IT Governance Ph.D. Indira Guzman

What is IT Governance? 2 Information Technology Governance (Gobierno de TI) es una disciplina subconjunto de Gobierno Corporativo centrada en el rendimiento de las tecnología de la información (TI) y su y la gestión del riesgo. El creciente interés en IT Governance se debe en parte a las iniciativas de cumplimiento de reglamentos (por ejemplo, la ley Sarbanes-Oxley (EE.UU.) y Basilea II (Europa)), así como el reconocimiento de que los proyectos de TI puede salir fácilmente fuera de control y afectar profundamente el desempeño de una organización. 2

IT governance IT governance es responsabilidad del consejo de administración y la gestión ejecutiva. Es una parte integrante de la gobernanza empresarial y consiste en el liderazgo y las estructuras organizativas y procesos que garanticen que la organización de TI sea capaz de sostener y extender las estrategias de la organización y sus objetivos What is IT Governance? ITGI, Board Briefing on IT Governance

IT Governance se ocupa de… Quien toma las decisiones (poder) Porque ellos las toman (alineamiento) Como se las toman (proceso de toma de decisiones) Idealmente las decisiones son tomadas conjuntamente entre la administración del negocio y la administración de TI. Es importante la comunicación efectiva y eficiente entre TI y el negocio. Aspectos críticos para la apropiada toma de decisiones respecto a TIs.

A 2002 Gartner survey found that 20 percent of all expenditures on IT is wasteda finding that represents, on a global basis, an annual destruction of value totaling about US $600 billion. A 2004 IBM survey of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organizations. A 2006 study conducted by The Standish Group found that only 35 percent of all IT projects succeeded while the remainder (65 percent ) were either challenged or failed. En los últimos años, las encuestas han revelado de manera consistente que del 20 al 70 por ciento de las inversiones a gran escala de cambios basados en TI presentan perdidas o no resultan en las ganancias calculadas para la empresa (De hecho, una encuesta sobre la medición de los costos y valor, encontró que en muchas empresas, menos del 8 por ciento del presupuesto en TI se gasta en las iniciativas que realmente crean algún valor/retorno para la empresa. Reference: Val IT Framework 2.0 Motivos de su Importancia

Nike reportedly lost more than US $200 million through difficulties experienced in implementing its supply chain software. Failures in IT-enabled logistics systems at MFI and Sainsbury in the UK led to multimillion-pound write-offs, profit warnings and share price erosion. Tokyo Gas reported a US $46.6 million special loss due to cancellation of a large customer relationship management (CRM) project. In the public sector, the UK Department for Work and Pensions apparently squandered more than £2 billion by abandoning three major projects. Headlines around the world corroborate these findings: Reference: Val IT Framework 2.0

What Makes IT Governance so important? Strategic importance of IT Extended Enterprise Regulatory requirements Cost optimisation Return on investment Drivers Low return from high-cost IT investments, and transparency of ITs performance are two top issues More than 30% claim negative return from IT investments targeting efficiency gains 40% do not have good alignment between IT plans and business strategy Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%) Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful ITGI 2005 Survey early findings confirm concerns

Forces Driving IT Governance Compliance Security Business/IT Alignment ROI Project Execution

What makes IT Governance so important? Shareholders want protection for the Enterprises Share Price …if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprises ability as a going concern… "... Si no es parte del informe, el auditor debe incluir un párrafo en su informe anual que no puede dar fe de la capacidad de la empresa de seguir como negocio en marcha..." …financial reporting system is not up to speed… …the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system… …data entry problems…

Mayores Preocupaciones de los lideres en TI para el 2008 (segun una encuesta de la revista ComputerWorld) # 1 on this list is IT Governance, including business alignment From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc.

Why is IT Governance important? 11 IT are in competition for budget – Business is beating IT to and for budget IT needs to become a business focused discipline IT is viewed by senior management as Fire Fighters and not Planners or implementers IT is viewed as a monetary drain on business IT needs to compete effectively at the C level Business does not perceive IT as value for money

Governance Issues Human interface Records Management Education Laws of the Land & beyond

Risk Issues

14 Legislative Issues

Security Issues

Internal Threats

External Threats

Physical Security

19 What should Information Technology Governance Deliver? Executives should focus on Information Technology Governance, which when properly implemented should provide the following:

20 Un tema general de IT Governance se refiere a que las capacidades de TI ya no puede ser algo que los que administran el negocio no entiendan y que también TI debe entender el negocio y sus necesidades. El manejo de TI ha sido siempre un problema para los ejecutivos de alto nivel de una empresa debido a la naturaleza técnica de las TI; por lo tanto, las decisiones clave fueron dejadas a los profesionales de TI. IT Governance implica un sistema en el que todas las partes interesadas, incluida la Junta, los clientes internos y áreas afines tales como las finanzas, tienen la información necesaria para la toma de decisiones. Esto evitará que un solo actor, por lo general de TI, sean culpados por malas decisiones. También evita que los usuarios más tarde se quejen de que el sistema no se comporta como se esperaba. 20 Caracteristicas

Caracteristicas (Cont.) 21 Lo más importante - El Consejo (de ejecutivos) tiene que entender la arquitectura de las TI de su empresa, asegurarse de que conoce los recursos de información disponibles, en qué estado están, y qué papel desempeñan en la generación de ingresos... 21

Objetivos de IT Governance 22 Los objetivos principales son: (1)asegurar que las inversiones en TI generen valor para el negocio (Ej. ganancias). (2) mitigar los riesgos asociados con TI. Esto puede hacerse mediante la aplicación de una estructura organizacional con funciones bien definidas sobre su responsabilidad de la información, procesos del negocio, aplicaciones, la infraestructura que son comunicados a toda la organización.

GRC Model view – supporting IT Governance

Alternativas de IT Governance Presupuesto (como y porque) Career crossover (mejorar relaciones y entendimiento) CIO-CEO Comunicacion/negociacion IT generando ventaja competitiva Educacion en TI y el Negocio Intermediarios (Liaison) Ubicacion del Departamento de Sistemas Estructura/dependencia Socios y consultores Riesgos compartidos Procesos (proceso de aprobacion de proyectos, planes, estrategias)

A quienes afecta? Senior Management CIOs CISOs IT Managers IT staff and IT centric organizations

IT Governance Institute IT Governance Institute is a non-profit research think-tank associated with ISACA ®

IT Governance Institute Product Suite Board Briefing on IT Governance Information Security Governance C OBI T 4.1 Val IT IT Governance Implementation Guide C OBI T Control Practices IT Assurance Guide Governance, Security and Assurance Management Business and Technology Management Governance

An Overview of IT Governance

IT Governance Needs a Management Framework Driving Forces Map Onto the IT Governance Focus Areas IT GOVERNANCE VALUE DELIVERY STRATEGIC ALIGNMENT RESOURCE MANAGEMENT RISK MANAGEMENT PERFORMANCE MEASUREMENT

Strategic alignment, focuses on ensuring the linkage of business and IT plan; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and establishing collaborative solutions to Add value and competitive positioning to the enterprises products and services Contain costs while improving administrative efficiency and managerial effectiveness IT Governance Focus Areas

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc) IT Governance Focus Areas

Risk management requires risk awareness of senior corporate officers, a clear under- standing of the enterprises appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations IT Governance Focus Areas

Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource IT Governance Focus Areas

Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measur-able beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow. IT Governance Focus Areas

IT Governance Life Cycle

IT Governance Control Cycle

Assess Environment Based on C OBI T ®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy Establish risk management strategy Formally document existing processes

IT Governance Control Cycle Maintain IT Controls Framework Develop controls framework to supports sound business decisions Document integration points in the current environment Create an organizational mechanism to support the governance of IT Mitigate identified risks through the IT controls framework

IT Governance Control Cycle Develop & Refine Governing Documents Utilize a central repository for governing documents Develop a consistent approach for creating governing documents Consistently apply processes and procedures Gain executive commitment for IT governance frameworks and structure

IT Governance Control Cycle Communicate and Train Provide Tone at the Top Develop a strategic communication plan for mission objectives and overall management direction Execute strategic communication plan Implement a standard training program to avoid unnecessary and redundant training

IT Governance Control Cycle Implement and Operate Align staff responsibilities with IT control objectives Achieve sustainability of IT controls in the operational environment Support continuous improvement of operational effectiveness and accountability

IT Governance Control Cycle Measure and Validate Revise current metrics program to include newly defined controls Verify the sustainability of defined controls Develop cost effective automated measurements Measure all processes to include Applications, Databases, Platforms and Networks

IT Governance Control Cycle Monitor and Report Report on continued effectiveness of controls Increase transparency to auditors of issues and actions taken Accurately attest to ITs compliance with policy, laws, and regulations Improve existing processes using metrics trending

IT Governance Control Cycle Enforce Reinforce required policy compliance and standards conformance Define a consistent approach for enforcement across all processes