Introducing the IT Governance Model
Urs Fischer, CPA (Swiss), CISA, CIA
Head of IT Risk Mgmt & Security, Vice President
Swiss Life Group
12th International Information System Audit and Control Conference
Urs Fischer, Head of IT Risk Management & Security, Swiss Life - September 21st, 2004 2
Agenda
• Why is IT Governance important / implementing IT Governance
• IT Governance Life Cycle
• Where to Start
• Road Map for Implementing IT Governance using COBIT
• The Swiss Life Way
• Summary / Conclusions
IT Governance
• Dependence on IT for core business
• The value of intangible assets
• IT essential to their creation and maintenance
• Emerging accounting standards for recording intangible assets
• “A firm is inherently fragile if its value emanates more from conceptual as distinct from physical assets. Trust and reputation can vanish overnight. A factory cannot!”
Alan Greenspan
Process & Responsibilities
Governance Responsibilities
• take stakeholder value into account
• give direction to the processes
• ensure they provide results
• ensure they act on the results
• get results and challenge them
[Diagram: stakeholder values drive strategy; strategy directs processes; processes use resources (knowledge, information, capability, ...) and report results (assets, risks, outcome, performance); results are measured, confirmed or changed, and improved]
What IT Problem?
Shared Responsibilities
• Are they doing the right things?
• Are they doing it the right way?
• Are they being done well?
• Are we getting benefits?
How does management react?
• Cascading strategy and goals
• Organisational alignment
• A risk and control framework
• Balanced Business Scorecard
What does the Board do?
• Ask tough questions
• Establish IT Governance
• Focus on risk and value
• Direct IT strategy & measure results
Stakeholders apply pressure
• Shareholders and Executive: Lower cost, higher profitability and increased market share
• Customers and Staff: More functionality at lower cost and greater ease of use
• Society: Greater accountability for executives in private and public sector
Assurance Evolution
• Increased Frequency (annual -> quarterly)
• Increased Depth ($ -> control -> systems -> risk)
• More Relationships (enterprise -> services -> products)
What is Management Thinking?
“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman General Electric, World Economic Forum, Davos, 1997
“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!”
Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998
“I am writing a book on the history of Information Technology … in order to better understand why it is such a mess!”
Philippe Corniou, CIO, Renault, ISACA International Conference, Paris, 2001
[Diagram: personal & visual contact; uncertainty, complexity & growth]
Why implementing IT Governance
“Due diligence”: infrastructure and productive functions; skills, culture, operating environment; capabilities, risks, process knowledge and customer information; service levels
Enterprises should be equally inquisitive about themselves.
Criticality
• IT entails huge investments and large risks
• The increasing dependence on information and the systems and communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• IT failures increasingly impacting reputation and enterprise value
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• The need to build and maintain knowledge essential to sustain and grow the business
Strategic Importance
If so, wouldn’t you want to know whether your organisation’s IT is:
• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognising opportunities and acting upon them?
Why has IT not been addressed:
• requires more technical insight
• treated as separate entity
• IT is complex
Why is it not being addressed?
Expectations
• deliver business value
• fast, secure with quality
• efficiency and productivity
• business effectiveness
• IT does more with less
• quantitative return
Reality
• failure to achieve their promise
• effectiveness and processes directly impacted by the quality of IT deliverables
• poor support for the business
• deadlines that are not met
• costs are higher than expected
• quality and efficiency lower than anticipated
The response is IT Governance
Environment: Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices, ...
Set Objectives
• IT is aligned with the business, enables the business and maximises benefits
• IT resources are used responsibly
• IT related risks are managed appropriately
Framework: Alignment, Value Delivery, Management of Risk, Monitoring & Reporting, Evaluation
Lifecycle: Provide Direction, Compare, Measure Performance
IT Activities
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
IT Governance Defined
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
Stakeholders
• Board & Executive: How to define appropriate IT Governance practices, to define business directions for IT and ensure that value is delivered and risks are managed, using the different CobiT components?
• Business Management: How to define my business requirements for IT Governance and ensure that value is delivered and risks are managed using the different CobiT components?
• IT Management: How to deliver the IT services as required by the business and directed by the Board using the different CobiT components?
• IT Audit: How do I use the different CobiT components in my audit activities to assure that IT delivers what it needs to deliver?
• Risk & Compliance: How do I use the different CobiT components in my compliance and risk advisory activities to ensure that IT complies with policy, laws & regulations, and that new risks are identified?
IT Governance Framework
Objectives
• IT is aligned with the business and maximises benefits.
• IT resources are used responsibly.
• IT-related risks are managed appropriately.
[Diagram: CONTROL loop of DIRECT and REPORT over the process domains PLAN/ORGANIZE, ACQUIRE/IMPLEMENT, DELIVER/SUPPORT, MONITOR; PLAN, DO, CHECK, CORRECT]
IT Activities
• Manage risks: security, reliability, compliance
• Realize benefits: increase automation (“effective”), decrease costs (“efficient”)
Lifecycle (1)
[Diagram: lifecycle phases Direct, Create, Protect, Act, Monitor around the focus areas Alignment, Value Delivery, Risk Management, Resource Management, Performance Management; Environment: Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices; Business and IT Key Goal Indicators; supporting CobiT components per phase: Framework, CO, CP, KPI, CSF; Maturity Model, CO, CP, CSF; IT BSC, Benchmark, Maturity Model, Audit Guidelines]
Life Cycle (2)
[Diagram: What? Define Strategy (IT Alignment Focus); Create Value, good things to happen (Value Delivery Focus); Preserve Value, bad things not happening (Risk Mgmt Focus); Resolve Problems (IT Resources Mgmt Focus); Measure Results (Performance Mgmt Focus); Continuous Improvement. How?]
IT Alignment
The Board should drive business alignment by:
• Ascertaining that the IT strategy is aligned with the business strategy
• Ascertaining that IT delivers against the strategy through clear expectations and measurement
• Directing IT strategy to balance investments between supporting and growing the enterprise
• Making considered decisions about where IT resources should be focused
“IT alignment is a journey, not a destination.”
[Diagram: Alignment Activities linking Business Strategy, IT Strategy, Business Operations and IT Operations]
Value Delivery (Value Creation)
The board should drive alignment to ensure that IT delivers value with the business strategy, focussing on competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productiveness and profitability, supported by an IT strategy that delivers on time, within budget and with the benefits that were promised.
“IT value is in the eye of the beholder.”
Business Value Delivered and Sample Measures
• Business Unit Financial: Revenue growth; Return on assets; Revenue per employee
• Business Unit Operational: Time to bring a new product to market; Sales from new product; Product or service quality
• Business Unit IT Applications: Implementation time: new application; Implementation cost: new application
• Firm-wide IT Infrastructure: Infrastructure availability; Cost per transaction; Cost per workstation
[Axes: Time for Business Impact; Degree of influence, from Business Management to IT Management]
Risk Management (Value Preservation)
The board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the organisation
• Being aware that the final responsibility for risk management rests with the board
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise
• Obtaining assurance that management has put processes and technology in place for information security
“It is the IT alligators that you do not see that will get you!”
Resource Management
Outsourcing, Trusted Suppliers, Training, Competency, Skills development, Retention
“Recognises the importance of people in addition to hardware and software”
Performance Management
Objectives
• Demonstrate the value added by the IT Organization
• Determine the effectiveness of the IT Organization
• Set guidelines for the IT Strategic plan
• Communicate and motivate about IT performance
• Establish IT Management reporting
Key result: The most effective means to achieve IT and Business alignment
Critical success factor: Approval of the IT Scorecard by key stakeholders
“If you are playing the enterprise game and not keeping IT’s score, you are only practicing.”
IT Balanced Scorecard
[Four perspectives around Information]
Financial
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee
Customer
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels
Process
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors and rework
• Level of service delivery up
Learning
• Staff productivity & morale
• # of staff trained in new techno/services
• Value delivery per employee up
• Increased availability knowledge systems
IT Governance Activities
Activity | Board and/or Management | Type
Become informed of role and impact of IT on the enterprise | B/M | Plan
Set direction and expected return | B | Direct
Determine required capabilities and investments | M | Plan
Assign responsibilities | B/M | Direct
Sustain current operations | M | Organise
Make transformation happen | B/M | Direct
Define constraints within which to operate | B | Direct
Acquire and mobilise resources | M | Organise
Measure performance | B | Control
Manage risk | B/M | Control
Obtain assurance | B | Control
Get informed about
• Questions Boards and Management should ask
• Business and IT Outcome Drivers
• Best practices in IT Governance: Business/IT Strategic alignment issues; Business and IT Performance Measures; IT Strategy Committee; Roles and Responsibilities
• IT Governance Maturity: Find out where you are and where you want to be; Translate the gap into a simple action plan
Questions to Ask
To uncover IT Issues
• How often do IT projects fail to deliver what they promised?
• Are end users satisfied with the quality of the IT service?
• Are sufficient IT resources, infrastructure and competencies available to meet strategic objectives?
To Find Out How Management Addresses the IT Issues
• How well are enterprise and IT objectives aligned?
• How is the value delivered by IT measured?
• What strategic initiatives has executive management taken to manage IT’s criticality relative to maintenance and growth of the enterprise, and are they appropriate?
To Self-assess IT Governance Practices
• Is the board regularly briefed on IT risks to which the enterprise is exposed?
• Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
• Does the board articulate and communicate the business objectives for IT alignment?
IT Strategy Committee
• assisting the Board in its IT Governance responsibilities
• incorporating IT Governance into Corporate Governance
• an industry best practice
• advice on strategy
• focus on IT value, risks and performance
Get Documented (1): Download from www.itgi.org
Get Documented (2): Download from www.itgi.org
Get Documented (3): Download from www.itgi.org
Get Documented (4): Available from ISACA Bookstore: www.isaca.org
Get Documented (4): Download from www.itgi.org
Implementation Strategies (1)
• Management-directed
  - Pluses
    • Management support
    • Approach not clear
    • Audit respect of management
  - Minuses
    • Resources
    • Possible resistance
    • Lack of co-ordination
    • Pressure
• IT-requested
  - Pluses
    • IT/audit collaboration
    • “Control conscience”
    • More likely to succeed
  - Minuses
    • Business users missing from implementation
    • Controls for manual processes may be missing
    • Lack of co-ordination
Implementation Strategies (2)
• Audit-mandated
  - Pluses
    • Control focus
    • Improved process
  - Minuses
    • Resistance to audit directive
    • IT and users not part of the process
    • Lack of co-ordination
    • No understanding of resource need
• Organisationally Co-ordinated and Accepted
  - Pluses
    • Process improvement
    • Controls included
    • All parts of organisation buy in
    • Tools to measure and assess
    • Controls implemented
  - Minus
    • Resource and time
The Road Map to IT Governance
Identify needs
• Raise awareness and make decision
• Analyse values and risks
• Select processes
Envision the solution
• Define where you are
• Define where you want to be
• Analyse gaps
Plan the solution
• Define projects
• Develop and implement change plan
Implement the solution
• Integrate into day-to-day practices
• Integrate measures into ITBSC
• Post-implementation Review: Measure success of change projects. Provide feedback into other improvement projects.
Sustainable Solution
• Establish policy, objectives and targets.
• Implement policy, responsibilities, processes and procedures.
• Measure performance against policy and external best practice.
• Take corrective and preventive action and continuously improve.
Link
[Diagram linking three views: (1) the IT Governance Lifecycle with the focus areas Alignment, Value Delivery, Risk Management, IT Resource Management and Performance Management, the phases Direct, Create, Protect, Execute and Monitor, the "Why?" drivers (Environment: Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices, ...; Business & IT Key Goal Indicators) and, per phase, how CobiT assists (Key Performance Indicators, CobiT Process Framework, CSF, CO, CP; Maturity Models, CSF, CO, CP; IT BSC, CobiT Benchmark, Maturity Model, Audit Guidelines); (2) the stakeholder questions for Board & Executive, Business Management, IT Management, IT Audit and Risk & Compliance, as on the Stakeholders slide; (3) the Implementation Roadmap: Identify Needs (Raise awareness & make decision; Analyse values; Analyse risks; Select processes), Envision Solution (Define where you are; Define where you want to be; Analyse gaps), Plan Solution (Define projects; Develop & implement change plan), Implement Solution (Integrate into day-to-day practices; Integrate measures into ITBSC; Post Implementation Review)]
Navigation
[Roadmap diagram: Identify Needs, Envision Solution, Plan Solution and Implement Solution with their steps, used to navigate to a single process step]
Phase / Step: 4.1
Process Step: Set Scope and Objectives
Process Objective: Refine and agree the scope and the objectives of the IT Governance Initiative.
Process Description: Based on the understanding now obtained of the IT goals and the related value and risk drivers, it is possible to refine the detailed scope and objectives of the initiative, which can be recorded in the Project Initiation Sheet. To achieve this, the stakeholders’ expectations and perspectives, and the business reasons and justifications for the improvement initiative should be clearly documented. From these elements, the technical and organisational scope of the project can be defined and clear objectives and expectations determined and agreed upon by all stakeholders. It is important to translate these objectives into measurable success criteria (goal indicators) as a necessary condition for monitoring over the project during and after execution.
Tasks:
1. Confirm stakeholder perceptions / expectations
2. Document business reasons and justifications for the initiative
3. Define scope (technical & organisational) of initiative
4. Define objectives and expectations
5. Define success criteria (Project KGIs)
Input: IT Heat Maps, IT Goals, Project Definition
Using CobiT Components
Output: Project KGIs; Updated Project Initiation
Example
Phase 1 - Identify Needs
[Roadmap diagram highlighting the Identify Needs phase: Raise awareness & make decision; Analyse values; Analyse risks; Select processes]
Phase 2 - Envision Solution
[Roadmap diagram highlighting the Envision Solution phase: Define where you are; Define where you want to be; Analyse gaps]
Phase 3 - Plan Solution
[Roadmap diagram highlighting the Plan Solution phase: Define projects; Develop & implement change plan]
Phase 4 - Implement Solution
[Roadmap diagram highlighting the Implement Solution phase: Integrate into day-to-day practices; Integrate measures into ITBSC; Post Implementation Review]
Urs Fischer, Head of IT Risk Management & Security, Swiss Life - September 21st, 2004 48
Agenda
• Why is IT Governance important
• Implementing IT Governance
• IT Governance Life Cycle
• Where to Start
• Road Map for Implementing IT Governance using COBIT
• The Swiss Life Way
- European Functional IT Governance
- Maturity Benchmark
• Summary / Conclusions
Organisation
Group Directive on European Functional IT Governance (1)
• Defines the fundamental rules governing the functional relationship (CTOs and Group IT Mgmt at Head Office)
- Sets leading governance principles
- Defines the governing bodies and functions
- Assigns the responsibilities and authorities
- In the appendix:
• Governance principles per COBIT process
• Decision matrices
Leading Governance Principles
Functional IT governance is based on the principle of subsidiarity: decisions shall be taken at the country level to the maximum extent possible.
Decisions to be taken at Group level are those which
- are either related to policies/standards in the area of operational IT risk and IT security management, or
- have material impact on IT costs of two or more countries.
Those decisions shall be taken after consultation of the involved parties (Country CEOs and CTOs) and, if possible, on the basis of consensus.
Governing Bodies and Functions
• IT Board
• European IT Operations Panel
• European IT Procurement Panel
• European IT Risk & Security Panel
• European IT Controlling and Reporting Panel
Responsibilities and Authorities
• Based upon five authority types (Definition / Recommendation; Approval; Execution; Information Involvement; Monitoring and Control)
• Group CTO
• Country CEOs
• Country CTOs
• Head of European Functional IT Management
• Group Head of IT Risk & Security
Governance Principles per COBIT-Process (1)
Governance Principles per COBIT-Process (2)
Decision Matrices
CobiT Maturity Model
The maturity model provided by the CobiT Management Guidelines for the 34 CobiT IT processes is becoming an increasingly popular tool to manage the timeless issue of balancing risk and control in a cost-effective manner.
• The CobiT Maturity Model is an IT governance tool used to measure how well developed the management processes are with respect to internal controls.
• The maturity model allows an organisation to grade itself from non-existent (0) to optimised (5).
• A fundamental feature of the maturity model is that it allows an organisation to measure as-is maturity levels, and define to-be maturity levels as well as gaps to fill. As a result, an organisation can discover practical improvements to the system of internal controls of IT.
• However, maturity levels are not a goal, but rather they are a means to evaluate the adequacy of the internal controls with respect to company business objectives. It should support, for example:
- Raising awareness
- Identifying weaknesses
- Identifying priority improvements
Benchmark Approach
• The most common approach of measuring maturity is a multidisciplinary group of people who—in a facilitated workshop style—debate and come to a consensus as to the enterprise's current level of maturity.
• The principle of not assigning a higher level when not all elements of the lower level are being applied (threshold approach) should be followed wherever possible, but one should not be too stringent about it.
• Another very pragmatic approach adopted by some is to decompose the maturity descriptions into a number of statements to which management can provide their level of agreement (e.g., "a lot," "largely," "somewhat," "marginally" or "not at all").
= Swiss Life Approach
The Method
• Based on a questionnaire derived from the COBIT Maturity Model.
• Relies on a "scenario" concept.
• The questionnaire is intended to capture the compliance of an IT organisation under investigation to the diverse scenarios.
• An algorithm computes a "compliance" vector that describes the compliance of the organisation to every scenario.
• Then, it uses the vector to compute the maturity level as a weighted average of the organisation's compliance with respect to each scenario.
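The compliance-vector and weighted-average computation described under "The Method", as an added worked example in Python. This is not Swiss Life's or ISACA's code: the page's own formulas (the slides titled "Compliance Value", "The Algorithm" and "Total Maturity Level") are figures that are not reproduced in this transcript, so the mapping of the five agreement labels to a 0..1 score, the mean-per-scenario compliance and the compliance-weighted average are assumptions of this example. The questionnaire statements and the sample answers are constructed in the spirit of the PO10 Managing Projects example and are not COBIT maturity text.

```python
# Added example: compliance vector and weighted maturity level from a
# scenario questionnaire. The scoring scale and the averaging formula are
# assumptions of this example, not the page's own algorithm.

# Agreement labels from the benchmark approach, mapped to a 0..1 score
# (assumed mapping).
AGREEMENT = {
    "not at all": 0.0,
    "marginally": 0.25,
    "somewhat": 0.5,
    "largely": 0.75,
    "a lot": 1.0,
}

# Constructed questionnaire for a project-management process: one scenario
# per maturity level 0..5, each decomposed into statements. Lower levels
# describe the less mature state, as maturity descriptions do, so a mature
# organisation agrees with high-level statements and not with low-level ones.
QUESTIONNAIRE = {
    0: ["No project management process exists",
        "Projects are undertaken without any planning"],
    1: ["Projects are run ad hoc, depending on individual initiative",
        "Management is aware that projects need a structured approach"],
    2: ["A common project approach is followed informally",
        "Progress is reported to management only on request"],
    3: ["A documented methodology is mandated for all projects",
        "Plans with milestones and budgets are approved before start"],
    4: ["Project metrics are collected and compared against targets",
        "Project risks are formally assessed and tracked"],
    5: ["Practices are continuously improved from lessons learned",
        "Portfolio decisions are driven by measured business value"],
}

# Constructed answers for a hypothetical organisation that is largely at
# level 3 with some level 4 practices in place.
SAMPLE_ANSWERS = {
    "No project management process exists": "not at all",
    "Projects are undertaken without any planning": "not at all",
    "Projects are run ad hoc, depending on individual initiative": "not at all",
    "Management is aware that projects need a structured approach": "somewhat",
    "A common project approach is followed informally": "largely",
    "Progress is reported to management only on request": "somewhat",
    "A documented methodology is mandated for all projects": "a lot",
    "Plans with milestones and budgets are approved before start": "largely",
    "Project metrics are collected and compared against targets": "somewhat",
    "Project risks are formally assessed and tracked": "marginally",
    "Practices are continuously improved from lessons learned": "not at all",
    "Portfolio decisions are driven by measured business value": "marginally",
}


def compliance_vector(questionnaire, answers):
    """Compliance of the organisation with each scenario (one per level).

    Compliance with a scenario is the mean score of its statements, in [0, 1].
    A statement without an answer counts as "not at all"; an unknown label
    is rejected rather than silently scored.
    """
    vector = {}
    for level, statements in sorted(questionnaire.items()):
        scores = []
        for statement in statements:
            label = answers.get(statement, "not at all")
            if label not in AGREEMENT:
                raise ValueError(f"unknown agreement label {label!r} for {statement!r}")
            scores.append(AGREEMENT[label])
        vector[level] = sum(scores) / len(scores) if scores else 0.0
    return vector


def weighted_maturity(vector):
    """Maturity level as the compliance-weighted average of scenario levels.

    Each level contributes in proportion to the organisation's compliance with
    its scenario; an organisation complying with no scenario is rated 0.
    """
    total = sum(vector.values())
    if total == 0:
        return 0.0
    return sum(level * c for level, c in vector.items()) / total


def assess(questionnaire, answers):
    """Run the whole method: compliance vector first, then total maturity."""
    vector = compliance_vector(questionnaire, answers)
    return {"compliance": vector, "maturity": weighted_maturity(vector)}


if __name__ == "__main__":
    result = assess(QUESTIONNAIRE, SAMPLE_ANSWERS)
    for level, c in result["compliance"].items():
        print(f"level {level}: compliance {c:.3f}")
    print(f"weighted maturity level: {result['maturity']:.2f}")
```

With the constructed answers the compliance vector is 0.0, 0.25, 0.625, 0.875, 0.375, 0.125 for levels 0 to 5, and the weighted average comes out at about 2.78: the organisation is approaching level 3, with the partial level 4 compliance pulling the figure up and the residual level 1 and 2 agreement pulling it down. This is what makes the vector more useful than the single number for the follow-up discussion the Conclusion slide mentions: it shows which scenario is holding the score back.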
The Questionnaire
The Questionnaire (1)
• The figure displays an example of how the questionnaire statements were derived for the maturity model of process PO10 Managing Projects.
Compliance Value (2)
The Algorithm (2)
Total Maturity Level (2)
Conclusion
Because of its construction criteria, the questionnaire is aligned completely with the maturity model and fairly detailed with respect to the maturity requirements.
This will prove to be useful to support subsequent discussions aimed at identifying the key points that will enable or prevent the organisation from reaching a given maturity level and therefore mitigate the existing risks.
Effective IT Governance
• is the responsibility of executive management and the board of directors
• protects shareholder value
• requires that risks are understood and made transparent
• directs and controls IT investment, to leverage opportunities, to obtain benefits and to mitigate risks
• aligns IT with the business, accepting IT is critical to the enterprise and a component of the strategic plan, influencing strategic opportunities
• sustains current operations and prepares for the future
• is an integral part of a global governance structure
Why should we care
• IT is integral and critical to the business
• Shareholders are holding Boards accountable
• Boards are holding management responsible
• An immense shift from tangible to intangible assets, the majority of the latter being information
• Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business
Conclusions
• IT is an integral part of the business
• IT governance is an integral part of corporate governance
For More Information:
Urs Fischer, CPA (Swiss), CISA, CIA
Group Head of IT Risk Mgmt & Security, Vice President
Swiss Life Group