Initiating IT Governance Strategy to Identify Business Needs

© Rohit Banerjee, 2016. All rights reserved for derivative work. Original copyrights retained with respective parties. All
trademarks, service marks and trade names are trademark of respective parties. COBIT® is a registered trademark of ISACA®.
1

Rohit Banerjee
ISO/IEC 38500 Lead Corporate IT Governance Manager
Rohit Banerjee has 14+ years overall, with 10+ years in IT hands-on
progressive experience across programme, project & team management
leading full SDLC life cycle for complex, cross-functional, multi-site initiatives.
He is ISO/IEC 38500 Lead IT Governance Manager.
Contact Information
(+968) 9789 4705
rohitbanerjee@gmail.com
www.rohitbanerjee.com
linkedin.com/in/rohitbanerjee
twitter.com/rohitbanerjee
fb.com//banerjeerohit

AGENDA POINTS
 What is Governance, and why do we need Governance
 Introducing IT Governance
 ISO standards for IT Governance
 IT Governance from ISO perspective
 Business Needs for Governance of IT
 Considerations for Governing Body to Identify Business Needs
 Identifying the Business Performance and Conformance Needs
 Evaluate-Direct-Monitor (EDM) cycle of IT Governance
 Hierarchy and Overlap of Other Best Practices in IT
 Business Risks and Changing Landscape of IT for Business
 Common roadblocks, challenges, and lesson learned
 Questions & answers
3

ABOUT THE SPEAKER
4
 ISO/IEC 38500 Lead IT Governance Manager, ISO 9001 Lead Auditor &
Lead Implementer, ISO 21500 Lead Project Manager, CRISC™, CGEIT®,
COBIT® 5 Implementation, CSX™ Cybersecurity Fundamentals, PMP®,
PRINCE2®, MSP®, Six Sigma Black Belt, ITIL® V3 2011, Certified Master
Trainer & Certified Instructional Designer (CAMI)
 IT Governance, Project Assurance and Programme Management
Professional with 15+ years overall & 11+ years IT experience in
programme, project, product & team management
 Corporate trainer & academic lecturer/speaker since 2005
 The only official PECB Certified trainer for ISO/IEC 38500 IT
Governance courses, & APMG Accredited trainer for COBIT® courses in
Oman
 Director at ISACA® Muscat Chapter for CGEIT/CRISC Certifications,
PMI® International & PMI®-Oman volunteer
 Asia (India), North America (USA, Canada), Europe (UK, Netherlands,
Belgium, Luxemburg) & GCC area (Oman, UAE)
 BFSI, Media & Entertainment, Shipping & Logistics, E-Learning &
Publishing, Government & Public Sector
Rohit Banerjee
• B. Sc. in Computer Science
• MCA
• MBA (IT Systems & Intl PM)
• Ph.D. candidate (IT Governance)

WHAT IS GOVERNANCE
Derived from the Greek verb kubernáo meaning ‘to steer’.
o Establishment of policies,
o and continuous monitoring of their proper implementation,
o by members of governing body of an organization.
o Includes mechanisms required to balance powers of members
(accountability), and their primary duty of enhancing prosperity and
viability of organization1
5
In simple words, real meaning of the term Governance means
all the processes that coordinate and control an organization’s
resources and actions.2
1. Extracted from A Corporate Approach Is Needed to Provide for a More Effective Tax-Exempt Fraud Program, The Treasury Inspector General for Tax
Administration (TIGTA), 2009
2. Extracted from CORPORATE GOVERNANCE: Systemic approach versus traditional oversight and audit, NDMA (ndma.com), undated.

WHY DO WE NEED GOVERNANCE
6
 Are we doing the right things?
 Are we doing them the right way?
 Are we getting them done well?
 Are we getting the benefits?
 Strategic
Architecture
Delivery
Value



Extracted from The Information Paradox, John Thorp, Fujitsu, 2003.
Performance Conformance
 Organization

INTRODUCING IT GOVERNANCE
7
ITGI defines IT governance as:
The responsibility of executives and the board of directors, and
consists of the leadership, organisational structures and
processes that ensure that the enterprise’s IT sustains and
extends the organisation’s strategies and objectives.
Gartner defines IT Governance as:
“The processes that ensure the effective and efficient use of IT
in enabling an organization to achieve its goals.”
In simple words it means that
IT operations and IT projects should be aligned with the
organization’s strategy.1
1. Extracted from A Primer on IT Governance, INTERNAL AUDITOR - MIDDLE EAST, Stig J. Sunde, Sep 2014

ISO STANDARDS FOR IT GOVERNANCE
ISO/IEC 38500:2015
Information technology -- Governance of IT for the organization
ISO/IEC TS 38501:2015
Information technology -- Governance of IT -- Implementation guide
ISO/IEC TR 38502:2014
Information technology -- Governance of IT -- Framework and model
ISO/IEC TR 38504:2016
Governance of information technology -- Guidance for principles-
based standards in the governance of information technology
8

IT GOVERNANCE FROM ISO PERSPECTIVE
Key points:
 provides guiding principles for members of governing bodies of organizations
on the effective, efficient, and acceptable use of information technology (IT)
within their organizations.
 applies to the governance of the organization's current and future use of IT
including management processes and decisions related to the current and
future use of IT.
 defines the governance of IT as a subset or domain of organizational
governance, or in the case of a corporation, corporate governance.
 applicable to all organizations, including public and private companies,
government entities, and not-for-profit organizations, of all sizes from the
smallest to the largest, regardless of the extent of their use of IT.
 assures stakeholders to have confidence in the organization's governance of IT.
 establishes a vocabulary for the governance of IT.
9

BUSINESS NEEDS FOR GOVERNANCE OF IT
10
Successful enterprises recognised the board and
executives need to embrace IT like any other
significant part of doing business.
Boards and management—both in the business
and IT functions—must collaborate and work
together, so that IT is included within the
governance and management approach.
Governance and management of enterprise IT
helps create optimal value from IT by
maintaining a balance between realising
benefits, optimising risk levels and resource use.
Imagesbyadamr,podpad,styleTTT,jscreationzsatFreeDigitalPhotos.net
Extracted from COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA®, 2012.

CONSIDERATIONS FOR GOVERNING BODY TO
IDENTIFY BUSINESS NEEDS
11
Adapted from Figure 3, “Four Ares”, Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0, ITGI™, 2008.
Are we
doing the
right
things?
Are we
doing
them the
right
way?
Are we
getting
the
benefits?
Are we
getting
them
done
well?
Strategy
• In line with the vision
• Consistent with the business
principles
• Contributing to the strategic
objectives
• Providing optimal value, at
affordable cost, at an acceptable
level of risk
Architecture
• In line with the architecture
• Consistent with the
architectural principles
• Contributing to the
population of the architecture
• In line with other initiatives
Value
• A clear and shared understanding
of the expected benefits
• Clear accountability for realizing
the benefits
• Relevant metrics
• An effective benefits realization
process over the full economic life
cycle of the investment
Delivery
• Effective and disciplined
management, delivery and change
management processes
• Competent and available technical
and business resources to deliver:
• – The required capabilities
• – The organizational changes
required to leverage capabilities

IDENTIFYING THE BUSINESS NEEDS
PAIN POINTS
 Failed initiatives, rising IT costs, perception of low business
value
 Significant IT-related business risk incidents
 Outsourcing service delivery or service levels problems
 Failure to meet regulatory or contractual requirements
 IT’s limitations in innovation capabilities and business agility
 Poor IT performance and quality audit reports
 Hidden and rogue IT spending
 Duplication or overlap between initiatives, wasted resources
 Insufficient IT resources, inadequate skills, staff burnout
 IT failing to meet business needs, delivered late, over budget
 Multiple and complex IT assurance efforts
 Reluctant or uncommitted board members, executives or
sponsors for IT initiatives
 Complex IT operating models
TRIGGER EVENTS
• Merger, acquisition or divestiture, corporate restructuring
• A shift in the market, economy or competitive position
• Change in business operating model or sourcing
arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, chief financial officer (CFO), chief executive officer
(CEO) or board member
• External audit or consultant assessments
• A new business strategy or priority
• Desire to significantly improve the value to be gained from IT
12
Adapted from COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT , ISACA®, 2012.

PERFORMANCE NEEDS OF BUSINESS FOR IT
 Proposals addressing continuing normal operation and IT usage risk treatment, are
reviewed, so that IT can support processes with required capability and capacity
 Risks to continued operations arising from IT activities, are evaluated.
 Risks related to integrity of information and protection of IT assets, even intellectual
property and organizational memory, are reviewed
 Options for effective, and timely decisions about use of IT in support of business goals,
are reviewed
 Evaluation of effectiveness and performance of organization’s system for IT Governance,
is done regularly
 Sufficient resources are allocated for IT to meet the needs of the organization, based on
priorities and budgetary constraints
 IT supports the business, with correct and up-to-date data, protected from loss or misuse
 Allocated resources and budgets are prioritized according to business objectives
 Policies for data accuracy and efficient use of IT, are followed properly
21-10-
13

CONFORMANCE NEEDS OF BUSINESS FOR IT
 Regulatory, legislative, legal, contractual obligations, and internal
policies, industrial standards and professional guidelines are satisfied by
IT
 Regular and routine mechanisms are in place to check IT usage
compliance
 Enforcement of policies to meet internal obligations IT usage
 Professional behavior and development of IT staff is adhered
 All actions relating to IT are ethical
 Timely and comprehensive reviews, for appropriate reporting and audit
practices, to satisfaction of the business owners
 IT activities to be monitored, to ensure relevant obligations are met
21-10-
14

EVALUATE-DIRECT-MONITOR (EDM) CYCLE
OF IT GOVERNANCE
21-10-
15
Business Pressures Business Needs
Evaluate
Direct Monitor
ICT Projects ICT Operations
Proposals
Corporate
Governance of IT
Business Processes
Adapted from Figure 1, Model for Corporate Governance of IT, ISO/IEC 38500:2008 - Corporate governance of information technology, ISO®, 2008.
Plans
Policies
Performance
Conformance

HIERARCHY OF OTHER BEST PRACTICES IN IT
16
Drivers
Enterprise Governance /
Corporate Governance
IT Governance
Best Practice
Standards
Processes and
Procedures
PERFORMANCE:
Business Goals
CONFORMANCE:
Sarbanes-Oxley Act, Basel II/III
Balanced Scorecard COSO
COBIT 5 ISO/IEC 38500:2015
ISO 9000:2015
ISO/IEC 20000-
1:2011
ISO/IEC
27001:2013
QA Procedures ITILSecurity
Principles
Source: Adapted from figure published by ISACA®, 2012.

OVERLAP OF OTHER BEST PRACTICES IN IT
21-10-
17
Evaluate, Direct, Monitor
Align, Plan, Organize
Build, Acquire, Implement
Evaluate, Direct, Monitor
Monitor,
Evaluate, Assess
Adapted from Figure 25, COBIT 5 Coverage of Other Standards and Frameworks, COBIT® 5: A Business Framework for the Governance and Management of
Enterprise IT , ISACA®, 2012
ISO/IEC 38500
ISO/IEC 31000
TOGAF
PRINCE2/PMBOK
ITIL V3 2011 and ISO/IEC 20000
ISO/IEC 27000
CMMI

RISK TO BUSINESSES
Forbes Top 10 Global Risks for Business 2015
1. Damage to Brand/Reputation
2. Economic slowdown/slow recovery
3. Regulatory/legislative changes
4. Increasing competition
5. Failure to attract or retain top talent
6. Failure to innovate/meet customer needs
7. Business interruption
8. Third party liability
9. Cyber risk (computer crime/hacking/ viruses/malicious codes)
10. Property damage
21-10-
18
Source: Cyber Risk As A Top 10 Global Risk for Businesses , Forbes®, 2015.

CHANGING LANDSCAPE OF IT FOR BUSINESS
TOP 10 EMERGING DIGITAL
TECHNOLOGY TRENDS 2015-2016
1. Big Data Analytics
2. Mobile
3. Cloud
4. Machine Learning
5. Internet of Things
6. Massive Open Online Courses
7. Social Networking
8. Digital Business Models
9. Cybersecurity
10. Digital Currency
TOP 10 CYBER SECURITY THREAT
TRENDS 2015-2016
1. Ransomware
2. Hardware-centric cyberattacks
3. Smartphone malware
4. Browser-based Flash vulnerabilities
5. Cloud service concerns
6. Phishing Attacks & Social Engineering
7. Identity Theft
8. Healthcare & Retail hacktivism
9. Connected cars
10. Nation-state sponsored attacks
21-10-
19
Source: Innovation Insights, ISACA®, 2015. Source: ZDNet Top 7 Cyberthreats to Watch Out for in 2015-2016, ZDNet
The top security threats of 2016, Heimdal Security 10 Critical Corporate
Cyber Security Risks – A Data Driven List,

COMMON ROADBLOCKS AND CHALLENGES
21-10-
20
Initial inertia or resistance to change
Lack of awareness or inaccurate
information about IT Governance and
Governance in general
Difficulty in proving short-term tangible
value and benefits
Inadequate training related to
Governance, IT Governance
ImagesbyStuartMiles&imagerymajesticatFreeDigitalPhotos.net

LESSONS LEARNT SO FAR …
21-10-
21
Governance of Enterprise IT is vast and can go as deep as
you want. Start with easy and small processes (quick
wins) to get sustained executive support and
acceptance by others.
Creating the sense of urgency and sounding the wake up
call is integral for getting things into motion.
One of the best ways to formalize Governance of IT inititives
is to establish an IT executive strategy committee.
Patience and perseverance always pays …

ISO/IEC 38500 Training Courses
 ISO/IEC 38500 Introduction
1 Day Course
 ISO/IEC 38500 Foundation
2 Days Course
 ISO/IEC 38500 IT Corporate Governance Manager
3 Days Course
 ISO/IEC 38500 Lead IT Corporate Governance Manager
5 Days Course
Exam and certification fees are included in the training price.
www.pecb.com/iso-iec-38500-training-courses | www.pecb.com/events

THANK YOU
?
Contact Information
(+968) 9789 4705
rohitbanerjee@gmail.com
www.rohitbanerjee.com
linkedin.com/in/rohitbanerjee
twitter.com/rohitbanerjee
fb.com//banerjeerohit

Initiating IT Governance Strategy to Identify Business Needs

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Initiating IT Governance Strategy to Identify Business Needs

Similar to Initiating IT Governance Strategy to Identify Business Needs (20)

More from PECB

More from PECB (20)

Recently uploaded

Recently uploaded (20)

Initiating IT Governance Strategy to Identify Business Needs