Translate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests.

Transcription

1 Principles Principle 1 - Meeting stakeholder needs The governing body is ultimately responsible for setting the direction of the organisation and needs to account to stakeholders specifically owners or shareholders of the organisation. Translate stakeholder needs into strategy. Governance is about negotiating and deciding amongst different stakeholders value interests. Value creation = Stakeholder needs There are three main governance objectives: Benefits realization Risk optimization Resource optimization (all IT assets including resources and capabilities) Stakeholder drivers Strategy changes Changing business and regulatory environment New technologies Cascade (transform stakeholder needs into an actionable strategy) Stakeholder drivers cascade to Stakeholder needs cascade to Enterprise goals (BSC) cascade t0 IT-related goals (BSC) cascade to Enabler goals (e.g. process goals) Balanced scorecard (BSC) Financial Customer Internal Learning and growth 1

2 Principle 2 - Covering the enterprise end-to-end Components of a governance system Governance enablers (x 7) Governance scope (whole enterprise or part) Identifying responsibilities for governance: Owners and stakeholders (delegate) Governing body (set direction + accountable) Management (instruct and align + monitor) Operations and execution (report) Principle 3 - Applying a single integrated framework Integrated framework Aligns with other relevant standards and frameworks Is complete in enterprise coverage Provides a simple architecture Integrates different ISACA frameworks 2

3 Principle 4 - Enabling a holistic approach Enablers - Resources Principles, policies and frameworks Processes Organizational structures Culture, ethics and behavior Information Services, infrastructure and applications People, skills and competencies Enabler dimensions (allow an entity to manage its complex interactions) Stakeholders Goals Intrinsic quality - The extent to which enablers work accurately, objectively and provide accurate, objective and reputable results Contextual quality - The extent to which enablers and their outcomes are fit for purpose given the context in which they operate. For example, outcomes should be relevant, complete, current, appropriate, consistent, understandable and easy to use. Access and security - The extent to which enablers and their outcomes are accessible and secured, such as: Enablers are available when, and if, needed. Outcomes are secured, i.e., access is restricted to those entitled and needing it. Life cycle Good practices Enabler performance Lag indicators (achievement of goals) Are stakeholder needs addressed? Are enabler goals achieved? Lead indicators (functioning of enabler) Is the enabler lifecycle managed? Are good practices applied? 3

4 Principle 5 - Separating governance from management Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Evaluate - Direct - Plan - Build - Run - Monitor - Monitor - Evaluate 4

5 Enablers Processes Information Organisational structures Principles, policies and frameworks Culture, ethics and behaviour People, skills and competencies Services, infrastructure and applications A distinction is made between governance and management processes, including specific sets of practices and activities for each. Information used for evaluating, directing and monitoring enterprise IT is exchanged between governance and management. Structures can sit in the governance space or the management space. Principles, policies and frameworks are the vehicle by which governance decisions are institutionalised within the enterprise. Is set at the top and is therefore an interaction. Governance and management activities require different skill sets. Services support the governance activities of evaluating, setting direction and monitoring. Enabler 1 - Principles, policies and frameworks Governance should set principles and policies. Principles, policies and frameworks communicate the rules of the enterprise in support of governance objectives and enterprise values. Principles, policies and frameworks are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values, as defined by the board and executive management. Policies should be aligned with the enterprise s risk appetite. Policies are a key component of an enterprise s system of internal control, whose purpose it is to manage and contain risk. As part of risk governance activities, the enterprise s risk appetite is defined, and this risk appetite should be reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise. Policies need to be revalidated and/or updated at regular intervals. Principles (express the core values of the enterprise) limited in number put in simple language Policies (provide detailed guidance on how to put principles into practice, guide decisions) Policies provide more detailed guidance on how to put principles into practice and they influence how decision making aligns with the principles. Good policies are: Effective - They achieve the stated purpose. Efficient - They ensure that principles are implemented in the most efficient way. Non-intrusive - They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance. Policy can exist at multiple levels of the organisation. Organisational structures can define and implement policies within their span of control, and their activities are also defined by policies. Frameworks Frameworks are key because they provide a structure to define consistent guidance. For 5

6 example, a policy framework provides the structure in which a consistent set of policies can be created and maintained, and it also provides an easy point of navigation within and between individual policies. Comprehensive Open and flexible Current Accessible for stakeholders Good practice Good practice requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should fit and clearly make the link to the underlying principles. As part of the policy framework, the following items need to be described: Scope and validity Consequences of failing to comply Means for handling exceptions How compliance will be checked (compliance requirements) Generally, recognised governance and management frameworks can provide valuable guidance on the actual statements to be included in policies. Relationships Principles, policies and frameworks reflect the cultures, ethics and values of the enterprise Processes are the most important vehicle for executing policies Organizational structures can define and implement policies Policies are part of information. 6

7 Enabler 2 Processes For each COBIT 5 process, the governance/management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are: Statements of actions to deliver benefits, optimise the level of risk and optimise the use of resources Aligned with relevant generally accepted standards and good practices Generic and therefore needing to be adapted for each enterprise Covering business and IT role players in the process (end-to-end) The enterprise governance body and management need to make choices relative to these governance and management practices by: Selecting those that are applicable and deciding on those that will be implemented Adding and/or adapting practices where required Defining and adding non-it-related practices for integration in business processes Choosing how to implement them (frequency, span, automation, etc.) Accepting the risk of not implementing those that may apply Sample RACI charts in COBIT is the suggested assignment of the type and level of involvement on process practices for specific roles and structures in the organisation. In COBIT, the main actions taken to operate the process are described in activities lactating to each of the practices. They are defined as guidance to achieve management practices for successful governance and management of enterprise IT. The COBIT 5 activities provide the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk. This material is of use to: Management, service providers, end users and IT professionals who need to plan, build, run or monitor enterprise IT Assurance professionals who may be asked for their opinions regarding current or proposed implementations or necessary improvements A complete set of generic and specific activities that provide one approach consisting of all the steps that are necessary and sufficient for achieving the key governance practice (GP)/management practice (MP). They provide high-level guidance, at a level below the GP/MP, for assessing actual performance and for considering potential improvements. For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management. More details guidance is provided for each practice as a set of activities. Process activities: Describe a set of necessary and sufficient action-oriented implementation steps to achieve a governance or management practice Consider the inputs and outputs of the process Are based on generally accepted standards and good practices Support establishment of clear roles and responsibilities Are non-prescriptive and need to be adapted and developed into specific procedures appropriate for the enterprise When executing a process, artefacts (documents, records, etc.) are created these become useful when evaluation a process. A process is defined as a collection of practices influenced by the enterprise s policies and procedures that takes input from a number of sources, manipulates the inputs and produces outputs. The Process Reference Model Governance Domain The processes in EDM (Evaluate, Direct Monitor) (5) 7

8 EDM01 Ensure Governance Framework Setting and Maintenance EDM02 Ensure Benefits Delivery EDM03 Ensure Risk Optimization EDM04 Ensure Resource Optimization EDM05 Ensure Stakeholder Transparency The process Reference Model Management Domain The processes in APO ( Align, Plan Organize) (13) APO01 Manage the IT Management Framework APO02 Manage Strategy APO03 Manage Enterprise Architecture APO04 Manage Innovation APO05 Manage Portfolio APO06 Manage Budget and Costs APO07 Manage Human Relations APO08 Manage Relationships APO09 Manage Service Agreements APO10 Manage Suppliers APO11 Manage Quality APO12 Manage Risk APO13 Manage Security The processes in BAI ( Build, Acquire and Implement) (10) BAI01 Manage Programs and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI04 Manage Availability and Capacity BAI05 Manage Organizational Change Enablement BAI06 Manage Changes BAI07 Manage Changes Acceptance and Transitioning BAI08 Manage Knowledge BAI09 Manage Assets BAI10 Manage Configuration The processes in DSS (Deliver, Service and Support) (6) DSS01 Manage Operations DSS02 Manage Service Requests and Incidents DSS03 Manage Problems DSS04 Manage Continuity DSS05 Manage Security Services DSS06 Manage Business Process Controls The processes in MEA (Monitor, Evaluate and Assess) (3) MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA02 Monitor, Evaluate and Asses the System of Internal Control MEA03 Evaluate and Assess Compliance with External Requirements Stakeholders Internal: board, management, staff, business managers, business process owners External: customers, business partners, shareholders, regulators Goals Intrinsic goals: quality of the process, in line with good practice, compliant? Contextual goals: relevancy of the process, understandable, easy to apply? 8

9 Accessibility & Security goals: confidentiality of the process Life cycle (= generic practices for processes) Plan Design Build/acquire/create/implement Use/operate Evaluate/monitor Update/dispose Good practice Management/Governance practices (MP/GP) Statements of actions to deliver benefits Aligned with standards and good practices Generic, needing to be adapted Covering business and IT Activities Describe implementation steps to achieve GP/MP Consider the inputs and outputs of the process Based on standards and good practices Support establishment of clear roles and responsibilities (defined at the GP/MP level) Non-prescriptive Detailed activities: from ITIL, ISO 27000, PRINCE2 etc. Inputs and outputs: Are the process work products/artifacts Defined at the GP/MP level Relationships Processes need information as one form of input Processes need Organizational structure Processes produce and require service capabilities (infrastructure, applications, information..) Processes are dependent on other processes Processes produce and need policies and procedures to ensure consistent implementation. Enabler Process Guide Content Process identification and its components Process description Process purpose statement Goals cascade information Process goals and metrics Overview of process practices RACI Responsible: does the job Accountable: takes the blame Consulted: 2-way communication Informed: 1-way communication 9

10 Enabler 3 - Organizational structures Organisational structures are the key decision-making entities in an enterprise. Good Practice Operating principles - The practical arrangements regarding how the structure will operate, such as frequency of meetings, documentation and housekeeping rules Composition - Structures have members, who are internal or external stakeholders. Span of control - The boundaries of the organizational structure s decision rights, e.g. organisational structures can implement policies within their span of control. Level of authority - The decisions that the structure is authorized to take Delegation of authority - The structure can delegate (a subset of) its decision rights to other structures reporting to it. Escalation procedures -The escalation path for a structure describes the required actions in case of problems in making decisions. The responsibilities and characteristics of the following roles in an organization CIO: responsible for aligning the IT strategy with the business strategy Program and Project Management Office (PMO): responsible for supporting program and project managers 10

11 Enabler 4 - Culture, ethics and behavior Goals Organizational ethics: determined by the values which the enterprise wants to operate Individual ethics: determined by personal values Individual behaviors, which collectively determine the culture of an enterprise. Behavior towards taking risk Behavior towards following policy Behavior towards negative outcomes Good practice Communication of desired behaviors and the underlying corporate values Awareness of desired behavior, strengthened by the example behavior exercised by senior management and other champions Incentives to encourage and deterrents to enforce desired behavior. Rules and norms, which provide more guidance on desired organizational behavior. This links very clearly to the principles and policies that an enterprise puts in place. Relationships Processes can be designed to a level of perfection, but if the stakeholders of the process do not wish to execute the process activities as intended - i.e., if their behavior is one of noncompliance - process outcomes will not be achieved. Organizational structures can be designed and built according to the textbook, but if their decisions are not implemented - for reasons of different personal agendas, lack of incentives, etc. - they will not result in decent governance and management of enterprise IT. Principles and policies are a very important communication mechanism for corporate values and the desired behavior. 11

12 Enabler 5 - Information Information, infrastructure and applications are defined as service capabilities they are leveraged through processes to deliver internal and external services. Information criteria Effectiveness - Information is effective if it meets the needs of the information consumer who uses the information for a specific task. If the information consumer can perform the task with the information, then the information is effective. Efficiency - Whereas effectiveness considers the information as a product, efficiency relates more to the process of obtaining and using information, so it aligns to the information as a service view. If information that meets the needs of the information consumer is obtained and used in an easy way, then the use of information is efficient. This corresponds to the following information quality goals: believability, accessibility, ease of operation, reputation. Integrity - If information has integrity, then it is free of error and complete. Reliability - Reliability is often seen as a synonym of accuracy; however, it can also be said that information is reliable if it is regarded as true and credible. Compared to integrity, reliability is more subjective, more related to perception, and not just factual. Availability - Availability is one of the information quality goals under the accessibility and security heading. Confidentiality - Confidentiality corresponds to restricted access. Compliance - Compliance means that information must conform to specifications. Compliance to regulations is most often a goal or requirement of the use of the information, not so much an inherent quality of information. Information cycle Business and IT processes generate and process Data. Data is transformed into Information. Information is transformed into Knowledge. Knowledge creates Va lue. Value drives Business and IT processes Use of the Information Model (IM) For information specifications (e.g. of a new application or process by using attributes) To determine required protection (e.g. for security professionals by using attributes) To determine ease of data use (e.g. by using the quality criteria) 12

13 Enabler 6 - Services, infrastructure and applications Architecture principles Good practice for service capabilities includes the definition of architecture principles Architecture principles are overall guidelines that govern the implementation and use of IT-related resources within the enterprise. Examples of potential architecture principles are: Reuse - Common components of the architecture should be used when designing and implementing solutions as part of the target or transition architectures. Buy vs. build - Solutions should be purchased unless there is an approved rationale for developing them internally. Simplicity - The enterprise architecture should be designed and maintained to be as simple as possible while still meeting enterprise requirements. Agility - The enterprise architecture should incorporate agility to meet changing business needs in an effective and efficient manner. Openness - The enterprise architecture should leverage open industry standards. Relationships Information is one of the service capabilities, and service capabilities are leveraged through processes to deliver internal and external services. Cultural and behavioral aspects are also relevant when a service-oriented culture needs to be built. Relationships The inputs and outputs of the management processes could include service capabilities, which are required as inputs or delivered as outputs. Service capabilities are leveraged primarily through processes 13

14 Enabler 7 - People, skills and competencies Good practice Defining skill requirements for each role Using other external sources good practices e.g. SFIA Mapping skill categories to the COBIT 5 process domains: The skills in EDM ( Evaluate, Direct, Monitor) Governance of enterprise IT The skills in APO ( Align, Plan Organize) IT policy formulation IT strategy Enterprise architecture Innovation Financial management Portfolio management The skills in BAI ( Build, Acquire and Implement) Business analysis Project management Usability evaluation Requirements definition and management Programming System ergonomics Software decommissioning Capacity management The skills in DSS (Deliver, Service and Support) Availability management Problem management Service desk and incident management Security administration IT operations Database administration The skills in MEA (Monitor, Evaluate and Assess) Compliance review Performance monitoring Controls audit 14

15 Implementation Components of the life cycle model Management of the program Change enablement specifically addressing behavior and cultural aspects Core continual improvement life cycle. Question answered Program Management Change Enablement Continual Improvement 1 What are the drivers? Initiate programme Establish desire to change Recognise need to act 2 Where are we now? Define problems & opportunities Form implementation team Assess current state 3 Where do we want to be? Define road-map Communicate outcome Define target state 4 What needs to be done? Plan programme Identify role players Build improvements 5 How do we get there? Execute plan Operate & use Implement improvements 6 Did we get there? Realise benefits Embed new approaches Operate & measure 7 How do we keep on going? Review effectiveness Sustain Monitor & evaluate Seven phases of implementation Phase 1 starts with recognizing and agreeing to the need for an implementation or improvement initiative. It identifies the current pain points and triggers and creates a desire to change at executive management levels. (what are the drivers?) CE: establish desire to change. Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment. (Where are we now?) CE: form inmplementation team. During phase 3, an improvement target is set, followed by a more detailed analysis leveraging 15

16 COBIT s guidance to identify gaps and potential solutions. Some solutions may be quick wins and others more challenging and longer-term activities. (Where do we want to be?) CE: communicate outcomes. Phase 4 plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed. A well-developed business case helps to ensure that the project s benefits are identified and monitored. (What needs to be done?) CE: identify role players. The proposed solutions are implemented into day-to-day practices in phase 5. Measures can be defined and monitoring established, using COBIT s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured. Success requires the engagement and demonstrated commitment of top management as well as ownership by the affected business and IT stakeholders. (How do we get there?) CE: operate and use. Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits. (Did we get there?) CE: embed new approaches. During phase 7, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise IT are identified, and the need for continual improvement is reinforced. (How do we keep the momentum going?) CE: sustain. 16

17 Use of the implementation life cycle The internal and external environment factors as they apply to change management Ethics and culture Applicable laws, regulations and policies Mission, vision and values Governance policies and practices Business plans and strategic intentions Operating Model Management style Risk appetite Capabilities and available resources Industry practices Typical pain points Business frustration with failed IT initiatives resulting in increased costs & low business return on investment Outsourcing service delivery problems Duplicate projects Continuous poor audit findings Board members and senior management reluctant to engage with IT Typical Trigger Events Changes in an enterprises internal or external environments are seen as triggers examples are: Mergers, acquisitions and divestments New regulatory or compliance requirements A shift in the market demand for the company s products Significant technology change Business case Tool guiding the creation of business value Ongoing view of the viability of a program Contents of a good business case The business benefits that will be realized The business changes required The investments needed The on-going IT operating costs Constraints and dependencies derived from the risk assessment Roles, responsibilities and accountabilities relative to the initiative How the investment will be monitored 17

18 Process capability Assessment Model (PAM) Process capability assessments enables governance bodies to set process benchmarks and assist in measurement and monitoring capabilities. Based on this information improvement planning can be done that is supported by evidence and justifiable. Process capability assessments is not measuring performance or compliance. Terms and concepts of the PAM The COBIT Assessment Model includes: COBIT Assessor s Guide using COBIT 5.0 providing detailed guidance on how to do assessments using PAM, and COBIT Self Assessment Guide Using COBIT 5.0 explaining a simplified method that can easily be used for self-assessment The six Capability Levels based on ISO Level 0 Incomplete Process Level 1 Performed process - achieves its purpose Level 2 Managed process - managed implementation, work products managed Level 3 - Established Process - implemented using a defined process Level 4 - Predictable Process - operates within defined limits Level 5 Optimized Process - continuously improved The nine Attributes based on ISO PA 1.1 Process performance PA 2.1 Performance management PA 2.2 Work product management PA 3.1 Process definition PA 3.2 Process deployment PA 4.1 Process management PA 4.2 Process control PA 5.1 Process innovation PA 5.2 Process optimization The Rating Scale based on ISO N Not achieved 0 to 15% achievement - There is little or no evidence of achievement of the defined attribute in the assessed process. P Partially achieved 15% to 50% achievement - There is evidence of a sound systematic approach to an achievement of the defined attribute in the assessment approach L Largely achieved 50% to 85% achievement - There is evidence of a sound, systematic approach to the significant achievement of the defined attribute in the assessment F Fully achieved 85% to 100% achievement - There is evidence of a complete and systematic approach to and full achievement of the defined attribute in the assessed approach. To achieve a pass for a certain level, a process must be rated L Largely or F Fully at that level, and be rated F- Fully on the lower levels. To be able to move onto another capability level all Process Attributes must be F fully for that process (if not achieved, the organization needs to improve that particular process attribute to have a F rating before moving on) The definition of the following ISO terms A Process Purpose: high level objectives of performing the process and likely outcomes of successful implementation. A Process Outcome: observable result of a process (artifact, change of state, meeting of constraints) 18

19 A Base Practice: activities that contribute to achieving the process purpose. A Work Product: an artifact associated with the execution of the process (inputs and outputs) Understanding the PCM The Reasons for carrying out a Process Capability Assessment ISO identifies the purpose as an activity that can be performed either as a process assessment or as a process improvement initiative To continuously improve the enterprise s effectiveness To identify the strengths and weaknesses of selected processes based on business need To provide a logical, understandable, repeatable, reliable and robust methodology for assessing the capability of IT-related processes. The purpose of the 3 guides The Process Assessment Model (PAM) The Assessor Guide The Self-Assessment Guide: can also be used as preparation for a formal assessment The differences between a Maturity and a Capability Assessment A Process Assessment is one that examines the processes used by an organization to determine whether they are effective in achieving their goals. The assessment characterizes the current practice within an organizational unit in terms of the capability of the selected processes. Organizational maturity is an expression of the extent to which an organization consistently implements processes within a defined scope that contributes to the achievement of its business goals (current or projected). The purpose of a Process Reference Model Provides the basis for one or more Process Assessment Models Related the PAM to the measurement framework (ISO 15504) Provides the basis for the process dimension The differences between the two dimensions The capability dimension as outlined by the 6 capability levels A process dimension which deals specifically with the 37 specific COBIT processes outlined in the Process Reference Model (PRM) The differences between the Generic and Specific attributes. Base Practices (1) & Generic Base Practices (2-5) Specific Work Products (1) & Generic Work Products (2-5) The benefits of the COBIT Capability Assessment approach Improved reliability and repeatability Compliance with generally accepted standard Increased usability Is summary process performance indicators being useful in measuring level 1 whilst generic capability indicators apply to all levels of the PAM. 19