
The 1st ACM Workshop on Information Security Governance
November 13, 2009, Chicago, USA

Strengthening Employees' Responsibility to Enhance Governance of IT: COBIT RACI Chart Case Study

Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxembourg

Introduction:
Governance of IT is becoming more and more necessary
- Sarbanes-Oxley Act: transparency regarding accounts
- Basel II: management of operational risk and assignment of people to that task
- ISO/IEC 38500:2008: provides six principles for corporate governance of IT, one of them dedicated to responsibility

Need for more responsibility, transparency, accountability, ethics, commitment

Introduction:
Companies are used to working with well-known management frameworks such as:
- ITIL (IT Infrastructure Library): a public library that focuses on IT service management for high-quality service provision
- CIMOSA: an enterprise architecture model to define industrial computer system architecture
- ISO/IEC 15504 [7]: a framework for the assessment of software processes
- COBIT

As many responsibility models as frameworks

Introduction:
Many responsibility models means:
- No consensus between frameworks / no unique one
- No interoperability
- Many interpretations of the concepts

Objective of the research:
Defining a common responsibility model

Research methodology:
- Analysis of the literature
- Elaboration of a responsibility model
- Successive refinement by comparing it with professional frameworks

Responsibility: Foreword
Responsibility: abstract or concrete concept?

Many definitions in the literature. L. Cholvy proposes three of them:
- def 1: something bad happened and you caused it or could have prevented it
- def 2: obligation or moral duty to report or explain your actions or someone else's actions to a given authority (answerability)
- def 3: position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)

def 1 vs. def 2: blame
def 2 vs. def 3: answerability vs. accountability = position (rules)

Responsibility: Foreword
D'Arcy McCallum:
- Responsibility is not something that you can actually assign to someone
- Responsibility, in fact, has to come from within
- A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality
- And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality

Commonly accepted responsibility definitions encompass the idea of having the obligation to ensure that something happens.

Accountability

Model fragment (UML class diagram on the slide, rendered as text):
- Responsibility [1] composes [1..*] Accountability
- Accountability [1] composes [1] Answerability
- Accountability composes [0..1] Sanction

Accountability:
- Obligation or moral duty to report or explain the action or someone else's action to a given authority [Cholvy et al.]
- Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
- Accountability is composed of one answerability and zero or one sanction [Fox]

Functional vs. Managerial Obligation

Model fragment (diagram rendered as text):
- Responsibility [1] composes [1..*] Accountability and composes Obligation
- Accountability composes [1] Answerability and [0..1] Sanction
- Obligation is of type Functional Obligation or Managerial Obligation
- Answerability [1] concerns [1..*] Functional Obligation and [0..*] Managerial Obligation

- Obligation: the most frequent concept
- Functional vs. structural obligation [Dobson]:
  - functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
  - structural (managerial) obligation: what an employee must do in order to fulfil a responsibility, such as directing, supervising and monitoring

Accountability, Answerability, Transparency

Model fragment (diagram rendered as text):
- Responsibility [1] composes [1..*] Accountability
- Accountability is of type Soft Accountability or Hard Accountability
- Accountability composes [1] Answerability and [0..1] Sanction
- Sanction is of type Positive Sanction or Negative Sanction
- Accountability generates Transparency; Transparency is of type Clear or Opaque

- Sanction is positive or negative: a compensation or a remediation [Fox]
- Transparency is clear: information access policies and reliable information
- Transparency is opaque: information revealed only nominally and on an ad hoc basis

Rights

Model fragment (diagram rendered as text):
- Responsibility [1] composes [1..*] Accountability, Obligation and Right
- Responsibility requires [0..*] Capability
- Right is of type Access Right, Authority ("needed for") or Delegation Possibility
- Accountability composes [1] Answerability and [0..1] Sanction
- Obligation is of type Functional Obligation or Managerial Obligation; Answerability [1] concerns [1..*] Functional Obligation and [0..*] Managerial Obligation

Common but not systematically embedded concepts:
- Capability: describes the possession of the requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Yu et al.][Qingfeng et al.]
- Authority: the power to command and control other employees (CIMOSA)
- Delegation right: the right to transfer some part of the responsibility to another employee

Delegation

Model fragment (diagram rendered as text):
- Commitment Antecedents [1..*] activate Commitment; Employee [0..*] pledges [1..*] Commitment
- Employee is assigned [0..*] Responsibility; an Employee delegates a Responsibility to another Employee ("delegate" / "is delegated")
- Responsibility composes Obligation, Accountability and Right, and requires Capability
- Right is of type Delegation Possibility [1..*], required for delegation
- Accountability composes [1] Answerability and [0..1] Sanction
- Obligation is of type Functional Obligation or Managerial Obligation; Answerability [1] concerns [1..*] Functional Obligation and [0..*] Managerial Obligation

Delegation vs. affectation:
- Affectation or assignment is the action of linking an employee to a responsibility
- Delegation is the transfer of an employee's responsibility assignment to another employee
- Right to further delegate the same obligation or not [Sommerville]
- Delegation of accountability or not [Norman]

Commitment

Model fragment (diagram rendered as text): as in the delegation fragment, Commitment Antecedents [1..*] activate Commitment, Employee [0..*] pledges [1..*] Commitment, an Employee is assigned or delegated Responsibility, and Responsibility composes Obligation, Accountability (Answerability [1], Sanction [0..1]) and Right (Delegation Possibility), and requires Capability.

- Moral engagement to fulfil the action; difficult to integrate in a formalized framework
- The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O'Reilly and Chatman]
- The relative strength of an individual's identification with and involvement in a particular organization [Mowday]
- A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto]

Commitment

Commitment model (diagram rendered as text):
- Commitment is of type Affective, Continuance or Normative
- Commitment Antecedents [1..*] activate [1] Commitment; antecedents are of type Side-bets, Feeling of Obligation, Belief in Goals and Values, Willingness to Exert Efforts, Desire to Maintain Membership
- Commitment contributes to Commitment Outcomes, of type Employee Performance, Citizenship Behavior, Employee Retention
- Employee [0..*] provides Commitment

Complete responsibility model

Diagram rendered as text:
- Commitment Antecedents [1..*] activate Commitment; Employee [0..*] pledges [1..*] Commitment
- Employee is assigned [0..*] Responsibility and may delegate it to another Employee ("delegate" / "is delegated")
- Responsibility [1] composes [1..*] Obligation, Accountability and Right, and requires Capability
- Accountability composes [1] Answerability and [0..1] Sanction
- Obligation is of type Functional Obligation or Managerial Obligation; Answerability [1] concerns [1..*] Functional Obligation and [0..*] Managerial Obligation

The COBIT responsibility model

RACI chart (diagram rendered as text):
- Control composes [1..*] Action
- Employee holds [0..*] Role
- A Role is Responsible, Accountable, Consulted or Informed for an Action

- COBIT's controls are composed of actions to perform (obligations)
- Employees hold roles like CEO, CFO, CIO, PMO, Head Operations, Business Executive, ...
- COBIT's responsibility model is formalized through a RACI chart (matrix) attached to each of the 34 COBIT processes
- RACI stands for Responsible, Accountable, Consulted and Informed
- A role may be Responsible, Accountable, Consulted or Informed depending on the control and the task to perform

The COBIT responsibility model

RACI chart (diagram rendered as text): Control composes [1..*] Action; Employee holds [0..*] Role; a Role is affected to an Action as Responsible, Accountable, Consulted or Informed; the Action is analyzed by the Consulted role and viewable by the Informed role.

- Responsibility and Accountability are at the same conceptual level, as parts of the RACI chart
- Accountability: the employee who provides direction and authorizes an action
- Responsibility: the employee who gets the action done
- An individual assumes his/her responsibility and is usually held accountable
- Whether it is possible to be responsible and accountable at the same time is left open
- "IT management has the resources and accountability needed to meet service level targets" (COBIT)
- Accountability is possessed and, as a consequence, may be seen rather as a capability (or a right) than as an accountability (or an obligation)

The COBIT responsibility model

RACI chart (diagram rendered as text): as on the previous slide, plus Action needs [0..*] Capability and Employee [0..*] is affected to Capability [1..*].

- Capability does not exist systematically in COBIT. It is necessary for an employee to perform an action.
- Authority: person or group who has the authority to approve or accept the execution of an action
  - A type of right to approve or accept an action. Authority is something provided to the person responsible, e.g. the action "Assign sufficient authority to the problem manager".

The COBIT responsibility model

RACI chart (diagram rendered as text): as on the previous slide, plus Employee [0..*] pledges Commitment and Action needs Capability.

- Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility.
- Commitment appears in many controls but is not explicitly defined:
  - "[...] employees are mindful of their compliance obligation" (commitment antecedent)
  - "A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established"
  - "Obtain commitment and participation from the affected employees in the definition and execution of the project [...]"

Proposed integration in COBIT

Integrated model (diagram rendered as text):
- Employee [0..*] is linked to Responsibility by Affectation/Delegation; Employee pledges Commitment; Commitment Antecedents [1..*] activate Commitment
- Responsibility [1] composes [1..*] Accountability, [1] Obligation and Right; Responsibility requires [0..*] Capability
- Accountability composes [1] Answerability and [0..1] Sanction
- Obligation composes Managerial Obligation(s) and Functional Obligation(s)
- Consulted is a type of Responsibility; Informed is a type of Right

- Obligation, Right, Capability and Commitment are systematically integrated
- Accountability is no longer perceived as an attribute that links an employee to an action, on the same level as responsibility, but as a component that composes this responsibility
- Informed is no longer perceived as a type of allocation/assignment of a role to an action but as a type of right for a responsibility
- Consulted is no longer seen as a type of allocation/delegation of a role to an action but as a type of responsibility

COBIT RACI Chart Case Study

Action: Identify system owners
From: PO4 Define the IT Processes, Organisation and Relationships
RACI (row of the PO4 chart; cell values as described on the following slides):

Activity / Function | CFO | Business Executive | CIO | Business Process Owner | Head Operations | Chief Architect | Head Development | Head IT Administration | PMO | Compliance, Audit, Risk and Security
Identify System Owners | C | C | A | C | R | I | I | I | I | I
Enhancement 1
(RACI row as above: Head Operations = R, CIO = A)

- HO is responsible: he gets the activity done but is not accountable for it. What happens if he doesn't do it?
- CIO is accountable: he is answerable and sanctionable.
- Proposed: HO is responsible and accountable for the task; CIO is responsible and accountable for the managerial obligation regarding the task.

Enhancement 2
(RACI row as above: CFO, Business Executive and Business Process Owner = C)

- CFO, BE and BPO are consulted. Does it imply something for them?
- Consulted is not only a function; it is a responsibility.
- This means that the responsibility components need to be clarified, i.e. the obligation, the accountability and the right.

Enhancement 3
(RACI row as above: Chief Architect, Head Development, Head IT Administration, PMO and Compliance/Audit/Risk/Security = I)

- CA, HD, HITA, PMO and CARS are informed. Is the information absolutely necessary for everyone?
- Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for that other task.
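The three enhancements above, and the "Proposed integration in COBIT" slide, describe a mapping from the four RACI letters onto the responsibility model (Responsibility = obligation + accountability + rights, accountability = answerability + optional sanction). The following is an added worked example, not code from the presentation, from COBIT or from the authors: it encodes that model as Python dataclasses and rewrites the "Identify system owners" row (cell values as given on the slides) according to Enhancements 1 to 3. The "exactly one Accountable, at least one Responsible" sanity rule is common RACI practice and an assumption here, as are the parameter names `consulted_spec` and `informed_use` and the sample consumer task "Plan IT projects".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Raci(Enum):
    R = "Responsible"
    A = "Accountable"
    C = "Consulted"
    I = "Informed"


@dataclass(frozen=True)
class Accountability:
    """Accountability = one answerability + zero or one sanction [Fox]."""
    answerability: str                  # what must be reported, and to whom
    sanction: Optional[str] = None      # compensation (positive) or remediation (negative)


@dataclass
class Responsibility:
    """Responsibility = obligation + accountability + rights, requiring capabilities."""
    role: str
    action: str
    obligation_kind: str                # "functional" (do the task) or "managerial" (direct/supervise it)
    obligation: str
    accountability: Accountability
    rights: List[str] = field(default_factory=list)
    capabilities: List[str] = field(default_factory=list)


@dataclass
class AccessRight:
    """Enhancement 3: 'Informed' becomes a right to information, tied to the task that uses it."""
    role: str
    information: str
    used_for_task: Optional[str]        # None = nobody has said what the information is for


@dataclass
class Rewrite:
    responsibilities: List[Responsibility] = field(default_factory=list)
    access_rights: List[AccessRight] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)   # what still has to be clarified


# Constructed input: the PO4 row "Identify system owners" with the cell values
# described on the slides (HO = R, CIO = A, CFO/BE/BPO = C, all others = I).
IDENTIFY_SYSTEM_OWNERS: Dict[str, Raci] = {
    "CFO": Raci.C, "Business Executive": Raci.C, "CIO": Raci.A,
    "Business Process Owner": Raci.C, "Head Operations": Raci.R,
    "Chief Architect": Raci.I, "Head Development": Raci.I,
    "Head IT Administration": Raci.I, "PMO": Raci.I,
    "Compliance, Audit, Risk and Security": Raci.I,
}


def rewrite_raci_row(action: str, row: Dict[str, Raci],
                     consulted_spec: Optional[Dict[str, dict]] = None,
                     informed_use: Optional[Dict[str, str]] = None) -> Rewrite:
    """Rewrite one RACI row into the responsibility model (assumed parameter names).

    consulted_spec: per Consulted role, the clarified {"obligation", "answerability",
                    optional "sanction", optional "rights"} (Enhancement 2); roles
                    without a spec are flagged.
    informed_use:   per Informed role, the task that consumes the information
                    (Enhancement 3); roles without one are flagged as "is it necessary?".
    """
    consulted_spec = consulted_spec or {}
    informed_use = informed_use or {}
    out = Rewrite()
    accountable = [r for r, v in row.items() if v is Raci.A]
    responsible = [r for r, v in row.items() if v is Raci.R]
    # Assumed RACI sanity rule (common practice, not stated on the slides).
    if len(accountable) != 1:
        out.findings.append(f"'{action}': expected exactly one Accountable, found {accountable}")
    if not responsible:
        out.findings.append(f"'{action}': no Responsible role")
    supervisor = accountable[0] if accountable else "(nobody)"
    for role, letter in row.items():
        if letter is Raci.R:
            # Enhancement 1: the Responsible role is also accountable for the task itself.
            out.responsibilities.append(Responsibility(
                role, action, "functional", f"carry out '{action}'",
                Accountability(f"report completion of '{action}' to {supervisor}",
                               sanction="remediation if the action is not done")))
        elif letter is Raci.A:
            # Enhancement 1: the Accountable role holds a managerial obligation
            # (direct, supervise, monitor the task) and is accountable for that.
            out.responsibilities.append(Responsibility(
                role, action, "managerial",
                f"direct and supervise '{action}' performed by {', '.join(responsible) or '(nobody)'}",
                Accountability(f"report that '{action}' was directed and completed"),
                rights=["authority: approve or accept the execution of the action"]))
        elif letter is Raci.C:
            # Enhancement 2: Consulted is a responsibility, so its obligation,
            # accountability and right must be made explicit; otherwise flag it.
            spec = consulted_spec.get(role)
            if spec is None:
                out.findings.append(
                    f"{role} is Consulted on '{action}': obligation, accountability and right not clarified")
                continue
            out.responsibilities.append(Responsibility(
                role, action, "functional", spec["obligation"],
                Accountability(spec["answerability"], spec.get("sanction")),
                rights=list(spec.get("rights", []))))
        elif letter is Raci.I:
            # Enhancement 3: Informed is a right to information that should be linked
            # to the task using it; an unlinked one is questioned rather than kept.
            task = informed_use.get(role)
            out.access_rights.append(AccessRight(role, f"output of '{action}'", task))
            if task is None:
                out.findings.append(
                    f"{role} is Informed about '{action}' but no task uses that information: is it necessary?")
    return out


if __name__ == "__main__":
    result = rewrite_raci_row("Identify system owners", IDENTIFY_SYSTEM_OWNERS,
                              informed_use={"PMO": "Plan IT projects"})   # assumed consumer task
    for resp in result.responsibilities:
        print(f"{resp.role}: {resp.obligation_kind} obligation; {resp.accountability.answerability}")
    for finding in result.findings:
        print("finding:", finding)
```

Run as a script, the block lists the two responsibilities the enhanced model makes explicit (CIO: managerial obligation with authority; Head Operations: functional obligation with a sanction) and one finding per Consulted role whose obligation, accountability and right are still unspecified and per Informed role whose information has no consuming task, which is exactly the question Enhancement 3 raises.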

Conclusion
- The willingness to improve the governance of IT calls for the definition of an innovative responsibility model, built on meaningful responsibility concepts.
- We then compared the responsibility model with the COBIT RACI chart and detected possible improvements.
- The "Identify system owners" action has been depicted to illustrate the added value of the model.

Thank you!

References

Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward Responsibility Concept, International Conference on Information & Communication Technologies: from Theory to Applications (IEEE ICTTA 2008), May 2008, Damascus, Syria.

Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (ARES 2009, The International Dependability Conference), IEEE, March 2009, Fukuoka, Japan.

Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The Seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09), IEEE, May 2009, Rabat, Morocco.

Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.
