it governance - performance measures final

Upload: yuvi-rajha

Post on 08-Apr-2018

Category: Documents

8/7/2019 IT Governance - Performance Measures Final (1/31)

DOMAIN | ATTRIBUTE | RESPONSIBILITY (Board / CIO/CTO / IT Management) | DESCRIPTION/ACTIVITIES

BOARD RESPONSIBILITIES

IT Governance is the Responsibility of the Board

IT Steering Committee

Board: Appoint an IT steering committee with the CIO/CTO as the chairperson.

CIO/CTO: Chair the IT Steering Committee and:
• Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities
• Track status of projects and resolve resource conflicts
• Monitor service levels and service improvements
• Relevant representation is required from business and IT to assist with governance of IT

Oversight Bodies

Board: Establish oversight bodies with clear terms of reference and appropriate membership from the business.

These oversight authorities may have accountability for:
• Governance, Strategy, Investment and Performance
• Service Management
• Solution Delivery
• Third-Party Management
• Architecture, Technical Support and Operations
• Risk, Compliance and Internal Controls
• Security and Business Continuity
• Relevant representation is required from business and IT

IT Governance Project

Board: Initiate the IT Governance Project.

Treat the IT governance initiative as a project activity with a series of phases rather than a one-off step.

IT Management: Implement IT Governance.

Leadership and Direction

The board is to:
• Place IT on the board agenda
• Clarify business strategies and objectives, and the role of IT in achieving them
• Delegate responsibility for implementing an IT governance framework to management
• Determine and communicate levels of risk tolerance/appetite
• Oversee the development of the information security strategy and delegate its implementation to IT management
• Assign accountability for the organisational changes needed for IT to succeed.

Monitoring and Evaluation

The board is to:
• Ensure that IT is aligned with strategic objectives
• Monitor and evaluate the extent to which IT actually sustains and enhances the organisation's strategic objectives
• Use the Risk and Audit committees to assist the board fulfil its responsibilities
• Ensure that prudent and reasonable steps have been taken in regard to IT governance
• Monitor and evaluate the acquisition and appropriate use of technology, process and people
• Ensure that an internal control framework has been adopted, implemented and is effective
• Ensure that information assets are managed effectively
• Protect information and intellectual property
• Ensure personal information is treated by the company as an important business asset
• Ensure information records provide adequate evidence of business activity
• Monitor the application of King III governance principles by all parties, at all levels (starting with the board), at all stages of business operations, across organisational boundaries (including third parties) and for the acquisition and disposal of IT goods and services
• Obtain project assurance from independent experts that IT management apply all basic elements of appropriate project management principles to all IT projects
• Question the delivery of proper value in proportion to the investments made
• Ensure risk management includes IT risks
• Measure and evaluate the amount spent on and the value received from IT
• Assess the learning being retained from experiences (post-implementation reviews, process refinement, improvements in capability)
• Assess the sharing and re-use being achieved
• Obtain independent assurance of the governance and controls supporting outsourced services.

IT Reporting to the Board

Board: Ensure IT reporting is adequate for its purpose.

Management must increase transparency and provide the board with complete, timely, relevant, accurate and accessible information about:
• The likelihood of IT achieving its objectives
• IT's resilience to learn and adapt
• The judicious management of the inherent risks from using IT, including disaster recovery
• How well IT has recognised opportunities and acted on them

GOVERNANCE FRAMEWORK

An IT governance framework assists those at the highest level of organisations to ensure that IT use contributes positively to the performance of the organisation and conforms with the organisational obligations (regulatory, legislation, common law, contractual) concerning the acceptable use of IT.

IT Governance Framework

Board: Ensure that an IT Governance Framework is adopted or developed.

CIO/CTO: Adopt or develop an IT Governance Framework.

An IT governance framework comprises definitions, principles and a model for governing IT and broadly covers all areas of IT activity. It:
• presents IT activities in a manageable and logical structure
• is generally accepted as containing good practices
• is business-orientated and capable of linking IT activities to business goals
• provides management with control objectives suitable to uncover IT issues
• fits with and supports risk management
• incorporates a baseline of internal controls for IT managers to implement
• guides management in aligning IT initiatives with real business needs
• contains performance measures to judge success and failures
• assists with assurance activities that confirm the achievement of business objectives and that undesirable events are prevented, detected and corrected
• assists companies to comply with continually increasing regulatory requirements.

IT Governance Framework to Deliver Value and Manage Risk

Board: Ensure that the IT Governance Framework adopted or developed delivers value and manages risk.

CIO/CTO: Deliver value and manage risk through adopting or developing an IT Governance Framework.

For the IT governance framework to add value or manage risk it must:
• Establish a link to the business requirements
• Make performance against business requirements transparent
• Organise IT's activities into a generally accepted process model
• Be focused on both the process and the outcomes to be achieved
• Identify the major IT resources to be leveraged
• Define the management control objectives to be considered
• Provide a common language.

IT Governance Charter

Board: The board is to ensure that an IT Governance Charter is developed.

CIO/CTO: Develop an IT Governance charter.

An organisational charter provides the terms of reference for the IT organisation. It ensures that those with responsibility for actions also have the authority to perform those actions.

Structure the Organisation

Board: Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the organisation, specifically its criticality to business strategy and the level of operational dependence on IT.

The reporting line of the CIO is commensurate with the importance of IT within the enterprise.
• The typical organisational structure for IT governance starts with the board, an IT steering committee, a CIO and IT management with delegated responsibility to execute the IT governance framework, implemented to add value and minimise risk, including business continuity.
• A suitable organisation structure, with relevant representation from the business and IT and appropriate for the size needed to adequately manage the IT organisation, is to be implemented. A top-down, layered approach to IT governance is required. To be effective, business strategy and goals have to be cascaded down into the IT organisation and used as the basis for measuring performance.

Processes

Board: Maintain oversight of the establishment and maintenance of IT processes.

CIO/CTO: Exercise control over the establishment and maintenance of IT processes.

IT Management: Establish and maintain IT processes, as:
• Process serves as the foundation for the definition of a management system used to capture and document details about ownership, scope, responsibilities, measurements, structured working practices and interfaces.
• Processes describe the life-cycle of activities (with feedback loops) and enable the development and implementation of a lean, sustainable capability to achieve the outcomes (business goals) desired.
• Processes ensure a stable, controlled, repeatable service that can be objectively measured against deliverables and outcomes achieved.

Governance Mechanisms

Board:
• Monitor that those given responsibility to deploy governance mechanisms acknowledge and understand their responsibilities.
• Monitor the performance of those given responsibility in the governance of IT.

CIO/CTO: Enforce governance mechanisms.

Governance mechanisms include strategies, goals, policies, steering committees, oversight authorities, processes, procedures, roles, job descriptions, plans, schedules, contracts, proposals, authorisations, standards and scorecards, with a view to deliver value and minimise risk.

Governance of Information

Board: Oversee the business requirement for information.

CIO/CTO: Ensure that information conforms to the business requirements in order for it to satisfy business objectives.

To satisfy business objectives, information needs to conform to the business requirements that:
• Information is relevant and pertinent to the business process, and is delivered in a timely, correct, consistent and usable manner
• Information is provided through the optimal (most productive and economical) use of resources
• Sensitive information is protected from unauthorised disclosure
• Information is accurate and complete, and its validity is in accordance with business values and expectations
• Information is available when required by the business process, now and in the future, as a result of deploying the necessary resources and associated capabilities
• Information provided complies with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
• Information provided is appropriate for management to operate the entity and exercise its fiduciary and governance responsibilities.

Accountability Framework (Decision Rights)

Board: Ensure that decision-making occurs as a part of a process with clearly defined roles and accountabilities.

When assigning decision-making authority:
• start by articulating the decision that needs to be made, then
• determine the steps that must be carried out to reach a decision
• identify who must provide input, what activities are required to obtain such input, and how
• determine who will decide, ensuring that the decision makers are equipped with the information to make a fact-based decision
• More granular assignment of responsibilities and decision rights is achieved through the preparation of detailed process workflow charts

IT Internal Controls Framework

Board: Ensure that an IT control framework is adopted and implemented, and that the board receives independent assurance of its effectiveness.

CIO/CTO: Exercise control over the adoption and implementation of an IT control framework.

An IT controls framework is to be adopted or established, comprising Accounting controls (General controls, Application controls and User controls) and Administrative controls.
• General controls are found in the infrastructure, technology and system software.
• Application controls are specific to business processes.
• User controls are the manual checks performed by staff.
• Administrative controls represent the wider concerns of management, particularly with regard to efficiency and effectiveness of administration, and increased profitability.

The role of an internal control is to be preventative, detective or corrective regarding a particular risk. Controls are made sustainable through incorporation in the operational process. The selection of controls is risk-based.

The condition of controls depends on the organisational structure, written policies, systemisation, evidence of controls operating and the competence and integrity of the people involved.

The Role and Responsibilities of Chief Information Officers

Board: Appoint a suitably qualified and experienced individual as the chief information officer (CIO) or chief technical officer (CTO).

The CIO/CTO to:
• Interact regularly on matters of IT governance with the board, or appropriate board committee, or both
• Understand the accountability and responsibility of IT
• Take responsibility for the implementation and monitoring of IT governance
• Seek leadership from the board, obtain direction and an understanding of the ethics and values that will influence and guide practices and behaviour within IT to achieve sustainable performance
• Implement an IT Governance framework to deliver value and manage risk
• Implement IT processes and governance mechanisms
• Implement an Accountability framework to assign decision-making rights
• Implement a suitable organisational structure and define terms of reference
• Be a bridge between IT and the business
• Ensure transparency through regular reporting to the board
• Enable IT to add value to the business and mitigate risks
• Incorporate IT into the business processes in a secure, sustainable manner
• Encourage the desirable use of IT by requiring managers to provide timely information, comply with the direction given and conform to the principles of good governance
• Create an awareness of the maturity levels of governance
• Build management skills and competencies to govern and promote a common language
• Incorporate IT governance in corporate governance
• Implement IT frameworks, policies, procedures and standards
• Develop and implement an IT governance charter and policies
• Adopt and implement an IT control framework
• Implement an ethical IT governance and management culture
• Implement an IT controls framework
• Implement processes to ensure that reporting to the board is complete, timely, relevant, accurate and accessible
• Obtain assurance on the effectiveness of the IT control framework
• Sustain and enhance the strategic objectives
• Implement a strategic IT planning process that is integrated with the business strategy development process
• Enable the improvement of the company's performance and sustainability
• Integrate IT plans with the business plans
• Define, maintain and validate the IT value proposition
• Align IT operations with business operations
• Align IT activities with environmental sustainability objectives
• Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives
• Include relevant representation from the business in oversight structures
• Have regard for the legislative requirements that apply to IT
• Understand business requirements and long-term strategy
• Have a strategic approach and facilitate the integration of IT into business strategic thinking
• Translate business requirements into efficient and effective IT solutions
• Exercise care and skill over the design, development, implementation and maintenance of sustainable IT solutions
• Support the business and governance requirements in a timely and accurate manner through the acquisition of people, process and technology
• Optimise resource usage, leverage knowledge
• Ensure that the business value proposition is proportional to the level of investment
• Deliver the expected return from IT investments
• Measure and manage the amount spent on and the value received from technology
• Protect information and intellectual property
• Conduct post-implementation reviews to learn from each implementation
• Promote sharing and re-use of IT assets
• Ensure all parties in the chain from supply to disposal of IT services and goods apply good governance principles
• Monitor and enforce good governance across all suppliers
• Obtain independent assurance that outsourced service providers have applied the principles of IT governance
• Obtain independent assurance of the effectiveness of the IT controls framework implemented by service providers
• Obtain independent assurance that the basic elements of appropriate project management principles are applied to all IT projects
• Regularly demonstrate to the board that the company has adequate business resilience arrangements in the event of a disaster affecting IT
• Implement a risk management process based on the board's risk appetite
• Design, implement and monitor the IT risk management plan
• Maintain an IT risk register, including IT legal risks
• Comply with applicable laws and regulations
• Perform continual risk assessments
• Select and use an appropriate framework for managing risk (Group BRM Risk Management Framework)
• Consider and implement appropriate risk responses
• Minimise risks
• Manage information assets effectively
• Ensure the integrity and availability of information and information systems in a timely manner
• Implement information records management and ensure information assets are identified, classified, retained, stored, archived, protected and made available when required for business and legal purposes
• Establish a business continuity programme for the company's information and the successful execution of the business activities
• Identify all personal information processed by the company and treat this as an important business asset, including being processed in accordance with applicable laws
• Implement an information security strategy
• Implement an information security management system in accordance with an appropriate information security framework (Group BRM Information Security Framework)
• Provide the Audit and Risk Committees with relevant information about IT risks and the controls in place
• Measure, manage and communicate IT performance
• Report to the IT Steering Committee on IT performance
• Consider using IT to aid the company's risk management, compliance and audit efforts.

STRATEGIC ALIGNMENT

The Board should ensure that IT is Aligned with Business Objectives, including Economic, Social and Environmental Sustainability

Alignment With Group Objectives

Board: Ensure that business goals are cascaded to IT goals, process goals and activity goals.

CIO/CTO: Take responsibility for and cascade Group objectives, IT goals, process goals and activity goals to IT management.
• Ensure that Group objectives, IT goals, process goals and activity goals are understood and achievable
• Deliver on the above goals
• Align IT activities with the performance and sustainability objectives of the company
• Strategic objectives are attained through the effective and efficient management of IT resources. This assists management to understand what outcome is expected, what success looks like and who will recognise this success.

Integration of Strategic IT Planning With the Organisational Strategic and Business Objectives

Board: Ensure that IT achieves, sustains and extends the company's strategic objectives.

CIO/CTO: Exercise control ensuring that IT achieves, sustains and extends the strategic objectives.

Implement a strategic IT planning process that is integrated with the business strategy development process, and ensure that:
• IT plans are integrated with the business plans
• IT operations are aligned with business operations
• The IT function, roles and reporting lines are structured to reflect the integration of IT with the business operations
• IT contributes towards the company's objectives in an effective and efficient manner
• The IT contribution towards the attainment of the company's objectives is monitored and measured
• The IT value proposition has been defined, maintained and validated
• The effect of IT on the environment is considered
• There is a process in place to identify and exploit opportunities where IT can create value and assist the company to gain competitive advantage
• The IT steering committee contains both business and IT representation
• A business-oriented CIO is appointed
• The CIO has an understanding of the business strategy
• The CIO has access to the board and executive management
• IT investment and expenditure supports the business objectives
• The role of IT in achieving strategic business objectives is clear
• IT spend is measured and managed to deliver value to the business
• IT assurance is addressed as an integral part of the normal assurance activities
• IT risk is addressed as an integral part of the normal risk management activities
• IT compliance with legal requirements is addressed as an integral part of the normal compliance activities
• IT risks are understood and managed from a business strategic perspective

Direction From the Top

Board: Translate its leadership into clear statements of direction that management of the organisation can follow.

An example would be the policy defined by the CIO for board approval as to the nature, extent and accountability for implementing information security.

Define, Maintain and Validate the IT Value Proposition

Board: Ensure that the value proposition of IT is determined by clarifying the role of IT in achieving business strategies. Oversee the definition, maintenance and validation of the IT value proposition.

Add business value by enabling the organisation to differentiate its value chain from each of its competitors' value chains.

Within value chain analysis, there are two generic strategies an organisation can pursue to achieve a competitive advantage:
• Creating a low-cost competitive advantage by reducing the cost of an individual value chain activity or reconfiguring the value chain.
• Creating a value-added competitive advantage by increasing the value of an individual chain activity or reconfiguring the value chain.

IT activities are to be prioritised in areas where there is greater contribution of value.

Aligning IT Operations With Business Operations

Board: Ensure that IT activity goals are aligned with IT process goals, which in turn are aligned to IT organisational goals and business goals.

Business goals are cascaded down to the activity level within IT, providing substance to the requirement of aligning IT with strategic goals.

Sustainability

Board: Ensure sustainable capability to perform as expected.

Nurturing, protecting, capturing, retaining and developing human capital is a vital ingredient in the sustainable economic performance of any enterprise.

Sustainability is about maintaining the capability to perform as expected. Without investment, capability within IT is certain to diminish over time and dependency would grow on external solution providers. Without the necessary skills the company will not be able to exploit business opportunities that may come its way in the future.

Performance and Sustainability Improvements

Board: Monitor and evaluate the extent to which IT actually sustains and enhances the organisation's strategic objectives.

CIO/CTO: Implement improvements related to IT performance and sustainability.

Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives.

Process orientation, with an element of self-analysis, provides for continuous improvement, often described as the Deming cycle of Plan-Do-Check-Act.

Concern For the Environment

Board:
• Establish an environmental policy
• Ensure that green IT initiatives are aligned with the overall strategy and corporate social responsibility programme by aligning IT activities with environmental sustainability

CIO/CTO:
• Align IT activities with environmental sustainability
• Implement Green IT principles based on the environmental policy established by the board. These principles provide decision makers with predefined preferences when alternative options are available.

Aligning IT activities with environmental sustainability objectives requires management to consider the environmental aspects and significant impacts of IT and IT activities, including:
• Energy saving
  Switch and data centre facilities design
  Switch and data centre heat recycling
  Advanced cooling technologies
  Processor design and server efficiency
  Energy management for the office environment
  Integrated energy management for the software environment
  Combined heat and power
  Use of modelling and monitoring software
• Avoidance of wasteful expenditure
  Recycling of infrastructure
  Reusable code and services
  Paperless reporting
  Optimised software programs
  Overly complex and tightly integrated solutions
  Unnecessarily large infrastructure
  Unnecessary data storage
  Excessive security and disaster recovery planning
  Excessive data redundancy
  Excessive features
  Records management
• Avoidance of unnecessary CO2 emissions
  Disposal of inefficient technology
  Purchase greener energy
  Purchase from companies known to be greener
  Avoiding travel and transport.

VALUE DELIVERY

Executing on the Value Proposition of IT

Value Delivery

Board: Ensure that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT. Ensure that the expected return on investment from IT projects is delivered and that the information and intellectual property contained in the information systems are protected.

CIO/CTO: Direct and control efforts to prove the value of IT.

IT Management: Deliver on the promised benefits against the strategy, concentrating on optimising costs and delivering the intrinsic value of IT.

The CIO/CTO does so by:
• clarifying the role of IT in achieving business strategies;
• measuring and managing the amount spent on and the value received from IT;
• assigning accountability for organisational changes required to benefit IT capabilities;
• learning from each implementation, becoming more adept at sharing and reusing IT assets;
• implementing balanced scorecards as a tool for proving the value of IT and measuring performance.

    Risk Management Risk Management seeks to provide Interventions that Optimise the Balance between Risk and Reward within the Organisation

IT Governance and Risk Management
Board:
• Ensure that opportunities for information technology failures that disrupt business and prevent the achievement of operational and strategic objectives are minimised
• Ensure that IT risks form part of enterprise risk management
• Ensure that the following King III principles for risk management are adhered to:
  - accepting responsibility for the governance of risk
  - determining the levels of risk tolerance
  - the risk committee or audit committee to assist the board in carrying out its risk responsibilities
  - delegating to management the responsibility to design, implement and monitor the risk management plan
  - performing risk assessments on a continual basis
  - implementing frameworks and methodologies to increase the probability of anticipating unpredictable risks
  - management considers and implements appropriate risk responses
  - monitoring risk by management continually
  - obtaining assurance regarding the effectiveness of the risk management process
  - ensuring processes are in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders.
CIO/CTO:
The CIO/CTO is to monitor the following causes carefully:
• Error
• Poor quality of service
• High rate of obsolescence
• High level of development
• High level of dependence on vendors, service providers and consultants
• Wasteful expenditure, unnecessary features
• Inadequate architecture, limited interoperability and poor scalability
• Unproven, brittle and poorly designed technology
• Limited capability to implement and support solutions and end users
• Monolithic, inflexible applications with complex integration
• Multiple contractual, regulatory and legislated compliance requirements
The CIO/CTO is also to:
• Regularly demonstrate to the board that the organisation has adequate business resilience arrangements in place to recover from disaster
• Demonstrate that an effective IT risk management process is in place
• Demonstrate design, implementation and monitoring of the risk management plan
IT Management:
• Implement adequate business resilience arrangements to recover from disaster
• Consider and implement appropriate risk responses

Responsibility for Risk Management
Board:
• Accept responsibility for the process of risk management
• Ensure that risk management is embedded in its operations, decision-making processes and the execution of strategy.
CIO/CTO:
• Direct and control implementation of risk management
IT Management:
• Responsible for managing risk, which must be reflected in individual letters of appointment, key performance areas and reward systems.

Risk Appetite
Board:
• Set a risk appetite or tolerance level for the organisation, which must be determined in accordance with the strategic objectives
• Ensure that the CIO uses the risk appetite as the basis for implementing a risk management process across the IT function and for establishing an IT risk management plan.
CIO/CTO:
• Use the risk appetite as the basis for implementing a risk management process across the IT function and for establishing an IT risk management plan
IT Management:
• Implement the IT risk management plan

Risk Identification
Board:
• Ensure that risk identification is directed within the context of the organisation's purpose and focuses on strategic and operational risks.
• Consideration must be given to reputation risk and IT legal risks
CIO/CTO:
• Direct and control risk identification and ensure that the focus is on both strategic and operational risks
IT Management:
• Identify risks, focusing on both strategic and operational risks

Risk Quantification and Response
Board:
• Ensure that key risks are quantified and are responded to appropriately
• Decide with management which risks are significant
• Classify risk as high, moderate or low
• Develop a clear, shared understanding of the risks that are acceptable or likely to become unacceptable and then decide how they will manage the risks and control strategies
• Ensure that risks evaluated are prioritised and ranked to focus risk response measures on those risks outside the board's risk tolerance limits.
• Ensure that management identifies and considers the possible risk response options
• Ensure that risks are validated with relevant stakeholders.
CIO/CTO:
• Develop a clear, shared understanding of the risks that are acceptable or likely to become unacceptable and then decide how they will manage the risks and control strategies
IT Management:
• Develop a clear, shared understanding of the risks that are acceptable or likely to become unacceptable and then decide how they will manage the risks and control strategies
• Risks must be validated with relevant stakeholders to confirm the:
  - accuracy and validity of risk information recorded
  - assumptions made in assessment of the risk information provided
  - need for any additional data or information on the effectiveness of the control environment.

Risk Management Plan
Board:
• Adopt a risk management plan for achieving risk management objectives
CIO/CTO:
The CIO/CTO is to establish or adopt, and direct and control the implementation of, a risk management plan with the following requirements:
• The risk management plan must include an implementation plan, which must be monitored as a medium-term project and have scheduled reviews.
• The risk management plan must outline the resources, tasks and responsibilities for introducing and developing the risk management processes and activities into the company
IT Management:
• Design or adopt the risk management plan
  The risk management plan must state the objectives on risk optimisation, how risk management must support the business strategy and how regulatory requirements must be managed. Risk management processes must be incorporated into budgeting and business planning activities.
• Implement the risk management plan
  In designing the implementation plan, management must determine the sequence of implementation, document roles and responsibilities, determine the target dates for implementation and decide on the frequency and format of

• ... investment in IT
• Take full accountability and be responsible for the decisions made where technology is promising a major transformation of the organisational business processes

Business Continuity
Board:
• Monitor and evaluate business resilience arrangements in the event of a disaster affecting IT
CIO/CTO:
• Demonstrate that there are adequate business resilience arrangements in the event of a disaster affecting IT.
IT Management:
• Implement adequate business resilience arrangements in the event of a disaster affecting IT

Information Management
Board:
• Delegate responsibility for information management
CIO/CTO:
• Demonstrate that information management efforts are adequate
IT Management:
• Ensure the integrity and availability of information and information systems in a timely manner
• Retain records
• Comply with security and privacy requirements.

Data Privacy
Board:
• Monitor and evaluate processes for managing personal information and relevant compliance with the applicable laws
CIO/CTO:
• Ensure that resources are deployed to manage personal information and to ensure compliance with the applicable laws
IT Management:
• Implement the processes for managing personal information to ensure compliance with the applicable laws

Information Security
Board:
• Delegate responsibility for Information Security Management
CIO/CTO:
• Resources must be deployed to develop, implement and manage an appropriate Information Security Management strategy and system
IT Management:
• Implement the information security management strategy and required systems

The Use of Technology to Aid the Management of Risk and Compliance
Board:
• Obtain assurance that technology is being used to aid business risk management functions
CIO/CTO:
• Consideration must be given to the suitability, economy and effectiveness of using technology at various stages of the processes to manage risk and compliance
IT Management:
• Implement suitable technology to manage risk and compliance (e.g. policies, standards, etc.)

FINANCIAL/RESOURCE MANAGEMENT
Optimising Knowledge, IT Infrastructure and Relationships

Resource Management
Board:
• Ensure that the economic, social and environmental resources are treated responsibly and that their performance is reported on in an integrated report
• Direct management to focus on ensuring the optimal use of available resources, including knowledge, infrastructure and partnerships
• Consider any outsourced IT services, as this remains the responsibility of the Board, and external assurance regarding the governance must be considered.
CIO/CTO:
CIO/CTO responsibilities include:
• monitoring and evaluating the extent to which IT actually sustains and enhances the strategic objectives
• monitoring and evaluating the acquisition and use of IT resources to ensure that they support business requirements
• monitoring and evaluating the acquisition and appropriate use of technology, process and people
• overseeing IT investment to ensure that IT expenditure is in proportion to the delivery of business value
• ensuring good governance principles apply to all parties that provide IT resources. This includes suppliers of hardware, software, skills and IT services
• remaining accountable for ensuring that effective IT governance is in place where a resource has been outsourced. The following outsourcing issues are important:
  - Governance of outsourced services
  - Compliance in an outsourced environment
  - Capability to outsource
  - Capability of service providers to provide contracted services
  - Considerable additional risks from outsourcing: compliance, staff turnover, control of costs
  - Nature of third-party contracts (outsourced services or lease agreements for equipment and the hiring of staff)
  - Adequacy of service level agreements
  - Pricing and charging practices
  - What capability is required at termination of the outsourcing contract?
  The audit committee must include these assurance tasks within the normal assurance activities.
IT Management:
• Leverage knowledge and skill, capture the lessons learnt and build capability

PERFORMANCE MEASUREMENT
Proper IT Governance Assists the Board to Ensure that IT Use Contributes Positively to the Performance of the Organisation

IT Governance and Performance Management
Board:
• Consider performance management, which underpins IT governance by proving the value proposition and measuring the performance of IT.
• Request reviews by independent experts to ensure that appropriate project management principles are applied.
CIO/CTO:
The CIO/CTO must consider the following in terms of performance measurement:
• Outcomes expected by stakeholders - key goal indicators
• Measurement of the enablers used to achieve these outcomes
• Management's control of activities critical to the success of the enablers.
• IT goals and measures must flow directly from strategic goals.
Report to the Board about IT:
• achieving its objectives
• being resilient and agile to adapt to changing strategic needs
• judiciously managing risks
• recognising and acting on business opportunities.
IT Management:
• IT managers and staff must develop performance management systems that optimise operational customer results from an organisational perspective.
• IT goals and measures in support of individual operational customers must meet IT department or business unit objectives. In turn, IT function or business unit objectives must map directly to both programme and organisation-wide strategic directions and goals.
• IT goals and measures must be tracked in a seamless fashion back to the business objectives and group goals.

Approach to Performance Measurement
Board:
• Measure not only the outcomes of the governance activities but also the relevance and effectiveness of the applied governance framework, processes and measurements.
CIO/CTO:
Institutionalise a managed process by doing the following:
• Assigning responsibility and authority for performing the process
• Adhering to organisational policies
• Following established plans and process descriptions
• Providing adequate resources (including funding, people, methods and tools)
• Training the people performing and supporting the process
• Placing designated work products under appropriate levels of configuration management
• Identifying and involving relevant stakeholders
• Monitoring and controlling the performance of the process against the plans for performing the process and taking corrective actions
• Objectively evaluating the process, its work products and its services for adherence to the process descriptions, objectives and standards, and addressing non-compliance
• Reviewing the activities, status and results of the process with higher-level management and taking corrective action.
IT Management:
• Implement a performance management system for monitoring and tracking the outcomes of the governance activities and the effectiveness of the applied governance framework and processes

RISK & AUDIT COMMITTEES
Risk and Audit Committees should Assist the Board in Carrying out its IT Responsibilities

Risk Committee
Board:
• Fully understand the overall exposure to IT risks from a strategic and business perspective
• Obtain assurance that all significant risks are managed in an appropriate manner
CIO/CTO:
• Establish measures such as the ones documented here, and monitor and evaluate these measures in order to provide assurance on the effectiveness of the risk management efforts to the risk committee
IT Management:
• Fully commit to the goal of implementing, supporting and maintaining an effective risk committee

Audit Committee
Board:
• Oversee the reporting and assurance functions on behalf of the board and serve as a link between the board and these functions
• Monitor the integrity and completeness of the organisation's financial reporting and compliance with other regulatory requirements
• Review aspects of risk and sustainability issues where it is mandated to do so by the board
• Obtain appropriate assurance that controls are adequate to address the risks in areas that are not appropriately governed (e.g. outsourcing and ERP implementations) that expose the organisation to higher levels of risk.
CIO/CTO:
• As information technology often provides the system of internal controls, the CIO and IT management are required to conduct suitable tests and report back to the audit committee.
IT Management:
• Fully commit to the goal of supporting and maintaining an effective audit committee.
• At least annually conduct a formal documented review of the design, implementation and effectiveness of the system of internal financial controls by conducting suitable testing, and report back to the chiefs and audit committee.
• Enable the audit committee to perform its responsibilities to oversee the integrity of the financial information. (External auditor attestation on internal financial controls is not a requirement.)

MANAGING INFORMATION
The Board is to Ensure Information Assets are Managed Effectively

Information Management
Board:
• Ensure information assets are managed effectively
CIO/CTO:
• Direct and control the effective management of information assets
IT Management:
• Manage information assets effectively, ensuring the integrity and availability of information and information systems in a timely manner.
• Manage information throughout the life cycle by implementing suitable processes
• Identify, classify, retain, store, archive, protect and make available when required for business and legal purposes any information records providing evidence of business activity, which are important information assets

Information Privacy
Board:
• Ensure privacy of information where required
CIO/CTO:
• Direct and control the appropriate identification and treatment of all personal information considered a business asset and ensure compliance with applicable laws.
IT Management:
• Identify and treat all personal information processed as an important business asset, including processing it in accordance with applicable laws

Information Security
Board:
• Ensure that an information security management system is implemented according to an applicable information security framework.
• Oversee the development of the information security strategy and delegate its implementation to IT management.
CIO/CTO:
• Direct and control the strategy for, and the establishment and implementation of, the information security management framework and systems
IT Management:
• Implement the information security strategy and an information security management system in accordance with an appropriate information security framework.

COMPLIANCE
Proper IT Governance Assists Directors in Assuring Conformance with Obligations (Regulatory, Legislation, Common Law, Contractual) concerning the Acceptable Use of IT

Compliance with Obligations
Board:
• Establish a review process to ensure compliance with laws, regulations and contractual requirements.
• Ensure that all relevant IT laws are adhered to by ensuring that an effective compliance framework and processes are implemented.
• Consider any standards, guidelines or practices that would be relevant to the IT organisation.
CIO/CTO:
• Direct and control the process to identify and comply with laws, regulations and contractual requirements
• Identify compliance requirements, optimise and evaluate the response, obtain assurance that the requirements have been complied with and, finally, integrate IT's compliance reporting with the rest of the business.
IT Management:
• Identify the IT laws, regulations and contractual requirements that the organisation must comply with.
• Implement systems to address the compliance requirements
• Optimise and evaluate the compliance requirements and report on any non-compliance

A Single, Holistic Approach to Compliance
Board:
• Ensure that all compliance efforts are integrated across the organisation
CIO/CTO:
• Direct and control the process to integrate all compliance initiatives related to IT across the organisation
IT Management:
• Find a practical way to deal with compliance, considering the ever-increasing number of regulators, regulations, legislation and contractual obligations
• Adopt a process-orientated approach, starting with a single, generally accepted baseline of controls to which additional regulatory and statutory controls are then added to achieve compliance with external regulators and internal requirements
• Consider how IT can be used to assist with managing its own and the business's compliance obligations

Compliance should be made Sustainable
Board:
• Ensure that all compliance efforts are sustainable
CIO/CTO:
• Direct and control the process to maintain and sustain all compliance initiatives related to IT
IT Management:
• Sustainability comes through controls being:
  - Enabled through documented processes
  - Supported by the capability of people
  - Made effective through automation
  - Regularly monitored