Culture, Structure & Strategy for a GRC Program:
Moving from Alignment to Synchronization

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
General Manager
Entel Security & Risk Management
rgallego@entel.es

The need for IT to reinvent itself

Despite the projections of renewed economic health, the business will continue to expect IT leadership to show strong financial competencies, that IT projects realize tangible business value, and that the IT organization demonstrates competitive effectiveness.

“…IT organizations that rise to the challenge will be rewarded with substantial opportunities to develop a new type of service organization. Those that don’t will face a grimmer future”

Gartner – CIO Update

Definitions

• Governance: “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly”

Definitions

• Risk: “the level of exposure to uncertainties that an organization must understand and manage effectively while it performs its duties to achieve objectives and create value”
• The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals

Definitions

• Compliance: “The act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures”

Envisioning GRC

Business imperatives

• Manage risk (Compliance; Protect assets; Business Continuity): manage operational and business risk
• Manage cost (Optimize resources; Automate processes): better CAPEX and OPEX management
• Improve service (Service Availability; Service Management): optimal value, providing effective and efficient services
• Align IT investments (IT Portfolio Management; Value Management; Business Process Management): align investments with corporate goals

Best Practices for GRC

A proven methodology is needed to make GRC real:

• Business-driven, project-oriented, results-focused
• Measured with indicators and metrics
• SOI - Strategize, Implement, Operate

Phases: Capability measurement; Gap Analysis, RoI (RoN); Integrated IT Flows; Business processes; Development and execution

The best of both worlds

Business
• Visibility of IT projects
• Make correct business decisions
• Innovation as a driver
• Agility

IT
• Quality of services
• Cost reduction
• Manage the financial perspective of IT
• Optimize assets and resources
• Manage risk and change

Business Service Optimization

[Diagram: IT Governance spanning Business and IT. The IT Portfolio sits at the centre, linking Demand and Services on the business side with Life Cycle Services, People and Projects, Assets, Processes and Best Practices on the IT side. Caption: IT Alignment?]

• Provide the best value with available resources
• Enable IT to fulfill its promise for the business
• Improve IT efficiency through/for automated business processes

Life Cycle Services Management

[Diagram: Infrastructure at the centre, surrounded by Demand Management, Change Management, Service Level Management, Service Support and Cost of Service]

• Demand Management
  – Define and publish services
  – Associate cost and Service Level
• Change Management
  – Apps and Operating System
  – Standardize and automate IT process flows
• Service Level Management
  – Define and control the agreed service level
  – Prioritize activity based on SLA impact
• Service Support
  – Incident & Problem Management
  – Centralized knowledge base
  – Operational metrics
• Cost of service
  – Charges based on the use or cost of assignment
  – Chargeback for SLA violation
  – Role-based support to decisions

People and Process Management

[Diagram: Processes, Projects & Programs and Time & Cost at the centre, surrounded by Process Management, Resource Management, Project Management and Billing by time and cost]

• Process Management
  – Creation of templates, best practices
  – Report on services utilization
• Resource Management
  – Search capability on service catalog
  – Planning depending on capability
• Project Management
  – Creation of trends, budget, forecast
  – Follow-up of deliverables
  – Incident and risk management
• Billing by time and cost
  – Cost on every project
  – Provisioning resources based on cost and capability

Asset Management

[Diagram: Financial Management, Inventory & tracking, Contracts, Software Licenses and Configuration at the centre, surrounded by the five management areas below]

• Financial Management
  – Budget and forecast
  – Obsolete resources to replace
• Asset Management and Inventory
  – Understand the environment
  – Historic detail of assets
• Contract Management
  – Lease Management
  – Understanding TCO to negotiate
• Configuration Management
  – Software and patch management
  – Migration support and standardization
• Software licenses management
  – Understand the requirements
  – Discover the gap (in excess or lacking)

Managing the IT Portfolio

[Diagram: IT Portfolio at the centre, linked to Life Cycle Services, People & Processes, Assets, Processes and Best Practices]

- Clear relation between IT investment and ROI
- Alignment with the business through the priorities selection

Dashboard and BSC
- Within business context
- Clear and concise communication
- Agility for business priorities

Integrated processes

[Diagram: Service Change Requests, Operational Change Requests and Software Change Requests flow through IT Portfolio Management, People and Process (tasks assigned to IT personnel), Life Cycle Management, Assets (software delivery) and Configuration Change]

Why Projects Fail

• According to “Darwin Online”, projects fail for six distinct reasons:
  – Lack of Executive sponsorship
  – Lack of early stakeholder input
  – Poorly defined or changing specifications
  – Unrealistic expectations
  – Uncooperative business partners
  – Poor or dishonest communications

A Word About Estimating …

Project Portfolio Management

• Align IT investments and projects with business objectives
• Improve quality and speed of decision making for IT projects
• Bring strategic objectives to market faster with less risk

[Diagram: Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by sample requests: Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]

Project Portfolio Management

• Provides a clear focus on the business value of IT projects and investments, facilitating alignment with the business
• Demonstrates a clear linkage between IT projects and ROI

Project Portfolio Management
Improve quality and speed of decision making for IT projects

• Comprehensive, clear views of IT projects and their value
• Increase the ability to react to changes in business priorities and budgets

Project Portfolio Management
Bring Strategic objectives to market faster with less risk

• Logical views of IT resources facilitate an optimal allocation of resources between day-to-day and strategic IT objectives.
• Capital and operational IT costs are reduced through optimization of IT resource allocation

Effective GRC Requires an Integrated System

[Diagram: disconnected sources of project information (emails, Spreadsheets, Microsoft Project, Requirements Documents, Portfolio Mgmt Tools, Document Management, Meeting Notes, Manual Processes, Custom Databases) versus the integrated chain Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by sample requests: Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]

We need to bring Order to Chaos

Main Problem is Communication

Business drives IT

Alignment? with the business

The Business side

The IT Operations side

How we link them

The New Role of IT

Increase the Business Impact
• Align IT priorities with business priorities
• Deliver more on a smarter budget
• Improve time to delivery on business requests
• Improve quality

Add Business Value

Decrease Costs / Improve Efficiency
• Cut Costs
• Add flexibility to costs
• Repurpose resources
• Reduce Headcount

Synchronization – Merging of ‘two worlds’

[Diagram: business organization chart with the CEO at the top]
BUSINESS FUNCTIONS
• Manufacturing: COO, General Manager, SVP Product Dev., VP Research
• Operations: COO/CSO, SVP Ops, VP Purchasing, Dir Purchasing
• HR: SVP Human Rsce, VP Procurement, VP Administration
• Sales: EVP Sales, SVP Marketing, General Manager, VP Line of Business
• Finance: CFO, SVP Finance, VP IT Finance, Dir. IT Finance

WHAT DOES SYNCHRONIZATION REQUIRE?
• Information -- on processes, business needs, current IT states, future IT requirements
• Communication -- of performance levels, service levels, tradeoffs
• Value Translation -- to the business, the organization, the bottom line

IT FUNCTIONS (INFORMATION TECHNOLOGY, CIO at the top): Development, Deployment, Provisioning, Problem Mgmt, Testing

Adding Value through Strategic Alignment

[Diagram: the same business and IT organization chart as the previous slide, CEO over the business functions and CIO over the IT functions]

IT Supports the Business Process and is Run like a Business

WHAT IS SYNCHRONIZATION?
• Understand business processes, model and manage them
• Deliver and support IT to the service levels desired by the business
• Prioritize IT projects based on business Value

Business Service Optimization

[Diagram: the same business and IT organization chart as the previous slides, CEO over the business functions and CIO over the IT functions]

IT Supports the Business Process and is Run like a Business

BUSINESS SERVICE OPTIMIZATION
• Business Process Management
• Service Management
• IT Governance

GRC Schema

• SELECT …The IT projects, investments, activities and programs needed to successfully execute business strategies, goals and objectives
• OPTIMIZE …The IT Assets and resources (including people and technology) needed to support Business services, providing strong financial stewardship throughout
• EXECUTE …The successful delivery of Business Services by managing complex change processing and Business Service deployment

(All three layers sit under IT Governance)

Service Management and IT Governance
“Run IT Like a Business”

[Diagram: Service Management – Service Delivery and Service Management – Service Support wrapped around the following chain]
• Project Portfolio Management: Centralized control of Project requests; Prioritize IT projects based on business value; Provision and assure service quality
• IT Asset Management: Assess resources required
• IT Financial Management: Activate service metering
• Software Change Management: Initiate software change tasks and activities

IT Governance Provides Answers

• Can we accurately cost and budget for a new IT-Business service?
• What risks are involved and how can we mitigate against them?
• Is IT competitive? How does our service compare to what’s provided by outsourcers?
• Are we in compliance with government and industry regulations?

IT Governance Provides Answers

• How do I prioritize an increasing number of projects and activities?
• How do I communicate the value IT brings to the business in clear, unambiguous terms?
• Do we have the staff and IT Assets and infrastructure to support my new business initiative?
• Can my department respond efficiently to changing business requirements without disrupting existing services?
• Do I know what technology assets I lease or own, where they are located, and how they are being used?
• Do I know the status of all my projects, both from a time and a cost perspective?

CSFs, KGIs, KPIs: what are they?

• CSFs: Critical Success Factors, or “vital elements”
• KGIs: Key Goal Indicators, or “what” needs to be accomplished
• KPIs: Key Performance Indicators, or “how good” the process is behaving

Monitor vs. Manage

[Diagram: four levels plotted against Value (and cost); Levels 1 and 2 are MONITOR, Levels 3 and 4 are MANAGE]

• Level 1 – DATA: Centralize access to data, content and applications
• Level 2 – INFORMATION: Refine, observe, analyze and classify data provided by systems
• Level 3 – KNOWLEDGE: Apply business relevance to the information to determine business priorities
• Level 4 – ACTION: Act with business knowledge, in a single place, according to business needs

Some examples...

© Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com

...from the real world

From technology...

...to what really matters

A continuous process

A CONTINUOUS process for GRC

[Diagram: Demand Management → Process Management → Portfolio Management → Resource Planning → Project Management, fed by sample requests: Request 15: New budget report; Request 215: Security fix; Request 803: Application modification]

THANK YOU

Ramsés Gallego
General Manager, Entel Security & Risk Management
rgallego@entel.es

Modern cyber threats_and_how_to_combat_them_panelRamsés Gallego
 
DLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés GallegoDLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés GallegoRamsés Gallego
 
EMG Coregistrazione Editore
EMG Coregistrazione EditoreEMG Coregistrazione Editore
EMG Coregistrazione Editoresimonebarbon
 
Luca_Carniato_PhD_thesis
Luca_Carniato_PhD_thesisLuca_Carniato_PhD_thesis
Luca_Carniato_PhD_thesisLuca Carniato
 
Evolución económica y social s xix
Evolución económica y social s xixEvolución económica y social s xix
Evolución económica y social s xixJorge Cerdá Crespo
 
ISACA Barcelona Chapter Congress - July 2011
ISACA Barcelona Chapter Congress - July 2011ISACA Barcelona Chapter Congress - July 2011
ISACA Barcelona Chapter Congress - July 2011Ramsés Gallego
 
Entel Service Management
Entel Service ManagementEntel Service Management
Entel Service ManagementRamsés Gallego
 
Organization theory and design 09 2013
Organization theory and design 09 2013Organization theory and design 09 2013
Organization theory and design 09 2013Wai Chamornmarn
 
Organization theory and design 05 2013
Organization theory and   design  05 2013Organization theory and   design  05 2013
Organization theory and design 05 2013Wai Chamornmarn
 
Organization theory and design 06 2013
Organization theory and   design  06 2013Organization theory and   design  06 2013
Organization theory and design 06 2013Wai Chamornmarn
 
Organization theory and design 12 2013
Organization theory and design 12 2013Organization theory and design 12 2013
Organization theory and design 12 2013Wai Chamornmarn
 
Organization theory and design 05 2013
Organization theory and   design 05 2013Organization theory and   design 05 2013
Organization theory and design 05 2013Wai Chamornmarn
 
08 Dynamic Capability 2013
08 Dynamic Capability 201308 Dynamic Capability 2013
08 Dynamic Capability 2013Wai Chamornmarn
 

Destaque (20)

Modern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panelModern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panel
 
DLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés GallegoDLP - Network Security Conference_ Ramsés Gallego
DLP - Network Security Conference_ Ramsés Gallego
 
EMG Coregistrazione Editore
EMG Coregistrazione EditoreEMG Coregistrazione Editore
EMG Coregistrazione Editore
 
Módulo 2
Módulo 2Módulo 2
Módulo 2
 
Luca_Carniato_PhD_thesis
Luca_Carniato_PhD_thesisLuca_Carniato_PhD_thesis
Luca_Carniato_PhD_thesis
 
Evolución económica y social s xix
Evolución económica y social s xixEvolución económica y social s xix
Evolución económica y social s xix
 
Sesion dos...
Sesion dos...Sesion dos...
Sesion dos...
 
Solta de tortugues
Solta de tortuguesSolta de tortugues
Solta de tortugues
 
Malware mitigation
Malware mitigationMalware mitigation
Malware mitigation
 
ISACA Barcelona Chapter Congress - July 2011
ISACA Barcelona Chapter Congress - July 2011ISACA Barcelona Chapter Congress - July 2011
ISACA Barcelona Chapter Congress - July 2011
 
Entel Service Management
Entel Service ManagementEntel Service Management
Entel Service Management
 
HanStone Brochure
HanStone BrochureHanStone Brochure
HanStone Brochure
 
Zodiaq Collection
Zodiaq CollectionZodiaq Collection
Zodiaq Collection
 
traumatismos oculares
traumatismos ocularestraumatismos oculares
traumatismos oculares
 
Organization theory and design 09 2013
Organization theory and design 09 2013Organization theory and design 09 2013
Organization theory and design 09 2013
 
Organization theory and design 05 2013
Organization theory and   design  05 2013Organization theory and   design  05 2013
Organization theory and design 05 2013
 
Organization theory and design 06 2013
Organization theory and   design  06 2013Organization theory and   design  06 2013
Organization theory and design 06 2013
 
Organization theory and design 12 2013
Organization theory and design 12 2013Organization theory and design 12 2013
Organization theory and design 12 2013
 
Organization theory and design 05 2013
Organization theory and   design 05 2013Organization theory and   design 05 2013
Organization theory and design 05 2013
 
08 Dynamic Capability 2013
08 Dynamic Capability 201308 Dynamic Capability 2013
08 Dynamic Capability 2013
 

Semelhante a Culture structure strategy_for_a_grc_program

Aes Business Process Co Sourcing
Aes Business Process Co SourcingAes Business Process Co Sourcing
Aes Business Process Co Sourcingjames2861
 
Planning Expansion and Adding Scope to your Current Shared Services Operation
Planning Expansion and Adding Scope to your Current Shared Services OperationPlanning Expansion and Adding Scope to your Current Shared Services Operation
Planning Expansion and Adding Scope to your Current Shared Services OperationScottMadden, Inc.
 
South Florida HDI Virtual Event: IT Alignment and Value Network Metrics
South Florida HDI Virtual Event:  IT Alignment and Value Network MetricsSouth Florida HDI Virtual Event:  IT Alignment and Value Network Metrics
South Florida HDI Virtual Event: IT Alignment and Value Network MetricsEddie Vidal
 
Leveraging Virtualization from an IT Project to a Business Strategy
Leveraging Virtualization from an IT Project to a Business StrategyLeveraging Virtualization from an IT Project to a Business Strategy
Leveraging Virtualization from an IT Project to a Business StrategyDavid Resnic
 
Infusing EPM in people and process
Infusing EPM in people and processInfusing EPM in people and process
Infusing EPM in people and processRavi Tirumalai
 
ITIL® im Microsoft-Umfeld: Einführung in das MOF
ITIL® im Microsoft-Umfeld: Einführung in das MOFITIL® im Microsoft-Umfeld: Einführung in das MOF
ITIL® im Microsoft-Umfeld: Einführung in das MOFDigicomp Academy AG
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStormSolutions
 
Skills Services Phoenix June2010
Skills Services Phoenix June2010Skills Services Phoenix June2010
Skills Services Phoenix June2010Mike Ryan
 
Hybrid ITSM FrontRange & Gartner Webcast
Hybrid ITSM FrontRange & Gartner WebcastHybrid ITSM FrontRange & Gartner Webcast
Hybrid ITSM FrontRange & Gartner WebcastFrontRange
 
Luis lima v3
Luis lima v3Luis lima v3
Luis lima v3EuroCloud
 
The new role of CIO, Borut Kolmanič, S&T Slovenija
The new role of CIO, Borut Kolmanič, S&T SlovenijaThe new role of CIO, Borut Kolmanič, S&T Slovenija
The new role of CIO, Borut Kolmanič, S&T SlovenijaS&T GROUP
 

Semelhante a Culture structure strategy_for_a_grc_program (20)

Aes Business Process Co Sourcing
Aes Business Process Co SourcingAes Business Process Co Sourcing
Aes Business Process Co Sourcing
 
Planning Expansion and Adding Scope to your Current Shared Services Operation
Planning Expansion and Adding Scope to your Current Shared Services OperationPlanning Expansion and Adding Scope to your Current Shared Services Operation
Planning Expansion and Adding Scope to your Current Shared Services Operation
 
South Florida HDI Virtual Event: IT Alignment and Value Network Metrics
South Florida HDI Virtual Event:  IT Alignment and Value Network MetricsSouth Florida HDI Virtual Event:  IT Alignment and Value Network Metrics
South Florida HDI Virtual Event: IT Alignment and Value Network Metrics
 
Leveraging Virtualization from an IT Project to a Business Strategy
Leveraging Virtualization from an IT Project to a Business StrategyLeveraging Virtualization from an IT Project to a Business Strategy
Leveraging Virtualization from an IT Project to a Business Strategy
 
Infusing EPM in people and process
Infusing EPM in people and processInfusing EPM in people and process
Infusing EPM in people and process
 
ITIL® im Microsoft-Umfeld: Einführung in das MOF
ITIL® im Microsoft-Umfeld: Einführung in das MOFITIL® im Microsoft-Umfeld: Einführung in das MOF
ITIL® im Microsoft-Umfeld: Einführung in das MOF
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
 
Skills Services Phoenix June2010
Skills Services Phoenix June2010Skills Services Phoenix June2010
Skills Services Phoenix June2010
 
Hybrid ITSM FrontRange & Gartner Webcast
Hybrid ITSM FrontRange & Gartner WebcastHybrid ITSM FrontRange & Gartner Webcast
Hybrid ITSM FrontRange & Gartner Webcast
 
Luis lima v3
Luis lima v3Luis lima v3
Luis lima v3
 
Ams Webinar 25 March 2010 Jf Final[1]
Ams Webinar 25 March 2010 Jf Final[1]Ams Webinar 25 March 2010 Jf Final[1]
Ams Webinar 25 March 2010 Jf Final[1]
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
The new role of CIO, Borut Kolmanič, S&T Slovenija
The new role of CIO, Borut Kolmanič, S&T SlovenijaThe new role of CIO, Borut Kolmanič, S&T Slovenija
The new role of CIO, Borut Kolmanič, S&T Slovenija
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 

Culture structure strategy_for_a_grc_program

  • 1. Culture, Structure & Strategy for a GRC Program: Moving from Alignment to Synchronization
    Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
    General Manager, Entel Security & Risk Management, rgallego@entel.es
  • 2. The need for IT to reinvent itself
    Despite the projections of renewed economic health, the business will continue to expect IT leadership to show strong financial competencies, that IT projects realize tangible business value, and that the IT organization demonstrates competitive effectiveness.
    “..IT organizations that rise to the challenge will be rewarded with substantial opportunities to develop a new type of service organization. Those that don’t will face a grimmer future” (Gartner – CIO Update)
  • 3. Definitions
    • Governance: “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly”
  • 4. Definitions
    • Risk: “the level of exposure to uncertainties that an organization must understand and manage effectively while it performs its duties to achieve objectives and create value”
    • The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals
  • 5. Definitions
    • Compliance: “The act of adhering to, and demonstrating adherence to external laws and regulations as well as corporate policies and procedures”
  • 7. Business imperatives
    Four imperatives: Improve service; Align IT investments; Manage risk; Manage cost.
    Elements (as listed on the slide): Compliance; IT Portfolio Management; Optimize resources; Service Availability; Value Management; Protect assets; Automate processes; Service Management; Business Process Management; Business Continuity.
    Outcomes: Optimal value, providing effective and efficient services; Manage operational and business risk; Better CAPEX and OPEX management; Align investments with corporate goals.
  • 8. Best Practices for GRC
    A proven methodology is needed to make GRC real:
    § Business-driven, project-oriented, results-focused
    § Measured with indicators and metrics
    § SOI - Strategize, Implement, Operate
    (diagram: Capability Development; Gap Analysis, measurement, RoI (RoN); Integrated IT Business flows, processes and execution)
  • 9. The best of both worlds (two columns: IT and Business)
    • Quality of services • Cost reduction • Visibility of IT projects • Manage the financial perspective of IT • Take correct business decisions • Optimize assets and resources • Innovation as a driver • Agility • Manage risk and change
  • 10. Business Service Optimization
    (diagram labels: IT Governance; Demand; Processes; Life Cycle Services; People and Projects; Business; IT; IT Portfolio; Best Practices; Services; Assets; IT Alignment?)
    Provide the best value with available resources. Enable IT to fulfill its promise for the business. Improve IT efficiency through/for automated business processes.
  • 11. Life Cycle Services Management
    Demand Management: • Define and publish services • Associating cost and Service Level • Charges based on the use or cost of assignment • Chargeback for SLA violation
    Change Management: • Role-based support to decisions • Apps and Operating System • Standardize and automate IT process flows
    Service Support: • Incident & Problem Management • Knowledge base centralized
    Service Level Management: • Define and control the service level agreed • Operational metrics • Prioritize activity based on SLA impact
    (diagram labels: Cost of service; Demand; Cost of Change; Service Management; Infrastructure; Service Level; Service Support)
  • 12. People and Process Management
    Resource Management: • Search capability on service catalog • Planning depending on capability • Report on services utilization
    Process Management: • Creation of templates, best practices
    Project Management: • Creation of trends, budget, forecast • Cost on every project • Follow-up of deliverables • Provisioning resources based on cost and capability • Incident and risk management
    (diagram labels: Resource Management; Processes; Projects & Programs; Time & Cost; Billing by time and cost)
  • 13. Asset Management
    Asset Management and Inventory: • Understand the environment • Historic detail of assets tracking
    Financial Management: • Budget and forecast • Obsolete resources to replace
    Contract Management: • Lease Management • Understanding TCO to negotiate
    Configuration Management: • Software and patch management • Migration support and standardization
    Software licenses management: • Understand the requirements • Discover the gap (in excess or the lacking of)
    (diagram labels: Inventory & Financial; Configuration; Contracts; Software Licenses)
  • 14. Managing the IT Portfolio
    - Clear relation between IT investment and ROI
    - Alignment with the business through the priorities selection
    - Within business context
    - Clear and concise communication
    - Agility for business priorities
    (diagram labels: Processes; Life Cycle Services; People & Processes; IT Portfolio; Best Practices; Assets; Dashboard and BSC)
  • 15. Integrated processes
    (diagram: Service Request → Change Request → Operational Change Request → IT Portfolio Management; tasks assigned to IT personnel; Life Cycle Management; People, Process Management; Software Change Request → Operational Change Request → Software delivery; Configuration; Assets Change)
  • 16. Why Projects Fail
    • According to “Darwin Online”, projects fail for six distinct reasons:
      – Lack of Executive sponsorship
      – Lack of early stakeholder input
      – Poorly defined or changing specifications
      – Unrealistic expectations
      – Uncooperative business partners
      – Poor or dishonest communications
  • 17. A Word About Estimating …
  • 18. Project Portfolio Management
    • Align IT investments and projects with business objectives
    • Improve quality and speed of decision making for IT projects
    • Bring strategic objectives to market faster with less risk
    (diagram: Demand Management; Process Management; Portfolio Management; Resource Planning; Project Management; Request 15: New budget report; Request 215: Security fix; Request 803: Application modification)
  • 19. Project Portfolio Management
    • Provides a clear focus on the business value of IT projects and investments, facilitating alignment with the business
    • Demonstrates a clear linkage between IT projects and ROI
  • 20. Project Portfolio Management
    Improve quality and speed of decision making for IT projects
    • Comprehensive, clear views of IT projects and their value
    • Increase the ability to react to changes in business priorities and budgets
  • 21. Project Portfolio Management
    Bring strategic objectives to market faster with less risk
    • Logical views of IT resources facilitate an optimal allocation of resources between day-to-day and strategic IT objectives.
    • Capital and operational IT costs are reduced through optimization of IT resource allocation
  • 22. Effective GRC Requires an Integrated System
    (diagram: emails; Spreadsheets; Microsoft Project; Requirements Document; Portfolio Mgmt Tools; Documents Management; Meeting Notes; Manual Processes; Custom Databases, feeding Demand Management; Process Management; Portfolio Management; Resource Planning; Project Management; Request 15: New budget report; Request 215: Security fix; Request 803: Application modification)
  • 23. We need to bring Order to Chaos
  • 24. Main Problem is Communication
  • 26. Alignment? with the business
  • 28. The IT Operations side
  • 29. How we link them
  • 30. The New Role of IT
    Increase the Business Impact: • Align IT priorities with business priorities • Deliver more on a smarter budget
    Add Business Value: • Improve time to delivery on business requests • Improve quality
    Decrease Costs / Improve Efficiency: • Cut Costs • Add flexibility to costs • Repurpose resources • Reduce Headcount
  • 31. Synchronization – Merging of ‘two worlds’
    (org chart: CEO over the BUSINESS FUNCTIONS Manufacturing, Operations, HR, Sales, Finance, staffed by COO, COO/CSO, EVP Sales, CFO, SVP Human Rsce, General Manager, SVP Ops, SVP Marketing, SVP Finance, VP Procurement, SVP Product Dev., VP Purchasing, General Manager, VP IT Finance, VP Administration, VP Research, Dir Purchasing, VP Line of Business, Dir. IT Finance; CIO over the IT FUNCTIONS Development, Deployment, Provisioning, Problem Mgmt, Testing)
    WHAT DOES SYNCHRONIZATION REQUIRE?
    Information -- on processes, business needs, current IT states, future IT requirements
    Communication -- of performance levels, service levels, tradeoffs
    Value Translation -- to the business, the organization, the bottom line
  • 32. Adding Value through Strategic Alignment
    (same org chart as slide 31)
    IT Supports the Business Process and is Run like a Business
    WHAT IS SYNCHRONIZATION?
    Deliver and support IT to the service levels desired by the business; Understand business processes, model and manage them; Prioritize IT projects based on business Value
  • 33. Business Service Optimization
    (same org chart as slide 31)
    IT Supports the Business Process and is Run like a Business
    BUSINESS SERVICE OPTIMIZATION: Business Service Management; Process Management; IT Governance
  • 34. GRC Schema
    SELECT …The IT projects, investments, activities and programs needed to successfully execute business strategies, goals and objectives (IT Governance)
    OPTIMIZE …The IT Assets and resources (including people and technology) needed to support Business services, providing strong financial stewardship throughout
    EXECUTE …The successful delivery of Business Services by managing complex change processing and deployment (Business Service)
  • 35. Service Management and IT Governance: “Run IT Like a Business”
    Service Management – Service Delivery; Service Management – Service Support; Project Portfolio Management; Provision and assure service quality; Prioritize IT projects based on business value; Centralized control of Project requests; IT Asset Management; IT Financial Management; Assess resources required; Activate service metering; Software Change Management; Initiate software change tasks and activities
  • 36. IT Governance Provides Answers
    • Can we accurately cost and budget for a new IT-Business service?
    • What risks are involved and how can we mitigate against them?
    • Is IT competitive? How does our service compare to what’s provided by outsourcers?
    • Are we in compliance with government and industry regulations?
  • 37. IT Governance Provides Answers
    § How do I prioritize an increasing number of projects and activities?
    § Can I communicate the value IT brings to the business in clear, unambiguous terms?
    § Do we have the staff and IT Assets and infrastructure to support my new business initiative?
    § Can my department respond efficiently to changing business requirements without disrupting existing services?
    § Do I know what technology assets I lease or own, where they are located, and how they are being used?
    § Do I know the status of all my projects both from a time and cost perspective?
  • 38. CSFs, KGIs, KPIs: what are they?
    • CSFs: Critical Success Factors or “vital elements”
    • KGIs: Key Goal Indicators or “what” needs to be accomplished
    • KPIs: Key Performance Indicators or “how well” the process is behaving
  • 39. Monitor vs. Manage
    DATA (Level 1): Centralize access to data (applications)
    INFORMATION (Level 2): Refine, observe, analyze and classify data provided by systems
    KNOWLEDGE (Level 3): Apply business content and relevance to the information to determine business priorities
    ACTION (Level 4): Act with business knowledge, in a single place according to business needs
    (diagram labels: MONITOR; MANAGE; Value (and cost))
  • 40. Some examples...
    (two dashboard screenshots: © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com)
  • 41. ...from the real world
  • 43. ...to what really matters
  • 45. A CONTINUOUS process for GRC
    (diagram: Demand Management; Process Management; Portfolio Management; Resource Planning; Project Management; Request 15: New budget report; Request 215: Security fix; Request 803: Application modification)
  • 46.–54. (image-only slides, no text)
  • 55. THANK YOU
    Culture, Structure & Strategy for a GRC Program: Moving from Alignment to Synchronization
    Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
    General Manager, Entel Security & Risk Management, rgallego@entel.es