INFORMATION TECHNOLOGY GOVERNANCE
What is ‘IT Governance’?
It is the responsibility of the board and executive.
It consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
Source: ITGI
Enterprise governance drives IT governance
Enterprise governance is about:
• Conformance
– Adhering to legislation, internal policies, audit requirements, etc.
• Performance
– Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance objectives, directed by the board of directors.
Source: ITGI
What is the ‘governance of outsourcing’?
The responsibilities, roles, objectives, interfaces and controls required to anticipate change and to manage the introduction, maintenance, performance, costs and control of third-party provided services.
Source: ITGI
Literature review of selected codes, frameworks, standards and best practices
King III requirements – the link between IT governance practices and law
• Directors’ duty of care: ensure prudent and reasonable
steps taken re IT governance.
• Corporate governance practices, codes and guidelines
lift the bar of what are regarded as appropriate
standards of conduct.
• Failure to meet a recognised standard of governance,
albeit not legislated, may render a board or individual
director liable at law.
King III requirements: IT governance
• IT governance...
– is the responsibility of the board;
– should be an integral part of enterprise governance structures;
– should be owned by the board.
• The board must set the management direction. It is required to...
– assume a more significant role in terms of IT governance, and
– insist on the establishment of an IT governance management framework:
• to be based on a common approach, e.g. COBIT.
King III requirements: IT Governance focus areas
IT governance should focus on four key areas:
• strategic alignment with business;
• value delivery;
• risk management; and
• resource management.
These four King III focus areas correspond to the COBIT focus areas (www.itgi.org).
[Figure: ITGI IT governance focus-area diagram, including resource management]
Source: ITGI
Context: Best Practices
[Figure: governance elements and the best practices that address them. Non-IT-related corporate governance elements: King Reports. IT-related governance elements: ISO 38500, Val IT, CobiT, ITIL, ISO 27002, governance of outsourcing and the IT governance management framework.]
Source: Own source
Context: COBIT and VAL IT
Four questions (the "four ares"), with the framework that addresses each:
• The strategic question: Are we doing the right things? (VAL IT)
• The value question: Are we getting the benefits? (VAL IT)
• The architecture question: Are we doing them the right way? (COBIT)
• The delivery question: Are we getting them done well? (COBIT)
Source: Thorp, cited by ITGI
Industry application of governance concepts
Status: IT Governance Best Practice Implementation
Practice | Have implemented | Implementing now | Considering implementation | Not considering implementation
Alignment between IT strategy and overall strategy | 16% | 12% | 21% | 51%
IT resource management | 18% | 12% | 20% | 50%
IT value delivery | 9% | 9% | 21% | 61%
IT risk management | 9% | 9% | 16% | 66%
Actual IT performance measurement | 10% | 10% | 14% | 66%
Active management of IT ROI | 7% | 8% | 13% | 72%
(Columns follow the legend order of the original stacked bar chart.)
Source: ITGI/Lighthouse survey 2005
Generic governance framework for IT and outsourcing
Generic governance model
[Figure: two mirrored IT governance frameworks, one for the service provider and one for the outsource client. Each is layered as enterprise governance of IT, VAL IT, COBIT, compliance requirements and practitioner processes; the two are connected through an Outsource Client Interface and a Service Provider Interface.]
Source: own source
Generic process model
[Figure: the service provider and the outsource client (buyer) each run the same process set: manage enterprise; develop enterprise strategy; strategic management of product portfolio; strategic management of capacity; support processes. They connect through a Client Interface and a Service Provider Interface, with Outsource Clients 1 to n on one side and Service Providers 1 to n on the other.]
Source: own source
IT governance interrelationships (service provider perspective)
[Figure: organisational chart. Board of Directors with its IT Strategy, Compensation, Business Strategy, Finance and Audit Committees; CEO, CFO and CIO; Compliance, Audit, Risk & Security (CARS); IT Steering Committee; IT Architecture Review Board; Technology Council; Sales & Marketing and Account Management; Business Process Executives; Programme Management Oversight Office (PGMO); HR.]
Source: ITGI, own source
IT governance interrelationships (service provider perspective)
[Figure: the same organisational chart with two further bodies added: the Investment & Services Board (ISB) and the Value Management Office (VMO).]
Source: ITGI, own source
Conclusion
• Best practices not widely adopted
• Significant room for improvement in most
companies’ IT governance domain
• Governance best practices address outsourcing
governance only to limited extent
• A focused effort is required by SA companies to ensure compliance with the King III principles for good IT governance
• The generic framework that has been formulated
addresses the need for an integrated approach to IT
governance
Backup slides
COBIT & Other IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and
best practices. These must be understood in order to consider how they
can be used together, with COBIT acting as the consolidator (‘umbrella’).
[Figure: COSO, COBIT, ISO 9000, ISO 27002 and ITIL positioned on a WHAT-to-HOW axis against scope of coverage.]
Source: ITGI
Where Does COBIT Fit?
[Figure: layers from drivers down to processes, split into performance and conformance.]
• Drivers: business goals (performance); Basel II, Sarbanes-Oxley Act, etc. (conformance)
• Enterprise governance: Balanced Scorecard (performance); COSO (conformance)
• IT governance: COBIT
• Best practice standards: ISO 9001:2000, ISO 27002, ISO 20000
• Processes and procedures: QA procedures, security principles, ITIL
Source: ITGI
COBIT Framework
Business objectives and governance objectives drive the COBIT framework. It addresses seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and four IT resources (applications, information, infrastructure, people) through 34 processes in four domains:
• Plan and Organise (PO)
– PO1 Define a strategic IT plan.
– PO2 Define the information architecture.
– PO3 Determine technological direction.
– PO4 Define the IT processes, organisation and relationships.
– PO5 Manage the IT investment.
– PO6 Communicate management aims and direction.
– PO7 Manage IT human resources.
– PO8 Manage quality.
– PO9 Assess and manage IT risks.
– PO10 Manage projects.
• Acquire and Implement (AI)
– AI1 Identify automated solutions.
– AI2 Acquire and maintain application software.
– AI3 Acquire and maintain technology infrastructure.
– AI4 Enable operation and use.
– AI5 Procure IT resources.
– AI6 Manage changes.
– AI7 Install and accredit solutions and changes.
• Deliver and Support (DS)
– DS1 Define and manage service levels.
– DS2 Manage third-party services.
– DS3 Manage performance and capacity.
– DS4 Ensure continuous service.
– DS5 Ensure systems security.
– DS6 Identify and allocate costs.
– DS7 Educate and train users.
– DS8 Manage service desk and incidents.
– DS9 Manage the configuration.
– DS10 Manage problems.
– DS11 Manage data.
– DS12 Manage the physical environment.
– DS13 Manage operations.
• Monitor and Evaluate (ME)
– ME1 Monitor and evaluate IT performance.
– ME2 Monitor and evaluate internal control.
– ME3 Ensure compliance with external requirements.
– ME4 Provide IT governance.
Source: ITGI
Interrelationship of the COBIT Components
[Figure: business goals drive IT goals (requirements, information), from which IT processes are derived. Each process is broken into key activities and control objectives, on which control practices, control outcome tests and control design tests are based, and is managed through a responsibility and accountability chart, performance indicators, outcome measures and maturity models.]
Source: ITGI
Dimensions of Maturity
[Figure: three-dimensional maturity model. Axes: HOW (capability, maturity levels 0 to 4 shown), HOW MUCH (coverage, up to 100%) and WHAT (control). Primary drivers: IT mission and goals; risk and compliance; return on investment and cost-efficiency.]
Source: ITGI
VAL IT domains & processes
• Value Governance (VG)
– Establish informed and committed leadership
– Define and implement processes
– Define portfolio characteristics
– Align and integrate value management with enterprise financial planning
– Establish effective governance monitoring
– Continuously improve value management practices
• Portfolio Management (PM)
– Establish strategic direction and target investment mix
– Determine the availability and sources of funds
– Manage the availability of human resources
– Evaluate and select programmes to fund
– Monitor and report on investment portfolio performance
– Optimise investment portfolio performance
• Investment Management (IM)
– Develop and initiate the initial programme business case
– Understand the candidate programme and implementation options
– Develop the programme plan
– Develop full life-cycle costs and benefits
– Develop the detailed candidate programme business case
– Launch and manage the programme
– Update operational IT portfolios
– Update the business case
– Monitor and report on the programme
– Retire the programme
Source: ITGI
Road map to IT governance
• Identify needs
– Raise awareness and obtain management commitment
– Define scope
– Define risks
– Plan programme
– Define resources and deliverables
• Envision solution
– Assess actual performance
– Define target for improvement
– Analyse gaps and identify improvements
• Plan solution
– Define projects
– Define improvement plan
• Implement solution
– Implement the improvements
– Monitor implementation performance
– Review programme effectiveness
• Operationalise solution
– Build sustainability
– Identify new governance requirements
Source: ITGI