Transparency for effective IT Governance v1.0
By Ahmed Buhazza, E-Government Authority

Upload: ahmed-buhazza
Posted on 29-Nov-2014
Category: Technology

TRANSCRIPT

Page 1: Transparency for effective IT Governance

By Ahmed Buhazza, E-Government Authority

Page 3: Transparency (What)

Lack of hidden agendas and conditions, accompanied by the availability of full information required for collaboration, cooperation and collective decision making. (Source: businessdictionary.com)

Page 4: 360° Transparency (What)

Page 5: IT Governance (What)

The framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization's information systems support and enable the achievement of its strategies and objectives.

Page 8: No Transparency (Why)

Reasons given for the absence of transparency:

• Avoiding the blame
• Hidden agenda
• Lack of awareness
• Tight control
• Many restrictions
• Require additional effort
• Additional unnecessary hassle
• Not credited
• Not worthy
• Not in culture
• …

Page 10: Principles (How)

Transparency, Measurability, Accountability

Mission, Vision, Strategy

Page 11: Integrated Strategy (How)

Page 12: Management Engagement (How)

Weill, P. & Ross, J.W. (2004):

• Active engagement
• Top management involvement
• Formal committees

Page 13: Solid, Flexible, Practical Governance (How)

Weill, P. & Ross, J.W. (2004):

• Limited renegade exceptions
• Fewer annual changes

Page 14: Resource Management (How)

Team development stages: Forming, Storming, Norming, Performing

• Appropriate skills
• Clear objectives
• Suitable tools
• Code of ethics disclosures and work ethics training
• Selection
• Top-down hierarchy

Define your required transparency.

Page 15: SMART, Focused and Mapped Objectives (How)

Key Performance Indicators mapped to Key Risk Indicators, with the impact of each KRI breach:

KPI: On-time Delivery
KRI: Key Personnel Turnover
Impact: A turnover rate greater than three per month in identified key positions impacts critical system stability and efficiency, leading to compliance issues and possible failure to meet service level agreements.

KPI: Service Performance
KRI: IT Change Variance
Impact: Greater than six lost hours per month due to IT change negatively impacts critical service level agreements.

KPI: Service Accuracy
KRI: ERP Control Failures
Impact: Greater than 10 system control failures per month impacts application output integrity.

KPI: Agreement Effectiveness
KRI: Compliance Gap Closure
Impact: Greater than five open compliance gaps negatively impacts partner compliance attestations and may result in violated agreements and loss of business.

“If you want people to pay attention to something, measure them on it,” Mitchell said. “It sends a serious message.”

Objectives should be:

• SMART
• Built-in (i.e. in the JD, job description)
• Focused
• Mapped (i.e. KPI to KRI)
• Performance review

Set your own social and environmental performance targets. Define what transparency means to you and build a case for your approach.

Page 16: Monitoring; the Built-in Assurance (How)

• IT Governance Structure
• Audit Committee
• Audit (Internal/External)
• Assessment (i.e. risk-based planning)

Actively monitor and regularly review risks on a constructive, ‘no-blame’ basis.

Page 17: Automation, i.e. IT Compliance (How)

[Figure: C-GRID, a Global Regulatory Information Database. A query by SIC/NAICS, geography, etc. returns the relevant regulations, which flow into IT compliance policies/procedures, gap analysis and updates. Other labelled inputs are Requirements (from IT Strategy & Operations) and Rules; other stakeholders shown are vendors, auditors, regulators and users. Goal: automated detection of new regulatory requirements and rule-based generation of policies.]

Benefits:

• Greater process efficiency
• Convergence of GRC efforts
• Consistency of processes and methodologies

Publish your corporate governance policies on your Web site. (Very few companies do this.)

Page 18: Adapting a Solid Framework (How)

Model and its general use:

• COBIT: IT control objectives
• Val IT: governance of IT investments
• ISO 38500: corporate governance of information and communication technology
• ITIL, ISO 20000: IT service and operations management
• ISO 27001, 27002: information security management system
• PMBOK, PMMM, PRINCE2: project management
• BS 25999: business continuity management (BCM)
• Weill and Ross model: decision-making structure
• ISO 9001, Six Sigma: quality improvement
• CMMI: system and software development
• People-CMM (P-CMM): human asset management
• Balanced Scorecard (BSC): control and measurement scheme
• eSourcing Capability Model: sourcing management for both service providers and customers

Page 19: Communication & Awareness (How)

[Figure: communication channels around IT Governance. Labels: Business Demand, IT Services, Best Practices, Requirements and Suggestions. Channels:]

• Annual IT planning surveys
• Direct or escalated matters
• Biyearly service survey
• Correspondence feedback
• Biyearly IT audit
• Annual IT review forum
• General meetings

Page 20: Cultural Change (How)

“Rules are made to be broken”

“Tone at the top”: not only “talk the talk”, but more “walk the walk”

Leadership by example

Culture of inclusiveness: “The Wisdom of Crowds”

Culture of candor: “Mistakes were made…possibly by me”

Gradual change

Cultural audit

1. Give it time: chalk up some early “wins” to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment, then allow those controls to mature over time. Symantec experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.

• Close alignment with the corporate culture: ensure the existence of an organizational culture that supports well-thought-through risk taking and innovation.

10. Conduct a "culture audit" to ensure that employees believe they are being rewarded for positive behavior. At Enron, every employee signed a code of ethics, but the unwritten code was that managers should push the limits of the law to accomplish corporate goals.

Page 21: Transparency Framework (How)

Culture, Organization, Technology, Communication, Process