Jiri Cejka, Senior Manager, Dipl - El.-Ing, CISA
IT Governance and Risk Management
Jiri Cejka,
Senior Manager, dipl.El.-Ing, CISA
jiri.cejka@is-governance.com
Outline
1. IT Governance Market Issues
Business Management and dependence on IT Technology
IT Governance Situation;
2. Holistic Framework for IT Governance
Approach; Scope
Objectives
– IT Processes: Alignment Business and IT
– IT Risks: Value/Cost Relationship and Risk measurement
– Operational Excellence
Client Benefits
3. Benefits of IT Governance framework
4. IT Governance Services & Methodologies
Risk Management Services
Methodologies and Tools
Jiri J. Cejka 2
1. IT Governance
Market Issues
Business Management and
dependence on IT Technology
Today’s management:
More dependent on IT technology to run its business to
achieve competitive advantage
The IT responsibility of corporate executives is growing:
to ensure that systems and processes are properly
controlled
required level of governance is in place
Businesses are continuously looking towards lower costs
and value-for-money – from all aspects of business
IT is becoming a significant expenditure – second after
staff costs.
Example: What management needs to know
before investing in SW development
Will the investment save us money? What is the project payback period and ROI?
Is this ROI higher than that of the proposed alternative uses for the money?
What are the implications for the business? (business processes, tax)
Situation
Issues to be solved
2. IT Governance
Holistic Framework
Outline
Approach
Value of IT to Business - Examples, View
What do we need
Framework IT Governance - Objectives
Objective 1: Business - IT Alignment; IT Processes Analysis
Objective 2: Value /Cost Relationship; Risks Measures
Objective 3: Operational excellence
Implementation of Infrastructure, Outsourcing
Condition of success
Benefits
Communication channels
Summary of benefits
Value of IT to Business: Examples
To measure value of IT is not a new idea - Examples:
1. What Added Value is your IT giving?
– IT involvement in the business imperatives
– Vision of IT that could be shared by business and IT leaders
What do we need?
The challenge of governing an enterprise's IT has been recognized for
years; however, the results do not give the required level of
alignment and integration.
Objective 2: How to manage Value-
Cost Relationship and IT portfolio?
Goal: “How to institutionalise the developed way of alignment
Business - IT?”
Focus on active management of IT portfolio
The initially developed IT portfolio needs adapting to changed
needs, opportunities and priorities
Objective 2: How to manage Value-
Cost Relationship and IT portfolio?
Step 2. Clarify process for managing the IT portfolio
Annual review, reviews depending on changes
Checkpoints, balance resources
Objective 3: Service management and
Operational Excellence
Goal: “Provide better understanding for management by selecting the
right metrics that drive performance”
Step 1. Identify Elements of Business value
Step 3. Use metrics that are tied closely with business performance
A predefined set of “interesting metrics” is not the right way.
Objective 3: Service management and
Operational Excellence
Example 2: Improve customer focus with installed support sales
system
Metric is ratio assessment of customer satisfaction
Objective 3: Service management and
Operational Excellence
Objective 3: Operational Excellence
Step 1. Divide the overall budget for IT operations and support into a
set of defined products/services
Step 2. All costs to be mapped into valuable business services
Step 3. Measure the productivity in terms of total organization business
orientation:
Classic technical orientation: costs of mainframe, desktop, split into
parts that are difficult to follow by senior management
New approach: Costs directly oriented with business results: cost per
transaction, cost of SCM, personal action.
Benefits Result: Only a few metrics are used, however they are
compelling for senior management:
1-2 value metrics, 1 cost metric and 1-2 service metrics
Implication for Outsourcing
Benchmarking measurement of IT services with external providers
measurement of costs, volumes and quality of services
Further factors - dependency, hidden costs, flexibility
Two frequent factors for outsourcing:
The internal IT organization has failed to achieve cost/value
relationship required by management
Expectation that outsourcer performs task better
However, two risks are frequent:
the data to support these decisions are missing
the approach to evaluate the outsourcer does not exist
The holistic approach developed can help to
Develop appropriate metrics to support necessary analysis
The same tool to be used to measure internal and external service
Management of outsourcing relationship and contracts
Business view: combination of costs, service level and quality
Implementing the IT Governance
Framework
3. Benefits IT Governance
Benefits of IT Governance
framework
Benefit 1: Communication between
Business and IT groups
Senior Business management
Business improvement that results from their knowledgeable participation
in IT decision making
Mid-level Business manager: not sure that the IT function will
justify the given resources
1. Win: IT governance management framework and tool to
communicate with senior management
2. Win: to help communicate with IT management to ensure that
business services they are responsible will meet commitments
Senior IT manager
1. Win: Communicate with senior business managers
2. Win: Communication with IT staff
Clear focus on important strategic and operational issues
Project and Product Service managers - proposed framework helps to
explain the IT issue in business terms
develop realistic “service contracts”
Benefit 2: Communication between
Business and IT groups
Summary of Benefits of
IT Governance framework in place
4. IT Governance and Risk Management
Services, Methodologies
Services
Methodologies and Tools
IT Governance Environment
Value for money:
is management getting value for money from their IT spend / IT
skills? is IT addressing the business strategy?; IT accountability;
KPIs in the business; managing constant change in IT; and project
directors increasingly being major budget holders.
Internal audit:
Internal IT audit skills
outsourcing of internal audit
Technology:
imaging, data capture and electronic document management; use of
the internet; and knowledge management.
Corporate Governance:
Governance of controls and risk self assessment
Initiatives on control and risk self assessment.
Governance Services
Either in terms of the target of the review/advice, or the readership
of the report
Outsourcing:
continued outsourcing of IT (service level agreements);
outsourcing security administration; third party reviews.
Regulation:
Regulatory authority reviews; privacy/data protection laws;
Software licensing laws; Ethical IT; and health, safety and
environment issues.
Transactions:
Transaction Services, Corporate Finance;
Increased focus on IT security in commercial sector - new security
techniques.
Governance Methods and Tools
Project:
– Project Risk Assessment: Project management Methodology (PMM)
– Project management Control Method: Rational Unified Process (RUP)
Business Management Process BMP
BMP is about assessing the risk our clients face. Business risks
are diverse and constantly changing:
as the business world becomes more and more reliant on
technology, technology risks become critical to manage
there are many points within the BMP audit at which the
technology component of business risk is addressed
Equations:
Business risk = Audit risk
Technology Risk = Audit risk
BMP's added value: assessing client risk in all its forms and
delivering more valuable business solutions to meet the client's diverse
needs.
Strategic Analysis
Process flow (figure):
1. Review Background Information
2. Understand Bus. Objectives, Strategy & Technology Use
3. Identify Significant Strategic Risks
4. Review Findings and Conclusions
5. Document Findings and Conclusions in Workpapers
Business Performance Analysis BPA
Focused area:
risk assessment and process analysis,
utilising information on key performance indicators.
Strategic and Process analysis, Testing control.
Approach
involves identifying and gaining an understanding of the client's key
processes for identifying business risks,
understanding how the client mitigates risk.
Process flow (figure):
1. Perform BPA for Key Processes that are Highly Techn. Dependent
2. Assist in BPA for Key Processes that are Technically Dependent
3. Review Findings and Conclusions
4. Document Findings and Conclusions in Workpapers
Business Performance Improvement BPI
BPI: Visualization of Perspective
using Balanced Score Card (BSC)
Financial Perspective
How do we appear to our shareholders? What financial outcomes
do we need to generate?
• Critical Success Factors
• Performance Indicators
• Targets
How should we appear to our customers?
Process/Product Perspective
What business processes must we excel at to satisfy our
customers and owners? Are these processes effective (i.e. adding
value for customers)? Are they efficient?
• Critical Success Factors
• Performance Indicators
• Targets
Are we able to sustain innovation, change and improvement? How will
we maintain our ability to meet customer expectations?
BPI Approach: Process Improving
Process Impact Analysis (figure): Business Processes against Critical Success Factors
Critical Success Factors:
1. “Best-in-class” product delivery times
2. Long-term customer loyalty and satisfaction
3. Rapid development and launch of new products
4. Highly accurate customer orders
5. Consistently competitive pricing
Business Processes (values for Critical Success Factors 1 to 5):
Define: 9, 7, 1, 6, 9
Develop: 2, 5, 2, 3, 4
Market: 2, 8, 5, 2, 4
Account: 8, 2, 3, 9, 6
Identify focused areas
Process Workflow (figure): Total Elapsed Time; Customer
Visualization of bottlenecks
The new system must process over 30,000 documents/year.
• Reduced hand-offs
Table (last column: Risks or constraints):
• Enable Assembly Clerks to sort and classify claim forms | Reduced bottlenecks; Greatly increased productivity | Requires retraining of staff | May require additional resources
• Create an electronic catalogue | Improved quality of reports | The cost of enabling this | Requires method for updating
• Process ID cards in Sales Offices (may require additional printers) | Reduced delays to process and print cards | Cost of forty new printers for ID cards at a cost of $2,000 each, plus installation/tests (~$10,000). | Requires additional time to install printers in offices
Risk Assessment Methods
IT Risk Management Benchmark
ITRMB
Scope:
provide an objective means of reviewing the risks in relation to use
of IT, and ensure that they are being controlled
provide a means of benchmarking organisation’s key IT Risks and
Controls against other organisations;
review organisations' IT Controls against the BS7799.
Benefits:
Substantiate issues reported to management
Allow management to benchmark corporate performance in the
fields of IT risk and IT controls.
Provide a high level assurance to management of their compliance
with the British Standard on IS Management;
Allow management to benchmark internally, i.e. between different
operations.
Project Risk Assessment
Scope of Process:
involves the identification, analysis, management and monitoring of
risk
Approach after identification of potential risks:
determine the relative exposure in terms of time and cost, to reduce
the level of risk to an acceptable level.
identify both preventive actions and contingency actions (to mitigate
the impact of the risk if it materializes)
Benefits of Risk Management Process:
Is proactive, focusing on prevention rather than cure
Includes periodic risk assessments throughout the work lifecycle