20071016 it audit rietveld

Upload: andhika-prasetya-gradiyanto

Post on 07-Jan-2016


DESCRIPTION

Auditing IT governance controls

TRANSCRIPT

  • IT Governance & IT Audit
    Ir. Erica Rietveld
    October 16th, 2007

  • Two subjects
    IT Audit as an IT Governance instrument. Purpose: being in control of IT
    Audit of IT Governance. Purpose: being in control of decision-making about IT
    IT-governance audit as a business instrument

  • Definition of IT Governance
    Elements:
    Subject is the use of IT to achieve business objectives
    It describes accountability and mandate / authority
    It includes both structures and processes (who & how)
    It is an organizational capacity (not an individual one)
    It is an integral part of enterprise governance
    Performance: does IT deliver?
    Conformance: does IT deliver in conformity with relevant rules?

  • IT Governance includes command & control
    "Are you sure it really happens?"
    "I decide what happens around here!"

  • Command: the power or authority to give direction or instruction to do something

    Principles:
    Unity of command
    Unity of direction
    Chain of command
    Responsibility must go with authority
    Subordination of individual interest

    Control: the methods of effecting the will of command

    Principles:
    Formalization of policies, plans, standards etc.
    Quantification
    Feedback: periodical, consistent

  • When are we in control of IT?
    When we can account for all investments in IT
    When we have mitigation plans for all identified significant risks
    When models & reports about IT are correct
    When IT operations perform as expected / contracted
    When forecasts are reliable

    Results of audit:
    Certificate: yes, you are (sufficiently) in control
    Or
    List of issues to be improved

  • COBIT - Three viewpoints (cube diagram)
    IT processes: Domains, Processes, Activities
    IT resources
    Quality criteria

    IT process domains:
    Planning & organization
    Acquisition & implementation
    Delivery & support
    Monitoring

  • When are we in control of IT Governance?
    When it is clear who decides about what
    When it is clear which rules the enterprise has to comply with (external and internal rules)
    When IT governance is sufficiently linked to business governance (alignment)
    When sufficient feedback is organized to assess:
    the effectiveness of the accountability structure
    the effectiveness of decision makers
    the effectiveness of policies / rules / standards

  • COBIT processes: Planning & Organization
    PO1 Define a Strategic IT Plan
    PO2 Define the Information Architecture
    PO3 Determine Technological Direction
    PO4 Define the IT Organization and Relationships
    PO5 Manage the IT Investment
    PO6 Communicate Management Aims and Direction
    PO7 Manage Human Resources
    PO8 Ensure Compliance with External Requirements
    PO9 Assess and Manage Risks
    PO10 Manage Projects
    PO11 Manage Quality

  • Process model PO (diagram)
    Inputs: Business requirements, External requirements
    Planning & Organization domain, strategic cluster: Ensure compliance, Strategic IT plan, Define InfoArch, Technological direction, IT org + relationships, Manage IT investment, Communicate direction, Manage HR
    Planning & Organization domain, general resource: Assess & manage risks, Manage projects, Manage quality
    Related domains: Acquisition & implementation, Delivery & Support, Monitoring

  • My problem with control
    Control is useless without command
    Being in control does not imply that the business is doing well
    Acting by the book does not produce a sustainable competitive advantage
    Controlling behaviour may endanger trust, creativity etc.

  • Modelling accountability (diagram)
    Area of accountability
    Accountable person
    Ruler
    Contract
    Formalization & feedback
    Unity of command, unity of direction
    All subjects & objects that the accountable person is held accountable for: employees, policies, services, processes, models, information systems, buildings, inventories, knowledge, rules, data, culture, etc. etc.

  • AofAs are nested
    AofA within AofA within AofA, down to the level of team or individual
    Everybody has rulers, everybody is a ruler

  • Accountability & the organogram
    Hierarchy of accountable persons
    Chain of accountability
    Easier to draw than the nested structure of AofAs (communication function of models)

  • Case 1: in control of change?
    Large bank, department of Payments & Savings
    Bureaucratic, all processes in place, architecture
    External change: SEPA, Internet, etc. etc.
    70 change programs
    Qualified program managers
    Standardized program management processes
    Most involved line managers lead steering groups, others are members
    Problems:
    programs rarely meet the objectives, esp. related to time (internal audit issue)
    budget constraints have resulted in lagging maintenance of the basic payments infrastructure

  • Assessment
    Line managers spend 80% of their time on programs
    Line management authority is reduced to managing human resources (outside program roles)
    No program manager ever gets satisfactory decisions from a steering group (there is always a reason not to decide)
    There is a high level of dependence between the programs
    The coordination between the 70 programs is supported by architecture, but nobody is accountable (nor could any human being be)
    Nobody is really held accountable for results, except the managing director of P&S
    Collective inferiority complex: we just can't get it right

    Conclusion: organizing change in programs has destroyed the change capability of this organization

  • A new set of principles is adopted
    Change is business as usual, and thus the responsibility of line management
    Every line manager manages the changes in his own area of accountability (AofA)
    Every line manager renegotiates contracts with his context when changes in his AofA require changes in relationships / exchanges
    The total orchestration of changes within his AofA and in contracts must be manageable for one human being (management ergonomics).

  • Practical rules
    To effect change in contracts, behave equally in horizontal and vertical relationships. The reason for change is not related to the hierarchy; all parties involved want to remain successful in the dynamic context, knowing they are highly dependent on each other.

    Translate change first of all into concrete adjustments in your service catalogue. *) If you will deliver the same service, why change? If you need to deliver other services, then you may also need adjustments in strategy, processes, systems etc.

    *) Service catalogue: includes prices, conditions etc. The service catalogue should include all information that enables a client to conclude whether he wants your service and what the relevant conditions for delivery are.

  • Lessons case 1
    Having all processes in place etc. does not guarantee good performance (it does help!)
    Information is always incomplete; the role of a manager is to decide anyway
    Without people taking responsibility no structure will work

  • Case 2: in control of customer information
    Interpolis, insurance company
    7 business units: market organizations (MOs) per product
    Strategy: customer orientation (all-in-1 policy)
    Shared application for basic customer data
    Dissatisfied users
    No innovation
    Solution: new app (Siebel), steering committee with all MOs, customization & implementation program
    Results: slow & tumultuous decision making, blocking progress
    Who is accountable?

  • A new Area of Accountability
    Accountability: provide customer information to Interpolis market organizations
    Design: internal service center (KID)
    The AofA includes, among others:
    Customer data
    Applications, methodologies
    Knowledge about customer data and relevant laws/rules
    Service catalogue
    The AofA has closed Service Level Agreements with the MOs
    Interpolis was acquired by Achmea; perception of KID: market extension; Avero is now a client

  • Results
    Quality and costs were benchmarked vs. industry in 2005: top position in industry
    Employee satisfaction and solidarity were measured in 2007: top position within Achmea
    Implementation of Siebel was stopped; the old systems now deliver the new service
    The service portfolio grows: specialization, entrepreneurship, innovation

    Benchmarking customer data: costs per customer
    Interpolis: 2,05
    Large Dutch insurance company: 4,50
    Small Dutch savings bank: 9,--
    Regional bank in the US (source: Forrester): $ 5,95
    Benchmark consumers: 5,--
    Benchmark business: 7,70

  • Lessons case 2
    Do not share ownership of information nor applications
    If you give people the mandate to change, they will
    Internal markets work without a free price mechanism

  • An alternative for Command & Control?
    Some management science theorists hold that the idea is now obsolete. Dee Hock: "Purpose and principle, clearly understood and articulated, and commonly shared, are the genetic code of any healthy organization. To the degree that you hold purpose and principles in common among you, you can dispense with command and control. People will know how to behave in accordance with them, and they'll do it in thousands of unimaginable, creative ways. The organization will become a vital, living set of beliefs."

  • Not or/or but and/and (diagram)
    Area of accountability
    Accountable person
    C&C
    Ruler
    Contract
    Formalization & feedback
    Unity of command, unity of direction
    My purpose and principles (on each side)
    Purpose and principles of collaboration

  • View on organizations
    An organization is both a designed system and a natural / social system; Gesellschaft + Gemeinschaft.
    People are its major strength and weakness; its most valuable asset and major risk

  • View on organizations
    An organization is a living system, dependent on its interaction with a dynamic environment
    We have to use and rely on the power of self-organization, but if we want to achieve specific performance & conformance we also need command and control.
    Only purpose & principles: religious sect