Whitepaper - Practical Information Technology Governance

  • Uploaded by: Alan McSweeney
  • June 2020

Practical Information Technology Governance
Creating an Environment for Business Driven Effective IT Management, Decision Making and Operations

Alan McSweeney

Contents

  • IT Governance as a Means to an End
  • Benefits of IT Governance
  • IT Governance Drivers and Principles
  • IT Governance and Best Practice Standards
  • IT Governance Architecture Framework
  • Implementing Effective IT Governance
  • IT Governance with COBIT
      • COBIT Domain and Process Structure
      • COBIT Information Measurement Criteria
      • COBIT Process Goals and Metrics
  • Implementing IT Governance
  • Lessons Learned From Implementing IT Governance

63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance. IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services. Underlying the idea of IT Governance is the concept of IT and business alignment. Implementing IT Governance is good for both the organisation and for IT. It ensures that IT delivers value and that the value of IT is understood. Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives. COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks. Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way. Some “quick wins” from IT Governance can be achieved through the following:

  • Ensure that IT project priorities are based on business priorities
  • Audit existing IT processes and modify them to ensure they are effective
  • Ensure that IT projects are led by the business and strongly supported by IT
  • Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value
  • Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments
  • Create an IT Strategy Committee with business involvement


IT Governance as a Means to an End

IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services. IT Governance can be seen as one more non-value adding overhead that is part of the ever increasing compliance overhead imposed on organisations. There can be a real reluctance to consider IT Governance programmes because of the “compliance fatigue” associated with the many compliance requirements that have arisen in the past years. However, the adoption of appropriate and relevant IT Governance will yield real business benefits. Appropriate is the key word here: there are no prizes for excessive controls.

Information Technology is investment-intensive. Change is both common and frequent. The speed with which an organisation correctly adopts innovation and deployment is critical in developing and maintaining competitive advantage. The core function of IT is to serve the business. Alignment of IT with organisational goals and objectives and the management of IT to serve and support the business in its pursuit of success all require clear governance. Conversely, this also needs a business that is engaged with IT. In making a decision to implement an IT Governance framework, it is important to be practical and realistic. Appropriate governance is what is required and governance for a reason rather than for its own sake.

[Figure: How would you rate your organisation’s maturity level on IT Governance? Source: IT Governance Global Status Report—2008]

Benefits of IT Governance

Underlying the idea of IT Governance is the concept of IT and business alignment. The linkage of IT with business objectives remains a key issue for IT management. The implementation of IT Governance is designed to deliver real benefits:

  • Better IT to business alignment built on a business focus
  • Improved maintenance and operations planning
  • Establishment of data and information standards
  • Management view of what IT does and increased visibility of IT spending
  • Clear ownership and responsibilities, based on process orientation
  • General acceptability with third parties and regulators
  • Shared understanding amongst all stakeholders based on a common language
  • Fulfilment of the governance requirements for the IT control environment
  • A comprehensive IT Governance model for managing all IT resources

IT Governance fits into an increasingly crowded landscape of corporate governance, regulation and compliance rules and standards.

However, there are tangible financial advantages to implementing IT Governance. Analyses and comparisons demonstrate that companies with effective IT Governance have profits that are 20% higher than similar companies without an IT Governance framework. IT Governance helps IT meet the expectations placed on it by the business by:

  • Delivering quality IT solutions on time and on budget
  • Employing and exploiting IT to deliver business value
  • Leveraging IT to increase efficiency and productivity while managing IT risks

[Figure: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? Source: IT Governance Global Status Report—2008]

[Figure: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? Source: IT Governance Global Status Report—2008]

[Figure: How would you describe the level of engagement by business management in the governance of IT-enabled business initiatives? Source: IT Governance Global Status Report—2008]

There are two aspects to IT controls:

  1. IT must implement internal controls around how it operates
  2. The systems IT provides to the business and the underlying business processes these systems implement must be controlled; these are controls external to IT

IT is impacted by business requirements as IT drives the business process and manages the information that such governance seeks to control. IT is at the core of most complex businesses. IT is required to manage itself more effectively and reliably in order to respond to these requirements.

The twin drivers of increasing complexity and the need for greater cost controls will exert continuous pressure on IT operations and make using best practice frameworks to implement governance solutions the only real answer available. Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives.

IT Governance Drivers and Principles

63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance. The drivers of IT Governance include:

  • The search for competitive advantage through more effective use of information and IT
  • The need to align technology projects with strategic organisational goals, ensuring they deliver planned value through greater project governance
  • Operational risk management and the proliferation of threats (internal and external) to information and IT
  • The governance requirements of various compliance obligations
  • Increasing regulatory compliance and information and privacy legislation

IT Governance is important for all organisations. Those without an IT Governance strategy face risks; those with one perform better.

[Figure: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? Source: IT Governance Global Status Report—2008]

In the current corporate governance environment, where the value and importance of information assets are sizeable, core governance principles must be extended to information and IT. These principles include establishing strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management and reporting to shareholders on their stewardship of the organisation. The IT function must be aligned to the larger organisation. A lack of openness within IT is simply not consistent with the expectation of pro-activity and governance transparency. IT Governance should be focussed on four key areas, divided into two groups:

Goals of IT Governance

  1. IT Value Delivery: focus on optimising cost and the value of IT
  2. Risk Management: focus on safeguarding IT assets, disaster recovery and continuity of operations

Means to Achieve IT Governance Goals

  3. IT Strategic Alignment: focus on aligning IT with the business and collaborative solutions
  4. Performance Measurement: focus on tracking project delivery and monitoring delivery of IT services

[Figure: How important do you consider IT to be to the successful delivery of the business strategy or vision? Source: IT Governance Global Status Report—2008]

IT Governance and Best Practice Standards

In translating IT Governance from theory to practice, there are a number of IT best practice frameworks and standards, such as Control Objectives for Information and related Technology (COBIT), ISO17799, IT Infrastructure Library (ITIL) and Capability Maturity Model (CMM), available to help IT functions improve their accountability, governance and management. COBIT is designed as a high-level umbrella framework and it works very well with other lower-level frameworks like ITIL and ISO27002 which focus on specific aspects of IT Governance. Clearly the structure of IT Governance depends on the IT structure and focus of the organisation.

[Figure: How regularly does your IT department inform the business about potential business opportunities enabled by new technologies? Source: IT Governance Global Status Report—2008]

[Figure: To what extent does your IT department understand and support the business user needs? Source: IT Governance Global Status Report—2008]

Business can obtain value from the implementation of appropriate best practice frameworks through the reduction of the number of ad-hoc processes. This brings discipline to IT activities and improves accountability.

IT Governance Architecture Framework

This framework depicts how strategy, governance structures and performance goals are synchronised. The “Whats” link overall strategy, governance structures and performance goals so they are aligned and drive an organisation to achieve its vision or steer it in the strategic direction in which it is trying to move.

[Figure: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? Source: IT Governance Global Status Report—2008]

The “Hows” translate the theory into practice:

  • The organisation’s strategy defines the behaviours required.
  • The organisation’s governance arrangements are implemented through its governance processes.
  • The organisation’s performance goals are measured through appropriate metrics.

Implementing Effective IT Governance

Control Objectives for Information and related Technology (COBIT) has been referred to earlier in this paper. COBIT has become the de facto framework for the management of Information Technology standards and processes. COBIT aims to be different from other quality and governance approaches in two key ways:

  1. It is an IT Governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks
  2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables

As with all governance standards and methodologies, implementation can be long and painful. Implementation of and adherence to these compliance standards can seem to represent wasted effort as it does not add value to the business. COBIT removes at least some of the pain and reduces the execution time by going some way towards translating general principles to realisable specifics. Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.

[Figure: Rate the relative importance of IT-related problems based on impact and severity, frequency of occurrence, improvement or disimprovement and priority for resolution in the next 12 months. Source: IT Governance Global Status Report—2008]

[Figure: On a scale from 1, not at all serious, to 3, very serious, rate the severity of problems experienced? Source: IT Governance Global Status Report—2008]

The framework can be customised and simplified to suit the requirements of the organisation. In order to deliver and be seen to deliver quick wins from IT Governance, the following areas should be given attention:

  • Ensure that IT project and service priorities are based on business priorities
  • Audit existing IT processes and modify them to ensure they are effective
  • Ensure that IT projects are led by the business and strongly supported by IT
  • Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value
  • Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments
  • Create an IT Strategy Committee with business involvement

[Figure: Has the situation regarding these problems deteriorated, stayed the same or improved during the past 12 months? Source: IT Governance Global Status Report—2008]

COBIT has a broad coverage and a business focus. It seeks to ensure that IT delivers what the business needs. COBIT focuses on the “what” rather than on the “how”. It is a control and management framework, linking IT practices to business requirements. COBIT is based on the principle that to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services. COBIT is integrated with other standards and thus can become an umbrella framework for IT Governance:

  • It assists in understanding and managing the risks and benefits associated with IT
  • The process structure of COBIT and its business-oriented approach provide an end-to-end view of IT

COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks.

IT Governance with COBIT

COBIT Domain and Process Structure

The COBIT process model of four domains contains processes that manage the IT resources to deliver information to the business according to business and governance requirements. Each of the processes contains a set of objectives.

When implemented, the governance processes within the domains can be regarded as an engine to deliver information and fulfil objectives.

The implementation of these COBIT processes within the toolset is divided into four parts:

  1. High-level control objectives: a process summary identifying the business requirement being satisfied, focus, achievement and measurement principles
  2. Detailed process-specific control objectives
  3. Process inputs and outputs, responsibilities, goals and metrics
  4. Process maturity model

Each of these processes consists of a number of specific control objectives. It is COBIT’s execution-oriented template approach and structure that make it useful and implementable.

[Figure: Which of any of the following practices does your organisation’s current approach to IT Governance include? Source: IT Governance Global Status Report—2008]

COBIT Information Measurement Criteria

COBIT defines criteria to measure how the information delivered by the processes meets business objectives:

  • Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
  • Efficiency: Concerned with the provision of the information through the optimal use of resources
  • Confidentiality: Concerned with the protection of sensitive information from unauthorised disclosure
  • Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
  • Availability: Relates to the information being available when required by the business process now and in the future
  • Compliance: Deals with complying with laws, regulations and contractual arrangements
  • Reliability: Relates to the provision of appropriate information for the workforce of the organisation

[Figure: Have you implemented, are you in the process of implementing or are you considering implementing improved IT Governance practices? Source: IT Governance Global Status Report—2008]

COBIT Process Goals and Metrics

Each process has three sets of goals measured by corresponding sets of metrics:

  • Activity Goals: delivery measured by Key Performance Indicators
  • Process Goals: delivery measured by Process Key Goal Indicators
  • IT Goals: delivery measured by IT Key Goal Indicators

[Figure: How valuable do you think COBIT is in your IT Governance efforts/initiatives? Source: IT Governance Global Status Report—2008]

In addition to the process-specific control objectives, COBIT includes a set of generic process controls that are applied to all processes:

  • PC1 Process Owner: Assign an owner for each COBIT process such that responsibility is clear.
  • PC2 Repeatability: Define each COBIT process such that it is repeatable.
  • PC3 Goals and Objectives: Establish clear goals and objectives for each COBIT process for effective execution.
  • PC4 Roles and Responsibilities: Define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.
  • PC5 Process Performance: Measure the performance of each COBIT process against its goals.
  • PC6 Policy, Plans and Procedures: Document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.

COBIT includes a set of generic application control groups and detailed controls that are applied to all processes:

  • Data Origination/Authorisation Controls
  • Data Input Controls
  • Data Processing Controls
  • Data Output Controls
  • Boundary Controls

Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.

[Figure: Which IT-related investment principles deliver the greatest value to the organisation? Source: IT Governance Global Status Report—2008]

Implementing IT Governance

Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way. The roadmap to implementing IT Governance consists of the following general phases and activities:

Implementing IT Governance should be treated like any other project.

[Figure: Which of the following IT-related investment principles applies or is planned to be applied in your organisation? Source: IT Governance Global Status Report—2008]

[Figure: What do you see as the greatest obstacles/constraints to organisations adopting the IT-related investment? Source: IT Governance Global Status Report—2008]

Lessons Learned From Implementing IT Governance

The lessons learned from implementing IT Governance relate to avoiding the all too common problems associated with business and IT being disconnected:

  • Management see a value from investments made in IT and see that IT is an investment rather than a cost.
  • IT is no longer seen as a barrier to implementing new strategies. IT becomes a strategic enabler rather than being seen as restricting the ability of the business to respond to new opportunities.
  • IT decision-making mechanism is open and transparent rather than slow, cumbersome and not apparent.
  • Management understand and appreciate how IT is governed within the organisation.
  • IT projects are completed on time and on budget and deliver on the committed benefits. Good project management is part of good IT Governance.

[Figure: Which of the following measures have you implemented, or are you in the process of implementing, to improve IT management and governance? Source: IT Governance Global Status Report—2008]

Implementing IT Governance is good for both the organisation and for IT. Governance ensures that IT delivers value and that the value of IT is understood.

For more information, please contact: [email protected]
