Grcm Presentation On Aug 4 2009

Uploaded by rabett, posted 30-Jun-2015

TRANSCRIPT

Page 1: Grcm Presentation On Aug 4 2009

September 2009

INTEGRATING GOVERNANCE, RISK, AND COMPLIANCE MANAGEMENT TO ENHANCE REQUIREMENTS ENGINEERING IN INFORMATION TECHNOLOGY PROJECTS

Prepared by: Mr. Richard Bett,

M.Sc. PM, PMP

September, 2009

Copyright © 2009 ABET Technologies Incorporated

Page 2: Grcm Presentation On Aug 4 2009

Outline

1. Research Objectives
2. Performing Requirements Engineering (RE)
3. Governance, Risk and Compliance Mgmt (GRCM)
4. Research Methodology
5. Data Analysis
6. Conclusion
7. References

Page 3: Grcm Presentation On Aug 4 2009

1. Research Objectives

- Challenges and Success Factors as to Practicing Requirements Engineering (RE) in Information Technology (IT) Projects.
- Relevance of GRCM for RE.

Page 4: Grcm Presentation On Aug 4 2009

2. Performing Requirements Engineering

- Overview of RE
- RE Process
- RE in General
- RE Capability Measurement Framework

Page 5: Grcm Presentation On Aug 4 2009

3. Governance, Risk and Compliance Management (GRCM)

- Foundation of GRCM as Best Practices
- Governance
  - Overview of IT Governance
  - IT Governance Focus Areas
  - IT Governance Tools: COBIT, ITIL, ISO 17799

Page 6: Grcm Presentation On Aug 4 2009

3. Governance, Risk and Compliance Management (GRCM) - cont.

- Risk Management
  - Overview of Risk Management
  - Project Risk Management
  - Minimize Risks
- Compliance
  - Compliance Overview
  - Compliance with Legal Requirements
  - Reviews of Security Policy and Technical Compliance

Page 7: Grcm Presentation On Aug 4 2009

3. Governance, Risk and Compliance Management (GRCM) - cont.

- System Audit Considerations
- Relating GRCM to Other Software Engineering Practices
- GRCM Measurement Framework
- Measuring the Level of Capability in the Organizational Context

Page 8: Grcm Presentation On Aug 4 2009

4. Research Methodology

- Positivist Case Study Research
- Research Process
  - Design of the Case Study
  - Conduct of the Case Study
  - Analysis of the Case Study Evidence
  - Writing up the Case Study Report
- Case Profiles

Page 9: Grcm Presentation On Aug 4 2009

4.1 BETT - GRCM Conceptual Framework

Governance Elements:
- IT Strategic Planning
- IT Project Management
- IT Control Framework
- IT Asset Management
- IT Processes

Risk Management Elements:
- Embed into the project an IT governance structure
- Establish an audit committee
- Monitor IT resources to ensure project tasks are completed
- Risk analysis part of ongoing monitoring of IT risks and controls

Compliance Elements:
- Brief project mandate to committees involved
- Ensure IT Alignment with business
- Comply with new regulations
- Consider security in the project

Requirements Engineering:
- Elicitation
- Analysis
- Prioritization
- Validation
- Documentation
- Management

Organizational Context:
- Senior Management Leadership / Commitment

(Diagram: the Governance, Risk and Compliance Management box is linked to the Requirements Engineering box by an arrow labelled "Correlation", with Organizational Context shown alongside.)

Page 10: Grcm Presentation On Aug 4 2009

5. Data Analysis

- Capability Measurement Framework for GRCM and RE
- Within-Case Analysis to Identify Key Relationships between GRCM and RE
- Cross-Case Analysis to Identify Key Relationships between GRCM and RE

Page 11: Grcm Presentation On Aug 4 2009

6. Case Studies

6.1. Registration of Businesses on the Web
6.2. Corporate Intranet Revamp Project
6.3. Travel Automation Information System
6.4. Financial Management Information System (FMIS)

Page 12: Grcm Presentation On Aug 4 2009

6.1. Case Study A - Registration of Businesses on the Web

Who - Organization
Where - Ottawa
When - May 2008
What they did - Built a WEB application (in-house) and made it available to organizations across Canada to register their business.

Page 13: Grcm Presentation On Aug 4 2009

6.2. Case Study B - Corporate Intranet Revamp Project

Who - Organization
Where - Ottawa
When - July 2007
What they did - Revamped their existing corporate intranet to better reflect the services offered to the internal users.

Page 14: Grcm Presentation On Aug 4 2009

6.3. Case Study C - Travel Automation Information System

Who - Organization
Where - Ottawa
When - February 2007
What they did - They went through an exercise of identifying functional requirements and then met with the technical team to identify non-functional requirements. An option analysis document was created and a recommendation was given as to whether they should opt for an in-house solution or go with COTS.

Page 15: Grcm Presentation On Aug 4 2009

6.4. Case Study D - Financial Management Information System

Who - Organization
Where - Ottawa
When - September 2006
What they did - Upgraded their existing financial application and needed to ensure all requirements were identified, prioritized and approved, before installing and configuring the application.

Page 16: Grcm Presentation On Aug 4 2009

GRCM Capability Framework

Level of Capability per Case Study (A, B, C, D):

GRCM Elements                                       A  B  C  D
Governance
  IT Strategic Planning                             3  2  2  3
  IT Project Management                             3  2  2  3
  IT Control Framework                              2  2  2  3
  IT Asset Management                               3  3  3  3
  IT Processes                                      3  2  2  3
Risk Management
  IT Governance Structure                           2  3  2  3
  Audit and Monitor                                 1  1  1  1
  Monitor and Track Risks regularly                 3  3  3  3
  Perform risk analysis                             3  2  2  3
Compliance
  Brief project mandate to committees               3  3  2  3
  Ensure IT Alignment with business                 2  2  2  3
  Comply with regulations, policies and procedures  3  3  3  3
  Consider security in the project                  3  3  3  3

Legend:
- Green (3) = Fully Integrated / full capability
- Yellow (2) = Semi Integrated / poor capability
- Red (1) = Not Integrated / no capability

Page 17: Grcm Presentation On Aug 4 2009

RE Capability Framework

Level of Capability per Case Study (A, B, C, D):

RE activities        A  B  C  D
  Elicitation        3  2  2  3
  Analysis           3  3  2  3
  Prioritization     3  2  2  3
  Validation         3  3  2  3
  Documentation      2  2  2  3
  Management         2  2  2  3

Page 18: Grcm Presentation On Aug 4 2009

Organizational Context Framework

Level of Capability per Case Study (A, B, C, D):

Organizational Context                       A  B  C  D
  Senior Management Leadership - Commitment  3  3  2  3

Page 19: Grcm Presentation On Aug 4 2009

Case Study D – Observation #1

GRCM ↑: Great IT Strategic Planning
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↑: Great Senior Management Leadership (Enhancement)

Page 20: Grcm Presentation On Aug 4 2009

Case Study D – Observation #2

GRCM ↑: Great IT Project Management
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↑: Great Senior Management Leadership (Enhancement)

Page 21: Grcm Presentation On Aug 4 2009

Case Study D – Observation #3

GRCM ↑: IT Governance Structure
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↑: Great Senior Management Leadership (Enhancement)

Page 22: Grcm Presentation On Aug 4 2009

Case Study D – Observation #4

GRCM ↑: Perform Risk Analysis
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↑: Great Senior Management Leadership (Enhancement)

Page 23: Grcm Presentation On Aug 4 2009

Case Study D – Observation #5

GRCM ↑: IT aligned with Business
RE ↑: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↑: Great Senior Management Leadership (Enhancement)

Page 24: Grcm Presentation On Aug 4 2009

Case Study C – Observation #1

GRCM ↓: IT Strategic Planning
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↓: Lack of Senior Management Leadership (Moderator)

Page 25: Grcm Presentation On Aug 4 2009

Case Study C – Observation #2

GRCM ↓: IT Project Management
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↓: Lack of Senior Management Leadership (Moderator)

Page 26: Grcm Presentation On Aug 4 2009

Case Study C – Observation #3

GRCM ↓: IT Governance Structure
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↓: Lack of Senior Management Leadership (Moderator)

Page 27: Grcm Presentation On Aug 4 2009

Case Study C – Observation #4

GRCM ↓: Perform Risk Analysis
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↓: Lack of Senior Management Leadership (Moderator)

Page 28: Grcm Presentation On Aug 4 2009

Case Study C – Observation #5

GRCM ↓: Ensure IT Alignment with Business
RE ↓: Elicitation, Analysis, Prioritization, Validation, Documentation, Management
OC ↓: Lack of Senior Management Leadership (Moderator)

Page 29: Grcm Presentation On Aug 4 2009

Conclusion

The results from the research support the two objectives:

- Develop and validate a new GRCM and RE Capability Measurement Framework.
- Explore to what extent GRCM capabilities are correlated with RE capabilities.

Page 30: Grcm Presentation On Aug 4 2009

References

1. Abran, A., Moore, J., Bourque, P., Dupuis, R. (2004). "Guide to the Software Engineering Body of Knowledge." IEEE Computer Society.
2. Basili, V.B.L. (2006). "Empirical Software Engineering: An International Journal."
3. Beecham, S., Hall, T., Rainer, A. (2003). "Defining a Requirements Process Improvement Model."
4. Boehm, T.P., Wigle, G.B., Tsai, J.T. "Specification of Software Quality Attributes." Report RADC-TR-85-37.
5. Cheng, H.C.B., Atlee, M.J. (2007). "Research Directions in Requirements Engineering." IEEE Computer Society.
6. Dekkers, C.A. (2005). "Creating requirements-based estimates before requirements are complete." CrossTalk(4): 13-15.
7. ITGI (2000). "COBIT 3rd Edition: Executive Summary." COBIT Steering Committee and the IT Governance Institute, Illinois, USA. ISBN 1-893209-15-16.
8. ITGI (2005). "Aligning COBIT, ITIL and ISO 17799 for Business Benefit."
9. ISACA (2007). "COBIT 4.1."
10. Larsen, H.M., Pedersen, K.M., Andersen, V.K. (2006). "Reviewing 17 IT Governance Tools and Analyzing the Case of Novozymes A/S." IEEE.

Page 31: Grcm Presentation On Aug 4 2009

References – cont’d

11. PMI, Ed. (2004). A Guide to the Project Management Body of Knowledge, Third Edition. Project Management Institute.
12. Pressman, R. (2000). Software Engineering: A Practitioner's Approach, 5th edition.
13. Rad, F., Ed. (2002). Project Estimating and Cost Management. Management Concepts, Vienna, VA.
14. Shank, G. (2002). Qualitative Research: A Personal Skills Approach. Merrill Prentice Hall, New Jersey.
15. Smolander, K., Lyytinen, K., Tahvanainen, V.P., Marttiin, P. (1991). "MetaEdit: A Flexible Graphical Environment for Methodology Modelling." Advanced Information Systems Engineering, 3rd International Conference, CAiSE '91, Lecture Notes in Computer Science, Vol. 498, Springer, Trondheim, Norway: 168-193.
16. Sommerville, I., Ed. (2001). Software Engineering. Addison-Wesley, Harlow, England.
17. Sommerville, I. (2005). "Integrated Requirements Engineering: A Tutorial." IEEE Software.
18. Standish, T.G. (2003). "Latest Standish Group CHAOS Report Shows Project Success Rates Have Improved by 50 Percent."
19. Winter, R., Schelp, J. (2008). "Enterprise Architecture Governance: The Need for a Business-to-IT Approach." ACM.
20. Yin, R. (1994). Case Study Research: Design and Methods (2nd ed.). Sage Publishing, Beverly Hills, CA.

Page 32: Grcm Presentation On Aug 4 2009

Thank You! Any Questions?

Richard Bett

613-884-3382