Implementing Enterprise Governance Of IT Using COBIT 5

Value Insights – Unlocking IT Value – Transforming IT Enabled Investments into Business Value

Implementing Enterprise Governance of IT Using COBIT 5
‘A Business Driven Approach’

Beyond Excellence

Presented at Auditor General, Pretoria, 02 May 2013
by Tichaona Zororo
CIA, CRMA, CISA, CISM, CRISC, CGEIT
B.Sc. Hons. Information Systems (MSU), P.G.D. Computer Auditing (WITS)

Emerging Technology – The Irrevocable Forces – The BIG 6

- Increased Mobility
- Internet of Things
- Consumerisation
- Cloud Computing
- Big Data
- Social Media

Technology has changed the way business is conducted. More and more companies are using social media, mobile phones and tablets to do their business.

Legal and Regulatory Drivers for Enterprise Governance of IT

“External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached”

Huge reputational risks

The Familiar IT Environment

The Business Case for Implementing Enterprise Governance of IT

Pain Points:
- Board or senior management who are reluctant to engage with IT / IT matters
- Significant business incidents related to IT
- Hefty regulatory and contractual penalties
- Repeat findings and qualified audits
- Outsourcing problems leading to the business failing to meet its goals
- Costly failed IT initiatives
- IT projects that do not address business needs
- IT enabled investments often delivered late and over budget

Business Drivers for Enterprise Governance of IT

Trigger Events:
- Mergers, acquisitions or divestitures
- An enterprise wide governance focus or project
- New appointment or changes at enterprise C-level
- Desire to optimise value creation from IT enabled business changes
- Change in business operating or sourcing arrangements
- Significant technology change or paradigm shift
- A shift in the market, economy or competitive position
- New regulations or compliance requirements
- New business focus
- External audit or consultant assessments

A Business Framework for the Governance & Management of Enterprise IT

IT Is Complicated. Governance of Enterprise IT Does Not Have To Be.

An Anatomy of COBIT 5

The Evolution of COBIT – 16 Years of Existence

1996 – COBiT 1 – An Audit and Control Framework – Focus on Control Objectives
1998 – COBiT 2 – COBiT 2nd Edition – An Audit and Control Framework – Focus on Control Objectives
2000 – COBiT 3 – COBiT 3rd Edition – An IT Management Framework – Management Guidelines added
2005 – COBiT 4 – COBiT 4.0 – An IT Governance Framework – Governance and Compliance processes added, Assurance processes removed – Introduction of Goals Cascade
2007 – COBiT 4.1 – An IT Governance Framework – Governance and Compliance processes added, Assurance processes removed
2012 – COBIT 5 – Governance of Enterprise IT Framework – Integrates all other ISACA frameworks – Val IT, BMIS, Risk IT

COBIT 4.1 – An IT Governance Framework – 2007 to 2012

- Governance and Compliance processes added, Assurance processes removed
- Focus on processes as the key enablers
- 4 Domains [PO, AI, DS, ME]
- 34 Processes
- 208 Control Objectives
- CMMI / PAM (ISO/IEC 15504)

Introduction to COBIT 5 – An Integrated Framework

A business framework for the Governance and Management of Enterprise IT. COBIT 5 builds on previous versions of COBIT, BMIS, Val IT and Risk IT. Aligned with current best practices, e.g., ITIL, ISO 27001/2, TOGAF.

Business Based / Driven Framework

1. Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
2. The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals. These enterprise goals have been developed using the Balanced Scorecard (BSC) dimensions. (Kaplan, Robert S.; David P. Norton; The Balanced Scorecard: Translating Strategy into Action, Harvard University Press, USA, 1996)
3. The enterprise goals (Financial, Customer, Internal, Learning and Growth) are a list of commonly used goals that an enterprise has defined for itself.
4. Enterprise-specific goals can be easily mapped onto one or more of the generic enterprise goals.

Goals Cascade – Enterprise Goals Driving IT Goals

IT BSC Dimension: Financial
  How should we appear to our shareholders to succeed financially?
  Enterprise Goals:
    - Stakeholder value of business investments
    - Portfolio of competitive products & services
    - Managed business risk (safeguarding of assets)
    - Compliance with external laws and regulations
    - Financial transparency
  Information & Related Technology Goals:
    - Alignment of IT & business strategy
    - IT compliance and support for business compliance with external laws
    - Commitment of executive management for making IT related decisions
    - Managed IT related business risk
    - Realised benefits from IT-enabled investments and services portfolio
    - Transparency of IT costs, benefits and risk

IT BSC Dimension: Customer
  How do we appear to our customers to achieve our vision?
  Enterprise Goals:
    - Customer-oriented service culture
    - Business service continuity and availability
    - Agile responses to a changing business environment
    - Information based strategic decision making
    - Optimisation of service delivery costs
  Information & Related Technology Goals:
    - Delivery of IT services in line with business requirements
    - Adequate use of applications, information and technology solutions

IT BSC Dimension: Internal Business Processes
  What business processes must we excel at to satisfy our stakeholders and customers?
  Enterprise Goals:
    - Optimisation of business process functionality
    - Optimisation of business process costs
    - Managed business change programmes
    - Operational and staff productivity
    - Compliance with internal policies
  Information & Related Technology Goals:
    - IT agility
    - Security of information, processing infrastructure and applications
    - Optimisation of IT assets, resources and capabilities
    - Enablement and support of business processes by integrating applications and technology into business processes
    - Delivery of programmes delivering benefits, on time, on budget and meeting requirements and quality standards
    - Availability of reliable and useful information for decision making
    - IT compliance with internal policies

IT BSC Dimension: Learning & Growth
  How will we sustain our ability to change and improve to achieve our vision?
  Enterprise Goals:
    - Skilled and motivated people
    - Product and business innovation culture
  Information & Related Technology Goals:
    - Competent and motivated business and IT personnel
    - Knowledge, expertise and initiatives for business innovation

Principles and Enablers

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven governance and management enablers that optimises information and technology investment and use for the benefit of stakeholders.

(Figure: Principles; Enablers)

Separating Governance from Management

Governance processes deal with the stakeholder governance objectives (value delivery, risk optimisation and resource optimisation) and include practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcome (Evaluate, Direct and Monitor [EDM], in line with the ISO/IEC 38500 standard concepts).

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Process Reference Model

Process Anatomy

1. 2 main process domains (Governance (EDM), Management (Plan, Build, Run and Monitor))
2. 5 Domains (EDM, Plan (APO), Build/implementation (BAI), Run/execution (DSS), Monitor (MEA))
3. 37 processes (5 Governance and 32 Management)
4. The disappearance of control objectives
5. 210 practices (15 EDM, 195 PBRM (72 APO, 68 BAI, 38 DSS, 17 MEA))
6. Process assessment model (PAM) / ISO 15504

Governance Domain – Evaluate, Direct, Monitor (Accountability)

5 processes, 15 practices:
1. EDM01 – Establishing and Maintaining a Governance Framework
2. EDM02 – Benefits Realisation (Ensure Benefits Delivery)
3. EDM03 – Ensure Risk Optimisation (Value Preservation)
4. EDM04 – Ensure Resource Optimisation
5. EDM05 – Ensure Stakeholder Transparency

Management Domain – PBRM (Responsibility – Execution)

Align, Plan & Organise (APO):
1. Manage the IT management framework
2. Manage strategy
3. Manage enterprise architecture
4. Manage innovation
5. Manage portfolio
6. Manage budget and costs
7. Manage human resources
8. Manage relationships
9. Manage service agreements
10. Manage suppliers
11. Manage quality
12. Manage risk
13. Manage security

Build, Acquire & Implement (BAI):
1. Manage programmes and projects
2. Manage requirements definition
3. Manage solutions identification & build
4. Manage availability and capacity
5. Manage change enablement
6. Manage changes
7. Manage change acceptance and transitioning
8. Manage knowledge
9. Manage assets
10. Manage configuration

Deliver, Service & Support (DSS):
1. Manage operations
2. Manage service requests and incidents
3. Manage problems
4. Manage continuity
5. Manage security services
6. Manage business controls

Monitor, Evaluate & Assess (MEA):
1. MEA performance and conformance
2. MEA system of internal controls
3. MEA compliance with external requirements

The Benefits of Implementing GEIT Using COBIT 5

- A common language for executives, business and IT staff
- A view, understandable to management, of what IT does
- A better understanding of how the business and IT can work together for successful delivery of IT enabled initiatives
- Better alignment, based on a business focus and quality IT services
- Improved efficiency and optimization of cost
- More effective management of IT and reduced operational risk
- Clear policy development and more efficient and successful audits
- Clear ownership and responsibilities, based on process orientation

Rolling out COBIT 5 in the Enterprise Context

Fit For Purpose:
Organisations operate in different contexts as determined by external and internal factors. The concepts should be clearly understood and considered when adopting COBIT 5. Every organisation needs to formulate its own implementation plan or road map, depending on factors in the enterprise’s specific environment.

Key Enterprise Factors to Consider:
- Ethics and culture
- Legal and regulatory requirements
- Governance, policies and practices
- Mission, vision and values
- Business plan and strategic intentions
- Operating model and level of maturity
- Risk appetite
- Capabilities
- Roles and responsibilities – structures – Governance Officer, Risk Officer, Compliance Officer

From a fire fighting / reactive / audit findings focused approach to a proactive approach.
One size does not fit all.
Cut your own size.

Key Success Factors

Tone at the top:
1. The board should mandate adoption and adaption of a GEIT framework as an integral part of enterprise governance development
2. Top management should provide the direction and mandate for the initiative as well as visible on-going commitment and support

- Understanding of the business and IT objectives by all parties supporting the initiative
- Effective communication
- Creating an enabling environment
- Fit for purpose to optimize on the unique context of the enterprise
- Focusing on quick wins and prioritising the most beneficial improvements that are the easiest to implement
- Overcoming human behavioral and cultural barriers

Stakeholders Involvement:
1. Board and executive management
2. Executive business management, IT management and process owners
3. Business management, IT management and process owners
4. Risk, compliance and legal experts
5. Audit

A Life Cycle Approach

Implementation Life Cycle Phases

The 7 phases of the implementation life cycle, each with its programme management phase, change enablement step and continual improvement life cycle step:

1. What are the drivers?
   Programme management: Initiate programme
   Change enablement: Establish desire to change
   Continual improvement: Recognise need to act
2. Where are we now?
   Programme management: Define problems and opportunities
   Change enablement: Form implementation team
   Continual improvement: Assess current state
3. Where do we want to be?
   Programme management: Define road map
   Change enablement: Communicate outcome
   Continual improvement: Define target state
4. What needs to be done?
   Programme management: Plan programme
   Change enablement: Identify role players
   Continual improvement: Build improvements
5. How do we get there?
   Programme management: Execute
   Change enablement: Operate and use
   Continual improvement: Implement improvements
6. Did we get there?
   Programme management: Realise benefits
   Change enablement: Enabled new approaches
   Continual improvement: Operate and measure
7. How do we keep the momentum going?
   Programme management: Review effectiveness
   Change enablement: Sustain
   Continual improvement: Operate and evaluate

Email: consult@egit.co.za  Phone: 27 (0) 11 234 2597