This presentation was given at the GRC Conference in Boston (October 2010). It explains the interesting triad of not only People, Process & Technology but also Culture, Structure & Strategy, and it moves beyond the 'alignment' idea into the 'synchronization' needs of today's companies.
1. Culture, Structure & Strategy for a GRC Program:
Moving from Alignment to Synchronization
Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
General Manager
Entel Security & Risk Management
rgallego@entel.es
2. The need for IT to reinvent itself
Despite the projections of renewed economic health, the business will continue to expect IT leadership to show strong financial competencies, that IT projects realize tangible business value, and that the IT organization demonstrates competitive effectiveness.
“…IT organizations that rise to the challenge will be rewarded with substantial opportunities to develop a new type of service organization. Those that don’t will face a grimmer future”
Gartner – CIO Update
3. Definitions
• Governance: “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly”
4. Definitions
• Risk: “The level of exposure to uncertainties that an organization must understand and manage effectively while performing its duties to achieve objectives and create value”
• The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals
5. Definitions
• Compliance: “The act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures”
7. Business imperatives
Manage risk
• Compliance
• Protect assets
• Business Continuity
→ Manage operational and business risk
Manage cost
• Optimize resources
• Automate processes
→ Better CAPEX and OPEX management
Improve service
• Service Availability
• Service Management
→ Optimal value providing effective and efficient services
Align IT investments
• IT Portfolio Management
• Value Management
• Business Process Management
→ Align investments with corporate goals
8. Best Practices for GRC
A proven methodology is needed to make GRC real:
§ Business-driven, project-oriented, results-focused
§ Measured with indicators and metrics
§ SOI - Strategize, Implement, Operate
Building blocks: Capability measurement; Gap Analysis, RoI (RoN); Integrated Flows; IT Business processes; Development and execution
9. The best of both worlds
IT and Business:
• Quality of services
• Cost reduction
• Visibility of IT projects
• Manage the financial perspective of IT
• Take correct business decisions
• Optimize assets and resources
• Innovation as a driver
• Agility
• Manage risk and change
10. Business Service Optimization
[Diagram: IT Governance at the centre, linking Life Cycle Services, People and Projects, IT Portfolio, Services and Assets through Processes, Best Practices and Demand between Business and IT, with the question “IT Alignment?”]
• Provide the best value with available resources
• Enable IT to fulfill its promise for the business
• Improve IT efficiency through/for automated business processes
11. Life Cycle Services Management
Demand Management
• Define and publish services
• Associate cost and Service Level
Cost of service
• Charges based on the use or cost of assignment
• Chargeback for SLA violation
• Role-based support to decisions
Change Management
• Apps and Operating System
• Infrastructure
Service Management (Cost of Change)
• Standardize and automate IT process flows
Service Support
• Incident & Problem Management
• Centralized knowledge base
• Operational metrics
Service Level Management
• Define and control the agreed service level
• Prioritize activity based on SLA impact
12. People and Process Management
Resource Management
• Search capability on service catalog
• Planning depending on capability
• Report on services utilization
Process Management
• Creation of templates, best practices
Time & Cost
• Billing by time and cost
• Cost on every project
• Provisioning resources based on cost and capability
Project Management
• Creation of trends, budget, forecast
• Follow-up of deliverables
• Incident and risk management
[Diagram nodes: Resource Management, Processes, Projects & Programs]
13. Asset Management
Financial Management
• Budget and forecast
• Obsolete resources to replace
Asset Management and Inventory
• Understand the environment
• Historic detail of assets
Contract Management
• Lease Management
• Understanding TCO to negotiate
Configuration Management
• Software and patch management
• Migration support and standardization
Software licenses management
• Understand the requirements
• Discover the gap (in excess or the lacking of)
[Diagram nodes: Inventory & Financial tracking, Contracts, Configuration, Software Licenses]
14. Managing the IT Portfolio
- Clear relation between IT investment and ROI
- Alignment with the business through the priorities selection
- Within business context
- Clear and concise communication
- Agility for business priorities
[Diagram: IT Portfolio linking Life Cycle Services, People & Processes and Assets through Processes and Best Practices, feeding a Dashboard and BSC]
15. Integrated processes
[Diagram of integrated processes: Service Change Request → IT Portfolio Management → Operational Change Request (tasks assigned to IT personnel); Life Cycle Management; People, Process Management; Software Change Request → Operational Change Request; Software delivery; Configuration; Assets Change]
16. Why Projects Fail
• According to “Darwin Online”, projects fail for six distinct reasons:
– Lack of Executive sponsorship
– Lack of early stakeholder input
– Poorly defined or changing specifications
– Unrealistic expectations
– Uncooperative business partners
– Poor or dishonest communications
18. Project Portfolio Management
• Align IT investments and projects with business objectives
• Improve quality and speed of decision making for IT projects
• Bring strategic objectives to market faster with less risk
[Diagram: process chain Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by sample requests: Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]
19. Project Portfolio Management
• Provides a clear focus on the business value of IT projects and investments, facilitating alignment with the business
• Demonstrates a clear linkage between IT projects and ROI
20. Project Portfolio Management
Improve quality and speed of decision making for IT projects
• Comprehensive, clear views of IT projects and their value
• Increase the ability to react to changes in business priorities and budgets
21. Project Portfolio Management
Bring strategic objectives to market faster with less risk
• Logical views of IT resources facilitate an optimal allocation of resources between day-to-day and strategic IT objectives.
• Capital and operational IT costs are reduced through optimization of IT resource allocation
22. Effective GRC Requires an Integrated System
[Diagram: scattered, disconnected sources (emails, Spreadsheets, Microsoft Project, Requirements Document, Portfolio Mgmt Tools, Documents Management, Meeting Notes, Manual Processes, Custom Databases) contrasted with the integrated process chain Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]
30. The New Role of IT
Increase the Business Impact
• Align IT priorities with business priorities
• Deliver more on a smarter budget
• Improve time to delivery on business requests
• Improve quality
Decrease Costs / Improve Efficiency
• Cut Costs
• Add flexibility to costs
• Repurpose resources
• Reduce Headcount
Both paths: Add Business Value
31. Synchronization – Merging of ‘two worlds’
[Org chart: the CEO heads the Business Functions (Manufacturing: COO, General Manager, SVP Product Dev., VP Research; Operations: COO/CSO, SVP Ops, VP Purchasing, Dir Purchasing; HR: SVP Human Rsce, VP Procurement, VP Administration; Sales: EVP Sales, SVP Marketing, General Manager, VP Line of Business; Finance: CFO, SVP Finance, VP IT Finance, Dir. IT Finance); the CIO heads the IT Functions (Development, Deployment, Provisioning, Problem Mgmt, Testing)]
What does synchronization require?
• Information -- on processes, business needs, current IT states, future IT requirements
• Communication -- of performance levels, service levels, tradeoffs
• Value Translation -- to the business, the organization, the bottom line
32. Adding Value through Strategic Alignment
[Same Business / IT org chart as on slide 31]
IT Supports the Business Process and is Run like a Business
What is synchronization?
• Understand business processes, model and manage them
• Prioritize IT projects based on business Value
• Deliver and support IT to the service levels desired by the business
33. Business Service Optimization
[Same Business / IT org chart as on slide 31]
IT Supports the Business Process and is Run like a Business
Business Service Optimization = Business Process Management + Service Management + IT Governance
34. GRC Schema
IT Governance:
• SELECT …the IT projects, investments, activities and programs needed to successfully execute business strategies, goals and objectives
• OPTIMIZE …the IT Assets and resources (including people and technology) needed to support Business services, providing strong financial stewardship throughout
• EXECUTE …the successful delivery of Business Services by managing complex change processing and Business Service deployment
35. Service Management and IT Governance
“Run IT Like a Business”
• Service Management – Service Delivery
• Service Management – Service Support
• Project Portfolio Management
Provision and assure service quality; Prioritize IT projects based on business value; Centralized control of Project requests
• IT Asset Management: Assess resources required
• IT Financial Management: Activate service metering
• Software Change Management: Initiate software change tasks and activities
36. IT Governance Provides Answers
• Can we accurately cost and budget for a new IT-Business service?
• What risks are involved and how can we mitigate against them?
• Is IT competitive? How does our service compare to what’s provided by outsourcers?
• Are we in compliance with government and industry regulations?
37. IT Governance Provides Answers
§ How do I prioritize an increasing number of projects and activities?
§ Can I communicate the value IT brings to the business in clear, unambiguous terms?
§ Do we have the staff and IT Assets and infrastructure to support my new business initiative?
§ Can my department respond efficiently to changing business requirements without disrupting existing services?
§ Do I know what technology assets I lease or own, where they are located, and how they are being used?
§ Do I know the status of all my projects both from a time and cost perspective?
38. CSFs, KGIs, KPIs: what are they?
• CSFs: Critical Success Factors, or “vital elements”
• KGIs: Key Goal Indicators, or “what” needs to be accomplished
• KPIs: Key Performance Indicators, or “how well” the process is behaving
39. Monitor vs. Manage
• DATA (Level 1): Centralize access to data, content and applications
• INFORMATION (Level 2): Refine, observe, analyze and classify data provided by systems
• KNOWLEDGE (Level 3): Apply business relevance to the information to determine business priorities
• ACTION (Level 4): Act with business knowledge, in a single place according to business needs
MONITOR spans Levels 1 to 2; MANAGE spans Levels 2 to 4; value (and cost) rise from data to action.
45. A CONTINUOUS process for GRC
[Diagram: the same process chain as on slide 18: Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]
55. THANK YOU
Ramsés Gallego, Entel Security & Risk Management, rgallego@entel.es