An introduction to ISO 38500 by Basta Group
BastaGroup bv 2010
MATS BEEM @ gmail.com, +31 614 026 541
IT GOVERNANCE WITH ISO 38500
Gooimeer 4, 1411 DC Naarden, Netherlands. Tel: +31 35 6783922. Web: www.bastagroup.nl. Email: [email protected]
firms with effective IT governance have 20% higher profits than their competitors (MIT, 2009)
BastaGroup bv 2011
Content
- introduction
- the courses & workshops
- why should I have IT governance at all?
- why ISO 38500?
- ISO 38500: for whom?
- the 6 principles
- the model
- evaluating, directing and monitoring
These are the supporting slides, used in a half-day introductory course on ISO 38500.
- ISO 38500
‣ has a stakeholder rather than shareholder focus
‣ tells you what you should have, not how you should do it; some of its requirements nevertheless have far-reaching consequences
- some suggestions on how to implement are included
- our implementation guideline comes with an implementation workshop
The courses and the workshops
- introduction to IT governance with ISO 38500: ½ day, max 15 participants
- ISO 38500 gap analysis training & workshops: 2 day training, 8 hours preparation + homework, 2 day workshop, 3-7 participants
- ISO 38500 implementation training & workshop: 2 day training + homework, 2 day workshop, 3-7 participants
- IT is a business responsibility*
- effective use of IT requires effective governance for value delivery & IT impact risk management
- ISO 38500 compliance requires formalised governance, as you need to be able to demonstrate that you comply
- existing IT governance frameworks (like BiSL)
‣ do not address the board & director level, or are too complex (COBIT)
‣ are more suited to a bottom-up extension to ISO 38500 than to be used on their own
‣ are more IT’ish
*According to ISO 38500: “Responsibility for specific aspects of IT may be delegated to managers within the organization. However, accountability for the effective, efficient and acceptable use and delivery of IT by an organization remains with the directors and cannot be delegated.”
Different studies show:
- when true costs are added up, only 20% of projects have a positive ROI (Mercer, 2001, BASTA 2004-2010)
- only 32% succeeded (Standish Group 2009), even worse than 2002 with 34% successful
- estimated over $50 Billion write-offs per year on IT projects (Standish Group)
- after software development projects have been delivered, the estimated costs of software defects are still $60 Billion annually (USA, National Institute of Standards and Technology, 2002)
but:
- results with very experienced project managers and good governance are twice as good (Chris Sauer 2007, Mats Beem 2010)
- firms with effective IT governance have 20% higher profits than their competitors (MIT, 2009)
Failing IT can have a major impact on the bottom line and can even cause the company to fail.
Example, case CETECO:
- during explosive growth, a software implementation failed
- as a result the company no longer had insight into who owed them money or who had paid
- the company is now bankrupt and all directors have been sentenced to pay damages to the shareholders (current estimate €190 Million)
ISO 38500: for whom?
Internal:
- all of senior management (all the way up to the supervisory and executive boards)
- auditors
- internal service providers
External:
- advisors/specialists
- service providers
- auditors
ISO 38500: what is it for?
Board of Directors:
- assurance that you can have confidence in your IT governance as part of your corporate governance
All directors:
- guidance in how to govern IT
Auditors and directors:
- basis for objective evaluation of IT governance
ISO 38500: the principles
1. responsibility
2. strategy
3. acquisition
4. performance
5. conformance
6. human behaviour
ISO 38500: responsibility
the responsibility principle:
- understanding (‘what is included’ and ‘what does the responsibility mean’) and accepting (‘I agree that I am responsible’ and ‘I feel responsible’) responsibility for supply and demand of IT
- those who have the responsibility also have the authority (explicit and well documented, part of the normal, overall command structure)
ISO 38500: strategy
the strategy principle:
- business strategy takes into account current and future capabilities of IT (does the strategy make appropriate use of what IT can and cannot do, does the strategy take into account what needs to be changed in IT in order to achieve the business goals)
- the IT strategy takes into account current and future business requirements (having been involved in establishing current requirements and being involved in regular evaluations, being involved in the processes of business planning and strategic planning)
ISO 38500: acquisition
the acquisition principle:
- IT is acquired for valid reasons (in line with business & IT planning) based on appropriate and current analysis (positive business case with regular evaluations), with clear (unambiguous) and transparent (process and reasoning are clear to all who need to know) decision making
- there is appropriate balance between benefits, opportunities, costs and risks, both in the short and long term (‘does the business case take all of the above into account?’)
ISO 38500: performance
the performance principle:
- IT is fit for purpose in supporting the organisation, providing the right services at the right service levels, for both current and future requirements (‘there is no such thing as a good car: a minivan, a truck and a sports car all serve different purposes; likewise there is no such thing as good IT, it needs to be fit for purpose’)
ISO 38500: conformance
the conformance principle:
- IT complies with all mandatory legislation and regulations (e.g.: security standards, privacy legislation, spam legislation, trade practices legislation, record keeping requirements, environmental legislation, health and safety legislation, accessibility legislation, social responsibility standards)
ISO 38500: human behaviour
the human behaviour principle:
- IT policies, practices and decisions demonstrate respect for human behaviour, including the current and evolving needs of all the people in the process
[Figure: the ISO 38500 model. Directors govern IT through three tasks: evaluate, direct, monitor. Business pressures and business needs are the inputs; proposals are evaluated; directing produces plans & policies; monitoring covers performance and conformance. The governed area spans business processes, IT projects and IT operations.]
Directors should govern IT through 3 main tasks:
✓ N.B.: not just the IT directors, but directors in general, including the board(s) (one of the starting points of ISO 38500 is that the director responsible for IT is a business person)
✓ all three tasks are processes that should be repeatable, and you should be able to demonstrate that you have them and that they work
✓ if you organise the processes well, you get formal compliance (being able to demonstrate compliance) for free; if you don’t organise them well, it will be extra overhead, resulting in extra costs and lowered agility
1. give direction and manage, where should we go with IT: direct preparation and implementation of plans and policies, to ensure that the use of IT meets business objectives
2. check if it works, did we do what we planned: monitor conformance to policies and performance against plans
3. judgement, how are we doing with IT: evaluate current and future use of IT. Evaluation goes beyond checking whether you have done what you planned to do
ISO 38500 example where/how to implement -1
- strategy:
‣ have the IT director in on all meetings where you have business directors & have actions & decisions documented of each meeting
‣ at least once a year, organise a session challenging the business directors, IT director, BIM & architecture to come up with ways to address strategic business issues, solving problems & coming up with possibilities to improve the competitive position
‣ make sure business and IT make it a common activity
- business planning:
‣ have the IT director in on all meetings where you have business directors & have actions & decisions documented of each meeting
‣ organise a session (at least once a year) challenging the IT director, BIM and architecture to join forces with at least one business director and his delegates, to come up with concrete improvement plans based on the ideas suggested in the strategy sessions
ISO 38500 example where/how to implement -2
- portfolio planning:
‣ have the IT director in on all meetings where you have business directors
‣ have actions & decisions documented of each meeting
‣ have 3-7 (preferably 3-5) business programmes that are to implement the business goals from the business plan
‣ have the business owners of the business goals be the business owners of the programmes and the chairpersons of the respective steering committees
‣ it is likely that IT plays a role in all programmes; make sure sessions are organised where the business programmes and ideas for implementation are confronted with the best specialists in IT* in order to get good estimates of the consequences
‣ track progress on all programmes, document well
- IT budget:
‣ have the IT director in on all meetings where you have business directors
‣ who has the benefit will pay the cost
‣ if benefit allocation is hard or impossible, who drives the cost will pay the cost
‣ if owners of cost drivers are (too) hard to find, allocate costs by generic overhead rules
‣ rule of thumb: maximum of 20% via general overhead**
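The IT budget bullets above describe an allocation order of preference (benefit owner, then cost-driver owner, then generic overhead) and a 20% rule of thumb for the overhead share. The following is an added example, not code from the BastaGroup slides, that applies that order to a constructed budget and flags when the overhead share breaks the rule of thumb. The budget items, the unit names, the headcount figures and the choice of headcount as the generic overhead key are all assumptions made for the example.

```python
"""Added example: three-tier IT cost allocation with a 20% overhead check.
Not part of the BastaGroup slides; all sample figures are constructed."""

OVERHEAD_CAP = 0.20  # rule of thumb from the slide: at most 20% via general overhead


def allocate_it_costs(cost_items):
    """Allocate each cost item in the slide's order of preference:
    1. who has the benefit pays the cost;
    2. otherwise, who drives the cost pays;
    3. otherwise, the item goes into generic overhead.
    Returns (direct allocation per unit, overhead amount, overhead share of total).
    """
    direct = {}
    overhead = 0.0
    total = 0.0
    for item in cost_items:
        total += item["cost"]
        payer = item.get("benefit_owner") or item.get("cost_driver_owner")
        if payer is None:
            overhead += item["cost"]
        else:
            direct[payer] = direct.get(payer, 0.0) + item["cost"]
    share = overhead / total if total else 0.0
    return direct, overhead, share


def spread_overhead(overhead, headcount):
    """Generic overhead rule; the key used here (headcount) is an assumption."""
    staff = sum(headcount.values())
    return {unit: overhead * n / staff for unit, n in headcount.items()}


def budget_report(cost_items, headcount):
    """Full picture: direct charges, overhead, the rule-of-thumb check and what
    each unit ends up paying once overhead has been spread."""
    direct, overhead, share = allocate_it_costs(cost_items)
    charged = dict(direct)
    for unit, amount in spread_overhead(overhead, headcount).items():
        charged[unit] = charged.get(unit, 0.0) + amount
    return {
        "direct": direct,
        "overhead": overhead,
        "overhead_share": share,
        "exceeds_rule_of_thumb": share > OVERHEAD_CAP,
        "charged": charged,
    }


# Constructed sample budget (hypothetical units, amounts in k EUR)
SAMPLE_COSTS = [
    {"name": "ERP licences", "cost": 400.0, "benefit_owner": "sales"},
    {"name": "data centre", "cost": 300.0, "cost_driver_owner": "operations"},
    {"name": "network", "cost": 150.0},           # no owner found: overhead
    {"name": "security tooling", "cost": 150.0},  # no owner found: overhead
]
SAMPLE_HEADCOUNT = {"sales": 50, "operations": 30, "finance": 20}

if __name__ == "__main__":
    report = budget_report(SAMPLE_COSTS, SAMPLE_HEADCOUNT)
    print(f"overhead share: {report['overhead_share']:.0%}"
          f" (exceeds 20% rule of thumb: {report['exceeds_rule_of_thumb']})")
    for unit, amount in sorted(report["charged"].items()):
        print(f"  {unit:<11} {amount:8.1f}")
```

In the constructed budget 30% of the total ends up in generic overhead, so the report flags it: the next step would be to find owners for the network and security tooling lines rather than to accept the spread.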
ISO 38500 example where/how to implement -3
- business cases:
‣ have the IT director in on all meetings where you have business directors
‣ use discounted cash flows for each business case
‣ use a risk-adjusted interest rate for all calculations
‣ close to your normal cost of capital for replacing something you already have
‣ 1% up to 15% risk adjustment for individual projects, depending on the specifics of the project
‣ calculating consequences for your financial accounts is a separate exercise that should not be the basis for decision making
- ops review:
‣ have the IT director in on all meetings where you have business directors
‣ part of the agenda: tracking ops consequences of the portfolio, get input from the portfolio committee and give conclusions as feedback
The ‘responsibility principle’ in practice:
- evaluate:
‣ ‘what are the options for assigning responsibilities?’ taking into account the way IT should support the business & the competencies of the people given those responsibilities
‣ business managers should be responsible, supported by IT specialists. In order for them to be responsible and successful, the business managers need to be IT savvy (be able to judge IT) and IT managers need to be business savvy (at least understanding business processes and values in the context of the business strategy)
- direct: directors should ensure that plans are carried out in line with responsibilities and that they get the right information to carry their (director’s) responsibility
- monitor: ‘are the right mechanisms in place?’ ‘do all understand and take their responsibility?’ ‘what is their performance?’
The ‘responsibility principle’ in practice -2:
- although the principle is clear, responsibilities in practice often aren’t; how to solve it*? An example of a pragmatic approach that works (a more detailed programme is available):
- make 2-5 teams, 1-2 from IT, 1-3 from the business, & a facilitator that knows corporate governance, IT governance and ISO 38500 and has hands-on IT management and executive experience
- ask the IT teams to produce a list of their outputs for the business, and the business teams a list of their expected outputs from IT
- ditto for the processes: what are the processes that create the outputs according to IT, and what according to the business
- create one list of outputs and processes in a combined IT/business workshop
- in a second workshop: define the responsibilities per step, and make sure the authorities are aligned with the responsibilities
- confront the responsibility chart with the formal organisation and resolve issues where necessary
The ‘strategy principle’ in practice -1:
- evaluate:
‣ regularly look at how IT and the business (processes) are developing, ensuring that IT will provide for future business needs
‣ in all plans and policies, ensure that IT activities are in line with requirements (possibly changing due to changing circumstances) and risks are appropriately dealt with
- direct: directors must make sure that the organisation benefits from IT, including innovative use of IT that is necessary to respond to new challenges or opportunities
- monitor: directors should monitor progress of IT proposals (projects, renewals) in all their aspects, including the achievement of their intended benefits
The ‘strategy principle’ in practice -2:
(a more detailed program to set up IT-business alignment/integration is available):
‣ IT needs to be in the process of strategy development, and understanding the strategy needs to be in the process of IT development*
‣ this requires business savviness in IT and IT savviness in business, including the board
‣ Business Information Management and Architecture are the critical functions to get right
‣ to get these functions right, you need the right competencies
ISO 38500: strategy, about competencies
- some competencies can be learned or improved significantly, but some competencies can’t; they are more or less ‘hardwired’ in the individual’s brain
- if a competency that cannot be trained is essential for a certain role, be sure to treat this competence or these competencies separately (competence management frameworks typically do not distinguish between the two (can be trained/cannot be trained)!)
- 3 A’s and an F is still good on average, but an F for an essential competence that is not trainable will always lead to failure
- ideally, all competencies mentioned per role/function will be present in each employee with that role
- it is usually sufficient however, to have the competencies for the role rather than the individual, as that makes it easier (but still difficult) to get the right people
- in italics are the skills that everyone in the role should have (distinguishing between technical- and business architects)
- there are some extra conditions to be met, that will be different in each situation
ISO 38500: strategy, about competencies and business IT alignment/integration
- 60-80% of IT project failures* can be attributed to poor requirements, poor analysis and miscommunication. What to do:
‣ put together a programme for (at least) senior IT staff to learn about the business
‣ ditto for teaching non-IT managers & directors enough about IT (IT-savviness programme)
‣ an IT ‘posting’ should be part of all career paths to the top
‣ don’t compromise on quality when hiring Business Information Managers and architects (see next two slides)
Business Information Management:
- can conceptualise operational, technical & business issues
- can operationalise concepts (NOT the same as the above!)
- oversees the whole and understands how things are connected and how they impact each other
- can explain a problem to different audiences, changes wording accordingly
- score high on the “in basket” test
- know the business domains
- can visualise concepts
Architecture:
- technical architects:
‣ can conceptualise technical issues
‣ can operationalise technical concepts (NOT the same as the above!)
‣ oversee the whole of the technology architecture and understand how things are connected and how they impact each other
‣ know about construction by theory and experience
- business architects:
‣ can conceptualise business issues
‣ can operationalise concepts (broader than just technical)
‣ oversee the whole and understand how things are connected and how they impact each other
‣ translate business goals into technology solutions, working with technical architects and specialists
‣ score high on the “in basket” test
The ‘acquisition principle’ in practice:
- evaluate:
‣ professional judgement of business cases (treated like other business cases)
‣ look at IT alternatives for the proposed solution (there is always an alternative)
‣ use the appropriate interest rate/IRR (internal rate of return): the cost of money in the financial markets; when there is risk, you risk adjust (see SFB’s Return on IT presentation)
- direct:
‣ have the right people involved (judgement, professional skills & ‘the numbers’) and use a professional process and documentation
- monitor:
‣ make sure you can get the numbers from your financial system exactly the way you made your business case
‣ involve suppliers enough in the process to have a common understanding of why and under what conditions you want to acquire
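The business case bullets on the implementation slide (discounted cash flows, a risk-adjusted rate close to the cost of capital for replacements and a 1% to 15% premium for individual projects) and the acquisition principle's use of the IRR above both come down to the same calculation. The following is an added example, not code from the BastaGroup slides or the SFB presentation they cite: it discounts one constructed cash flow series at the two rates the slides distinguish and solves for the IRR, which gives the largest risk premium a case can carry before its NPV turns negative. The cash flow figures, the 8% cost of capital and the 12% premium are assumptions chosen for the example.

```python
"""Added example: risk-adjusted discounted cash flow business case with IRR.
Not part of the BastaGroup slides; all sample figures are constructed."""


def npv(rate, cashflows):
    """Net present value. cashflows[t] is the net cash flow at the end of year t;
    cashflows[0] is the initial outlay (negative) and is not discounted."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows, low=-0.99, high=1.0, tol=1e-9):
    """Internal rate of return: the rate at which npv() is zero, found by
    bisection. Assumes a conventional pattern (outlay first, inflows later),
    so npv is decreasing in the rate and there is one root on the bracket."""
    f_low = npv(low, cashflows)
    if f_low * npv(high, cashflows) > 0:
        raise ValueError("IRR is not bracketed by the given rates")
    for _ in range(200):
        mid = (low + high) / 2
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol:
            return mid
        if f_low * f_mid < 0:
            high = mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2


def risk_adjusted_rate(cost_of_capital, risk_premium=0.0, replacement=False):
    """Slide guidance: replacing something you already have is discounted at
    (close to) the normal cost of capital; an individual new project carries a
    premium of 1% up to 15% depending on its specifics."""
    if replacement:
        return cost_of_capital
    if not 0.01 <= risk_premium <= 0.15:
        raise ValueError("risk premium outside the 1%-15% range given on the slide")
    return cost_of_capital + risk_premium


def evaluate_business_case(cashflows, cost_of_capital, risk_premium=0.0, replacement=False):
    """Discount the case at its risk-adjusted rate and report, besides the NPV,
    how much premium the case could absorb before the NPV turns negative."""
    rate = risk_adjusted_rate(cost_of_capital, risk_premium, replacement)
    value = npv(rate, cashflows)
    internal = irr(cashflows)
    return {
        "discount_rate": rate,
        "npv": value,
        "positive": value > 0,
        "irr": internal,
        "max_premium": internal - cost_of_capital,
    }


# Constructed sample: 100 outlay now, 35 net benefit per year for four years
SAMPLE_CASHFLOWS = [-100.0, 35.0, 35.0, 35.0, 35.0]
COST_OF_CAPITAL = 0.08  # assumed normal cost of capital

if __name__ == "__main__":
    as_replacement = evaluate_business_case(SAMPLE_CASHFLOWS, COST_OF_CAPITAL, replacement=True)
    as_new_project = evaluate_business_case(SAMPLE_CASHFLOWS, COST_OF_CAPITAL, risk_premium=0.12)
    print(f"replacement at {as_replacement['discount_rate']:.0%}: NPV {as_replacement['npv']:.2f}")
    print(f"new project at {as_new_project['discount_rate']:.0%}: NPV {as_new_project['npv']:.2f}")
    print(f"IRR {as_new_project['irr']:.2%}, max premium {as_new_project['max_premium']:.2%}")
```

The same cash flows are positive as a replacement (about 15.9 at 8%) and negative as a new project carrying a 12% premium (about -9.4 at 20%): the IRR of roughly 15% says the case can absorb at most about 7 points of premium, which is the number to compare with the project's specifics before approving it.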
*our experience shows that responsibilities aren’t as well described as the board expects them to be
The ‘performance principle’ in practice
✓ fit for purpose: being able to judge if IT is ‘fit for purpose’ requires alignment to function properly (see ‘the strategy principle’ and the SFB presentation: ‘how to get business IT alignment right’)
✓ the focus on risk in ISO 38500’s performance principle is best addressed by having proper processes for the whole of IT in place and getting the risk management as a result. If all risk areas are addressed in isolation, the cost usually rises and agility suffers
- evaluate: are proposals for renewal or innovation addressing all relevant issues, and if we agree on the proposals, do they provide us with the IT we need?
- direct: direct those responsible to make sure the business gets what it needs when it needs it, and make sure the right resourcing is available
- monitor: can you actually conclude that you get the IT your organisation needs? (supporting the business, right priority resourcing, policies followed properly)
The conformance principle in practice:
- evaluate:
‣ conformance to internal policies and guidelines, regulatory, legal and contractual obligations, and to professional guidelines where applicable
‣ conformance to the (organisation’s own) system of governance of IT
- direct:
‣ those responsible to establish mechanisms that ensure compliance with relevant obligations
‣ to ensure that policies exist and are enforced that enable the organisation to comply with internal obligations
‣ that IT staff follow relevant guidelines for professional behaviour and development
‣ actions relating to IT to be ethical
- monitor:
‣ compliance and conformance using appropriate reporting and audit practices
‣ IT activities to ensure that all relevant obligations are met
The human behaviour principle in practice:
- evaluate: ensure that human behaviours are identified and considered
- direct:
‣ IT activities to be consistent with human behaviours
‣ that any issue (risk, opportunity, concern, generic issue etc.) can be raised by anyone at any time
‣ issues that are raised are addressed according to the rules (policies, procedures) and escalated to the right level of decision making
- monitor:
‣ IT activities to ensure that identified human behaviours are relevant and paid proper attention
‣ work practices, to ensure consistency with the right use of IT