance efficiency survey to assess:
  – whether the known reference models, frameworks and standards address the governance requirements of ICT outsourcing companies;
  – the current status of IT governance practices.
Research question:
• Can a generic governance framework be formulated to address these requirements?

What is ‘IT governance’?
It is the responsibility of the board and executive. It consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends organisational strategies and objectives.
Source: ITGI

Enterprise governance drives IT governance
Enterprise governance is about:
• Conformance: adhering to legislation, internal policies, audit requirements, etc.
• Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals, directed by the board.
Source: ITGI

What is the ‘governance of outsourcing’?
The responsibilities, roles, objectives, interfaces and controls required to anticipate change and to manage the introduction, maintenance, performance, costs and control of third-party provided services.
Source: ITGI

Literature review of selected codes, frameworks, standards and best practices

King III requirements – the link between IT governance practices and law
• Directors’ duty of care: ensure that prudent and reasonable steps are taken regarding IT governance.
• Corporate governance practices, codes and guidelines lift the bar of what are regarded as appropriate standards of conduct.
• Failure to meet a recognised standard of governance, albeit not legislated, may render a board or an individual director liable at law.

King III requirements: IT governance
• IT governance
  – is the responsibility of the board;
  – should be an integral part of enterprise governance structures;
  – should be owned by the board.
• The board must set the management direction. It is required to
  – assume a more significant role in terms of IT governance, and
  – insist on the establishment of an IT governance management framework, based on a common approach, e.g. COBIT.

King III requirements: IT governance focus areas
IT governance should focus on four key areas, which are also the COBIT focus areas (www.itgi.org):
• strategic alignment with business;
• value delivery;
• risk management; and
• resource management.
Source: ITGI

Context: best practices
Diagram (recovered labels only): corporate governance – King Reports; non-IT-related governance elements; IT-related governance elements: IT governance (ISO 38500 as management framework, Val IT), governance of outsourcing, COBIT, ITIL, ISO 27002.
Source: own source

Context: COBIT and Val IT (the four ‘Are we’ questions)
• The strategic question: Are we doing the right things? (Val IT)
• The value question: Are we getting the benefits? (Val IT)
• The architecture question: Are we doing them the right way? (COBIT)
• The delivery question: Are we getting them done well? (COBIT)
Source: Thorp, cited by ITGI

Industry application of governance concepts
Status: IT governance best practice implementation
Chart (ITGI/Lighthouse survey 2005; the individual percentages did not survive extraction). Practices surveyed:
• alignment between IT strategy and overall strategy
• IT resource management
• IT value delivery
• IT risk management
• actual IT performance measurement
• active management of IT ROI
Each practice was rated as: have implemented; implementing now; considering implementation; not considering implementation.
Source: ITGI/Lighthouse survey 2005

Generic governance framework for IT and outsourcing
Generic governance model (diagram): the enterprise governance of IT spans two IT governance frameworks, one for the service provider and one for the outsource client. Each framework comprises Val IT, compliance requirements, COBIT and practitioner processes. The two frameworks meet across an outsource client interface on the provider side and a service provider interface on the client side.
Source: own source

Generic process model (diagram): the service provider and the outsource client (buyer) each run the same top-level processes – manage enterprise, develop enterprise strategy, strategic management of the product portfolio, strategic management of capacity – resting on support processes. The provider’s client interface connects to outsource clients 1 to n; the client’s service provider interface connects to service providers 1 to n.
Source: own source

IT governance interrelationships (service provider perspective)
Organisation chart (recovered labels):
• Board of Directors, with an IT Strategy Committee, Compensation Committee, Finance Committee, Business Strategy Committee and Audit Committee.
• Executive: CEO, CFO, CIO (‘IT’), Business Executives, HR, and Compliance, Audit, Risk & Security (CARS).
• IT governance bodies: IT Steering Committee, IT Architecture Review Board, Technology Council, Process Oversight Committee and Programme Management Office (PGMO).
• Service provider functions: Sales & Marketing and Account Management.
The second version of the chart adds a Value Management Office (VMO) and an Investment & Services Board (ISB) to the governance bodies.
Source: ITGI, own source

Conclusion
• Best practices are not widely adopted.
• There is significant room for improvement in most companies’ IT governance domain.
• Governance best practices address outsourcing governance only to a limited extent.
• A focused effort is required by SA companies to ensure compliance with the King III principles for good IT governance.
• The generic framework that has been formulated addresses the need for an integrated approach to IT governance.

Backup slides

COBIT & other IT management frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
Diagram: frameworks placed on a WHAT-to-HOW axis against scope of coverage: COSO, COBIT, ISO 27002, ISO 9000, ITIL.
Source: ITGI

Where does COBIT fit?
• Drivers: enterprise governance, with PERFORMANCE (business goals, balanced scorecard) and CONFORMANCE (Basel II, Sarbanes-Oxley Act, etc.; COSO).
• IT governance: COBIT.
• Best practice standards: ISO 9001:2000 (QA procedures), ISO 27002 (security principles), ISO 20000 and ITIL (processes and procedures).
Source: ITGI

COBIT framework
Business objectives and governance objectives drive the framework.
Monitor and Evaluate (ME)
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.
Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
IT resources: applications, information, infrastructure, people.

Plan and Organise (PO)
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.

Acquire and Implement (AI)
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

Deliver and Support (DS)
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
Source: ITGI

Interrelationship of the COBIT components
Diagram (recovered labels): business goals, information requirements, IT goals, IT processes; key activities, control objectives, responsibility & accountability chart, control practices, control design tests, control outcome tests; performance indicators, outcome measures, maturity models.
Source: ITGI

Dimensions of maturity
Diagram: three axes – HOW (capability, levels 0 to 5), HOW MUCH (coverage, 0 to 100%) and WHAT (control). Primary drivers: IT mission and goals; risk and compliance; return on investment and cost-efficiency.
Source: ITGI

Val IT domains & processes
Value Governance (VG)
• Establish informed and committed leadership
• Define and implement processes
• Define portfolio characteristics
• Align & integrate value management with enterprise financial planning
• Establish effective governance monitoring
• Continuously improve value management practices
Portfolio Management (PM)
• Establish strategic direction and target investment mix
• Determine the availability and sources of funds
• Manage the availability of human resources
• Evaluate and select programmes to fund
• Monitor and report on investment portfolio performance
• Optimise investment portfolio performance
Investment Management (IM)
• Develop and initiate the initial programme business case
• Understand the candidate programme & implementation options
• Develop the programme plan
• Develop full life-cycle costs and benefits
• Develop the detailed candidate programme business case
• Launch and manage the programme
• Update operational IT portfolios
• Update the business case
• Monitor and report on the programme
• Retire the programme
Source: ITGI

Road map to IT governance
Identify needs
• Raise awareness & obtain management commitment
• Define scope
• Define risks
• Define resources and deliverables
• Plan programme
Envision solution
• Assess actual performance
• Define target for improvement
• Analyse gaps and identify improvements
Plan solution
• Define projects
• Define improvement plan
Implement solution
• Implement the improvements
• Monitor implementation performance
• Review programme effectiveness
Operationalise solution
• Build sustainability
• Identify new governance requirements
Source: ITGI
© Copyright 2024