An Overview of Governance Tools
Elegantsolutions.ca
Introduction to Governance Frameworks
A selection of governance tools and how they may be used.
Elegant Solutions
Boyd Carter - 2006
Copyright © 2006 elegantsolutions.ca
(Permission is granted to use unchanged.) www.elegantsolutions.ca
Governance – OECD
A working definition of corporate governance
Grant Kirkpatrick, Corporate Affairs Division, OECD:
"Corporate governance … involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives (i.e. strategy) of the company are set, and the means of obtaining those objectives and monitoring performance are determined."
Governance – CIMA
CIMA – Chartered Institute of Management Accountants:
"Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly."
Governance – itSMF
itSMF – IT Service Management Forum:
"IT governance is the system by which IT within enterprises is directed and controlled. The IT governance structure specifies the distribution of rights and responsibilities among different participants, such as the board, business and IT managers, and spells out the rules and procedures for making decisions on IT. By doing this, it also provides the structure through which the IT objectives are set, and the means of attaining those objectives and monitoring progress."
Governance In Context
- Relationships
- Rights and Responsibilities
- Structure (framework) which facilitates:
  - Setting objectives
  - Attaining those objectives
  - Monitoring performance
Governance Cycles
OECD · Balanced Scorecard · Deming on Quality · ITIL · COBIT
Cycles – Quality (Deming)
Plan → Do → Check → Act (a repeating cycle)
Cycles – Quality (Deming)
Ishikawa expanded Deming's four steps into the following six:
- Plan: Goals and Targets
- Plan: Methods to Achieve
- Do: Education & Training
- Do: Implement Work
- Check
- Act
Source: http://dtiinfo1.dti.gov.uk/mbp/bpgt/m9ja00001/m9ja0000110.html#ishikawa
Cycles – OECD
Political Agenda → Issue Analysis → Policy Making → Implementation → Monitoring
A. Macintosh. Using information and communication technologies to enhance citizen engagement in the policy process. In Promises and Problems of E-Democracy: Challenges of Online Citizen Engagement. OECD, Paris, 2004.
Cycles – Balanced Scorecard
Cause & Effect chain of perspectives: Future Orientation → Operational Excellence → Meet Stakeholder Expectations → Corporate Contribution
Measuring and Improving IT Governance Through the Balanced Scorecard, by Wim Van Grembergen and Steven De Haes. Copyright © 2005 Information Systems Audit and Control Association. All rights reserved.
Cycles – ITIL
Service Strategy → Service Design → Service Transition → Service Operations → Continuous Improvement
ITIL.org · ITIL V3 - Service Life Cycle · Service Strategy
Cycles – TOGAF
The US Federal CIO Council’s perspective
How EA Processes fit within the Enterprise Life Cycle
(Figure: Engineering, Program Mgmt., and Capital Planning & Investment Control processes within the Enterprise Life Cycle)
From TOGAF version 8.1, and The US Federal CIO Council’s "A Practical Guide to Federal Enterprise Architecture"
Cycles – COBIT
(Figure: Objectives → Direct → Create → Protect → Act → Monitor)
From the article "IT Governance Hands-on: Using COBIT to Implement IT Governance" by Luc Kordel, CISA, RE, CISSP, CIA, RFA
Governance: Alignment · Value Delivery · Risk Mgmt. · Resource Mgmt. · Performance Mgmt.
Cycles – Buffalo City
Planning → Implementation → Review → Evaluation → Reporting
The public participates in everything except the actual implementation.
From a thesis by Quinton Walter Williams, January 2006, Masters of Business Administration, Rhodes Investec Business School, Rhodes University, entitled: Implementing Performance Management at Local Government Level in South Africa: A Case Study on the Impact of Organisational Culture.
Cycles – Quality Governance
Relationships, Rights & Responsibilities
Structure (Framework) which facilitates:
- Setting Objectives → Plan (Goals and Targets; Methods to Achieve)
- Attaining those objectives → Do (Education & Training; Implement Work)
- Monitoring Performance → Check, Act
Frameworks – COSO
PWC Presentation (PWC ERM-SET.pdf): COSO 1 and COSO 2
Frameworks – COSO
COSO for Smaller Public Companies (COSO 3)
Image from Volume 2 of COSO’s Internal Control over Financial Reporting – Guidance for Smaller Public Companies
Frameworks – COSO
Image from COSO’s ERM – Integrated Framework
Frameworks – COSO
Example of Framework Content
Image from Resolver’s Compliance Framework
Frameworks – COBIT
COBIT Products
Image from the IT Governance Institute’s COBIT4
Frameworks – COBIT
The COBIT Cube
Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT
Frameworks – COBIT
COBIT Mapped to PMBOK
COBIT is also mapped to SEI-CMM, Prince2, ITIL, COSO, TOGAF & ISO 17799
Image from the IT Governance Institute’s research-PMBOK-Mapping-COBIT
Frameworks – COBIT
COBIT Quickstart to Estimate Scope
Image from the IT Governance Institute’s COBIT Quickstart
In this example, the small company is very dependent on its Information Technology. This would indicate the use of COSO for Smaller Public Companies for the Business Framework and either a complete COBIT Framework for IT or an extended COBIT Quickstart with applicable portions of the complete COBIT Framework added to the project.
SEG = Segregation of Duties
SCS = Simple Command Structure
SCP = Short Communications Path
SOC = Span Of Control
ITL = IT Level (of Sophistication)
ITS = IT Strategic Importance
ITE = IT Expenditures
Frameworks – COBIT
VALIT To Optimize IT Investments
Image from the IT Governance Institute’s VALIT-Framework
Frameworks – COBIT
Example of Framework Content
Image from Resolver’s Compliance Framework
Frameworks – ITIL
From a GC IT Services Perspective, with COBIT for Program Management
Image from The Treasury Board Profile of GC Information Technology Services, http://www.tbs-sct.gc.ca/cio-dpi/webapps/technology/profil/profil05_e.asp
Frameworks – ITIL
From an HP IT Services Planning Perspective
A common ITIL Image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing
Frameworks – ITIL
From an Application Services Library Perspective
Another common ITIL Image, this one from ASLfoundation.org
(Figure: the ITIL publication set, spanning The Business to The Technology: Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; Applications Management; ICT Infrastructure Management; Security Management)
Frameworks – ITIL
From an HP IT Services Operations Perspective
A common ITIL Image, this one from HP’s IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing
Frameworks – BSC
From an IT Governance Perspective
Image from the IT Governance Institute’s Information Systems Control Journal The Balanced Scorecard and IT Governance By Wim Van Grembergen, Ph.D.
Frameworks – BSC
Strategy to Operational Terms
The balanced scorecard provides a framework to translate a strategy into operational terms. Vision and strategy sit at the centre; each of the four perspectives around it carries its own objectives, measures, targets and initiatives:
- Financial: To succeed financially, how should we appear to our shareholders?
- Customer: To achieve our vision, how should we appear to our customers?
- Internal Business Processes: To satisfy our shareholders and customers, what business processes must we aim at?
- Learning and Growth: To achieve our vision, how will we sustain our ability to change and improve?
From a Performance Measurement Presentation in the archives of the Faculty of Technology, Policy and Management, TBM.tudelft.nl, slide context attributed to: R.S. Kaplan, The balanced scorecard, 1996
Frameworks – TOGAF
From TOGAF version 8.1
Frameworks – Zachman
From TOGAF version 8.1, Framework image from ZIFA.com
Standards – AcSOC & PSAB
AcSOC’s primary function is to serve the public interest by overseeing the activities of the Accounting Standards Board (AcSB) and the Public Sector Accounting Board (PSAB). The AcSB and the PSAB both develop and establish standards and guidance governing financial accounting and reporting in Canada. The AcSB sets standards for profit-oriented enterprises and not-for-profit organizations, while the PSAB sets standards for public sector entities.
Standards – PSAB
Focus: Accounting Standards for Public Sector entities
Consider PSAB when you need “to maintain the financial integrity of the entity” (Council role “e”)
Standards – ISO/IEC 17799
ISO 17799: Information Technology – Code of Practice for Information Security Management
Published by the International Organisation for Standardisation (http://www.iso.org) and the International Electrotechnical Commission (http://www.iec.org)
Standards – CMMI
Best-known Maturity Model
Five levels (Initial, Repeatable, Defined, Measurable, Optimized), each reached by adding a further discipline:
1. Initial: ad hoc, chaotic
2. Managed (Repeatable): projects perform according to plan; reached through project management
3. Defined: projects are more consistent across the organization; reached through process definition
4. Quantitatively managed (Measurable): process performance is predictable; reached through process measurements
5. Optimizing (Optimized): continual improvement of process performance; reached through process control
CMMI as described by:
Standards – ISO 17799 Domains
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development & Maintenance
- Business Continuity Management
- Compliance
Standards – ISO 17799
Focus: Controls need to be established to ensure that the specific security objectives of the organization are met
Consider it when: You need guidance regarding the establishment and operation of security controls
Standards – PMBOK®
Project Management Body of Knowledge
- Planning and controlling projects
- Broadly applicable: small to large scale, different domains or industries
- Globally recognized: ANSI American National Standard, IEEE Standard
Standards – PMBOK®
Focus: Planning and controls of projects; a commonly accepted framework; not a ‘how’, but a ‘what’
Consider it when: You are leading a small or large project or initiative
Processes – Six Sigma
Six Sigma was invented by Motorola in 1986 as a way to measure defects and improve quality. Since then, it has evolved into a business improvement methodology that focuses an organization on customer requirements, process alignment, analytical rigor and timely execution.
Processes – Six Sigma
Focus:
- Quality is defined by customer requirements for the chosen process
- Defects are defined and counted
- Inconsistencies in the process, known as variation, are studied
Consider it when: the process involves producing a product or service for a customer and you want to measure improvements.
Processes – LEAN (Kaizen)
Lean is about reducing or eliminating all activities that do not add value. It reduces or eliminates eight principal sources of waste:
Waiting - set-up, changeover, no work, no operator, downtime
Inventory - stagnant Work-in-Process, spare parts, just-in-case
Overproduction - batch runs, minimum run rates
Extra Processing - rework, conditioning
Motion - non-adjacent processing, go-fer
Transportation - moving product
Defects - rejects
Underutilized People - THE GREATEST WASTE OF ALL!
From a TechHelp presentation, www.techhelp.org
Integration Matrix
What was the one common denominator for frameworks and standards? Right! COBIT! COBIT has been mapped to:
- COSO
- ITIL
- SEI-CMMI
- PMBOK & Prince2
- TOGAF
- ISO 17799
Integration Matrix
Directives and Requirements (the drivers):
- Corporate: Orders in Council, Directives, Policy
- Social: Conservation, Environment, Health & Safety
- Government: Federal, Provincial, Regional, Bill 198*
Frameworks, Standards and Processes:
- Integrating framework is COBIT
- Frameworks: COSO, ITIL, BSC, TOGAF
- Standards: ISO 17799, PMBOK, PSAB, CMMI
- Tools for success: Six Sigma / Lean / other initiatives
IT policy-based initiatives: IT Sustainment, IT Development, IT Governance
* See note on Bill 198 – next slide
BILL 198
An Act to implement Budget measures and other initiatives of the Government
Bill 198 enables Ontario Municipal Statutes. Bill 198 also enables OSC regulations, but that’s not germane to this presentation… yet. It may be in the future. In the context of “a public sector entity”, there is the possibility that public sector entities may, at some point in time, be required to satisfy “OSC-type” regulations in a manner similar to public companies listed on the TSX and other exchanges. This is beginning to happen voluntarily in some places as a “matter of good governance”.
Why is this document so important?
Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley
Auditing Standard 2 (AS2)
- COBIT: Control Objectives
- ITIL: Activities
- ISO 17799: Security
- Internal Controls – Integrated Framework (not ERM)
Version 2.0 benefits from lessons learned during the first two years.
Sarbanes-Oxley Act of 2002 · Bill 198
Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)
Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)
Why is this document so important?
- The first edition has been downloaded more than a quarter of a million times*
- De facto standard for evaluating information technology (IT) controls in support of compliance and governance
- More than 100 expert reviewers provided input to the second edition
- The second edition incorporates many of the lessons learned since the first edition of the publication was issued
- De facto road map for designing a governance initiative based on COBIT, which is already integrated with much of COSO, ITIL & ISO 17799
* From the InsideSarbanesOxley.com blog http://www.insidesarbanesoxley.com/sarbanes_oxley_blog/archive/2006_10_01_index.asp
Integration – How to Integrate IT Control Objectives for Sarbanes-Oxley (Cont.)
The road map steps:
1. Plan and Scope
2. Assess Risk
3. Document Controls
4.1 Evaluate Design
4.2 Evaluate Operational Effectiveness
5. Evaluate and Remediate Deficiencies
6. Build Sustainability
Integration – How to Integrate
IT Governance Based on COBIT4:
- Follow the Compliance Road Map
- Use all of COBIT4’s Control Objectives initially
- Scale back where not applicable
- Scale up with other frameworks where applicable. For example: ITIL in COBIT4 is there to ensure compliance with regulations; add more ITIL where appropriate. Same for ISO 17799, PMBOK, TOGAF & CMMI
- Customize to fit your environment, as you did with the Tailored PM Framework
Questions?