
IIA Chicago Chapter 53rd Annual Seminar
April 15, 2013, Donald E. Stephens Convention Center

@IIAChicago #IIACHI

Governing IT with ITIL and COBIT for Process Excellence

Pam Nigro, CRMA, CISA, CGEIT, CRISC
Manager Operational Assurance
Health Care Service Corporation (a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association)

- 2 - IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013 / Donald E. Stephens Convention Center © 2013, Health Care Service Corporation, Pam Nigro

Agenda

1. IT Governance
2. ITG’s Challenges
3. Frameworks
4. HCSC’s Journey Begins
5. Measurements and Lessons Learned

- 3 -

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.

Warren Buffett, CEO, Berkshire Hathaway

IT Governance

- 4 -

Definition of IT Governance: Choose one…

- 5 -

IT Governance: 3 key pieces to the puzzle (Simple Version)

What: What IT decisions need to be governed?

Who: Who is assigned accountability?

How: How are those decisions governed?

IT Governance is simply the management of risk & compliance.


- 8 -

IT Governance

- 9 -

To open a shop is easy, to keep it open is an art.

Chinese Proverb

Challenges

- 10 -

HCSC ITG’s Challenges/Drivers
Strategic goals and support for key business objectives

1. Ensure Availability & Reliability in ITG Services
2. Reinvest in Technology to Support Growth
3. Allow for Ease of Mergers and Acquisitions
4. Simplify and Standardize ITG Processes
5. Commitment to Regulatory Compliance


- 15 -

Every knowledge worker in modern organization is an "executive" if, by virtue of his position or knowledge, he is responsible for a contribution that materially affects the capacity of the organization to perform and to obtain results.

Peter Drucker in The Effective Executive (1966)

Frameworks

- 16 -

Why Use a Framework?

Benefits:
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements

- 17 -

What is the IT Infrastructure Library?
An operational level of service management and the framework

Financial: What are my IT services?
Learning & Growth: Are we following best practices for our processes?
Customer: How do we monitor and measure our services?
Processes: What are best practices for managing my services?

- 18 -

The IT Infrastructure Library (ITIL)

ITIL Processes:
• Config Mgmt.
• Service Level Mgmt.
• Change Mgmt.
• Release Mgmt.
• Knowledge Mgmt.
• Incident Mgmt.
• Problem Mgmt.
• Access Mgmt.

- 19 -

Control Objectives for Information and Related Technologies (COBIT)

Plan & Organize: The strategy and domain of IT planning

Acquire & Implement: To realize business goals, IT solutions need to be developed or acquired and integrated into the business process

Deliver & Support: Service delivery, management of security and continuity, service support for users, and management of data

Monitor & Evaluate: Regular assessment of IT processes for quality and compliance with control requirements

- 20 -

Key Questions

Plan & Organize
Are Business and IT strategy aligned? Is business achieving optimum use of its IT resources? Is the quality of IT systems and services appropriate for business needs?

Acquire & Implement
Will the new or revised systems work properly when implemented? Will changes be made without upsetting current business operations?

- 21 -

Key Questions

Delivery & Support
Are IT costs optimized? Is the work force able to use IT systems productively? Are adequate performance requirements such as security, integrity and availability in place?

Monitor & Evaluate
Can IT performance be measured? Can problems be detected before it is too late? Is independent assurance needed to ensure critical areas are operating as intended?

- 22 -

ITIL v3 and COBIT Alignment
Over 75% of ITIL v3 processes map to COBIT 4.1

Description: COBIT / ITIL
Service Desk: DS8 / SO1, SO6
Incident Management: DS8 / SO4
Problem Management: DS10 / SO4
Change Management: AI6, AI7 / ST4.2, ST5.1
SDLC Process: PO10 / ST3, SD3
Physical Security: DS12 / ST3
Operations Management: DS13 / SO4, SO5
Release Management: AI7 / ST4

- 23 -

HCSC’s Journey Begins

There is nothing more difficult to carry out, nor more doubtful of success or dangerous to handle than to initiate a new order of things.

Niccolò Machiavelli, The Prince

- 24 -

The Process Excellence Program

…A new way for ITG to conduct its business!

Multi-workstream program ensuring:
• Consistent products and services
• Predictable service delivery (“On-Time, On-Budget, and On-Quality”)
• Integrated processes across ITG
• Leveraging “best practices” to re-engineer, not “patch” processes
• Customer focused service model
• Organizational and strategic alignment
• Achieve regulatory compliance

Workstreams: Problem, Change, Config, Release, Incident, Operations, SLM, Policy, Risk, Controls

- 25 -

Organizational Challenges and Barriers

(Figure: barriers grouped by category and plotted by complexity of barrier, from Low to High)

People: Lack of skills; People refusing to change; Unrealistic customer expectations; Closed culture; Poor governance; Poor leadership; Funding; Low morale; Poor customer perception

Process: Inconsistent processes; Non-integrated processes; Poor process quality

Technology: Fragmented tools; No standards; Custom-made integration; Inappropriate tools

- 26 -

Communicate

Formal and Informal Communications
• Team Meetings
• Held “Coffee Clutches”
• Developed a slogan: “Put PEP in Your Step”

Training
• Instructor Led Classroom
• Webinars

- 27 -

Incentives

IT Process Framework: Establish an IT Process Framework designed to standardize and increase predictability of select ITG processes, utilizing industry best practices.

Regulatory Compliance: Achieve and exceed compliance with mandated security and controls; establish a COBIT-compliant framework, and assess IT controls.

- 28 -

Initial COBIT Maturity Assessment

• Intentionally left blank

- 29 -

3 Key Drivers

ITIL Processes: Config Mgmt., Service Level Mgmt., Change Mgmt., Release Mgmt., Knowledge Mgmt., Incident Mgmt., Problem Mgmt., Access Mgmt.

- 30 -

Service Level Management

Service Level Agreement (SLA)
• Negotiating the SLA Contract
• Clearly document and outline the level of service
• Report to the business and ITG Sr. Management

Results and operational trend reports can be used to prioritize service improvement activities.
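The two measures this deck reports later, availability and mean time to repair (MTTR, in hours), are what an SLA trend report is built from. As an added example that is not part of the presentation and not HCSC's own tooling, the Python below computes both per service from incident records, compares them with SLA targets, and ranks services so the report leads with the ones most in need of improvement. Every service name, timestamp and target in it is constructed for illustration.

```python
"""Added example, not from the presentation or from HCSC: SLA trend reporting.

Computes availability (%) and mean time to repair (MTTR, hours) per service
from incident records, compares them with SLA targets, and ranks services for
improvement. All services, times and targets below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    service: str
    opened: datetime    # start of the service outage
    restored: datetime  # service restored to normal operation


# Constructed reporting period: March 2013 (31 days = 744 hours).
REPORTING_PERIOD = (datetime(2013, 3, 1), datetime(2013, 4, 1))

# Constructed incident records for the period (hypothetical service names).
INCIDENTS = [
    Incident("claims-portal", datetime(2013, 3, 4, 9, 0), datetime(2013, 3, 4, 11, 0)),
    Incident("claims-portal", datetime(2013, 3, 18, 22, 0), datetime(2013, 3, 19, 2, 0)),
    Incident("member-lookup", datetime(2013, 3, 10, 13, 30), datetime(2013, 3, 10, 14, 0)),
    Incident("batch-eligibility", datetime(2013, 3, 25, 1, 0), datetime(2013, 3, 25, 13, 0)),
]

# Hypothetical negotiated SLA targets per service.
SLA_TARGETS = {
    "claims-portal": {"availability_pct": 99.9, "mttr_hours": 2.0},
    "member-lookup": {"availability_pct": 99.5, "mttr_hours": 4.0},
    "batch-eligibility": {"availability_pct": 99.0, "mttr_hours": 8.0},
}


def downtime_hours(incident, period):
    """Outage hours that fall inside the reporting period (clipped at its edges)."""
    start, end = period
    clipped_start = max(incident.opened, start)
    clipped_end = min(incident.restored, end)
    return max((clipped_end - clipped_start).total_seconds(), 0.0) / 3600.0


def service_metrics(incidents, period):
    """Availability (%) and MTTR (hours) per service over the reporting period."""
    period_hours = (period[1] - period[0]).total_seconds() / 3600.0
    by_service = {}
    for inc in incidents:
        by_service.setdefault(inc.service, []).append(downtime_hours(inc, period))
    metrics = {}
    for service, hours in by_service.items():
        total_down = sum(hours)
        metrics[service] = {
            "incidents": len(hours),
            "availability_pct": round(100.0 * (1.0 - total_down / period_hours), 3),
            "mttr_hours": round(total_down / len(hours), 2),
        }
    return metrics


def sla_report(metrics, targets):
    """Compare measured values with targets; worst-performing services first."""
    rows = []
    for service, m in metrics.items():
        target = targets[service]
        missed = []
        if m["availability_pct"] < target["availability_pct"]:
            missed.append("availability")
        if m["mttr_hours"] > target["mttr_hours"]:
            missed.append("mttr")
        rows.append({
            "service": service,
            **m,
            "missed": missed,
            "availability_gap": round(target["availability_pct"] - m["availability_pct"], 3),
        })
    # Most missed targets first, then the largest availability shortfall.
    rows.sort(key=lambda r: (-len(r["missed"]), -r["availability_gap"]))
    return rows


if __name__ == "__main__":
    for row in sla_report(service_metrics(INCIDENTS, REPORTING_PERIOD), SLA_TARGETS):
        print(f"{row['service']:<18} avail={row['availability_pct']:.3f}% "
              f"mttr={row['mttr_hours']:.2f}h missed={row['missed'] or 'none'}")
```

Two design points worth noting: outages are clipped to the reporting period so an incident that straddles month end is not counted twice, and a service that had no incidents in the period does not appear in `service_metrics` at all (MTTR is undefined for it), so a production report should list such services separately at 100% availability rather than silently omit them.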

- 31 -

Change Management

Governing IT Changes:
• Change Advisory Board (CAB)
• Production Operations Group (POG)
• Reliability Committee

- 32 -

Release Management

Ad Hoc (2006)
• Multiple tools
• Multiple source code libraries
• Multiple release methodologies

Mainframe (2009)
• CA Endevor
• All mainframe source code libraries in Endevor
• Standard code development lifecycle
• Standard release methodology

Distributed (2013)
• Serena Dimensions
• Distributed source code for financially significant apps
• Standard code development lifecycle
• Standard release methodology

- 33 -

Measurements and Lessons Learned

It is not the strongest among the species that survive nor is it the most intelligent. It is those that are most adaptive to change.

Charles Darwin

- 34 -

Increase in Availability

• Intentionally left blank

- 35 -

Mean Time to Repair (in hours)

• Intentionally left blank

- 36 -

IT General Controls Maturity level

• Intentionally left blank

- 37 -

Initial COBIT Maturity Assessment

• Intentionally left blank

- 38 -

Current COBIT Maturity Assessment

• Intentionally left blank

- 39 -

Lessons Learned
PEP Program (ITIL/COBIT)
Key Leadership Principles for Creating and Sustaining a Successful IT Governance Culture and Environment

• Make Tradeoffs - One size does not fit all. When is enough, enough?
• Proactively Design and Manage - Take smaller steps; avoid over engineering
• Commitment & Provide the Right Incentives - 30% Process; 70% People
• Assign Ownership & Accountability - Get and keep leadership commitment

- 40 -

IT Governance

- 41 -

Thank you for your attention! Any Questions?

- 42 -

Contact Details

Pam Nigro, CRMA, CISA, CGEIT, CRISC
Manager, Internal Controls and IT Risk
pam_nigro@bcbsil.com

Health Care Service Corporation (HCSC) is a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association operating Blue Cross and Blue Shield of Illinois, Texas, New Mexico, and Oklahoma.

- 43 -

Appendix

- 44 -

Why Implement ITIL?
Circle of Perspectives

1. Financial Perspective: Operational excellence focus to drive down costs. Bottom Line: IT can “do more, with less”
2. Customer Perspective: Enable a single point of accountability; align internal metrics to reflect IT user experience
3. Business Perspective: Manage increasing IT service complexity; create a common vocabulary for communication
4. Learn & Growth Perspective: Break down organizational silos with process focus; leverage industry accepted “best practices” and do not re-invent the wheel

- 45 -

Control Maturity

Columns: People / Process / Technology / Maturity Model

Level 1 - Unreliable
People: No Responsibility
Process: No Policy; No Procedures; Missing Control Design
Maturity Model: Non Existent

Level 2 - Informal
People: Informal Responsibility; New Personnel; Non-Routine
Process: Informal/Ineffective Policy; Informal/Ineffective Procedures; Informal/Ineffective Control Design; Informal/Ineffective Control Activity
Technology: Manual
Maturity Model: Initial / Ad-Hoc

Level 3 - Standardized
People: Formal Responsibility; Adequate Personnel; Routine
Process: Formal/Effective Policy; Formal/Effective Procedures; Formal/Effective Control Design; Formal/Effective Control Activity
Technology: Manual
Maturity Model: Repeatable But Intuitive

Level 4 - Monitored
People: Limited Automation; Periodic Compliance Testing; Periodic Reporting
Process: Limited Automation; Periodic Compliance Testing; Periodic Reporting; Periodic Update/Change Improvement
Technology: Automated
Maturity Model: Defined Processes

Level 5 - Optimized
People: Automation; Real-Time Monitoring; Daily Reporting
Process: Automation; Real-Time Monitoring; Daily Reporting; As Required Update/Change Improvement
Technology: Automated
Maturity Model: Managed And Measurable