IT Governance in Banks, May 2014
USAID Finance for Economic Development (FED) Program
Workshop: “IT Governance in Banks”
May 27, 2014
IT Governance: Why, How, When…
Komitas Stepanyan, PhD, CRISC, CMRM
CobIT Foundation Certificate
YEREVAN - 2014
Agenda
Introduction
The problem
Management Expectations of IT
IT management challenges
Key risk
Framework
Implementation Guidance
Does IT Work as Needed? Statistics…
The IT aspects of CG are one of the things that CEOs think they don’t have to understand - until it bites them! (Piter Morriss - KPMG)
Over 80% of IT projects are delivered late and over budget. (Standish Group – Oct 2006)
Nearly 60% of all IT projects are delivered with less functionality than originally promised. (Standish Group – Mar 2007)
Less than 5% of projects fail due to technical reasons – Nearly all obstacles are related to poorly defined requirements, poor sponsorship, weak management controls or all of the above. (Gartner Group – May 2006)
More than 25% of IT projects usually fail. (Gartner Group – May 2006)
Facts…
“IT Governance is the responsibility of the Board of Directors and executive management.
It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
IT Governance Institute Board Briefing, Second Edition, 2003
Strategic Alignment
Value Creation
Risk Management
Resource Management
Performance Measurement
Plan & Organize
Acquire & Implement
Deliver & Support
Monitor
Management/Business Expectations of IT
Information Technologies
- What does management expect from IT?
- What is IT at all?
- How to use it?
- How to manage it?
- How to be sure everything works as needed?
- How to measure results?
It’s time to open the “Black Box”…
It’s time to recognize and manage complexity
Information management challenges
Information systems are only successful if they are used.
How the organization will operate
How the information systems themselves will work.
Apply good IT (and not only IT) risk management to ensure success
Key risk
Time and budget overruns
Ineffective IT Investments
Misalignment between IT and Business
Useless IT systems
Anachronistic IT systems
The psychology/sociology of Failed Systems
Inconsistent materials
Work overloads
Lack of measures & defined processes
Cascading rework
Siloed functional processes
Inconsistent procedures for identical tasks
Unintegrated best practices
CobIT Framework
Management’s IT Expectations
Management’s IT Responsibilities
Management Needs COBIT
To Benchmark Existing and Future IT Environment
To Evaluate IT Investment Decisions
To Balance Risk and Control of Investment
“76% of various CEOs and CIOs are aware of the benefits offered by IT governance frameworks, yet only 42% of them had any intention of implementing such a framework” (Loggerenberg 2006)
[Figure: CobIT Cube. Dimensions: Business Requirements; IT Processes (Domains: PO, AI, DS, M; Processes; Activities); People, Application, Information, Infrastructure]
Who Benefits from More Effective and Sustainable IT Governance?
What Executives Get
– Business improvements that result from knowledgeable participation in IT decision-making from an enterprise perspective
– Ensures that key IT investments support the business and provide optimum returns to the business
– Ensures compliance with laws and regulations
What Mid-Level Business Managers Get
– Convinces senior business managers that their combined business-IT resources are being managed effectively
– Helps to ensure that business services for which they are responsible will meet commitments
What Senior IT Managers Get
– Obtains sponsorship and support and a clear focus on important strategic and operational initiatives
– Improves customer relationships by delivering results in a more predictable and consistent manner, with the involvement of the customer
What Program/Project and Operations Managers Get
– Helps in resolving issues, reviewing progress and enabling faster decisions
What Everyone Gets
– Facilitates communications about how IT contributes to the business
– Improves coordination, cooperation, communications and synergy across the organization
– Less stress
How To Implement CobIT in an Organization
Top Down Approach
Audit Committee Approach
Audit and IT Management Consensus Approach
Regulation/Legislation
Getting Started – Board and Executive Questions for IT
Does the IT strategy align with the business strategy?
Is the IT investment justified based on its contributions to the business?
How likely will IT meet or exceed its plans, objectives and initiatives?
Is IT being managed prudently and effectively? How is that measured?
How is IT delivering value?
Is IT developing and maintaining constructive relationships with customers, vendors and others?
Is IT delivering projects and services on time, within scope, within budget and with high quality?
Is IT staffed adequately, with the right skills and competencies?
How does IT management and operations compare to other best practice organizations?
How is IT managing and planning for contingencies, disasters, security, and backup?
How is IT measuring its performance? What key performance measures?
Does the Board review and possibly approve the IT strategy?
Is a risk management policy, assessment and mitigation practice followed for IT?
To Adopt CobIT, Who Needs To Be Influenced?
Chief Executive (e.g., CEO)
Senior IT Executive (CIO or VP of IT)
IT Steering Committee
IT Management
Business managers
CobIT Maturity Model
0 Nonexistent
1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimised
How do you know where you are?
[Figure: CB RA Case, Before CobIT Implementation]
[Figure: CB RA Case, After CobIT Implementation]
[Figure: CB RA Case, After CobIT Implementation - 2011]
[Figure: Process Maturity By CobIT. Axes: IT Processes, Maturity level. Series: AVRG IT, AVRG IT & IT Audit, IT Audit, Benchmark]
Summary
• IT governance is a broad and complex topic with many parts
• Clearly defined roles, ownership and accountability
• IT governance is an integral part of corporate governance
• IT governance is a journey and not only a destination
Discussion
To be or NOT to be?
IT Governance or NOT IT Governance?
Business and IT’s Perpetual Disconnect
AT Kearney, from a survey conducted in December 2001, report that only 17% of businesses had IT strategies that were "fully aligned and developed simultaneously" with corporate strategy.
Furthermore, 45% of participants did not feel that their IT strategies were developed to support or align with their corporate strategy.
Fact: The Corporate Alignment Profile most often shows IT as the most unaligned group.
CEOs Seeking a Solution
The IT Governance Global Status Report (2004) found that 80%+ of CEOs recognised that “IT Governance or some form thereof is required” to resolve “IT issues”.
The Report also found that 57% of CEOs looked to IT Governance to align IT strategy (and 53% to manage IT risks).
However the Report concluded that “solutions in this domain are not yet available”.
What CIOs Want?
The top benefits CIOs were hoping to achieve:
Increased IT credibility with the business (81%);
Closer alignment between IT and business objectives (69%);
Improved teamwork between IT and internal business partners (68%);
Improved ability for CIO to influence the business (46%).
CIO Research Reports. June 1, 2005. Turning IT Doubters into True Believers
http://www2.cio.com/research/index.cfm
The Pieces of CobIT
Executive Summary - Senior Executives (CEO, CIO)
Framework - Senior Operational Management (Directors of IT)
Control Objectives - Middle Management (Mid-Level IT Management)
Audit Guidelines - Line Management (Applications or Operations Management)
Management Guidelines - Operational Management, Director of IS, Mid-Level IT Management
Implementation Tool Set - Director of IS, Mid-Level IS Management
For additional information:
www.isaca.org; www.itgi.org