
John W. Lainhart IV
CISA, CISM, CGEIT, CIPP/G
Partner, Security, Privacy,
Wireless & IT Governance
IBM Global Business Services
Principal Advisory to IT
Governance Institute
[email protected]
301-803-2745
COBIT® as a Risk Management Framework
In This Presentation...
The Governance Environment
An introduction to IT Governance
An introduction to Control Objectives for
Information and related Technology (COBIT®)
Overview of COBIT® Supporting Materials
COBIT® Mappings to Other Standards
An introduction to ValIT™
An introduction to RiskIT™
Recently Announced Certification Program – CGEIT
Questions
IT Governance, COBIT, ValIT and RiskIT Are Brought to You by …
IT Governance Institute
The IT Governance Institute is a non-profit research think-tank associated with ISACA®.
IT Governance Institute Product Suite (figure, layered from Governance through Management to Business and Technology): Board Briefing on IT Governance; COBIT 4.1; Val IT; Control Practices; IT Assurance Guide; IT Governance Implementation Guide; Security guide
The Governance Environment
Forces Driving IT Governance (figure): Compliance; Business/IT Alignment; ROI; Project Execution; Security
What Makes IT Governance so important?
Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment
• Gartner – more than $600 billion thrown away annually on ill-conceived or ill-executed IT projects
• Low return from high-cost IT investments, and transparency of IT’s performance, are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• ITGI 2005 Survey early findings confirm concerns
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
What makes IT Governance so important?
Shareholders want protection for the Enterprise’s Share Price
“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”
“…financial reporting system is not up to speed…”
“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”
“…data entry problems…”
Global Business Services
The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008.
#1 on this list is IT Governance, including business alignment.
From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc.
IBM Confidential|
© Copyright IBM Corporation 2005
An Overview of IT Governance
What is IT Governance?
“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”
ITGI, Board Briefing on IT Governance
IT Governance Needs a Management Framework
Driving Forces Map Onto the IT Governance Focus Areas (figure: IT Governance; Resource Management)
IT Governance Focus Areas
Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to
• Add value and competitive positioning to the enterprise’s products and services
• Contain costs while improving administrative efficiency and managerial effectiveness
(Figure: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement)
IT Governance Focus Areas
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)
IT Governance Focus Areas
Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations
IT Governance Focus Areas
Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource
IT Governance Focus Areas
Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
IT Governance Life Cycle
IT Governance Control Cycle (figure). Cycle steps: Assess Environment (top-down, risk-based approach; process-based; CobiT®-based) → Maintain IT Controls Framework → Develop & Refine Governing Documents → Communicate & Train → Implement & Operate → Measure & Validate (Applications, Databases, Platforms, Networks) → Monitor & Report → Enforce; phases: Plan, Build, Run, Sustain. Governing documents: Dept. Principles; Division Policies (e.g. “What” IT must do), checked through IT Division Policy Compliance; Division Standards (e.g. “How” to do in every or any instance), checked through IT Division Standard Conformance; Procedures (e.g. “How” to do in an instance); all held in a Repository. Process owners operate and oversee controls over the IT Processes and Tools.
IT Governance Control Cycle
Assess Environment
• Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
• Establish risk management strategy
• Formally document existing processes
IT Governance Control Cycle
Maintain IT Controls Framework
• Develop controls framework to support sound business decisions
• Document integration points in the current environment
• Create an organizational mechanism to support the governance of IT
• Mitigate identified risks through the IT controls framework
IT Governance Control Cycle
Develop & Refine Governing Documents
• Utilize a central repository for governing documents
• Develop a consistent approach for creating governing documents
• Consistently apply processes and procedures
• Gain executive commitment for IT governance frameworks and structure
IT Governance Control Cycle
Communicate and Train
• Provide “Tone at the Top”
• Develop a strategic communication plan for mission objectives and overall management direction
• Execute strategic communication plan
• Implement a standard training program to avoid unnecessary and redundant training
IT Governance Control Cycle
Implement and Operate
• Align staff responsibilities with IT control objectives
• Achieve sustainability of IT controls in the operational environment
• Support continuous improvement of operational effectiveness and accountability
IT Governance Control Cycle
Measure and Validate
• Revise current metrics program to include newly defined controls
• Verify the sustainability of defined controls
• Develop cost-effective automated measurements
• Measure all processes, including Applications, Databases, Platforms and Networks
IT Governance Control Cycle
Monitor and Report
• Report on continued effectiveness of controls
• Increase transparency to auditors of issues and actions taken
• Accurately attest to IT’s compliance with policy, laws, and regulations
• Improve existing processes using metrics trending
IT Governance Control Cycle
Enforce
• Reinforce required policy compliance and standards conformance
• Define a consistent approach for enforcement across all processes
An Overview of COBIT
COBIT 4.1—The IT Governance Framework
COBIT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes
The only IT management and control framework that covers the end-to-end IT life cycle
• Internationally accepted good practices
• Management-oriented
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organisation
• Maps 100% to COSO
• Maps strongly to all major related standards
• Is a reference, a set of best practices, not an “off-the-shelf” cure
• Enterprises still need to analyse their control requirements and customise based on:
  – Value drivers
  – Risk profile
  – IT infrastructure, organisation and project portfolio
COBIT: An IT Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
• Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
• Addresses the resources made available to and built up by IT
Domains:
1. Plan & Organize
2. Acquire & Implement
3. Delivery & Support
4. Monitor & Evaluate
Information Criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance
IT Resources:
1. Applications
2. Information
3. Infrastructure
4. People
Key Driving Forces for COBIT (figure):
• Business Requirements – what the stakeholders expect from IT (effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability)
• IT Processes – how IT is organised to respond to the requirements (Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate)
• IT Resources – the resources made available to, and built up by, IT (applications, information, infrastructure, people)
COBIT Framework (figure): Business Objectives set the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability); the four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) act on the IT Resources (Applications, Information, Infrastructure, People)
COBIT Processes
Plan and Organise
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
COBIT Processes
Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance
COBIT PC and AC Processes
Process Controls (process level)
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Responsibility
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
PC6 Process Performance Improvement
Application Controls
AC1 Source Data Preparation and Authorization
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transmission Authentication and Integrity
Navigating in COBIT
Control Objectives
PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
Management Guidelines
Maturity Model
Maturity Levels in COBIT
0 Non-existent – Management processes are not applied at all.
1 Initial – Processes are ad hoc and disorganised.
2 Repeatable – Processes follow a regular pattern.
3 Defined – Processes are documented and communicated.
4 Managed – Processes are monitored and measured.
5 Optimised – Best practices are followed and automated.
Dimensions of Process Maturity in COBIT
We capture process maturity data on each of six dimensions:
• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
Leverage COBIT® Supporting Materials ...
Implementation Guide
IT Governance Implementation Guide, 2nd Edition
• Detailed, structured guidance to the implementation of IT governance
• Generic IT governance implementation guidance, not just COBIT
Control Practices
COBIT Control Practices, 2nd Edition
• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective
Assurance Guide
IT Assurance Guide: Using COBIT
• Detailed guidance to support assurance practitioners in:
  – Financial statement audit
  – Internal audit
  – Value for money
  – Operational improvement
• Guidance on:
  – How to leverage COBIT for assurance
  – Detailed assurance testing steps
Quickstart
For small and medium-sized organizations and larger organizations wanting to quickstart IT governance
• Selection of components from the complete COBIT framework
• Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival
• Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
COBIT Security Baseline
44 Steps Toward Security
• Define the security strategy – 1
• Define the IT organisation and relationships – 1
• Communicate management aims and direction – 1
• Manage IT human resources – 4
• Assess and manage IT risks – 3
• Identify automated solutions – 1
• Acquire and maintain application and technology infrastructure – 3
• Enable operation and use – 1
• Manage changes – 2
• Install and accredit solutions and changes – 2
• Define and manage service levels – 1
• Manage third-party services – 3
• Ensure continuous service – 3
• Ensure systems security – 8
• Manage the configuration – 2
• Manage data – 3
• Manage the physical environment – 2
• Monitor and evaluate IT performance—assess internal control adequacy – 1
• Obtain independent assurance – 1
• Ensure regulatory compliance – 1
6 Information Security Survival Kits
• Home Users
• Professional Users
• Managers
• Executives
• Senior Executives
• Board of Directors/Trustees
COBIT Mappings to Other Frameworks and Standards
Where COBIT Typically Sits (figure): Governance Layer – COSO, King; IT Governance Layer – COBIT; IT Management Layer – ITIL, 17799, CMM, TickIT
How COBIT Relates to Frameworks and Standards (figure): Strategic → Process Control (COBIT) → Process Execution (CMM, ITIL) → Work Instruction (work instructions 1, 2, 3, 4, 5, 6…)
An Overview of ValIT
The Information Paradox
The value of IT is being increasingly questioned... yet organizations continue to spend more and more on IT
The Fundamental Question
Are we maximizing the value of our IT-enabled business investments such that:
• we are getting optimal benefits;
• at an affordable cost; and
• with an acceptable level of risk?
Over the full economic life-cycle of the investment
Without Effective Governance
Situation: Reluctance to say no to projects; Can’t kill projects; Projects are “sold” on emotional basis – not selected; No strong review process; Overemphasis on Financial ROI; No clear strategic criteria for selection
Leads to: Too many projects; Lack of Strategic Focus; Quality of execution suffers; Underestimation of risks and costs; Projects not aligned to strategy
Results in: Budget overruns; Project delays; Business needs not met; Benefits not received; Increased Complexity; Sub-optimal use of resources; Finger pointing; Lack of confidence (in IT)
Source: Fujitsu
Continuously Need to Question
Some fundamental questions about the value enabled by IT
The strategic question (Are we doing the right things?). Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?
The architecture question (Are we doing them the right way?). Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?
The delivery question (Are we getting them done well?). Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver:
  – the required capabilities; and
  – the organisational changes required to leverage the capabilities?
The value question (Are we getting the benefits?). Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process?
Source: The Information Paradox
Val IT
Processes & Key Management Practices
Value Governance (VG)
VG1 Ensure informed and committed leadership
VG2 Define and implement processes
VG3 Define roles & responsibilities
VG4 Ensure appropriate and accepted accountability
VG5 Define information requirements
VG6 Establish reporting requirements
VG7 Establish organisational structures
VG8 Establish Strategic Direction
VG9 Define investment categories
VG10 Determine target portfolio mix
VG11 Define evaluation criteria by category
Portfolio Management (PM)
PM1 Maintain human resource inventory
PM2 Identify resource requirements
PM3 Perform gap analysis
PM4 Develop resourcing plan
PM5 Monitor resource requirements and utilisation
PM6 Establish investment threshold
PM7 Evaluate initial programme concept business case
PM8 Evaluate & assign relative score to programme business case
PM9 Create overall portfolio view
PM10 Make and communicate investment decision
PM11 Stage-gate (and fund) selected programmes
PM12 Optimize portfolio performance
PM13 Re-prioritise portfolio
PM14 Monitor and report on portfolio performance
Investment Management (IM)
IM1 Develop a high-level definition of investment opportunity
IM2 Develop initial programme concept business case
IM3 Develop clear understanding of candidate programmes
IM4 Perform Alternatives Analysis
IM5 Develop Programme plan
IM6 Develop Benefits Realisation plan
IM7 Identify Full life cycle costs & benefits
IM8 Develop detailed programme business case
IM9 Assign clear accountability & ownership
IM10 Initiate, plan and launch the programme
IM11 Manage programme
IM12 Manage/track benefits
IM13 Update business case
IM14 Monitor and report on programme performance
IM15 Retire programme
P3M – Projects, Programs, and Portfolios
Portfolio Management – a portfolio is a suite of business programmes managed to optimise overall enterprise value
Programme Management – a programme is a structured grouping of projects designed to produce clearly identified business value
Project Management – a project is a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
Val IT
Relationship between Processes & Practices (figure)
VG: Establish governance framework (VG1-4, 6-7); Establish portfolio parameters (VG5, 9-11); Provide strategic direction (VG8)
PM: Maintain resource profile (PM1-5); Maintain funding profile (PM6); Evaluate & prioritize investments (PM7-10); Move selected investments to active portfolio (PM11); Manage overall portfolio (PM12-13); Monitor & report on portfolio performance (PM14)
IM: Identify business req’ts (IM1-2); Define candidate programme (IM3, 5-7); Analyse alternatives (IM4); Document business case (IM8, 13); Assign accountability (IM9); Launch programme (IM10); Manage programme execution (IM11-12); Monitor & report on programme performance (IM14); Retire programme (IM15)
Val IT Initiative …a value lens into COBIT™ (figure)
Val IT (VG, PM, IM): governance & management of a portfolio of business change programmes – Are we doing the right things? Are we doing them the right way? Are we getting the benefits? Are we doing them well?
COBIT (PO, AI, DS, ME): governance & management of a portfolio of technology projects, services, systems & supporting infrastructure – PO: Are we doing the right things? AI: Are we doing them the right way? DS: Are we doing them well? ME: Are we getting the benefits?
Both are mapped onto the IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
Val IT Initiative Status
DONE: Framework; Business Case; Case Study (initial)
IN PROCESS (1st Qtr. of 2008): Extend FW to services & other IT assets/resources & Simplify; Maturity Models; Management Guidelines; Taxonomy; QuickStart Guide
PLANNED: Business Case v2.0; Empirical Analysis; Benchmarking
Available for free download from: www.isaca.org or www.itgi.org
The Business Challenge
Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that:
• Ensures clarity of, and accountability for, the desired outcomes
• Enables understanding of the full scope of effort
• Breaks down the “silos” and “connects the dots”
• Manages the full economic life-cycle
• Senses and responds to changes and deviations
This is a significant leadership challenge, opportunity and responsibility!
The RiskIT Initiative
RISKIT DESCRIPTION
• A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT
• A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)
RISKIT ACTIONS
• ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)
• Business Case development (October 2007), including:
  – Market survey
  – Feasibility study
  – High-level design of the product/service
  – Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources
  – Define high-level development and roll-out plan
• ITGI Board approved detailed business case and decision to proceed with full project (November 2007)
• RiskIT Task Force members appointed (December 2007)
• First RiskIT Task Force meeting held in Ghent, Belgium on 18-19 January 2008
• First draft RiskIT planned to be issued by December 2008
RiskIT
Processes & Key Management Practices (as of 19 January 2008 first Task Force meeting in Ghent, Belgium)
Figure: Risk Governance; Risk Management; Risk Inventory Repository; Risk Monitoring & Reporting; Glossary; built on High Level Risk Management Guidance (COSO ERM, AS/NZS 4360, etc.)
RISK IT Product Family – Proposed Content & Lifecycle (figure)
1. Risk Governance: Define Organisation Risk Culture; Define Risk Management Principles (Risk Principles); Set Risk Appetite (Risk Tolerance Description); Risk Categories; Risk Impact Categories; Risk Impact Levels; Risk/Reward; Loss Description; Likelihood description
2. Risk Assessment: Event Classification; Risk Event Identification; Impact Assessment; Likelihood Assessment
3. Risk Response: Risk Mitigation Planning; Risk Monitoring
4. Harmonise / Interface with Other Risk Management Frameworks; Risk Reporting; Communication; Stakeholder Management
RELATIONSHIP OF COBIT/VALIT/RISKIT (figure)
IT GOVERNANCE – Provide direction; Set Objectives:
• Align business and IT
• Enable the business and maximise benefits
• Ensure effective and efficient use of resources
• Manage IT risk as part of ERM
• Fulfil compliance requirements
IT MANAGEMENT – Translate direction into strategy; Translate strategy into action:
• Make the business effective
• Make the business efficient
• Manage risks (security, reliability & compliance)
• Manage service delivery consistency
ValIT and RiskIT sit at the IT Governance level (evaluate performance; measure and report performance); CobiT sits at the IT Management level.
Certified in the Governance of Enterprise IT (CGEIT)
Questions