Carolynn Chalmers - isaca-events.org.za - presentation transcript
King IV™ and the Corporate Governance of IT
Carolynn Chalmers
King IV™
  What is it?
  What’s new?
  What’s changed?
Impact of a changed standard
  King III
  COBIT® 5
  ISO 38500, ITIL and ISO 20000
  CGICTPF
What’s expected from you!
Gaining the Edge - Shaping the Future
King IV™ - What is it?
  Apply or Explain -> Apply and Explain
  Draft report released 15 March 2016
  FINAL report release date 1 November 2016
  ALL organisations – ALL sizes
  Sector Supplements: Municipalities; State Owned Entities; Pension Funds; SMEs; Non-Profit Organisations
King IV™ Report on Corporate Governance for South Africa 2016
Must Do
King IV™ - What’s NEW
  More readable: King III - 2 separate documents = 185 pages; King IV - 1 document = 33 pages
  Fewer principles: King III - 75 principles to be applied; King IV - 16 principles (17 for institutional investors)
  Focusses on governance outcomes: King III - principles and recommended practices, PRESCRIPTIVE (doing); King IV - principles – practices – outcomes, OBJECTIVE (achieving)
  Introduces integrated thinking and the 6 capitals: King III - “people, planet, profit”; King IV - value creation using 6 capitals
Reference: The International <IR> Framework
King IV™ - What’s CHANGED
  Strategy formulation: King III - Board to play a prominent role in strategy formulation; King IV - Board to enable the strategy
  Integrated Reporting: King III - report on 3 aspects: people, planet & profit; King IV - report on how the 6 capitals were assimilated to create value
  Assurance: King III - three lines of defence: management, internal, external; King IV - five lines of assurance: management, internal, external, specialists, governing bodies
  IT Governance: King III - 7 principles, 24 practices; King IV - 1 principle, 8 practices, single outcome
King IV™ - Governance of Technology and Information
  Principle: The governing body should govern technology and information in a way that supports the organisation in defining core purpose and to set and achieve strategic objectives
  Outcome (OBJECTIVE): Adequate and effective control
  Practices, in four columns (Strategy -> Policy -> Oversight -> Disclosure):
    Direct (Strategy): 1. Provide strategic direction
    Define (Policy): 2. Approve policy; 3. Adopt standards and frameworks
    Supervise (Oversight): 4. Delegate; 5. Oversee; 6. Review
    Communicate (Disclosure): 7. Disclose
So what? What will you need to do differently?
  1. Impact on King III Chapter 5
  2. Impact on COBIT® 5
  3. Impact on ISO 38500, ITIL and ISO 20000
  4. Impact on CGICTPF
Impact on King III Chapter 5 (King III principle -> King IV™ equivalent)
  King III 5.1. The board should be responsible for information technology (IT) governance
  King III 5.2. IT should be aligned with the performance and sustainability objectives of the company
    -> King IV™ Chapter 4 – Principle 4.2: The governing body should govern technology and information in a way that supports the organisation in defining core purpose and to set and achieve strategic objectives.
  King III 5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework
    -> King IV™ Chapter 4 - Recommended Practice 15: The governing body should delegate to management responsibility for implementing the policy on enterprise-wide technology and information management, and for embedding it into the day-to-day, medium and long-term decision-making, activities and culture.
  King III 5.4. The board should monitor and evaluate significant IT investments and expenditure
    -> King IV™ Chapter 2 - Recommended Practice 4: The governing body should oversee that policies and plans are developed to give effect to the approved strategy and that they: (a) drive the deployment of resources, structures and processes
  King III 5.5. IT should form an integral part of the company’s risk management
  King III 5.6. The board should ensure that information assets are managed effectively
  King III 5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities
    -> King IV™ Chapter 4 - Recommended Practice 16: The governing body should oversee the adequacy and effectiveness of technology and information management, including: …
Impact on COBIT® 5
  Governance and Management Areas: King IV™ and COBIT® 5 are aligned
  King IV™ governance outcomes (Principles – Practices – Outcomes): no change
    COBIT® 5 Goals Cascade, Step 3: Enterprise Goals Cascade to IT-related Goals. Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals.
  King IV™ strategy formulation and enablement: increased reporting (COBIT® 5 Enterprise Enablers)
  King IV™ integrated thinking and 6 capitals: increased scope (COBIT® 5 Governance Scope and Objective Setting)
    Governance Scope: Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define the scope of the governance system well.
Impact of King IV™ on COBIT® 5 - Summary
  Practices (Enabling Processes) are equivalent and complete
  References King III Principles - addressed in King IV in the form of Practices
  Principles are positioned on an outcomes basis: Principles - Practices - Outcomes
  Strategy is enabled through policy setting (Enterprise Enablers): Strategy -> Policy -> Oversight -> Disclosure
  Integrated thinking is supported: the 6 capitals are considered when setting the Governance Scope and Objectives
Alignment of King IV™ with ISO 38500
ISO 38500 - Corporate Governance of Information Technology
  A high level, principles-based advisory standard
  The objective of the standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organisations.
  Principles
    Principle 1: Responsibility - Responsibilities are understood and accepted
    Principle 2: Strategy - Business strategy takes into account IT capabilities
    Principle 3: Acquisition - Valid and appropriate; balances risks, opportunities, benefits and costs
    Principle 4: Performance - Fit for purpose
    Principle 5: Conformance - IT complies, and policies and practices are defined
    Principle 6: Human Behaviour - Respect for human behaviour
Alignment of King IV™ with ISO 38500 (King IV™ -> ISO 38500 principle)
  King IV™ Chapter 4 – Principle 4.2: The governing body should govern technology and information in a way that supports the organisation in defining core purpose and to set and achieve strategic objectives.
    -> Principle 1: Responsibility; Principle 2: Strategy
  King IV™ Chapter 4 - Recommended Practice 15: The governing body should delegate to management responsibility for implementing the policy on enterprise-wide technology and information management, and for embedding it into the day-to-day, medium and long-term decision-making, activities and culture.
    -> Principle 4: Performance
  King IV™ Chapter 2 - Recommended Practice 4: The governing body should oversee that policies and plans are developed to give effect to the approved strategy and that they: (a) drive the deployment of resources, structures and processes
    -> Principle 3: Acquisition
  King IV™ Chapter 4 - Recommended Practice 16: The governing body should oversee the adequacy and effectiveness of technology and information management, including: …
    -> Principle 5: Conformance; Principle 6: Human Behaviour
Alignment of King IV™ with ISO 38500 - Summary
  Distinguishes between the Governing Body and Management
  Positioned for application by the Governing Body
  Provides 6 principles which are aligned with the King IV principle and practices
  Principles are applied on an outcomes basis
  Strategy is enabled through the Model
  Integrated thinking is not fully supported: the 6 capitals are not considered other than through the business strategy
Impact on ITIL and ISO 20000
The CGICTPF - The Corporate Governance of Information and Communications Technology Policy Framework
  Developed by the Department of Public Service and Administration (DPSA) in cooperation with the Government Information Technology Officer Council
  Applicable to all National and Provincial Departments, Provincial Administrations, Local Government, Organs of State and Public Entities
  It places accountability for governance of ICT fully in the hands of Political Leadership and Executive Management (equivalent to the Board).
  Addresses the principles and practices required to institutionalize the corporate governance of ICT, as well as an implementation approach
  Based on King III, COBIT and ISO 38500: “is supported by internationally accepted good practice and standards in the form of King III Code of Good Governance, ISO 38500 Standard for the Corporate Governance of ICT and COBIT a comprehensive Governance ICT Process Framework.”
A changing governance landscape
  Governance is not compliance – governance exhibits levels of maturity
  Governance is not red tape – practices should be adequate and effective
  Governance is guiding a complex organisation to achieve defined outcomes
  Governance is about creating sustainable value in an ethical manner
  Governance is about Doing the Right Things
  Management is about Doing these Things in the Right Way
  Peter Drucker
What is expected from you?
  Doing the Right Things in the Right Way - an integrated approach to governance (Control / Influence)
  Codes, Frameworks and Standards - Best practice
  Reviews and Surveys - Common practice
  Research and Future Thinking - Emerging trends
  www.govn.co.za
Taking ownership of your governance
  Policies and Processes
  Doing the Right Things in the Right Way - an integrated approach to governance
What is expected from you?
  Extending scope to the 6 capitals
  Delegating not abdicating
  Setting Policy – “the right things”
  Assigning and contracting responsibilities
  Monitoring and overseeing actions
  Making decisions within authority
  Appropriately resourcing
  Reporting completely
  Reviewing for continual improvement
  Doing the Right Things in the Right Way - an integrated approach to governance
Applying King III and IV - Gain the Edge, Shape the Future
  Take stock
    Know where you are - use maturity assessments to assist you
    Know what the right things are - consider training, join discussion groups
  Take the initiative
    Review your Policy principles – the “right things”
    Review your Strategy and scope – address the 6 capitals
    Review your Reports – Apply and Explain
  Contribute responsibly
    Make sure responsibilities are clear and agreed
    Make sure authority has been delegated and resources have been provided