Transparency for effective IT Governance v1.0
Transparency
for effective IT Governance
1
By Ahmed Buhazza
E-Government Authority
2
Lack of hidden agendas and conditions, accompanied by the availability of full information required for collaboration, cooperation and collective decision making. (Source: businessdictionary.com)
3
Transparency
What
4
360° Transparency
What
The framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization's information systems support and enable the achievement of its strategies and objectives.
IT Governance
5
What
6
Governance Drivers (diagram)
Compliance Drivers: Internal Controls & Audit demands; Government Policies & Regulations
Risk Drivers: Risk Mitigation; Quality Assurance; Managing Corporate Compliance; Active regulators
Business as usual - “Firefighting”
Legislation - “Forced”
Best Practice Focused
What
Without IT Governance & Transparency
Why
7
• Many Failures
• Financial Losses
• Bad Reputation
• Closed Business
• Legal Actions
• Bad Planning
• Misused Budgets and Resources
• Random and Wrong Decisions
• Misunderstandings
No Transparency
Why
8
Avoiding the Blame
Hidden Agenda
Lack of Awareness
Tight Control, Many Restrictions
Require Additional Effort
Additional Unnecessary Hassle
Not Credited
Not Worthy
Not in Culture
… …
9
The Treatment
How
10
Principles: Transparency, Measurability, Accountability
How
Mission, Vision, Strategy
Integrated Strategy
How
11
Management Engagement
How
12
Weill, P. & Ross, J.W. (2004)
Active Engagement
Top Management Involvement
Formal Committees
Solid, Flexible Practical Governance
How
13
Weill, P. & Ross, J.W. (2004)
Limited renegade exceptions; fewer annual changes
Resource Management
How
14
Key Performance Indicators mapped to Key Risk Indicators and their Impact:
KPI: On-time Delivery; KRI: Key Personnel Turnover; Impact: A turnover rate greater than three per month in identified key positions impacts critical system stability and efficiency, leading to compliance issues and possible failure to meet service level agreements.
KPI: Service Performance; KRI: IT Change Variance; Impact: Greater than six lost hours per month due to IT change negatively impacts critical service level agreements.
KPI: Service Accuracy; KRI: ERP Control Failures; Impact: Greater than 10 system control failures per month impacts application output integrity.
KPI: Agreement Effectiveness; KRI: Compliance Gap Closure; Impact: Greater than five open compliance gaps negatively impacts partner compliance attestations and may result in violated agreements and loss of business.
Forming, Storming, Norming, Performing
Appropriate Skills
Clear Objectives
Suitable Tools
Code of Ethics Disclosures & Work Ethics Training
Selection
Top-Down Hierarchy
Define your required transparency
SMART, focused and Mapped Objectives
How
15
“If you want people to pay attention to something, measure them on it,” Mitchell said. “It sends a serious message.”
SMART
Built-in (i.e. JD)
Focused
Mapped (i.e. KPI/KRI)
Performance Review
Set your own social and environmental performance targets. Define what transparency means to you and build a case for your approach.
Monitoring: the Built-in Assurance
IT Governance Structure
Audit Committee
Audit (Internal/External)
Assessment (i.e. Risk-based planning)
How
16
Actively monitor and regularly review risks on a constructive, ‘no-blame’ basis.
17
C-GRID: Global Regulatory Information Database (diagram)
Query: SIC/NAICS, Geography…
Relevant Regulations
IT Compliance Policies/Procedures
Gap Analysis
Updates
Goal: Automated Detection of New Regulatory Requirements and Rule-Based Generation of Policies
Other Stakeholders: Vendors, Auditors, Regulators, Users
IT Strategy & Operations: Requirements, Rules
Automation – i.e. IT Compliance
How
Greater process efficiency
Convergence of GRC efforts
Consistency of processes and methodologies
Publish your corporate governance policies on your Web site. (Very few companies do this.)
Model and general use:
COBIT: IT Control Objectives
Val IT: Governance of IT investments
ISO 38500: Corporate Governance of Information and Communication Technology
ITIL, ISO 20000: IT Service and operations management
ISO 27001, 27002: Information Security Management System
PMBOK, PMMM, PRINCE2: Project Management
BS 25999: Business Continuity Management (BCM)
Weill and Ross model: decision-making structure
ISO 9001, Six Sigma: Quality improvement
CMMI: System and Software development
People-CMM (P-CMM): Human Asset Management
Balanced Scorecard (BSC): control and measurement scheme
eSourcing Capability Model: Sourcing management for both service providers and customers
What
How
Adapting a solid framework
How
Communication & Awareness (diagram)
Annual IT Planning Surveys
Direct or Escalated Matters
Biyearly Service Survey
Correspondence Feedback
IT Governance: Business Demand; IT Services; Best Practices; Requirements and Suggestions
Biyearly IT Audit
Annual IT Review Forum
General Meetings
How
19
“Rules are made to be broken”
“Tone at the top”
Not only “talk the talk”, but more “walk the walk”
“The Wisdom of Crowds” and “Mistakes were made…possibly by me”
Gradual Change
Cultural Audit
20
Cultural Change
How
1. Give it time—chalk up some early “wins” to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment—then allow those controls to mature over time. Symantec's experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.
• Close alignment with the corporate culture: ensure the existence of an organizational culture that supports well-thought-through risk taking and innovation.
Leadership by example
Culture of inclusiveness: “The Wisdom of Crowds”
Culture of candor: “Mistakes were made…possibly by me”
10. Conduct a "culture audit" to ensure that employees believe they are being rewarded for positive behavior. At Enron, every employee signed a code of ethics, but the unwritten code was that managers should push the limits of the law to accomplish corporate goals.
Culture; Organization; Technology; Communication; Process
21
Transparency Framework
How