firms with effective IT governance have 20% higher profits than their competitors (MIT, 2009)
Gooimeer 4, 1411 DC Naarden, Netherlands. Tel: +31 35 6783922. Web: www.bastagroup.nl. Email: office@bastagroup.nl
BastaGroup bv 2010
MATS BEEM @
Content
- introduction
- the courses & workshops
- why should I have IT governance at all?
- why ISO 38500?
- ISO 38500: for whom?
- the 6 principles
- the model
- evaluating, directing and monitoring
BastaGroup bv 2011
- ISO 38500 has a stakeholder rather than shareholder focus
- it tells you what you should have, not how you should do it, but some requirements have far reaching consequences
- some suggestions on how to implement are included
- our implementation guideline comes with an implementation workshop
- existing IT governance frameworks (like BiSL) do not address the board & director level, or are too complex (COBIT)
- estimated over $50 Billion write-offs per year on IT
- after software development projects have been delivered, the estimated costs of software defects are still $60 Billion annually (USA, National Institute of Standards and Technology, 2002)
but: failing IT can have major impact on the bottom line and can even cause the company to fail.
Example, case CETECO:
- during explosive growth, a software implementation failed
- as a result the company no longer had insight in who owed them money or who had paid
- the company is now bankrupt and all directors have been sentenced to pay damages to the shareholders (current estimation 190 Million)
ISO 38500: the principles
1. responsibility
2. strategy
3. acquisition
4. performance
5. conformance
6. human behaviour
ISO 38500: responsibility the responsibility principle:
- understanding (what does the responsibility mean) and accepting (I agree that I am responsible and I feel responsible) responsibility for supply and demand of IT
- those responsible have the authority (explicit and well documented, part of the normal, overall command structure)
ISO 38500: strategy the strategy principle:
- the business strategy takes into account the current and future capabilities of IT (does the strategy make appropriate use of what IT can and cannot do, does the strategy take into account what needs to be changed in IT in order to achieve the business goals)
- the IT strategy satisfies the business requirements (having been involved in establishing current requirements and being involved in regular evaluations, being involved in the processes of business planning and strategic planning)
ISO 38500: acquisition the acquisition principle:
- IT is acquired for valid reasons (in line with business & IT planning), based on appropriate and current analysis (positive business case with regular evaluations), with clear (unambiguous) and transparent (process and reasoning are clear to all who need to know) decision making
- there is appropriate balance between benefits, opportunities, costs and risks, both in the short and long term (does the business case take all of the above into account?)
ISO 38500: performance the performance principle:
- IT is fit for purpose in supporting the organisation, providing the right services at the right service levels, for both current and future requirements (there is no such thing as a good car: a minivan, a truck and a sports car all serve different purposes; likewise there is no such thing as good IT, it needs to be fit for purpose)
ISO 38500: conformance the conformance principle:
- IT complies with all mandatory legislation and regulations (e.g.: security standards, privacy legislation, spam legislation, trade practices legislation, record keeping requirements, environmental legislation, health and safety legislation, accessibility legislation, social responsibility standards)
ISO 38500: human behaviour the human behaviour principle:
- IT policies, practices and decisions demonstrate respect for human behaviour, including the current and evolving needs of all the people in the process
[ISO 38500 model diagram: directors evaluate, direct and monitor. Inputs: business pressures, business needs. Direct via: plans & policies, proposals. Monitor: performance, conformance. Applied to: business processes, IT projects, IT operations.]
- strategy:
- business planning: have the IT director in on all meetings where you have business directors & have actions & decisions documented of each meeting
- at least once a year, organise a session, challenging the business directors, IT director, BIM & architecture, to come up with ways to address strategic business issues, solving problems & coming up with possibilities to improve the competitive position; make sure business and IT make it a common activity
- organise a session (at least once a year), challenging the IT director, BIM and architecture, to join forces with at least one business director and his delegates, to come up with concrete improvement plans based on the suggested ideas in the strategy sessions
The responsibility principle in practice:
- evaluate: what are the options for assigning responsibilities? Taking into account the way IT should support the business & the competencies of the people, give those responsibilities: business managers should be responsible, supported by IT specialists. In order for them to be responsible and successful, the business managers need to be IT savvy (be able to judge IT) and IT managers need to be business savvy (at least understanding business processes and values in the context of the business strategy)
- direct: directors should assure that plans are carried out in line with responsibilities and that they get the right information to carry their (directors') responsibility
- monitor: are the right mechanisms in place? Do all understand and take their responsibility? What is their performance?
ISO 38500: strategy, about competencies and business IT alignment/integration
- 60-80% of IT project failures* can be attributed to poor requirements, poor analysis, miscommunication.
What to do:
- put together a program for (at least) senior IT staff, to learn about the business
- ditto for teaching non-IT managers & directors enough about IT (IT-savvyness programme)
- an IT posting should be part of all career paths to the top
- don't compromise on quality when hiring Business Information Managers and architects (see next two slides)
Architecture:
- technical architects:
  - can conceptualise technical issues
  - can operationalise technical concepts (NOT the same as the above!)
  - oversee the whole of the technology architecture and understand how things are connected and how they impact each other
  - know about construction by theory and experience
- business architects:
  - can conceptualise business issues
  - can operationalise concepts (broader than just technical)
  - oversee the whole and understand how things are connected and how they impact each other
  - translate business goals into technology solutions, working with technical architects and specialists
  - score high on the in-basket test
The acquisition principle in practice:
- evaluate: professional judgement of business cases (treated like other business cases); look at IT alternatives for the proposed solution (there is always an alternative); use the appropriate interest rate/IRR (internal rate of return): cost of money in the financial markets; when there is risk, you risk adjust (see SFB's Return on IT presentation)
- direct: have the right people involved (judgement, professional skills & the numbers) and use a professional process and documentation
- monitor: make sure you can get the numbers from your financial system exactly the way you made your business case; involve suppliers enough in the process to have a common understanding of why and under what conditions you want to acquire
*our experience shows that responsibilities aren't as well described as the board expects them to be
The performance principle in practice:
- fit for purpose: being able to judge if IT is fit for purpose requires alignment to function properly (see the strategy principle and the SFB presentation: how to get business IT alignment right)
- risk: addressed by having proper processes for the whole of IT in place and getting the risk management as a result. If all risk areas are addressed in isolation, the cost usually rises and the agility will suffer
- evaluate: are proposals for renewal or innovation addressing all relevant issues, and if we agree on the proposals, does it provide us with the IT we need?
- direct: direct those responsible to make sure the business gets what it needs when it needs it, and make sure the right resourcing is available
- monitor: can you actually conclude that you get the IT your organisation needs? (supporting the business, right priority resourcing, policies followed properly)
The conformance principle in practice:
- evaluate:
  - conformance to internal policies and guidelines, regulatory, legal and contractual obligations, and to professional guidelines where applicable
  - conformance to the (organisation's own) system of governance of IT
- direct:
  - those responsible to establish mechanisms that ensure compliance with relevant obligations
  - to ensure that policies exist and are enforced that enable the organisation to comply with internal obligations
  - that IT staff follow relevant guidelines for professional behaviour and development
  - actions relating to IT to be ethical
- monitor:
  - compliance and conformance using appropriate reporting and audit practices
  - IT activities to ensure that all relevant obligations are met
The human behaviour principle in practice:
- evaluate: ensure that human behaviours are identified and considered
- direct:
  - IT activities to be consistent with human behaviours
  - that any issue (risk, opportunity, concern, generic issue etc.) can be raised by anyone at any time
  - issues that are raised are addressed according to the rules (policies, procedures) and escalated to the right level of decision making