Introducing the IT Governance Model Urs Fischer, CPA (Swiss), CISA, CIA Head of IT Risk Mgmt & Security, Vice President Swiss Life Group 12. International Information System Audit and Control Conference


Page 1:

Introducing the IT Governance Model

Urs Fischer, CPA (Swiss), CISA, CIA

Head of IT Risk Mgmt & Security, Vice President

Swiss Life Group

12. International Information System Audit and Control Conference

Page 2:

Urs Fischer, Head of IT Risk Management & Security, Swiss Life - September 21st, 2004

Page 3:

Agenda

• Why is IT Governance important

• Why implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

• Summary / Conclusions


Page 5:

IT Governance

• Dependence on IT for core business

• The value of intangible assets

• IT essential to their creation and maintenance

• Emerging accounting standards for recording intangible assets

• “A firm is inherently fragile if its value emanates more from conceptual as distinct from physical assets. Trust and reputation can vanish overnight. A factory cannot!”

Alan Greenspan

Page 6:

Process & Responsibilities

Governance Responsibilities

• take stakeholder value into account

• give direction to the processes

• ensure they provide results

• ensure they act on the results

• get results and challenge them

[Figure: governance loop. Stakeholder Values drive Strategy; Strategy directs Processes; Processes use Resources (knowledge, information, capability, …) and report Results (assets, risks, outcome, performance); Results are measured and either confirmed or changed, and improvements are fed back.]

Page 7:

Shared Responsibilities

What IT Problem?

• Are they doing the right things?

• Are they doing it the right way?

• Are they being done well?

• Are we getting benefits?

How does management react?

• Cascading strategy and goals

• Organisational alignment

• A risk and control framework

• Balanced Business Scorecard

What does the Board do?

• Ask tough questions

• Establish IT Governance

• Focus on risk and value

• Direct IT strategy & measure results

Page 8:

Stakeholders apply pressure

Shareholders and Executive: Lower cost, higher profitability and increased market share

Customers and Staff: More functionality at lower cost and greater ease of use

Society: Greater accountability for executives in private and public sector

Assurance Evolution

• Increased Frequency (annual -> quarterly)

• Increased Depth ($ -> control -> systems -> risk)

• More Relationships (enterprise -> services -> products)

Page 9:

What is Management Thinking?

“IT has been the longest running disappointment in business in the last 30 Years!”

Jack Welch, Chairman General Electric, World Economic Forum, Davos, 1997

“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!”

Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998

“I am writing a book on the history of Information Technology …… in order to better understand why it is such a mess!”

Philippe Corniou, CIO, Renault, ISACA International Conference, Paris, 2001

[Figure labels: Personal & visual contact; Uncertainty, Complexity & Growth]

Page 10:

Why implementing IT Governance

“Due diligence”

• infrastructure and productive functions

• skills, culture, operating environment

• capabilities, risks, process knowledge

• customer information, service levels

Enterprises should be equally inquisitive about themselves.

Page 11:

Criticality

• IT entails huge investments and large risks

• The increasing dependence on information and the systems and communications that deliver it

• The dependence on entities beyond the direct control of the enterprise

• IT failures increasingly impacting reputation and enterprise value

• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

• The need to build and maintain knowledge essential to sustain and grow the business

Page 12:

Strategic Importance

If so, wouldn’t you want to know whether your organisation’s IT is:

• Likely to achieve its objectives?

• Resilient enough to learn and adapt?

• Judiciously managing the risks it faces?

• Appropriately recognising opportunities and acting upon them?

Why has IT not been addressed:

• requires more technical insight

• treated as separate entity

• IT is complex

Page 13:

Why is it not being addressed?

Expectations

• deliver business value

• fast, secure with quality

• efficiency and productivity

• business effectiveness

• IT does more with less

• quantitative return

Reality

• failure to achieve their promise

• effectiveness and processes directly impacted by the quality of IT deliverables

• poor support for the business

• deadlines that are not met

• costs are higher than expected

• quality and efficiency lower than anticipated

Page 14:

The response is IT Governance

[Figure: the IT Governance lifecycle (Set Objectives, Provide Direction, Measure Performance, Compare) with the focus areas Alignment, Value Delivery, Management of Risk, Monitoring & Reporting and Evaluation, set in an Environment of Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices, …, and supported by a Framework.]

IT Activities

• Increase automation (make the business effective)

• Decrease cost (make the enterprise efficient)

• Manage risks (security, reliability and compliance)

• IT is aligned with the business, enables the business and maximises benefits

• IT resources are used responsibly

• IT related risks are managed appropriately

Page 15:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

IT Governance Defined

Page 16:

Stakeholders

Board & Executive: How to define appropriate IT Governance practices, to define business directions for IT and ensure that value is delivered and risks are managed, using the different CobiT components?

Business Management: How to define my business requirements for IT Governance and ensure that value is delivered and risks are managed using the different CobiT components?

IT Management: How to deliver the IT services as required by the business and directed by the Board using the different CobiT components?

IT Audit: How do I use the different CobiT components in my audit activities to assure that IT delivers what it needs to deliver?

Risk & Compliance: How do I use the different CobiT components in my compliance and risk advisory activities to ensure that IT complies with policy, laws & regulations, and that new risks are identified?

Page 17:

IT Governance Framework

Objectives

• IT is aligned with the business and maximises benefits.

• IT resources are used responsibly.

• IT-related risks are managed appropriately.

IT Activities

• Manage risks: security, reliability, compliance

• Realize benefits: increase automation (“effective”); decrease costs (“efficient”)

[Figure: the control cycle. A DIRECT / REPORT governance loop sits over a PLAN / DO / CHECK / CORRECT loop, applied under CONTROL to the CobiT domains PLAN/ORGANIZE, ACQUIRE/IMPLEMENT, DELIVER/SUPPORT and MONITOR.]

Page 18:

Agenda

• Why is IT Governance important

• Why implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

• Summary / Conclusions

Page 19:

Lifecycle (1)

[Figure: the IT Governance lifecycle Direct -> Create -> Protect -> Act -> Monitor, set in the Environment (Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices) and driven by Business and IT Key Goal Indicators. Focus areas: Alignment, Value Delivery, Risk Management, Resource Management, Performance Management. Supporting CobiT components shown beside them: Framework, CO, CP, KPI, CSF (twice); Maturity Model, CO, CP, CSF; IT BSC, Benchmark, Maturity Model, Audit Guidelines.]

Page 20:

Life Cycle (2)

What?

• Define Strategy

• Create Value (Good Things to happen)

• Preserve Value (Bad Things Not Happening)

• Measure Results, Resolve Problems (Continuous Improvement)

How?

• IT Alignment Focus

• Value delivery Focus

• Risk Mgmt Focus

• IT resources Mgmt Focus

• Performance Mgmt Focus

Page 21:

IT Alignment

The Board should drive business alignment by:

• Ascertaining that the IT strategy is aligned with the business strategy

• Ascertaining that IT delivers against the strategy through clear expectations and measurement

• Directing IT strategy to balance investments between supporting and growing the enterprise

• Making considered decisions about where IT resources should be focused

“IT alignment is a journey, not a destination.”

[Figure: Alignment Activities linking Business Strategy, IT Strategy, Business Operations and IT Operations.]

Page 22:

Value Delivery (Value Creation)

The board should drive alignment to ensure that IT delivers value with the business strategy, focussing on competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productiveness and profitability, supported by an IT strategy that delivers on time, within budget and with the benefits that were promised.

“IT value is in the eye of the beholder.”

Business Value Delivered: Sample Measures (axes: Time for Business Impact; Degree of influence, from Business Management to IT Management)

Business Unit Financial: Revenue growth; Return on assets; Revenue per employee

Business Unit Operational: Time to bring a new product to market; Sales from new product; Product or service quality

Business Unit IT Applications: Implementation time: new application; Implementation cost: new application

Firm-wide IT Infrastructure: Infrastructure availability; Cost per transaction; Cost per workstation

Page 23:

Risk Management (Value Preservation)

The board should manage enterprise risk by:

• Ascertaining that there is transparency about the significant risks to the organisation

• Being aware that the final responsibility for risk management rests with the board

• Considering that a proactive risk management approach creates competitive advantage

• Insisting that risk management is embedded in the operation of the enterprise

• Obtaining assurance that management has put processes and technology in place for information security

“It is the IT alligators that you do not see that will get you!”

Page 24:

Resource Management

• Outsourcing

• Trusted Suppliers

• Training

• Competency

• Skills development

• Retention

“Recognises the importance of people in addition to hardware and software.”

Page 25:

Performance Management

Objectives

• Demonstrate the value added by the IT Organization

• Determine the effectiveness of the IT Organization

• Set guidelines for the IT Strategic plan

• Communicate and motivate about IT performance

• Establish IT Management reporting

Key result: The most effective means to achieve IT and Business alignment

Critical success factor: Approval of the IT Scorecard by key stakeholders

“If you are playing the enterprise game and not keeping IT’s score, you are only practicing.”

Page 26:

IT Balanced Scorecard

[Figure: four perspectives around the centre label Information]

Financial

• # of IT customers

• Cost per IT customer

• Cost-efficiency of IT processes up

• Delivery of IT value per employee

Customer

• Satisfaction of existing customers

• # of new customers reached

• # of new service delivery channels

Process

• Availability of systems & services

• Developments on schedule & budget

• Throughput & response times

• Amount of errors and rework

• Level of service delivery up

Learning

• Staff productivity & morale

• # of staff trained in new techno/services

• Value delivery per employee up

• Increased availability knowledge systems

Page 27:

IT Governance Activities

Activity                                                     Board and/or Management   Type
Become informed of role and impact of IT on the enterprise   B/M                       Plan
Set direction and expected return                            B                         Direct
Determine required capabilities and investments              M                         Plan
Assign responsibilities                                      B/M                       Direct
Sustain current operations                                   M                         Organise
Make transformation happen                                   B/M                       Direct
Define constraints within which to operate                   B                         Direct
Acquire and mobilise resources                               M                         Organise
Measure performance                                          B                         Control
Manage risk                                                  B/M                       Control
Obtain assurance                                             B                         Control

Page 28:

Agenda

• Why is IT Governance important

• Why implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

• Summary / Conclusions

Page 29:

Get informed about

• Questions Boards and Management should ask

• Business and IT Outcome Drivers

• Best practices in IT Governance

• Business/IT Strategic alignment issues

• Business and IT Performance Measures

• IT Strategy Committee

• Roles and Responsibilities

• IT Governance Maturity: find out where you are and where you want to be; translate the gap into a simple action plan

Page 30:

Questions to Ask

To uncover IT Issues

• How often do IT projects fail to deliver what they promised?

• Are end users satisfied with the quality of the IT service?

• Are sufficient IT resources, infrastructure and competencies available to meet strategic objectives?

To Find Out How Management Addresses the IT Issues

• How well are enterprise and IT objectives aligned?

• How is the value delivered by IT measured?

• What strategic initiatives has executive management taken to manage IT’s criticality relative to maintenance and growth of the enterprise, and are they appropriate?

To Self-assess IT Governance Practices

• Is the board regularly briefed on IT risks to which the enterprise is exposed?

• Is IT a regular item on the agenda of the board and is it addressed in a structured manner?

• Does the board articulate and communicate the business objectives for IT alignment?

Page 31:

IT Strategy Committee

• assisting the Board in its IT Governance responsibilities

• incorporating IT Governance into Corporate Governance

• an industry best practice

• advice on strategy

• focus on IT value, risks and performance

Page 32:

Download from www.itgi.org

Get Documented (1)

Page 33:

Download from www.itgi.org

Get Documented (2)

Page 34:

Download from www.itgi.org

Get Documented (3)

Page 35:

Available from the ISACA Bookstore: www.isaca.org

Get Documented (4)

Page 36:

Download from www.itgi.org

Get Documented (5)

Page 37:

Agenda

• Why is IT Governance important

• Why implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

• Summary / Conclusions

Page 38:

Implementation Strategies (1)

• Management-directed

- Pluses

• Management support

• Approach not clear

• Audit respect of management

- Minuses

• Resources

• Possible resistance

• Lack of co-ordination

• Pressure

• IT-requested

- Pluses

• IT/audit collaboration

• “Control conscience”

• More likely to succeed

- Minuses

• Business users missing from implementation

• Controls for manual processes may be missing

• Lack of co-ordination

Page 39:

Implementation Strategies (2)

• Audit-mandated

- Pluses

• Control focus

• Improved process

- Minuses

• Resistance to audit directive

• IT and users not part of the process

• Lack of co-ordination

• No understanding of resource need

• Organisationally Co-ordinated and Accepted

- Pluses

• Process improvement

• Controls included

• All parts of organisation buy in

• Tools to measure and assess

• Controls implemented

- Minus

• Resource and time

Page 40:

The Road Map to IT Governance

Identify needs

• Raise awareness and make decision

• Analyse values and risks

• Select processes

Envision the solution

• Define where you are

• Define where you want to be

• Analyse gaps

Plan the solution

• Define projects

• Develop and implement change plan

Implement the solution

• Integrate into day-to-day practices

• Integrate measures into ITBSC

Post-implementation Review

• Measure success of change projects

• Provide feedback into other improvement projects

Sustainable Solution

• Establish policy, objectives and targets

• Implement policy, responsibilities, processes and procedures

• Measure performance against policy and external best practice

• Take corrective and preventive action and continuously improve

Page 41:

LinkIT Governance Lifecycle

Alignment Value Delivery Risk Management

IT ResourceManagement

PerformanceManagement

Alignment

Value D

elivery

Risk

ManagementResourc

e

Managem

ent

Per

form

ance

M

easu

rem

ent

EnvironmentEthics & Culture

Laws & RegulationsMission & Vision

Role ModelsIndustry Practices

...

Business & IT Key Goal Indicators

Direct

Create

ProtectExec

ute

Mon

itor

Why?

Key Perform

ance Indicators,

Cobit¨Process F

ramew

ork

CSF

, CO

, CP

Key Performance Indicators,

Cobit¨Process Framework

CSF, CO, CPM

aturit

y Models

CSF, CO, C

P

IT B

SC C

obiT

Ben

chm

ark

Mat

urit

y M

odel

Aud

it G

uide

lines

Objective

How CobiTAssists

IT GovernancePhase

Alignment

Value D

elivery

Risk

ManagementResourc

e

Managem

ent

Per

form

ance

M

easu

rem

ent

EnvironmentEthics & Culture

Laws & RegulationsMission & Vision

Role ModelsIndustry Practices

...

Business & IT Key Goal Indicators

Direct

Create

ProtectExec

ute

Mon

itor

Why?

Key Perform

ance Indicators,

Cobit¨Process F

ramew

ork

CSF

, CO

, CP

Key Performance Indicators,

Cobit¨Process Framework

CSF, CO, CPM

aturit

y Models

CSF, CO, C

P

IT B

SC C

obiT

Ben

chm

ark

Mat

urit

y M

odel

Aud

it G

uide

lines

Objective

How CobiTAssists

IT GovernancePhase

IT Governance Lifecycle

Alignment Value Delivery Risk Management

IT ResourceManagement

PerformanceManagement

Alignment

Value D

elivery

Risk

ManagementResourc

e

Managem

ent

Per

form

ance

M

easu

rem

ent

EnvironmentEthics & Culture

Laws & RegulationsMission & Vision

Role ModelsIndustry Practices

...

Business & IT Key Goal Indicators

Direct

Create

ProtectExec

ute

Mon

itor

Why?

Key Perform

ance Indicators,

Cobit¨Process F

ramew

ork

CSF

, CO

, CP

Key Performance Indicators,

Cobit¨Process Framework

CSF, CO, CPM

aturit

y Models

CSF, CO, C

P

IT B

SC C

obiT

Ben

chm

ark

Mat

urit

y M

odel

Aud

it G

uide

lines

Objective

How CobiTAssists

IT GovernancePhase

Alignment

Value D

elivery

Risk

ManagementResourc

e

Managem

ent

Per

form

ance

M

easu

rem

ent

EnvironmentEthics & Culture

Laws & RegulationsMission & Vision

Role ModelsIndustry Practices

...

Business & IT Key Goal Indicators

Direct

Create

ProtectExec

ute

Mon

itor

Why?

Key Perform

ance Indicators,

Cobit¨Process F

ramew

ork

CSF

, CO

, CP

Key Performance Indicators,

Cobit¨Process Framework

CSF, CO, CPM

aturit

y Models

CSF, CO, C

P

IT B

SC C

obiT

Ben

chm

ark

Mat

urit

y M

odel

Aud

it G

uide

lines

Objective

How CobiTAssists

IT GovernancePhase

Stakeholder questions (Board & Executive, Business Management, IT Management, IT Audit, Risk & Compliance):

• Board & Executive: How to define appropriate IT Governance practices, to define business directions for IT and ensure that value is delivered and risks are managed, using the different CobiT components?

• Business Management: How to define my business requirements for IT Governance and ensure that value is delivered and risks are managed using the different CobiT components?

• IT Management: How to deliver the IT services as required by the business and directed by the Board using the different CobiT components?

• IT Audit: How do I use the different CobiT components in my audit activities to assure that IT delivers what it needs to deliver?

• Risk & Compliance: How do I use the different CobiT components in my compliance and risk advisory activities to ensure that IT complies with policy, laws & regulations, and that new risks are identified?


Implementation Roadmap

[Figure: four-phase implementation roadmap cycle; reconstructed below from its labels.]

• Identify Needs

- Raise awareness & make decision

- Analyse values

- Select processes

- Analyse risks

• Envision Solution

- Define where you are

- Define where you want to be

- Analyse gaps

• Plan Solution

- Define projects

- Develop & implement change plan

• Implement Solution

- Integrate into day-to-day practices

- Integrate measures into ITBSC

- Post Implementation Review

Page 42

Navigation

[Figure: implementation roadmap used for navigation, showing the current step within the four phases Identify Needs, Envision Solution, Plan Solution and Implement Solution.]

Process Step template (Phase / Step 4.1)

Process Step: Set Scope and Objectives

Process Objective: Refine and agree the scope and the objectives of the IT Governance Initiative.

Process Description: Based on the understanding now obtained of the IT goals and the related value and risk drivers, it is possible to refine the detailed scope and objectives of the initiative, which can be recorded in the Project Initiation Sheet. To achieve this, the stakeholders' expectations and perspectives, and the business reasons and justifications for the improvement initiative should be clearly documented. From these elements, the technical and organisational scope of the project can be defined and clear objectives and expectations determined and agreed upon by all stakeholders. It is important to translate these objectives into measurable success criteria (goal indicators) as a necessary condition for monitoring the project during and after execution.

Tasks:

1. Confirm stakeholder perceptions / expectations

2. Document business reasons and justifications for the initiative

3. Define scope (technical & organisational) of initiative

4. Define objectives and expectations

5. Define success criteria (Project KGIs)

Input: IT Heat Maps, IT Goals, Project Definition

Using CobiT Components

Output: Project KGIs, Updated Project Initiation

Page 43

Example

Page 44

Phase 1 - Identify Needs

[Figure: implementation roadmap with the Identify Needs phase highlighted.]

- Raise awareness & make decision

- Analyse values

- Select processes

- Analyse risks

Page 45

Phase 2 - Envision Solution

[Figure: implementation roadmap with the Envision Solution phase highlighted.]

- Define where you are

- Define where you want to be

- Analyse gaps

Page 46

Phase 3 - Plan Solution

[Figure: implementation roadmap with the Plan Solution phase highlighted.]

- Define projects

- Develop & implement change plan

Page 47

Phase 4 - Implement Solution

[Figure: implementation roadmap with the Implement Solution phase highlighted.]

- Integrate into day-to-day practices

- Integrate measures into ITBSC

- Post Implementation Review

Page 48

Agenda

• Why is IT Governance important

implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

- European Functional IT Governance

- Maturity Benchmark

• Summary / Conclusions


Page 50

Organisation

Page 51

Group Directive on European Functional IT Governance (1)

• Defines the fundamental rules governing the functional relationship (CTOs and Group IT Mgmt at Head Office)

- Sets leading governance principles

- Defines the Governing Bodies and Functions

- Assigns the responsibilities and authorities

- In the appendix:

• Governance Principles per COBIT-Process

• Decision matrices

Page 52

Leading Governance Principles

Functional IT governance is based on the principle of subsidiarity: decisions shall be taken at the country level to the maximum extent possible.

Decisions to be taken at Group level are those which

- are either related to policies/standards in the area of operational IT risk and IT security management, or

- have material impact on IT costs of two or more countries.

Those decisions shall be taken after consultation of the involved parties (Country CEOs and CTOs) and, if possible, on the basis of consensus.

Page 53

Governing Bodies and Functions

• IT Board

• European IT Operations Panel

• European IT Procurement Panel

• European IT Risk & Security Panel

• European IT Controlling and Reporting Panel

Page 54

Responsibilities and Authorities

• Based upon five authority types (Definition / Recommendation; Approval; Execution; Information Involvement; Monitoring and Control)

• Group CTO

• Country CEOs

• Country CTOs

• Head of European Functional IT Management

• Group Head of IT Risk & Security

Page 55

Governance Principles per COBIT-Process (1)

Page 56

Governance Principles per COBIT-Process (2)

Page 57

Decision Matrices

Page 58

Agenda

• Why is IT Governance important

implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

- European Functional IT Governance

- Maturity Benchmark

• Summary / Conclusions

Page 59

CobiT Maturity Model

The maturity model provided by the CobiT Management Guidelines for the 34 CobiT IT processes is becoming an increasingly popular tool to manage the timeless issue of balancing risk and control in a cost-effective manner.

Page 60

CobiT Maturity Model

• The CobiT Maturity Model is an IT governance tool used to measure how well developed the management processes are with respect to internal controls.

• The maturity model allows an organisation to grade itself from non-existent (0) to optimised (5).

• A fundamental feature of the maturity model is that it allows an organisation to measure as-is maturity levels, and define to-be maturity levels as well as gaps to fill. As a result, an organisation can discover practical improvements to the system of internal controls of IT.

Page 61

CobiT Maturity Model

• However, maturity levels are not a goal, but rather a means to evaluate the adequacy of the internal controls with respect to company business objectives. It should support, for example:

- Raising awareness

- Identifying weaknesses

- Identifying priority improvements

Page 62

Benchmark Approach

• The most common approach of measuring maturity is a multidisciplinary group of people who, in a facilitated workshop style, debate and come to a consensus as to the enterprise's current level of maturity.

• The principle of not assigning a higher level when not all elements of the lower level are being applied (threshold approach) should be followed wherever possible, but one should not be too stringent about it.

Page 63

Benchmark Approach

• Another very pragmatic approach adopted by some is to decompose the maturity descriptions into a number of statements to which management can provide their level of agreement (e.g., "a lot," "largely," "somewhat," "marginally" or "not at all").

= Swiss Life Approach

Page 64

The Method

• Based on a questionnaire derived from the COBIT Maturity Model

• Relies on a "scenario" concept.

• Questionnaire is intended to capture the compliance of an IT organisation under investigation to the diverse scenarios.

• An algorithm computes a "compliance" vector that describes the compliance of the organisation to every scenario.

• Then, it uses the vector to compute the maturity level as a weighted average of the organisation's compliance with respect to each scenario.
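The scoring described in The Method and the threshold principle from the Benchmark Approach, as an added example that is not Swiss Life's or ISACA's tool: the deck names the ingredients (statements derived per maturity-level scenario, the five agreement answers, a compliance vector, a weighted average) but shows the formulas only in figures, so the answer weights, the per-level mean, the normalisation, the 0.75 threshold cut-off and the PO10-style sample statements are all assumptions.

```python
"""Maturity scoring from a scenario questionnaire (added example).

Assumptions, not the deck's formulas: each of the five agreement answers
gets a fixed score, compliance with a scenario is the mean score of that
level's statements, and the maturity level is the compliance-weighted
average of the levels 0..5.
"""
from dataclasses import dataclass

LEVELS = range(6)  # CobiT maturity levels: 0 non-existent .. 5 optimised

# Assumed scores for the five agreement answers named in the deck.
AGREEMENT = {"not at all": 0.0, "marginally": 0.25, "somewhat": 0.5,
             "largely": 0.75, "a lot": 1.0}


@dataclass(frozen=True)
class Answer:
    level: int        # scenario (maturity level) the statement came from
    statement: str
    agreement: str    # one of the AGREEMENT keys


def compliance_vector(answers):
    """Compliance with each scenario: mean score of that level's statements."""
    scores = {lvl: [] for lvl in LEVELS}
    for a in answers:
        if a.level not in scores or a.agreement not in AGREEMENT:
            raise ValueError(f"bad answer: {a}")
        scores[a.level].append(AGREEMENT[a.agreement])
    return [sum(s) / len(s) if s else 0.0 for _, s in sorted(scores.items())]


def maturity_level(compliance):
    """Weighted average of the levels, each weighted by its normalised
    compliance (compliance / sum of all compliances)."""
    total = sum(compliance)
    if total == 0.0:
        return 0.0  # nothing applied at any level
    return sum(lvl * c / total for lvl, c in zip(LEVELS, compliance))


def threshold_level(compliance, minimum=0.75):
    """Threshold approach from the deck: a level counts only if every lower
    level (from 1 up) is substantially applied.  Level 0 describes absence,
    so it is skipped.  `minimum` is an assumed cut-off."""
    reached = 0
    for lvl in range(1, len(compliance)):
        if compliance[lvl] < minimum:
            break
        reached = lvl
    return reached


def assess(answers):
    """Return both figures plus a flag when the weighted result would award
    a level that the threshold approach does not support."""
    c = compliance_vector(answers)
    weighted = maturity_level(c)
    threshold = threshold_level(c)
    return {"compliance": c, "maturity": weighted, "threshold": threshold,
            "over_claimed": round(weighted) > threshold}


# Constructed sample answers, loosely in the style of PO10 Managing Projects.
SAMPLE = [
    Answer(0, "Project management techniques are not used.", "not at all"),
    Answer(1, "Management is aware that projects need structured management.", "a lot"),
    Answer(2, "A project management approach is used on major projects.", "a lot"),
    Answer(2, "Project roles are assigned, if informally.", "largely"),
    Answer(3, "A standard project methodology is defined and communicated.", "largely"),
    Answer(3, "Project risks are analysed at project start.", "a lot"),
    Answer(4, "Project metrics are collected and reviewed against targets.", "somewhat"),
    Answer(5, "Post-implementation reviews drive continuous improvement.", "marginally"),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

For the sample the weighted result is about 2.46 while the threshold approach supports level 3, so the two agree; the flag fires when high-level statements are agreed with while a lower level is largely missing.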

Page 65

The Questionnaire

Page 66

The Questionnaire (1)

• The figure displays an example of how the questionnaire statements were derived for the maturity model of process PO10 Managing Projects.

Page 67

Compliance Value (2)

Page 68

The Algorithm (2)

Page 69

Total Maturity Level (2)

Page 70

Conclusion

Because of its construction criteria, the questionnaire is aligned completely with the maturity model and fairly detailed with respect to the maturity requirements.

This will prove useful in supporting subsequent discussions aimed at identifying the key points that will enable or prevent the organisation from reaching a given maturity level, and therefore from mitigating the existing risks.

Page 71

Agenda

• Why is IT Governance important

implementing IT Governance

• IT Governance Life Cycle

• Where to Start

• Road Map for Implementing IT Governance using COBIT

• The Swiss Life Way

• Summary / Conclusions

Page 72

Effective IT Governance

- is the responsibility of executive management and the board of directors

- protects shareholder value

- requires that risks are understood and made transparent

- directs and controls IT investment, to leverage opportunities, to obtain benefits and to mitigate risks

- aligns IT with the business, accepting IT is critical to the enterprise and a component of the strategic plan, influencing strategic opportunities

- sustains current operations and prepares for the future

- is an integral part of a global governance structure

Page 73

Why should we care

- IT is integral and critical to the business

- Shareholders are holding Boards accountable

- Boards are holding management responsible

- An immense shift from tangible to intangible assets, the majority of the latter being information

- Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business

Page 74

Conclusions

- IT is an integral part of the business

- IT governance is an integral part of corporate governance

Page 75

For More Information:

Urs Fischer, CPA (Swiss), CISA, CIA

Group Head of IT Risk Mgmt & Security, Vice President

Swiss Life Group

[email protected]