e5c419967ce5aeb7677f94f177ae3ea4.ppt
- Number of slides: 27
1 IT Governance & IT Audit
Ir. Erica Rietveld, October 16th, 2007
2 Two subjects
1. IT Audit as an IT Governance instrument. Purpose: being in control of IT
2. Audit of IT Governance. Purpose: being in control of decision-making about IT
IT-governance audit as a business instrument
3 Definition of IT Governance
Elements:
• Its subject is the use of IT to achieve business objectives
• It describes accountability and mandate / authority
• It includes both structures and processes (who & how)
• It is an organizational capacity (not an individual one)
• It is an integral part of enterprise governance
Performance: does IT deliver?
Conformance: does IT deliver in conformity with relevant rules?
4 IT Governance includes command & control
"I decide what happens around here!" – "Are you sure it really happens?"
5 Command and control
Command: the power or authority to give direction or instruction to do something
Control: the methods of effecting the will of command
Principles of command
• Unity of command
• Unity of direction
• Chain of command
• Responsibility must go with authority
• Subordination of individual interest
Principles of control
• Formalization
– of policies, plans, standards etc.
– quantification
• Feedback
– periodical
– consistent
6 When are we in control of IT?
– When we can account for all investments in IT
– When we have mitigation plans for all identified significant risks
– When models & reports about IT are correct
– When IT operations perform as expected / contracted
– When forecasts are reliable
Results of audit
– Certificate: yes, you are (sufficiently) in control
or
– List of issues to be improved
7 COBIT - Three viewpoints
1. IT processes: domains (Planning & organization, Acquisition & implementation, Delivery & support, Monitoring), broken down into processes and activities
2. IT resources: People, Application systems, Data, Technical infrastructure, Facilities
3. Quality criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
8 When are we in control of IT Governance?
• When it is clear who decides about what
• When it is clear which rules the enterprise has to comply with
– external and internal rules
• When IT governance is sufficiently linked to business governance (alignment)
• When sufficient feedback is organized to assess
1. the effectiveness of the accountability structure
2. the effectiveness of decision makers
3. the effectiveness of policies / rules / standards
9 COBIT processes: Planning & Organization
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess and Manage Risks
PO 10 Manage Projects
PO 11 Manage Quality
10 Process model of the Planning & Organization (PO) domain
[Diagram: business requirements and external requirements feed the PO domain. The diagram lists the PO processes in two groups: a strategic cluster (Strategic IT plan, Define information architecture, Technological direction, Ensure compliance, IT organization + relationships) and general resource processes (Assess & manage risks, Manage projects, Manage quality, Manage IT investment, Communicate direction, Manage HR). PO outputs flow to the Acquisition & Implementation, Delivery & Support and Monitoring domains.]
11 My problem with "control"
• Control is useless without command
• Being in control does not imply that the business is doing well
• Acting by the book does not produce a sustainable competitive advantage
• Controlling behaviour may endanger trust, creativity etc.
12 Modelling accountability
[Diagram: a Ruler sets the contract with an Accountable person (formalization & feedback; unity of command; unity of direction). The Accountable person owns an Area of accountability: all subjects & objects that the accountable person is held accountable for, e.g. employees, policies, services, processes, models, information systems, buildings, inventories, knowledge, rules, data, culture, etc.]
13 AofA's are nested
• Down to the level of "team" or individual
• Everybody has rulers, everybody is a ruler
14 Accountability & the organogram
• Hierarchy of accountable persons
• "Chain of accountability"
• Easier to draw than the nested structure of AofA's (communication function of models)
15 Case 1: in control of change?
• Large bank, department of Payments & Savings
• Bureaucratic, all processes in place, architecture
• External change: SEPA, Internet, etc.
• 70 change programs
– Qualified program managers
– Standardized program management processes
– Most involved line managers lead steering groups, others are members
• Problems:
– programs rarely meet the objectives, esp. related to time (internal audit issue)
– budget constraints have resulted in lagging maintenance of the basic payments infrastructure
16 Assessment
• Line managers spend 80% of their time on programs
• Line management authority is reduced to managing human resources (outside program roles)
• No program manager ever gets satisfactory decisions from a steering group (there is always a reason not to decide)
• There is a high level of dependence between the programs
• The coordination between the 70 programs is supported by architecture, but nobody is accountable (nor could any human being be)
• Nobody is really held accountable for results, except the managing director of P&S
• Collective inferiority complex: we just can't get it right
Conclusion: organizing change in programs has destroyed the change capability of this organization
17 A new set of principles is adopted
• Change is 'business as usual', and thus the responsibility of line management
• Every line manager manages the changes in his own "area of accountability" (AofA)
• Every line manager renegotiates contracts with his context when changes in his AofA require changes in relationships / exchanges
• The total orchestration of changes within his AofA and in contracts must be manageable for one human being ("management ergonomics")
18 Practical rules
• To effect change in contracts, behave equally in horizontal and vertical relationships
– The reason for change is not related to the hierarchy; all parties involved want to remain successful in the dynamic context, knowing they are highly dependent on each other.
• Translate change first of all into concrete adjustments in your service catalogue. *)
– If you will deliver the same service, why change?
– If you need to deliver other services, then you may also need adjustments in strategy, processes, systems etc.
*) Service catalogue: includes prices, conditions etc. The service catalogue should include all information that enables a client to conclude whether he wants your service and what the relevant conditions for delivery are.
19 Lessons case 1
• Having all processes in place etc. does not guarantee good performance (it does help!)
• Information is always incomplete; the role of a manager is to decide anyway
• Without people taking responsibility no structure will work
20 Case 2: in control of customer information
• Interpolis, insurance company
• 7 business units: "market organizations" (MOs), one per product
• Strategy: customer orientation (all-in-1 policy)
• Shared application for basic customer data
– Dissatisfied users
– No innovation
• Solution: new app (Siebel), steering committee with all MOs, customization & implementation program
• Results: slow & tumultuous decision making, blocking progress
• Who is accountable?
21 A new Area of Accountability
• Accountability: provide customer information to Interpolis' market organizations
• Design: internal service center (KID)
• The AofA includes, among others:
– Customer data
– Applications, methodologies
– Knowledge about customer data and relevant laws/rules
– Service catalogue
• The AofA has concluded Service Level Agreements with the MOs
• Interpolis was acquired by Achmea; KID perceives this as a market extension: Avero is now a client
22 Results
• Quality and costs were benchmarked against the industry in 2005: top position in the industry
• Employee satisfaction and solidarity were measured in 2007: top position within Achmea
• Implementation of Siebel was stopped; the old systems now deliver the new service
• The service portfolio grows: specialization, entrepreneurship, innovation
Benchmarking customer data: costs per customer
  Interpolis                                    € 2,05
  Large Dutch insurance company                 € 4,50
  Small Dutch savings bank                      € 9,--
  Regional bank in the US (source: Forrester)   $ 5,95
  Benchmark consumers                           € 5,--
  Benchmark business                            € 7,70
23 Lessons case 2
• Do not share ownership of information nor of applications
• If you give people the mandate to change, they will
• Internal markets work without a free price mechanism
24 An alternative for Command & Control?
• Some management science theorists hold that the idea is now obsolete.
• Dee Hock: "Purpose and principle, clearly understood and articulated, and commonly shared, are the genetic code of any healthy organization. To the degree that you hold purpose and principles in common among you, you can dispense with command control. People will know how to behave in accordance with them, and they'll do it in thousands of unimaginable, creative ways. The organization will become a vital, living set of beliefs."
25 Not either/or but both/and
[Diagram: the accountability model of slide 12 extended. The Ruler's command & control (unity of command, unity of direction, contract, formalization & feedback) and the Accountable person's Area of accountability are combined with the purpose and principles of both parties ("my purpose and principles") and the shared purpose and principles of collaboration.]
26 View on organizations
• An organization is both a "designed" system and a "natural" / social system; Gesellschaft + Gemeinschaft.
– People are its major strength and weakness; its most valuable asset and major risk
27 View on organizations
• An organization is a "living" system, dependent on its interaction with a dynamic environment
– We have to use and rely on the power of self-organization, but if we want to achieve specific performance & conformance we also need command & control.
– Only purpose & principles: religious sect