August 2018
Carolynn Chalmers
MSc, CGEIT, CBRM
Objectives
Maximize the value of IT governance investments
Align COBIT® 5 and other standards with the King IV™ leadership approach
SESSION 1
Session 1 Agenda
Leadership / Corporate Governance: doing the right things
The King Reports
King I - effective 1994
• Large listed and public entities
• Board: composition, tenure and frequency
• Code of ethics
• Director remuneration
• Affirmative action
King II - effective 2002
• Large companies, SOEs, local government
• Risk management
• Internal audit
• Integrated sustainability
• Shareholders remuneration review
King III - effective 2010
• All organisations
• IT governance
• Business rescue
• Alternative dispute resolution
• Integrated Reporting
King IV - effective 2017
• Governing body
• Integrated thinking and 6 capitals
• Governance Outcomes
• Assurance and 5 lines of defence
King IV™
[Figure: Constitution; Laws and Regulations]
International Context
• International Organization for Standardization (ISO)
• Technical Committee TC309 - Governance of Organizations
• British Standards Institution - November 2016
• 4 Projects:
– ISO 37000 - Guidance for the Governance of Organizations
– ISO 37001 - Anti-Bribery Management Systems
– ISO 37002 - Whistleblowing Management Systems
– ISO 19600 / 37301 - Compliance Management Systems
ISO 37000
Application
The 5 stages of Mindful Leadership
1. Trusted Professional: Depth, Attitude, Ownership
2. Change Agent: Influence, Resilience, Execution
3. People Developer: Agility, Coach, Feedback
4. Tribal Leader: Model, Ethos, Culture
5. Legacy Builder: Vision, Strategy, Authenticity
https://www.learn2lead.co
Ethical and Effective Leadership
Corporate Governance is…
Governance Outcomes: Ethical Culture (3 Principles & Practices)
Ethical Leadership: I C R A F T
• I - Integrity
• C - Competence (new)
• R - Responsibility
• A - Accountability
• F - Fairness
• T - Transparency
Ethical Leadership
Principle 1: The governing body should lead ethically and effectively.
Principle 2: The governing body should govern the ethics of the organisation in a way that supports the establishment of an ethical culture.
Principle 3: The governing body should ensure that the organisation is and is seen to be a responsible corporate citizen.
Effective Leadership
Principle 6: The governing body should serve as the focal point and custodian of corporate governance in the organisation.
Recommended Practice 1: The governing body should exercise its leadership role by:
a. steering the organisation and setting its strategic direction;
b. approving policy and planning that give effect to the direction provided;
c. overseeing and monitoring of implementation and execution by management; and
d. ensuring accountability for organisational performance by means of, among others, reporting and disclosure.
Effective Leadership using Policies
• Governance Policies
Principles which should be applied as management Practices
• Management Policies
Lower-level Principles which are executed as Procedures
• Employee Policies
Rules to be complied with, for example Employee Handbook
Governance Policies vs Management Policies
Governance Policies - doing the right things: Principles, Delegation, Oversight (Direction, Outcomes)
Management Policies - in the right way: Practices, Procedures, Management (Alignment, Efficiency)
Organisational levels: Governing Body, Executive, Operations
Cycle: Continuously / Weekly / Monthly / Quarterly / Annually
Ethical and Effective Leadership
Questions and Discussion
Session 1 Agenda
Our world is changing – urban world
Our world is changing – work world
Change brings uncertainty
Uncertainty slows decision-making
"Usually, business leaders have little difficulty articulating what needs to be done when resolving problems when there is certainty. But in uncertain times, business problems are complex and often intractable." (Martin Webster)
Reducing uncertainty – improving decision-making
Decision-making context
Principles – the right things to do
Decision-making in a digital context
Decision-making in a technology context
Leadership, Decision-making, King IV™ and IT
IT Governance in the GRC context
Precedent
IT Governance Principles
King IV™ IT Governance Principle
King IV™ Recommended Practices
10. Set the strategic direction
13. Transition
14. Information
15. Technology
16. Assurance
COBIT® 5 Principles and Processes
COBIT® 5 Governance Process Domains
COBIT® 5 Management Process Domains
Questions and Discussion
Session 1 Agenda
IT Governance in Practice
Governance: Direction, Outcomes
Management: Alignment, Efficiency
IT Governance as Process
• Processes are measured in levels of maturity
• Processes are not merely measured on whether they are there or not (“gap analysis”)
ISO 15504: Software Process Improvement and Capability Determination (SPICE)
COBIT® 5 Process Capability Model
0 Incomplete process: The process is not implemented or fails to achieve its process purpose. Little or no evidence of any systematic achievement of the process purpose.
3 Established process: Implemented using a defined process that is capable of achieving its process outcomes.
4 Predictable process: Operates within defined limits to achieve its process outcomes.
5 Optimising process: Process is continuously improved to meet relevant current and projected business goals.
ISO 33002: Software development processes
“the minimum set of requirements for performing an assessment that will ensure assessment results are objective, consistent, repeatable, and representative of the assessed processes”
CMMI: Capability Maturity Model Integration
Governance (effective leadership) maturity levels
• Governance is measured in levels of maturity
• Governance is improved by setting and achieving increasing maturity targets
• Targets are determined by risk appetite and tolerances, capacity and resources
OECD Assessment Scheme 2017
1 Not Applicable: Principle does not apply due to structural, legal or institutional features
3 Partly implemented:
• One or more core elements are missing, but others are fully or broadly implemented in all material respects
• The core elements are present but not widely adopted
• The core elements are present but implementation is new
4 Broadly implemented: One or more are less than fully implemented but
• All are implemented to some extent;
• The core elements are present
• Broadly adopted
Risk
IT Risk in South Africa - Allianz Risk Barometer 2018
Cybercrime
• Highest in Africa
• 3rd highest in the world
• “cyber hurricane” events
• SMEs highest impact
IT Risk in South Africa – IRMSA 2017
IT Risk in South Africa – IRMSA 2018
The Future of risk - New game, new rules
“The convergence of mobile and social media is intensifying the impact of reputational
risk for organisations and driving them to fundamentally rethink their approach to risk
management and proactively address these accelerated risks. What we see is that risk
onset, consequence and the entire nature of the risk discipline, is evolving. The good
news is that even the strategic conversation around risk is changing. It is no longer
something to only fear, minimise and avoid, but an opportunity to determine an
accurate upside value creation from risk and thereby encourage an appropriate level of
risk-taking.”
Governance Risk
Establishing an effective IT Governance environment
SESSION 2
Session 2 Agenda
Governance frameworks
“Having a common governance framework can play an important
role in helping boards gain a better understanding of their
oversight role. The framework should have attributes that
contribute to effective governance and tools for addressing
governance risk. A framework also provides a more cogent
construct for evaluating how management’s responsibilities fit
with the board’s oversight responsibilities.”
Wall Street Journal May 24, 2013
Governance frameworks
Examples: Project Management Framework (www.parallelprojecttraining.com); Database Entity Framework (www.entityframeworktutorial.net)
Deloitte Governance Framework
Southern Cross University Governance Framework
Framework as a Tool
Framework as a Governance Tool
• A component
• Depict “how” – delegation
• Clear for communication purposes
• Committees and Roles
• Comprehensive and complete
• WSJ: address governance risks
Framework as a Governance Component
• Effective leadership
• Ethical leadership
• Governance outcomes
Evidencing governance activities
Questions and Discussion
King IV™ Recommended Oversight Practices
Technology and Information Oversight
Practice 15 (Technology):
a) Architecture
b) Procurement
c) Innovation & Disruption
Practice 14 (Information):
a) Intellectual Capital
b) Confidentiality, Integrity, Availability
c) Privacy
d) Security
King IV™ Recommended Technology Oversight Practices
Technology and Information Oversight
COBIT® 5 enabling processes
Technology and Information Oversight
ISO 38500 principles
Technology and Information Oversight
• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human Behaviour
King IV™ Recommended Information Oversight Practices
Technology and Information Oversight
ISO/IEC 38505-1:2017
Guiding principles for members of governing bodies of organizations on the effective,
efficient, and acceptable use of data within their organizations.
King IV™ Recommended Transition Oversight Practices
Technology and Information Oversight
Transition / Change / Transformation
The term “transition” refers to all the activities that are carried out when a new or changed service is moved to or from a “live” environment. (ISO/IEC 20000-1)
Reasons for Change
Continuity Management
Project Management
Service Management
King IV™ Transition Principles and Practices
Principle 4 Strategy and Performance
Recommended Practice 4: The governing body should ensure that it approves the policies and operational plans developed by management to give effect to the approved strategy. These should include the key performance measures and targets for assessing the achievement of strategic objectives and positive outcomes over the short, medium and long term.
Principle 11 Risk Governance
Recommended Practice 6: The governing body should exercise ongoing oversight of risk management and, in particular, oversee that it results in … (e) the establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility, and to withstand and recover from acute shocks.
Principle 12 IT Governance
Recommended Practice 3: The governing body should exercise ongoing oversight of technology and information management and, in particular, oversee that it results in … (f) the assessment of value delivered to the organisation through significant investments in technology and information, including the evaluation of projects throughout their life cycles and of significant operational expenditure.
The Governance of Organizational Transition
King IV™ Recommended Transition Oversight Practices
Technology and Information Oversight
Questions
and
Discussion
Assessing the IT Governance environment
SESSION 3
Session 3 Agenda
Select and agree the maturity scale
5: Process Optimization / Innovation (Optimal, ideal)
1: Process Performance (Being performed or is in place)
Assess the governance processes
My governance processes
Assessment Area - Example
Maturity scale: 0 Partial, 1 Performed, 2 Managed, 3 Defined, 4 Measured, 5 Optimized
Markers: x = Current (2018), u = Short Term (2020), n = Long Term (2023)
Columns: # | Topic | Process Statement | Question Count | Current | Short Term | Long Term
LEADERSHIP | | | | 1 | 4 | 4
1 | Governance Outcomes | 1.1 IT Governance Outcome - Ethical Culture: The organisation demonstrates ethical technology, information and transition cultures | 1 | 1,5 (x) | 4 (u) | 4 (n)
Determine the risk period - example
Governance Risk | Description | Intervention | Timeframe
0 | Not willing to accept risk under any circumstance | Immediate | 1-3 months
Develop the roadmap - example
Ensure continual improvement
Thank You!