IT Governance and Policy Framework Example

A governance framework overview, draft

Transcript of IT Governance and Policy Framework Example

Page 1: IT Governance and Policy Framework Example

IT Advisory Services IT Policy Framework and Charter

for client discussion

DRAFT, not for further distribution

Page 2: IT Governance and Policy Framework Example

© 2013 KPMG Services (Proprietary) Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

What is a Charter?

A charter is a grant of authority or rights stating that the granter formally recognises the prerogative of the recipient to exercise the rights specified. It is implicit that the granter retains superiority and that the recipient admits a limited (or inferior) status within the relationship.

Webster’s Dictionary

The ICT Governance Charter?

The ICT Charter is the mechanism used by the Board to delegate authority for the governance of IT within ABC. It provides a preliminary delineation of roles and responsibilities, outlines the function’s objectives, identifies the main stakeholders and defines the authority of the CIO.

It serves as a reference of authority for the future.

Page 3: IT Governance and Policy Framework Example

What’s in the Charter?

• Context, Definitions and Acronyms
• Objectives
• Principles of King III
• Structures and Mechanisms
  - Delegation of Authority
  - Reporting Responsibilities
• Roles and Responsibilities
• CIO Activities (Principles for ICT)

Page 4: IT Governance and Policy Framework Example

The Role of IT Governance (according to King III)

King III stipulates that IT Governance should focus on four key areas:

• strategic alignment with the business and collaborative solutions, including the focus on sustainability and the implementation of ‘green IT’ principles
• value delivery: concentrating on optimising expenditure and proving the value of IT
• risk management: addressing the safeguarding of IT assets, disaster recovery and continuity of operations
• resource management: optimising knowledge and IT infrastructure

None of these factors can be managed appropriately without performance measurement, tracking delivery and monitoring IT services (ITGI, 2003:22).

Page 5: IT Governance and Policy Framework Example

King III Principles

Recommended Practice

The Board should assume the responsibility for the governance of IT and place it on the Board agenda.

The Board should ensure that an IT charter and policies are established and implemented.

The Board should ensure promotion of an ethical IT governance culture and awareness, and of a common IT language.

The Board should ensure that an IT internal control framework is adopted and implemented.

The Board should receive independent assurance on the effectiveness of the IT internal controls.

• Board responsibility
• Performance and Sustainability
• IT Governance Framework
• IT Investments
• Risk Management
• Information Security
• Governance Structures

Page 6: IT Governance and Policy Framework Example

[Diagram: ICT operating model shown as labelled boxes. “Run”: Application Management, Application Maintenance, Business Operations, Policies & Standards (Architecture, Regulatory, Quality, Risk), Quality/Test Management, Service Management (Delivery and Support Strategy, Integrated Service Desk, End-to-end Service Management), IT Innovation Management, Account & Demand Management, Sourcing Office, Infrastructure Partner. Service Deployment Management: Test Management, Deployment Strategy, Change Management, Release Management. Transformation: Transformation Management, Solution Development Strategy, Project/Programme Portfolio Management, Transformation Projects.]

The Role of ICT within ABC

Enterprise Architecture:
• Enterprise Architecture
• Design Authority
• Industry standards and model

IT Strategy and Management

Account & Demand Management:
• Interface between Business and IT
• Demand Management
• SLA management

Innovation:
• Channel to infuse innovation to business
• Focus on ICT and business innovation

Risk and Compliance:
• Compliance audits
• Management assurance

Vendor management:
• Identify suppliers
• Negotiate contracts
• Monitor provider performance

Competency Centres, Technology Infrastructure, Service Delivery:
• Integrated approach for service management
• End-to-end service management

Programme Management Office

Transformation:
• Standard Solution Development lifecycle
• Relationships between projects

Deployment:
• Structured approach to (acceptance) testing
• Consistent approach to roll-out of changes and releases
• Alignment of application and infrastructure life-cycles

Adapted from Transnet Group ICT Strategy, March 2010

Page 7: IT Governance and Policy Framework Example

Contemporary Practice: IT governance interrelationships (EXAMPLE)

Source: ITGI, 2003:53-57; ITGI, 2005b:18-22; ITGI, 2007:29-168; ITGI, 2008:29

Page 8: IT Governance and Policy Framework Example

Delegation of Authority

Applying King III, the Charter and the ICT Strategy

[Diagram: organisation chart showing the Board of Directors, the Audit Committee, the Chief Executive Officer, the Chief Financial Officer, Non-Executive ICT Representation and the Chief Information Officer.]

Page 9: IT Governance and Policy Framework Example

Reporting Responsibilities

Page 10: IT Governance and Policy Framework Example

Roles and Responsibilities

Page 11: IT Governance and Policy Framework Example

CIO Activities

• Organisational, accountability and reporting
• Strategic Alignment
• Value Delivery
• Resource Management
• ICT Risk Management
• Performance Management

Page 12: IT Governance and Policy Framework Example

How it all hangs together

[Diagram: the King III Requirements for IT are the responsibility of the Board of Directors, delegated through the IT Governance Charter to the CIO, who takes high-level decisions about the domains below: Strategy, Value Management, Risk Management, Security Management, Resource Management and Performance Management. Further boxes: Project Management, Financial Management, Information Management, The “IT Shop” (Service Management, IT Operations, IT Development), Physical Security, Logical Security and Privacy. Deliverables: King III principle (Board responsibility), Policy Framework and Governance Framework. Business Goals lead to IT Goals, IT Processes and the IT Process Model (COBIT).]

Page 13: IT Governance and Policy Framework Example

[Diagram: governance structure showing the Board of Directors, the Risk & Audit Committee, EXCO, IT Strategy, the CIO, the SIG, the Design Authority, Risk/Security and the IT Operations Committee.]

Page 14: IT Governance and Policy Framework Example

[Diagram: governance structure showing the Board of Directors, the Audit & Risk Committee, EXCO, IT Strategy, the CIO and the IT Charter.]

Page 15: IT Governance and Policy Framework Example

Risk Reporting Lines

[Diagram: reporting lines from the Board of Directors through the Audit & Risk Committee and EXCO to the CIO and the SIG; below the CIO sit the Design Authority, ICT Risk/Security, ICT Operations, Business Systems/Applications, Programme & Project Management, Security, Resource Management, ICT Strategy and the ICT Operations Committee.]

Page 16: IT Governance and Policy Framework Example

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.