
IT GOVERNANCE FRAMEWORK - ISACA Athens

Date post: 15-Feb-2018
IT GOVERNANCE: From Value Governance to Benefits Realization in a Controlled Environment George Papoulias, CISA, CGEIT, CRISC Senior Project Manager National Bank of Greece
Transcript
Page 1: IT GOVERNANCE FRAMEWORK - ISACA Athens · PDF fileIT Governance Risk management requires risk awareness of senior corporate officers, ... • COBIT 5 is a governance and management

IT GOVERNANCE: From Value Governance to Benefits Realization in a Controlled Environment

George Papoulias, CISA, CGEIT, CRISC

Senior Project Manager

National Bank of Greece


AN OVERVIEW OF THE ENTERPRISE GOVERNANCE OF IT

•Essential Concepts

•ISACA’S Frameworks Relationships

•COBIT5 Overview

•COBIT Mappings

THE VAL IT FRAMEWORK

•ITGI’s Val IT Framework

•Key Terms

•Goals & Objectives

•Why Val IT?

•Synergies between Val IT and Cobit 4.1

•How Val IT Works

•Key Terms and Principles

•Val IT Domains & Processes

•The Business Case

BENEFITS REALIZATION THROUGH IT GOVERNANCE

•Projects, Programs, and Portfolios Definitions

•IT Project Portfolio Categorization

•PM Guide Process and Mapping to SDLC

•SDLC Guide

•IT Governance Supporting Tools

CONCLUSION

•A Structured Approach

•The Challenge

•The Ingredients of Success

7 December 2011 2


PRESENTATION OUTLINE


ENTERPRISE GOVERNANCE DRIVES IT GOVERNANCE

• Enterprise governance is about:

Conformance

• Adhering to legislation, internal policies, audit requirements, etc.

Performance

• Improving profitability, efficiency, effectiveness, growth, etc.


Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.


WITHOUT EFFECTIVE GOVERNANCE

Source: Fujitsu

Can't kill projects

Leads to..

Too many projects

Quality of execution suffers

Underestimation of risks and costs

Projects not aligned to strategy

Budget overruns

Project delays

Business needs not met

Lack of confidence (in IT)

Results in..

Benefits not received

Increased Complexity

Sub-optimal use of resources

Finger pointing

Situation

Reluctance to say no to projects

Lack of Strategic Focus

Projects are “sold” on emotional basis -- not selected

No strong review process

Overemphasis on Financial ROI

No clear strategic criteria for selection


ITGI defines enterprise governance of IT as:

The set of responsibilities—as well as the leadership and organizational structures and processes—exercised by the board of directors and executive management to ensure that IT creates value for the enterprise. An integral part of overall enterprise governance, enterprise governance of IT ensures that IT sustains and extends the enterprise’s evolving objectives and strategies.

Source: IT Governance Institute, Board Briefing on IT Governance

What is IT Governance?


Relationship Between IT Governance and IT Management

The scope of IT Governance involves setting objectives, providing direction and evaluating performance

The scope of IT Management involves translating the direction already set in the strategy, implementing the strategy (translating the strategy into action) and measuring and reporting on performance

Set objectives

* IT is aligned with the business

* IT enables the business and maximizes benefits

* IT resources are used responsibly

* IT-related risks are managed appropriately

Provide Direction

Translate into Strategy

Translate Strategy into Action

* Increase automation (make the business effective)

* Decrease cost (make the business efficient)

* Manage Risks (Security, Reliability and Compliance)

Measure and Report Performance

Evaluate Performance

IT GOVERNANCE

IT MANAGEMENT

Source: Courtesy of Erik Guldentops, EG Consult, Belgium

VAL IT RISK IT

COBIT


According to the IT Governance Institute the Enterprise Governance of IT has been subdivided into five focus areas:

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI

Enterprise Governance of IT Focus Areas

[Figure: diagram of the five focus areas; surviving labels: IT Governance, Resource Management]


[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to

•Add value and competitive positioning to the enterprise’s products and services

•Contain costs while improving administrative efficiency and managerial effectiveness

IT Governance Focus Areas

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI


Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)

IT Governance Focus Areas

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI


Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations

IT Governance Focus Areas

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI


Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource

IT Governance Focus Areas

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI


Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.

IT Governance Focus Areas

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.24, 2008, ITGI


Relationships amongst CobiT, Val IT and Risk IT


ITGI’s guidance, centered on the COBIT, Val IT and Risk IT frameworks, enables enterprise directors and managers to better understand how to direct and manage the enterprise’s use of IT and the standard of good practice to be expected from IT providers.

COBIT, Val IT and Risk IT provide the tools to direct and oversee all IT-related activities.

Source: The Risk IT Framework, Executive Summary, p.7, 2008, ISACA


Comparing how COBIT and Val IT focus on governance, processes and portfolios further helps to understand the relationship between the two frameworks as shown in figure 15.

Source: Enterprise Value: Governance of IT Investments, The Val It Framework 2.0, p.25, 2008, ITGI


Integration of CobiT 4.1, Val IT 2.0 and Risk IT into COBIT 5


ISACA’s COBIT5 Framework

• COBIT 5 is a governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology.

• COBIT 5 is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used.


COBIT 5 Process Reference Model

Governance and Management Processes

One of the guiding principles in COBIT is the distinction made between governance and management. In line with this principle, every organisation would be expected to implement a number of governance processes and a number of management processes in order to provide comprehensive governance and management of enterprise IT.

When considering processes for governance and management in the context of the enterprise, the difference between types of processes lies in the objectives of the processes:

• Governance processes—Governance processes will deal with the governance objectives—value delivery, risk management and resource balancing—and will include practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcome. (EDM—in line with the ISO/IEC 38500 standard concepts)

• Management processes—In line with the definition of management, practices and activities in management processes will cover the responsibility areas of plan, build, run and monitor (PBRM) enterprise IT, and they will have to provide end‐to‐end coverage of IT.

Source: COBIT5, Process Reference Guide Exposure Draft, p.13, 2011, ISACA

Complete set of 36 Governance and Management Processes within COBIT5

Source: COBIT5, Process Reference Guide Exposure Draft, p.15, 2011, ISACA

COBIT 5 Drivers

A need to link together and reinforce all major ISACA frameworks (CobiT, Val IT, Risk IT)

A need to connect to, and, where relevant, align with, other major frameworks and standards in the marketplace, such as Information Technology Infrastructure Library (ITIL®), The Open Group Architecture Forum (TOGAF), Project Management Body of Knowledge (PMBOK), PRojects IN Controlled Environments 2 (PRINCE2®) and the International Organization of Standards (ISO) standards. This will help stakeholders understand how various frameworks, best practices and standards are positioned relative to each other and how they can be used together and could augment each other.

A need for the enterprise to achieve increased:

- Value creation through enterprise IT

- Business user satisfaction with IT engagement and services

- Compliance with relevant laws, regulations and policies


Source: COBIT5, Process Reference Guide Exposure Draft, p.16, 2011, ISACA


COBIT5 Goals Cascade Overview

Source: COBIT5, Process Reference Guide Exposure Draft, p.2, 2011, ISACA


Source: COBIT5, Process Reference Guide Exposure Draft, p.4, 2011, ISACA

Enterprise Goals Mapped to Governance Objectives

The following scale applies:

- ‘P’ stands for primary, when there is an important relationship, i.e., the IT‐related goal is a primary support for the enterprise goal.

- ‘S’ stands for secondary, when there is still a strong but less important relationship, i.e., the IT‐related goal is a secondary support for the enterprise goal.


Source: COBIT5, Process Reference Guide Exposure Draft, p.215, 2011, ISACA

Mapping COBIT 5 Enterprise Goals to IT‐related Goals


Source: COBIT5, Process Reference Guide Exposure Draft, p.217, 2011, ISACA

Mapping COBIT 5 IT–related Goals to COBIT5 Processes (1)


Source: COBIT5, Process Reference Guide Exposure Draft, p.218, 2011, ISACA

Mapping COBIT 5 IT–related Goals to COBIT5 Processes (2)


COBIT 5 Organisational Structures Model

Illustrative Organisational Structures in COBIT 5

Source: COBIT5, Process Reference Guide Exposure Draft, p.76, 2011, ISACA

COBIT 5 Organisational Structures Model

Illustrative Organisational Structures in COBIT 5

Source: COBIT5, Process Reference Guide Exposure Draft, p.77, 2011, ISACA


Source: COBIT5, Process Reference Guide Exposure Draft, p.106, 2011, ISACA

Detailed process‐related information


Source: COBIT5, Process Reference Guide Exposure Draft, p.106, 2011, ISACA


Source: COBIT5, Process Reference Guide Exposure Draft, p.107, 2011, ISACA


Source: COBIT5, Process Reference Guide Exposure Draft, p.108, 2011, ISACA


MAPPING BETWEEN COBIT 5 AND LEGACY ISACA FRAMEWORKS

[Table columns: COBIT5 Governance and Management Practices | COBIT 4.1 Control Objectives | Val IT 2.0 Key Management Practices | Risk IT Management Practices]

Source: COBIT5, Process Reference Guide Exposure Draft, p.205, 2011, ISACA


Source: COBIT5, Process Reference Guide Exposure Draft, p.206, 2011, ISACA

Source: COBIT5, Process Reference Guide Exposure Draft, p.212, 2011, ISACA

Source: COBIT5, Process Reference Guide Exposure Draft, p.212, 2011, ISACA

COBIT and Other IT and Project Management Frameworks

[Figure labels: SCOPE OF COVERAGE; WHAT, HOW; Governance Layer, IT Governance Layer, IT Management Layer; frameworks shown: COBIT, VAL IT, COSO, ISO 27001, ITILV3, PMBOK, CMMI]


COMBINATION OF COBIT AND ITIL V3

OVERVIEW

Figure 8 is an overview of ITIL V3 and COBIT and highlights the differences in guidance.

(+) Significant match

(o) Minor match

(-) Unrelated or minor focus

(\) No COBIT IT process exists.


Source: COBIT® MAPPING: MAPPING OF ITIL® V3 WITH COBIT® 4.1, p.22, 2011, ISACA


COMBINATION OF COBIT AND PMBOK


OVERVIEW

Figure 12 is an overview of PMBOK and COBIT and highlights the differences in guidance.

(+) Significant match

(o) Minor match

(-) Unrelated or minor focus

(\) No COBIT IT process exists.

Source: COBIT® Mapping: Mapping of CMMI® for Development, V1.2, With COBIT® 4.1, p.28, 2011, ISACA


COMBINATION OF COBIT AND CMMI-DEV


OVERVIEW

Figure 13 is an overview of CMMI-DEV and COBIT and highlights the differences in guidance.

(+) Significant match

(o) Minor match

(-) Unrelated or minor focus

(\) No COBIT IT process exists.

Source: COBIT® Mapping: Mapping of CMMI® for Development, V1.2, With COBIT® 4.1, p.28, 2011, ISACA


ITGI’s Val IT Framework


• The Val IT framework is a comprehensive, credible and pragmatic organizing framework, with practical guidelines, principles, processes and supporting practices that help boards, executive management and other organizational leaders maximize the realization of value from IT investments.

• Proven practices and techniques for evaluating and managing investment in business change and innovation

• Val IT helps executives:

– Increase the probability of picking winners

– Increase the likelihood of IT investment success

– Reduce surprises from IT cost and delivery date overruns

– Reduce costs due to inefficient investments

Source: The Business Case Guide: Using Val IT 2.0, p.22, 2011, ISACA


Key Terms of Val IT

Portfolio: A grouping of programmes, projects, services or assets, selected, managed and monitored to optimize business return. (Note that the initial focus of Val IT is primarily interested in a portfolio of programmes. COBIT is interested in portfolios of projects, services or assets.)

Programme: A structured group of interdependent projects that are both necessary and sufficient to achieve the business outcome and deliver value. These projects could include, but not be limited to, changes to the nature of the business, business processes, the work performed by people, as well as the competencies required to carry out the work, enabling technology and organizational structure. The investment programme is the primary unit of investment within Val IT.

Project: A structured set of activities concerned with delivering a defined capability (that is necessary but NOT sufficient to achieve a required business outcome) to the enterprise based on an agreed schedule and budget.


Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.11, 2008, ISACA


Goals & Objectives

The goal of Val IT is to enable organizations to manage their investments in IT such that they deliver optimal value to the enterprise at an affordable cost and with an acceptable level of risk by:

• Identifying and clearly defining strategically aligned investment opportunities with clearly defined business outcomes

• Evaluating, prioritizing and selecting investments based upon their potential risk-adjusted value in the context of the organization’s strategic objectives

• Managing the execution of investments through their full economic life cycle such that they deliver the optimal value


Source: The Business Case Guide: Using Val IT 2.0, p.22, 2011, ISACA


An organization needs stronger governance over IT investments if:

• IT investments are not supporting the business strategy or providing expected value

• There are too many projects, resulting in inefficient use of resources

• Projects often are delayed, run over budget, and/or do not provide the needed benefits

• There is an inability to cancel projects when necessary

• It needs to ensure compliance to industry or governmental regulations

Why Val IT™?


Source: The Business Case Guide: Using Val IT 2.0, p.22, 2011, ISACA


Val IT and COBIT: A Synergistic Relationship

Val IT and COBIT provide business and IT decision makers with a comprehensive framework for the creation of value from the delivery of high-quality IT-based services. Val IT both complements COBIT and is supported by it.

Val IT takes the enterprise governance view. It helps executives focus on two of four fundamental IT governance-related questions:

‘Are we doing the right things?’ (the strategic question)

‘Are we getting the benefits?’ (the value question)

COBIT, on the other hand, takes the IT view, helping executives focus on answering the questions:

‘Are we doing them the right way?’ (the architecture question)

‘Are we getting them done well?’ (the delivery question)

7 December 2011 46

Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.11, 2008, ISACA


Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.9, 2008, ISACA


How Does Val IT Fit With/Complement COBIT?

While COBIT is a comprehensive framework for IT governance, its primary focus has traditionally been on the delivery of IT services through the effective and efficient management of IT assets. Val IT complements COBIT (see figure 2) by supporting the effective alignment, deployment and use of IT services such that they deliver optimal value to the enterprise.

Source: The Business Case Guide: Using Val IT 2.0, p.22, 2011, ISACA


Val IT is guided by a number of principles:

•IT-enabled investments will be managed as a portfolio of investments.

•IT-enabled investments will include the full scope of activities that are required to achieve business value.

•IT-enabled investments will be managed through their full economic life cycle.

•Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.

•Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.

•Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.


Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.11, 2008, ISACA


The Val IT principles are applied in three management processes:

Value Governance (VG)

Portfolio Management (PM)

Investment Management (IM)

Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.12, 2008, ISACA


How Val IT™ Works

Value Governance (VG)

• Establish informed and committed leadership.
• Align and integrate value management with enterprise financial planning.
• Define and implement processes.
• Establish effective governance monitoring.
• Define portfolio characteristics.
• Continuously improve value management practices.

Portfolio Management (PM)

• Establish strategic direction and target investment mix.
• Evaluate and select programmes to fund.
• Determine the availability and sources of funds.
• Monitor and report on investment portfolio performance.
• Manage the availability of human resources.
• Optimise investment portfolio performance.

Investment Management (IM)

• Understand the candidate programme and implementation options.
• Develop the detailed candidate programme business case.
• Develop the programme plan.
• Launch and manage the programme.
• Develop full life cycle costs and benefits.
• Update operational IT portfolios.
• Develop and evaluate the initial programme concept business case.
• Update the business case.
• Monitor and report on the programme.
• Retire the programme.

Source: The Business Case Guide: Using Val IT 2.0, p.14, 2011, ISACA


Source: Enterprise Value: Governance of IT Investments The Val IT Framework 2.0, p.16, 2008, ISACA


Source: The Business Case Guide: Using Val IT 2.0, p.12, 2011, ISACA


The Business Case

The Business Case is a detailed investment proposal that considers quantitative and qualitative evaluation factors that underlie selection of a business solution.

Use of the Business Case should provide answers to the following questions:

• Why do the project now?
• What is the impact of not doing the project?
• How does the project support the organization's goals?
• What business problem does the project solve?
• What is the financial impact?
• When will the project show results?

A business case analysis is used to compare various business solution alternatives and to provide a basis for selecting the one that delivers the greatest value to the organization and the stakeholders.

Ultimately, use of a Business Case should help the organisation prioritize its technology investments by making smart decisions, and provide the basis for evaluation of business outcomes following project closure.


The Business Case

The investment, category size, the impact if not successful, and position in the economic life cycle are factors that determine which components of the business case require greater attention and what level of detail is required. The following example illustrates an overall structure and content of a business case:

Source: The Business Case Guide: Using Val IT 2.0, p.38, ISACA, 2010


Projects, Programs, and Portfolios

Portfolio Management / Programme Management / Project Management

Portfolio – a suite of business programmes managed to optimise overall enterprise value

Programme – a structured grouping of projects designed to produce clearly identified business value

Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget


IT Project Portfolio Categorization

Two popular Project Portfolio Categorization paradigms:

The META Group Categorization

Run the Business
•The spending necessary to maintain existing operations at the existing level

Grow the Business
•The spending necessary to, for instance, provide additional automation to improve efficiency or the consolidation of data centers to reduce costs and increase competitiveness

Transform the Business
•The introduction of new areas of business, the expansion into new markets or any other radical transformation project designed to lead to significantly enhanced revenues and profits

Source: META Group, 'Portfolio Management and the CIO, Part 3', March 2002

The MIT Center for Information Systems Research (CISR)

Transformational Investments
•Information Systems to process the basic, repetitive transactions of the business
•Example: Mortgage processing, account management

Informational Investments
•Information Systems for managing and controlling the enterprise
•Example: Financial control, decision making, planning, communication

Strategic Investments
•Information Systems enabling entry into new markets and adding value by increasing competitive advantage to the business
•Example: Internet-enabled Banking, Data Center consolidation

Infrastructure Investments
•Infrastructure Systems that may not generate any direct quantifiable financial benefit themselves but they benefit the business applications that depend upon them
•Example: Network Systems replacement or major upgrade

Legislative, Regulatory or Mandatory Investments
•Projects that need to be undertaken just to stay in business by implementing the requirements of industry regulators, environmental agencies or governmental bodies
•Example: The US Sarbanes-Oxley Act of 2002 and, for financial services companies, Basel II requirements.

Source: Weill, Peter; Broadbent, Marianne; Leveraging the New Infrastructure, HBS Press 1998


Application of Project Management

Types of Work

Initiatives categorized as ‘tasks’ or ‘operational’ are not required to follow the project management methodologies. Upcoming/potential work should be analyzed to determine which category is applicable:

Task
• Small piece of work
• Independent of a project
• Lasting not longer than a few person-hours
• Involving only a few people
• Meant to accomplish a simple and straightforward goal
• May be a component of operational work
• May require change management processes
• Rated as such from the Project Complexity and Risk Assessment model

Operational
• Ongoing work to sustain or provide a service
• Change management processes applicable for non project-related changes

Project
• Temporary endeavor (defined beginning and end)
• Which uses progressive elaboration
• To create products, services, or results


Project Classification Model

Assigns a classification level to a project based on a combination of complexity and risk; this step also defines projects that require an additional level of management.

The Project Classification Model includes the most predominant factors contributing to determining the Classification Level of a project. It also includes the Project Management Processes required to successfully implement a project.

Information technology projects are managed through standardized project management practices. However, the specific processes engaged within each Project Management process group are based upon a project’s classification level.

As new project ideas and requests are brought for consideration, they must first be classified through the Project Complexity and Risk Assessment model, which scores factors that define a project’s complexity and risk.

The Classification Matrix uses this information to determine the Classification Level of a project.


Project Complexity and Risk Assessment Criteria


Classification Matrix

The Classification Matrix uses this information to determine the Classification Level of a project.

Complexity   High risk   Medium risk   Low risk
Complex      Level 1     Level 1       Level 2
Medium       Level 1     Level 2       Level 3
Small        Level 2     Level 3       Level 3


Classification Level

Classification level one (1) indicates that risk will play a very crucial role throughout the project development, planning, implementation, and closeout. A more detailed analysis and documentation of procedures are required to avoid, mitigate, and transfer risks associated with the project.

Level two (2) denotes less complex projects with medium-to-low risk, and risk is handled as a key project component that influences development, planning, implementing, and closeout.

Level three (3) identifies risk as a consideration in development, planning, implementing and is particularly important in the closeout stage.

Based on the risks identified through the Project Classification process, a project's risk score is used to help assess the Classification Level (Level 1, Level 2, Level 3) of the project and indicate the project management processes required for the project.

The classification level of a project will determine the project management methodologies (Project Management Process Group Processes) required or recommended for each phase of the project lifecycle.


PROJECT CLASSIFICATION

Requirements by Project Level

Level 1

Project Initiation
• Identify Project Sponsor
• Identify Initial Project Team
• Develop Project Charter
• Conduct Project Kick-off Meeting
• Establish Project Repository
• Define Project Scope
• Develop High-Level Schedule
• Identify Quality Standards
• Establish Project Budget
• Document Risks
• Identify and Document Stakeholders' Involvement
• Develop Communications Plan
• Compile All Information to produce the Initial Project Plan
• Review/Refine Business Case
• Gain Approval Signature from Project Sponsor

Project Planning
• ………
• ………

Level 2

Project Initiation
• Identify Project Sponsor
• Identify Initial Project Team
• Develop Project Charter
• Conduct Project Kick-off Meeting
• Establish Project Repository
• Define Project Scope
• Develop High-Level Schedule
• Establish Project Budget
• Identify and Document Stakeholders' Involvement
• Develop Communications Plan
• Compile All Information to produce the Initial Project Plan
• Review/Refine Business Case

Project Planning
• ………
• ………

Level 3

Project Initiation
• Identify Initial Project Team
• Develop Project Charter
• Conduct Project Kick-off Meeting
• Develop High-Level Schedule

Project Planning
• ………
• ………


Program/Project Portfolio Management Process

[Figure: process flow diagram with columns Who, Input and Output, and stages Gate 1, Gate 2, Project Reviews and Gate 3]

Process steps shown in the figure:

1. Create Project Proposal
2. Gate 1 - Approve project proposal?
3. Incorporate into Budgeting Process
4. End/Suspend or Replan PP/BC
5. Develop Business Case
6. Gate 2 - Authorize Implementation?
7. Analyze Portfolio & Recommend Project Priorities
8. Prioritize Project Portfolio
9. Implement & Manage Project
10. Review Project
11. Realize Benefits
12. Close Project

Who: Portfolio/Program/Project Management Office (PMO); Decision Board; Business Leaders, Sponsors; Finance

Other labels in the figure: Processing; Budgeting Process

Items listed in the figure:

• Project Idea, Project Guidelines, Project Status, Budgets, Financial Assumptions, Risks, Resources, Results, Benchmark Results, Policies, Procedures, Standards
• Project Decision Criteria, Project Guidelines, Strategic Plans, Budgets, Mergers, Acquisitions & Divestitures, Market, Industry Trends, Process Tools, Templates & Guides


Mapping the Project Management and System Development Lifecycles

PROJECT MANAGEMENT LIFECYCLE
• PROJECT ORIGINATION
• PROJECT INITIATION
• PROJECT PLANNING
• PROJECT EXECUTION & CONTROL
• PROJECT CLOSE

SYSTEM DEVELOPMENT LIFECYCLE
• SYSTEM INITIATION
• SYSTEM REQUIREMENTS ANALYSIS
• SYSTEM DESIGN
• SYSTEM CONSTRUCTION
• SYSTEM ACCEPTANCE
• SYSTEM IMPLEMENTATION


PROJECT MANAGEMENT LIFE CYCLE WORK BREAKDOWN STRUCTURE

Project Origination
• Develop Project Proposal
• Develop Business Case
• Evaluate Project Proposals
• Select Projects

Project Initiation
• Prepare for the Project
• Define Cost Schedule Scope Quality
• Perform Risk Identification
• Develop Initial Project Plan
• Confirm Approval to Proceed to Next Phase

Project Planning
• Conduct Project Planning Kick-Off
• Refine Cost Schedule Scope Quality
• Perform Risk Assessment
• Refine Project Plan
• Confirm Approval to Proceed to Next Phase

Project Execution and Control
• Conduct Project Execution and Control Kick-Off
• Manage Cost Schedule Scope Quality
• Monitor and Control Risks
• Manage Project Execution
• Gain Project Acceptance

Project Close
• Conduct Post-Implementation Review
• Perform Administrative Close

SYSTEM DEVELOPMENT LIFECYCLE


BUSINESS PROCESSES DIVISION & INFORMATION TECHNOLOGY DIVISION

Project Management Life Cycle (PMLC)

VOLUME 1: Introduction to the PMLC

VOLUME 2: PMLC Phases

VOLUME 3: Glossary and Acronyms

VOLUME 4: Templates


Table of Contents

VOLUME 1

INTRODUCTION

OVERVIEW

______________

VOLUME 2

PROJECT ORIGINATION

1.1 Develop Project Proposals

1.1.1 Develop Business Case

1.1.2 Develop Proposed Solution

1.2 Evaluate Project Proposals

1.2.1 Present Project Proposals

1.2.2 Screen Project Proposals

1.2.3 Rate Project Proposals

1.3 Select Projects

1.3.1 Prioritize Project Proposals

1.3.2 Choose Projects

1.3.3 Notify Project Sponsors

PROJECT INITIATION

2.1 Prepare for the Project

2.1.1 Identify Project Sponsor

2.1.2 Identify Initial Project Team

2.1.3 Review Historical Information

2.1.4 Develop Project Charter

2.1.5 Conduct Project Kick-off Meeting

2.1.6 Establish Project Repository

2.2 Define Cost Schedule Scope Quality

2.2.1 Define Project Scope

2.2.2 Develop High-Level Schedule

2.2.3 Identify Quality Standards

2.2.4 Establish Project Budget

2.3 Perform Risk Identification

2.3.1 Identify Risks

2.3.2 Document Risks

2.4 Develop Initial Project Plan

2.4.1 Identify and Document Stakeholders' Involvement

2.4.2 Develop a Communications Plan

2.4.3 Compile All Information to Produce Initial Project Plan

2.5 Confirm Approval to Proceed to Next Phase

2.5.1 Review/Refine Business Case

2.5.2 Prepare for Formal Acceptance

2.5.3 Gain Approval Signature From Project Sponsor


PROJECT PLANNING

3.1 Conduct Project Planning Kick-Off

3.1.1 Identify New Project Team Members

3.1.2 Review Outputs of Project Initiation and Current Project Status

3.1.3 Kick-Off Project Planning

3.2 Refine Cost Scope Schedule Quality

3.2.1 Refine Project Scope

3.2.2 Refine Project Schedule

3.2.3 Refine/Define Quality Standards and Quality Assurance Activities

3.2.4 Refine Project Budget

3.3 Perform Risk Assessment

3.3.1 Identify New Risks, Update Existing Risks

3.3.2 Quantify Risks

3.3.3 Develop Risk Management Plan

3.4 Refine Project Plan

3.4.1 Define Change Control Process

3.4.2 Define Acceptance Management Process

3.4.3 Define Issue Management and Escalation Process

3.4.4 Refine Communications Plan and Define Communications Management Process

3.4.5 Define Organizational Change Management Plan

3.4.6 Establish Time and Cost Baseline

3.4.7 Develop Project Team

3.4.8 Develop Project Implementation and Transition Plan

3.5 Confirm Approval to Proceed to Next Phase

3.5.1 Review/Refine Business Case

3.5.2 Prepare Formal Acceptance Package

3.5.3 Gain Approval Signature from Project Sponsor

PROJECT EXECUTION AND CONTROL

4.1 Conduct Project Execution and Control Kick-Off

4.1.1 Orient New Project Team Members

4.1.2 Review Outputs of Project Planning and Current Project Status

4.1.3 Kick Off Project Execution and Control

4.2 Manage Cost Scope Schedule Quality

4.2.1 Manage Project Scope

4.2.2 Manage Project Schedule

4.2.3 Implement Quality Control

4.2.4 Manage Project Budget

4.3 Monitor and Control Risks

4.3.1 Monitor Risks

4.3.2 Control Risks

4.3.3 Monitor Impact on Cost Scope Schedule Quality


4.4 Manage Project Execution

4.4.1 Manage Change Control Process

4.4.2 Manage Acceptance of Deliverables

4.4.3 Manage Issues

4.4.4 Execute Communications Plans

4.4.5 Manage Organizational Change

4.4.6 Manage the Project Team

4.4.7 Manage Project Implementation and Transition

4.5 Gain Project Acceptance

4.5.1 Conduct Final Status Meeting

4.5.2 Gain Acceptance Signature from Project Sponsor

PROJECT CLOSE

5.1 Conduct Post-Implementation Review

5.1.1 Solicit Feedback

5.1.2 Conduct Project Assessment

5.1.3 Prepare Post-Implementation Report

5.2 Perform Administrative Closeout

5.2.1 Update Skills Inventory and Provide Performance Feedback

5.2.2 Archive Project Information

______________

VOLUME 3

GLOSSARY & ACRONYMS

_______________

VOLUME 4

TEMPLATES


SYSTEM DEVELOPMENT LIFE CYCLE WORK BREAKDOWN STRUCTURE

System Initiation
• Prepare System Initiation Environment
• Validate Proposed Solution
• System Schedule

System Requirements Analysis
• Prepare Requirements Analysis Environment
• Determine Business Requirements
• Define Business Process Model
• Define Logical Data Model
• Reconcile Business Requirements with Models
• Produce Functional Specification

System Design
• Prepare System Design Environment
• Define Technical Architecture
• Define System Standards
• Create Physical Database
• Prototype System Components
• Produce Technical Specifications

System Construction
• Prepare System Construction Environment
• Refine System Standards
• Develop, Test and Validate (Unit Level)
• Conduct Integration and System Testing
• Produce User and Training Materials
• Produce Technical Documentation

System Acceptance
• Prepare System Acceptance Environment
• Validate Data Initialization and Conversion
• Perform Acceptance Test
• Refine Supporting Material

System Implementation
• Prepare System Implementation Environment
• Deploy System
• Transition to Support Operational System

PROJECT MANAGEMENT LIFECYCLE


BUSINESS PROCESSES DIVISION & INFORMATION TECHNOLOGY DIVISION

System Development Life Cycle (SDLC)

VOLUME 1: Introduction to the SDLC

VOLUME 2: SDLC Phases

VOLUME 3: Glossary and Acronyms

VOLUME 4: Templates


Table of Contents

VOLUME 1

INTRODUCTION

OVERVIEW

______________

VOLUME 2

1 SYSTEM INITIATION
1.1 Prepare for System Initiation
1.2 Validate Proposed Solution
1.3 Develop System Schedule

2 SYSTEM REQUIREMENTS ANALYSIS
2.1 Prepare for System Requirements Analysis
2.2 Determine Business Requirements
2.3 Define Process Model
2.4 Define Logical Data Model
2.5 Reconcile Business Requirements with Models
2.6 Produce Functional Specification

3 SYSTEM DESIGN
3.1 Prepare for System Design
3.2 Define Technical Architecture
3.3 Define System Standards
3.4 Create Physical Database
3.5 Prototype System Components
3.6 Produce Technical Specifications

4 SYSTEM CONSTRUCTION
4.1 Prepare for System Construction
4.2 Refine System Standards
4.3 Develop, Test and Validate (Unit Level)
4.4 Conduct Integration and System Testing
4.5 Produce User and Training Materials
4.6 Produce Technical Documentation

5 SYSTEM ACCEPTANCE
5.1 Prepare for System Acceptance
5.2 Validate Data Initialization and Conversion
5.3 Test, Identify, Evaluate, React
5.4 Refine Supporting Materials

6 SYSTEM IMPLEMENTATION
6.1 Prepare for System Implementation
6.2 Deploy System
6.3 Transition to Support Operational System

______________

VOLUME 3

GLOSSARY & ACRONYMS

_______________

VOLUME 4

TEMPLATES


NBG BPO DIVISION Enterprise Business and IT Process Architecture

IT Governance Supporting Tools


NBG IS DIVISION Project Management Portal


The Fundamental Question

Are we maximizing the value of our IT-enabled business investments such that:

• we are getting optimal benefits;

• at an affordable cost; and

• with an acceptable level of risk?

Over the full economic life-cycle of the investment


IT RELATED GOALS AND METRICS

Having a Robust and well run Program/Project Management Methodology is not a Silver Bullet! What about the Metrics and the Realized Benefits?

IT-RELATED GOALS

• Realized benefits from IT enabled investments and services portfolio
• Delivery of programmes on time, on budget, and meeting requirements and quality standards

IT-RELATED GOAL METRICS

• Percent of IT-enabled investments where benefit realization monitored through full economic lifecycle
• Percent of IT services where expected benefits realised
• Percent of IT-enabled investments where claimed benefits met or exceeded
• Number of programmes / projects on time and within budget
• Percent of stakeholders satisfied with programme / project quality
• Number of programmes needing significant rework due to quality defects
• Cost of application maintenance vs. overall IT cost


A Structured Approach

IT-enabled investments can bring huge rewards, but only with the right governance and management processes and full engagement from all management levels.

Using a Comprehensive IT Governance Framework:

The COBIT5 Framework.

A governance and management framework for information and related technology that starts from stakeholder needs and creates optimal value by maintaining a balance amongst realizing benefits, managing risk and balancing resources is about to be released.

The Val IT 2.0 Framework.

A comprehensive, proven, practice-based structured governance framework that can provide boards and executive management teams with practical guidance in making IT investment decisions and using IT to create enterprise value can be used.

The CobiT 4.1 Framework.

A comprehensive, proven, structured framework that can provide boards and executive management teams with information about the delivery of IT services through the effective and efficient management of IT assets can be used.

The Risk IT Framework.

A comprehensive, structured framework that provides board and executive management teams with practical guidance in making decisions to balance risk and reward for all IT systems matters can be used.


The Challenge

Frameworks and best practices like CobiT don't work as an off-the-shelf product. They must be adapted and customized to suit the organization's culture and operating style.

Strong leadership is, of course, imperative, and not only from the CIO: other leaders, such as senior executives, must all be visibly committed to championing the value that IT and IT governance can deliver to the enterprise.


The Ingredients of Success

The key to realizing the true potential of IT-enabled business investments is to recognize that the organization is implementing change—not technology.

The intelligent and disciplined implementation of the best practices contained within COBIT and Val IT will make a significant contribution to enterprises realizing value from their IT-enabled business investments.

Val IT, together with COBIT, enables such an approach by ensuring that investments are aligned with the enterprise's strategic objectives, that a complete and comprehensive business case is developed, that there is appropriate accountability and relevant metrics, and that the business case is managed through the full economic life cycle of the investment.

The IT governance process, to be successful, needs visibility, leadership and commitment from the top.


Questions?
