ITM Governance & Management Controls
CANHEIT Overview Presentation - June 2012
Clark Ferguson, CIO, University of Lethbridge
Agenda
Program Overview
Implementation Overview
Section 1 – Foundation Elements
Section 2 – Strategic Alignment
Section 3 – Risk Management
Section 4 – Value Delivery: IT Financial Management
Section 5 – Value Delivery: IT Human Resources Management
Section 6 – Value Delivery: IT Service Management
Wrap Up
Program Overview
Governance & Management Controls Overview Session

Program
Alberta … Post secondary sector … Information & Technology Management … Control Framework Program
Introduction
• Provincial Office of the Auditor General increasing attention to governance & management controls across public sector
• Alberta Advanced Education & Technology (AET) initiated program and enlisted support of post secondary leaders
• Recognition that all post secondary institutions would need to comply
• Quality of institutional systems would vary based on size of institution and capacity to allocate scarce resources
• Province-wide program with contributions by AET & institutions
• Leveraged program management and specialized consultants to harvest industry and institutional best practices
Achievements
• 26 post secondary institutions (all but 1 or 2) engaged
• 2 years of projects have been successfully completed, with 1 project rescheduled due to quality problems
• Significant involvement of business leaders and IT experts in projects
• Team approach, high quality project deliverables, and strong communications & training have led to rapid adoption
Lessons Learned
• Dedicated program management and expert project consultants freed participating institutions to focus on contribution
• Governance and approval of project and program materials tricky, but with minor rework a successful process was achieved
• Procurement process to contract project experts and careful oversight of their work extremely important
• Joint approach has yielded very high quality deliverables and commitment amongst institutions to share best practices
Business Drivers
• Rising expectations regarding organizational governance
• Concern over generally increasing level of IT expenditure & demand for better return on IT investments
• Need to meet regulatory requirements
• Significance of selection of service provider & management of outsourcing
• Increasingly complex risk associated with information management & related technology
• Need to optimize costs by following standards and best practices
• Growing maturity and acceptance of frameworks and standards
• Need for assessment against standards and peer organizations
There are 5 Points Really!
1. Proper Governance
2. Strategic Alignment
3. Value Realization
4. Risk Management
5. Resource Optimization
Initiated a Program to…
Collaboratively develop a system-wide control framework for managing information and related technology that will assist with the implementation of strategic priorities, policies and principles through:
◦ Common best practice controls that are modifiable, scalable and implementable
◦ A shared content management system that will foster ongoing collaboration and effectively manage the control life cycle
Standards
Translating Theory into Reality!
[Diagram: Legislation, COBIT, ISO 2700x, PMBOK and ITIL as inputs to the ITM Control Framework; axes labelled WHAT / HOW and SCOPE OF COVERAGE]
Program Design
Post-Secondary System ITM Control Framework
Year 1 (2010): Control Framework & Policies Project (June 2010); Privacy Project (November 2010); Change Management Project (October 2010); Governance Project (April 2011); Content Mgmt. System Project (April 2012)
Year 2 (2011): Information & Technical Management (December 2011); Enterprise Architecture (rescheduled to Year 3); Identity Management & Information Security (December 2011)
Year 3 (2012): Information Management (February 2013); Technology Management (February 2013); Enterprise Architecture (February 2013)
Year 4 (2013): Information Management ... Continued (August 2013); Wrap-up Project (December 2013)
Legend: Complete / In progress
Participation
Volunteers from the Institutions
Program designed to provide opportunity to volunteer:
◦ Working Group = 6-12 hours/month
◦ Key Stakeholders = 2-4 hours/month
◦ Project Steering Committee = 2 hours/month
Composition impacts legitimacy of deliverables
Committed participants who see the bigger picture
Collaboration Benefits
• PSS expert body of knowledge
• Relationships
• Synergy
• Sharing and capture of knowledge
• Bleeding edge
• Ongoing support
• Common foundation for future opportunities
Moving Forward (aka implementation)
• Look at the framework as a whole
• Determine what pieces you need and how ‘deep’ you want to go in each area
• Know your capabilities, capacity, current maturity, resource availability
• Be realistic in your planning
• Assign dedicated people to manage, communicate, train and assist with organizational change
• Don’t underestimate the commitment that's required
• Don’t forget to collaborate
• Keep your eye on the end game
U of L Status
Program: Two business and 3 IT participants in the program work
Section 1 – Foundation Elements: ITM Control Framework leader assigned; ITM policy approved by the Board in May 2012
Section 2 – Strategic Alignment: Developing Fiscal 2014 budget in conjunction with University Strategic alignment
Section 3 – Risk Management: Initiated PCI improvement program; Planning external review of IT Security
Section 4 – Financial Management: Strengthening portfolio management; Developing a consolidated view of full IT spend
Section 5 – HR Management: Conducting key skills review and gap analysis
Section 6 – IT Services Management: Documenting service portfolio; Establishing business relationship management processes
Implementation Overview
Governance & Management Controls Overview Session
Alignment Map
ITM Governance & Management Controls (64 controls):
• Foundation Pieces (17)
• Strategic Alignment (4)
• Risk Management (8)
• Financial Management (6)
• Service Management (26)
• Human Resources Management (3)
Controls Summary

Development of Controls
• Cobit 4.1
◦ Risk IT
◦ Val IT
• ITIL
◦ Service Strategy
◦ Service Design
◦ Continual Service Improvement
• ISO/IEC 20000, ISO 31000
• Web research
Controls derived through ~3,000 hours of synthesis, discussion and adaptation to the post-secondary environment

ITM Control Framework – Implementation Lifecycle
Identify Drivers → Assess Current State → Define Desired Future State → Develop Plan → Execute Plan → Measure Results → Sustain Momentum
Use of maturity models (next slide)

Cobit Maturity Scale
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized
Program Objective: To increase the maturity level of all participating Institutions to a COBIT Maturity Level 3 by June 2014 in the areas where the controls have been implemented within the Institution.
Section 1 – Foundation Elements
Governance & Management Controls Overview Session
Key Concepts
An ITM control framework is a critical part of every institution’s internal control program to mitigate risks and ensure:
◦ Management understands ITM’s role and relevance in the organization
◦ Alignment of investment with the institution mandate and strategic direction
◦ Value delivery
◦ Compliance with external requirements
◦ Continuous improvement re: ITM processes
It is the responsibility of the Board of Governors & executive management to communicate ITM investment objectives and expectations re: control environment and to provide training
Planning and adequate resourcing are essential
ITM Governance Questions
• Are we doing the right things? (the strategic question)
• Are we doing them the right way? (the architecture question)
• Are we getting them done well? (the delivery question)
• Are we getting the benefits? (the value question)
Roles & Responsibilities
Organization Role / Responsibility
Board of Governors
• Oversight regarding strategic alignment, risk management and value delivery of ITM
Executive Committee
• Approval of enterprise-level investment decisions, including adequate funding for development, implementation, communication and training re: ITM controls
ITM Steering Committee
• Approval of ITM Control Framework
• Ensures control environment aligns with institution’s management philosophy and operating style
• Regular assessment of the maturity of the institution’s control processes
CIO
• Overall development and implementation of the control environment
• Reporting on progress/results
Business Managers
• Input to development of the control environment
• Responsibility for operation of many controls
Lifecycle Management of Controls
Institution needs to appoint a ‘custodian’ or manager of the framework and maintain a log of all compliance requirements
Comprehensive procedure required for:
◦ Identifying externally generated requirements in a timely manner
◦ Identifying internally generated requirements
◦ Escalating and resolving issues identified through implementation/operation of the ITM Control Framework
Framework needs to be regularly reviewed
◦ Internal audit
◦ Periodic 3rd party reviews
Provide for approved and documented exceptions to compliance with controls
Section 2 – Strategic Alignment
Governance & Management Controls Overview Session
Key Concepts
Strategic ITM Plan is an integral element of the comprehensive institution plan… not an afterthought!
Performance is measured using an ITM Balanced Scorecard
ITM investments should be managed across the institution in portfolios
Outcomes
◦ Alignment of business, ITM and risk management objectives
◦ Organization, services, application portfolios, technologies, competencies, processes & methodologies are in place to maximize ITM contribution
◦ Bi-directional education & involvement in ITM and business planning
◦ Regular assessment re: ITM contribution to business objectives
◦ Roadmap for addressing future needs
Critical Success Factors
• Clearly articulated institutional vision and priorities
• Planning is considered important and closely linked to institutional budget
• ITM plan is published
◦ Formal communication strategy specific to ITM stakeholders developed with communication strategy for comprehensive institution plan
• ITM governance practices are seen to be effective
◦ Close relationships between ITM and non-ITM organizations and staff
◦ Informal and formal
◦ Communication with and involvement of key constituents, especially faculty and deans
ITM Planning in Context
Comprehensive Institution Plan: Strategic Priorities; Goals & Expected Outcomes; Performance Measures; Financial Plan; ITM Plan; Capital Plan; Institutional Access Plan; Institutional Research Plan
ITM planning steps:
• Plan to Plan (purpose, process, scope)
• Assess Current ITM capability & performance
• Describe Desired ITM Future
• Conduct Gap Analysis
• Articulate Goals, Objectives, Strategies & Measures
• Develop Business Cases for Individual Initiatives
• Categorize by Portfolio and Prioritize
• Adjust Plan as Required
[Diagram of relationships among: Comprehensive Institution Plan, Business Goals for IT, IT Goals, Enterprise Architecture, Balanced Scorecard, Governance Requirements, Business Requirements, Information Services, Information Criteria*, Information, Applications, IT Processes, Infrastructure & People (linked by the verbs deliver, run, need, require, influence, imply)]
* effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
Section 3 – Risk Management
Governance & Management Controls Overview Session
Key Concepts
• ITM risk is business risk
• ITM risk always exists, whether it is detected or recognized
• Management of ITM-related risk is an essential and strategic component of responsible administration and should be integrated into overall enterprise risk management
• Who should be involved?
◦ Board members and senior executives who need to set direction & monitor risk at the enterprise level
◦ Managers of ITM and business departments who define risk management processes
◦ Risk management professionals
◦ External stakeholders
ITM Risk Categories
• ITM benefit risk
◦ Missed opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives
• IT program and project delivery risk
◦ Failure to realize the expected contribution of ITM to new or improved business solutions
• IT operations and service delivery risk
◦ Where performance of IT systems and services does not meet service level expectations
Risk Mgmt. Principles
• ITM risk management always connects to business objectives
◦ Focus is on the business outcome
• ITM risk governance aligns the management of ITM-related risk with overall ERM
• ITM governance should balance the costs and benefits of managing ITM risk
• There should be open communication regarding ITM risk
• Establishment of well-defined risk tolerance levels by the Board and executive management should be coupled with definition and enforcement of personal accountability for operating within tolerance levels
• ITM risk management is continuously improved
ITM Risk Management Framework
Risk Governance: Ensure ITM risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return
◦ Establish & Maintain a Common Risk View
◦ Integrate with ERM
◦ Make Risk-Aware Business Decisions
Risk Evaluation: Ensure ITM-related risks and opportunities are identified, analyzed and presented in business terms.
◦ Collect Data
◦ Analyze Risk
◦ Maintain Risk Profile
Risk Response: Ensure ITM-related risk issues, opportunities and events are addressed in a cost-effective manner, in line with business priorities.
◦ Articulate Risk
◦ Manage Risk
◦ React to Events
The three domains are linked through Business Objectives and Communication.
Risk Appetite
• Risk appetite
◦ Amount of risk the institution is willing to accept in pursuit of its mission: “What level of risk are we comfortable living with?”
◦ Provides context for analysis and response to individual risks by management
◦ Defined/approved by the Board of Governors in terms of frequency and impact
• No absolute norm or standard of what constitutes acceptable risk
◦ Should be clearly communicated to stakeholders and staff through policies and standards
• Consider objective capacity to absorb loss & management culture
Scoping ITM Risk Management Activities
ITM Risk Management Scoping Based on Risk Assessment Results
Very High:
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Quarterly detailed reporting on risk profile
• ...
High:
• Detailed scenario development and frequent maintenance of the risk register
• Independent review of risk analysis results
• Semi-annual detailed reporting on risk profile
• ...
Medium:
• Detailed scenario development for analysis
• Self-assessment and review
• Yearly update and quarterly summary reporting
• ...
Low:
• Self-assessment and review
• Generic scenarios
• Less frequent reporting
• ...
Section 4 – Value Delivery: ITM Financial Management
Governance & Management Controls Overview Session
Key Concepts
• Institution must establish a financial management framework for information and related technology
◦ Approved by the ITM Steering Committee
◦ CIO accountable to the ITM Steering Committee for implementing and monitoring the effectiveness of the framework and ensuring integration with enterprise policies, standards etc.
◦ Should be formally evaluated based on schedule determined by ITM Steering Committee
• Focused on ensuring accountability and transparency re: value contribution and total cost of ownership of information and related technology
• 3 main elements:
◦ ITM budget management, portfolio mgmt. and cost/benefit management
ITM Financial Mgmt. as Process
Inputs: Comprehensive Institution Plan; Enterprise Architecture; Information Security Plan; Strategic ITM Plan; ITM Tactical Plans; Budget; Actual
Process: Financial Management Framework
Outputs: Expenditures vs. Budget Reports; Updated portfolios; Accountability & Transparency re: Value Contribution & TCO through Cost/Benefit Reports
ITM Financial Mgmt. Framework
[Diagram: Financial Management Framework comprising ITM Governance, Business Case Development & Use, ITM Budget Management, Portfolio Management and Cost/Benefit Management; Investment Prioritization within Portfolios across Application Assets + Infra-structure Assets + Information Assets + People Assets + Process Assets + Service Assets]
Budget Management – High-Level Process Elements
1. Define strategic business objectives and determine high-level budget envelopes
2. Develop ITM budget
3. Monitor and report on actual results
4. Develop ITM budget recommendations
Portfolio Management – High-Level Process Elements
1. Define portfolios and sub-categories
2. Determine the investment ‘weight’ of each portfolio or sub-category
3. Develop and use ITM business cases for ITM investment
4. Prioritize investments within portfolios
5. Identify HR needs across portfolios
6. Review and report on project, program and portfolio performance
Section 5 – Value Delivery: Human Resources Management
Governance & Management Controls Overview Session
Key Concepts
• Processes for the management of IT human resources are an essential part of an ITM Control Framework
• CIO (not HR) is responsible for ensuring the institution has an ITM workforce with the skills necessary to achieve organizational and ITM goals
• Main tasks:
◦ Define, monitor and supervise execution of ITM roles & responsibilities
◦ Provide appropriate and sufficient training (technical, internal control and security)
◦ Minimize dependency on key staff
◦ Ensure compliance with organizational policies
◦ Report to the ITM Steering Committee on key issues
Why ITM HR Mgmt. is Important
• Labour costs 30% - 60% of the ITM budget
• Quality of ITM personnel has enormous impact on effectiveness of the service provider organization, end-user satisfaction, optimizing value and proactive use of technology
• Market for highly proficient IT resources is competitive and will get more so – hiring and retaining the best resources will continue to be a critical success factor for the CIO
• Unique aspects to management of IT professionals (pool characteristics, diverse career expectations, training requirements) exacerbate the need for involvement of ITM managers
• Turnover costs are enormous (e.g., 1 – 2 times annual salary)
HR Management as Process
Inputs: Integrated Governance Structure; ITM Organization Chart; ITM Strategic & Tactical Plans; ITM Budget; Business Requirements
Process: IT Human Resource Management
Outputs: IT HR policy and procedures; IT skills matrix; Job descriptions; Staff skills and competencies, including individual training logs; Training plans
IT Human Resources Life Cycle
Start → Determine Personnel Needs → Sourcing → Interviewing → Hiring → Managing
Determine Personnel Needs
• Develop organization chart
• Perform swap analysis & identify personnel gaps
• Determine staffing strategy – contract, permanent, contract-to-hire
• Create final hiring plan
Sourcing
• Permanent & contract candidate sourcing
• Additional screening for permanent hires
• Recruiting funnel
• Working with agencies & technical recruiters
Interviewing
• Interviewing techniques
• Interview team
• Best practices for conducting interviews
• High-volume interviewing
• Interviewing contractors
Hiring
• Finalizing an offer decision
• Checking references
• Ramping up new hires quickly
Managing
• 10% attrition model
• IT staff career development
• Key drivers of staff retention
• Compensation
• Handling layoffs
• Management coaching
• Creating performance plans
Section 6 – Value Delivery: IT Service Management
Governance & Management Controls Overview Session
Key Concept
“The idea of strategic assets is important in the context of good practice in service management. It encourages IT organizations to think of investments in service management in the same way businesses think of investing in production systems, distribution networks, R&D laboratories.
Strategic assets provide the basis for core competence, distinctive performance, durable advantage and qualifications to participate in business opportunities. IT organizations can transform their service management capabilities into strategic assets.”
- ITIL Service Strategy, OGC, 2011
Service Lifecycle
• Service Strategy: Envisioning & conceptualizing the set of services required to achieve business objectives
• Service Design: Designing the services to meet utility & warranty objectives
• Service Transition: Moving services into live production
• Service Operation: Managing services to ensure utility & warranty objectives are achieved
• Continual Service Improvement: Evaluating services & identifying ways to improve their utility & warranty in support of business objectives
ITSM Framework
Service Strategy: Strategy Management; Service Portfolio Management; Financial Mgmt. for IT Services; Service Demand Management; Business Relationship Mgmt.
Service Design: Identify Business Requirements & Drivers; Define Services & Develop Service Catalogue; Educate & Train Users
Service Level Management: Develop SLA Framework, SLAs & OLAs; Monitor Service Performance & Produce Service Reports; Review Service, Instigate Improvements & Update SLAs/OLAs
Supplier Management: Develop & Align Procurement Controls & Select Suppliers; Develop/Manage Contracts & Relationships & Protect Enterprise Interests; Monitor Supplier Performance
Service Continuity: Develop Service Continuity Framework; Develop & Maintain Continuity Plans; Test Continuity Plans; Provide Training on ITM Continuity Plans; Review Plan Effectiveness
ITSM Standard Elements
ITSM Framework Element / Description
• IT Service Strategy: Defining a strategy to deliver services to meet the institution’s business outcomes
• IT Service Design: Procedures for determining, documenting and agreeing upon requirements for new services and documenting them in a service catalogue
• Service Level Mgmt.: Defining SLAs based on customer requirements and IT capabilities, service metrics, roles & responsibilities
• Supplier Mgmt.: Aligning procurement controls with those of the institution, identification & categorization of supplier relationships, developing and managing contracts, protecting IP & monitoring performance
• Service Continuity: Developing a service continuity framework consistent with institution business continuity

Wrap Up
Questions?