
Assessing IT Governance

August 2018
Carolynn Chalmers
MSc, CGEIT, CBRM
Objectives
Maximize the value of IT governance investments

Align with COBIT 5® and other standards to King IV™ leadership approach

Entrench an effective IT governance assessment competency

Provide IT governance guidance

Promote Business IT leadership


IT Governance in today’s corporate governance context

SESSION 1
Session 1 Agenda

King IV™ and the changing corporate governance landscape

IT governance principle, practices and outcomes and GRC

IT governance maturity in a governance risk context


Corporate Governance

Leadership / Corporate Governance - Doing the right things
Management - Doing those things right
Operational Governance - in the right way
The King Reports

King I - effective 1994 (Companies Act 61 of 1973)
• Large listed and public entities
• Board: composition, tenure and frequency
• Code of ethics
• Director remuneration
• Affirmative action
Comply or else

King II - effective 2002 (Companies Act 61 of 1973)
• Large companies, SOEs, local government
• Risk management
• Internal audit
• Integrated sustainability
• Shareholders remuneration review
Comply or explain

King III – effective 2010 (Companies Act 71 of 2008)
• All organisations
• IT governance
• Business rescue
• Alternative dispute resolution
• Integrated Reporting
Apply or explain

King IV – effective 2017 (Companies Act 71 of 2008)
• Governing body
• Integrated thinking and 6 capitals
• Governance Outcomes
• Assurance and 5 lines of defence
Apply and explain
King IV™

The King IV Report on Corporate Governance for South Africa 2016,


The Institute of Directors in Southern Africa
http://www.iodsa.co.za/page/KingIVReport
Precedent

Constitution

Laws and
Regulations

Codes and Standards

International Context
• International Standards Organisation
• Technical Committee TC309 - Governance of Organizations
• British Standards Institute - November 2016
• 4 Projects:
– ISO 37000 - Guidance for the Governance of Organizations
– ISO 37001 - Anti-Bribery Management Systems
– ISO 37002 - Whistleblowing Management Systems
– ISO 19600 / 37301 - Compliance Management Systems

ISO 37000

Application

• Mindful
• Purposeful
• Responsible
• Contextual

• Size and turnover
• Resources
• Complexity
• Industry
The 5 stages of Mindful Leadership
1. Trusted Professional
Depth, Attitude, Ownership
2. Change Agent
Influence, Resilience, Execution
3. People Developer
Agility, Coach, Feedback
4. Tribal Leader
Model, Ethos, Culture
5. Legacy Builder
Vision, Strategy, Authenticity

https://www.learn2lead.co
Ethical and Effective Leadership
Corporate Governance is…

“The exercise of ethical and effective leadership by the governing body
towards the achievement of governance outcomes.”
- Ethical Culture
- Good Performance
- Effective Control
- Legitimacy
Governance Outcomes

- Ethical Culture: 3 Principles & Practices
- Good Performance: Good performance is an organization achieving its strategic objectives, and positive outcomes in terms of its effects on the capitals it uses and affects, and on the triple context in which it operates.
- Effective Control: The adequate accomplishment of the desired objective or a pursuit with the minimum expenditure of time, resources, waste and effort.
- Legitimacy: Compliance: the fact of being allowed by law or done according to the rules of an organization or activity. The state of being fair or honest.
Cambridge Dictionary
Ethical Leadership

I - Integrity
C - Competence (new)
R - Responsibility
A - Accountability
F - Fairness
T - Transparency

I C R A F T
Ethical Leadership
Principle 1 The governing body should lead ethically and effectively.
Principle 2 The governing body should govern the ethics of the organisation in a way that supports the establishment of an ethical culture.
Principle 3 The governing body should ensure that the organisation is and is seen to be a responsible corporate citizen.

Ethics of the Board

Ethics in the Organisation

Ethics in the Organisation
Effective Leadership
Principle 6
The governing body should serve as the focal point and custodian
of corporate governance in the organisation.

Recommended Practice 1
The governing body should exercise its leadership role by:
a. steering the organisation and setting its strategic direction;
b. approving policy and planning that give effect to the direction provided;
c. overseeing and monitoring of implementation and execution by management; and
d. ensuring accountability for organisational performance by means of, among others, reporting and disclosure.
Effective Leadership using Policies

• Governance Policies
Principles which should be applied as management Practices

• Management Policies
Lower-level Principles which are executed as Procedures

• Employee Policies
Rules to be complied with, for example Employee Handbook

Governance Policies - doing the right things
• Principles
• Delegation
• Oversight
Direction, Outcomes

Management Policies - in the right way
• Practices
• Procedures
• Management
Alignment, Efficiency

Governing Body
Executive
Operations

Continuously / Weekly / Monthly / Quarterly / Annually
Ethical and Effective Leadership

Apply the Principles as practices

Explain how you are applying the principles in practice

Recommended Practices not Required Practices

Questions
and
Discussion
Session 1 Agenda

King IV™ and the changing corporate governance landscape

IT governance principle, practices and outcomes and GRC

IT governance maturity in a governance risk context


Our world is changing – natural world

Our world is changing – urban world

Our world is changing – work world
Change brings uncertainty
Uncertainty slows decision-making
Usually, business leaders have little difficulty articulating what needs to be done
when resolving problems when there is certainty.

But in uncertain times, business problems are complex and often intractable.
Martin Webster


Reducing uncertainty – improving decision-making
Decision-making context
Principles – the right things to do
Practices – the right way to do things
Controls – Keeping things right

Decision-making in a digital context

Decision-making in a technology context

Leadership, Decision-making, King IV™ and IT
IT Governance in the GRC context

Governance: ISO 38500, COBIT® 5, CGICTPF
Risk: ISO 31000, COSO
Compliance: ISO 19600

Precedent
IT Governance Principles

Companies Act, Non-Profit Organisations Act, ECT, PROATIA, POPIA, GDPR, etc.

King IV™, ISO 37000, Codes of Good Practice for South African NPOs, etc.

ISO 38500, COBIT® 5 EDM, ISO 38505, CGICTPF, etc.

ISO 20000, ITIL, COBIT® 5, PCI-DSS, ISO 27000, etc.

King IV™ IT Governance Principle
King IV™ Recommended Practices
10. Set the strategic direction
11. Approve policy
12. Delegate
13. Transition
14. Information
15. Technology
16. Assurance
17. Disclosure
COBIT® 5 Principles and Processes

COBIT® 5 Governance Process Domains

COBIT® 5 Management Process Domains
Questions
and
Discussion
Session 1 Agenda

King IV™ and the changing corporate governance landscape

IT governance principle, practices and outcomes and GRC

IT governance maturity in a governance risk context


Ethical and Effective Leadership of IT
IT Governance is…

“The exercise of ethical and effective leadership by the governing body
towards the achievement of governance outcomes.”
- Ethical Culture
- Good Performance
- Effective Control
- Legitimacy
IT Governance in Practice

Direction Alignment
Outcomes Efficiency

IT Governance is a Perpetual Process

IT Governance as Process
• Processes are measured in levels of maturity
• Processes are not merely measured on whether they are there or not (“gap analysis”)

Example IT-related process maturity models
• ISO/IEC 15504-6: 2013 = COBIT® 5 Process Capability Model
• ISO/IEC 33002: 2015
• CMMI
ISO 15504:
Software Process Improvement and Capability Determination (SPICE)

• Derived from ISO/IEC 12207
• Replaced by ISO/IEC 33002
• No longer available from ISO
COBIT® 5 Process Capability Model
0 Incomplete process
• The process is not implemented or fails to achieve its process purpose.
• Little or no evidence of any systematic achievement of the process purpose
1 Performed process
• The implemented process achieves its process purpose
2 Managed process
• Implemented in a managed fashion (planned, monitored and adjusted)
• Work products are appropriately established, controlled and maintained
3 Established process
• Implemented using a defined process that is capable of achieving its process outcomes
4 Predictable process
• Operates within defined limits to achieve its process outcomes
5 Optimising process
• Process is continuously improved to meet relevant current and projected business goals

An ISO/IEC 15504-compliant process capability assessment scheme is used
ISO 33002: Software development processes
“the minimum set of requirements for performing an assessment that will ensure assessment results are objective, consistent, repeatable, and representative of the assessed processes”

33001 Concepts and terminology
33002 Requirements for performing process assessment
33003 Requirements for process measurement frameworks
33004 Requirements for process reference, process assessment and maturity models
33014 Guide for process improvement
33020 Process measurement framework for assessment of process capability
CMMI: Capability Maturity Model Integration

• 1987 development led by the Carnegie Mellon Software Engineering Institute
• 2010 improved to cater for Agile software development
• 2016 acquired by ISACA
• 2018 CMMI 2.0 released

Sally Godfrey (2008), NASA presentation
Governance (effective leadership) maturity levels
• Governance is measured in levels of maturity
• Governance is improved by setting and achieving increasing maturity targets
• Targets are determined by risk appetite and tolerances, capacity and resources

Example governance maturity levels
• OECD Assessment Scheme 2017
• ISO/IEC 33002:2015
OECD Assessment Scheme 2017
1 Not Applicable – Principle does not apply due to structural, legal or institutional features
2 Not implemented – Is appropriate where there are major shortcomings
3 Partly implemented
• One or more core elements are missing, but others are fully or broadly implemented in all material respects
• The core elements are present but not widely adopted
• The core elements are present but implementation is new
4 Broadly implemented – One or more elements are less than fully implemented but
• All are implemented to some extent;
• The core elements are present
• Broadly adopted
5 Fully implemented – Fully implemented in all material respects
Risk
IT Risk in South Africa - Allianz Risk Barometer 2018
Cybercrime
• Highest in Africa
• 3rd highest in the world
• “cyber hurricane” events
• SMEs highest impact

IT Risk in South Africa – IRMSA 2017

IT Risk in South Africa – IRMSA 2018
The Future of risk - New game, new rules
“The convergence of mobile and social media is intensifying the impact of reputational
risk for organisations and driving them to fundamentally rethink their approach to risk
management and proactively address these accelerated risks. What we see is that risk
onset, consequence and the entire nature of the risk discipline, is evolving. The good
news is that even the strategic conversation around risk is changing. It is no longer
something to only fear, minimise and avoid, but an opportunity to determine an
accurate upside value creation from risk and thereby encourage an appropriate level of
risk-taking.”

Navin Singh, Business Report, 27 September 2017
https://www.iol.co.za/business-report/opinion-the-future-of-risk--new-game-new-rules-11377268

Governance Risk

• Strategy – lack of purpose and vision
• Policy – lack of guidance
• Oversight – lack of discipline
• Disclosure – lack of accountability
Establishing an effective IT Governance environment

SESSION 2
Session 2 Agenda

Ethical and effective leadership of IT and evidencing IT governance activities

Business resilience and building for change

Governing information, ensuring stakeholder confidence

Evidencing governance activities
Governance frameworks
“Having a common governance framework can play an important
role in helping boards gain a better understanding of their
oversight role. The framework should have attributes that
contribute to effective governance and tools for addressing
governance risk. A framework also provides a more cogent
construct for evaluating how management’s responsibilities fit
with the board’s oversight responsibilities.”
Wall Street Journal May 24, 2013

Governance frameworks
Project Management Framework (www.parallelprojecttraining.com)
Database Entity Framework (www.entityframeworktutorial.net)

Deloitte Governance Framework

Southern Cross University Governance Framework
Framework as a Tool

• Comprehensive and complete
• “Birds-eye view” overview
• Simple depiction
• Communication
• Collective understanding
• Agreement at a point in time

Framework as a Governance Tool

• A component
• Depict “how” – delegation
• Clear for communication purposes
• Committees and Roles
• Comprehensive and complete
• WSJ: address governance risks

Framework as a Governance Component

• Effective leadership
• Ethical leadership
• Governance outcomes

Evidencing governance activities
Questions
and
Discussion
King IV™ Recommended Oversight Practices
Technology and Information Oversight (Technology, Information, Transition)

Technology – Practice 15
a) Architecture
b) Procurement
c) Innovation & Disruption

Information – Practice 14
a) Intellectual Capital
b) Confidentiality, Integrity, Availability
c) Privacy
d) Security

King IV™ Recommended Technology Oversight Practices
Technology and Information Oversight

Technology: Hardware, Software, Connectivity
COBIT® 5 enabling processes
Technology and Information Oversight

ISO 38500 principles
Technology and Information Oversight

• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human Behaviour
King IV™ Recommended Information Oversight Practices
Technology and Information Oversight

Information: Confidentiality, Integrity, Availability; Privacy, Records Management, Security

ISO/IEC 38505-1:2017
Guiding principles for members of governing bodies of organizations on the effective, efficient, and acceptable use of data within their organizations.
King IV™ Recommended Transition Oversight Practices
Technology and Information Oversight

Transition / Change / Transformation

The term “transition” refers to all the activities that are carried out when a new or changed service is moved to or from a “live” environment.
ISO/IEC 20000-1

The term “business transformation” refers to making changes in how business is conducted in order to help cope with a shift in market environment.
John Kotter, Harvard Business Review, 2007
Reasons for Change

Continuity Management

Project Management

Service Management

King IV™ Transition Principles and Practices
Principle 4 Strategy and Performance
Recommended Practice 4. The governing body should ensure that it approves the policies and
operational plans developed by management to give effect to the approved strategy. These
should include the key performance measures and targets for assessing the achievement of
strategic objectives and positive outcomes over the short, medium and long term.
Principle 11 Risk Governance
Recommended Practice 6. The governing body should exercise ongoing oversight of risk
management and, in particular, oversee that it results in …(e) the establishment and
implementation of business continuity arrangements that allow the organisation to operate
under conditions of volatility, and to withstand and recover from acute shocks.
Principle 12 IT Governance
Recommended Practice 3. The governing body should exercise ongoing oversight of technology
and information management and, in particular, oversee that it results in… (f) the assessment
of value delivered to the organisation through significant investments in technology and
information, including the evaluation of projects throughout their life cycles and of significant
operational expenditure.
The Governance of Organizational Transition

• Board oversight of “change” across the organisation
• Strategy enablement – portfolio management
• Increased potential for convergence
• Increased focus on IT value realization
• Business Resilience not just Disaster Recovery

King IV™ Recommended Transition Oversight Practices
Technology and Information Oversight

Transition: Projects, Services, Continuity

Questions
and
Discussion
Assessing the IT Governance environment

SESSION 3
Session 3 Agenda

Choosing an appropriate assessment basis and selecting the assessment scope

Aligning with the organisational risk profile and supporting organisational strategy

Engaging with stakeholders and embedding continual improvement

Define the scope
1. Identify relevant business drivers
• Define the objective
• Prioritise processes based on business drivers
2. Identify and prioritise the IT processes
3. Perform a preliminary scoping selection
4. Confirm the selection
5. Finalise the scope
6. Record the scoping methodology in the assessment records.

COBIT® 5 Assessment Scoping Tool
Select and agree the maturity scale
5 Process Optimization / Innovation – Optimal, ideal
4 Process Measurement and Control – Happens without fail and is exactly repeatable
3 Process Definition and Deployment – Established as “business as usual”
2 Performance / Work Product Management – In place with ad-hoc management
1 Process Performance – Being performed or is in place
0 Incomplete, work in progress – no physical representation of this being in place
Assess the governance processes

Governance Process | 0 | 1 | 2 | 3 | 4 | 5 | Comment

My governance processes

My Governance Process | 0 | 1 | 2 | 3 | 4 | 5 | Comment
Example assessment worksheet
Columns: # | Process | Statement | Assessment Area (x) | Example (u) | Question Count (n) | Current (2018) | Short Term (2020) | Long Term (2023)
Scale: 0 Partial, 1 Performed, 2 Managed, 3 Defined, 4 Measured, 5 Optimized
Topic: Governance Outcomes

LEADERSHIP | Current 1 | Short Term 4 | Long Term 4
1 | 1 | 1.1 IT Governance Outcome - Ethical Culture | The organisation demonstrates ethical technology, information and transition cultures | x u | 1,5 | 4 | 4
2 | 1 | 1.2 IT Governance Outcome - Good Performance | The organisation demonstrates appropriate technology, information and transition performance | x u | 2 | 4 | 4
3 | 1 | 1.3 IT Governance Outcome - Effective Control | The organisation demonstrates effective control of its technology, information and transition activities | x u | 0 | 3 | 4
4 | 1 | 1.4 IT Governance Outcome - Legitimacy | The organisation demonstrates legitimate use of its technology and information | x u | 0 | 3 | 4
Determine the risk period - example
Governance Risk | Description | Intervention Timeframe
5 | Outside of governance risk profile |
4 | Meets governance risk profile | Maintain
3 | Willing to accept risk | 24 months
2 | Willing to accept some risk in certain circumstances | 12 months
1 | Not willing to accept risk in most circumstances | Urgent - within 6 months
0 | Not willing to accept risk under any circumstance | Immediate 1-3 months
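As an added worked example (not code from the slides or their author), this Python script models the worksheet rows from the assessment slide and applies the risk period table to produce a roadmap ordered by intervention timeframe. It assumes that a process's governance risk index is its current maturity level rounded down, which the slides do not state.

```python
"""Worked example: build a prioritised roadmap from the assessment worksheet.

Assumptions not stated on the slides: a process's governance risk index is its
current maturity score rounded down to a whole level, and interventions are
ordered shortest timeframe first.
"""
from dataclasses import dataclass

# Maturity scale labels from the worksheet slide (index = level 0..5).
SCALE = ["Partial", "Performed", "Managed", "Defined", "Measured", "Optimized"]

# "Determine the risk period" table: level -> (description, months to intervene).
# None means no intervention window (maintain / outside the risk profile).
RISK_PERIOD = {
    5: ("Outside of governance risk profile", None),
    4: ("Meets governance risk profile - Maintain", None),
    3: ("Willing to accept risk", 24),
    2: ("Willing to accept some risk in certain circumstances", 12),
    1: ("Not willing to accept risk in most circumstances - Urgent", 6),
    0: ("Not willing to accept risk under any circumstance - Immediate", 3),
}

@dataclass
class Row:
    ref: str          # process reference, e.g. "1.1"
    outcome: str      # governance outcome assessed
    current: float    # assessed maturity (2018); half scores such as "1,5" allowed
    short_term: int   # target maturity (2020)
    long_term: int    # target maturity (2023)

def validate(row: Row) -> None:
    """Reject scores outside the 0..5 scale or targets that go backwards."""
    for name in ("current", "short_term", "long_term"):
        value = getattr(row, name)
        if not 0 <= value <= 5:
            raise ValueError(f"{row.ref}: {name}={value} is outside the 0..5 scale")
    if row.short_term > row.long_term:
        raise ValueError(f"{row.ref}: short-term target exceeds long-term target")

def risk_level(row: Row) -> int:
    """Assumed mapping: risk index = current maturity rounded down (1.5 -> 1)."""
    return int(row.current)

def build_roadmap(rows):
    """Return roadmap entries, most urgent (shortest timeframe) first."""
    entries = []
    for r in rows:
        validate(r)
        level = risk_level(r)
        desc, months = RISK_PERIOD[level]
        entries.append({"ref": r.ref, "outcome": r.outcome, "level": level,
                        "level_name": SCALE[level], "timeframe": desc, "months": months,
                        "gap_short": r.short_term - r.current,
                        "gap_long": r.long_term - r.current})
    # Processes with no intervention window sort last; ties broken by reference.
    entries.sort(key=lambda e: (e["months"] is None, e["months"] or 0, e["ref"]))
    return entries

# Constructed from the worksheet slide (Leadership topic, governance outcomes).
WORKSHEET = [Row("1.1", "Ethical Culture", 1.5, 4, 4), Row("1.2", "Good Performance", 2, 4, 4),
             Row("1.3", "Effective Control", 0, 3, 4), Row("1.4", "Legitimacy", 0, 3, 4)]
```

Running `build_roadmap(WORKSHEET)` places the two level-0 outcomes (Effective Control, Legitimacy) first with a 3-month window, then Ethical Culture (6 months) and Good Performance (12 months).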
Develop the roadmap - example

Ensure continual improvement

Thank You!