
Upload: elegant-solutions

Post on 22-Jan-2015


DESCRIPTION

An Overview of Governance Tools

TRANSCRIPT

Page 1: Governance Tools Boyd Carter 2006

Elegantsolutions.ca

Introduction to Governance Frameworks

A selection of governance tools and how they may be used.

Elegant Solutions

Boyd Carter - 2006

Copyright © 2006 elegantsolutions.ca

(Permission is granted to use unchanged. elegantsolutions.ca) www.elegantsolutions.ca

Page 2

Governance – OECD

A working definition of corporate governance

Grant Kirkpatrick, Corporate Affairs Division, OECD:

Corporate governance … involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives (i.e. strategy) of the company are set, and the means of obtaining those objectives and monitoring performance are determined.

Page 3

Governance – CIMA

CIMA – Chartered Institute of Management Accountants:

Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.

Page 4

Governance – itSMF

itSMF – IT Service Management Forum:

IT governance is the system by which IT within enterprises is directed and controlled. The IT governance structure specifies the distribution of rights and responsibilities among different participants, such as the board, business and IT managers, and spells out the rules and procedures for making decisions on IT. By doing this, it also provides the structure through which the IT objectives are set, and the means of attaining those objectives and monitoring progress.

Page 5

Governance In Context

Relationships
Rights and Responsibilities
Structure (framework) which facilitates:
Setting objectives
Attaining those objectives
Monitoring performance

Page 6

Governance Cycles

OECD, Balanced Scorecard, Deming on Quality, ITIL, COBIT

Page 7

Cycles – Quality (Deming)

Plan, Do, Check, Act

Page 8

Cycles – Quality (Deming)

Ishikawa expanded Deming's four steps into the following six:

Plan – Goals and Targets; Methods to Achieve
Do – Education & Training; Implement Work
Check
Act

Source: http://dtiinfo1.dti.gov.uk/mbp/bpgt/m9ja00001/m9ja0000110.html#ishikawa

Page 9

Cycles – OECD

Political Agenda, Issue Analysis, Policy Making, Implementation, Monitoring

A. Macintosh. Using information and communication technologies to enhance citizen engagement in the policy process. In Promises and Problems of E-Democracy: Challenges of Online Citizen Engagement. OECD, Paris, 2004.

Page 10

Cycles – Balanced Scorecard

Cause & Effect, Future Orientation, Operational Excellence, Meet Stakeholder Expectations, Corporate Contribution

Measuring and Improving IT Governance Through the Balanced Scorecard By Wim Van Grembergen and Steven De Haes Copyright © 2005 Information Systems Audit and Control Association. All rights reserved.

Page 11

Cycles – ITIL

Service Strategies, Design, Transition, Operations, Continuous Improvement

ITIL.org · ITIL V3 - Service Life Cycle · Service Strategy

Page 12

Cycles – TOGAF

The US Federal CIO Council’s perspective

How EA Processes fit within the Enterprise Life Cycle

Engineering; Program Mgmt.; Capital Planning & Investment Control Processes

From TOGAF version 8.1, and The US Federal CIO Council’s “A Practical Guide to Federal Enterprise Architecture”

Page 13

Cycles – COBIT

Objectives, Direct, Create, Protect, Act, Monitor

From Article: IT Governance Hands-on: Using COBIT to Implement IT Governance, by Luc Kordel, CISA, RE, CISSP, CIA, RFA

Governance – Alignment – Value Delivery – Risk Mgmt. – Resource Mgmt. – Performance Mgmt.

Page 14

Cycles – Buffalo City

Planning, Implementation, Review, Evaluation, Reporting. The public participates in everything except the actual implementation.

From a thesis by Quinton Walter Williams, January 2006, Masters of Business Administration, Rhodes Investec Business School, RHODES UNIVERSITY, entitled: IMPLEMENTING PERFORMANCE MANAGEMENT AT LOCAL GOVERNMENT LEVEL IN SOUTH AFRICA: A CASE STUDY ON THE IMPACT OF ORGANISATIONAL CULTURE.

Page 15

Cycles – Quality Governance

Relationships, Rights & Responsibilities
Structure (Framework) which facilitates:

Setting Objectives – Plan: Goals and Targets; Methods to Achieve
Attaining those objectives – Do: Education & Training; Implement Work
Monitoring Performance – Check, Act

Page 16

Frameworks – COSO

PWC Presentation: COSO 1, COSO 2 (PWC ERM-SET.pdf)

Page 17

Frameworks – COSO

COSO for Smaller Public Companies (COSO 3)

Image from Volume 2 of COSO’s Internal Control over Financial Reporting – Guidance for Smaller Public Companies

Page 18

Frameworks – COSO

Image from COSO’s ERM – Integrated Framework

Page 19

Frameworks – COSO

Image from COSO’s ERM – Integrated Framework

Page 20

Frameworks – COSO

Example of Framework Content

Image from Resolver’s Compliance Framework

Page 21

Frameworks – COBIT

COBIT Products

Image from the IT Governance Institute’s COBIT4

Page 22

Frameworks – COBIT

The COBIT Cube

Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT

Page 23

Frameworks – COBIT

COBIT Mapped to PMBOK

COBIT is also Mapped to SEI-CMM, Prince2, ITIL, COSO, TOGAF & ISO 17799

Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT

Page 24

Frameworks – COBIT

COBIT Quickstart to Estimate Scope

Image from the IT Governance Institute’s COBIT Quickstart

In this example, the small company is very dependent on its Information Technology. This would indicate the use of COSO for Smaller Public Companies for the Business Framework and either a complete COBIT Framework for IT or an extended COBIT Quickstart with applicable portions of the complete COBIT Framework added to the project.

SEG = Segregation of Duties

SCS = Simple Command Structure

SCP = Short Communications Path

SOC = Span Of Control

ITL = IT Level (of Sophistication)

ITS = IT Strategic Importance

ITE = IT Expenditures

Page 25

Frameworks – COBIT

VALIT To Optimize IT Investments

Image from the IT Governance Institute’s VALIT-Framework

Page 26

Frameworks – COBIT

VALIT To Optimize IT Investments

Image from the IT Governance Institute’s VALIT-Framework

Page 27

Frameworks – COBIT

Example of Framework Content

Image from Resolver’s Compliance Framework

Page 28

Frameworks – ITIL

From a GC IT Services Perspective, With COBIT for Program Management

Image from The Treasury Board Profile of GC Information Technology Services http://www.tbs-sct.gc.ca/cio-dpi/webapps/technology/profil/profil05_e.asp

Page 29

Frameworks – ITIL

From an HP IT Services Planning Perspective

A common ITIL Image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing

Page 30

Frameworks – ITIL

From an Application Services Library Perspective

Another common ITIL Image, this one from ASLfoundation.org

Image labels: Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business; The Business Perspective; Applications Management; ICT Infrastructure Mgt; The Technology; Security Management

Page 31

Frameworks – ITIL

From an HP IT Services Operations Perspective

A common ITIL Image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing

Page 32

Frameworks – BSC

From an IT Governance Perspective

Image from the IT Governance Institute’s Information Systems Control Journal The Balanced Scorecard and IT Governance By Wim Van Grembergen, Ph.D.

Page 33

Frameworks – BSC

From an IT Governance Perspective

Image from the IT Governance Institute’s Information Systems Control Journal The Balanced Scorecard and IT Governance By Wim Van Grembergen, Ph.D.

Page 34

Frameworks – BSC

Strategy to Operational Terms

The balanced scorecard provides a framework to translate a strategy into operational terms. Vision and strategy sit at the centre, linked to four perspectives, each with its own objectives, measures, targets and initiatives:

Financial – To succeed financially, how should we appear to our shareholders?

Customer – To achieve our vision, how should we appear to our customers?

Internal Business Processes – To satisfy our shareholders and customers, what business processes must we aim at?

Learning and Growth – To achieve our vision, how will we sustain our ability to change and improve?

From a Performance Measurement Presentation in the archives of the Faculty of Technology, Policy and Management, TBM.tudelft.nl, slide context attributed to: R.S. Kaplan, The balanced scorecard, 1996

Page 35

Frameworks – TOGAF

From TOGAF version 8.1

Page 36

Frameworks – TOGAF

From TOGAF version 8.1

Page 37

Frameworks – Zachman

From TOGAF version 8.1, Framework image from ZIFA.com

Page 38

Standards – AcSOC & PSAB

AcSOC’s primary function is to serve the public interest by overseeing the activities of the Accounting Standards Board (AcSB) and the Public Sector Accounting Board (PSAB). The AcSB and the PSAB both develop and establish standards and guidance governing financial accounting and reporting in Canada. The AcSB sets standards for profit-oriented enterprises and not-for-profit organizations, while the PSAB sets standards for public sector entities.

Page 39

Standards – PSAB

Focus: Accounting Standards for Public Sector entities

Consider PSAB when you need “to maintain the financial integrity of the entity” (Council role “e”)

Page 40

Standards – ISO/IEC 17799

ISO 17799 Information Technology – Code of Practice for Information Security Management

Published by the International Organisation for Standardisation (http://www.iso.org) and the International Electrotechnical Commission (http://www.iec.org)

Page 41

Standards – CMMI

Best-known Maturity Model

Initial, Repeatable, Defined, Measurable, Optimized

1 – initial: ad hoc, chaotic
(via project management)
2 – managed: projects perform according to plan
(via process definition)
3 – defined: projects are more consistent across the organization
(via process measurements)
4 – quantitatively managed: process performance is predictable
(via process control)
5 – optimizing: continually improving process performance

CMMI as described by:

Page 42

Standards – ISO 17799 Domains

Security Policy
Security Organization
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Systems Development & Maintenance
Business Continuity Management
Compliance

Page 43

Standards – ISO 17799

Focus: Controls need to be established to ensure that the specific security objectives of the organization are met

Consider it when: You need guidance regarding the establishment and operation of security controls

Page 44

Standards – PMBOK®

Project Management Body of Knowledge

Planning and controlling projects
Broadly applicable; small to large scale; different domains or industries
Globally recognized: ANSI American National Standard, IEEE Standard

Page 45

Standards – PMBOK®

Focus: Planning and controls of projects; commonly accepted framework; not a ‘how’, but a ‘what’

Consider it when: You are leading a small or large project or initiative

Page 46

Processes – Six Sigma

Six Sigma was invented by Motorola in 1986 as a way to measure defects and improve quality. Since then, it has evolved into a business improvement methodology that focuses an organization on customer requirements, process alignment, analytical rigor and timely execution.

Page 47

Processes – Six Sigma

Focus: Quality is defined by customer requirements for the chosen process; defects are defined and counted; inconsistencies in the process, known as variation, are studied

Consider it when: The process involves producing a product or service for a customer and you want to measure improvements.

Page 48

Processes – LEAN (Kaizen)

Lean is about reducing or eliminating all activities that do not add value. It reduces or eliminates 8 principal sources of waste:

Waiting - set-up, changeover, no work, no operator, downtime

Inventory - stagnant Work-in-Process, spare parts, just-in-case

Overproduction - batch runs, minimum run rates

Extra Processing - rework, conditioning

Motion - non-adjacent processing, go-fer

Transportation - moving product

Defects - rejects

Underutilized People - THE GREATEST WASTE OF ALL!

From a TechHelp presentation, www.techhelp.org

Page 49

Integration Matrix

What was the One Common Denominator for Frameworks and Standards? Right! COBIT! COBIT has been mapped to: COSO, ITIL, SEI-CMMI, PMBOK & Prince2, TOGAF, ISO 17799

Page 50

Integration Matrix

Directives / Requirements (rows):
Corporate – Orders in Council, Directives, Policy
Social – Conservation, Environment, Health & Safety
Government – Federal, Provincial, Regional, Bill 198*

IT activity (columns): IT Policy-based Initiatives, IT Sustainment, IT Development, IT Governance

Frameworks / Standards / Processes: the integrating framework is COBIT; COSO, ISO 17799, ITIL, BSC, PMBOK, TOGAF, PSAB, CMMI

Tools for success – Six-Sigma / Lean / other initiatives

* See note on Bill 198 – next slide

Page 51

BILL 198

An Act to implement Budget measures and other initiatives of the Government

Bill 198 enables Ontario Municipal Statutes. Bill 198 also enables OSC regulations, but that’s not germane to this presentation… yet. It may be in the future. In the context of “a public sector entity”, there is the possibility that public sector entities may, at some point in time, be required to satisfy “OSC-type” regulations in a manner similar to public companies listed on the TSX and other exchanges. This is beginning to happen voluntarily in some places as a “matter of good governance”.

Page 52

Why is this document so important?

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley

Page 53

Auditing Standard 2 (AS2)

COBIT – Control Objectives
ITIL – Activities
ISO 17799 – Security
Internal Controls – Integrated Framework (Not ERM)

Version 2.0 benefits from lessons learned during the first two years.

Sarbanes-Oxley Act of 2002

Bill 198

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

Page 54

Why is this document so important?

The first edition has been downloaded more than a quarter of a million times*
De facto standard for evaluating information technology (IT) controls in support of compliance
Governance
More than 100 expert reviewers provided input to the second edition
The second edition incorporates many of the lessons learned since the first edition of the publication was issued
De facto Road Map for designing a governance initiative based on COBIT, which is already integrated with much of COSO, ITIL & ISO 17799

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

* From the InsideSarbanesOxley.com blog http://www.insidesarbanesoxley.com/sarbanes_oxley_blog/archive/2006_10_01_index.asp

Page 55

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

Page 56

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

Page 57

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

1. Plan and Scope

2. Assess Risk

Page 58

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

3. Document Controls

4.1 Evaluate Design

4.2 Evaluate Operational Effectiveness

Page 59

Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)

5. Evaluate and Remediate Deficiencies

6. Build Sustainability

Page 60

Integration – How to Integrate

IT Governance Based on COBIT4:
Follow the Compliance Road Map
Use all of COBIT4’s Control Objectives initially
Scale back where not applicable
Scale up with other frameworks where applicable. For example: ITIL in COBIT4 is to ensure compliance with regulations; add more ITIL where appropriate. Same for ISO 17799, PMBOK, TOGAF & CMMI
Customize to fit your environment, as you did with the Tailored PM Framework

Page 61

Questions?