1. Initiating IT Governance Strategy to Identify Business Needs
© Rohit Banerjee, 2016. All rights reserved for derivative work. Original copyrights retained with respective parties. All trademarks, service marks and trade names are trademark of respective parties. COBIT® is a registered trademark of ISACA®.
2. Rohit Banerjee
ISO/IEC 38500 Lead Corporate IT Governance Manager
Rohit Banerjee has 14+ years of overall experience, with 10+ years of hands-on, progressive IT experience across programme, project and team management, leading the full SDLC life cycle for complex, cross-functional, multi-site initiatives.
He is an ISO/IEC 38500 Lead IT Governance Manager.
Contact Information
(+968) 9789 4705
rohitbanerjee@gmail.com
www.rohitbanerjee.com
linkedin.com/in/rohitbanerjee
twitter.com/rohitbanerjee
fb.com//banerjeerohit
3. AGENDA POINTS
What is Governance, and why do we need Governance
Introducing IT Governance
ISO standards for IT Governance
IT Governance from ISO perspective
Business Needs for Governance of IT
Considerations for Governing Body to Identify Business Needs
Identifying the Business Performance and Conformance Needs
Evaluate-Direct-Monitor (EDM) cycle of IT Governance
Hierarchy and Overlap of Other Best Practices in IT
Business Risks and Changing Landscape of IT for Business
Common roadblocks, challenges, and lessons learned
Questions & answers
4. ABOUT THE SPEAKER
Rohit Banerjee
• B. Sc. in Computer Science
• MCA
• MBA (IT Systems & Intl PM)
• Ph.D. candidate (IT Governance)
• ISO/IEC 38500 Lead IT Governance Manager, ISO 9001 Lead Auditor & Lead Implementer, ISO 21500 Lead Project Manager, CRISC™, CGEIT®, COBIT® 5 Implementation, CSX™ Cybersecurity Fundamentals, PMP®, PRINCE2®, MSP®, Six Sigma Black Belt, ITIL® V3 2011, Certified Master Trainer & Certified Instructional Designer (CAMI)
• IT Governance, Project Assurance and Programme Management Professional with 15+ years overall & 11+ years IT experience in programme, project, product & team management
• Corporate trainer & academic lecturer/speaker since 2005
• The only official PECB Certified trainer for ISO/IEC 38500 IT Governance courses, & APMG Accredited trainer for COBIT® courses in Oman
• Director at ISACA® Muscat Chapter for CGEIT/CRISC Certifications, PMI® International & PMI®-Oman volunteer
• Regions: Asia (India), North America (USA, Canada), Europe (UK, Netherlands, Belgium, Luxembourg) & GCC area (Oman, UAE)
• Industry sectors: BFSI, Media & Entertainment, Shipping & Logistics, E-Learning & Publishing, Government & Public Sector
5. WHAT IS GOVERNANCE
Derived from the Greek verb kubernáo, meaning ‘to steer’.
o Establishment of policies,
o and continuous monitoring of their proper implementation,
o by members of the governing body of an organization.
o Includes the mechanisms required to balance the powers of members (accountability) and their primary duty of enhancing the prosperity and viability of the organization.¹
In simple words, governance means all the processes that coordinate and control an organization’s resources and actions.²
1. Extracted from A Corporate Approach Is Needed to Provide for a More Effective Tax-Exempt Fraud Program, The Treasury Inspector General for Tax Administration (TIGTA), 2009.
2. Extracted from CORPORATE GOVERNANCE: Systemic approach versus traditional oversight and audit, NDMA (ndma.com), undated.
6. WHY DO WE NEED GOVERNANCE
[Figure: the four governance questions mapped to the Strategic, Architecture, Delivery and Value perspectives, spanning the Performance and Conformance dimensions of the organization]
Are we doing the right things? (Strategic)
Are we doing them the right way? (Architecture)
Are we getting them done well? (Delivery)
Are we getting the benefits? (Value)
Extracted from The Information Paradox, John Thorp, Fujitsu, 2003.
7. INTRODUCING IT GOVERNANCE
ITGI defines IT governance as:
The responsibility of executives and the board of directors, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Gartner defines IT Governance as:
“The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.”
In simple words, it means that IT operations and IT projects should be aligned with the organization’s strategy.¹
1. Extracted from A Primer on IT Governance, INTERNAL AUDITOR - MIDDLE EAST, Stig J. Sunde, Sep 2014
8. ISO STANDARDS FOR IT GOVERNANCE
ISO/IEC 38500:2015
Information technology -- Governance of IT for the organization
ISO/IEC TS 38501:2015
Information technology -- Governance of IT -- Implementation guide
ISO/IEC TR 38502:2014
Information technology -- Governance of IT -- Framework and model
ISO/IEC TR 38504:2016
Governance of information technology -- Guidance for principles-based standards in the governance of information technology
9. IT GOVERNANCE FROM ISO PERSPECTIVE
Key points (ISO/IEC 38500):
• Provides guiding principles for members of governing bodies of organizations on the effective, efficient, and acceptable use of information technology (IT) within their organizations.
• Applies to the governance of the organization's current and future use of IT, including management processes and decisions related to the current and future use of IT.
• Defines the governance of IT as a subset or domain of organizational governance, or in the case of a corporation, corporate governance.
• Applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations, of all sizes from the smallest to the largest, regardless of the extent of their use of IT.
• Assures stakeholders that they can have confidence in the organization's governance of IT.
• Establishes a vocabulary for the governance of IT.
10. BUSINESS NEEDS FOR GOVERNANCE OF IT
Successful enterprises have recognised that the board and executives need to embrace IT like any other significant part of doing business.
Boards and management—both in the business and IT functions—must collaborate and work together, so that IT is included within the governance and management approach.
Governance and management of enterprise IT helps create optimal value from IT by maintaining a balance between realising benefits, optimising risk levels and resource use.
Extracted from COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA®, 2012.
11. CONSIDERATIONS FOR GOVERNING BODY TO IDENTIFY BUSINESS NEEDS
Adapted from Figure 3, “Four Ares”, Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0, ITGI™, 2008.
Are we doing the right things? (Strategy)
• In line with the vision
• Consistent with the business principles
• Contributing to the strategic objectives
• Providing optimal value, at affordable cost, at an acceptable level of risk
Are we doing them the right way? (Architecture)
• In line with the architecture
• Consistent with the architectural principles
• Contributing to the population of the architecture
• In line with other initiatives
Are we getting the benefits? (Value)
• A clear and shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process over the full economic life cycle of the investment
Are we getting them done well? (Delivery)
• Effective and disciplined management, delivery and change management processes
• Competent and available technical and business resources to deliver:
  – The required capabilities
  – The organizational changes required to leverage capabilities
12. IDENTIFYING THE BUSINESS NEEDS
PAIN POINTS
• Failed initiatives, rising IT costs, perception of low business value
• Significant IT-related business risk incidents
• Outsourcing service delivery or service level problems
• Failure to meet regulatory or contractual requirements
• IT’s limitations in innovation capabilities and business agility
• Poor IT performance and quality audit reports
• Hidden and rogue IT spending
• Duplication or overlap between initiatives, wasted resources
• Insufficient IT resources, inadequate skills, staff burnout
• IT failing to meet business needs, delivered late, over budget
• Multiple and complex IT assurance efforts
• Reluctant or uncommitted board members, executives or sponsors for IT initiatives
• Complex IT operating models
TRIGGER EVENTS
• Merger, acquisition or divestiture, corporate restructuring
• A shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, chief financial officer (CFO), chief executive officer (CEO) or board member
• External audit or consultant assessments
• A new business strategy or priority
• Desire to significantly improve the value to be gained from IT
Adapted from COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA®, 2012.
13. PERFORMANCE NEEDS OF BUSINESS FOR IT
• Proposals addressing continuing normal operation and IT usage risk treatment are reviewed, so that IT can support processes with the required capability and capacity
• Risks to continued operations arising from IT activities are evaluated
• Risks related to the integrity of information and the protection of IT assets, including intellectual property and organizational memory, are reviewed
• Options for effective and timely decisions about the use of IT in support of business goals are reviewed
• Evaluation of the effectiveness and performance of the organization’s system for IT Governance is done regularly
• Sufficient resources are allocated for IT to meet the needs of the organization, based on priorities and budgetary constraints
• IT supports the business with correct and up-to-date data, protected from loss or misuse
• Allocated resources and budgets are prioritized according to business objectives
• Policies for data accuracy and efficient use of IT are followed properly
14. CONFORMANCE NEEDS OF BUSINESS FOR IT
• Regulatory, legislative, legal and contractual obligations, and internal policies, industrial standards and professional guidelines are satisfied by IT
• Regular and routine mechanisms are in place to check IT usage compliance
• Policies are enforced to meet internal obligations for IT usage
• Professional behavior and development of IT staff are adhered to
• All actions relating to IT are ethical
• Timely and comprehensive reviews are carried out, for appropriate reporting and audit practices, to the satisfaction of the business owners
• IT activities are monitored, to ensure relevant obligations are met
15. EVALUATE-DIRECT-MONITOR (EDM) CYCLE OF IT GOVERNANCE
[Figure: Model for Corporate Governance of IT. Business Pressures and Business Needs feed the governing body’s Evaluate, Direct and Monitor cycle. Evaluate receives Proposals; Direct issues Plans and Policies to ICT Projects and ICT Operations; Monitor receives Performance and Conformance feedback from the ICT projects and operations that support the Business Processes.]
Adapted from Figure 1, Model for Corporate Governance of IT, ISO/IEC 38500:2008 - Corporate governance of information technology, ISO®, 2008.
16. HIERARCHY OF OTHER BEST PRACTICES IN IT
[Figure: hierarchy of best practices in IT, from business drivers down to processes and procedures]
Drivers: PERFORMANCE: Business Goals; CONFORMANCE: Sarbanes-Oxley Act, Basel II/III
Enterprise Governance / Corporate Governance: Balanced Scorecard, COSO
IT Governance: COBIT 5, ISO/IEC 38500:2015
Best Practice Standards: ISO 9000:2015, ISO/IEC 20000-1:2011, ISO/IEC 27001:2013
Processes and Procedures: QA Procedures, ITIL, Security Principles
Source: Adapted from figure published by ISACA®, 2012.
17. OVERLAP OF OTHER BEST PRACTICES IN IT
[Figure: COBIT 5 process domains (Evaluate, Direct, Monitor; Align, Plan, Organize; Build, Acquire, Implement; Monitor, Evaluate, Assess) overlaid with the coverage of other standards and frameworks: ISO/IEC 38500, ISO/IEC 31000, TOGAF, PRINCE2/PMBOK, ITIL V3 2011 and ISO/IEC 20000, ISO/IEC 27000, CMMI]
Adapted from Figure 25, COBIT 5 Coverage of Other Standards and Frameworks, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA®, 2012.
18. RISK TO BUSINESSES
Forbes Top 10 Global Risks for Business 2015
1. Damage to Brand/Reputation
2. Economic slowdown/slow recovery
3. Regulatory/legislative changes
4. Increasing competition
5. Failure to attract or retain top talent
6. Failure to innovate/meet customer needs
7. Business interruption
8. Third party liability
9. Cyber risk (computer crime/hacking/viruses/malicious codes)
10. Property damage
Source: Cyber Risk As A Top 10 Global Risk for Businesses, Forbes®, 2015.
19. CHANGING LANDSCAPE OF IT FOR BUSINESS
TOP 10 EMERGING DIGITAL TECHNOLOGY TRENDS 2015-2016
1. Big Data Analytics
2. Mobile
3. Cloud
4. Machine Learning
5. Internet of Things
6. Massive Open Online Courses
7. Social Networking
8. Digital Business Models
9. Cybersecurity
10. Digital Currency
TOP 10 CYBER SECURITY THREAT TRENDS 2015-2016
1. Ransomware
2. Hardware-centric cyberattacks
3. Smartphone malware
4. Browser-based Flash vulnerabilities
5. Cloud service concerns
6. Phishing Attacks & Social Engineering
7. Identity Theft
8. Healthcare & Retail hacktivism
9. Connected cars
10. Nation-state sponsored attacks
Sources: Innovation Insights, ISACA®, 2015; ZDNet, Top 7 Cyberthreats to Watch Out for in 2015-2016; ZDNet, The top security threats of 2016; Heimdal Security, 10 Critical Corporate Cyber Security Risks – A Data Driven List.
20. COMMON ROADBLOCKS AND CHALLENGES
• Initial inertia or resistance to change
• Lack of awareness or inaccurate information about IT Governance and Governance in general
• Difficulty in proving short-term tangible value and benefits
• Inadequate training related to Governance and IT Governance
21. LESSONS LEARNT SO FAR …
Governance of Enterprise IT is vast and can go as deep as you want. Start with easy and small processes (quick wins) to get sustained executive support and acceptance by others.
Creating a sense of urgency and sounding the wake-up call is integral to getting things into motion.
One of the best ways to formalize Governance of IT initiatives is to establish an IT executive strategy committee.
Patience and perseverance always pay …
22. ISO/IEC 38500 Training Courses
• ISO/IEC 38500 Introduction: 1-day course
• ISO/IEC 38500 Foundation: 2-day course
• ISO/IEC 38500 IT Corporate Governance Manager: 3-day course
• ISO/IEC 38500 Lead IT Corporate Governance Manager: 5-day course
Exam and certification fees are included in the training price.
www.pecb.com/iso-iec-38500-training-courses | www.pecb.com/events