IT Governance - Performance Measures Final
8/7/2019 IT Governance - Performance Measures Final
DOMAIN | ATTRIBUTE | RESPONSIBILITY (Board | CIO/CTO | IT Management) | DESCRIPTION/ACTIVITIES
BOARD RESPONSIBILITIES
IT Governance is the responsibility of the Board.
IT Steering Committee
Board: Appoint an IT steering committee with the CIO/CTO as the chairperson.
CIO/CTO: Chair the IT Steering Committee and:
- Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities
- Track status of projects and resolve resource conflicts
- Monitor service levels and service improvements
Description: Relevant representation is required from business and IT to assist with governance of IT.
Oversight Bodies
Board: Establish oversight bodies with clear terms of reference and appropriate membership from the business.
Description: These oversight authorities may have accountability for:
- Governance, Strategy, Investment and Performance
- Service Management
- Solution Delivery
- Third-Party Management
- Architecture, Technical Support and Operations
- Risk, Compliance and Internal Controls
- Security and Business Continuity
Relevant representation is required from business and IT.
IT Governance Project
Board: Initiate the IT Governance Project.
Management: Implement IT Governance.
Description: Treat the IT governance initiative as a project activity with a series of phases rather than a one-off step.
Leadership and Direction
The board is to:
- Place IT on the board agenda
- Clarify business strategies and objectives, and the role of IT in achieving them
- Delegate responsibility for implementing an IT governance framework to management
- Determine and communicate levels of risk tolerance/appetite
- Oversee the development of the information security strategy and delegate its implementation to IT management
- Assign accountability for the organisational changes needed for IT to succeed.
Monitoring and Evaluation
The board is to:
- Ensure that IT is aligned with strategic objectives
- Monitor and evaluate the extent to which IT actually sustains and enhances the organisation's strategic objectives
- Use the Risk and Audit committees to assist the board in fulfilling its responsibilities
- Ensure that prudent and reasonable steps have been taken in regard to IT governance
- Monitor and evaluate the acquisition and appropriate use of technology, process and people
- Ensure that an internal control framework has been adopted, implemented and is effective
- Ensure that information assets are managed effectively
- Protect information and intellectual property
- Ensure personal information is treated by the company as an important business asset
- Ensure information records provide adequate evidence of business activity
- Monitor the application of King III governance principles by all parties, at all levels (starting with the board), at all stages of business operations, across organisational boundaries (including third parties) and for the acquisition and disposal of IT goods and services
- Obtain project assurance from independent experts that IT management apply all basic elements of appropriate project management principles to all IT projects
- Question the delivery of proper value in proportion to the investments made
- Ensure risk management includes IT risks
- Measure and evaluate the amount spent on and the value received from IT
- Assess the learning being retained from experiences (post-implementation reviews, process refinement, improvements in capability)
- Assess the sharing and re-use being achieved
- Obtain independent assurance of the governance and controls supporting outsourced services.
IT Reporting to the Board
Board: Ensure IT reporting is adequate for its purpose.
Description: Management must increase transparency and provide the board with complete, timely, relevant, accurate and accessible information about:
- The likelihood of IT achieving its objectives
- IT's resilience to learn and adapt
- The judicious management of the inherent risks from using IT, including disaster recovery
- How well IT has recognised opportunities and acted on them

GOVERNANCE FRAMEWORK
An IT governance framework assists those at the highest level of organisations to ensure that IT use contributes positively to the performance of the organisation and conforms with the organisational obligations (regulatory, legislation, common law, contractual) concerning the acceptable use of IT.
IT Governance Framework
Board: Ensure that an IT Governance Framework is adopted or developed.
CIO/CTO: Adopt or develop an IT Governance Framework.
Description: An IT governance framework comprises definitions, principles and a model for governing IT and broadly covers all areas of IT activity. It:
- presents IT activities in a manageable and logical structure
- is generally accepted as containing good practices
- is business-orientated and capable of linking IT activities to business goals
- provides management with control objectives suitable to uncover IT issues
- fits with and supports risk management
- incorporates a baseline of internal controls for IT managers to implement
- guides management in aligning IT initiatives with real business needs
- contains performance measures to judge successes and failures
- assists with assurance activities that confirm the achievement of business objectives and that undesirable events are prevented, detected and corrected
- assists companies to comply with continually increasing regulatory requirements.
IT Governance Framework to Deliver Value and Manage Risk
Board: Ensure that the IT Governance Framework adopted or developed delivers value and manages risk.
CIO/CTO: Deliver value and manage risk through adopting or developing an IT Governance Framework.
Description: For the IT governance framework to add value or manage risk it must:
- Establish a link to the business requirements
- Make performance against business requirements transparent
- Organise IT's activities into a generally accepted process model
- Be focused on both the process and the outcomes to be achieved
- Identify the major IT resources to be leveraged
- Define the management control objectives to be considered
- Provide a common language.
IT Governance Charter
Board: The board is to ensure that an IT Governance Charter is developed.
CIO/CTO: Develop an IT Governance Charter.
Description: An organisational charter provides the terms of reference for the IT organisation. It ensures that those with responsibility for actions also have the authority to perform those actions.
Structure the Organisation
Board: Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the organisation, specifically its criticality to business strategy and the level of operational dependence on IT.
Description: The reporting line of the CIO is commensurate with the importance of IT within the enterprise.
- The typical organisational structure for IT governance starts with the board, an IT steering committee, a CIO and IT management with delegated responsibility to execute the IT governance framework, implemented to add value and minimise risk, including business continuity.
- A suitable organisation structure with relevant representation from the business and IT, appropriate for the size needed to adequately manage the IT organisation, is to be implemented. A top-down, layered approach to IT governance is required. To be effective, business strategy and goals have to be cascaded down into the IT organisation and used as the basis for measuring performance.
Processes
Board: Maintain oversight of the establishment and maintenance of IT processes.
CIO/CTO: Exercise control over the establishment and maintenance of IT processes.
IT Management: Establish and maintain IT processes.
Description:
- Process serves as the foundation for the definition of a management system used to capture and document details about ownership, scope, responsibilities, measurements, structured working practices and interfaces.
- Processes describe the life-cycle of activities (with feedback loops) and enable the development and implementation of a lean, sustainable capability to achieve the outcomes (business goals) desired.
- Processes ensure a stable, controlled, repeatable service that can be objectively measured against deliverables and outcomes achieved.
Governance Mechanisms
Board:
- Monitor that those given responsibility to deploy governance mechanisms acknowledge and understand their responsibilities.
- Monitor the performance of those given responsibility in the governance of IT.
CIO/CTO: Enforce governance mechanisms.
Description: Governance mechanisms include strategies, goals, policies, steering committees, oversight authorities, processes, procedures, roles, job descriptions, plans, schedules, contracts, proposals, authorisations, standards and scorecards, with a view to delivering value and minimising risk.
Governance of Information
Board: Oversee the business requirement for information.
CIO/CTO: Ensure that information conforms to the business requirements in order for it to satisfy business objectives.
Description: To satisfy business objectives, information needs to conform to the business requirements that:
- information is relevant and pertinent to the business process, and is delivered in a timely, correct, consistent and usable manner
- information is provided through the optimal (most productive and economical) use of resources
- sensitive information is protected from unauthorised disclosure
- information is accurate and complete, and its validity is in accordance with business values and expectations
- information is available when required by the business process, now and in the future, as a result of deploying the necessary resources and associated capabilities
- information provided complies with the laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed business criteria as well as internal policies
- information provided is appropriate for management to operate the entity and exercise its fiduciary and governance responsibilities.
Accountability Framework (Decision Rights)
Board: Ensure that decision-making occurs as part of a process with clearly defined roles and accountabilities.
Description: When assigning decision-making authority:
- start by articulating the decision that needs to be made, then
- determine the steps that must be carried out to reach a decision
- identify who must provide input, what activities are required to obtain such input, and how
- determine who will decide, ensuring that the decision makers are equipped with the information to make a fact-based decision.
More granular assignment of responsibilities and decision rights is achieved through the preparation of detailed process workflow charts.
IT Internal Controls Framework
Board: Ensure that an IT control framework is adopted and implemented, and that the board receives independent assurance of its effectiveness.
CIO/CTO: Exercise control over the adoption and implementation of an IT control framework.
Description: An IT controls framework is to be adopted or established comprising Accounting controls (General controls, Application controls and User controls) and Administrative controls.
- General controls are found in the infrastructure, technology and system software.
- Application controls are specific to business processes.
- User controls are the manual checks performed by staff.
- Administrative controls represent the wider concerns of management, particularly with regard to efficiency and effectiveness of administration, and increased profitability.
The role of an internal control is to be preventative, detective or corrective regarding a particular risk. Controls are made sustainable through incorporation in the operational process. The selection of controls is risk-based.
The condition of controls depends on the organisational structure, written policies, systemisation, evidence of controls operating and the competence and integrity of the people involved.
The Role and Responsibilities of Chief Information Officers
Board: Appoint a suitably qualified and experienced individual as the chief information officer (CIO) or chief technical officer (CTO).
The CIO/CTO to:
- Interact regularly on matters of IT governance with the board, or appropriate board committee, or both
- Understand the accountability and responsibility of IT
- Take responsibility for the implementation and monitoring of IT governance
- Seek leadership from the board, obtain direction and an understanding of the ethics and values that will influence and guide practices and behaviour within IT to achieve sustainable performance
- Implement an Accountability framework to assign decision-making rights
- Implement a suitable organisational structure and define terms of reference
- Be a bridge between IT and the business
- Ensure transparency through regular reporting to the board
- Enable IT to add value to the business and mitigate risks
- Incorporate IT into the business processes in a secure, sustainable manner
- Encourage the desirable use of IT by requiring managers to provide timely information, comply with the direction given and conform to the principles of good governance
- Create an awareness of the maturity levels of governance
- Build management skills and competencies to govern and promote a common language
Further responsibilities of the CIO/CTO and IT management:
- Implement an IT Governance framework to deliver value and manage risk
- Implement IT processes and governance mechanisms
- Implement IT frameworks, policies, procedures and standards
- Develop and implement an IT governance charter and policies
- Adopt and implement an IT controls framework
- Implement an ethical IT governance and management culture
- Incorporate IT governance in corporate governance
- Implement processes to ensure that reporting to the board is complete, timely, relevant, accurate and accessible
- Obtain assurance on the effectiveness of the IT control framework
- Sustain and enhance the strategic objectives
- Implement a strategic IT planning process that is integrated with the business strategy development process
- Enable the improvement of the company's performance and sustainability
- Integrate IT plans with the business plans
- Define, maintain and validate the IT value proposition
- Align IT operations with business operations
- Align IT activities with environmental sustainability objectives
- Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives
- Include relevant representation from the business in oversight structures
- Have regard for the legislative requirements that apply to IT
- Understand business requirements and long-term strategy
- Have a strategic approach and facilitate the integration of IT into business strategic thinking
- Translate business requirements into efficient and effective IT solutions
- Exercise care and skill over the design, development, implementation and maintenance of sustainable IT solutions
- Support the business and governance requirements in a timely and accurate manner through the acquisition of people, process and technology
- Optimise resource usage and leverage knowledge
- Ensure that the business value proposition is proportional to the level of investment
- Deliver the expected return from IT investments
- Measure and manage the amount spent on and the value received from technology
- Protect information and intellectual property
- Conduct post-implementation reviews to learn from each implementation
- Promote sharing and re-use of IT assets
- Ensure all parties in the chain from supply to disposal of IT services and goods apply good governance principles
- Monitor and enforce good governance across all suppliers
- Obtain independent assurance that outsourced service providers have applied the principles of IT governance
- Obtain independent assurance of the effectiveness of the IT controls framework implemented by service providers
- Obtain independent assurance that the basic elements of appropriate project management principles are applied to all IT projects
- Regularly demonstrate to the board that the company has adequate business resilience arrangements in the event of a disaster affecting IT
- Implement a risk management process based on the board's risk appetite
- Design, implement and monitor the IT risk management plan
- Maintain an IT risk register, including IT legal risks
- Comply with applicable laws and regulations
- Perform continual risk assessments
- Select and use an appropriate framework for managing risk (Group BRM Risk Management Framework)
- Consider and implement appropriate risk responses
- Minimise risks
- Manage information assets effectively
- Ensure the integrity and availability of information and information systems in a timely manner
- Implement information records management and ensure information assets are identified, classified, retained, stored, archived, protected and made available when required for business and legal purposes
- Establish a business continuity programme for the company's information and the successful execution of the business activities
- Identify all personal information processed by the company and treat this as an important business asset, including processing it in accordance with applicable laws
- Implement an information security strategy
- Implement an information security management system in accordance with an appropriate information security framework (Group BRM Information Security Framework)
- Provide the Audit and Risk Committees with relevant information about IT risks and the controls in place
- Measure, manage and communicate IT performance
- Report to the IT Steering Committee on IT performance
- Consider using IT to aid the company's risk management, compliance and audit efforts.
STRATEGIC ALIGNMENT
The Board should ensure that IT is aligned with business objectives, including economic, social and environmental sustainability.

Alignment With Group Objectives
Board: Ensure that business goals are cascaded to IT goals, process goals and activity goals.
CIO/CTO: Take responsibility for and cascade Group objectives, IT goals, process goals and activity goals to IT management.
IT Management:
- Ensure that Group objectives, IT goals, process goals and activity goals are understood and achievable
- Deliver on the above goals
- Align IT activities with the performance and sustainability objectives of the company
Description: Strategic objectives are attained through the effective and efficient management of IT resources. This assists management to understand what outcome is expected, what success looks like and who will recognise this success.
Integration of Strategic IT Planning With the Organisational Strategic and Business Objectives
Board: Ensure that IT achieves, sustains and extends the company's strategic objectives.
CIO/CTO: Exercise control ensuring that IT achieves, sustains and extends the strategic objectives.
IT Management: Implement a strategic IT planning process that is integrated with the business strategy development process, and ensure that:
- IT plans are integrated with the business plans
- IT operations are aligned with business operations
- The IT function, roles and reporting lines are structured to reflect the integration of IT with the business operations
- IT contributes towards the company's objectives in an effective and efficient manner
- The IT contribution towards the attainment of the company's objectives is monitored and measured
- The IT value proposition has been defined, maintained and validated
- The effect of IT on the environment is considered
- There is a process in place to identify and exploit opportunities where IT can create value and assist the company to gain competitive advantage
- The IT steering committee contains both business and IT representation
- A business-oriented CIO is appointed
- The CIO has an understanding of the business strategy
- The CIO has access to the board and executive management
- IT investment and expenditure support the business objectives
- The role of IT in achieving strategic business objectives is clear
- IT spend is measured and managed to deliver value to the business
- IT assurance is addressed as an integral part of the normal assurance activities
- IT risk is addressed as an integral part of the normal risk management activities
- IT compliance with legal requirements is addressed as an integral part of the normal compliance activities
- IT risks are understood and managed from a business strategic perspective
Direction From the Top
Board: Translate its leadership into clear statements of direction that management of the organisation can follow.
Description: An example would be the policy defined by the CIO for board approval as to the nature, extent and accountability for implementing information security.
Define, Maintain and Validate the IT Value Proposition
Board: Ensure that the value proposition of IT is determined by clarifying the role of IT in achieving business strategies. Oversee the definition, maintenance and validation of the IT value proposition.
Within value chain analysis, there are two generic strategies an organisation can pursue to achieve a competitive advantage:
- Creating a low-cost competitive advantage by reducing the cost of an individual value chain activity or reconfiguring the value chain.
- Creating a value-added competitive advantage by increasing the value of an individual value chain activity or reconfiguring the value chain.
Description: Add business value by enabling the organisation to differentiate its value chain from each of its competitors' value chains. IT activities are to be prioritised in areas where there is a greater contribution of value.
Aligning IT Operations With Business Operations
Board: Ensure that IT activity goals are aligned with IT process goals, which in turn are aligned to IT organisational goals and business goals.
Description: Business goals are cascaded down to the activity level within IT, providing substance to the requirement of aligning IT with strategic goals.
Sustainability
Board: Ensure sustainable capability to perform as expected.
Description: Nurturing, protecting, capturing, retaining and developing human capital is a vital ingredient in the sustainable economic performance of any enterprise. Sustainability is about maintaining the capability to perform as expected. Without investment, capability within IT is certain to diminish over time and dependency on external solution providers would grow. Without the necessary skills the company will not be able to exploit business opportunities that may come its way in the future.
Performance and Sustainability Improvements
Board: Monitor and evaluate the extent to which IT actually sustains and enhances the organisation's strategic objectives.
CIO/CTO: Implement improvements related to IT performance and sustainability.
IT Management: Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives.
Description: Process orientation, with an element of self-analysis, provides for continuous improvement, often described as the Deming cycle of Plan-Do-Check-Act.
Concern For the Environment
Board:
- Establish an environmental policy
- Ensure that green IT initiatives are aligned with the overall strategy and corporate social responsibility programme by aligning IT activities with environmental sustainability
CIO/CTO:
- Align IT activities with environmental sustainability
- Implement Green IT principles based on the environmental policy established by the board. These principles provide decision makers with predefined preferences when alternative options are available.
Description: Aligning IT activities with environmental sustainability objectives requires management to consider the environmental aspects and significant impacts of IT and IT activities, including:
- Energy saving:
  - Switch and data centre facilities design
  - Switch and data centre heat recycling
  - Advanced cooling technologies
  - Processor design and server efficiency
  - Energy management for the office environment
  - Integrated energy management for the software environment
  - Combined heat and power
  - Use of modelling and monitoring software
- Avoidance of wasteful expenditure:
  - Recycling of infrastructure
  - Reusable code and services
  - Paperless reporting
  - Optimised software programs
  - Overly complex and tightly integrated solutions
  - Unnecessarily large infrastructure
  - Unnecessary data storage
  - Excessive security and disaster recovery planning
  - Excessive data redundancy
  - Excessive features
- Avoidance of unnecessary CO2 emissions:
  - Disposal of inefficient technology
  - Purchase of greener energy
  - Purchase from companies known to be greener
  - Records management
  - Avoiding travel and transport.
VALUE DELIVERY
Executing on the value proposition of IT.

Value Delivery
Board: Ensure that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT. Ensure that the expected return on investment from IT projects is delivered and that the information and intellectual property contained in the information systems are protected.
CIO/CTO: Direct and control efforts to prove the value of IT.
IT Management: Deliver on the promised benefits against the strategy, concentrating on optimising costs and delivering the intrinsic value of IT.
Description: The CIO/CTO does so by:
- clarifying the role of IT in achieving business strategies;
- measuring and managing the amount spent on and the value received from IT;
- assigning accountability for the organisational changes required to benefit from IT capabilities;
- learning from each implementation, becoming more adept at sharing and reusing IT assets;
- implementing balanced scorecards as a tool for proving the value of IT and measuring performance.
RISK MANAGEMENT
Risk management seeks to provide interventions that optimise the balance between risk and reward within the organisation.

IT Governance and Risk Management
Board:
- Ensure that regular opportunities for information technology failures that disrupt business and prevent the achievement of operational and strategic objectives are minimised.
- Ensure that IT risks form part of enterprise risk management.
- Ensure that the following King III principles for risk management are adhered to:
  - accepting responsibility for the governance of risk
  - determining the levels of risk tolerance
  - the risk committee or audit committee assisting the board in carrying out its risk responsibilities
  - delegating to management the responsibility to design, implement and monitor the risk management plan
  - performing risk assessments on a continual basis
  - implementing frameworks and methodologies to increase the probability of anticipating unpredictable risks
  - management considering and implementing appropriate risk responses
  - management monitoring risk continually
  - obtaining assurance regarding the effectiveness of the risk management process
  - ensuring processes are in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders.
CIO/CTO:
- Regularly demonstrate to the board that the organisation has adequate business resilience arrangements in place to recover from disaster
- Demonstrate that an effective IT risk management process is in place
- Demonstrate design, implementation and monitoring of the risk management plan
- Implement adequate business resilience arrangements to recover from disaster
- Consider and implement appropriate risk responses
Description: The CIO/CTO is to monitor the following causes carefully:
- Error
- Poor quality of service
- High rate of obsolescence
- High level of development
- High level of dependence on vendors, service providers and consultants
- Wasteful expenditure, unnecessary features
- Inadequate architecture, limited interoperability and poor scalability
- Unproven, brittle and poorly designed technology
- Limited capability to implement and support solutions and end users
- Monolithic, inflexible applications with complex integration
- Multiple contractual, regulatory and legislated compliance requirements
Responsibility For Risk Management
Board:
- Accept responsibility for the process of risk management
- Ensure that risk management is embedded in its operations, decision-making processes and the execution of strategy.
CIO/CTO: Direct and control the implementation of risk management.
IT Management: Responsible for managing risk, which must be reflected in individual letters of appointment, key performance areas and reward systems.
Risk Appetite
Board:
- Set a risk appetite or tolerance level for the organisation, which must be determined in accordance with the strategic objectives
- Ensure that the CIO uses the risk appetite as the basis for implementing a risk management process across the IT function and for establishing an IT risk management plan.
CIO/CTO: Use the risk appetite as the basis for implementing a risk management process across the IT function and for establishing an IT risk management plan.
IT Management: Implement the IT risk management plan.
Risk Identification
Board:
- Ensure that risk identification is directed within the context of the organisation's purpose and focuses on strategic and operational risks.
- Consideration must be given to reputation risk and IT legal risks.
CIO/CTO: Direct and control risk identification and ensure that the focus is on both strategic and operational risks.
IT Management: Identify risks, focusing on both strategic and operational risks.
Risk Quantification and Response
Board:
- Ensure that key risks are quantified and are responded to appropriately
- Decide with management which risks are significant
- Classify risk as high, moderate or low
- Develop a clear, shared understanding of the risks that are acceptable or likely to become unacceptable, and then decide how they will manage the risks and control strategies
- Ensure that risks evaluated are prioritised and ranked to focus risk response measures on those risks outside the board's risk tolerance limits
- Ensure that management identifies and considers the possible risk response options
- Ensure that risks are validated with relevant stakeholders.
CIO/CTO and IT Management: Develop a clear, shared understanding of the risks that are acceptable or likely to become unacceptable, and then decide how they will manage the risks and control strategies.
Risks must be validated with relevant stakeholders to confirm:
- the accuracy and validity of risk information recorded
- the assumptions made in assessment of the risk information provided
- the need for any additional data or information on the effectiveness of the control environment.
Risk Management Plan
  Board:
  - Adopt a risk management plan for achieving risk management objectives.
  CIO/CTO:
  - Establish or adopt, and direct and control the implementation of, a risk management plan with the following requirements:
    - The risk management plan must include an implementation plan, which must be monitored as a medium-term project and have scheduled reviews.
    - The risk management plan must outline the resources, tasks and responsibilities for introducing and developing the risk management processes and activities into the company.
  IT Management:
  - Design or adopt the risk management plan. The risk management plan must state the objectives on risk optimisation, how risk management must support its business strategy and how regulatory requirements must be managed. Risk management processes must be incorporated into budgeting and business planning activities.
  - Implement the risk management plan. In designing the implementation plan, management must determine the sequence of implementation, document roles and responsibilities, determine the target dates for implementation and decide on the frequency and format of
investment in IT
  - Take full accountability and be responsible for the decisions made where technology is promising a major transformation of the organisational business processes.

Business Continuity
  Board:
  - Monitor and evaluate business resilience arrangements in the event of a disaster affecting IT.
  CIO/CTO:
  - Demonstrate that there are adequate business resilience arrangements in the event of a disaster affecting IT.
  IT Management:
  - Implement adequate business resilience arrangements in the event of a disaster affecting IT.

Information Management
  Board:
  - Delegate responsibility for information management.
  CIO/CTO:
  - Demonstrate that information management efforts are adequate.
  IT Management:
  - Ensure the integrity and availability of information and information systems in a timely manner.
  - Retain records.
  - Comply with security and privacy requirements.

Data Privacy
  Board:
  - Monitor and evaluate processes for managing personal information and relevant compliance with the applicable laws.
  CIO/CTO:
  - Ensure that resources are deployed to manage personal information and to ensure compliance with the applicable laws.
  IT Management:
  - Implement the processes for managing personal information to ensure compliance with the applicable laws.

Information Security
  Board:
  - Delegate responsibility for Information Security Management.
  CIO/CTO:
  - Resources must be deployed to develop, implement and manage an appropriate Information Security Management strategy and system.
  IT Management:
  - Implement the information security management strategy and required systems.

The Use of Technology to Aid the Management of Risk and Compliance
  Board:
  - Obtain assurance that technology is being used to aid business risk management functions.
  CIO/CTO:
  - Consideration must be given to the suitability, economy and effectiveness of using technology at various stages of the processes to manage risk and compliance.
  IT Management:
  - Implement suitable technology to manage risk and compliance (e.g. policies, standards, etc.).
Financial/Resource Management: Optimising Knowledge, IT Infrastructure and Relationships

Resource Management
  Board:
  - Ensure that the economic, social and environmental resources are treated responsibly and that their performance is reported on in an integrated report.
  - Direct management to focus on ensuring the optimal use of available resources, including knowledge, infrastructure and partnerships.
  - Consider any outsourced IT services, as this remains the responsibility of the Board, and external assurance regarding the governance must be considered.
  CIO/CTO:
  - CIO/CTO responsibilities include:
    - monitoring and evaluating the extent to which IT actually sustains and enhances the strategic objectives;
    - monitoring and evaluating the acquisition and use of IT resources to ensure that they support business requirements;
    - monitoring and evaluating the acquisition and appropriate use of technology, process and people;
    - overseeing IT investment to ensure that IT expenditure is in proportion to the delivery of business value;
    - ensuring good governance principles apply to all parties that provide IT resources. This includes suppliers of hardware, software, skills and IT services.
  - Remaining accountable for ensuring that effective IT governance is in place where a resource has been outsourced. The following outsourcing issues are important:
    - Governance of outsourced services
    - Compliance in an outsourced environment
    - Capability to outsource
    - Capability of service providers to provide contracted services
    - Considerable additional risks from outsourcing: compliance, staff turnover, control of costs
    - Nature of third-party contracts (outsourced services or lease agreements for equipment and the hiring of staff)
    - Adequacy of service level agreements
    - Pricing and charging practices
    - What capability is required at termination of the outsourcing contract?
    The audit committee must include these assurance tasks within the normal assurance activities.
  IT Management:
  - Leverage knowledge and skill, capture the lessons learnt and build capability.
Performance Measurement: Proper IT Governance Assists the Board to Ensure that IT Use Contributes Positively to the Performance of the Organisation

IT Governance and Performance Management
  Board:
  - Consider performance management, which underpins IT governance by proving the value proposition and measuring the performance of IT.
  - Request reviews by independent experts to ensure that appropriate project management principles are applied.
  CIO/CTO:
  - The CIO/CTO must consider the following in terms of performance measurement:
    - Outcomes expected by stakeholders - key goal indicators
    - Measurement of the enablers used to achieve these outcomes
    - Management's control of activities critical to the success of the enablers
    - IT goals and measures must flow directly from strategic goals.
  - Report to the Board about IT:
    - achieving its objectives
    - being resilient and agile to adapt to changing strategic needs
    - judiciously managing risks
    - recognising and acting on business opportunities.
  IT Management:
  - IT managers and staff must develop performance management systems that optimise operational customer results from an organisational perspective.
  - IT goals and measures in support of individual operational customers must meet IT department or business unit objectives. In turn, IT function or business unit objectives must map directly to both programme and organisation-wide strategic directions and goals.
  - IT goals and measures must be tracked in a seamless fashion back to the business objectives and group goals.

Approach to Performance Measurement
  Board:
  - Measure not only the outcomes of the governance activities but also the relevance and effectiveness of the applied governance framework, processes and measurements.
  CIO/CTO:
  - Institutionalise a managed process by doing the following:
    - Assigning responsibility and authority for performing the process
    - Adhering to organisational policies
    - Following established plans and process descriptions
    - Providing adequate resources (including funding, people, methods and tools)
    - Training the people performing and supporting the process
    - Placing designated work products under appropriate levels of configuration management
    - Identifying and involving relevant stakeholders
    - Monitoring and controlling the performance of the process against the plans for performing the process and taking corrective actions
    - Objectively evaluating the process, its work products, and its services for adherence to the process descriptions, objectives and standards, and addressing non-compliance
    - Reviewing the activities, status, and results of the process with higher-level management and taking corrective action.
  IT Management:
  - Implement a performance management system for monitoring and tracking the outcomes of the governance activities and the effectiveness of the applied governance framework and processes.
Risk & Audit Committees: Risk and Audit Committees should Assist the Board in Carrying out its IT Responsibilities

Risk Committee
  Board:
  - Fully understand the overall exposure to IT risks from a strategic and business perspective.
  - Obtain assurance that all significant risks are managed in an appropriate manner.
  CIO/CTO:
  - Establish measures such as the ones documented here, and monitor and evaluate these measures in order to provide assurance on the effectiveness of the risk management efforts to the risk committee.
  IT Management:
  - Fully commit to the goal of implementing, supporting and maintaining an effective risk committee.

Audit Committee
  Board:
  - Oversee the reporting and assurance functions on behalf of the board and serve as a link between the board and these functions.
  - Monitor the integrity and completeness of the organisation's financial reporting and compliance with other regulatory requirements.
  - Review aspects of risk and sustainability issues where it is mandated to do so by the board.
  - Obtain appropriate assurance that controls are adequate to address the risks in areas that are not appropriately governed (e.g. outsourcing and ERP implementations) that expose the organisation to higher levels of risk.
  CIO/CTO:
  - As information technology often provides the system of internal controls, the CIO and IT management are therefore required to conduct suitable tests and report back to the audit committee.
  IT Management:
  - Fully commit to the goal of supporting and maintaining an effective audit committee.
  - At least annually conduct a formal documented review of the design, implementation and effectiveness of the system of internal financial controls by conducting suitable testing, and report back to the chiefs and audit committee.
  - This enables the audit committee to perform its responsibilities to oversee the integrity of the financial information. (External auditor attestation on internal financial controls is not a requirement.)

Managing Information: The Board is to Ensure Information Assets are Managed Effectively
Information Management
  Board:
  - Ensure information assets are managed effectively.
  CIO/CTO:
  - Direct and control the effective management of information assets.
  IT Management:
  - Manage information assets effectively, ensuring the integrity and availability of information and information systems in a timely manner.
  - Manage information throughout the life cycle by implementing suitable processes.
  - Identify, classify, retain, store, archive, protect and make available when required for business and legal purposes any information records providing evidence of business activity, which are important information assets.

Information Privacy
  Board:
  - Ensure privacy of information where required.
  CIO/CTO:
  - Direct and control the appropriate identification and treatment of all personal information considered a business asset and ensure compliance with applicable laws.
  IT Management:
  - Identify and treat all personal information processed as an important business asset, including being processed in accordance with applicable laws.

Information Security
  Board:
  - Ensure that an information security management system is implemented according to an applicable information security framework.
  - Oversee the development of the information security strategy and delegate its implementation to IT management.
  CIO/CTO:
  - Direct and control the strategy for, and establishment and implementation of, the information security management framework and systems.
  IT Management:
  - Implement the information security strategy and an information security management system in accordance with an appropriate information security framework.
Compliance: Proper IT Governance Assists Directors in Assuring Conformance with Obligations (Regulatory, Legislation, Common Law, Contractual) concerning the Acceptable Use of IT

Compliance with Obligations
  Board:
  - Establish a review process to ensure compliance with laws, regulations and contractual requirements.
  - Ensure that all relevant IT laws are adhered to by ensuring that an effective compliance framework and processes are implemented.
  - Consider any standards, guidelines or practices that would be relevant to the IT organisation.
  CIO/CTO:
  - Direct and control the process to identify and comply with laws, regulations and contractual requirements.
  - Identify compliance requirements, optimise and evaluate the response, obtain assurance that the requirements have been complied with and, finally, integrate IT's compliance reporting with the rest of the business.
  IT Management:
  - Identify the IT laws, regulations and contractual requirements that the organisation must comply with.
  - Implement systems to address the compliance requirements.
  - Optimise and evaluate the compliance requirements and report on any non-compliance.

A Single, Holistic Approach to Compliance
  Board:
  - Ensure that all compliance efforts are integrated across the organisation.
  CIO/CTO:
  - Direct and control the process to integrate all compliance initiatives related to IT across the organisation.
  IT Management:
  - Find a practical way to deal with compliance, considering the ever-increasing number of regulators, regulations, legislation and contractual obligations.
  - Adopt a process-orientated approach, starting with a single, generally accepted baseline of controls to which additional regulatory and statutory controls are then added to achieve compliance with external regulators and internal requirements.
  - Consider how IT can be used to assist with managing its own and the business's compliance obligations.

Compliance should be made Sustainable
  Board:
  - Ensure that all compliance efforts are sustainable.
  CIO/CTO:
  - Direct and control the process to maintain and sustain all compliance initiatives related to IT.
  IT Management:
  - Sustainability comes through controls being:
    - Enabled through documented processes
    - Supported by the capability of people
    - Made effective through automation
    - Regularly monitored