ISACA Indonesia - 9 Sept 2013 - Erik Guldentops - Reflections on Value & Risk in Enterprise Governance of IT

Uploaded by rahmatmoelyana, posted 21 May 2015. Category: Technology.

DESCRIPTION

ISACA Indonesia Special Technical Session, 9 September 2013 at Gran Sahid, Jakarta, Indonesia, featuring Prof. Erik Guldentops, CISA, CISM

TRANSCRIPT

Page 1: ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk Enterprise in Governance of IT - shared

EG – Sep 2013 – page 1 of 60

REFLECTIONS ON RISK AND VALUE IN ENTERPRISE GOVERNANCE OF IT

A story of risk, value, uncertainty, aircraft carriers, racing cars and sailing trips.

ISACA Indonesia Expert Event, September 2013

Erik Guldentops, Antwerp Management School, Belgium

EG – Sep 2013 – page 2 of 60

RISK AND VALUE

Positioning risk and value within enterprise governance of IT

ISACA Indonesia Expert Event, September 2013


EG – Sep 2013 – page 3 of 60

Enterprise Governance of IT

Top management needs to know that IT is:

º Likely to achieve its objectives
º Resilient enough to learn and adapt
º Judiciously managing its resources
º Appropriately recognising opportunities
º Obtaining enterprise value from IT-enabled business initiatives
º Applying “due care” about IT-related risks

From “The IT Governance Briefing”, ITGI. www.isaca.org

[Figure: IT Governance Domains diagram, with Enterprise Governance of IT at the centre and Resource Management among the domains]

EG – Sep 2013 – page 4 of 60

Enterprise Governance of IT

º Essentially two things
º Risk and Value

From “CobiT5: A Business Framework”, www.isaca.org

[Figure: IT Governance Domains diagram, as on slide 3]


EG – Sep 2013 – page 5 of 60

Enterprise Governance of IT

º Essentially two things
º Risk and Value
º Entirely intertwined

Value = (Benefits – Costs) adjusted for Risk

From “ValIT: Governance of IT Investments”, www.isaca.org

[Figure: IT Governance Domains diagram, as on slide 3]

EG – Sep 2013 – page 6 of 60

IMPLEMENTING IT GOVERNANCE

IT GOVERNANCE

Set objectives
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately

Provide direction

Evaluate performance

IT MANAGEMENT

Translate direction into strategy

Translate strategy into action
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability & compliance)

Measure and report performance

www.isaca.org


EG – Sep 2013 – page 7 of 60

IMPLEMENTING IT GOVERNANCE

EG – Sep 2013 – page 8 of 60

IMPLEMENTING IT GOVERNANCE

Are we doing the right things?
Are we doing them the right way?
Are we doing them well?
Are we getting the benefits?
Are we governing things properly?


EG – Sep 2013 – page 9 of 60

IMPLEMENTING IT GOVERNANCE

The Board: providing high-level direction and control.

Executive Management: translating direction into plans, focussing on the bottom-line results.

Line Management: translating plans into action and ensuring adequate performance.

EG – Sep 2013 – page 10 of 60

IMPLEMENTING IT GOVERNANCE

The engines of IT Governance

Where do we want to be? Objectives / IT Strategy

What are we doing to achieve them? Portfolio / IT Business Cases
• Programmes
• Projects
• Services
• Resources

How do we know we are progressing? IT Scorecards
• Delivery Performance
• Service Quality
• Resource Utilisation
• Benefits Realisation
• Risk Reduction


EG – Sep 2013 – page 11 of 60

IMPLEMENTING IT GOVERNANCE

Why invest in better governance of IT Risk and IT Value?

[Chart: Management Practices Score (y-axis) against Intensity of IT deployment (x-axis); labelled values 0, +2%, +8% and +20%]

McKinsey & London School of Economics surveying 100 companies – Oct 2005

EG – Sep 2013 – page 12 of 60

RISK AND VALUE

How well are we doing in respect of minimising risk and optimising value of IT?

ISACA Indonesia Expert Event, September 2013


EG – Sep 2013 – page 13 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

[Image: “One thousand 1000,-”]

EG – Sep 2013 – page 14 of 60

RISK AND VALUE

How well is the industry doing in respect of minimising risk and optimising value of IT?

ISACA Indonesia Expert Event, September 2013


EG – Sep 2013 – page 15 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

ITGI, ING and IBM – 2006 – in support of ValIT

EG – Sep 2013 – page 16 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

ITGI, ING and IBM – 2006 – in support of ValIT


EG – Sep 2013 – page 17 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

[Figure: benefit realisation chain: Programme design and initiation, IT Solution Delivery, IT Operational Implementation, Business changes, Business integration, Business Operation, Benefit Realisation; IT Service Delivery runs alongside. One stage is marked ✓ and three are marked ✗]

EG – Sep 2013 – page 18 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

Hope is not a method!


EG – Sep 2013 – page 19 of 60

How are we doing about Value?

ROI as expected in the Business Case:

Budgeted ROI = (Expected Benefits – Expected Budget) / Expected Budget × 100% = (€114m – €100m) / €100m × 100% = +14%

Actual ROI allowing for typical solution delivery performance (SDP):

Actual ROI = (€114m × 84% × 1/1.12^0.5 – €100m × 124%) / (€100m × 124%) × 100% = –38%

Corrections applied:
• Functionality achieved –16% (benefits × 84%)
• Budget overrun +24% (budget × 124%)
• Approximately 6 months delay, so benefits discounted at 12% after-tax rate

[Chart: cumulative cash flow (€) against time; curves for Expected ROI = 14% and Actual ROI after SDP corrections = –38%; Expected Benefits €200m]

We don’t learn from our past

EG – Sep 2013 – page 20 of 60

How are we doing about Value?

We don’t learn from our past

[Chart: Correction in the business case (y-axis, –5 to 20) against Solution Delivery Performance (x-axis, 4.5 down to 2); theoretical curve, empirical curve and the “good fit” region]
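The ROI arithmetic of slide 19 and the "correction in the business case" of slide 20, worked through as an added example; this is not code from the presentation. The business-case inputs (€114m benefits, €100m budget, 84% functionality, +24% overrun, six months delay at 12%) are the slide's; the conventions are assumptions: delayed benefits are discounted as 1/(1 + rate)^years, and the corrected ROI is taken relative to actual spend. Under those conventions the slide's inputs give about –27%; the slide reports –38%, and the extracted formula does not show unambiguously which discounting convention produced that figure, so the code is a calculator for the method rather than a reproduction of that one number. The `required_expected_benefits` helper (a name chosen here) inverts the calculation: given the typical delivery performance seen in the past, how much a business case has to promise to still meet its target after the corrections.

```python
"""Business-case ROI before and after solution-delivery-performance (SDP)
corrections, following the structure of slide 19.

Added example, not code from the presentation. Assumed conventions:
delayed benefits are discounted as 1 / (1 + rate) ** years, and the
corrected ROI is expressed relative to the money actually spent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessCase:
    expected_benefits: float  # EUR m, as promised in the business case
    expected_budget: float    # EUR m, as budgeted


@dataclass(frozen=True)
class DeliveryPerformance:
    """Typical SDP corrections; the defaults mean 'delivered exactly as planned'."""
    functionality_achieved: float = 1.0  # 0.84 = 16% of the scope not delivered
    budget_overrun: float = 0.0          # 0.24 = spend was 124% of budget
    delay_years: float = 0.0             # 0.5 = benefits start six months late
    discount_rate: float = 0.0           # after-tax rate applied to the delay


def budgeted_roi(case: BusinessCase) -> float:
    """ROI as stated in the business case: (benefits - budget) / budget."""
    return (case.expected_benefits - case.expected_budget) / case.expected_budget


def delay_factor(perf: DeliveryPerformance) -> float:
    """Discount factor for benefits arriving delay_years late (assumed convention)."""
    return 1.0 / (1.0 + perf.discount_rate) ** perf.delay_years


def corrected_benefits(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """Benefits after the scope shortfall and the delay discount."""
    return case.expected_benefits * perf.functionality_achieved * delay_factor(perf)


def corrected_cost(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """Actual spend after the budget overrun."""
    return case.expected_budget * (1.0 + perf.budget_overrun)


def corrected_roi(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """ROI after SDP corrections, relative to actual spend (assumed convention)."""
    cost = corrected_cost(case, perf)
    return (corrected_benefits(case, perf) - cost) / cost


def required_expected_benefits(case: BusinessCase, perf: DeliveryPerformance,
                               target_roi: float) -> float:
    """Benefits a business case must promise so that, after the typical SDP
    corrections, it still delivers target_roi: the 'correction in the business
    case' of slide 20, obtained by solving corrected_roi == target_roi for
    expected_benefits."""
    cost = corrected_cost(case, perf)
    return cost * (1.0 + target_roi) / (perf.functionality_achieved * delay_factor(perf))


# Inputs taken from slide 19 (EUR m); the SDP figures are the slide's corrections.
SLIDE_CASE = BusinessCase(expected_benefits=114.0, expected_budget=100.0)
SLIDE_SDP = DeliveryPerformance(functionality_achieved=0.84, budget_overrun=0.24,
                                delay_years=0.5, discount_rate=0.12)

if __name__ == "__main__":
    print(f"budgeted ROI:  {budgeted_roi(SLIDE_CASE):+.1%}")
    print(f"corrected ROI: {corrected_roi(SLIDE_CASE, SLIDE_SDP):+.1%}")
    needed = required_expected_benefits(SLIDE_CASE, SLIDE_SDP, target_roi=0.14)
    print(f"benefits needed to still reach +14% after SDP: EUR {needed:.1f}m")
```

With no corrections the two functions agree, which is the check that the corrected formula reduces to the budgeted one; with the slide's corrections the promised +14% turns negative, and the inversion shows the business case would have had to promise roughly €178m of benefits to survive the typical delivery performance.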


EG – Sep 2013 – page 21 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

CIONet and ISACA – Survey of 56 CIO’s – Aug 2009

EG – Sep 2013 – page 22 of 60


EG – Sep 2013 – page 23 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

CIO/CEO Discussion topics by priority – CIONet and ISACA Survey Aug 2012 of 90 CIO’s

[Table: rows Cost, Effectiveness, Agile/Innovation, Risk; columns Depth, Frequency, Mechanism; cell values not recoverable]

EG – Sep 2013 – page 24 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

CIO/CEO Discussion topics by priority – CIONet and ISACA Survey Aug 2012 of 90 CIO’s

[Table: rows Cost, Effectiveness, Agile/Innovation, Risk; columns Depth, Frequency, Mechanism; as on slide 23]


EG – Sep 2013 – page 25 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

List of IT Outsourcing Risks from one of the most important academic sources on the subject

EG – Sep 2013 – page 26 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

[Figure: the listed outsourcing risks placed against THREAT, VULNERABILITY and IMPACT: Lack of appropriate governance, Unhappy users, Biased portrayal by vendor, Low process maturity, Hidden costs]

RISK = an important threat that, applied to an applicable vulnerability, results in a significant business impact

Risk Scenarios: an important mechanism for risk management, and especially to debate and decide on risk relevance and mitigation


EG – Sep 2013 – page 27 of 60

The right terminology?

[Figure: risk management process: Resource Assessment → Threat Assessment → Vulnerability Assessment → Risk Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up]

EG – Sep 2013 – page 28 of 60

The right terminology?

[Figure: risk management process, as on slide 27]

I. Threat
a. Unintentional
5. Acts of God
6. Accidents
7. Errors of Omission
8. Errors of Commission
b. Intentional
9. Fraud
10. Damage
11. Sabotage


EG – Sep 2013 – page 29 of 60

The right terminology?

[Figure: risk management process, as on slide 27]

II. Vulnerability
a. Inherent Susceptibility
1. Type of Business (internal)
2. Environment (external)
b. Control Deficiency
3. Absence of Controls
4. Ineffectiveness of Controls

EG – Sep 2013 – page 30 of 60

The right terminology?

[Figure: risk management process with Risk Assessment renamed Impact Assessment: Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up]

III. Impact
a. Tangible
12. Financial
13. People
b. Intangible
14. Reputation
15. Business Continuity
16. Competitiveness


EG – Sep 2013 – page 31 of 60

The right terminology?

[Figure: risk management process: Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up]

I. Vulnerability
a. Inherent Susceptibility
1. Type of Business (internal)
2. Environment (external)
b. Control Deficiency
3. Absence of Controls
4. Ineffectiveness of Controls

II. Threat
a. Unintentional
5. Acts of God
6. Accidents
7. Errors of Omission
8. Errors of Commission
b. Intentional
9. Fraud
10. Damage
11. Sabotage

III. Impact
a. Tangible
12. Financial
13. People
b. Intangible
14. Reputation
15. Business Continuity
16. Competitiveness

IT Risk Analysis: Threat Assessment + Vulnerability Assessment + Impact Assessment → RISK

EG – Sep 2013 – page 32 of 60

The right focus?

[Chart: Insiders 70, Collusion 25, Outsiders 5]

Based on combined sources from 2006
• ISF, E&Y, CSI etc.

Note: Within the largest group ‘Internal Errors & Omissions’ there are significantly more errors of commission than omission.


EG – Sep 2013 – page 33 of 60

The right focus?

1. Just over one third is theft, either
◦ in collusion with outsiders (22%)
◦ by insiders (10%)
◦ by outsiders (3%)
2. Just under one third is errors by commission
◦ no or bad instructions
◦ wrong instructions
◦ wrong examples
3. Well under one third is errors by omission
◦ awareness, training & education
◦ discipline & motivation
◦ remuneration & enforcement

EG – Sep 2013 – page 34 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?


EG – Sep 2013 – page 35 of 60

Developing IT Risk Scenarios

Scenario table columns: Nr | Description | Probability of Occurrence (H, M, L) | Impact (H, M, L)

Description template: <an important business impact caused by a significant threat exploiting an applicable vulnerability>

Example scenarios (T = threat, V = vulnerability, I = impact):
• Vandalism to the production chain (V) by disgruntled employees (T) results in delivery of faulty products (I)
• Faulty products delivered to customers (T) is followed by litigation (V) resulting in fines and lawyer fees (I)
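The scenario form on this slide, and the definition two slides earlier that a risk needs a threat, a vulnerability and an impact, can be turned into a small check: parse the (T)/(V)/(I) tags out of each description, reject scenarios that lack one of the three, and rank the complete ones by probability and impact. This is an added example, not code from the presentation; the tag convention is the slide's, while the 1-3 scoring of H/M/L, the function names, the third sample scenario and all the H/M/L ratings are constructed for the example.

```python
"""Parse, check and rank IT risk scenarios written in the tagged form of the
slide above, where each clause ends in (T) threat, (V) vulnerability or
(I) impact. Added example, not from the presentation: the tag convention is
the slide's; the H/M/L scoring, the function names and the sample ratings
are assumptions made here.
"""
import re
from dataclasses import dataclass

TAG_RE = re.compile(r"(.+?)\s*\((T|V|I)\)")
REQUIRED = {"T", "V", "I"}
LEVELS = {"L": 1, "M": 2, "H": 3}
# Leading connector words belong to the sentence, not to the component.
CONNECTORS = ("is followed by ", "resulting in ", "results in ", "by ")


@dataclass
class Scenario:
    nr: int
    description: str
    probability: str  # H, M or L
    impact: str       # H, M or L

    def __post_init__(self):
        for level in (self.probability, self.impact):
            if level not in LEVELS:
                raise ValueError(f"rating must be H, M or L, got {level!r}")


def parse_components(description: str) -> dict:
    """Map each tag present in the text to its clause, e.g. {'T': '...'}."""
    found = {}
    for clause, tag in TAG_RE.findall(description):
        clause = clause.strip(" ,;")
        for connector in CONNECTORS:
            if clause.lower().startswith(connector):
                clause = clause[len(connector):]
                break
        found[tag] = clause
    return found


def missing_components(description: str) -> list:
    """Tags the scenario lacks; a complete scenario returns []."""
    return sorted(REQUIRED - set(parse_components(description)))


def score(scenario: Scenario) -> int:
    """Probability x impact on the 1..3 scale; 9 is the worst case."""
    return LEVELS[scenario.probability] * LEVELS[scenario.impact]


def prioritise(scenarios):
    """Split into complete scenarios (ranked, highest score first) and
    incomplete ones, which should be rewritten rather than ranked."""
    complete = [s for s in scenarios if not missing_components(s.description)]
    incomplete = [s for s in scenarios if missing_components(s.description)]
    complete.sort(key=lambda s: (-score(s), s.nr))
    return complete, incomplete


# Constructed register: rows 1 and 2 are the slide's scenarios, row 3 is a
# constructed one that names no vulnerability. The H/M/L ratings are made up.
SCENARIOS = [
    Scenario(1, "Vandalism to the production chain (V) by disgruntled employees (T) "
                "results in delivery of faulty products (I)", "M", "H"),
    Scenario(2, "Faulty products delivered to customers (T) is followed by litigation (V) "
                "resulting in fines and lawyer fees (I)", "L", "H"),
    Scenario(3, "Storm damage to the data centre (T) halts order processing (I)", "L", "M"),
]

if __name__ == "__main__":
    ranked, rejected = prioritise(SCENARIOS)
    for s in ranked:
        print(s.nr, score(s), parse_components(s.description))
    for s in rejected:
        print(s.nr, "incomplete, missing", missing_components(s.description))
```

The rejected list is the useful output for a risk workshop: a scenario that names a threat and an impact but no vulnerability (or any other missing element) cannot be debated for relevance or mitigation in the sense of the earlier slide, so it goes back for rewriting instead of being scored.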

EG – Sep 2013 – page 36 of 60

Enterprise Governance of IT

How are we dealing with Risk and Value?

For both risk and value, accept uncertainty and deal with it!


EG – Sep 2013 – page 37 of 60

Enterprise Governance of IT

How should we be dealing with Risk and Value?

º Simple model
º Clear responsibilities and accountabilities
º Monitor, direct and evaluate
º Tools: Scorecards and Business Cases
º Structured interactions

EG – Sep 2013 – page 38 of 60

Enterprise Governance of IT

How should we be dealing with Risk and Value?

º Manage uncertainty
º Portfolio management of all major initiatives
º Business cases take into account past history, all activities to achieve the benefits and the full economic lifecycle of the initiative
º Business cases assign clear accountabilities and are continuously kept up to date
º Focus on initiatives that fit with strategy, reuse resources and have top management’s support


EG – Sep 2013 – page 39 of 60

Enterprise Governance of IT

How should we be dealing with Risk and Value?

º Accept and manage uncertainty
º Define risk tolerance at the top
º Continuous pragmatic approach
º Identification, awareness, responsiveness
º Less focus on big risks and more on day-to-day value preservation
º Clarity of definitions and concepts and the use of risk scenarios
º Awareness of bias (capability, subjectivity, sensational)