Corporate Governance of I.T.

Category: Education

Presentation Description

Australian Computer Society, Inc.
Event Name: Branch Forum - ICT Governance
Event Date: 26 October 2009


Presentation Transcript


Corporate Governance of Information Technology Mark Toomey Managing Director Infonomics Pty Ltd Chair, Standards Australia Committee IT-030 Member, ISO/IEC JTC-1 SC-7 WG1A Page 1 0:00


This PowerPoint slideshow is provided to ACS members attending the Education Across the Nation series on Governance of IT, during 2009. The slideshow is provided for the personal use of ACS members during and after the lecture, for the purpose of their own self-development, and for the purpose of facilitating conversations with their colleagues, including top level management and directors. Permission is hereby given for participants in the Education Across the Nation series on Governance of IT to copy this material for these purposes only. The Education Across the Nation series on Governance of IT does not necessarily equip its participants with the in-depth knowledge required to enable the participants to act as instructors for classroom delivery of the material. Use of this slideshow and copies thereof for the purpose of group knowledge transfer is restricted to personnel expressly approved by Infonomics and is subject to payment of a license fee. This material was prepared to provide general guidance and stimulate debate. It should not be construed as providing professional advice and services for any particular or specific situation. As such, it should not be used as a substitute for consultation with expert advisers. Before making any decision or taking any action you should consult with Infonomics Pty Ltd or other competent professionals. Page 2 0:00


ISO 38500: First Glance Australian guidance leads the world… Page 3 0:02


ISO 38500: First Glance A Model, and Six Principles Page 4 0:04


Why do we need a standard? Page 5 0:04


Why do we need a standard? IT keeps going wrong: Page 6 0:06


Why do we need a standard? The names and stories keep rolling on… Page 7 0:08


Why do we need a standard? Investigations reveal the true cause of problems! In the case of the ICS, there does not appear to have been an effective structure or process to direct and control the project, nor to make suitable risk decisions. To fulfil this task, Customs has had at least 10 bodies responsible for different aspects of the management and governance of the ICS, including the interactions with industry… These bodies overlap in their responsibilities and accountabilities, and overall the program has no single business owner and accountabilities for its delivery are unclear. Source: The Australian IT (online) and Booz Allen Hamilton Report 'Review of the Integrated Cargo System' Page 8 0:10


Why do we need a standard? The problem is not in the process! Page 9 The Gimli Glider. See 0:12


Why do we need a standard? The Cost of IT Failures In Australia alone: Failed Projects: $1.5b + per annum* Foregone Benefits: $20b per annum* Operational Losses: $Incalculable Reputation damage: $Incalculable. But isn’t this the tip of the iceberg? Competitors respond Predators descend Regulators investigate Lawyers litigate Today’s IT failure can have a serious impact on the bottom line, and in the boardroom. Page 10 * Dr R C Young: What is the ROI for Project Governance? Macquarie University, November 2006. 1% – 3% GDP! 0:14


But we’ve already done IT Governance! Effort within IT has not solved the problem! Investment ensures that IT is doing its job competently Rigour Process Control Reporting But it’s not just in IT that problems develop: Use of IT in achieving business goals involves business change Process People Structure Context And necessarily requires that business leaders engage fully: Being responsible Setting direction Planning and implementing ITIL Prince2 CoBIT CMMI PMBOK TOGAF Governance of IT has to deal with how organisations USE IT as well as with how IT departments operate. Delivery Use Many issues arise here – outside IT’s sphere of control. Page 11 Etc. 0:16


The pressure for Board Oversight: KPMG Global IT Project Management Survey (Sep 05) Traditional measures of success (time and budget) are being superseded: 'Achieving benefits – keeping commitments – is now the key determinant of project success.' Since 2003, performance of projects has improved marginally: Failure rates are still appalling; Many organisations do not focus on realising or measuring benefits. 'The key element (that makes some organisations more successful) appears to be an appropriate governance framework – to complement planning and prioritisation of activities and to help ensure execution controls are in place until benefits are realised.' 'The board must put in place, through management, a rigorous oversight framework to monitor achievement of budgets, the meeting of timelines and to help ensure that the agreed benefits are realised. To achieve this, the board must receive the right information at the right time'. Page 12 Those responsible at the top of the organisation must govern… 0:17


Understanding Corporate Governance of IT: Four key concepts Corporate Governance Business Systems and Change The Business Cycle: Demand and Supply The System for Governing IT Page 13 0:18


Corporate Governance: Fundamentals… Page 14 Adapted from 'Corporate Governance – A Working Definition', Teresa Barger, Director IFC/World Bank Corporate Governance Department Definition from 'Report of the Committee on the Financial Aspects of Corporate Governance' (Chair: Sir Adrian Cadbury), London, 1992 0:20


Corporate Governance: Fundamentals… Page 15 0:21


Corporate Governance: The Information (IT) domain. Page 16 0:23


Corporate Governance of IT. Page 17 Corporate Governance of IT: The System by which the current and future use of IT is directed and controlled. 0:24


Business Systems and Change Page 18 Process Structure People Technology The Business System The Business Context Operating context of the organisation External Internal. Four key elements of operating organisations People – who participate in business events Process – what business events take place Structure – where business events happen Technology – enabling and recording events IT intrinsic to day to day operations Business process specific - Transactions, Customers, Etc Generic - Email, Telephony, Information This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965. 0:25


Business Systems and Change Page 19 Technology This model is a variant on H.J. Leavitt’s Model of organisational change, published in 1965. 0:26


Business Systems and Change Page 20 Governing IT Enabled Change involves much more than governing technology activities. 'Traditional' IT Change Project Change Program Business System Process Technology Structure People Business Context Process Technology Structure People 0:28


The Business Cycle: Demand and Supply Page 21 0:29


The Business Cycle: Demand and Supply Page 22 0:30


The System for Governing IT: An integrated system overseen by the Board Page 23 0:31


The System for Governing IT: An integrated system overseen by the Board Page 24 Management Responsibility Board oversight The System of Governance 0:32


The System of Governance Inside the System Page 25 Adapted from a model developed by John Thorp, author of The Information Paradox. 0:34


The System of Governance The System Perspective Page 26 Adapted from a model developed by John Thorp, author of The Information Paradox. 0:36


ISO/IEC 38500 Core Elements Page 27 0:37


Proposals: plans and suggestions Vision Strategy Detailed plans Initiatives Projects (and changes thereto) BAU Operations (the oft-forgotten default) Current and future use of IT Supply Governance Page 28 Evaluate 0:39


Policy to guide management decisions. Strategy to establish focus and direction. Progressive allocation of resources. Clear delegation of authority. Appropriate incentives and rewards. Page 29 Direct 0:41


Achieving intended results And taking action if they are at risk Assuring conformance External and internal Making adjustments for reality Ensuring that management is doing its job properly. Ensuring that the governance system is effective. Page 30 Monitor 0:43


Responsibility Strategy Acquisition Performance Conformance Human Behaviour Page 31 Six principles for good governance of IT 0:45


Using ISO 38500 Page 32 0:45


Using ISO 38500 Guide for assessment and improvement Page 33 0:47


Using ISO 38500 Benchmarking and comparing performance Page 34 Human Communities: Who are they? How do they behave? What do they need? What motivates them? Principles Responsibility Strategy Acquisition Performance Conformance Human Behaviour RMIT and Infonomics research 2006-7. Published in 'Achieving Business Sustainability' (Infonomics), and 'Information Technology Entrepreneurship and Innovation', edited by Fang Zhao, published by IGI Global, 2008. 0:48


Using ISO 38500 Learning through evaluating patterns Page 35 I know nothing about the IT in my organisation… RMIT and Infonomics research 2006-7. 0:49


Page 36 A Typical Assessment Result Poor performance in critical areas. Responsibility: there is neither clear nor appropriate allocation of responsibility for IT. Strategy: there is no effective planning for IT in the context of business strategy and direction. Acquisition: decisions to invest in new IT capability are not made in an appropriate framework. Performance: demand for IT service is unlikely to be met. Conformance: the rules for IT are inadequate. Human Behaviour: human issues are given scant attention in IT planning and delivery. 0:50


Using ISO 38500 Closing the gaps in contemporary techniques Page 37 CobiT ITIL Prince2 PMBOK Gateway ValIT 0:52


Using ISO 38500 Developing Policy for control of IT Page 38 0:53


Responsibility The Crucial Strategic Policy How is responsibility allocated for: Allocating responsibility? Developing business strategy and planning business use of (demand for) IT? Developing strategies for supply and delivery of IT capability and service? Making decisions to invest in IT? Determining targets and measuring business and IT performance? Ensuring that IT investment initiatives achieve agreed, appropriate success criteria? Ensuring that business demand for operational supply of IT service is satisfied efficiently and effectively? Understanding conformance requirements, establishing effective conformance rules, and assuring conformance? Understanding and ensuring respect for human behaviours? What are the responsibilities of each individual in respect of IT demand and supply? Page 39 0:54


Using the Standard Fundamental Rules Page 40 0:55


Self Assessment When and how Branch feedback Information Age Article Page 41 0:57


Additional Material Page 42 0:59


Questions Page 43 0:60