
Corporate Governance of IT:

ISO 38500 Case Study

Presented by:
Mark Toomey

2008 Infonomics Pty Ltd Corporate Governance of IT: ISO 38500 Case Study 2 September, 2008 Page 1
This set of presentation slides was developed for, and delivered at the itSMF Australia 11th National Conference.

The slides are now available for download by participants in the conference and other interested parties, for their personal use in self-development, and for the purpose of facilitating conversations with their colleagues, including top level management and directors. Permission is hereby given for participants to print and copy this material for these purposes only.

The slides do not equip readers with the in-depth knowledge required to enable them to provide any form of instruction or consulting advice.

Use of these slides and copies thereof for the purpose of knowledge transfer and consulting is restricted to personnel expressly approved by Infonomics and is subject to payment of a license fee.

Consultants may provide a copy of these slides to their clients without royalty providing that they are in their original form and that they are accompanied by a recommendation that Infonomics be consulted if further guidance is required.

This material was prepared to provide general guidance and stimulate debate. It should not be construed as providing professional advice and services for any particular or specific situation. As such, it should not be used as a substitute for consultation with expert advisers. Before making any decision or taking any action you should consult with Infonomics Pty Ltd or other competent professionals.

Top 5 management priorities of local CIOs
(Courtesy Peter Hind)

Priority                                    2006   2007
Aligning IT and business goals                 1      1
Improving internal user satisfaction           3      2
Business continuity/risk management            2      3
IT-enabled process improvement                 4      4
IT staff development                           6      5
Controlling IT costs                           5      6
Measuring & communicating IT value            10      7
IT governance                                  8      8
Improving project management discipline        9      9
Regulatory compliance                         11     10
Revenue generating services/products         N/A     11
Internal IT knowledge management               7     12



Source: CIO Australia Magazine State of the CIO Survey (2007)
The Midco Case Study
As presented at the CEO's briefing

IT is changing the rules of the game in delivery of education: how do we adapt and lead?

G-O-Learning

We worked through a structured process to build understanding and prepare for change

(Diagram: the process runs through four phases, Prepare, Collect, Design and Implement, with a four-draft review cycle during Design.)
1a Logistics; 1b Assertions; 1c Briefings
2a Interviews; 2b Artefacts
3 Executive Workshop
4a Develop Charter; 4b Develop Policy
5 Develop Process
6a Signoff; 6b Communication; 6c Meeting


We measured ourselves against the standard for corporate governance of IT

ISO 38500 Framework
A Model, and Six Principles

(Diagram of the ISO 38500 model.) Corporate Governance, exercised through the three tasks Evaluate, Direct and Monitor, applies six principles: Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour. Direction flows down to Corporate Management as Policies and Plans; Proposals flow up for evaluation, and Conformance and Performance are reported up for monitoring, from IT Projects and IT Operations.

Using ISO 38500
Guide for assessment and improvement

(Diagram: an assessment matrix with the six Principles as rows (Responsibility, Strategy, Acquisition, Performance, Conformance, Human Behaviour) and the three governance tasks as columns (Evaluate, Direct, Monitor).) For each cell, ask:
What does each cell mean?
How do you perform?
What should you seek to improve?
What consequences of improvement should you seek?

Do our management systems meet the needs of effective governance?
vs
Do our management systems meet the requirements of formal frameworks?
The measurement showed where we had scope for improvement

(Chart: scores against the AS8015 Principles. Midco, May 2007, is compared with 2006 research with RMIT (Industry, November 2006), where A = Financial Institution, B = Listed Industrial and C = Local Government Body.)
We considered key issues regarding assignment of responsibility for IT

Things Midco needs to change:
Clearly define responsibility
Clear alignment of role to responsibility
Assign executive responsibility
Provide staff with the skills and tools associated with their assigned responsibilities
Clarify the role of business owners
Develop and monitor performance indicators
Implement KPIs & reporting
Promote responsibility (in all directions) to all staff

Barriers to change:
Lack of vision
Role clarity
Acknowledgement and acceptance of business imperative to change
Acceptance of new approach and roles
Shared understanding of issues
Capability
Internal expertise in operational management
Executive ownership

We considered key issues regarding planning for IT

Things Midco needs to change:
Develop a business structure and process to plan
Plan process improvement first and include IT as a tool to achieve outcome
Link strategic and business planning with IT planning
Develop an IT plan
Define/clarify responsibilities
Assign responsibility
Monitor performance

Barriers to change:
Willingness to own
Current workloads
IT not seen as integral to company planning
Understanding the business
Competence
Internal expertise at all levels

We considered key issues regarding decisions to invest (spend) on IT

Things Midco needs to change:
We need to plan to know what to acquire
Ownership / Sponsorship at senior & exec levels of products
Business case methodology / formal business case process
Stakeholder consultation
Integrated planning process
Return on investment evaluation

Barriers to change:
Lack of adherence to process
Lack of resources / time to fully develop business case
Culture
Skills / competence, time & inclination
No formal steering committee
Lack of business ownership

We designed a new way of controlling our use of IT

Performance Measure: (chart of Midco, May 2007, against 2006 research with RMIT (Industry, November 2006; A = Financial Institution, B = Listed Industrial, C = Local Government Body) on the AS8015 Principles.) We can target and assess our improvement.

Governance Organisation: (organisation chart.) Council; Audit & Risk Committee, Corporate Committee and Executive Committee; Chief Executive Officer; Business Development Advisory Committee; ICT Governance Committees (Business System Steering Committee, ICT Infrastructure Steering Committee); Education Programs, Education Services and Corporate Services. Legend: Reports, Participates, Informs, Owns. Revised committee structures focus on business issues and executive responsibility.

Responsibility Policy: Everybody can understand and be effective in their role.

Process Model (IT Governance Manual): Twenty-four key processes to be detailed, showing how we translate strategy into plans, plans into projects and projects into appropriate operational capability:
Manage, update & communicate business/ICT strategy
Manage business/ICT investment budget & priorities
Measure & Report business/ICT performance
Monitor emerging technologies & trends
Evaluate business process/ICT performance
Manage business/ICT architecture
Manage business continuity
Manage business/ICT operation
Develop prioritised bus/ICT change plan
Deliver Business/ICT Initiative
Plan new business/ICT initiative
Establish business/ICT strategy
Conduct teaching and learning operations using production systems & technology infrastructure
Manage Production Change
Approve Business Case
Manage operational Risk
Manage production problems
Administer and manage the TAFE business using management & support systems & infrastructure
Conduct preventative maintenance
Select, engage & manage supplier
Manage initiative to realisation of benefits
Manage & allocate resource pool
Monitor programme/project portfolio
Define, implement and monitor Policy
Midco Developed Policy for control of IT based on the ISO 38500 principles

(Diagram: the Evaluate / Direct / Monitor matrix over the six Principles (Responsibility, Strategy, Acquisition, Performance, Conformance, Human Behaviour), labelled "Your ISO 38500 Framework".)

Strategic Policies
Your posture relative to Principles
Board role: consultation and approval

Operating policies
Specify how projects and operations are conducted
Board role: awareness

Usage policies
Rules for how people use the business systems and technology resources
Board role: part of user community.

Midco's structure for governing IT is firmly based on clear responsibility for Demand and Supply

(Diagram.)
Business Domain: How IT is used to enable and operate the business. Strategic business (Future); Business operations (Ongoing). Reference: ValIT.
Demand flows from the Business Domain to the IT Domain; Supply flows from the IT Domain back to the Business Domain.
IT Domain: How IT is managed and delivered. Effective IT enabled change; Reliable IT Service. References: ITIL, ISO 20000, ISO 27000, CoBiT etc.

Midco's system for governing IT fully integrates board oversight and management tasks.

(Diagram.)
Corporate Governance Oversight (ISO 38500), exercised by the Board: Responsibility; Rules, Direction; Performance, Behaviour, Conformance.

The System of Governance

Management:
Business Domain: How IT is used to enable and operate the business. Strategic business (Future); Ongoing business operations. Reference: ValIT.
Demand flows from the Business Domain to the IT Domain; Supply flows from the IT Domain back to the Business Domain.
IT Domain: How IT is managed and delivered. Effective IT enabled change; Reliable IT Service. References: ITIL, ISO 20000, ISO 27000, CoBiT etc.

Midco's Overarching Policy: Responsibility for IT

IT is an essential enabling resource for current and future administration of Midco and for service Delivery. Responsibility for effective, efficient and acceptable use of IT is broadly based and not confined to the Information Systems Department.

Realisation of the value of IT investments is the direct responsibility of the Chief Executive Officer and the Executive Management Team. This responsibility may not be delegated.

Capability of the company to conduct its normal administrative and service operations insofar as they are dependent on IT is the direct responsibility of the Chief Executive Officer and the Executive Management Team. This responsibility may not be delegated.

The IT Governance Committee is responsible for monitoring performance of, and acting to resolve problems with, the company's ongoing operational use of IT and with the company's IT related investment projects.

The IT Governance Committee is responsible for establishing and maintaining an effective system of governance within which the responsibilities defined in this policy are implemented.

All procedures relating to the use of IT in Midco shall contain clear and specific statements of responsibility regarding:
monitoring performance of the procedure, and maintenance and improvement of the procedure;
conduct of roles defined in the procedure.

The Chief Executive Officer and the Executive Management Team are all members of the IT Governance Committee and are collectively responsible for implementing the decisions of the Committee.

The Responsibility Policy is specific about executive and management responsibility

Responsibility for Strategy
Strategy for the ongoing and future use of IT is integral to business strategies and is the direct responsibility of the Chief Executive Officer and the Executive Management Team.
Allocation of resources for IT is the responsibility of board, acting on the advice of the Chief Executive Officer.
The IT budget is a responsibility of the IT Governance Committee with the support of the Business Systems Steering Committees and the IT Infrastructure Steering Committee.

Responsibility for Planning
Preparation of proposals for investment in IT is the responsibility of the Steering Committees.
Steering Committees are responsible for ensuring that the full intended benefits of the investment are realised.
Preparation of technical plans for IT infrastructure and software systems aspects of business initiatives is the responsibility of the Senior Manager Information Systems, working collaboratively with the corresponding Business System Steering Committee.

It establishes clear expectations of the new IT Governance committees

Responsibility for Delivery
Projects are the responsibility of the Steering Committee which was responsible for preparing the business case.
This responsibility includes ensuring that the project is properly managed and has sufficient, appropriately skilled resources to deliver the intended business outcome, and continues until acceptance by the IT Governance Committee that all attainable benefits have been delivered.

Responsibility for Operation
Day to day operation, control and maintenance of Midco's operational business systems and infrastructure is the joint responsibility of the Information Systems Department and the designated Business System Owners and Administrators.
This responsibility is subject to procedures for .. change management, problem management, data protection and security, performance and availability management and so on.
It requires clearly defined Service Level Specifications for each business system and for the IT infrastructure.

There are five further overarching policies

IT Innovation Posture (Strategy)
Defines Midco's intentions in respect of technology leadership:
how and where innovation is encouraged
how much innovation risk is acceptable.

IT Investment Controls (Acquisition)
rules for expenditure on IT (including allocation of staff resources).
business cases for new initiatives, and oversight of initiatives through to realisation of results.
controls for selection and engagement of external organisations for all classes of IT supplies.

IT Capability (Performance)
IT capabilities that are to be maintained within Midco
limits for the amount of concurrent change the organisation undertakes
level of dedicated resources available for IT and other aspects of change
benchmark targets for performance, capacity, availability, reliability, integrity and security

IT Controls (Conformance)
which controls are to be established
delegation of authority to design, implement and enforce the controls
baseline identification of the external controls (legislation, regulation, code of practice etc.) that affect planning, delivering and operating IT capabilities.

IT Human Factors (Human Behaviour)
Identify the people in the process:
involved in providing the IT capabilities
who use the business systems
business partner organisations (both upstream and downstream),
individual customers,
people seeking information.
attitude to preparing for change, and supporting people as change is delivered.
Midco's system for governing IT recognises that IT is the enabler, not the driver

Operating context of the organisation: External; Internal.

Four key elements of operating organisations:
People: who participate in business events
Process: what business events take place
Structure: where business events happen
Technology: enabling and recording events

IT intrinsic to day to day operations:
Business process specific: Transactions, Customers, etc.
Generic: Email, Telephony, Information

(Diagram: The Business System, linking People, Process, Structure and Technology.) This model is a variant on H.J. Leavitt's Model of organisational change, published in 1965.

The Fundamental Equations: Changing The Business System

(Diagram: three views of The Business System (People, Process, Structure, Technology); one is labelled Traditional IT Change Project.)

IT is now a fundamental enabler of change and is leading to new business models and new business practices. Eg e-Government.

Implementing IT enabled change involves attention to every facet of business models and practices. Internal and external factors.

The Fundamental Equations: Changing The Business System

(Diagram, building on the previous slide: a Change Program takes The Business System (People, Process, Structure, Technology), within its Business Context, to the Changed Business System (Changed People, Changed Process, Changed Structure, Changed Technology); a Traditional IT Change Project is shown alongside for contrast.)

Governing IT Enabled Change involves much more than governing technology activities.

The Executive has overall responsibility for IT

Three organisation elements: Board; IT Governance; Front-line operations.

(Organisation chart.) Board: Audit & Risk Committee, Corporate Committee, Executive Committee. Chief Executive Officer. Business Development Advisory Committee. IT Governance Committees: Business System Steering Committees; IT Infrastructure Steering Committee. Production Operations; Corporate Services. Legend: Reports, Participates, Informs, Owns.

The IT Governance Committee is the focus for key decisions about the use of IT

Purpose:
strategy for future use of (and investment in) IT is integral to and driven by the company's business strategy;
all investments in IT produce their intended outcomes;
the company's IT assets are managed and used appropriately; and
the operational performance of the company's IT resources meets reasonable expectations in an efficient, effective and acceptable manner.

Duties:
Establish and manage conformance with top level policies governing the use of IT
Set responsibility for IT, planning, acquiring, performance and conformance
Define strategy for the use of IT in service and administration, prioritise initiatives and allocate resources
Ensure appropriate business cases and plans for investment in IT
Monitor IT investments through to realisation of business outcomes.
Approve or recommend proposed investments in IT to CEO and board.
Direct and monitor appropriate Key Performance Indicators for use and delivery of IT, initiating corrective action as and when required.
Establish and monitor conformance with additional detailed policies as required to ensure that use of IT at Midco is appropriate and that Midco's assets are properly managed and protected.
Ensure that use of IT conforms with legal and regulatory requirements
Ensure that the people involved in and impacted by IT are given due consideration.
Continue development of a system of governance for IT to ensure effective, efficient and acceptable use of IT in both administration and service delivery.
The IT Governance Committee is an Executive Committee, which engages the organisation

Members:
Chief Executive Officer (Chair);
Deputy Chief Executive;
General Manager Corporate Services;
General Manager Front Line Programs;
General Manager, Production Operations.
Delegation of membership is not permitted.

Permanent attendees (non-voting):
Secretary (EA to the General Manager, Corporate Services);
Senior Manager, Information Systems (also as chair of the IT Infrastructure Steering Committee);
Chair of each Business System Steering Committee.

As-required attendees (non-voting):
Project managers (internal or external) of major business change and IT projects;
Representatives of stakeholder bodies (suppliers, customers, industry, government, IT vendors, consultants and auditors);
Additional personnel by invitation, to provide information in respect of an agenda item.

Steering committees are key to operation of the governance system

Business System Steering Committees.
Evolution of existing committees;
Focus on business process or activity, and the use of the information systems in that context;
Prepare plans, recommend investment, deliver benefits and solve problems;
Chaired by a Senior Manager responsible for key business activities within the scope of the Steering Committee.

IT Infrastructure Steering Committee.
Oversight of the company's IT infrastructure;
Oversight of operational service delivery;
Chaired by the Senior Manager, Information Systems.

The Process Model involves four primary process groups

(Diagram: stages labelled Vision, Strategy, Plan, Deliver and Operate, with the process groups numbered 1 to 4, all resting on a Policy Foundation.)
Vision: generalised intended performance, capability, profile, behaviour.
Strategy: specific business change targets, priority & sequence.
Plan: detailed actions; business case: allocate funds & resources; organise.
Deliver: business projects (people, process, structure, systems & infrastructure, technology); manage project risk; benefits.
Operate: ongoing activity: set targets; manage & report performance; ensure service; support the business.

3 Key Questions
Do today's IT systems meet ongoing needs?
Does planned business affect IT systems?
What does technology evolution mean for business?

Most of these things already happen, but we now have a different perspective

New approach to responsibility. Overarching policies to guide decisions. All processes need to be reviewed and upgraded.

Manage, update & communicate business/IT strategy
Measure & Report business/IT performance
Manage business/IT investment budget & priorities
Monitor emerging technologies & trends
Manage business/IT architecture
Evaluate business process/IT performance
Manage business continuity
Manage business/IT operation
Develop prioritised bus/IT change plan
Deliver Business/IT Initiative
Plan new business/IT initiative
Establish business/IT strategy
Manage Production Change
Conduct business operations using production systems & technology infrastructure
Manage operational Risk
Approve Business Case
Manage production problems
Administer and manage the business using management & support systems & infrastructure
Conduct preventative maintenance
Select, engage & manage supplier
Manage initiative to realisation of benefits
Manage & allocate resource pool
Monitor programme/project portfolio
Define, implement and monitor Policy
It looks complicated, but experience will make it seem easy

The Magic Roundabout in Swindon, UK looks confusing but has a lower accident rate than normal intersections, with much higher traffic flows.

Public domain photograph courtesy Wikipedia


Process outlines provide initial understanding.
Detailed process design is required.

Manage business/ICT investment budget & priorities

Purpose:
Allocate available resources efficiently and to the most appropriate activities. Adjust allocation and priority in the light of experience.
Frequency:
Annual establishment of budget overall, and determination of allocation for ongoing operation of IT, basic maintenance of business systems, and investment in new infrastructure and capability.
Responsibility:
IT Governance Committee
Requires:
Identification of the program of investment activities (derived from and aligned to strategy) with identification of likely benefits and priorities, in order to establish best sequence of activity. See Process "Develop business/ICT initiative change plan".
Note:
This process needs to be integrated to the company's overall budget setting process, so that competing demands for funding from all activities (business development, infrastructure, IT etc) are properly managed.
Midco's governance development program

(Diagram of the program stages.)
Stage one: Governance Responsibility Initiative (including Governance Committee, Business System & IT Infrastructure Steering Committees, Guiding Policies, Charters, Membership).
Following work: Strategic Plan; Assessments; Strategic Policy Delivery; Initiative Planning; Training.
Stage three: Refined Governance Process Model; Detailed Policies; Continuing Governance Operations; Governance Processes.
Throughout: Continuing current initiatives; Continuing business operations; Governance Oversight.
Midco's situation today
Continuing to evolve their system for governance of IT;
Learnings from the project supported a major restructure of the organisation;
Business is now fully engaged in setting the IT agenda and is fully responsible for deciding priority;
IT department gets on with its job free of unfair criticism, and is able to devote resources to improving service delivery;
New initiatives are getting off the ground as well defined, formal business projects for the first time in years;
Skunkworks initiatives have disappeared;
Suppliers are no longer driving the Technocitement agenda.
Information Technology allows us to change the way we do things

Corporate Governance of IT enables us to direct and control the change with confidence

(Diagram of the ISO 38500 model, as on the earlier Framework slide.) Corporate Governance, exercised through Evaluate, Direct and Monitor, applies the six principles: Responsibility; Strategy; Acquisition; Performance; Conformance; Human Behaviour. Policies and Plans flow down to Corporate Management; Proposals, Conformance and Performance flow up from IT Projects and IT Operations.

ISO 38500 provides the missing link in building an effective system of governance

(Diagram: the ISO 38500 matrix of Evaluate, Direct and Monitor against the six Principles (Responsibility, Strategy, Acquisition, Performance, Conformance, Human Behaviour) links the frameworks that control process and use of IT (CobiT, ITIL, Prince2, PMBOK, Gateway, ValIT) with direction of the organisation's structure, its people and its technology.)

(Organisation chart.) Council; Audit & Risk Committee, Corporate Committee and Executive Committee; Chief Executive Officer; Business Development Advisory Committee; ICT Governance Committees (Business System Steering Committee, ICT Infrastructure Steering Committee); Education Programs, Education Services and Corporate Services. Legend: Reports, Participates, Informs, Owns.

Discussion and Questions

