15 - cobit for gcg

Post on 31-May-2015


DESCRIPTION

Adopting COBIT as Tools for Implementing Good Corporate Governance

TRANSCRIPT

Conference Material

“The Implementation of IT Governance within the Corporation”
Case: Control Objectives for Information and Related Technology
Richardus Eko Indrajit
indrajit@post.harvard.edu

Regulatory Compliances for Companies with GCG


Table of Contents

– The Needs of Good Corporate Governance
– Issues of Information Technology Governance
– Technology Governance in Action
– Case: CobiT from the Information Technology Governance Institute


The Drivers

Surviving the economic crisis by maintaining existing shareholder value

Performing necessary operational restructuring to ensure adequate controls

Improving corporate image and market perception of management practices

Answering the requirements of partners and other related parties

Ensuring the alignment of all stakeholder expectations

Encouraging multiple entities to perform according to their roles and responsibilities

Investors Survey

Source: McKinsey

Financial vs Governance Reporting

“In evaluating Asian companies, how important (in %) is the quality of their corporate governance compared to their financial reports?”

[Chart: percentage of investors answering More, Same or Less, shown for Japan, Taiwan, Thailand, Korea, Indonesia, Malaysia and Total]

Over 75% of investors in America, Europe and Asia perceived corporate governance as equally, if not more, important than financials

Source: McKinsey

How Investors Perceived Asia

Rating by country on a scale from 1 (very poor) to 5 (very good), shown as American & European investors / Asian investors:

– Japan: 2.2 / 2.8
– Taiwan: 2.3 / 2.6
– Korea: 1.8 / 2.2
– Thailand: 1.5 / 1.8
– Malaysia: 1.3 / 1.7
– Indonesia: 1.1 / 1.1

Chart annotations: 1.7, investors in U.S. and Europe; 2.0, investors in Asia; 4 - 4.5 for US companies (estimated)

Investors in America & Europe perceive corporate governance practices in Asia as lower than their counterparts in Asia do, mainly due to:

–  Less familiarity with the market
–  Asian investors getting more used to existing conditions
–  Lack of local benchmarks

Source: McKinsey

Investors' Perception about Corp Governance

Premium investors are willing to pay (%), by country, shown as American & European investors / Asian investors:

– Japan: 22 / 19
– Taiwan: 24 / 18
– Korea: 29 / 22
– Thailand: 28 / 24
– Malaysia: 26 / 24
– Indonesia: 30 / 26

Chart annotations: 18% U.S. avg; 22% by investors in Asia; 26% by investors in U.S. and Europe

– High premiums for companies with good corp. governance
– Perceptions depend on investor location
– Premium decreases if a country's corp. governance practices improve

Source: McKinsey

GCG in Indonesia

– Standards and benchmarks still in their infancy
– Code for Good Corporate Governance published by the National Committee, although regulatory reform to support it still needs to be stepped up:
  i. State-owned enterprises: rules published
  ii. Financial services industry: unclear, some even conflicting
  iii. Publicly-listed companies: getting there
– Application of rules, incl. self-assessments, remains compliance-based rather than performance-driven
– Very few companies openly conduct assessment by independent parties, where world-class best practice in similar industries can be used as benchmarks
– Self-assessment results tend to be dominated by majority shareholders' and management's views

Source: Jos Luhukay

General Impediments

– Our systems tend to be based on regulations (corporate level), rather than performance & ethics (individual level)
– Hence governance and management are more compliance-driven than based on performance improvement
  1. Voluntary conformity needed to complement regulatory compliance
  2. Business ethics need to be regarded as “must-have” rather than “nice-to-have”
– The “cost” of good governance still regarded as much smaller than its “benefits”
– Companies still preoccupied with survival issues. Unless direct benefits are perceived in dealing with creditors and investors, corporate governance will continue to remain on the back burner

Source: Jos Luhukay


The Principles

Transparency, Accountability, Responsibility, Independence, Fairness

INFORMATION GOVERNANCE

[Diagram labels: Information-Related Processes; Information System; Information Technology; Information Management]

IT and Corporate Governance

[Diagram: Enterprise Governance; IT Governance and Principles. Components: IT Strategic Planning; Investment Management; Enterprise Architecture; Portfolio Management; Funding Strategy/Advocacy; Annual Budgeting; Performance Measurement; Risk/Value Management. Maturity axis: Level 1 to Level 5. Other labels: Internal Activities; Internal Processes; External Processes; External Collaboration; Self Correcting; Process Improvement; Complete IT Portfolios; Foundation; Awareness; Strategic Leverage of IT]

Source: BCG

Issues on IT

Costs allocated do not justify the benefits

Do not align with business needs and strategy

Slow development and deployment processes

High failure rates on implementation stage

Changing so fast, as new technology emerges

Expensive by default, difficult to get support

Complex in nature, so people avoid dealing with it

Issues on IT Governance

?

Values and Benefits

Costs and Risks

Pro(s) and Con(s)


Ultimate Values

[Diagram: stakeholder value, with charts plotted against time: support business (Aligned); service quality (Better); service cost (Cheaper); delivery time (Faster); IT risks (Secured, Controlled)]

Source: ITGI

Business Value of IT

[Diagram: Business Value of Information Technology, with four perspectives: FINANCIAL, CUSTOMERS, GROWTH, INTERNAL]

Source: Robert Kaplan

Value Perspective: FINANCIAL

Expand market share.

Increase revenue.

Return on investment.

Optimise asset utilisation.

Manage business risks.

Source: ITGI


Value Perspective: CUSTOMER

Improve customer orientation and service.

Offer competitive products and services.

Service availability.

Agility in responding to changing business needs.

Cost optimisation of service delivery.

Source: ITGI


Value Perspective: INTERNAL

Automate and integrate the enterprise value chain.

Improve and maintain business process functionalities.

Lower process costs.

Compliance with external laws and regulations.

Transparency.

Compliance with internal policies.

Improve and maintain operational and staff productivity.

Source: ITGI


Value Perspective: GROWTH

Product and business innovation.

Obtain reliable and useful information for strategic decision making.

Acquire and maintain skilled and motivated personnel.

Source: ITGI


What is IT Governance

Source: ITGI

CobiT as Best Practice

– COBIT is globally accepted as being the most comprehensive work for IT governance, organisation, as well as IT process and risk management.
– COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements.

Source: ITGI

Philosophy of CobiT

COBIT's Golden Rule

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

Source: ITGI

IT Governance Paradigm
Source: ITGI

The Relationship Aspects of IT Governance
Source: ITGI

Components of IT Processes
Source: ITGI

The Relationship with Enterprise IT Architecture
Source: ITGI

IT Process Maturity Level
Source: ITGI

Measurements and Indicators Relationships
Source: ITGI

Examples of Maturity Assessment

[Chart: maturity scores on a 0 to 5 scale for processes PO2, PO7, AI5, DS10, DS5 and ME2; series: Best Practice, Standard, Org. Score; plotted values: 2.21, 1.55, 2.14, 1.35, 1.55, 0.77]

Process Definition and Control Objectives

– Management of IT Security
– IT Security Plan
– Identity Management
– User Account Management
– Security Testing, Surveillance and Monitoring
– Security Incident Definition
– Protection of Security Technology
– Cryptographic Key Management
– Malicious Software Prevention, Detection and Correction
– Network Security
– Exchange of Sensitive Data

Source: ITGI

Activities and Responsibilities
Source: ITGI

Performance Measures
Source: ITGI

The IT Enterprise Architecture
Source: Zachman

The Holistic IS Model

[Diagram labels.
Levels: SCOPE; BUSINESS MODEL; SYSTEM MODEL; TECHNOLOGY MODEL; DETAIL REPRESENTATION.
Level descriptors: CONTEXT; CONTENT; LOGIC; PHYSICS; ENTITY.
Columns: MOTIVATION (WHY); PEOPLE (WHO); DATA (WHAT); NETWORK (WHERE); FUNCTION (HOW); TIME (WHEN).
Other labels: PEOPLE; TECHNOLOGY; PROCESS]

Source: Zachman

The Simplistic IS Model

[Diagram labels: Business; Information; Information System; Information Technology; Architecture; Alignment; Security; Governance; Contextual; Conceptual; Logical; Physical; Transformational; numbered elements 1 to 12]

Source: Cap Gemini

Go Back to GCG Characteristics

– Comprehensive policies, regulatory and legal frameworks to comply with and anticipate changes in regulations
– Improved communications and relationships with stakeholders, including the management of their perceptions of the company
– Improved corporate image
– Transparent and professional business practices
– Improved information governance
– Implementation of best practices in internal audit and control
– Proper risk management

Source: Jos Luhukay

The End
