PPTX 571 KB

Report
CANHEIT Overview Presentation - June 2012
Clark Ferguson, CIO, University of Lethbridge
Program Overview
Implementation Overview
Section 1 – Foundation Elements
Section 2 – Strategic Alignment
Section 3 – Risk Management
Section 4 – Value Delivery: IT Financial Management
Section 5 – Value Delivery: IT Human Resources
Management
Section 6 – Value Delivery: IT Service Management
Wrap Up
2
Governance & Management
Controls Overview Session
3

Alberta …

Post secondary sector …

Information & Technology Management …

Control Framework Program
4






Provincial Office of the Auditor General increasing attention to
governance & management controls across public sector
Alberta Advanced Education & Technology (AET) initiated
program and enlisted support of post secondary leaders
Recognition that all post secondary institutions would need to
comply
Quality of institutional systems would vary based on size of
institution and capacity to allocate scarce resources
Province-wide program with contributions by AET & institutions
Leveraged program management and specialized consultants to
harvest industry and institutional best practices
5




26 post secondary institutions (all but 1 or 2) engaged
2 years of projects have been successfully completed with 1
project rescheduled due to quality problems
Significant involvement of business leaders and IT experts in
projects
Team approach, high quality project deliverables, and strong
communications & training have led to rapid adoption
6




Dedicated program management and expert project
consultants freed participating institutions to focus on
contribution
Governance and approval of project and program materials
tricky but with minor rework, successful process achieved
Procurement process to contract project experts and careful
oversight of their work extremely important
Joint approach has yielded very high quality deliverables and
commitment amongst institutions share best practices
7






Rising expectations regarding organizational governance
Concern over generally increasing level of IT expenditure &
demand for better return on IT investments
Need to meet regulatory requirements
Significance of selection of service provider & management of
outsourcing
Increasingly complex risk associated with information
management & related technology
Need to optimize costs by following standards and best
practices

Growing maturity and acceptance of frameworks and standards

Need for assessment against standards and peer organizations
8
1.
Proper Governance
2.
Strategic Alignment
3.
Value Realization
4.
Risk Management
5.
Resource Optimization
9

Collaboratively develop a system-wide control
framework for managing information and related
technology that will assist with the implementation
of strategic priorities, policies and principles
through:
◦ Common best practice controls that are modifiable,
scalable and implementable
◦ A shared content management system that will foster
ongoing collaboration and effectively manage the control
life cycle
10
ITM Control Framework
COBIT
Legislation
PMBOK
WHAT
ITIL
SCOPE OF COVERAGE
ISO 2700x
HOW
11
Year 1
(2010)
Control
Framework &
Policies Project
(June 2010)
Year 2
(2011)
Information &
Technical
Management
(December 2011)
Year 3
(2012)
Information
Management
(February 2013)
Privacy
Project
(November
2010)
Enterprise
Architecture
(Resched. to Yr 3)
Change
Management
Project
(October 2010)
Governance
Project
(April 2011)
Content
Mgmt.
System
Project
(April 2012)
Identity
Management &
Information
Security
(December 2011)
Technology
Management
(February 2013)
Enterprise
Architecture
(February 2013)
Complete
In progress
Year 4
(2013)
Information
Management
... Continued
(August 2013)
Wrap-up
Project
(December 2013)
Post-Secondary System ITM Control Framework
13


Volunteers from the Institutions
Program designed to provide opportunity to
volunteer:
◦ Working Group = 6-12 hours/month
◦ Key Stakeholders = 2-4 hours/month
◦ Project Steering Committee = 2 hours/month

Composition impacts legitimacy of deliverables

Committed participants who see the bigger picture
14

PSS expert body of knowledge

Relationships

Synergy

Sharing and capture of knowledge

Bleeding edge

Ongoing support

Common foundation for future opportunities
15





Look at the framework as a whole
Determine what pieces you need and how ‘deep’ you want to
go in each area
Know your capabilities, capacity, current maturity, resource
availability
Be realistic in your planning
Assign dedicated people to manage, communicate, train and
assist with organizational change

Don’t underestimate the commitment that's required

Don’t forget to collaborate

Keep your eye on the end game
16
Program
Two business and 3 IT participants in the
program work
Section 1 –
Foundation Elements
ITM Control Framework leader assigned;
ITM policy approved by the Board in May 2012
Section 2 –
Strategic Alignment
Developing Fiscal 2014 budget in conjunction
with University Strategic alignment
Section 3 –
Risk Management
Initiated PCI improvement program;
Planning external review of IT Security
Section 4 –
Financial Management
Strengthening portfolio management;
Developing a consolidated view of full IT spend
Section 5 –
HR Management
Conducting key skills review and gap analysis
Section 6 –
IT Services Management
Documenting service portfolio;
Establishing business relationship management
processes
17
Governance & Management
Controls Overview Session
18
19
Foundation
Pieces
(17)
Human
Resources
Management
(3)
Strategic
Alignment
(4)
ITM Governance &
Management
Controls
(64)
Service
Management
Risk
Management
(26)
(8)
Financial
Management
(6)
20

Cobit 4.1
◦ Risk IT
◦ Val IT

ITIL
◦ Service Strategy
◦ Service Design
◦ Continual Service Improvement

ISO/IEC 20000, ISO 31000

Web research
Controls derived through ~3,000 hours of synthesis,
discussion and adaptation to the post-secondary
environment
21
Sustain
Momentum
Measure
Results
Identify
Drivers
Use of
maturity
models
(next slide)
Assess
Current State
Define
Desired
Future State
Execute Plan
Develop
Plan
22

1 Initial/Ad Hoc

2 Repeatable but Intuitive

3 Defined Process

4 Managed and Measurable

5 Optimized
Program Objective:
To increase the maturity level of all participating Institutions to a
COBIT Maturity Level 3 by June 2014 in the areas where the
controls have been implemented within the Institution.
23
Governance & Management
Controls Overview Session
24
Foundation
Pieces
(17)

An ITM control framework is a critical part of every
institution’s internal control program to mitigate risks and
ensure:
◦ Management understands ITM’s role and relevance in the
organization
◦ Alignment of investment with the institution mandate and
strategic direction
◦ Value delivery
◦ Compliance with external requirements
◦ Continuous improvement re: ITM processes


It is the responsibility of the Board of Governors & executive
management to communicate ITM investment objectives and
expectations re: control environment and to provide training
Planning and adequate resourcing are essential
25
Foundation
Pieces
(17)
The strategic
question
Are we doing
the right things?
The value
question
Are we doing
them the right
way?
Are we getting
the benefits?
The delivery
question
Are we getting
them done well?
The
architecture
question
26
Foundation
Pieces
(17)
Organization Role
Responsibility
Board of Governors
•
Oversight regarding strategic alignment, risk
management and value delivery of ITM
Executive Committee
•
Approval of enterprise-level investment
decisions, including adequate funding for
development, implementation, communication
and training re: ITM controls
ITM Steering Committee
•
•
Approval of ITM Control Framework
Ensures control environment aligns with
institution’s management philosophy and
operating style
Regular assessment of the maturity of the
institution’s control processes
•
CIO
Business Managers
•
Overall development and implementation of the
control environment
Reporting on progress/results
•
•
Input to development of the control environment
Responsibility for operation of many controls
•
27
Foundation
Pieces
(17)


Institution needs to appoint a ‘custodian’ or manager of the
framework and maintain a log of all compliance requirements
Comprehensive procedure required for:
◦ Identifying externally generated requirements in a timely manner
◦ Identifying internally generated requirements
◦ Escalating and resolving issues identified through
implementation/operation of the ITM Control Framework

Framework needs to be regularly reviewed
◦ Internal audit
◦ Periodic 3rd party reviews

Provide for approved and documented exceptions to
compliance with controls
28
Governance & Management
Controls Overview Session
29
Strategic
Alignment
(4)




Strategic ITM Plan is an integral element of the
comprehensive institution plan….not an afterthought!
Performance is measured using an ITM Balanced Scorecard
ITM investments should be managed across the institution in
portfolios
Outcomes
◦ Alignment of business, ITM and risk management objectives
◦ Organization, services, application portfolios, technologies,
competencies, processes & methodologies are in place to
maximize ITM contribution
◦ Bi-directional education & involvement in ITM and business
planning
◦ Regular assessment re: ITM contribution to business objectives
◦ Roadmap for addressing future needs
30
Strategic
Alignment
(4)



Clearly articulated institutional vision and priorities
Planning is considered important and closely linked to
institutional budget
ITM plan is published
◦ Formal communication strategy specific to ITM stakeholders
developed with communication strategy for comprehensive
institution plan

ITM governance practices are seen to be effective
◦ Close relationships between ITM and non-ITM organizations and
staff
◦ Informal and formal
◦ Communication with and involvement of key constituents,
especially faculty and deans
31
Comprehensive Institution Plan
Strategic
Alignment
(4)
Strategic Priorities
Goals & Expected Outcomes
Institutional
Access Plan
Performance Measures
Financial Plan
Institutional
Research
Plan
ITM Plan
Capital Plan
Plan to Plan
• Purpose
• Process
• Scope
Assess Current
ITM capability &
performance
Conduct Gap
Analysis
Describe Desired
ITM Future
Articulate Goals,
Objectives,
Strategies &
Measures
Develop
Business Cases
for Individual
Initiatives
Adjust Plan as
Required
Categorize by
Portfolio and
Prioritize
32
Strategic
Alignment
(4)
Comprehensive
Institution Plan
Business
Goals for IT
Business
Requirements
require
IT Goals
Enterprise
Architecture
deliver
Governance
Requirements
Information
Services
imply
influence
Information
Criteria*
Balanced
Scorecard
IT
Processes
run
need
Information
Applications
Infrastructure
& People
* effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
33
Governance & Management
Controls Overview Session
34
Risk Mgmt.
(8)

ITM risk is business risk

ITM risk always exists, whether it is detected or recognized


Management of ITM-related risk is an essential and strategic
component of responsible administration and should be
integrated into overall enterprise risk management
Who should be involved?
◦ Board members and senior executives who need to set direction &
monitor risk at the enterprise level
◦ Managers of ITM and business departments who define risk
management processes
◦ Risk management professionals
◦ External stakeholders
35
Risk Mgmt.
(8)

ITM benefit risk
◦ Missed opportunities to use technology to improve efficiency of
effectiveness of business processes or as an enabler for new
business initiatives

IT program and project delivery risk
◦ Failure to realize the expected contribution of ITM to new or
improved business solutions

IT operations and service delivery risk
◦ Where performance of IT systems and services does not meet
service level expectations
36
Risk Mgmt.
(8)

ITM risk management always connects to business objectives
◦ Focus is on the business outcome





ITM risk governance aligns the management of ITM-related
risk with overall ERM
ITM governance should balance the costs and benefits of
managing ITM risk
There should be open communication regarding ITM risk
Establishment of well-defined risk tolerance levels by the
Board and executive management should be coupled with
definition and enforcement of personal accountability for
operating within tolerance levels
ITM risk management is continuously improved
37
Risk Mgmt.
(8)
Risk Governance
Ensure ITM risk management
practices are embedded in the
enterprise, enabling it to secure
optimal risk-adjusted return
Integrate
with
ERM
Establish
& Maintain
a
Common
Risk View
Manage
Risk
Articulate
Risk
Make
RiskAware
Business
Decisions
Business
Objectives
Collect
Data
React to
Events
Risk Response
Ensure ITM-related risk issues,
opportunities and events are
addressed in a cost-effective manner,
in line with business priorities.
Analyze
Risk
Communication
Maintain
Risk
Profile
Risk Evaluation
Ensure ITM-related risks and
opportunities are identified,
analyzed and presented in
business terms.
38
Risk Mgmt.
(8)

Risk appetite
◦ Amount of risk the institution is willing to accept in pursuit of its
mission
 “What level of risk are we comfortable living with?”
◦ Provides context for analysis and response to individual risks by
management
◦ Defined/approved by the Board of Governors in terms of
frequency and impact
 No absolute norm or standard of what constitutes acceptable
risk
◦ Should be clearly communicated to stakeholders and staff through
policies and standards

Consider objective capacity to absorb loss & management
culture
39
Risk Mgmt.
(8)
ITM Risk Management Scoping Based on Risk Assessment Results
Very High
•
•
•
•
Detailed scenario development and frequent maintenance of the risk register
Independent review of risk analysis results
Quarterly detailed reporting on risk profile
...
High
•
•
•
•
Detailed scenario development and frequent maintenance of the risk register
Independent review of risk analysis results
Semi-annual detailed reporting on risk profile
...
Medium
•
•
•
•
Detailed scenario development for analysis
Self-assessment and review
Yearly update and quarterly summary reporting
...
Low
•
•
•
•
Self-assessment and review
Generic scenarios
Less frequent reporting
...
40
Governance & Management
Controls Overview Session
41
Financial
Management
(6)

Institution must establish a financial management framework
for information and related technology
◦ Approved by the ITM Steering Committee
◦ CIO accountable to the ITM Steering Committee for implementing
and monitoring the effectiveness of the framework and ensuring
integration with enterprise policies, standards etc.
◦ Should be formally evaluated based on schedule determined by
ITM Steering Committee


Focused on ensuring accountability and transparency re:
value contribution and total cost of ownership of information
and related technology
3 main elements:
◦ ITM budget management, portfolio mgmt. and cost/benefit
management
42
Financial
Management
(6)
Inputs
Outputs




Comprehensive
Institution Plan
Enterprise
Architecture
Information
Security Plan

Strategic ITM Plan

ITM Tactical Plans
Financial
Management
Framework



Budget
Actual
Expenditures vs.
Budget Reports
Updated portfolios
Accountability &
Transparency re:
Value Contribution
& TCO through
Cost/Benefit
Reports
43
Financial
Management
(6)
ITM Governance
Financial Management Framework
ITM Budget Management
Portfolio Management
Application
Assets
+
Infrastructure
Assets
+
Information
Assets
+
People
Assets
+
Process
Assets
+
Service
Assets
Investment Prioritization within Portfolios
Business Case Development & Use
Cost/Benefit Management
44
Financial
Management
(6)

Budget Management
1. Define strategic business objectives and determine highlevel budget envelopes
2. Develop ITM budget
3. Monitor and report on actual results
4. Develop ITM budget recommendations
45
Financial
Management
(6)

Portfolio Management
1. Define portfolios and sub-categories
2. Determine the investment ‘weight’ of each portfolio or
sub-category
3. Develop and use ITM business cases for ITM investment
4. Prioritize investments within portfolios
5. Identify HR needs across portfolios
6. Review and report on project, program and portfolio
performance
46
Governance & Management
Controls Overview Session
47
Human
Resources
Management
(3)



Processes for the management of IT human resources are an
essential part of an ITM Control Framework
CIO (not HR) is responsible for ensuring the institution has an
ITM workforce with the skills necessary to achieve
organizational and ITM goals
Main tasks:
◦ Define, monitor and supervise execution of ITM roles &
responsibilities
◦ Provide appropriate and sufficient training (technical, internal
control and security)
◦ Minimize dependency on key staff
◦ Ensure compliance with organizational policies
◦ Report to the ITM Steering Committee on key issues
48
Human
Resources
Management
(3)





Labour costs 30% - 60% of the ITM budget
Quality of ITM personnel has enormous impact on
effectiveness of the service provider organization, end-user
satisfaction, optimizing value and proactive use of technology
Market for highly proficient IT resources is competitive and
will get more so – hiring and retaining the best resources will
continue to be a critical success factor for the CIO
Unique aspects to management of IT professionals (pool
characteristics, diverse career expectations, training
requirements) exacerbates need for involvement of ITM
managers
Turnover costs are enormous (e.g., 1 – 2 times annual salary)
49
Human
Resources
Management
(3)
Inputs





Outputs
Integrated
Governance
Structure
ITM Organization
Chart
ITM Strategic &
Tactical Plans

IT Human
Resource
Management

IT skills matrix

Job descriptions

ITM Budget
Business
Requirements
IT HR policy and
procedures

Staff skills and
competencies,
including
individual
training logs
Training plans
50
Human
Resources
Management
(3)
Start
Determine
Personnel Needs
•
•
Managing
10% attrition model
IT staff career development
Key drivers of staff retention
Compensation
Handling layoffs
Management coaching
Creating performance plans
•
•
•
•
•
•
•
•
•
Develop organization chart
Perform swap analysis &
identify personnel gaps
Determine staffing strategy
– contract, permanent,
contract-to-hire
Create final hiring plan
Sourcing
•
Hiring
•
•
•
•
Finalizing an offer
decision
Checking references
Ramping up new
hires quickly
•
•
Permanent & contract
candidate sourcing
Additional screening for
permanent hires
Recruiting funnel
Working with agencies
& technical recruiters
Interviewing
•
•
•
•
•
Interviewing techniques
Interview team
Best practices for
conducting interviews
High-volume interviewing
Interviewing contractors
51
Governance & Management
Controls Overview Session
52
Service
Management
(26)
“The idea of strategic assets is important in the context of
good practice in service management. It encourages IT
organizations to think of investments in service management
in the same way businesses think of investing in production
systems, distribution networks R&D laboratories.
Strategic assets provide the basis for core competence,
distinctive performance, durable advantage and qualifications
to participate in business opportunities. IT organizations can
transform their service management capabilities into
strategic assets.”
- ITIL Service Strategy, OGC, 2011
53
Evaluating services &
identifying ways to
improve their utility &
warranty in support of
business objectives
Service
Strategy
Service
Operation
Continual
Service
Improvement
Managing services
to ensure utility &
warranty objectives
are achieved
Envisioning &
conceptualizing the set of
services required to achieve
business objectives
Service
Design
Designing the
services to meet
utility & warranty
objectives
Service
Transition
Moving services into
live production
54
Service Strategy
Strategy Management
Service Portfolio
Management
Financial Mgmt. for IT
Services
Service Demand
Management
Business Relationship
Mgmt.
Service Design
Identify Business
Requirements & Drivers
Define Services &
Develop Service Catalogue
Educate & Train Users
Service Level Management
Monitor
Service Performance & Produce
Service Reports
Develop
SLA Framework, SLAs & OLAs
Review Service,
Instigate Improvements & Update
SLAs/OLAs
Supplier Management
Develop & Align Procurement Controls
& Select Suppliers
Develop/Manage Contracts & Relationships
& Protect Enterprise Interests
Monitor
Supplier Performance
Service Continuity
Develop Service
Continuity Framework
Develop & Maintain
Continuity Plans
Test Continuity
Plans
Provide Training
on
ITM Continuity Plans
Review Plan
Effectiveness
Service
Management
(26)
ITSM Framework
Element
Description
IT Service Strategy
•
Defining a strategy to deliver services to meet the
institution’s business outcomes
IT Service Design
•
Procedures for determining, documenting and
agreeing upon requirements for new services and
documenting in a service catalogue
Service Level Mgmt.
•
Defining SLAs based on customer requirements and
IT capabilities, service metrics, roles &
responsibilities
Supplier Mgmt.
•
Aligning procurement controls with those of the
institution, identification & categorization of
supplier relationships, developing and managing
contracts, protecting IP & monitoring performance
Service Continuity
•
Developing a service continuity framework
consistent with institution business continuity
56
Questions?
57

similar documents