IT Governance and Policy Framework Example
Transcript of IT Governance and Policy Framework Example
IT Advisory Services IT Policy Framework and Charter
for client discussion
DRAFT, not for further distribution
© 2013 KPMG Services (Proprietary) Limited, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative, a Swiss entity. All rights reserved. 1
What is a Charter?
The ICT Governance Charter
The ICT Charter is the mechanism used by the Board to delegate authority for the governance of IT within ABC. It provides a preliminary delineation of roles and responsibilities, outlines the function’s objectives, identifies the main stakeholders and defines the authority of the CIO. It serves as a reference of authority for the future.
“A charter is a grant of authority or rights stating that the granter formally recognises the prerogative of the recipient to exercise the rights specified. It is implicit that the granter retains superiority and that the recipient admits a limited (or inferior) status within the relationship.” (Webster’s Dictionary)
What’s in the Charter?
• Context, Definitions and Acronyms
• Objectives
• Principles of King III
• Structures and Mechanisms
  - Delegation of Authority
  - Reporting Responsibilities
• Roles and Responsibilities
• CIO Activities (Principles for ICT)
The Role of IT Governance (according to King III)
King III stipulates that IT Governance should focus on four key areas:
• strategic alignment with the business and collaborative solutions, including the focus on sustainability and the implementation of ‘green IT’ principles
• value delivery: concentrating on optimising expenditure and proving the value of IT
• risk management: addressing the safeguarding of IT assets, disaster recovery and continuity of operations
• resource management: optimising knowledge and IT infrastructure
None of these factors can be managed appropriately without performance measurement, tracking delivery and monitoring IT services (ITGI, 2003:22).
King III Principles
• Board responsibility
• Performance and Sustainability
• IT Governance Framework
• IT Investments
• Risk Management
• Information Security
• Governance Structures
Recommended Practice
• The Board should assume the responsibility for the governance of IT and place it on the Board agenda.
• The Board should ensure that an IT charter and policies are established and implemented.
• The Board should ensure promotion of an ethical IT governance culture and awareness, and of a common IT language.
• The Board should ensure that an IT internal control framework is adopted and implemented.
• The Board should receive independent assurance on the effectiveness of the IT internal controls.
The Role of ICT within ABC
Operating model diagram (building blocks shown in the figure):
• “Run”: Application Management, Application Maintenance, Business Operations, Infrastructure Partner
• Policies & Standards: Architecture, Regulatory, Quality, Risk
• Quality: Test Management
• Service Management: Delivery and Support Strategy, Integrated Service Desk, End-to-end Service Management
• IT Innovation Management, Account & Demand Management, Sourcing Office
• Service Deployment Management: Test Management, Deployment Strategy, Change Management, Release Management
• Transformation Management: Solution Development Strategy, Project/Programme Portfolio Management, Transformation Projects (with Infrastructure Partner)
Enterprise Architecture
• Enterprise Architecture
• Design Authority
• Industry standards and model
IT Strategy and Management
Account & Demand Management:
• Interface between Business and IT
• Demand Management
• SLA management
Innovation:
• Channel to infuse innovation into the business
• Focus on ICT and business innovation
Risk and Compliance
• Compliance audits
• Management assurance
Vendor Management
• Identify suppliers
• Negotiate contracts
• Monitor provider performance
Competency Centres, Technology Infrastructure, Service Delivery
• Integrated approach for service management
• End-to-end service management
Programme Management Office
Transformation:
• Standard Solution Development lifecycle
• Relationships between projects
Deployment:
• Structured approach to (acceptance) testing
• Consistent approach to roll-out of changes and releases
• Alignment of application and infrastructure life-cycles
Adapted from Transnet Group ICT Strategy, March 2010
Contemporary Practice: IT governance interrelationships (example)
Source: ITGI, 2003:53-57; ITGI, 2005b:18-22; ITGI, 2007:29-168; ITGI, 2008:29
Delegation of Authority
Applying King III, the Charter and the ICT Strategy
• Board of Directors
• Audit Committee
• Chief Executive Officer
• Chief Financial Officer
• Non-Executive ICT Representation
• Chief Information Officer
Reporting Responsibilities
Roles and Responsibilities
CIO Activities
• Organisational, accountability and reporting
• Strategic Alignment
• Value Delivery
• Resource Management
• ICT Risk Management
• Performance Management
How it all hangs together
King III Requirements for IT
• Responsibility of the Board of Directors
• Delegated through the IT Governance Charter
• To the CIO
High-level decisions about the domains below:
• Strategy
• Value Management
• Risk Management
• Security Management
• Resource Management
• Performance Management
• Project Management
• Financial Management
• Information Management
Policy Framework
The “IT Shop”:
• Service Management
• IT Operations
• IT Development
• Physical Security
• Logical Security
• Privacy
Governance Framework: Business Goals → IT Goals → IT Processes → IT Process Model (COBIT)
Legend: Deliverable; King III principle (Board responsibility)
Risk Reporting Lines
• Board of Directors
  - Audit & Risk Committee
  - EXCO
  - IT Charter / ICT Strategy
  - CIO
    - SIG
    - Design Authority
    - ICT Risk/Security
    - ICT Operations
    - Business Systems/Applications
    - Programme & project management
    - Security
    - Resource Management
    - ICT Operations Committee
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of
KPMG International.
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.