IT Governance within Financial Institutions
Kirk Tyrell, CISA, Assistant Director, Financial Institutions Supervisory Division, Bank of Jamaica (www.boj.org.jm)
CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners, June 23 – 25, 2009, Georgetown, Guyana


Page 1: IT Governance within Financial Institutions

IT Governance within Financial Institutions

Kirk Tyrell, CISA
Assistant Director, Financial Institutions Supervisory Division
Bank of Jamaica, www.boj.org.jm

CARTAC & Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners

June 23 – 25, 2009, Georgetown, Guyana

Page 2: IT Governance within Financial Institutions

Topics

What does IT Governance involve?
Why is IT Governance important?
What you must know about IT Governance
Supervisory expectations for IT Governance

Page 3: IT Governance within Financial Institutions

What is IT Governance?

“…is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.” (source www.wikipedia.com)

……

Page 4: IT Governance within Financial Institutions

What is IT Governance?

“… the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.” (source www.ITGI.org)

Page 5: IT Governance within Financial Institutions

Problems With IT Governance

Is IT governance different from IT management and IT controls? Why the confusion?

Does IT confer strategic advantage?

Are all the detailed process controls necessary?

Page 6: IT Governance within Financial Institutions

Why the Increased Focus on IT Governance?

High profile collapses (e.g. Enron, Arthur Andersen, WorldCom, AIB, HSBC, etc.)

Maintaining (or Recapturing) public confidence and trust

Anchor for effective risk management

……

Page 7: IT Governance within Financial Institutions

Why the Increased Focus on IT Governance?

Respond to calls for greater transparency and closer oversight, to prevent similar problems from happening again

Board and executive management awareness of the challenges facing IT management

Sarbanes-Oxley (US) and Basel II (Europe)

……

Page 8: IT Governance within Financial Institutions

Why the Increased Focus on IT Governance?

“…effective corporate governance is essential to maintaining public trust and confidence in the banking sector, and provides a crucial anchor for sound risk management practices." Mr Jaime Caruana, Chairman of the Basel Committee and Governor of the Bank of Spain

Page 9: IT Governance within Financial Institutions

IT Governance Goals

Provide assurance that the investments in IT generate business value

Establish structures and controls to mitigate the risks that are associated with IT

A proactive and holistic approach to talent management within IT

Page 10: IT Governance within Financial Institutions

IT Governance Frameworks

Enhancing Corporate Governance for Banking Organizations (BIS)

The IT Infrastructure Library (ITIL)

Control Objectives for Information and related Technology (COBIT)

The ISO/IEC 27001 (ISO 27001)

……

Page 11: IT Governance within Financial Institutions

IT Governance Frameworks

ISO/IEC 38500:2008 Corporate Governance of Information Technology

Others: The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs ("IT Baseline Protection Manual" before 2005)

The Information Security Management Maturity Model ISM3

AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology

……

Page 12: IT Governance within Financial Institutions

Non-IT Specific Frameworks

The Balanced Scorecard (BSC) - method to assess an organization’s performance in many different areas

Six Sigma - focus on quality assurance

Page 13: IT Governance within Financial Institutions

Sub-Domains of IT Governance

Regulatory compliance
Information governance and information security
IT Service Management
Project governance
Risk management

……

Page 14: IT Governance within Financial Institutions

Sub-Domains of IT Governance

Knowledge Management, including Intellectual Capital

Business continuity and disaster recovery

Page 15: IT Governance within Financial Institutions

Components of IT Governance Cycle

Create strategic alignment: SISP (strategic information systems planning) based on the overall plan

Manage the system daily to ensure achievement of targets

Structure/organize IT resources for increased efficiency/effectiveness

Risk management: establish controls to ensure achievement of goals

Determine and obtain input for achievement of goals/objectives

Audit/performance measurement: hold persons accountable

Policies of the Board of Directors and directives of top management

Apply necessary corrective action to the results of the assessment

Page 16: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 17: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 18: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

Achievement of IT alignment requires:
Leadership and commitment from the highest levels
Proactive engagement

Page 19: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

The board should take responsibility for:

Ensuring that IT strategy is aligned with business strategy

Ensuring that IT delivers against the strategy

Directing IT strategy to balance investments

Page 20: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

Making informed decisions about the focus and priority for the use of IT resources

Ensuring that appropriate IT and related business resources are available

Page 21: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

…there is a strong argument that ultimate responsibility for IT strategy setting and implementation should rest with the business leadership.

The right things are chosen in the first place
Things are being done well
Things are being done the right way
Derive maximum benefits

Page 22: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

Internal bodies in the form of:
IT Investment Committee
IT Policy Committee
IT Steering Committee
IT Strategy Committee

Page 23: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

Page 24: IT Governance within Financial Institutions

Domain 1 – Strategic Alignment

Examiners’ Expectation:
Duties of the IT Strategy and IT Steering Committees are defined in a formal charter
Ensure that the financial institution is paying attention to the importance of IT strategic planning and its alignment with business objectives

Page 25: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 26: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Essential components:
IT governance overall is about delivering value and managing risk
Value delivery, which embodies the concept of risk-related returns
Value delivery is not possible without strategic alignment and resource management

Page 27: IT Governance within Financial Institutions

Domain 2 – Value Delivery

…it is impossible to provide transparency of success or failure without performance measurement

Page 28: IT Governance within Financial Institutions

Domain 2 – Value Delivery

…value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT (source ITGI)

Page 29: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Key Board responsibilities:
Ensure that stakeholder value is obtained
Allocation of resources

Page 30: IT Governance within Financial Institutions

Domain 2 – Value Delivery

A study carried out within the global financial services group ING indicates that IT-related business investments have the potential to deliver far greater returns than almost any other conventional investment. Source: ITGI, 2008

Page 31: IT Governance within Financial Institutions

Domain 2 – Value Delivery

IT-related spending or investment:
Run the business
Grow the business
Transform the business

Source: The META Group

Page 32: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Key components of an IT investment approval process include:

Preparation of a comprehensive business case based upon a consistent corporate standard and agreed assumptions (e.g. tax rates and inflation rates)

Establish an approval board or committee

Page 33: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Consideration of key financial metrics (e.g. NPV, IRR and payback period, etc.)

Provision for proper accountability for the delivery of results

Definition of appropriate hurdle rates for IT investments
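The approval-process components above name NPV, IRR, payback period and a hurdle rate without showing how an approval board combines them into a decision. The following is an added example, not code from the original slides or from ITGI/COBIT: it scores a business case against an approval policy. The cash flows, the 12% hurdle rate and the three-year payback limit are constructed sample values, the IRR-by-bisection routine is this example's own implementation, and the `evaluate_business_case` rule (positive NPV at the hurdle rate, IRR above the hurdle, payback within the limit) is an assumed policy rather than one the slides prescribe.

```python
"""Added example: evaluating an IT investment business case against a
hurdle rate with NPV, IRR and payback period. All figures are constructed
sample data, not values from the presentation."""
from typing import Dict, List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value. cash_flows[0] is the time-0 outlay (negative);
    cash_flows[t] is the net inflow at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """Internal rate of return by bisection: the discount rate at which NPV
    is zero. Returns None when NPV has the same sign at both ends of the
    bracket (no conventional IRR). Projects whose cash flows change sign
    more than once can have several IRRs; bisection returns one of them,
    so NPV at the hurdle rate is the more reliable test for such cases."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years until cumulative undiscounted cash flow reaches zero, with
    linear interpolation inside the recovering year. None if the outlay
    is never recovered within the horizon."""
    cumulative = cash_flows[0]
    if cumulative >= 0:
        return 0.0
    for t in range(1, len(cash_flows)):
        prev = cumulative
        cumulative += cash_flows[t]
        if cumulative >= 0:
            # fraction of year t needed to cover the shortfall left after year t-1
            fraction = -prev / cash_flows[t] if cash_flows[t] else 0.0
            return (t - 1) + fraction
    return None


def evaluate_business_case(cash_flows: List[float], hurdle_rate: float,
                           max_payback_years: float) -> Dict[str, object]:
    """Assumed approval-board rule (not from the slides): NPV at the hurdle
    rate must be positive, the IRR must exceed the hurdle rate, and the
    investment must pay back within the policy limit."""
    v = npv(hurdle_rate, cash_flows)
    r = irr(cash_flows)
    pb = payback_period(cash_flows)
    approved = bool(v > 0 and r is not None and r > hurdle_rate
                    and pb is not None and pb <= max_payback_years)
    return {"npv": v, "irr": r, "payback_years": pb, "approved": approved}


if __name__ == "__main__":
    # Constructed sample cases (thousands of currency units, 4-year horizon).
    core_banking_upgrade = [-1000.0, 300.0, 400.0, 500.0, 400.0]
    reporting_tool = [-500.0, 100.0, 100.0, 100.0]
    policy = {"hurdle_rate": 0.12, "max_payback_years": 3.0}
    for name, flows in (("core banking upgrade", core_banking_upgrade),
                        ("reporting tool", reporting_tool)):
        print(name, evaluate_business_case(flows, **policy))
```

The payback limit is deliberately a separate gate from NPV: the first sample case clears the hurdle rate comfortably but would be rejected under a two-year payback policy, which is the kind of trade-off an approval board has to make explicit.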

Page 34: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Providing assurance that:
proper project management processes will be followed,
all parts of the business that will be affected by the outcome are committed, and
the resources necessary to maximize the chances of success will be committed
Increase the capability maturity model (CMM) level for systems development and implementation

Page 35: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Realizing the Benefits:
The clarity and precision of anticipated benefits
Ongoing tracking of the actual benefits achieved
Ensure appropriate accountability

Page 36: IT Governance within Financial Institutions

Domain 2 – Value Delivery

Examiners’ Expectation:
The Board monitors IT delivery against the strategy through clear expectations and measurement
Management sets baselines for measuring capacity and growth planning and service improvement, and utilizes industry standards and benchmarking
Operations management measures and reports on budget achievement

Page 37: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 38: IT Governance within Financial Institutions

Domain 3 – Performance Measurement

Demonstrates the effectiveness and added business value of IT

Getting business value from IT and measuring that value are important governance domains

Page 39: IT Governance within Financial Institutions

Domain 3 – Performance Measurement

IT performance management is aimed at identifying and quantifying IT costs and IT benefits.
Limitations of traditional quantifiable performance measures (financial terms) such as ROI, NPV, IRR and the payback method
Overcome the limitations of measuring “unquantifiable” values, e.g. with an IT balanced scorecard

Page 40: IT Governance within Financial Institutions

Domain 3 – Performance Measurement

The Balanced Scorecard (BSc) is a performance management tool which began as a concept for measuring whether the smaller scale operational activities of a company are aligned with its larger scale objectives in terms of vision and strategy

Page 41: IT Governance within Financial Institutions

Domain 3 – Performance Measurement

By focusing not only on financial outcomes but also on the operational, marketing and developmental inputs to these, the BSc helps provide a more comprehensive view of a business, which in turn helps organizations act in their best long-term interests (source Wikipedia)

Page 42: IT Governance within Financial Institutions

Domain 3 – Performance Measurement

Page 43: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 44: IT Governance within Financial Institutions

Domain 4 – Risk Management

Requires:
Risk awareness by senior corporate officers
A clear understanding of the financial institution’s appetite for risk
Understanding of compliance requirements
Transparency about the significant risks to the enterprise
Embedding of risk management responsibilities into the organization

Page 45: IT Governance within Financial Institutions

IT Governance Domain (COBIT)

[Figure: IT governance domains (COBIT): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]

Page 46: IT Governance within Financial Institutions

Domain 5 – Resource Management

Optimal investment in, and the proper management of, critical IT resources (i.e. applications, information, infrastructure and people)

Key issues relate to the optimization of knowledge and infrastructure

Page 47: IT Governance within Financial Institutions

Examiners’ Responsibilities

Review:
IT strategies, plans and budgets
Security policy documentation
Organizational charts
Job descriptions
Steering committee reports
Change management procedures

……

Page 48: IT Governance within Financial Institutions

Examiners’ Responsibilities

Operations reports and procedures
Quality assurance procedures
Noting exceptions and absence of documentation

……

Page 49: IT Governance within Financial Institutions

Examiners’ Responsibilities

Reviewing contractual commitments:
Development of contractual requirements
Contract bidding process
Contract selection process
Contract acceptance, maintenance and compliance

Page 50: IT Governance within Financial Institutions

Lessons Learnt

Each financial institution should have an IT Steering Committee with requisite board and management involvement

The board and management should ensure that policies and procedures are reviewed periodically for relevance

Financial institutions should adopt applicable industry best practices and rules to guide IT management.

Page 51: IT Governance within Financial Institutions

Questions

Page 52: IT Governance within Financial Institutions

Additional Resources

Executive Summary, COBIT v3.0 and COBIT v4.1. Retrieved from http://en.wikipedia.org/wiki/COBIT

ITIL for service delivery
CMM for solution delivery
ISO 17799 for information security
PMBOK or PRINCE2 for project management