RP_IT Consulting and Audit_121116_17_v1.0

Date post: 25-Jul-2015
Upload: rosario-piazzese
Page 1: RP_IT Consulting and Audit_121116_17_v1.0

Testing, evaluation and auditing of information systems

IT Consulting and IT Audit best practices

Page 2: RP_IT Consulting and Audit_121116_17_v1.0

Index and Content
• DEFINITIONS
• CONSULTING AND THE MARKETSHARE
• ICT MANAGEMENT CONSULTING
• IT GOVERNANCE
• IT SERVICE MANAGEMENT, ORGANISATION AND PROCESSES
• AUDIT, IS AUDIT, IT AUDIT
• ADVISORY: WHEN AUDIT BECOMES CONSULTING

13/11/2012 2

Page 3: RP_IT Consulting and Audit_121116_17_v1.0

References
• ITIL is a Registered Trade Mark and a Registered Community Trade Mark of the Office of Government Commerce (UK), and is Registered in the U.S. Patent and Trademark Office.
• IT Infrastructure Library is a Registered Trade Mark of the Office of Government Commerce (UK).
• BSC is a Registered Trade Mark of R. S. Kaplan and D. P. Norton.
• EVM is a Registered Trade Mark of Deloitte.
• PRINCE2 is a Trade Mark of the Office of Government Commerce (UK).
• PMI, PMP and PMBOK are registered marks of the Project Management Institute Inc.
• COBIT is a Registered Trade Mark of ISACA.
• CMMI is a Registered Trade Mark of Carnegie Mellon University.
• Six Sigma is a Registered Trade Mark of Motorola Inc.

Page 4: RP_IT Consulting and Audit_121116_17_v1.0

Rosario Piazzese

With about 23 years of experience in the biggest IT Management Consulting firms, I now provide high value added professional services supporting companies needing help with:

– IT Management
– IS Audit
– Governance, Risk and Compliance (GRC)
– Partner, technology and software selection
– Outsourcing and Off Shoring Strategies
– Regulatory Compliance
– International standards (ISO 27001, ISO 20000, SAS 70, etc.)
– Business Process Reengineering and Process Automation
– Business Continuity and Disaster Recovery

Born in 1967, I began my consulting and audit experience in ICT consulting firms at the beginning of the '90s, with Microsoft Certified Partners like Avanade (Accenture group). I joined IDC in 2001 as Manager in charge of the Management & Technology Practice of IDC EMEA Consulting, with a specific focus on IT Governance, IT Audit (Security and Risk Mgmt), Business Continuity and Disaster Recovery strategies and planning. I joined Key Partners in 2004 as Manager. In 2006, after the acquisition, I entered the Deloitte network as Senior Manager. I took part in IT Audit, ICT Governance, Business Continuity, Disaster Recovery, Business Process Reengineering and analysis and organizational design projects, with a strong specialization in Audit, Governance, Risk Mgmt and Security. I was in charge of the IT Governance and Security Competence Centre of the Deloitte Consulting FSI Business Area in Italy. I was involved, as Partner at The Innovation Group and CEO & Founder of ISAS Group, as project manager or subject matter expert in projects dealing with the definition of ICT Governance and ICT Security functions' roles. I'm in charge as Consulting Director of THINK!, an Italian think tank focused on new technologies and their social impacts (www.thinkinnovation.org). As trainer and freelance consultant I'm now focused on developing offerings on new Cloud, Mobile & Social Strategies and delivering high value added support on IT Governance & Management topics, particularly related to ITIL and COBIT topics in Change and Release Management processes, BPR and sourcing models.

My main skills are:

– ICT Governance (ITIL V2 and V3, COBIT, CMMI)
– Business Continuity and ICT Risk Management (BCI, NIST, BS 7799, ISO 27001)
– Certified Information System Auditor (CISA)
– Certified in Governance of Enterprise IT (CGEIT)
– Lead Auditor 27001
– CMMI SCAMPI Team Member


Page 5: RP_IT Consulting and Audit_121116_17_v1.0

DEFINITIONS


Page 6: RP_IT Consulting and Audit_121116_17_v1.0

Agenda

• STRATEGY CONSULTING
• MANAGEMENT CONSULTING
• IS CONSULTING vs ICT CONSULTING
• ADVISORY, QUALITY ASSURANCE, AUDIT


Page 7: RP_IT Consulting and Audit_121116_17_v1.0

Consultancy

Consultancy is the professional performance of a consultant, an individual with certified experience and practice in a field of knowledge, who advises and assists his client on his activities, through the provision of information and opinions.


Page 8: RP_IT Consulting and Audit_121116_17_v1.0

Consultancy

The consultant's duty is therefore, once the client delivers the elements at hand, to add those factors deriving from his competence, knowledge and professionalism that will allow for development in the desired direction. In this context the trust between the parties is crucial. This trust can be based on an established relationship, on the consultant's reputation or on the academic and professional titles he acquired.


Page 9: RP_IT Consulting and Audit_121116_17_v1.0

IT Consulting

• "IT Consulting" or "Business and Technology Consulting" is the professional performance of one or more field experts, who give companies suggestions on how best to use Information Technology in order to achieve the business objectives. Besides pure consulting the professional, most of the time, implements, designs, administers and monitors the information system. The IT consulting sector can be divided into 3 main categories:

• Professional services. These are companies with many consultants and high billing tariffs. These companies look for workforce especially in nations with a very low cost of labor.

• "Staffing" companies. These companies work by providing their clients with one or more consultants on a temporary basis. These companies are called «body shops» in negative terms. Such companies, although geographically limited by the client's location, are distinguished from others by the fact that they usually don't charge on the basis of projects or achieved goals, but on the days worked by their consultants at the customer site.

• Independent consultants that work on contract or totally autonomously, and are paid hourly or per project.

• The difference between IT Consulting and Management Consulting is slight. There are often overlaps, although IT Consultants generally have a degree in Informatics, Electronics or Engineering, while Management Consultants have a degree in Business Administration, Economics, Commerce, Financial Sciences or similar.


Page 10: RP_IT Consulting and Audit_121116_17_v1.0

Management Consulting

By Management Consulting we mean consulting activities related to the improvement of company performance through processes of analysis, problem identification, planning and roadmap development that can regard the organization, the processes, policies, relations, etc. Management Consulting, depending on the scope of intervention, is divided into various subcategories, for example:
• IT consulting
• Business advisory services
• Operations management
• Strategy consulting
• HR consulting


Page 11: RP_IT Consulting and Audit_121116_17_v1.0

What is IT Management Consulting?

1. It is a service based on knowledge (specialized or not) and experience accumulated by the consultant, in order to solve business problems satisfying the client's explicit or implicit needs.

2. IT Management Consulting can be divided into 2 great sub-categories: specialized consultancy that relates to specific content, and process consulting, both based on replicable practices.

3. In the following part we will focus on consulting related to businesses and executives (management consulting) rather than technical-specialized consultancy related to products and technologies.


Page 12: RP_IT Consulting and Audit_121116_17_v1.0

There are various types of consultancy:

• Strategic
– Strategic Goal Management, mid-long term plans
– Strategy implementation levers
– Bain & Co - BCG - McKinsey - Monitor
– Other niches

• Operations
– Operational functioning of processes/functions, achieving goals
– Re-engineering, outsourcing, supply-chain etc.
– Accenture - Deloitte
– Cap Gemini - KPMG


Page 13: RP_IT Consulting and Audit_121116_17_v1.0

Segmentation by function

• IT
– System design and requirements
– Systems development and implementation
– IBM - Reply / Engineering - Accenture - HP

• HRM
– Strategic alignment of personnel functions
– Training, culture change, skills management
– Accenture - PWC - Mercer - AT Kearney


Page 14: RP_IT Consulting and Audit_121116_17_v1.0

Management Consulting & IT

• All IT management consultants must be knowledgeable and capable in using IT in the various business functions of the client company.

• IT is also an important tool for many aspects and activities that characterize management consulting, such as strategic planning analysis, project management, data analysis in marketing and commercial consulting, etc.

• The IT consulting industry has always been very fragmented by competition, and also after the growth period experienced during the internet bubble of the years 2000-2001, it remained an industry characterized by low levels of concentration, if we consider the big companies only marginally.


Page 15: RP_IT Consulting and Audit_121116_17_v1.0

Strategy Consulting

• By Strategy Consulting we mean that set of activities mainly directed to understanding where the client company should position itself on the market (the strategy) and how to reach the placement that is considered optimal (strategic plan).

• For this reason Strategy Consultants work directly with company executives to support them in the most critical decision processes, thanks to the competences they should possess, like the ability to identify evolving markets and technologies, environmental changes and other analytical skills, with the objective of increasing stakeholders' return.

• Examples of questions directed to Strategy Consultants are:
– Should Tesco's take over its nearest competitor?
– Should Ford focus on high-value, niche, or cheap, mass-market cars?
– Should Accenture sell off its Indian operations?
– Should Nokia launch a disposable mobile phone?


Page 16: RP_IT Consulting and Audit_121116_17_v1.0

IS vs ICT Consulting

• Information System Consultants analyze, design and develop business solutions based on information systems. The pervasiveness of computer systems in the various company functions adds value to this professional figure.

• Information Systems Development mainly goes through the following 5 steps:
– Preliminary analysis
– Detailed requirement and system analysis
– System analysis and design
– Development and system testing
– System implementation, evaluation and maintenance

• By ICT Consulting we mean all those consulting activities aimed at achieving the business goals of the client company aided by Information and Communication Technologies. This activity is based on the evaluation of the client company's IT strategy and the development of an improvement plan for the information system in use, making sure the adopted technologies are aligned with business processes and needs during the whole period from plan conception to implementation.


Page 17: RP_IT Consulting and Audit_121116_17_v1.0

Advisory, Quality Assurance and Audit

• By Advisory we mean that set of professional services aimed at advising client companies on investments. The professional advisor possesses important knowledge regarding the investment field in question and assists his client on the basis of considerations about risk tolerance, scheduling requirements, performance objectives, etc., in order to evaluate which class of assets is best suited to satisfying a particular business need.

• Quality assurance is a process-oriented approach aimed at assuring that the quality requirements of the product/service are respected. It is therefore a process improvement activity, not to be confused with quality control, which is instead concerned with output analysis.

• Audit is an activity that determines, through investigation, the adequacy and compliance of a process or organization with given procedures, operational instructions, specifications, standards and other functional requirements, and verifies their application in practice.


Page 18: RP_IT Consulting and Audit_121116_17_v1.0

CONSULTING AND THE MARKETSHARE


Page 19: RP_IT Consulting and Audit_121116_17_v1.0

Agenda

• ICT Consulting Business Models
• ICT Consulting Service Models
• Job Opportunities
• Big Players, Regional/Local Players
• Specialised vs General Purpose
• What about System Integration
• Audit and Advisory: Differences in Business and Service Models on the Marketshare

Page 20: RP_IT Consulting and Audit_121116_17_v1.0

Business – IT Maturity Model


Page 21: RP_IT Consulting and Audit_121116_17_v1.0

Consulting “products”

Date   Product                 Consultant          Organisation
1976   Portfolio Analysis      Henderson           BCG
1980   Five Forces             Porter              Monitor / Harvard
1985   Value Chain Analysis    Hamel & Prahalad    Strategos / Harvard
1998   TQM                     Peters & Waterman   MIT
1990   Core Competencies       Reichheld           Bain & Co.
1993   BPR                     Hammer & Champy     CSC
1993   Economic Added Value    Stewart             Stern Stewart

Products have a name, a methodology, an application and lots of Consultants and Products are often “fads”

Page 22: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance & IT Service Mgmt (1/2)

R. Peterson, "Integration Strategies and Tactics for Information Technology Governance", in Strategies for Information Technology Governance, Ed. Wim Van Grembergen, Idea Group Publishing, 2003

• The evolution of IT organizations from technology providers into service providers requires taking a different perspective on IT management. IT Service Management puts the services delivered by IT at the center of IT management and is commonly defined as:

"A set of processes that cooperate to ensure the quality of live IT services, according to the levels of service agreed to by the customer. It is superimposed on management domains such as systems management, network management, systems development, and on many process domains like change management, asset management and problem management."

• The difference between IT Service Management and IT Governance has been subject to confusion and myths. Peterson provides us with a clear insight into the differences between these two notions:

"Whereas the domain of IT Management focuses on the efficient and effective supply of IT services and products, and the management of IT operations, IT Governance faces the dual demand of contributing to present business operations and performance, and transforming and positioning IT for meeting future business challenges."

Page 23: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance & IT Service Mgmt (2/2)

[Figure: 2x2 matrix. Horizontal axis: Time Orientation (Present / Future); vertical axis: Business Orientation (Internal / External). IT Service Management is placed toward Present / Internal, IT Governance toward Future / External, following Peterson's distinction on the previous slide.]

Page 24: RP_IT Consulting and Audit_121116_17_v1.0

Who is the Management Consultant?

1. The best is not always the most brilliant one, or a superman.

2. Not all those with an MBA or a business and technology background become good consultants.

3. They aren’t Magicians or Sorcerers, but curious persons that study and work hard.

Page 25: RP_IT Consulting and Audit_121116_17_v1.0

Types of IT consulting projects

1. Advice Provisioning: which is the IT system/solution that best fits my needs?

2. Design: how do I structure the solution?

3. Implementation: make the system I built work in the best of ways for all the interested users.

4. Management Support: I help you manage the function and the persons that use the system.

Page 26: RP_IT Consulting and Audit_121116_17_v1.0

The Client – Consultant Relationship

• What it is

• How to manage it

• Success criteria

Page 27: RP_IT Consulting and Audit_121116_17_v1.0

The Consulting lifecycle

• Initial Contact
• Project Definition
• Initial Analysis
• Formal Proposal
• Contract
• Project Implementation
– Data Collection
– Data Analysis
– Decisions / Plan
– Intervention
• Review

[Figure: lifecycle flow: Initial Contact → Definition → Proposal & Contract → Data Collection → Data Analysis → Decision-making, Planning → Intervention → Disengaging → Review]

Page 28: RP_IT Consulting and Audit_121116_17_v1.0

Working with Clients

• Define the project
– Stimulate, discover and qualify the client's needs.
– Identify the Key Decision Makers and stakeholders

• Build interest and “tempt” the Client

• Successful projects
– Contracts, contracts, contracts
– Clear goals, roles and procedures
– Boilerplating & reuse
– Measurable quick wins
– Solid conclusions
– Not only the project, but also the person must be remembered

Page 29: RP_IT Consulting and Audit_121116_17_v1.0

Consultancy Marketing

1. Identify an opportunity
• External threats
• Copy others
• Lag behind: benchmarks
• New opportunities

2. Consultancy Marketing
• Links with academies/Business Schools (HBS, MIT, Sloan, etc.)
• Links to institutional conferences
• Publications: books, journals, press, web

3. Be recognized
• Free surveys / research
• ‘Solution’ stories
• References

Page 30: RP_IT Consulting and Audit_121116_17_v1.0

Some basic consulting principles

• Focus on the relation:
– Understand the client company's and all stakeholders' expectations and personality

• Clearly defined roles:
– Do a good job defining roles and responsibilities for the client, stakeholders and the consulting team

• Help the client see the end of works from the beginning:
– Clear goals

• The consultant suggests and the client decides

• Always be result oriented

Page 31: RP_IT Consulting and Audit_121116_17_v1.0

What an IT consultant must avoid doing

Page 32: RP_IT Consulting and Audit_121116_17_v1.0

Links to some websites
www.accenture.com
www.mckinsey.com
www.reply.com
www.kpmg.com
www.ibm.com
www.capgemini.com

Page 33: RP_IT Consulting and Audit_121116_17_v1.0

The role of skills

Hard Skills
• Technical skills
• Market skills
• Methodological skills

Soft Skills
• Relational skills
• Analytic skills
• Standing
• Interrelations
• Evolving vision

Page 34: RP_IT Consulting and Audit_121116_17_v1.0

Consulting company models

Pyramid Companies (Big four)
Silos model: The pyramids repeat and overlap by LOB/Partner
[Figure: four Competence Centre blocks side by side]

Services companies
Matrix model: Skills vs markets

Products
• Technological
• Solutions

Professional Services
• System Integration
• Product Management

Consulting
• Product
• Market

ICT companies
Product Company Model: Consulting as integrator / expander of the offering portfolio

Page 35: RP_IT Consulting and Audit_121116_17_v1.0

Operational metrics of the consultancy company

IT Consulting Fee Levels and Utilization Rates
• Book and realized fee rates
• Target and actual utilization rates
• Service type and career levels analyzed

Compensation in IT Consulting
• Salary levels across the profession
• Annual bonus analysis

IT Consulting Firm Operational Benchmarks (call for details)
• Revenue per professional
• Leverage ratios
• Firm operating costs

• Source: Kennedy Research

Page 36: RP_IT Consulting and Audit_121116_17_v1.0

Expertise depth: Skills and knowledge base

Wide range of general consultancy skills

Skills:
• High interpersonal skills
• Great ability in presenting content
• Excellent report writing

Knowledge:
• General or specialized business knowledge
• Methods/Practices & Frameworks
• In-depth specific skills: functional, technological or process based

Skills profile: breadth and depth

Page 37: RP_IT Consulting and Audit_121116_17_v1.0

Average base salaries (UK – 2009)

• Graduate £20 – 26k
• Junior Project Leader £30 – 35k
• Team Leader £40 – 60k
• Senior Consultant £60 – 80k
• Principal Consultant £70 – 100k
• Partner £100k +

+ 10 – 20% bonus
+ car
+ benefits

• Some niches can offer higher salaries

Page 38: RP_IT Consulting and Audit_121116_17_v1.0

HOW THE CONSULTANTS JOB CHANGED

Page 39: RP_IT Consulting and Audit_121116_17_v1.0

Problems with Consulting Today: the “Ivory Tower” Approach is Inefficient

The Internet has Opened up Research that was once the Domain of Consulting Firms

Page 40: RP_IT Consulting and Audit_121116_17_v1.0

Level the Consultant Client Relationship

Don’t Dictate

Collaborate

Page 41: RP_IT Consulting and Audit_121116_17_v1.0

ICT MANAGEMENT CONSULTING


Page 42: RP_IT Consulting and Audit_121116_17_v1.0

Agenda

• IS Strategy and Strategic Alignment Models

• From Business into IT: Balanced Scorecard and Cascade Models


Page 43: RP_IT Consulting and Audit_121116_17_v1.0

IS STRATEGY AND STRATEGIC ALIGNMENT MODELS


Page 44: RP_IT Consulting and Audit_121116_17_v1.0

Aligning IT to Business Strategy (1/3)

• The market context, the business needs and the organizational models typically represent a unitary model for businesses.

• IT, and more particularly the process of selection of an informatics solution, often act as independent variables with respect to this context, exclusively bounded by cost control logics.

• In reality the increasingly binding need of tying the IT strategic model to business strategies and consequent organizational implications, makes the presence of a model of constant strategic alignment between IT and business indispensable, one that may also address the choices of acquisition of new solutions.

Page 45: RP_IT Consulting and Audit_121116_17_v1.0

Aligning IT to Business Strategy (2/3)

• Strategic alignment does not refer to the correct transfer of business requirements to IT functions so that decisions and choices are correctly addressed (a relevant aspect, but not the central one). It rather refers to the need to build a model that does not simply derive IT strategies from business strategies but, on the contrary, allows them to be defined at the same time, in a non-hierarchical but synergistic context, suited to identifying and correctly representing needs even before requirements.

Page 46: RP_IT Consulting and Audit_121116_17_v1.0

Aligning IT to Business Strategy (3/3)

• The following graph shows how different business sectors perceive the importance of alignment between IT and corporate strategy.

IT Governance Status Report, 2008

Page 47: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (1/9)

• The identification of the relationship model that links the role of IT to business requires a clear definition of the business strategies themselves, critical success factors and metrics of measurement.

• It is complex to define precisely the role of IT in the absence of a strategic and operative business analysis model, whether it is built in a Balanced Score Card (BSC) logic or with the support of tools of greater detail like the Enterprise Value Map (EVM).

Page 48: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (2/9)

• When it is possible to define the strategic business model with enough detail, it is also possible to define:
– the strategic alignment logics between IT and business;
– the processes of alignment, transferring business objectives via BSC or EVM™ and supporting the creation of an IT BSC.

• In order to establish IT's role with respect to the business in a proper and relatively simple manner, it is often useful to apply Henderson and Venkatraman's Strategic Alignment Model (SAM).

Page 49: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (3/9)

• The Strategic Alignment Model provides a structured mechanism for setting the alignment between business and IT according to different points of view. The model is based on the concepts of strategic correspondence (strategic fit) and functional integration (see figure below). Strategic correspondence aims to emphasize that IT strategies should take into account the positioning of IT on the market and the way in which the IT infrastructure should be designed and managed. The concept of strategic correspondence can also be applied to the company's business component.

Page 50: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (4/9)

• Functional integration can be observed both from a strategic point of view and from an operational point of view. Adopting a strategic perspective, it constitutes the link between business strategy and IT strategy, and reflects the general belief that IT has emerged as a strategic competitive factor with respect to the market and competition.

• Operational integration addresses the links between the organizational infrastructure and business processes on one side and the IT infrastructure and IT processes on the other.

Page 51: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (5/9)

• Starting from a model of relationships between strategic and operational components and between business and IT components, the Henderson-Venkatraman model allows us to identify several possible alignment scenarios, articulating them in a number of organizational, functional and economic-financial characteristics, as shown in the following figure.

Source: The Innovation Group

[Figure: Strategic Alignment Model. Upper row: Business strategy and IT Strategy, both exposed to the Business and Technology External Environment (stimulation / opportunity). Lower row: Organizational infrastructure and Business processes; Technologic infrastructure and IT processes and systems. Arrows labelled Needs and Answers link the strategy level and the infrastructure level on each side.]

Page 52: RP_IT Consulting and Audit_121116_17_v1.0

IT placement guidelines (1/2)

The Strategic Alignment Model considers four different approaches to the modes of interaction and alignment between the Business and IT components within the overall corporate framework.

DRIVER: BUSINESS STRATEGY

IT as a business strategy executor (Business Strategy → Organisational Infrastructure → IT Infrastructure)
<<Business strategy is the driver both for the definition of the organizational infrastructure and for the definition of the IT infrastructure. In this scenario, the IT components are addressed to support the business objectives, researching effective and efficient solutions based on the indications reported in the business strategy>> (*)
The IT component serves as a cost center. (**)

IT as business alignment enabler (Business Strategy → IT Strategy → IT Infrastructure)
<<Business strategy is the driver to which IT strategy is aligned in order to achieve business objectives. Compared to the previous approach, the organizational infrastructure is not binding and the IT strategy is free to set the IT infrastructure, researching the best available solutions to support the business>> (*)
The IT component serves as a profit center. (**)

(*) Source: Strategic alignment: Leveraging IT for transforming organisations - Henderson, Venkatraman, IBM Systems Journal, Vol. 32, No. 1, 1993, pp. 4-16
(**) Source: ITIL Application Management - Office of Government Commerce (OGC), September 2002 - ISBN 0113308663

Page 53: RP_IT Consulting and Audit_121116_17_v1.0

IT placement guidelines (2/2)

DRIVER: IT STRATEGY

IT as a business opportunity (boxes: Business Strategy, IT Strategy, Organisational Infrastructure)
In this perspective <<IT strategy, through the use of new or emerging technologies, addresses the business strategy (which does not represent a constraint) and, therefore, decisions related to the business's organizational aspects>> (*)
The IT component serves as an investment center. (**)

IT as a service center (boxes: IT Strategy, Organisational Infrastructure, IT Infrastructure) (*)
<<The business strategy, in this view, plays an indirect role, while IT strategy focuses on the creation of a range of services based primarily on meeting the needs of IT users.>>

(*) Source: Strategic alignment: Leveraging IT for transforming organisations - Henderson, Venkatraman, IBM Systems Journal, Vol. 32, No. 1, 1993, pp. 4-16
(**) Source: ITIL Application Management - Office of Government Commerce (OGC), September 2002 - ISBN 0113308663

Page 54: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (6/9)

• Whatever perspective you adopt, the three elements are inseparable, since the strategic alignment model is based on a classical logic of construction of the preconditions for the representation of a value chain. Some typical examples:

– Cost Center – traditional point of view that uses the business strategy as driver and organizational infrastructure as a pivot to align IT to the business. In this situation, the IT acts as a cost center, interested in responding to the needs of automation of business processes focusing only on reducing the Total Cost of Ownership (TCO). As a result, applications are designed to be easily maintainable and are based on well-established technologies.

– Service Center – Using the business strategy as a driver, it is intended to build a centralized unit capable of providing excellent IT services to all its customers regardless of the definition of a proper possible business strategy (as outsourcers). An example of this approach is given when the IT acting as a corporate resource that delivers services to the whole corporation focuses on the quality of service. The infrastructure and applications are therefore designed to be cost-effective and of high availability.

Page 55: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (7/9)

– Profit center – In this case, the pivot to align IT to business is represented by the IT strategy, since IT strategy and business strategy almost overlap. This situation sees IT as a profit center, where all activities are focused on achieving the maximum revenue provided by the implemented technology at an acceptable cost. This leads to high-performing applications characterized by high flexibility and high adaptability to changing businesses and requirements.

– Competitive center – In this case IT presents itself as a competitive advantage element. The IT function qualifies as an enabling factor for the qualification of new products or services or for the improvement of internal processes in terms of production efficiency and related ability to generate benefits on the income statement. In this scenario, IT, while not being configured as a profit center, has the ability to act directly on the income statement, resulting in savings or allowing for a reduction in operating costs.

Page 56: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (8/9)

• In operational reality these schematic representations, typical of a theoretical model, tend to blend, usually resulting in a bias towards the prevailing aspects of one model rather than another, but without full adherence to it. At this point, when the role of IT is clear, the need to formalize the communication model emerges, in order to allow business functions to transfer their own requirements.

Page 57: RP_IT Consulting and Audit_121116_17_v1.0

Strategic Alignment Models (9/9)

• The SAM model clearly recognizes the need for continuous alignment, but does not provide a practical scheme to achieve it. Over time various alignment mechanisms have been identified and applied in various companies to obtain the convergence between IT and business: business system planning, critical success factors, Porter's value chain and business process reengineering.

• As we already mentioned, the business can transfer its IT objectives through tools that support strategic implementation. We will mainly take into consideration Norton and Kaplan's Balanced Scorecard.

Page 58: RP_IT Consulting and Audit_121116_17_v1.0

BALANCED SCORECARD


Page 59: RP_IT Consulting and Audit_121116_17_v1.0

Brief History

• The Balanced Scorecard was developed by Robert Kaplan and David Norton in a 1992 article ("The Balanced Scorecard - Measures That Drive Performance", Harvard Business Review), in which the authors proposed a holistic approach to measuring corporate performance that would allow overcoming the limits of traditional economic and financial accounting.

• In the following years (Kaplan and Norton, "The Balanced Scorecard: Translating Strategy into Action", Harvard Business Review, 1996) the emphasis shifted from measurement to strategic management, while the methodology was enriched through its integration in managerial processes, strategic alignment and communication.

• You can think of this stage as the transition from the Balanced Scorecard intended as measurement board to the Balanced Scorecard intended as a process of strategic management.

Page 60: RP_IT Consulting and Audit_121116_17_v1.0

From the industrial age to the information age (1/2)

• Companies are now facing revolutionary transformations:
– The industrial age competition is transforming into the information age competition.

• During the industrial age, a company's success depended on its ability to extract the maximum possible profits from economies of scale and scope. Technology had its relevance, but in the end success came to those companies that were able to apply the new technology to physical goods, thereby offering efficient mass production of standardized products.

Page 61: RP_IT Consulting and Audit_121116_17_v1.0

From the industrial age to the information age (2/2)

• The coming of the information era made many prerequisites for competition of the industrial age obsolete. Companies could no longer obtain a lasting competitive advantage simply by adopting new technologies in the production of physical goods and by sound management of their financials.

• In the information era the company's ability to mobilize and exploit its tangible and intangible assets became far more essential than the management of, and investment in, physical and tangible goods.

Page 62: RP_IT Consulting and Audit_121116_17_v1.0

The new operative environment

Organizations that are active in the information age are founded on a new series of operative preconditions. The table below contrasts the Industrial Era with the Information Era.

Crossed functions
– Industrial Era: companies obtained competitive advantages by specializing functional qualities in the production, purchase, distribution, marketing and technology sectors.
– Information Era: they operate with integrated business processes that proceed transversally to the traditional business functions, thus combining the extremely beneficial specialization resulting from functional competence with the speed, efficiency and quality of integrated business processes.

Relationship with clients and suppliers
– Industrial Era: they worked with customers and suppliers through direct transactions.
– Information Era: information technology enables today's organizations to integrate supply, production and delivery so that operations begin as soon as the order arrives.

Client segmentation
– Industrial Era: they offered low cost but standardized products and services.
– Information Era: they must offer personalized products and services to various customer segments.

Global scale
– Industrial Era: the market and the competition were mostly confined to national borders.
– Information Era: it is necessary to combine efficiency and the development of competitive global operations with the market sensitivity that applies to local customers.

Innovation
– Industrial Era: companies could survive without innovating.
– Information Era: product life cycles are continuously shrinking. Competitive advantages gained during a certain phase of a product's life cycle do not guarantee product leadership on the next competitive platform.

Knowledge workers
– Industrial Era: employees were divided in two groups: 1) intellectual elite: managers and technicians; 2) operators: the actual producers and service deliverers.
– Information Era: all employees must contribute to the company's value with what they know and the information they can provide. Investments in employees, their correct management and embracing the value of their knowledge have become essential to business success.

Page 63: RP_IT Consulting and Audit_121116_17_v1.0

Traditional general accountability model

• Financial accounting
– In most companies the financial billing and accounting process has remained the one developed centuries ago to account for direct transactions between independent parties.

• Needs in the information age
– The ideal situation would be that in which this financial reporting model expands to embrace the evaluation of the company's intangible and intellectual goods, such as high quality products and services, specialized and motivated employees, reactive and reliable internal processes, loyal and satisfied clients.
– The evaluation of intangible goods and capabilities would be of particular usefulness because in the information era such goods are more important for achieving success than traditional, physical and tangible goods.

Page 64: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard (1/2)

• Balanced Scorecard
– The collision between the irresistible forces of long-term competitive capacity creation and the static financial accounting model gave birth to a new synthesis.
– The Balanced Scorecard integrates past financial-economic performance measures with measures of future performance drivers.
– Goals and measures of the Scorecard derive from the organization's strategy and vision, by examining its performance under 4 perspectives:
• Financial-Economic;
• Customers;
• Internal Processes;
• Learning and Growth.

Page 65: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard (2/2)

The Balanced Scorecard (BSC) is a strategic management support tool that allows translating the company's mission and strategy into a coherent set of performance measures, allowing for overall business evaluation.

Page 66: RP_IT Consulting and Audit_121116_17_v1.0

The Balanced Scorecard as a management system (1/1)

• The Balanced Scorecard should translate a business unit's mission and strategy into tangible goals and measures. These measures represent an equilibrium between external measures (related to stakeholders and clients) and internal measures of critical business processes, innovation, learning and growth.

• The measures are balanced between external measures (resulting from past efforts) and measures that incentivize future performance.

• The Scorecard is balanced between objective (quantifiable) measures and subjective considerations, meaning that some measures are open to judgement and act as drivers of future outcomes.

Page 67: RP_IT Consulting and Audit_121116_17_v1.0

The Balanced Scorecard as a management system (1/1)

• The most innovative companies use the balanced scorecard as a strategic evaluation system, to manage their long-term strategy, exploiting it to create management processes of vital importance:
– clarify and translate vision and strategy;
– communicate and connect strategic objectives and measures with each other;
– plan, set targets, and align strategic initiatives;
– enhance feedback and strategic learning.

Page 68: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard creation (1/5)

The Balanced Scorecard sits at the center of four management processes:

Clarify and translate vision and strategy
• Clarify strategy
• Build consensus

Communicate and relate
• Communicate and train
• Define goals
• Relate rewards to performance measures

Business planning and goal setting
• Define goals
• Align strategic initiatives
• Allocate resources
• Establish milestones

Feedback and strategic learning
• Create a shared vision
• Provide strategic feedback
• Ease reviews and strategy learning

Page 69: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard creation (2/5)

• Clarify and translate strategy and vision
– The process of building a balanced scorecard starts from the collaboration of top executives in transforming the business unit's strategy into precise strategic goals:
• Establish goals related to the economic-financial aspect of the business:
– Profit and market growth;
– Profitability;
– Cash flow generation.
• Establish goals with respect to the customer base:
– Define the target customers and segment the market.
• Establish objectives and measures for internal processes.
– The process of building a BSC makes it possible to clarify strategic objectives and identify their essential drivers.

Page 70: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard creation (3/5)

• Communicate and connect strategic objectives and measures with each other.
– Strategic objectives and measures of the BSC are communicated at all levels of the organization.
– In some cases, strategic measures that are inserted at high levels of the business unit's scorecard are split into specific measures at operative levels.
• For example, the On Time Delivery (OTD) goal in the BSC of a business unit can be translated into reducing the preparation time of a specific machine.
– The BSC encourages dialogue between business units, business executives and the board of directors, not only with regard to short-term financial goals, but also for the formulation and implementation of a strategy to make a decisive step forward in future performance.

Page 71: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard creation (4/5)

• Plan, define goals and align strategic initiatives
– The BSC is used at its best when promoting changes in the organization.
– To achieve ambitious goals managers must identify flexible goals for customers, internal processes, learning and growth.
– The goal planning and management process allows the organization to:
• quantify the results it wants to achieve in the long term;
• identify the mechanisms and provide resources for the achievement of those results;
• establish short term milestones for the financial and non-financial measurements included in the BSC.

Page 72: RP_IT Consulting and Audit_121116_17_v1.0

Balanced Scorecard creation (5/5)

• Enhance feedback and strategic learning
– The final management process includes the BSC in a strategic learning structure.
• Today, managers have no way to receive feedback relative to their strategy and to verify the validity of the assumptions on which the strategy is based. Conversely, the BSC enables them to follow the implementation of their strategy, to make adjustments on the go or, if necessary, to substantially change the strategy.

Page 73: RP_IT Consulting and Audit_121116_17_v1.0

BSC creation process

• Set goals for the BSC program:
– Guide the choice of objectives and measures for the BSC.
– Get the participants' commitment to the project.
– Clarify the structure of the implementation and management processes that must follow the construction of the initial BSC.

• Examples of reasons that may lead to building a BSC:
– achieve clarity and consensus around the strategy;
– focus on the objectives;
– decentralization and leadership development;
– strategic intervention.

Page 74: RP_IT Consulting and Audit_121116_17_v1.0

BSC creation process

• The process of creating a BSC can be broken down into four phases:
– Define the architecture for measurement
• Select the appropriate business unit;
• Identify correlations between the SBU and headquarters.
– Build consensus around strategic goals
• Conduct a first round of interviews;
• Summary meeting;
• Executives' workshop: first round.
– Select and design measures
• Sub-group meetings;
• Executives' workshop: second round.
– Develop the implementation plan
• Implementation plan development;
• Executives' workshop: third round;
• Complete the implementation plan.

Page 75: RP_IT Consulting and Audit_121116_17_v1.0

Performance drivers

Figure: performance drivers by perspective. Economic-financial: ROI (return on investment); customer base: client loyalty, punctuality in deliveries; internal business processes: process quality, process cycle timing; learning and growth: employees' skills and capabilities. Source: The Innovation Group

Page 76: RP_IT Consulting and Audit_121116_17_v1.0

Monetary cycle (1/2)

• A measure of capital management efficiency is the cash to cash cycle duration.
• Driver: measure of cash to cash cycle time, which is identified with the sum of days of warehouse storage and days-sales in accounts receivable, less the duration of supplier debt.
– Therefore the monetary cycle represents the time a company needs to convert cash payments to suppliers of resources into cash payments received from customers.

Figure: cash to cash cycle. Events: purchase of raw materials or goods from the supplier; payment to the supplier for raw materials (goods); sale of the product; receipt of cash from the customer. Intervals: days inventory, days receivable, days payable; cash to cash cycle. Source: The Innovation Group

Page 77: RP_IT Consulting and Audit_121116_17_v1.0

Monetary cycle (2/2)

• Although many businesses find it difficult, if not impossible, to reach zero or negative cash to cash cycles, the objective of reducing this cycle with respect to current levels can be a great incentive to improve working capital efficiency.
– Rockwater (an underwater construction company) had a particular problem with accounts receivable: it had to wait for over one hundred days for customers' final payments. One of its main financial objectives was therefore to significantly reduce the duration of this cycle, a goal that, once achieved, would result in a dramatic ROI improvement.

Page 78: RP_IT Consulting and Audit_121116_17_v1.0

Customer Perspective

• Managers identify the customer and market segments in which the business unit intends to compete and measure its performance in those segments.

• The customer perspective enables business unit managers to articulate a market and customer oriented strategy capable of ensuring higher financial profits in the future.

Page 79: RP_IT Consulting and Audit_121116_17_v1.0

Primary measures

• Market share
– Expresses (in terms of number of clients, overall revenues or unit sales volumes) the portion of the total business turnover generated by a particular unit (the company, a business unit, etc.).
• Customer acquisition
– Measures, in absolute or relative terms, the rate at which a certain business unit attracts or acquires new clients or commissions.
• Customer loyalty
– Identifies, in absolute or relative terms, the rate at which a certain business unit maintains its relationships with its clients.
• Customer satisfaction
– Evaluates the customers' satisfaction in relation to specific performance criteria that fall within the company value proposition.
• Customer profitability
– Measures the net profits from single customers, or customer segments, once the expenses to support those customers have been subtracted.

Page 80: RP_IT Consulting and Audit_121116_17_v1.0

Primary measures

Figure: primary customer measures and their relationships: market share, new customer acquisition, customer loyalty, customer satisfaction, customer profitability. Among the considered measures there are:
• Customer satisfaction;
• Customer loyalty;
• New customer acquisition;
• Customer profitability;
• Market share;
• Profitability of selected segments.
Source: The Innovation Group

Page 81: RP_IT Consulting and Audit_121116_17_v1.0

Internal processes perspective (1/2)

• Executives identify the internal processes of crucial importance in which the organization must excel. These processes allow the business unit to:
• present proposals capable of attracting clients within the pre-selected market segments and manage their loyalty;
• satisfy the shareholders' expectations of great economic returns.
– The BSC approach identifies totally new processes in which the organization must excel in order to satisfy the customers' and the economic-financial expectations.

Page 82: RP_IT Consulting and Audit_121116_17_v1.0

Internal processes perspective (2/2)

• The following generic measures can be found:
– Quality;
– Reaction time;
– Cost and introduction of new products.

• Traditional performance measurement systems are based on the processes necessary to deliver today's products and services to today's clients, trying to control and enhance the existing operations that represent the short wave of value creation. For many companies, instead, the innovation process, the long wave of value creation, is a much stronger driver of future economic performance than the short-term operative cycle.

Page 83: RP_IT Consulting and Audit_121116_17_v1.0

Value Creation Chain

• The following generic value chain model provides us with a base that companies can adapt to their needs in preparing for the business process perspective:
– innovation: the business unit studies the latent or emerging needs of customers, then creates products or services that meet these needs. It represents the long wave of value creation, in which companies first identify and cultivate new markets and customers and, at the same time, emerging or latent needs of existing customers;
– operative: the phase in which existing products and services are delivered to customers. It represents the short wave of a company's value creation;
– post-sale services: consists in guaranteeing customer service after the sale or delivery of the product or service.

Figure: generic value chain, from client need recognition through the innovation process (market identification, product / service design, creation of the offering; time-to-market), operation management (product delivery; provisioning cycle) and post sale services (customer care) to the level of customer's need satisfaction. Source: The Innovation Group

Page 84: RP_IT Consulting and Audit_121116_17_v1.0

Break-Even-Time

• The break even time measures the product development cycle efficiency.
– It measures the time that separates the beginning of design from the moment the product is introduced on the market and has generated enough profit to cover the development costs invested.

Figure: Break-Even-Time (BET). Axes: time (months); cumulative costs and revenues (in millions). Phases: research and development (time-to-market), then production and sales (break-even-after-release); the curve shows the investment and the break-even point. Source: The Innovation Group

Page 85: RP_IT Consulting and Audit_121116_17_v1.0

Time Measures

• Many customers place significant value on short response times, considered as the elapsed time from the moment they issue an order to the moment they receive the product or service they want, and on response time reliability, in the sense of delivery punctuality.

• Manufacturing Cycle Effectiveness (MCE) is an indicator that many companies use to move to a just-in-time production flow, and we define it as:
– MCE = work time / throughput time, where throughput time = (work time) + (inspection time) + (movement time) + (waiting/storage time).
– In many operations the work time, meaning the time actually spent creating the product, is less than 5%. In an ideal production process the throughput time for each unit is equal to the work time: therefore the ideal MCE is equal to 1.

Page 86: RP_IT Consulting and Audit_121116_17_v1.0

Employees skills

• Primary employees evaluation group
– The three essential employee related measurements are:
• Person's satisfaction:
– Goal: having satisfied employees is an essential condition for enhanced productivity, reactivity and quality of the offering.
• Person's loyalty:
– Goal: not to lose employees in which the company has a long-term interest.
• Person's productivity:
– Goal: establish relationships between the final result obtained by the employees and the number of individuals needed to produce the result.

Figure: employee measurements. Results are the primary measurements (person's productivity, person's satisfaction, person's loyalty), supported by staff competencies, technological infrastructures, organizational climate and incentives. Source: The Innovation Group

Page 87: RP_IT Consulting and Audit_121116_17_v1.0

Employees requalification

• Many companies that use the BSC go through a phase of radical changes and their employees must undertake completely new responsibilities. The need to requalify employees can be considered under two dimensions:
• Required level of update;
• Percentage of employees that require to be updated.

Figure: various requalification perspectives, plotted against the percentage of employees (low to high) and the level of requalification, i.e. the professional gap (low to high): strategic requalification, general requalification, skills enhancement. Source: The Innovation Group

The strategic plan's key theme is the need to requalify staff, or improve their skills, in order to carry out the vision:
– Strategic requalification: a precise staff segment must acquire new high-level strategic skills.
– General requalification: a significant proportion of staff requires a general update.
– Skills enhancement: a certain staff portion, large or small, must enhance its primary skills.

Page 88: RP_IT Consulting and Audit_121116_17_v1.0

IT GOVERNANCE


Page 89: RP_IT Consulting and Audit_121116_17_v1.0

Agenda

• IT, Enterprise, Corporate Governance
• Governance Risk and Compliance: the Consulting and the Audit views
• IT Financial Management: business value and company value
• Toolkit:
– SAM
– BSC
– COBIT
– ROI
– TCO
– ROSI
– MPV
– IRR
– Payback Period
– Project Management

Page 90: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance (1/3)

• As for Enterprise Governance, IT Governance also refers to the work of the board of directors, the executive management and the organization as a whole. The basic principles are different from the other two types of corporate governance and include: alignment with business strategy, the provision of added value through information technology and adequate management of technological risks.

• According to the definition:
– "IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives". Source: IT Governance Institute

Page 91: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance (2/3)

•The need for guarantees on the value of IT, IT-related risk management and the increasing requirements for control over information are finally included as key business management elements. Value, risk and control constitute the core of IT governance.

Page 92: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance (3/3)

• To improve control over the organization, governance and IT governance can no longer be considered separate and distinct disciplines. Effective corporate governance channels the experience and skills of individuals and groups to where they can be most productive, monitors and measures performance, and provides positive answers to the issues. IT governance is a formally recognized discipline and is considered an integral part of corporate governance. Although Information Technology is managed by the head of information systems, the responsibility for failing to achieve results through new technologies always falls on top and executive management.

Page 93: RP_IT Consulting and Audit_121116_17_v1.0

Enterprise Governance(1/2)

• Enterprise governance, or business governance, is usually depicted as an umbrella sheltering the other two inside it. It represents the management paradigm of all management processes, and is designed and developed by executive management under the patronage of senior management. These two corporate bodies strive together to optimize the use of resources, aligning all the organization's activities, in order to clarify and execute strategic and operational guidelines as well as possible and on the basis of the firm's risk attitude.

• Enterprise Governance refers to the work of the board of directors, the executive management and the organization as a whole. The basic principles regard strategic alignment, the responsibility for the dissemination of information, and organizational roles with their related responsibilities.

Page 94: RP_IT Consulting and Audit_121116_17_v1.0

Enterprise Governance(2/2)

• The key element is the proper management of business processes, which are of course the responsibility of the board of directors and management. Nowadays the managerial figure that fits better than others in the context of enterprise governance is the CFO (Chief Financial Officer); in fact:

– «I am responsible for traditional accounting issues: cash flows, capital, and cost structures. But my role is increasingly linked with strategy and operations». Clayton Daley, CFO Procter & Gamble;

– «I am involved in all operational and strategic group decisions, and I am a member of the executive board». Karl-Gerhard Eick, Deputy CEO and CFO Deutsche Telekom;

– «The CFO is now at the center of all governance issues…there is a much broader involvement in the overall business management of the company». Thierry Moulonguet, Executive Vice President and CFO Renault;

– «The CFO stands in a special relationship to the chairman and the CEO which is why the three of them form the top team in a company. The basis of this relationship is the CFO's independence». Sir Adrian Cadbury, ex Chairman Cadbury Schweppes.

Page 95: RP_IT Consulting and Audit_121116_17_v1.0

Corporate Governance

• Corporate Governance is also based on the work of the directors and of executive management, but also of the shareholders. The fundamental principles on which it focuses to give indications regarding governance are: shareholders' rights, management independence and, here too, the responsibility for the dissemination of information.

• Its fundamental goals are:
– Assure the integrity of the accounting and financial reporting system;
– Have an appropriate control system for the financial system, risk monitoring and compliance with laws and regulations.

• Key elements in corporate governance are:
– A majority of independent directors;
– The use of international accounting standards;
– Independent audit actions;
– Clear answers to the market's informational needs.

Page 96: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance and IT Service Mgmt (1/2)

R.Peterson, "Integration Strategies and Tactics for Information Technology Governance", in Strategies for Information Technology Governance, Ed. Wim Van Grembergen, Idea Group Publishing, 2003

• The evolution of IT organizations from technology providers into service providers requires taking a different perspective on IT management. IT Service Management puts the services delivered by IT at the center of IT management and is commonly defined as:

"A set of processes that cooperate to ensure the quality of live IT services, according to the levels of service agreed to by the customer. It is superimposed on management domains such as systems management, network management, systems development, and on many process domains like change management, asset management and problem management."

• The difference between IT Service Management and IT Governance has been subject to confusion and myths. Peterson provides us with a clear insight into the differences between these two notions:

"Whereas the domain of IT Management focuses on the efficient and effective supply of IT services and products, and the management of IT operations, IT Governance faces the dual demand of contributing to present business operations and performance, and transforming and positioning IT for meeting future business challenges."

Page 97: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance and IT Service Mgmt (2/2)

Figure: IT Service Management and IT Governance positioned along two axes, Business Orientation (internal to external) and Time Orientation (present to future), with IT Service Management towards the internal/present end and IT Governance towards the external/future end. Source: The Innovation Group

Page 98: RP_IT Consulting and Audit_121116_17_v1.0

The Framework

Support: e.g. PMI, Prince 2

Governance and Control: e.g. COBIT

Operations: e.g. ITIL

Page 99: RP_IT Consulting and Audit_121116_17_v1.0

The main decisional areas in IT business: IT governance

– IT strategy principles: how IT is used in the business (IT-business alignment).
– IT infrastructure strategies: strategies for the base foundation of budgeted-for IT capability (both technical and human), shared throughout the firm as reliable services and centrally coordinated (e.g., network, help desk, shared data).
– IT architecture: organizing logic for data, applications and technology infrastructure, captured in a set of policies, relationships and technical choices to achieve the desired business and technical standardization and integration.
– IT investment and prioritization: decisions about how much and where to invest in IT, including project approvals and justification techniques.
– Business application needs: specifying the business need for purchased or internally developed IT applications.

Source: The Innovation Group

Page 100: RP_IT Consulting and Audit_121116_17_v1.0

IT Strategic Components & IT Governance

Figure: IT Governance Model, with components: alignment of IT/business strategies; IT investments prioritization; IT architecture and roadmap; IT sourcing strategies; service & delivery and development; IT skills & assets. Source: The Innovation Group

Page 101: RP_IT Consulting and Audit_121116_17_v1.0

The importance of IT in the modern business environment (1/3)

• Information & Communication Technology (ICT) has transformed, in recent years, from a mere support tool into a crucial competitive element to consolidate and improve the positioning of the company with respect to the market. The importance of the information and communication system for the business has grown in parallel with the evolution of technology, so that today it is no longer just a simple tool for the automation of operational procedures, but can make a substantial contribution to the pursuit and even the redefinition of corporate strategy.

Page 102: RP_IT Consulting and Audit_121116_17_v1.0

The importance of IT in the modern business environment (2/3)

• Information Technology requires remarkable investments, but it is an element that directly contributes to determining the market value of an organization, and is essential for the achievement of business objectives; think of banking services without IT support: it would be impossible to make money transfers from home through the internet, you would have to go to the bank for a withdrawal, and the same would happen with simple statements of account, etc.

Page 103: RP_IT Consulting and Audit_121116_17_v1.0

The importance of IT in the modern business environment (3/3)

• It is also necessary to consider the other side of the coin, one that brings out the need to adequately manage the risks associated with IT through increasingly efficient and sophisticated controls. In fact, IT, because of the large investment it requires, increases the business risk. Consequently, management is carefully studying the market to highlight the differences with competitors and to ensure that investments reach a significant percentage of profit on the organization's turnover, even if they grow with abnormal trends.

Page 104: RP_IT Consulting and Audit_121116_17_v1.0

IT expenditure analysis (1/4)

• While in the last 4 years IT spending has been trending strongly negative, in the previous five years there was steady growth in technology spending in companies around the world.

• According to the main market observers this phenomenon can be related to:
– The pace of technological innovation, which enabled the production of new services and managerial models (Cloud, BYOD, etc.);
– The increase in the obsolescence rate of technological components;
– The constant evolution of operating systems and application software, which results in increasing needs for processing, communication and storage resources.

Page 105: RP_IT Consulting and Audit_121116_17_v1.0

The IT market (2009-2011)

Numbers in millions of Euro; in brackets, the % change on the previous year.

                    2009      2010             2011
Services           4.874     5.012 (+2.8%)    4.559 (-9.0%)
Software             755       718 (-4.9%)      678 (-5.6%)
Technical support  4.307     4.268 (-0.9%)    4.226 (-1.0%)
Hardware           8.750     8.432 (-3.6%)    8.212 (-2.6%)
Total             18.686    18.430 (-1.4%)   17.675 (-4.1%)

Page 106: RP_IT Consulting and Audit_121116_17_v1.0

IT market by firm size (2010-2011)

Figure: IT market by firm size, in Mln €, % on total and % net of consumers. Segments: Small, Medium, Big; year-on-year changes shown for 11/10, 10/09E and 09/08E. Segment values shown in the chart: 9.480 (57.4%), 4.237 (25.7%), 2.793 (16.9%); the year-on-year changes shown are -10,3%, -7,3%, -8,0%, -4,6%, -2,0%, -2,2%, -6,0%, -3,3% and -3,7%.

Page 107: RP_IT Consulting and Audit_121116_17_v1.0

IT expenditure analysis (2/4)

• Some recent surveys involving IT managers of large companies indicate that, compared to five years ago, the use of technology among users has increased by 50% and this trend is growing, as shown in the following figure.

IT Services Spending in Industry Markets (Million of Euros)

[Chart residue: bar chart, scale 0 to 60, years 2005-2010, by industry: Agriculture, Mining and Construction; Communications; Discrete Manufacturing; Education; Financial Services; Healthcare; Local and Regional Government; National and International Government; Manufacturing; Retail Trade; Services; Transportation; Utilities; Wholesale Trade. Gartner Industry IT Spending in EMEA Forecast, 4Q06. Source: The Innovation Group.]

Page 108: RP_IT Consulting and Audit_121116_17_v1.0

IT expenditure analysis (3/4)

• The increased use of technology, however, brings with it a demand for ever greater technical assistance, which is needed to maintain the proper functioning of the various technological devices. In addition, support costs, according to half of the respondents, are four times higher than the purchase price of the device and have increased by at least 50% since 2001.

• According to IDC, in 2006 companies worldwide spent about 1,160 billion dollars on Information Technology, and this level of spending was expected to continue growing at an average annual rate of 6.3%, reaching 1.48 trillion U.S. dollars in 2012, net of the economic crisis.

Page 109: RP_IT Consulting and Audit_121116_17_v1.0

IT expenditure analysis (4/4)

• These analyses seem to suggest:

– the centrality of investment in Information Technology, a market that in some cases (BYOD growth) still follows trends typical of merchandise sectors with a high level of competitiveness and a high rate of innovation, with an almost anti-cyclical dynamic;

– the need to keep the growth of IT costs under control, favoring service-oriented investments that are capable of making real contributions to the implementation of corporate strategies (Cloud);

– the need to intervene at different levels in the rationalization of current spending, aiming to balance the weight of "commodity" services spending against that of services with high added value (moving from CAPEX to OPEX => Cloud).

Page 110: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (1/7)

• The market is undergoing global competition; companies are restructuring to improve their position, to adhere more closely to their "core business" and at the same time to exploit the competitive advantages offered by the most advanced technologies. These changes have, and will continue to have, profound implications for the structures of management and control. The crisis in this case is a facilitator and an accelerator, not an inhibitor.

• Automating the functions of an organization requires, by its very nature, incorporating increasingly powerful control mechanisms, both hardware and software, into computers and networks. Furthermore, the basic and structural characteristics of these controls progress at the same pace, and in the same way, as the underlying information technology evolves.

Page 111: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (2/7)

• Business activities demand information from the information system in order to meet business objectives. Companies, therefore, must ensure interdependence between their strategic planning and their IT operations. IT and business strategies must be aligned, and IT must enable the enterprise to take full advantage of its information assets, maximizing benefits, capitalizing on opportunities and gaining competitive advantage. Information technology provides the organization with tools for:

– developing many strategic initiatives that generate a competitive advantage;
– providing information based on fundamental analysis for decision-making, including governance indicators;
– recording the organization's performance, both financial and otherwise;
– monitoring the internal control system;
– capturing and storing the company's intellectual capital;
– supervising the development of the organization's information policies, such as security, privacy, consumerization, business continuity and disaster recovery.

Page 112: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (3/7)

• Many activities related to information technology emphasize the need to better manage the risks associated with these technologies. The most critical business processes are supported by information managed by electronic systems. Within the legislative context, increasingly tight information controls are being introduced. This is motivated in large part by the growing number of serious incidents caused by the malfunctioning of business information systems, which become known to the market and result in a loss of credibility; by the rise of electronic fraud; and by the recent scandals that have occurred in Italy and abroad and have led to a growing lack of confidence on the part of customers.

Page 113: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (4/7)

• IT-related risk management is now seen as a key element of corporate governance. Organizations, therefore, must ensure that their information assets, like all of their assets, meet requirements for quality, reliability and safety. Management must also optimize the use of available resources, which include data, application systems, technology, infrastructure and staff. To meet these responsibilities, as well as to achieve its objectives, management needs to know in depth the situation of its IT systems and to decide what level of security and control it should provide.

Page 114: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (5/7)

• All of this suggests that management must ensure that it is operating a system of internal control, or a methodology that supports the business processes, and that for each control activity the consequences it has on IT and how it meets the business requirements are clearly indicated. These requirements can be identified as effectiveness, efficiency, confidentiality, integrity, availability, regulatory compliance and reliability. Control, which includes policies, organizational structures, practices and procedures, is the responsibility of management. Thus, an IT control objective is the statement of the expected result or the purpose to be pursued by implementing specific control procedures within each IT activity.

Page 115: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (6/7)

• Management, through organizational governance, must ensure that due diligence is exercised by all the people involved in the management, use, design, development, maintenance and operation of information systems. Factors that highlight the critical nature and importance of information systems are summarized below:

– an increasing dependence on information and on the systems that manage it, as happens, for example, in the banking environment;

– an increasing number of vulnerabilities and a wide spectrum of threats related to information systems, such as telematic ones and cyber warfare;

– the pervasiveness and the volume of current and future investments in data processing and information technologies;

– the potential of technology to radically transform organizations and business practices, create new opportunities and reduce costs.

Page 116: RP_IT Consulting and Audit_121116_17_v1.0

Benefits and control in Information Technology (7/7)

• From all this it is increasingly clear that it is important to have a framework for IT security and control. Successful companies must have a basic knowledge of, and make an estimate of, the risks and constraints imposed by information technology within the enterprise, in order to combine effective management with appropriate controls. Therefore, management needs a clear framework for IT security and control in order to evaluate and compare both the existing environment and the planned one, and the cost-benefit tradeoff of a control system.

Page 117: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (1/8)

• Senior management needs to know whether the company manages information in a way that allows it to:

– have the chance to achieve its objectives;
– be flexible enough to learn and adapt;
– manage the risks it meets flawlessly;
– properly recognize opportunities and act accordingly.

Page 118: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (2/8)

• The key elements of IT governance concern, with regard to the information system as a whole: strategic planning, the internal control system, project management and asset management. Each of these must have among its fundamental principles:

– Governance – the ability to keep business processes under control;

– Accountability – the ability to provide explanations regarding managerial operations;

– Transparency – clearness of the information provided, both internally and externally;

– Disclosure – making relevant information known to the external environment;

– Independence – in managerial activities.

Page 119: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (3/8)

[Chart: Relative importance of some business drivers, Forrester Research, 2007]

• Good business governance makes it possible to:

• maximize revenues and distribute the resources among activities with high added value;

• minimize business risks and negative publicity, through proper planning of the most important activities of the company;

• save money, streamlining the governance and control methods: reducing duplication and waste, reducing losses, penalties and damages;

• increase the confidence in the organization on the part of all stakeholders (employees, customers, suppliers, investors, shareholders);

• obtain continuous information to improve the response to the variable market conditions.

Page 120: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (4/8)

• IT governance is the responsibility of executives and the Board of Directors and consists of the leadership, the organizational structure and the processes that ensure that the company's IT supports and achieves business goals and strategies.

• The clear and unambiguous definition of the roles and responsibilities of all parties involved is a crucial prerequisite for the definition of an effective IT governance model. It is up to the Board of Directors to communicate these roles and make sure they are well understood.

Page 121: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (5/8)

• Effective IT governance is obviously also determined by the organizational structure of the IT function and by where, within the organization, decision-making responsibility for IT is located.

• IT governance should be an integral part of corporate governance, and therefore one of the key elements brought to the Board of Directors' attention. The Board of Directors may carry out its governance duties through appropriate committees, and may appoint, for example, an IT Strategy Committee. This is composed of both board members and top management, and should assist the Board in the governance and supervision of the business issues related to information technology, and prompt the Board of Directors to deal regularly with IT-related issues in a structured manner.

Page 122: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (6/8)

• IT governance is usually developed at different levels: team leaders and corporate executives, who report to and receive instructions from their managers; managers, who report to the directors; and the directors, who report to the Board of Directors. The information flows and the related reports give information on deviations from the objectives, including recommendations for actions to be taken at the management level. Clearly, these activities will not be effective until strategies and objectives have been cascaded down through the organization.

Page 123: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (7/8)

• Furthermore, IT governance integrates and institutionalizes best practices that ensure that IT supports business goals. Governance and control frameworks are thus becoming part of IT management best practices, and they are a facilitating factor for establishing IT governance and complying with ever-increasing regulatory requirements.

Page 124: RP_IT Consulting and Audit_121116_17_v1.0

The need for a control framework in IT governance (8/8)

• IT best practices have become important due to several factors:

– managers and the governing bodies of the company expect a greater return on investment in IT, so that IT may provide the services that the company needs to increase value for stakeholders;

– concern about the general increase in the level of IT spending;

– the need to satisfy the legislative requirements for IT controls in areas such as privacy and the preparation of financial statements (for example, the Sarbanes-Oxley Act, Basel II) and in specific sectors such as financial, pharmaceutical and health;

– the selection of service providers and the management of outsourcing and acquisition of services;

– the growing complexity of IT-related risks such as network security;

– IT governance initiatives that include the adoption of control frameworks and best practices that help monitor and improve critical IT activities to increase business value and reduce risk;

– the need to optimize costs by following, where possible, standardized approaches rather than specifically developed methods;

– the growing maturity and consequent acceptance of established frameworks such as COBIT, ITIL, ISO 17799, ISO 9001, CMMI, PRINCE2 and PMBOK;

– the need for companies to evaluate and compare their own performance both with generally accepted standards and with their competitors (benchmarking).

Page 125: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance Framework (1/4)

• According to a general definition, IT governance is the process through which IT investment decisions are made. This process evaluates how decisions are made, who is responsible for them and how the results are monitored and measured throughout the organization. Based on this definition, each company will of course have its own interpretation of IT governance. Unfortunately, for many businesses governance is an "ad hoc" and informal process, which means that there is no consistency between companies, responsibilities are poorly defined and there are no formal mechanisms to measure and monitor the results of decisions.

Page 126: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance Framework (2/4)

• In today's companies, optimizing investments in IT has become a priority, and a growing trend has been found among organizations to escalate IT results to the level of the board of directors.

• IT governance cannot exist alone, but must be placed within the wider Enterprise Governance, and the responsibility falls not only on the information systems area but also on the board of directors and executive management.

Page 127: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance Framework (3/4)

• To implement good IT governance, a structure based on three main elements is required:

– Structure: who makes the decisions, i.e. which organizational structure should be created, who within the organization will take part and what responsibilities must be undertaken.

– Processes: how investment decisions should be taken and which decision-making processes underlie the proposed investment as it is reviewed and prioritized. The activities that comprise the IT governance process are: IT portfolio management (proactive management of the entire collection of projects, applications, systems, etc.), service-level agreements, chargeback mechanisms (allocation of the costs of services to the different business units that consume them) and demand management (management of the demand for IT resources).

Page 128: RP_IT Consulting and Audit_121116_17_v1.0

IT Governance Framework (4/4)

– Communication: how the results derived from these processes and decisions should be monitored, measured and communicated, and which mechanism will be used to communicate the IT investment decisions made by the board of directors and the executive managers to corporate executives, IT managers, employees and shareholders. Sharing must be facilitated by mechanisms such as parallel careers and job rotation (IT staff moves to business units and non-technical staff is assigned to IT), continuous training, cross-training, etc.

• Once the concept of IT governance has been defined, the next step is to establish the principles on which to build a good governance structure. These principles are made explicit in three main elements: understanding the level of governance maturity, knowledge of how the company's resources impact IT governance, and a deep understanding of the four IT governance objectives.

Page 129: RP_IT Consulting and Audit_121116_17_v1.0

The 4 IT dimensions (1/2)

• Finally, to conclude our analysis, it is possible to identify 4 dimensions guiding IT governance, each of which may be addressed to a specific part of the IT governance process:

– IT value and strategic alignment - One of the primary objectives of IT governance is to ensure strategic alignment between business and IT. The creation of the necessary structure and processes around IT investment and management ensures that only projects aligned with the strategic objectives will be approved, prioritized and implemented. Such an alignment therefore increases the existing business and allows for its transformation; enhancing business value typically means increased revenues, improved customer satisfaction and reduced costs, and enables the development of new products or services.

– Risk management - The risk associated with IT is usually the same as the risk associated with the company, so managing it becomes a priority for the company. The risk includes security breaches by hackers, violations of privacy and access, errors, interruptions, and risks associated with project failure.

Page 130: RP_IT Consulting and Audit_121116_17_v1.0

The 4 IT dimensions (2/2)

– Accountability - IT governance is essentially based on the allocation of responsibilities. The Sarbanes-Oxley Act, among all its obligations, also requires senior executive managers to be made responsible for ensuring the integrity and credibility of financial information and controls. In order to align with this law, IT governance holds management responsible for missed returns on investment in Information Technology, as well as for the credibility and transparency of IT controls.

– Performance Measurement - The heads of IT governance measure results according to the four perspectives of the Balanced Scorecard (the concept is detailed in the following chapters). The IT balanced scorecard is divided into four key concepts: value of IT, customer service, operational excellence and future orientation. Two of these perspectives contain measures to manage the key objectives of governance: the value of IT and risk management. The IT value perspective contains specific indicators to measure the alignment between IT objectives and the company's strategic goals, while the operational excellence perspective provides indicators that measure IT risk.

Page 131: RP_IT Consulting and Audit_121116_17_v1.0

Governance investments

• According to a market survey conducted by Forrester in 2005, a growing interest over the years towards IT governance methodologies was found. The respondent base consists of the analyzed CIOs, CTOs, CFOs, VPs and executive managers of some major companies (more than 60% declare more than a billion in revenues) in the United States.

Page 132: RP_IT Consulting and Audit_121116_17_v1.0

IT FINANCIAL MANAGEMENT: BUSINESS VALUE AND COMPANY VALUE


Page 133: RP_IT Consulting and Audit_121116_17_v1.0

Benefit analysis (1/3)

• The need to quantify IT investments in economic-financial terms and to properly verify the cost-benefit ratio arises, beyond contingent or special purposes of an accounting, tax or internal control nature, within the wider perspective of the concept of corporate governance.

• The perspective of information systems governance, intended as the configuration of the types of decisions and responsibilities related to information systems, is particularly useful for inducing certain behaviors in users and in the business as a whole.

Page 134: RP_IT Consulting and Audit_121116_17_v1.0

Benefit analysis (2/3)

• In this respect, among the choices of the business leadership are those that define which decisions must be made with respect to information systems, who must take them and, more importantly, how they and the results achieved are measured.

• The evaluation of the convenience of an IT project, such as analyses that try to estimate the impact of introducing a new information system or a component of it, is a central element of the proper management of its IT control model.

Page 135: RP_IT Consulting and Audit_121116_17_v1.0

Benefit analysis (3/3)

• The degree of success of this introduction is often evaluated only on the basis of the return on investment (ROI) in economic and financial terms. In fact, the adoption of standard ROI models is not always applicable or, worse, not always significant with respect to the value of the decision. Experience shows, therefore, that the financial analysis should be complemented with an analysis of the value of the choice, based on an analysis of the impact that the application solution has on the process in terms of:

– execution and lead times;
– streamlining of bureaucracy;
– use of resources;
– improvement of service levels;
– volumes.

• The integration of the two levels, related to the value of the assets and to the related impact on the process, helps to qualify a genuine process of IT governance.

Page 136: RP_IT Consulting and Audit_121116_17_v1.0

Monetary benefits

• Many kinds of benefits can be extracted, and from an economic-financial point of view they can be classified as:

– higher returns;
– reduced operating costs;
– reduced working capital or fixed assets and a consequent reduction in borrowing costs.

Page 137: RP_IT Consulting and Audit_121116_17_v1.0

Increased returns

• The increase in revenues is the result of an IT project that creates new products or services (the most obvious example is an e-commerce site to which an IT project allows new information or digital products to be added), that allows products and services to be deployed into new areas or new customer segments, or that allows traditional services and products to be enriched with information, increasing the value perceived by customers and therefore the average selling price (an example is web-based shipment tracking, which in the past has led to the recognition of a premium price).

• In summary, the benefits that should be included in an economic evaluation are equivalent to the hypothesized turnover (expected revenue) net of the operating costs of production.

Page 138: RP_IT Consulting and Audit_121116_17_v1.0

Reduced operating costs

• The reduction in operating costs can be related to improvements in efficiency (lower fuel consumption with equal volumes, increased productivity), the elimination of activities or organizational units (reduction in personnel costs, elimination of fixed assets and related operating costs), greater coordination (and therefore a reduction of warehouse stocks or other buffer resources that covered coordination gaps), and so on.

Page 139: RP_IT Consulting and Audit_121116_17_v1.0

Reduced working capital or fixed assets (1/3)

• The third class relates to the possibility of reducing working capital, represented basically by inventory and accounts receivable. This reduction results in a lower level of operating costs because, for example, it reduces the need for staff to manage the inventory, or buildings dedicated to storage are no longer necessary.

• The most important benefit, however, is the reduction of unproductive assets with a consequent reduction of onerous debts with third parties (bank loans and similar). In summary, as inventory decreases, debt is reduced, as are the interest expenses on these borrowings, thus improving the annual margin.

Page 140: RP_IT Consulting and Audit_121116_17_v1.0

Reduced working capital or fixed assets (2/3)

• But how is working capital reduced?

– Supply Chain Management projects aim at improved integration with suppliers and customers, thus providing better access to information upstream and downstream in the supply chain, allowing better alignment of production and sales plans with the other chain operators and thus a reduction of buffer stocks.

– The introduction of Sales Force Automation or Electronic Billing systems allows a reduction of the time spent on sales force alignment and distribution channel management, as well as of the average credit collection period, because the days needed for the physical delivery of information and paper documents are reduced.

Page 141: RP_IT Consulting and Audit_121116_17_v1.0

Reduced working capital or fixed assets (3/3)

• The resources freed up from unproductive fixed assets may alternatively be invested profitably, and therefore may lead not to a reduction of interest expense but rather to an increase in financial income.

Page 142: RP_IT Consulting and Audit_121116_17_v1.0

Limitations of financial models (1/3)

• When financial analysis is applied to information systems, many well known problems emerge. The financial models do not sufficiently express the risks and uncertainties associated with the estimates of costs and revenues. Costs and benefits do not occur in the same period of time: the costs tend to occur in the early stage and are tangible, while the benefits tend to occur later and are, at least initially, mainly intangible and therefore difficult to quantify.

• Traditional approaches tend to examine the profitability levels of single implementations related to specific business functions, without tackling effectively:

– infrastructural investments;
– transversal impacts across functions, which do create value for the company.

Page 143: RP_IT Consulting and Audit_121116_17_v1.0

Limitations of financial models (2/3)

• They often neglect other factors, such as the social and organizational implications of change, which can significantly alter the cost-benefit ratio concerning the choice of an application solution.

• Many investment decisions related to the adoption of a new application solution do not adequately consider the costs generated by organizational change (training, learning curves and diffusion, management commitment) and the related benefits (acceleration of business processes and decision-making, increased process and function capability), which may be over- or under-estimated.

Page 144: RP_IT Consulting and Audit_121116_17_v1.0

Limitations of financial models (3/3)

• The presence of organizational variables and the temporal asymmetries between costs and benefits therefore require particular caution in the adoption of traditional approaches to estimating the investments and their returns regarding the adoption of application solutions.

• In particular, the financial analysis models must be calibrated to adequately take into account the actual timing of implementation, testing, production and obsolescence of application solutions and of the underlying technological chains (basic infrastructure, processing systems, telecommunications equipment, operating systems, basic software, middleware).

• In particular, the speed of obsolescence determines, when defining the investment programs, the need to consider appropriate timeframes, which are certainly shorter than those of traditional industrial investments.

Page 145: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (1/6)

• The return on investment represents the first object of interest of such an analysis. The deliberately generic term indicates that, in return for a certain investment (usually intended in financial terms, but hopefully not exclusively) and the related costs, some benefits that justify these expenses should arise.

• As already stated, the process is made complex by certain factors:

– benefits are hard to quantify and usually present various components that are not directly quantifiable;
– some costs are spread across years and impact the economic activity differently;
– other costs are tied together and are needed to set up the infrastructure that supports both the application solution under analysis and other systems that are or can be introduced in the company.

Page 146: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (2/6)

• This complexity and the presumed objectivity of financial analysis models often allow instrumental approaches aimed at steering the decision in one direction or another on the basis of the decision-makers' prejudices, making the process merely bureaucratic.

• The real benefit of such an analysis covers the whole life cycle of the project: objectives, expectations and impact hypotheses are declared during the assessment, and their verification is carried out during the implementation and use of the solution.

Page 147: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (3/6)

• Only then is it in fact possible to understand whether the initial estimates were correct, whether unexpected events occurred and whether the estimates were influenced by individual prejudice in positive or negative terms.

• Quite simply, corporate knowledge is built only from the comparison between estimated and final values, which makes it possible to identify the main deviations and, progressively through repeated implementations, to tune the estimation models appropriately.

Page 148: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (4/6)

The evaluation can in any case only happen with:

• clear objectives in terms of business and system;
• exact definition of functional specifications;
• exact definition of technical pre-requisites;
• exact definition of organizational and competitive effects.

The definition of the above mentioned elements is essential to determine:

• the types of cost:
– investment;
– operating;

• the benefits:
– monetary:
• increased revenues;
• reduced operating costs;
• reduction of working capital and assets and related reduction of financial obligations;
– organizational or process related:
• execution and lead times;
• bureaucracy streamlining;
• resource usage;
• improvement in service levels;
• volumes treated;
• fulfillment of normative obligations.

Page 149: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (5/6)

• With regard to costs, while the estimate of investment costs is relatively simple (human and technological resources for implementation, licensing and acquisition of external expertise), the estimate of operating costs requires several factors to be considered:

– steady operation costs:
• personnel;
• licenses;
• fees;
• consumption;
• depreciation of project costs;

– maintenance costs:
• personnel;
• fees;
• consumption.

Page 150: RP_IT Consulting and Audit_121116_17_v1.0

Investment planning (6/6)

• This clearly relates to differential costs, i.e. costs that arise because the investment has been decided, or because it was decided to allocate corporate resources that are no longer available for other activities.

• Speaking of costs, a profitability perspective is adopted, which captures the link between the use of the productive factor and the activity.

• An alternative is the financial perspective, in which factors are observed in terms of disbursement values and disbursement timings.

Page 151: RP_IT Consulting and Audit_121116_17_v1.0

The profitability perspective (1/3)

• In the profitability perspective there is the concept of multi-year cost (an asset that remains in the company for several years and whose contribution to economic activity takes place through depreciation).

• After determining the one-off costs of the project, the next step is the identification of the annual impacts. Benefits and costs usually arise only after the introduction of the system; it is therefore necessary to hypothesize precisely when they arise.

• Changes in revenue net of changes in cost are the annual net margin (which may be either positive or negative) attributable to the decision to introduce the system under evaluation. The estimate of the annual changes in costs and revenues arising from the evaluated system is based on the different classes of possible monetary benefits.

Page 152: RP_IT Consulting and Audit_121116_17_v1.0

The profitability perspective (2/3)

• With regard to operating costs, it is necessary to estimate both operation and maintenance costs. Among the operation costs it is necessary to include the amortization share of the implementation cost: the development phase in fact originates one-off costs that enter the economic activity from the moment the system goes into production. It is therefore like acquiring an asset from an external supplier and progressively depreciating it. Costs and revenues should be estimated for the years in which the system is assumed to be in use (its useful life).

• Where the expected benefits outweigh the incremental costs, the project has a positive return; otherwise it results in a lower business margin.

Page 153: RP_IT Consulting and Audit_121116_17_v1.0

The profitability perspective (3/3)

• For internal reporting purposes it can be useful to work not only in differential terms, but with a direct comparison between the income statement with and without the project. The decision maker can thus sharpen his sensitivity to the overall assessment of the project's impacts, comparing it to the forecasts available for the period in question.

• The operating income variation can then be included in the decision-making process in absolute value, as a percentage of the estimated operating income without the project, or as a percentage of the company turnover expected in the period covered by the evaluation.

Page 154: RP_IT Consulting and Audit_121116_17_v1.0

The financial perspective (1/2)

• The financial perspective, instead, places all the project's expenses and financial inflows over the entire life of the system and then brings them back to a single point in time (usually the time of the evaluation) through discounting.

• In the financial perspective it is therefore possible to obtain indicators of the financial convenience of the investment:
– Net Present Value (NPV): present value of the series of cash inflows and outflows generated by the project;
– Internal Rate of Return (IRR): the rate that expresses the project's return with respect to the discounted cash inflows and outflows (the discount rate at which the NPV is zero);
– Payback Period (PBP): the time necessary for the discounted cash inflows to cover the discounted cash outflows.

Page 155: RP_IT Consulting and Audit_121116_17_v1.0

The financial perspective (2/2)

• All these indicators are widely used among investment evaluation methodologies, and business practice often states explicitly the threshold values below which projects will not be accepted (for example, an IRR of 5% or a payback period of 18 months).

• These indicators typically contribute to the composition of the ROI (Return On Investment), the measure of the return achievable from any investment.

Page 156: RP_IT Consulting and Audit_121116_17_v1.0

ROI (1/4)
• The return on investment rate calculates the rate of return the investment is capable of generating, relating the annual cash flows to depreciation.
• This index gives an idea of the accounting return the project would be able to yield.
• In order to obtain the ROI, the average net benefit must first be calculated as:

Average net benefit = (Total benefits – Total costs – Depreciation) / Investment life span

• The average net benefit is then divided by the total investment:

ROI = Average net benefit / Total investment

Page 157: RP_IT Consulting and Audit_121116_17_v1.0

ROI (2/4)
• The problem with ROI is that it doesn't consider the time value of money.
• For this reason the Net Present Value is introduced.
• The present value is the value, in today's currency, of a payment that will be received in the future.
• It is needed to discount the investment's returns and, for a constant annual payment received over n years, is calculated as:

Present Value = Payment × (1 – (1 + interest rate)^-n) / interest rate

• The Net Present Value is therefore calculated as:

NPV = Discounted expected future cash flows – Initial cost of the investment

Page 158: RP_IT Consulting and Audit_121116_17_v1.0

ROI (3/4)
• The Internal Rate of Return is an alternative to the NPV.
• This model too considers the time value of money.
• The IRR is defined as the rate of return or profit that an investment is capable of generating.
• The IRR is the discount rate that makes the present value of the expected future cash flows from the investment equal to the initial cost of the investment:

R (discount rate) is such that Present Value – Initial Cost = 0

Page 159: RP_IT Consulting and Audit_121116_17_v1.0

ROI (4/4)
• The Payback Period method is quite simple:
– it represents the time required to pay back the project's initial investment.
• It is calculated as:

Payback period = Initial investment / Annual net cash flows = years needed to pay back the investment

(the formula assumes constant annual net cash flows; with uneven flows one counts the years until the cumulative inflows cover the initial outlay).

• The payback period is widely used because:
– it is simple;
– it is useful for a first screening of alternative hypotheses;
– it is particularly good at evaluating high-risk cases in which the project's lifecycle is difficult to estimate.
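As an added worked example (not part of the original slides), the indicators of the last six slides computed in Python on a constructed cash-flow series: an outlay of 100 followed by five annual net inflows of 30, discounted at an assumed 10% rate. Neither figure comes from the slides. The hurdle values in the decision helper (IRR of 5%, payback of 18 months) are the illustrative thresholds quoted on the financial perspective (2/2) slide, not recommendations; the IRR is found by bisection because, unlike NPV, it has no closed form.

```python
"""Investment indicators for an IT project: NPV, IRR, payback and accounting ROI.

Added example; the cash flows and rates below are constructed for illustration.
"""
from typing import Optional, Sequence


def annuity_present_value(payment: float, rate: float, years: int) -> float:
    """Present value of a constant annual payment received at the end of each
    of `years` years: payment * (1 - (1 + rate) ** -years) / rate.
    This is the formula quoted on the ROI (2/4) slide."""
    if rate == 0:
        return payment * years
    return payment * (1 - (1 + rate) ** -years) / rate


def net_present_value(rate: float, cash_flows: Sequence[float]) -> float:
    """cash_flows[0] is the initial outlay at t = 0 (negative); cash_flows[t]
    is the net inflow at the end of year t. NPV = sum(cf_t / (1 + rate) ** t)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def internal_rate_of_return(cash_flows: Sequence[float],
                            lo: float = -0.99, hi: float = 10.0,
                            tol: float = 1e-10) -> float:
    """Discount rate at which NPV == 0, found by bisection on [lo, hi].
    Requires one initial outlay followed by inflows, so that NPV changes sign
    exactly once on the bracket; otherwise the IRR is not well defined."""
    f_lo = net_present_value(lo, cash_flows)
    f_hi = net_present_value(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both bracket ends; IRR undefined")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = net_present_value(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:   # root lies between lo and mid
            hi, f_hi = mid, f_mid
        else:                  # root lies between mid and hi
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def payback_period(cash_flows: Sequence[float], rate: float = 0.0) -> Optional[float]:
    """Years until cumulative inflows cover the initial outlay.
    rate = 0 gives the simple payback of the ROI (4/4) slide (equal to
    initial investment / annual net cash flow when the flows are constant);
    rate > 0 gives the discounted payback of the financial perspective slide.
    The fraction of the year in which the outlay is recovered is interpolated.
    Returns None if the outlay is never recovered within the horizon."""
    cumulative = cash_flows[0]
    if cumulative >= 0:
        return 0.0
    for t in range(1, len(cash_flows)):
        pv = cash_flows[t] / (1 + rate) ** t
        if pv > 0 and cumulative + pv >= 0:
            return (t - 1) + (-cumulative / pv)
        cumulative += pv
    return None


def accounting_roi(total_benefits: float, total_costs: float,
                   total_investment: float, life_years: int,
                   depreciation: Optional[float] = None) -> float:
    """ROI (1/4) slide: average net benefit / total investment, where
    average net benefit = (total benefits - total costs - depreciation) / life.
    With straight-line depreciation and no residual value, the depreciation
    over the life equals the investment itself, which is the default here."""
    if depreciation is None:
        depreciation = total_investment
    average_net_benefit = (total_benefits - total_costs - depreciation) / life_years
    return average_net_benefit / total_investment


def passes_hurdles(cash_flows: Sequence[float], rate: float,
                   min_irr: float = 0.05, max_payback_years: float = 1.5) -> dict:
    """Apply threshold values of the kind quoted on the financial perspective
    (2/2) slide (an IRR of 5%, a payback of 18 months); the defaults are
    illustrative, not recommendations. Returns every indicator together with
    the accept/reject verdict, so a disagreement between indicators (a good
    IRR but a slow payback, for instance) stays visible to the decision maker."""
    irr = internal_rate_of_return(cash_flows)
    payback = payback_period(cash_flows)
    result = {
        "npv": net_present_value(rate, cash_flows),
        "irr": irr,
        "payback_years": payback,
        "discounted_payback_years": payback_period(cash_flows, rate),
    }
    result["accepted"] = (irr >= min_irr
                          and payback is not None
                          and payback <= max_payback_years)
    return result


# Constructed example: outlay of 100 at t = 0, then five annual net inflows of 30,
# evaluated at an assumed 10% discount rate (neither figure comes from the slides).
EXAMPLE_CASH_FLOWS = [-100.0, 30.0, 30.0, 30.0, 30.0, 30.0]
EXAMPLE_RATE = 0.10

if __name__ == "__main__":
    for name, value in passes_hurdles(EXAMPLE_CASH_FLOWS, EXAMPLE_RATE).items():
        print(f"{name}: {value}")
    print("accounting ROI:", accounting_roi(150.0, 0.0, 100.0, 5))
```

On the constructed series the NPV at 10% is positive and the IRR is about 15%, comfortably above a 5% hurdle, yet the simple payback is 3.3 years, far beyond 18 months: the same project is accepted by one indicator and rejected by another, which is why the slides present them as components of a combined ROI assessment rather than as substitutes.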

Page 160: RP_IT Consulting and Audit_121116_17_v1.0

TCO
• The Total Cost of Ownership of an information system includes:
– initial cost of acquisition and implementation;
– upgrade costs;
– maintenance costs;
– technical support costs;
– training costs;
– logistics costs.
• The TCO model is particularly useful to analyze real costs.
• Considering all the above elements, for example, the TCO of a PC can be 3 times higher than its purchase price: the acquisition cost generally accounts for only 20% to 30% of the total cost of ownership.

Page 161: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (1/7)

• What about non-monetary benefits?
• The adoption of an integrated governance model allows the assessment to be extended with the identification of the factors that can be considered of interest or of risk. The evaluation of convenience, if properly contextualized with respect to a model of strategic alignment between business and IT, cannot disregard an assessment of all the elements that are not immediately quantifiable, or whose quantification leaves excessive margins of discretion.

Page 162: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (2/7)

• If one reasons in terms of dependencies between critical success factors at the different levels of the corporate value pyramid, the cost-benefit analysis (CBA) must also take into account indicators that are measurable and attributable to specific business goals but whose financial assessment is not immediate (such as increased competitive ability, or the fulfilment of legal requirements whose breach may result in intangible damage and loss of image rather than in financially quantifiable damages and penalties).

Page 163: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (3/7)

• The value chain logic allows us to reconstruct the dependency relationships and define a chain through which each specific benefit element that is not directly reducible to a monetary one can be weighed. Such a weight is clearly relative to the company's strategic model, but it is not discretionary, since it derives directly from the critical success factor and the related indicators to which the benefit is linked.

Page 164: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (4/7)

• Looking at the representation below, which shows the close correlation between the indicators used to evaluate business objectives and the success indicators of the IT world, it becomes clearer why the benefit analysis cannot be reduced to a mere economic and financial analysis, although it must ultimately be brought back to a measurable monetary value.

[Figure: alignment model. Three levels (Company, IT Function, IT processes) linked by correlations and alignments: Company Strategic Objectives → Division/Function Objectives → IT Process Objectives; Company CSF → IT Function CSF → IT Process KSF; Performance Indicators at each level feeding the Strategic Scorecard, IT Function Scorecard and IT Process Scorecard; Software Selection requirements → Software Selection Process → IT System. Source: The Innovation Group]

Page 165: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (5/7)

• It is therefore desirable to identify the factors of interest and the risk factors that must be included in the evaluation process. The definition of these factors must follow a logic that cuts across organizational lines, associating the factors with specific business processes, or better with the specific business processes that have created the need for automation. This association also makes it possible to embed comparative assessments in terms of process performance and feasibility, highlighting the advantages or disadvantages related to the adoption of a supporting application solution.

Page 166: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (6/7)

• Among the factors of interest that can be mentioned, for example, are:
– compliance with legal (e.g. regulatory requirements such as the Sarbanes-Oxley Act), accounting (e.g. IAS) or group requirements;
– the impact in competitive terms (image improvement, product innovativeness with respect to the reference market, customer relationship, supply chain);
– improvement of management's decision making (reporting, business intelligence).

Page 167: RP_IT Consulting and Audit_121116_17_v1.0

Qualitative factors: an integrated approach (7/7)

• Similar considerations apply to risk factors. For example:
– degree of technological innovation of the solution (first mover risk), also in relation to the skills the company can access (relative innovation rate);
– uncertainty of the requirements and of their priority (cross-process solutions);
– level of dependence on other solutions already in the company or to be introduced (waterfall effect);
– organizational size of the implementation project and of the induced change (creeping change induced by the solution).

• The relationship between factors of interest and risk factors must be properly formalized and weighed and, where possible, reduced to quantifiable variables, with the goal of building a coherent and comprehensive investment evaluation model.

Page 168: RP_IT Consulting and Audit_121116_17_v1.0

TOOLKITS


Page 169: RP_IT Consulting and Audit_121116_17_v1.0


SAM
Strategic Alignment Model: considers four different approaches to the mode of interaction and alignment between Business and IT components within the overall company framework.

BSC
Balanced Scorecard: integrates the economic-financial measures of past performance with measures of future performance drivers.

COBIT
Control Objectives for Information and Related Technology: a framework for ICT governance that provides managers, auditors and users of IT systems with a structure of processes and a set of indicators, in order to assess whether effective management of the IT function is in place or to provide guidance on establishing it.

ROI
Return on Investment: the rate of return on investment calculates the rate of return that the investment is able to generate, weighting the annual cash flows in relation to depreciation. This index provides a relative indication of the accounting returns that the project will be able to generate.

Page 170: RP_IT Consulting and Audit_121116_17_v1.0


TCO
Total Cost of Ownership: analyzes real costs including: initial cost of acquisition and implementation; upgrade costs; maintenance costs; technical support costs; training costs; logistics costs.

ROSI
Return on Security Investment.

NPV
Net Present Value: present value of the cash inflows and outflows generated by the project.

IRR
Internal Rate of Return: rate that expresses the project's return with respect to the set of discounted cash inflows and outflows.

Payback Period
Time needed for discounted cash inflows to cover discounted expenses.

Project Management

Page 171: RP_IT Consulting and Audit_121116_17_v1.0

IT SERVICE MANAGEMENT, ORGANISATION AND PROCESSES


Page 172: RP_IT Consulting and Audit_121116_17_v1.0

Agenda

• BPR
• ITIL
• CMMI
• SIX SIGMA


Page 173: RP_IT Consulting and Audit_121116_17_v1.0

BUSINESS PROCESS REENGINEERING (BPR)


Page 174: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Basic concepts (1/4)

• A business process is a correlated set of activities and decisions that takes in a certain number of inputs and produces an output with added value for the client, whether internal or external to the company.

• The advantages of adopting a process-based approach are:
– improved control over final products/services;
– a clear view of the activities to carry out to transform inputs into outputs;
– better management of functional interrelations, by aligning individuals to the process objectives;
– the ability to identify errors and solutions in complex systems.

Page 175: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Basic concepts (2/4)

• The following graph recalls the basic elements of a business process.

[Figure: Supplier → Input → Process → Output → Client]

Page 176: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Basic concepts (3/4)

• The elements that characterize a process, shown in the previous graph, can be identified as follows:
– Suppliers: external parties or other business processes that provide the necessary inputs.
– Input: physical and informational factors incoming from the outside or from other business processes, which are necessary to start the process activities.
– Activity: set of actions that transform the input into output for internal or external clients.
– Client: user of the process output, who can be internal (a business unit of the same company that uses the output as input for its own activities) or external (the actual customer who buys the product or service).

Page 177: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Basic concepts (4/4)

– Output: physical or informational factor addressed to the client, whether internal or external. The identification of the output requires the definition of the performance associated with it, in terms of cost, qualitative characteristics and delivery or development timing.

– Added Value: additional characteristic with respect to the input (generated by a series of activities/processes and included in the output) that is perceived as an improvement by the client.

– Binding factors: events, procedures, rules, norms and guidelines that determine the effectiveness and efficiency performance of an activity. If these conditions are not respected, the process output may not be deliverable because of its poor quality.

Page 178: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Process Analysis

• Process analysis is divided into 2 phases:
– Contextualization of all the processes under analysis, by identifying the links between the processes and the external agents*, other business processes and organizational structures. This information can be represented clearly and in a structured manner by the Context Diagram.
– Decomposition of the processes under analysis, through a progressively deeper understanding, level by level, down to the last level of decomposition, with a description of each activity.

* Context identification: we define as external agent a process, organization, application or role external to the process under analysis, with which the latter must interact and exchange information or materials.

Page 179: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Context Diagram

• The Context Diagram is a graphical representation of the process boundaries that shows all known and relevant external agents and the main data flows between the process under analysis and the external agents.

• The Context Diagram's goals are to:
– contextualize the scope of the subsequent process decompositions;
– document the process by highlighting the external agents that interact with it;
– act as a communication tool.

[Figure: a central PROCESS box surrounded by EXTERNAL AGENT boxes, connected by INPUT DATA FLOW and OUTPUT DATA FLOW arrows]

Page 180: RP_IT Consulting and Audit_121116_17_v1.0

Process theory: Decomposition

• To achieve the desired level of detail, we operate through an iterative approach that decomposes the processes through successive refinements of greater detail.
– Mega process: highest level for any process identified by the company (the main processes through which a company pursues its mission).
– Major process: represents the subdivision of the mega process.
– Sub process: represents the subdivision of the major processes into a further set of sub-processes. The number of sub-process levels is variable.
– Activity: represents the last step in the process decomposition and consists of an elementary "portion" of work that transforms input into output (e.g. fill in the purchase request).

[Figure: Mega-Process → Major-Process → Sub-Process 1, Sub-Process 2, … Sub-Process n → Detailed activity]

Page 181: RP_IT Consulting and Audit_121116_17_v1.0

Domain: Definition

By process domain we mean a context/dimension with respect to which the process is differentiated.

• Examples:
– product families;
– clients;
– markets;
– suppliers;
– geographical segments;
– distribution channels;
– etc.

Page 182: RP_IT Consulting and Audit_121116_17_v1.0

Process Owner: Definition

By process owner we mean the person responsible for the process, who is in charge of ensuring its overall effectiveness and efficiency. The process owner:
• oversees the overall objectives of the process and its operational continuity;
• is accountable to the customer;
• promotes continuous improvement;
• is usually chosen from related functions;
• may differ from the line manager;
• can cover a wider range of responsibilities than those of a single function.

Page 183: RP_IT Consulting and Audit_121116_17_v1.0

Process Owner examples

PROCESS | PROCESS OWNER
• Development of new products and services; go-to-market and commercialization planning; sales monitoring | Product manager
• Management of delivery to client; production and assembly | Contract manager (product/service supplier)

Page 184: RP_IT Consulting and Audit_121116_17_v1.0

Definition of Activity

Activity:
• set of actions that transform an input into output, adding value for the recipient;
• performed in a defined period of time;
• executed within a single organizational unit.

• The main methods of activity definition are:
– top-down (decomposition of sub-processes into single activities);
– bottom-up (identification of all activities and clustering based on the sub-process they belong to);
– hybrid or mixed.

Page 185: RP_IT Consulting and Audit_121116_17_v1.0

Decomposition of sub-processes into activities

[Figure: Level 1 Sub-process → Level 2 Sub-process → Activity]

Page 186: RP_IT Consulting and Audit_121116_17_v1.0

Flow Diagram: Symbols

Legend of the symbols used in the flow diagrams:
• Government process
• Core process
• Support process
• Organizational unit
• Process input / Process output
• Manual activity
• Activity supported by a system
• System activity

System activities, or activities supported by a system, require the specification of the system in use.

Page 187: RP_IT Consulting and Audit_121116_17_v1.0

Flow Diagram: Conventions (1/2)
• The source of the input must always be indicated, whether the input comes from a process internal or external to the process in question, and whether it comes from an organizational unit or from an external party (Supplier).

• The input can enter either at the beginning of the process or subsequently, when the related activity is about to be carried out.

• The destination of the output must always be indicated, whether the output is addressed to a process internal or external to the process in question, and whether it is addressed to an organizational unit or to an external party (Customer).

• The output may be delivered either at the end of the process or earlier, as soon as it is ready.

[Figure: example flow diagram (Italian in the original) for the process "PROCURE / Manage Requests", with columns Supplier, Input, Activity flow, Output, Recipient. Swimlanes: SPAI; SOM/T-Systems (logical entity configuration); Outsourcer (pre-configuration and logistics). Activities from START to END: acquire requests; detect priority; verify product type (decision "Ordinary?"); report product to be procured (to PROCURE / Manage Purchases); report product commitment; verify the need for a pre-configuration kit / logical entity parameters (decision "Necessary?"); request kit and configuration parameters; attach kit and configuration parameters to the preparation order; issue material preparation order; monitor completion of the intervention (decision "Complete?", otherwise send a reminder); report closure of the intervention. Inputs and outputs: material preparation request; report of material to be procured; report of material to be committed; kit request; logical entity parameters request; material preparation order; reminder; report of material ready for shipment; activity closure report.]

Page 188: RP_IT Consulting and Audit_121116_17_v1.0

Flow Diagram: Conventions (2/2)
• The activities should be described as concisely as possible.
• It is important to highlight the system activities and the activities carried out with the support of a system. These activities are fundamental to the definition of user requirements when an application is implemented to support the process in question.
• A decision point is always preceded by a verification activity.
• A decision point has only two exits: yes / no.
• A decision point cannot be followed directly by another one; two decision points must be separated by a verification activity.


Page 189: RP_IT Consulting and Audit_121116_17_v1.0

The process based approach

• Taking a process approach means adopting the point of view of the process "customer". A measure of process evaluation is therefore the customer's satisfaction with the output of the process itself.

• The advantages of a process-based approach are:
– increased value for the end customer;
– encouraging customer orientation in the process;
– improved control over final products or services;
– better management of functional interrelationships, by aligning people to the process objectives;
– detection of errors and solutions in complex systems;
– a clear overview of the activities to be carried out to transform input into output.

Page 190: RP_IT Consulting and Audit_121116_17_v1.0

Organization by Processes

• The classical business organization by functions does not readily accommodate changes in terms of added value for clients and usually generates:
– managerial overlapping;
– lack of accountability in the cross-functional spaces between functions.

[Figure: ORGANIZATION with functions A, B, C, D and E in vertical columns; PROCESSES run horizontally across the functions from SUPPLIERS to CLIENTS; PROCESSES = VALUE CREATION]

Processes are, by definition, oriented to value creation.

Page 191: RP_IT Consulting and Audit_121116_17_v1.0

Methodological process based approach

• The definition of a process-oriented organizational model requires:
– the definition of a reference framework, intended as a logical structure for classifying and organizing complex models of business processes;
– the identification and positioning within the framework of the mega processes, intended, within the decomposition hierarchy, as the highest level of corporate ICT processes;
– the breakdown of each identified mega process into its constituent major processes, intended as the subset of processes that enable the achievement of the specific objectives of the mega process.

[Figure: FRAMEWORK definition → MEGA PROCESS identification → MAJOR PROCESS definition, with guidelines feeding each step]

Page 192: RP_IT Consulting and Audit_121116_17_v1.0

Framework of reference (1/4)

The term "reference framework" means a logical structure for classifying and organizing complex models of business processes. The reference framework chosen as the starting point for the definition of the ICT operating model is shown in the diagram below; it segments the ICT processes into three distinct areas, each grouping processes of a similar nature.

The choice of this framework is justified by the opportunity of identifying and justifying, already at the macroscopic level, the correct positioning and significance of the model's main processes in the overall context of the business environment.

[Figure: three areas: GOVERNANCE, CORE, SUPPORT]

Page 193: RP_IT Consulting and Audit_121116_17_v1.0

Framework of reference (2/4)

• The area called Governance includes the processes of a strategic and managerial nature which direct, supervise and control the remaining processes in the ICT context and which interface with business processes outside the ICT context. Examples of subjects that characterize the area are:
– the definition of the ICT strategy;
– ICT demand management;
– management of ICT investments.

[Figure: GOVERNANCE area highlighted among GOVERNANCE, CORE, SUPPORT]

Page 194: RP_IT Consulting and Audit_121116_17_v1.0

Framework of reference (3/4)

• The area called Core consists of the processes aimed at the production, management and technological delivery of IT services. Examples of subjects that characterize the area are:
– ICT products and services life cycle management;
– operations management;
– anomaly management;
– service level management;
– security management.

[Figure: CORE area highlighted among GOVERNANCE, CORE, SUPPORT]

Page 195: RP_IT Consulting and Audit_121116_17_v1.0

Framework of reference (4/4)

• The area called Support includes those processes that do not add value directly perceivable by the users of the Core processes' output. Examples of subjects that characterize the area are:
– purchase management;
– human resources management;
– standards and quality management.

[Figure: SUPPORT area highlighted among GOVERNANCE, CORE, SUPPORT]

Page 196: RP_IT Consulting and Audit_121116_17_v1.0

INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)


Page 197: RP_IT Consulting and Audit_121116_17_v1.0

THE ITIL SERVICE TEAM


Page 198: RP_IT Consulting and Audit_121116_17_v1.0

WHY ITIL


Page 199: RP_IT Consulting and Audit_121116_17_v1.0

The Purpose of V3

• Meet the needs of today and tomorrow
• Evolve SM practices to the next level of maturity
• Address current practice gaps
• Embed solid processes into a service lifecycle
• Stronger connection to converging frameworks:
– Governance
– Standards
– Management


Page 200: RP_IT Consulting and Audit_121116_17_v1.0

The need for change

• More practical 'how to' guidance
• Improved consistency and comprehensiveness
• Extend the focus to measurable business value
• Visible links to other industry practices
• Guidance in context to current needs


Page 201: RP_IT Consulting and Audit_121116_17_v1.0

THE ITIL SERVICE MANAGEMENT PRACTICES


Page 202: RP_IT Consulting and Audit_121116_17_v1.0

ITIL –At your Service


Page 203: RP_IT Consulting and Audit_121116_17_v1.0

Core Structure


[Figure: the ITIL core surrounded by related standards and frameworks: ISO 20000, CMMI, eSCM, ISO 27001, COBIT, Six Sigma]

Page 204: RP_IT Consulting and Audit_121116_17_v1.0

Why a Lifecycle?
• Building on a great practice base
• Enabling integration with business process
• Managing services from cradle to grave
• Removing process silos
• Reflecting the public feedback for a holistic lifecycle focus


Page 205: RP_IT Consulting and Audit_121116_17_v1.0

A lifecycle stage at work


Page 206: RP_IT Consulting and Audit_121116_17_v1.0

Non linear process


Page 207: RP_IT Consulting and Audit_121116_17_v1.0

ITIL Service Strategy


Page 208: RP_IT Consulting and Audit_121116_17_v1.0

NEW CONCEPTS FOR TODAY AND TOMORROW


Page 209: RP_IT Consulting and Audit_121116_17_v1.0

Value for Services


Page 210: RP_IT Consulting and Audit_121116_17_v1.0

The Service Portfolio


Page 211: RP_IT Consulting and Audit_121116_17_v1.0

Five Aspects of Service Design

1. Requirements, Resources, Capabilities
2. Management Systems, Tools
3. Technology and Management architectures
4. Processes
5. Measurement systems


Page 212: RP_IT Consulting and Audit_121116_17_v1.0

Service Knowledge and Stability


[Figure: DIKW hierarchy: Data → Information → Knowledge → Wisdom]

Page 213: RP_IT Consulting and Audit_121116_17_v1.0

Continual Improvement


7 Steps to Service Improvement

Page 214: RP_IT Consulting and Audit_121116_17_v1.0

THE LIVING LIBRARY


Page 215: RP_IT Consulting and Audit_121116_17_v1.0

ITIL Complementary Portfolio

• Supports the ITIL Core
• Topic Specific
• Enhanced Guidance
• Industry Developed
• Research Supported
• Living Library
• Industry owned
• ITIL Branded


NEW
• Official Study Aids
• Outsourcing Expertise
• Scalable Adaptation
• Public Sector
• Knowledge System
• Measurement
• ITIL for Executives
• ITIL in various sectors
• ITIL in various platforms

Page 216: RP_IT Consulting and Audit_121116_17_v1.0

Business Benefits of V3

• Improved use of IT investments
• Integration of business and IT value
• Portfolio driven service assets
• Clear demonstration of ROI and ROV
• Agile adaptation and flexible service models
• Performance and measures that are business value based
• IT Service Assets linked to business services


Page 217: RP_IT Consulting and Audit_121116_17_v1.0

BE A PART OF THE FUTURE TODAY!

Service Strategy


Page 218: RP_IT Consulting and Audit_121116_17_v1.0

From ITILv2 to ITILv3


Page 219: RP_IT Consulting and Audit_121116_17_v1.0

What do you see?


Page 220: RP_IT Consulting and Audit_121116_17_v1.0

There are no triangles

• We provide the edges as we provide our views of the world.


• The “edge” of IT was once to be found solely in technology.

• ITIL rearranged the “edge” to include people and process.

• ITILv3 once again rearranges the “edge”, this time with a focus on services.

Page 221: RP_IT Consulting and Audit_121116_17_v1.0

The future: A global service economy


“Steps towards a Science of Service Systems”, Jim Spohrer et al., IBM

Page 222: RP_IT Consulting and Audit_121116_17_v1.0

The past: “Whatever happened to other process frameworks such as TQM, BPR, QC, et al.?”


Page 223: RP_IT Consulting and Audit_121116_17_v1.0

What is the service strategy of ITILv2?


• A model whereby the strategy is the optimization of work tasks.

• The parameters of value are contained within the walls of IT.

• Value means making whatever you want more efficiently.

• Not wrong, but are you making the right things to begin with, or can you create more value by undertaking broader or narrower missions?

Page 224: RP_IT Consulting and Audit_121116_17_v1.0

ITIL Service Strategy


• It is a model whereby the strategy begins with the customer’s desired outcomes.

• “Customers don’t buy products, they buy the satisfaction of particular needs.”

• This means that what the customer values is often different from what the service provider thinks he or she provides.

• Acknowledges that every service provider is subject to competitive forces.

Page 225: RP_IT Consulting and Audit_121116_17_v1.0

What is a Service?

Services are a ‘means of delivering value to customers by facilitating outcomes customers want to achieve, without the ownership of specific costs and risks’.


Page 226: RP_IT Consulting and Audit_121116_17_v1.0

What is a Service Strategy? A means to become not optional.

• The lifecycle begins with Service Strategy, the discernment of an IT organization’s strategic purpose; a topic that often gets short shrift in the pursuit of day-to-day practicalities.

• IT service strategy helps senior managers understand how their organization will differ from competing alternatives and thereby satisfy both customers and stakeholders.

• Properly done, these core strategic concepts can and should lead to powerful and practical insights – where is the organization headed and what does it need to do to get there?


Page 227: RP_IT Consulting and Audit_121116_17_v1.0

Operational efficiency is necessary but not sufficient.

• IT services are now part of the fabric of the business and customers expect guaranteed levels of service:


A few years ago, customers could only use ATMs to withdraw cash.

Page 228: RP_IT Consulting and Audit_121116_17_v1.0

Service strategies are required to create long-term value for Customers and Stakeholders.

• IT services are now part of the fabric of the business and customers expect guaranteed levels of service:


Today, the entire customer experience may take place through ATMs:

• withdraw cash;
• pay in cheques and cash;
• manage their accounts;
• transfer money;
• obtain quotes for loans;
• top-up their mobile phones.

Page 229: RP_IT Consulting and Audit_121116_17_v1.0



Service strategies will shape the ATMs of tomorrow.

Page 230: RP_IT Consulting and Audit_121116_17_v1.0

Why should CIOs care about ITILv3?


Page 231: RP_IT Consulting and Audit_121116_17_v1.0

Why should CIOs care about ITILv3?

…they will also need to understand how to shape service strategies that create value for Business and its Customers. The new Service Strategy volume deals with these ‘C-Level’ Business concepts. For example:

• Defining Services;
• Defining Strategy;
• Value Networks, Value Creation and Value Capture;
• Market Spaces and Solution Spaces;
• Business and IT Service Management;
• Service Portfolios;
• Enterprise Architecture and Service Oriented Architecture;
• Types of Service Providers;
• The Business Case for building Service Assets and Service Management Capabilities;
• Measuring Service Performance.


Page 232: RP_IT Consulting and Audit_121116_17_v1.0

Business outcomes and performance of customer assets are the basis for valuing services and service management


Page 233: RP_IT Consulting and Audit_121116_17_v1.0

Service management synchronizes the productive capacity of service assets with business activity of customer assets


Page 234: RP_IT Consulting and Audit_121116_17_v1.0

Services and service level packages are tagged with the outcomes for which they have service potential


Page 235: RP_IT Consulting and Audit_121116_17_v1.0

On behalf of customers, Relationship Managers negotiate productive capacity in the form of suitable services


Page 236: RP_IT Consulting and Audit_121116_17_v1.0

The Service Portfolio represents investments across the Service Lifecycle necessary to implement strategy


Page 237: RP_IT Consulting and Audit_121116_17_v1.0

So, Service Strategy is not the exclusive concern of “strategists” who come to work in specially marked cars!!


Page 238: RP_IT Consulting and Audit_121116_17_v1.0

SERVICE DESIGN


Page 239: RP_IT Consulting and Audit_121116_17_v1.0

A few citations


Page 240: RP_IT Consulting and Audit_121116_17_v1.0

IT Service Lifecycle


Page 241: RP_IT Consulting and Audit_121116_17_v1.0

Service Definition

'The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements'


Page 242: RP_IT Consulting and Audit_121116_17_v1.0


Page 243: RP_IT Consulting and Audit_121116_17_v1.0

The five aspects of Service Design

• Design of the service solutions
• Design of the Service Management Tools (and other supporting systems)
• Design of the technology architectures and management systems
• Design of the processes
• Design of the measurement systems, methods and metrics


Page 244: RP_IT Consulting and Audit_121116_17_v1.0

Service Design

• There is a requirement to design all processes

• Processes covered in detail:
– Service Level Management
– Availability Management
– IT Service Continuity Management
– Supplier Management
– Information Security Management
– Capacity Management
– Service Catalogue Management
– ……….


Page 245: RP_IT Consulting and Audit_121116_17_v1.0


Page 246: RP_IT Consulting and Audit_121116_17_v1.0


Page 247: RP_IT Consulting and Audit_121116_17_v1.0


Page 248: RP_IT Consulting and Audit_121116_17_v1.0


Page 249: RP_IT Consulting and Audit_121116_17_v1.0

Summary

• “Design is so critical it should be on the agenda of every meeting in every single department.” Tom Peters

• “Design is not just what it looks like and feels like. Design is how it works.” Steve Jobs

• “Good design is the most important way to differentiate ourselves from our competitors.” Samsung CEO Yun Jong Yong

• “Your products run for election every day and good design is critical to winning the campaign.” Procter & Gamble CEO A.G. Lafley

• “Design's fundamental role is problem solver” Fast Company


Page 250: RP_IT Consulting and Audit_121116_17_v1.0

SERVICE TRANSITION


Page 251: RP_IT Consulting and Audit_121116_17_v1.0

Service Transition: Taking ITIL forward

Value to the business

• Integrate/align new or changed services with the customer’s business
• Ensure that the changed service can be used in a way that maximizes value to the business operations
• Deliver more change successfully
– Across the customer base
– Reduce unpredicted impact and risks
– Reduce variation - ‘estimated’ v. ‘actuals’
– Services - fit for purpose, fit for use


Page 252: RP_IT Consulting and Audit_121116_17_v1.0

What is Service Transition?

• Taking the design and transitioning the Service into operations – focused on Service
• Delivering in the actual circumstances
• Practices to:
– Make it easier to adopt and manage change
– Standardize transition activities
– Maintain the integrity of configurations as they evolve
– Expedite effective decisions
– Ensure new / changed services will be deployable, manageable, maintainable, cost-effective


Page 253: RP_IT Consulting and Audit_121116_17_v1.0

Key Processes

• Lots that isn’t new - but improved
– Change management
– Configuration management
– Release and Deployment
• Nothing much there to upset your
– Tools
– Training
– Practitioners


Page 254: RP_IT Consulting and Audit_121116_17_v1.0

Change Management Scope


Page 255: RP_IT Consulting and Audit_121116_17_v1.0

What’s improved: Change & configuration management

• Change
– Normal, standard, emergency change models
– Change evaluation
– More granular change authorization
• Design
– Configuration structures, models, levels
– Processes, procedures, workflows
– Configuration management system
• Managing change to service assets and configurations
– Optimisation and lifecycle management of service assets
– Capturing baselines and releases
– Minimizing issues due to improper configurations
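The last group of points (capturing baselines, granular change authorization, catching improper configurations) is easiest to see as a concrete check: record a fingerprint of every configuration item when a release is accepted, then compare the live state against that baseline and against the requests for change that were actually approved. The block below is an added illustration, not code from the original deck or from ITIL; the configuration items, the request identifier RFC-0042 and the function names capture_baseline and compare_to_baseline are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (not from the original deck): the configuration
# items captured at release time, and the state later found on the live system.
BASELINE_ITEMS = {
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "ntp.conf": "server 10.0.0.5\n",
    "app.env": "DEBUG=false\n",
}
CURRENT_ITEMS = {
    "sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # changed, no RFC
    "ntp.conf": "server 10.0.0.6\n",                                   # changed under an RFC
    "cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",         # not in the baseline
}


def fingerprint(content: str) -> str:
    """SHA-256 of a configuration item's content; the CMS stores this, not the content."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def capture_baseline(items: dict[str, str]) -> dict[str, str]:
    """Record the fingerprint of every CI at the moment a release is accepted."""
    return {name: fingerprint(content) for name, content in items.items()}


# Approved requests for change (hypothetical identifier RFC-0042): each one names
# the CI it authorizes to change and the fingerprint the CI must have afterwards,
# so authorization is granular (one CI, one expected result) rather than blanket.
APPROVED_CHANGES = {
    "ntp.conf": {"rfc": "RFC-0042", "expected": fingerprint("server 10.0.0.6\n")},
}


@dataclass
class DriftReport:
    unauthorized: list[str] = field(default_factory=list)  # changed with no matching RFC
    authorized: list[str] = field(default_factory=list)    # changed exactly as an RFC allows
    added: list[str] = field(default_factory=list)         # CI present but never baselined
    removed: list[str] = field(default_factory=list)       # baselined CI now missing


def compare_to_baseline(baseline, current_items, approved) -> DriftReport:
    """Classify every CI by comparing its current fingerprint with the baseline."""
    report = DriftReport()
    current = capture_baseline(current_items)
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report.removed.append(name)
        elif name not in baseline:
            report.added.append(name)
        elif current[name] == baseline[name]:
            continue  # unchanged: configuration integrity holds for this CI
        elif name in approved and approved[name]["expected"] == current[name]:
            report.authorized.append(f"{name} ({approved[name]['rfc']})")
        else:
            # Either no RFC covers this CI, or the change differs from what was
            # approved; both are improper configurations for change management to act on.
            report.unauthorized.append(name)
    return report


def run_example() -> DriftReport:
    baseline = capture_baseline(BASELINE_ITEMS)
    return compare_to_baseline(baseline, CURRENT_ITEMS, APPROVED_CHANGES)


if __name__ == "__main__":
    for label, names in vars(run_example()).items():
        print(f"{label:12s} {names}")
```

Recording the expected post-change fingerprint in the approved request is what makes the authorization granular: a change that was approved but applied differently from what was evaluated still surfaces as unauthorized, which is the case a plain "was there an RFC for this file?" check would miss.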


Page 256: RP_IT Consulting and Audit_121116_17_v1.0

Configuration Management System - CMS


Page 257: RP_IT Consulting and Audit_121116_17_v1.0

What’s improved Release and Deployment


Page 258: RP_IT Consulting and Audit_121116_17_v1.0

What’s new: Transition planning and support

• Integrated planning
– Transition capacity and resources
– Across all service transition
– With service operations and CSI
– With the business, customer and users
• Proactive support
– Maintain/ re-use transition models
– Progress tracking & management
– Course corrections
– Transition closure


Page 259: RP_IT Consulting and Audit_121116_17_v1.0

What Else is New


Page 260: RP_IT Consulting and Audit_121116_17_v1.0

What’s new – Service V model


Page 261: RP_IT Consulting and Audit_121116_17_v1.0

What’s new – SKMS


Page 262: RP_IT Consulting and Audit_121116_17_v1.0

What’s new – Managing organizational change

• Strategies to manage organization, stakeholder, people change
• People’s commitment, roles and emotions


Page 263: RP_IT Consulting and Audit_121116_17_v1.0

Service Transition – Moving ITIL forward

• Delivering what the business needs
• Services fit for purpose, fit for use
• Integrated, holistic, standard approach
• Reduce variation predicted vs actual
– Quality, Cost, Time
– Capabilities, Resources, Capacity
– Risks, Errors and incidents
• More IT enabled change that adds value to the customer’s business


Page 264: RP_IT Consulting and Audit_121116_17_v1.0

SERVICE OPERATION

Business as usual


Page 265: RP_IT Consulting and Audit_121116_17_v1.0

Why Service Operation?

• Stability but not stagnation
• Realizing value
• Responding to operational needs in Business and Technology
• Great design is worth little if it can not be delivered
• Achieving balance


Page 266: RP_IT Consulting and Audit_121116_17_v1.0

What Were we Thinking?

• Service and Infrastructure are not different worlds

• Different service models will be operated differently – we limited ourselves to IT

• The “what” and the “who” are equally important

• The world of Operation does not stand alone


Page 267: RP_IT Consulting and Audit_121116_17_v1.0

MONITORING AND CONTROL

Context


Page 268: RP_IT Consulting and Audit_121116_17_v1.0

Context - Monitor Control Loop


Page 269: RP_IT Consulting and Audit_121116_17_v1.0

Complex Monitor Control Loops


Page 270: RP_IT Consulting and Audit_121116_17_v1.0

Context - The ITSM Lifecycle


Page 271: RP_IT Consulting and Audit_121116_17_v1.0

PROCESSES


Page 272: RP_IT Consulting and Audit_121116_17_v1.0

Service Operation Processes


Page 273: RP_IT Consulting and Audit_121116_17_v1.0

Self Help

• Significant potential for:
– Improved responsiveness
– Reduced demands on IT staff
– Reduced costs
– Improved standardization
– Improved quality


Page 274: RP_IT Consulting and Audit_121116_17_v1.0

Self Help


Page 275: RP_IT Consulting and Audit_121116_17_v1.0

Event Management Logging and Filtering


Page 276: RP_IT Consulting and Audit_121116_17_v1.0

Event Management Managing Exceptions


Page 277: RP_IT Consulting and Audit_121116_17_v1.0

Event Management Information & Warnings


Page 278: RP_IT Consulting and Audit_121116_17_v1.0

Service Operation Reactive Processes


Page 279: RP_IT Consulting and Audit_121116_17_v1.0

FUNCTIONS


Page 280: RP_IT Consulting and Audit_121116_17_v1.0

Service Operation Functions


Page 281: RP_IT Consulting and Audit_121116_17_v1.0

Common SO Activities

• Mainframe Management
• Server Management
• Network Management
• Storage and Archive
• Database Administration
• Directory Services Management
• Desktop Management
• Internet / Web Management
• Etc.


Page 282: RP_IT Consulting and Audit_121116_17_v1.0

The Application Management Lifecycle


Page 283: RP_IT Consulting and Audit_121116_17_v1.0

The Application Management Lifecycle


Page 284: RP_IT Consulting and Audit_121116_17_v1.0

Questions?


Page 285: RP_IT Consulting and Audit_121116_17_v1.0

ITIL V3 CONTINUAL SERVICE IMPROVEMENT


Page 286: RP_IT Consulting and Audit_121116_17_v1.0

Organizations Have Always Talked About It

• CSI is not a new concept. Organizations have talked about it for many years; but, for most, the concept has not moved beyond the discussion stage.

• For many organizations, CSI becomes a project when something has failed and severely impacted the business.

• When the issue is resolved, the concept is promptly forgotten until the next major failure occurs.


Page 287: RP_IT Consulting and Audit_121116_17_v1.0

What’s Different in v3

• Most everything
• CSI was only addressed as part of Service Level Management in v2
• Addressed as part of the overall Service Lifecycle
• Improvement Model in v3
• Continual Improvement Process in v3


Page 288: RP_IT Consulting and Audit_121116_17_v1.0

CSI Goals, Scope & Key Processes

• Goals
– To identify and implement improvement activities on IT Services that support the business processes as well as identify and implement improvements to IT Service Management processes. The improvement activities will support the Lifecycle approach through Service Strategies, Service Design, Service Transition, and Service Operations and should always be looking for ways to improve process effectiveness, efficiency as well as cost effectiveness
• Scope
– Service and Service Management improvement
– All of IT
• Key Processes
– Service Level Management (monitor, report, review)
– Problem Management (Proactive / trending / analysis)
– Knowledge Management (DIKW)


Page 289: RP_IT Consulting and Audit_121116_17_v1.0

CSI Objectives

• Review, analyze and make recommendations on improvement opportunities in each lifecycle phase: Service Strategies, Service Design, Service Transition, and Service Operations
• Review and analyze Service Level Achievement results
• Identify and implement improvement activities to improve IT Service quality and improve the efficiency and effectiveness of ITSM processes
• Improve cost effectiveness of delivering IT Services
• Identify and implement improvement activities of the ITSM processes and supporting tools
• Ensure applicable quality management methods are used to support continual improvement activities


Page 290: RP_IT Consulting and Audit_121116_17_v1.0

Continual Service Improvement Model


Page 291: RP_IT Consulting and Audit_121116_17_v1.0

The Continual Improvement Process


Page 292: RP_IT Consulting and Audit_121116_17_v1.0

Service Lifecycle Improvement


Page 293: RP_IT Consulting and Audit_121116_17_v1.0

CSI Review

• Key Messages
– Everyone has responsibility for continual improvement
– Each handoff can provide an opportunity for improvement
– Relies on other service management processes
• Needs to be treated just like any other process
– Policies
– Roles and responsibilities (different for program, project and production)
– Procedures
– Management information and reporting


Page 294: RP_IT Consulting and Audit_121116_17_v1.0

ITIL V3 QUALIFICATION SCHEME


Page 295: RP_IT Consulting and Audit_121116_17_v1.0

The Management Structure


Page 296: RP_IT Consulting and Audit_121116_17_v1.0

The Qualification Board


Page 297: RP_IT Consulting and Audit_121116_17_v1.0

The Global Senior Examiner Panel


Page 298: RP_IT Consulting and Audit_121116_17_v1.0

V3 Examiner Panel - Scope

• Development of Qualification structure for ITIL v3
• Design the certification elements required of the scheme
• Produce the requirements for learning objectives and knowledge competency
• Produce the supporting accredited formal syllabi
• Produce the requirements for delivery mechanism
• Produce sample examinations in support of the syllabi
• Provide recommendation on the required trainer and course provider competency to deliver against the scheme
• Manage Exam bank


Page 299: RP_IT Consulting and Audit_121116_17_v1.0

Guiding Principles

• Must offer value to the career objectives of the student
• Allow innovation and flexibility and value for Course Providers
• Meets learning objectives and competency outcomes
• Bloom’s taxonomy for setting exams
• Contribute to the maturity of ITSM professionalism
• Responsive to evolving market demand
• Transitional V2 – V3 bridging


Page 300: RP_IT Consulting and Audit_121116_17_v1.0

Basic Features

• Modular design
• Official Study aids
• Flexible Choice
• Career path oriented
• V2 to V3 bridging
• Service Lifecycle
• Service Capability
• Classroom
• E-learning
• On Demand examination
• Live Exam Bank


Page 301: RP_IT Consulting and Audit_121116_17_v1.0

The Structure


Page 302: RP_IT Consulting and Audit_121116_17_v1.0


Page 303: RP_IT Consulting and Audit_121116_17_v1.0


Page 304: RP_IT Consulting and Audit_121116_17_v1.0

Syllabus Features


Page 305: RP_IT Consulting and Audit_121116_17_v1.0

V3 - A means to an end?

• Service Management is the means but not an end
– A route guide and trip planner
• V3 Core practices are the seeds of future vision
• A community garden tended by fellow travelers


Page 306: RP_IT Consulting and Audit_121116_17_v1.0

Eating our own cooking

• Applied the service lifecycle to V3
– Strategy
• Defined our market
• Created the portfolio scope
• Built the organizational structure
– Design
• Gathered requirements
• Designed the infrastructure
• Delivered a SDP to the author team


Page 307: RP_IT Consulting and Audit_121116_17_v1.0

Eating our own cooking

• Transition
– Built the practice
– Tested and validated with QA
– Established the SAC
– Deployed the service
• Operation
– Now in Early Life support
– Begin monitoring and control


Page 308: RP_IT Consulting and Audit_121116_17_v1.0

Sites

• www.itil.co.uk
• www.best-management-practice.com


Page 309: RP_IT Consulting and Audit_121116_17_v1.0

CAPABILITY MATURITY MODEL INTEGRATION (CMMI)


Page 310: RP_IT Consulting and Audit_121116_17_v1.0

PROCESS IMPROVEMENT CONCEPTS AND CMMI


Page 311: RP_IT Consulting and Audit_121116_17_v1.0

General Definitions of Process

• Process – a sequence of steps performed for a given purpose (IEEE)

• Process – the logical organization of people, materials, energy, equipment, and procedures into work activities designed to produce a specified end result (From Pall, Gabriel A. Quality Process Management. Englewood Cliffs, N.J.: Prentice Hall, 1987.)

• Process – activities that can be recognized as implementations of practices in a model (CMMI glossary)


Page 312: RP_IT Consulting and Audit_121116_17_v1.0

The Process Management Premise

The quality of a system is highly influenced by the quality of the process used to acquire, develop, and maintain it. This premise implies a focus on processes as well as on products:

• This is a long-established premise in manufacturing.
• Belief in this premise is visible worldwide in quality movements in manufacturing and service industries (e.g., ISO standards).
• This premise is also applicable to development.


Page 313: RP_IT Consulting and Audit_121116_17_v1.0

Quality Leverage Points

While process is often described as a node of the process-people-technology triad, it can also be considered the “glue” that ties the triad together.


Everyone realizes the importance of having a motivated, quality work force but even our finest people cannot perform at their best when the process is not understood or operating at its best.

Process, people, and technology are the major determinants of product cost, schedule, and quality.

Page 314: RP_IT Consulting and Audit_121116_17_v1.0

Ad Hoc Processes

Processes are ad hoc and improvised by practitioners and their management. Process descriptions are not rigorously followed or enforced. Performance is highly dependent on current practitioners. Understanding of the current status of a project is limited. Immature processes result in fighting fires:

• There is no time to improve—instead, practitioners are constantly reacting.
• Firefighters get burned.
• Embers might rekindle later.


Page 315: RP_IT Consulting and Audit_121116_17_v1.0

Improved Processes

• Process descriptions are consistent with the way work actually is done.
• They are defined, documented, and continuously improved.
• Processes are supported visibly by management and others.
• They are well controlled—process fidelity is evaluated and enforced.
• There is constructive use of product and process measurement.
• Technology is introduced in a disciplined manner.


Page 316: RP_IT Consulting and Audit_121116_17_v1.0

Institutionalized Processes

• “That’s the way we do things around here.”
• The organization builds an infrastructure that contains effective, usable, and consistently applied processes.
• The organizational culture conveys the process.
• Management nurtures the culture.
• Culture is conveyed through role models and recognition.
• Institutionalized processes endure after the people who originally defined them have gone.


Page 317: RP_IT Consulting and Audit_121116_17_v1.0

Benefits of Improving Processes

• Processes enable you to understand what is going on.

• People develop their potential more fully and are more effective within the organization.

• By defining, measuring, and controlling the process, improvements are more successful and sustained.

• The likelihood that appropriate technology, techniques, and tools are introduced successfully increases.


Page 318: RP_IT Consulting and Audit_121116_17_v1.0

Benefits in Terms of Predictability


Page 319: RP_IT Consulting and Audit_121116_17_v1.0

Early Process Improvement

• The theories of process management are a synthesis of the concepts of Deming, Crosby, Juran, and others.

• Over the past decades, these theories have been used to address problems common to many organizations.

• Solutions to some problems have been developed.

• Many of these solutions have been used to build process improvement models.


Page 320: RP_IT Consulting and Audit_121116_17_v1.0

What Is a Process Model?

• A process model is a structured collection of practices that describes the characteristics of effective processes.

• Practices included are those proven by experience to be effective.


Page 321: RP_IT Consulting and Audit_121116_17_v1.0

How Is a Process Model Used?

A process model is used

• to help set process improvement objectives and priorities
• to help ensure stable, capable, and mature processes
• as a guide for improving project and organizational processes
• with an appraisal method to diagnose the state of an organization’s current practices


Page 322: RP_IT Consulting and Audit_121116_17_v1.0

Why Is a Process Model Important?

A process model provides

• a place to start improving
• the benefit of a community’s prior experiences
• a common language and a shared vision
• a framework for prioritizing actions
• a way to define what improvement means for an organization


Page 323: RP_IT Consulting and Audit_121116_17_v1.0

CMMI for Process Improvement

Use CMMI in process improvement activities as a

• collection of best practices
• framework for organizing and prioritizing activities
• support for the coordination of multi-disciplined activities that might be required to successfully build a product
• means to emphasize the alignment of the process improvement objectives with organizational business objectives

CMMI incorporates lessons learned from use of the SW-CMM®, EIA-731, and other standards and models.


Page 324: RP_IT Consulting and Audit_121116_17_v1.0

THE CMMI PRODUCT SUITE


Page 325: RP_IT Consulting and Audit_121116_17_v1.0

The CMMI Framework

• The CMMI Framework is the structure that organizes the components used in generating models, training materials, and appraisal methods.
• The CMMI Product Suite is the full collection of models, training materials, and appraisal methods generated from the CMMI Framework.
• A constellation is the subset of the CMMI Product Suite relevant to improvement in a particular area of interest. Currently, there are several constellations:
– Development
– Acquisition
– Services


Page 326: RP_IT Consulting and Audit_121116_17_v1.0

Development Constellation Models


Page 327: RP_IT Consulting and Audit_121116_17_v1.0

CMMI Model Representations

• There are two representations in CMMI models:
– staged
– continuous
• The two representations will be presented in a later module.


Page 328: RP_IT Consulting and Audit_121116_17_v1.0

Note

• A CMMI model is not a process.
• A CMMI model describes the characteristics of effective processes.

“All models are wrong, but some are useful.” George Box (Quality and Statistics Engineer)


Page 329: RP_IT Consulting and Audit_121116_17_v1.0

The Appraisal Method


Page 330: RP_IT Consulting and Audit_121116_17_v1.0

Appraisal Method Classes


Page 331: RP_IT Consulting and Audit_121116_17_v1.0

The SEI Training for CMMI


Page 332: RP_IT Consulting and Audit_121116_17_v1.0

BUSINESS BENEFITS OF CMMI


Page 333: RP_IT Consulting and Audit_121116_17_v1.0

Benefits Information

Information about CMMI benefits is available in the August 2006 SEI technical report, Performance Results of CMMI-Based Process Improvement (CMU/SEI-2006-TR-004).

• This report is based on public reports, interviews, supplementary materials, and comprehensive literature review.
• It is available on the SEI Web site at http://www.sei.cmu.edu/publications/documents/06.reports/06tr004.html.
• The following seven slides are adapted from this technical report.
• For more information, see the CMMI Performance Results Web site at http://www.sei.cmu.edu/cmmi/results.html.


Page 334: RP_IT Consulting and Audit_121116_17_v1.0

Impacts: Costs and Benefits of CMMI


Page 335: RP_IT Consulting and Audit_121116_17_v1.0

Costs May Vary

The cost of CMMI adoption is highly variable depending on many factors, including organizational

• goals
• size
• culture
• structure
• processes

Regardless of the investment, organizations generally experience a respectable return on their investment.


Page 336: RP_IT Consulting and Audit_121116_17_v1.0

Performance Measures - CMMI

• The performance results in the following table are from 30 different organizations that achieved percentage change in one or more of the six categories of performance measures below.


Page 337: RP_IT Consulting and Audit_121116_17_v1.0

Example Benefit - 1

• The organization 3H Technology, with a little over 2 years of CMMI-based process improvement, showed significant improvement in average number of defects found.


Page 338: RP_IT Consulting and Audit_121116_17_v1.0

Example Benefit - 2

• Motorola Global Software Group Russia, a maturity level 5 organization, improved the cost of quality while holding the cost of poor quality steady.


Page 339: RP_IT Consulting and Audit_121116_17_v1.0

Example Benefit - 3

• The Software Maintenance Group at Warner Robins Air Logistics Center, a maturity level 5 organization, significantly reduced schedule variance.


Page 340: RP_IT Consulting and Audit_121116_17_v1.0

CMMI Can Benefit You

CMMI provides

• guidance for efficient, effective improvement across multiple process disciplines in an organization
• improvements to best practices incorporated from the earlier models
• a common, integrated vision of improvement for all elements of an organization


Page 341: RP_IT Consulting and Audit_121116_17_v1.0

The Bottom Line - 1

• Process improvement should be done to help the business—not for its own sake.

“In God we trust, all others bring data.” W. Edwards Deming


Page 342: RP_IT Consulting and Audit_121116_17_v1.0

The Bottom Line - 2

Improvement means different things to different organizations:

• What are your business goals?
• How do you measure progress?

Improvement is a long-term, strategic effort:

• What is the expected impact on the bottom line?
• How will impact be measured?


Page 343: RP_IT Consulting and Audit_121116_17_v1.0

OVERVIEW OF CMMI MODEL COMPONENTS


Page 344: RP_IT Consulting and Audit_121116_17_v1.0

CMMI for Development Model Document Contents


Page 345: RP_IT Consulting and Audit_121116_17_v1.0

Process Areas (PAs) - 1

The 22 process areas (in alphabetical order by acronym) are

• Causal Analysis and Resolution (CAR)
• Configuration Management (CM)
• Decision Analysis and Resolution (DAR)
• Integrated Project Management +IPPD (IPM+IPPD)
• Measurement and Analysis (MA)
• Organizational Innovation and Deployment (OID)
• Organizational Process Definition +IPPD (OPD+IPPD)
• Organizational Process Focus (OPF)
• Organizational Process Performance (OPP)
• Organizational Training (OT)

Process Areas (PAs) -2

• Product Integration (PI)
• Project Monitoring and Control (PMC)
• Project Planning (PP)
• Process and Product Quality Assurance (PPQA)
• Quantitative Project Management (QPM)
• Requirements Development (RD)
• Requirements Management (REQM)
• Risk Management (RSKM)
• Supplier Agreement Management (SAM)
• Technical Solution (TS)
• Validation (VAL)
• Verification (VER)

Continuous Representation: PAs by Category

Staged Representation: PAs by Maturity Level

PROCESS AREA COMPONENTS

Process Area Components We Will Be Discussing

Process and Process Area

Process – a sequence of steps performed for a given purpose (IEEE)
• It is how you perform your work.

CMMI Definition of a Process – activities that can be recognized as implementations of practices in a CMMI model. These activities can be mapped to one or more practices in CMMI process areas to allow a model to be useful for process improvement and process appraisal. (Glossary)

Process Area

Cluster of related practices in an area that, when implemented collectively, satisfy a set of goals considered important for making improvement in that area.

All CMMI process areas are common to both continuous and staged representations. They are organized by
• maturity level in the staged representation
• process area category (i.e., Process Management, Project Management, Support, and Engineering) in the continuous representation.

There are 22 process areas.

Process Area Contents

All process areas contain the following:
• Purpose
• Introductory Notes
• Related Process Areas
• Specific Goal and Practice Summary
• Specific Practices by Goal
  – Specific Goals and Specific Practices
• Generic Practices by Goal
  – Generic Goals and Generic Practices

Process Area Components -1

Purpose

Describes the purpose of the process area.

Project Planning example
Purpose
The purpose of Project Planning (PP) is to establish and maintain plans that define project activities.

Introductory Notes

This section describes the major concepts covered in the process area.

Project Planning example
Planning begins with requirements that define the product and project.

Related Process Areas

This section lists references to related process areas and reflects the high-level relationships among the process areas.

Project Planning example
Refer to the Risk Management process area for more information about identifying and managing risks.

Specific Goal and Practice Summary

The titles of the specific goals and specific practices for that process area are summarized at the beginning of each process area.

Project Planning example
SG 1 Establish Estimates
  SP 1.1 Estimate the Scope of the Project
  SP 1.2 Establish Estimates of Work Product and Task Attributes
  SP 1.3 Define Project Lifecycle
  SP 1.4 Determine Estimates of Effort and Cost

Process Area Components -2

Specific Goals (SGs)

A specific goal applies to a process area and describes some of the unique characteristics that must be present to satisfy the process area.

Project Planning example
SG 1: Estimates of project planning parameters are established and maintained.

Specific goals are numbered starting with the prefix SG (e.g., SG 1). The number is only there to uniquely identify the goal.

Specific Practices (SPs)

Specific practices describe the activities expected to result in achievement of the specific goals of a process area.

Project Planning example
SP 1.4: Estimate the project effort and cost for the work products and tasks based on estimation rationale.

Specific practices are of the form SP x.y, where
x is the same number as the goal to which the specific practice maps, and
y is the sequence number of the specific practice under the specific goal.

Typical Work Products

This section lists sample output from a specific practice. Typical work products are samples of specific practices’ outputs and are not a complete list.

For example, project cost estimates might be a typical work product for the Project Planning specific practice SP 1.4, “Estimate the project effort and cost for the work products and tasks based on estimation rationale.”

Subpractices

Subpractices are detailed descriptions that provide guidance for interpreting and implementing a specific or generic practice.

The following is an example of a subpractice from the “Identify and analyze project risks” specific practice (SP 2.2) in the Project Planning process area:
3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of the documented risks.

Process Area Components -3

Generic Goals (GGs) -1

Generic goals describe the characteristics that must be present to institutionalize the processes that implement a process area.

Achievement of a generic goal in a process area signifies improved control in planning and implementing the processes associated with that process area.

Generic goals are called generic because the same goal statement appears in multiple process areas.

Project Planning example
The process is institutionalized as a defined process.

Generic Goals (GGs) -2

Generic goals are numbered starting with the prefix GG (e.g., GG 2). The number corresponds to the capability level of the GG.

Note: We will talk more about generic goals in Module 4.

Generic Practices (GPs)

Generic practices are activities that ensure that the processes associated with the process area will be effective, repeatable, and lasting.

Generic practices are called generic because the same practice appears in multiple process areas.

Project Planning example
GP 2.5: Train the people performing or supporting the project planning process as needed.

Generic practices are of the form GP x.y, where
x corresponds to the number of the generic goal, and
y corresponds to the sequence number of the generic practice.

Generic Practice Elaborations

Generic practice elaborations appear after the generic practice to provide guidance on how the generic practice may be applied in the context of a process area.

Project Planning process area example
GP 2.9: Objectively Evaluate Adherence
Examples of activities reviewed include the following:
• Establishing estimates
• Developing a project plan
• Obtaining commitment to the project plan

SUPPORTING INFORMATIVE COMPONENTS

Supporting Informative Components

There are many places in CMMI models where further information is provided. This further information is provided in the form of the following components:
• Examples
• Amplifications
• References
• Notes

Examples

An example is a component comprising text and often a list of items, usually in a box, that can accompany any other component and provides one or more examples to clarify a concept or described activity.

Project Planning SP 1.2 example
Examples of size measures include the following:
• Number of functions
• Function points
• Source lines of code
• Number of pages

Amplifications -1

Amplifications are informative material relevant to a particular discipline.

Certain disciplines found in some organizations are explicitly identified in the models. Those disciplines are
• Systems Engineering (SE)
• Software Engineering (SW)
• Hardware Engineering (HW)

Amplifications -2

The Amplification example for Project Planning SP 2.7

For Hardware Engineering
For hardware, the planning document is often referred to as a hardware development plan. Development activities in preparation for production may be included in the hardware development plan or defined in a separate production plan.

References

References are pointers to additional or more detailed information in related process areas and can accompany nearly any other model component.

Project Planning SP 2.2 example
Refer to the Risk Management process area for more information about risk management activities.

Notes

A note is text that can accompany nearly any other model component. It may provide detail, background, or rationale. A note is an informative model component.

The example below shows a note that accompanies specific practice 1.3 in the Project Planning process area.

Project Planning SP 1.3 example
The determination of a project’s lifecycle phases provides for planned periods of evaluation and decision making. . . .

REQUIRED, EXPECTED, AND INFORMATIVE MODEL COMPONENTS

Required, Expected, and Informative Model Components

Process area components are grouped into three categories:
• required
• expected
• informative

These categories reflect how to interpret the process area components.

Required Components

Required components describe what an organization must achieve to satisfy a process area. This achievement must be visibly implemented in an organization’s processes.

Goal satisfaction is used in appraisals as the basis for deciding whether a process area has been achieved and satisfied.

• Specific goals and generic goals are the required components in CMMI models.

Expected Components

Expected components describe what an organization will typically implement to achieve a required component.

Expected components guide
• those who implement improvements
• those who perform appraisals

Specific practices and generic practices are the expected components in CMMI models.

Before goals can be considered satisfied, either the practices as described or acceptable alternatives to them must be present in the planned and implemented processes of the organization.

Informative Components

Informative components provide details that help organizations get started in thinking about how to approach the required and expected components.

Examples of informative components include
• subpractices
• typical work products
• amplifications
• generic practice elaborations
• goal and practice titles
• goal and practice notes
• references

Summary of CMMI Model Components

Reviewing Process Area Components

Additions

Additions can be a note, a reference, an example, a specific practice, a specific goal, or a process area. The model components that are additions extend the scope of a model or emphasize a particular aspect of its use. In the CMMI for Development model, there is one group of additions, all of which apply to IPPD.

An addition example for Project Planning SP 3.1
IPPD Addition
When integrated teams are formed, their integrated work plans are among the plans to review.

Glossary

The CMMI glossary defines the basic terms used in CMMI models. It was designed to document the meaning of words and terms that should have the widest use and understanding by users of CMMI products.

Definitions of terms were selected based on recognized sources that have a widespread readership (e.g., ISO, CMMI source models, IEEE).

Glossary term example
Establish and maintain . . . This phrase means more than a combination of its component terms; it includes documentation and usage. . . .

Typographical Conventions

Some components of the process areas are labeled Staged Only or Continuous Only.
Components that are not marked apply to both representations.
Components marked Staged Only apply only if you are using the staged representation.
Components marked Continuous Only apply only if you are using the continuous representation.

These restrictions appear in the Generic Practices by Goal section of every process area.

MODEL REPRESENTATIONS

CMMI Model Representations

There are two types of representations in CMMI models:
• staged
• continuous

A representation in CMMI is analogous to a view into a data set provided by a database.

Both representations provide ways of implementing process improvement to achieve business goals. Both representations provide essentially the same content and use the same model components but are organized in different ways.

CMMI Model Structure

Process Area Organization in the Two Representations

In the continuous representation, process areas are organized by process area category:
• Process Management
• Project Management
• Engineering
• Support

In the staged representation, process areas are organized by maturity level.

Continuous Representation: PAs by Category

Staged Representation: PAs by Maturity Level

UNDERSTANDING LEVELS

Understanding Levels -1

Levels are used in CMMI to describe an evolutionary path for an organization that wants to improve the processes it uses to develop and maintain its products and services.

CMMI supports two improvement paths:
• continuous - enabling an organization to incrementally improve processes corresponding to an individual process area (or set of process areas) selected by the organization
• staged - enabling the organization to improve a set of related processes by incrementally addressing successive predefined sets of process areas

Understanding Levels -2

These two improvement paths are associated with two types of levels that correspond to the two representations, staged and continuous.

For the continuous representation, we use the term capability level or process area capability.
For the staged representation, we use the term maturity level or organizational maturity.

Understanding Levels -3

Regardless of the representation you select, the concept of levels is the same.

Levels characterize improvement from an ill-defined state to a state that uses quantitative information to determine and manage improvements that are needed to meet an organization’s business objectives.

To reach a particular level, an organization must satisfy all of the appropriate goals of the process area or set of process areas that are targeted for improvement, regardless of whether the level is a maturity or a capability level.

Capability Levels -1

A capability level consists of a generic goal and its related generic practices that can improve the organization’s processes associated with a process area.

Capability levels provide a scale for measuring your processes against each process area in a CMMI model.

There are six capability levels. Each level is a layer in the foundation for continuous process improvement.

Capability levels are cumulative (i.e., a higher capability level includes the practices of the lower levels).

Capability Levels -2

Representing Process Area Capability

Capability Levels Are Cumulative

Maturity Levels -1

The maturity levels are
1: Initial
2: Managed
3: Defined
4: Quantitatively Managed
5: Optimizing

Maturity Levels -2

Maturity Levels Should Not Be Skipped

• Each maturity level provides a necessary foundation for effective implementation of processes at the next level:
  – Higher level processes have a greater chance of success with the discipline provided by lower levels.
  – The effect of higher maturity innovations is more easily measurable.

• Higher maturity level processes may be performed by organizations at lower maturity levels, with the risk of not being consistently applied in a crisis.

Comparing Capability and Maturity Levels

PROCESS INSTITUTIONALIZATION

Process Institutionalization

Institutionalization means that the process is ingrained in the way the work is performed: “That’s the way we do things around here.”

The organization builds an infrastructure that contains effective, usable, and consistently applied processes.

The organizational culture conveys the process. Management nurtures the culture. Culture is conveyed through role models and recognition.

Institutionalized processes endure after the people who originally defined them have gone.

Generic Goals and Generic Practices: Building Blocks

• Generic goals and generic practices contribute to process institutionalization.

• The generic goals and generic practices are the model components that provide for commitment and consistency throughout an organization’s processes and activities.

Generic Goals and Institutionalization

Generic Goals Evolve

Each generic goal provides the foundation for the next. Therefore, the following conclusions can be made:
• A managed process includes and builds on a performed process.
• A defined process includes and builds on a managed process.
• A quantitatively managed process includes and builds on a defined process.
• An optimizing process includes and builds on a quantitatively managed process.

GG 1: Performed Process

GG 1: Achieve Specific Goals
The process supports and enables achievement of the specific goals of the process area by transforming identifiable input work products to produce identifiable output work products.
• A performed process accomplishes the work necessary to produce work products.
• All specific goals of the process area are satisfied.
• Essential activities are performed and the work is accomplished.
• The definition, planning, monitoring, and controlling of the process may be incomplete.
• The process may be unstable and inconsistently implemented.

GG 1 Generic Practices

GP 1.1: Perform Specific Practices
Perform the specific practices of the process area to develop work products and provide services to achieve the specific goals of the process area.

GG 2: Managed Process

GG 2: Institutionalize a Managed Process
The process is institutionalized as a managed process.
• A managed process is a performed process that is planned and executed in accordance with policy; employs skilled people having adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.
• Management of the process is concerned with institutionalization and the achievement of specific objectives established for the process, such as cost, schedule, and quality objectives.

GG 2 Generic Practices -1

The generic practices for managed processes are the same for all process areas.

GP 2.1: Establish an Organizational Policy
Establish and maintain an organizational policy for planning and performing the <x> process.

GP 2.2: Plan the Process
Establish and maintain the plan for performing the <x> process.

<x> represents the name of a process area (e.g., Requirements Management).

GG 2 Generic Practices -2

GP 2.3: Provide Resources
Provide adequate resources for performing the <x> process, developing the work products, and providing the services of the process.

GP 2.4: Assign Responsibility
Assign responsibility and authority for performing the process, developing the work products, and providing the services of the <x> process.

GP 2.5: Train People
Train the people performing or supporting the <x> process as needed.

GG 2 Generic Practices -3

GP 2.6: Manage Configurations
Place designated work products of the <x> process under appropriate levels of control.

GP 2.7: Identify and Involve Relevant Stakeholders
Identify and involve the relevant stakeholders of the <x> process as planned.

GP 2.8: Monitor and Control the Process
Monitor and control the <x> process against the plan for performing the process and take appropriate corrective action.

GG 2 Generic Practices -4

GP 2.9: Objectively Evaluate Adherence
Objectively evaluate adherence of the <x> process against its process description, standards, and procedures, and address noncompliance.

GP 2.10: Review Status with Higher Level Management
Review the activities, status, and results of the <x> process with higher level management and resolve issues.

GG 3: Defined Process

GG 3: Institutionalize a Defined Process
The process is institutionalized as a defined process.
• A defined process is a managed process that is tailored from the organization’s set of standard processes according to the organization’s tailoring guidelines.
• A defined process has a maintained process description.
• A defined process contributes work products, measures, and other process improvement information to the organizational process assets.
• The organization’s set of standard processes is established and improved over time.

GG 3 Generic Practices

The generic practices for defined processes are the same for all process areas.

GP 3.1: Establish a Defined Process
Establish and maintain the description of a defined <x> process.

GP 3.2: Collect Improvement Information
Collect work products, measures, measurement results, and improvement information derived from planning and performing the <x> process to support the future use and improvement of the organization’s processes and process assets.

GG 4: Quantitatively Managed Process

GG 4: Institutionalize a Quantitatively Managed Process
The process is institutionalized as a quantitatively managed process.
• A quantitatively managed process is a defined process that is controlled using statistical and other quantitative techniques.
• Quantitative objectives for product quality, service quality, and process performance are established and used as criteria in managing the process.
• People performing the process are directly involved in quantitatively managing the process.
• Statistical predictability is achieved.

GG 4 Generic Practices

The generic practices for quantitatively managed processes are the same for all process areas.

GP 4.1: Establish Quantitative Objectives for the Process
Establish and maintain quantitative objectives for the <x> process that address quality and process performance based on customer needs and business objectives.

GP 4.2: Stabilize Subprocess Performance
Stabilize the performance of one or more subprocesses to determine the ability of the <x> process to achieve the established quantitative quality and process-performance objectives.

GG 5: Optimizing Process

GG 5: Institutionalize an Optimizing Process
The process is institutionalized as an optimizing process.
• An optimizing process is a quantitatively managed process that is improved based on an understanding of the common causes of variation inherent in the process.
• The focus is on continually improving the range of process performance through both incremental and innovative technological improvements.
• Quantitative process improvement objectives are established.
• Process improvement is inherently part of everybody’s role, resulting in cycles of continual improvement.

GG 5 Generic Practices

The generic practices for optimizing processes are the same for all process areas.

GP 5.1: Ensure Continuous Process Improvement
Ensure continuous improvement of the <x> process in fulfilling the relevant business objectives of the organization.

GP 5.2: Correct Root Causes of Problems
Identify and correct the root causes of defects and other problems in the <x> process.

Critical Distinctions Among Processes

Summarizing Generic Goals and Practices

Achieving Capability Levels (CLs) for a Process Area

Requirements Management (REQM) - Capability Levels 1 & 2

REQM - Capability Level 3

REQM - Capability Levels 4 & 5

Achieving Maturity Levels

To achieve a maturity level
• All process areas at that level and all levels below it must be satisfied or determined to be not applicable.

And to achieve maturity level 3 or higher
• The generic goal 3 for each applicable maturity level 2 PA must also be rated satisfied for maturity level 3 or higher.

Note: A process area is satisfied if and only if all of the process area’s relevant specific and generic goals are rated as satisfied.

Achieving Maturity Levels (ML)

REQM - Maturity Levels 1 & 2

REQM - Maturity Level 3

REQM - Maturity Levels 4 & 5

Applying Generic Practices

All process areas have generic practices that apply to them.
• Generic practices ensure sustainability of the specific practices in the processes over time.
• For example, GP 2.2, “Establish and maintain the plan for performing the project planning process,” when applied to Project Planning, ensures that you planned the activities for creating the plan for the project.

SIX SIGMA

Automation and continuous improvement
(Deming Cycle – ISO IEC 17799:2005)

[Figure: improvement cycle with four steps: Automate, Improve, Organize, Measure]

Source: The Innovation Group

What is Six Sigma: Some of the most common definitions (1/3)

• Quality standard equal to the generation of a number of defects lower than 3.4 per million in performing production or service delivery operations. (Online Learning Center - McGraw Hill)

• A tool that makes it possible to significantly improve customer satisfaction and shareholder value by reducing inefficiencies in business activities. Through a structured approach, Six Sigma supports a better understanding of customer needs and the design and/or modification of processes and products in order to make them more consistent with customers' expectations. (The quality portal)

What is Six Sigma: Some of the most common definitions (2/3)

• Movement, methodology and set of techniques focused on improving business processes and based on the use of statistical concepts for performance measurement. (Business Process Trends)

• Structured quality program for the limitation of defects within the value of 6 standard deviations from the mean. One of the major aspects on which Six Sigma focuses is the reduction of process variation. (Overall Equipment Effectiveness - OEE)

What is Six Sigma: Some of the most common definitions (3/3)

• A process improvement methodology based on statistical concepts, aimed at reducing defects to a rate of 3.4 per million through the identification and elimination of the causes that result in business process variation. To properly define the concept of defect, Six Sigma focuses on the development of a clear understanding of customer requirements. (Mekong Capital)

• A rigorous and systematic methodology based on the use of data and statistical analysis, aimed at measuring and improving the company's operational performance by identifying and eliminating "defects" in the processes of production or service provision. (iSixSigma)

Page 439: RP_IT Consulting and Audit_121116_17_v1.0

The impact of quality on the company’s income statement

• In the case of a 10% rejection rate on finished products, in order to sell 1,000 products (at $1,000/unit) the company must produce 1,111 units.

• With the same volume sold (1,000), eliminating manufacturing defects would cut operating costs by 10%, which translates into a 120% increase in profit.

• To achieve the same profit, a company operating at 10% defects would have to increase revenues by 15%.

• Working with higher quality means reaching the breakeven point (revenues = costs) earlier, and therefore offers better protection against recessions and contractions in demand.

• Higher quality usually has further positive effects both on costs (e.g., lower warranty costs) and on revenues (e.g., higher sales due to improved standing in the market).

• The cost of quality (COPQ*) has a direct effect on the company's overall profit and on its economic stability.

• The economic benefits resulting from the reduction of defects and of COPQ can be obtained both in manufacturing and in service companies.

Income statement [$]        10% process defects    0% process defects
Revenues                    1,000,000              1,000,000
Variable costs                600,000                540,054
Contribution margin           400,000                459,946
Fixed costs                   350,000                350,000
Profit                         50,000                109,946

[Chart: Profit [$K] versus Revenues [$K] for a process with 0% defects and one with 10% defects; x-axis marks at 500, 1000 and 1149 $K; y-axis from -400 to +100 $K; label: Revenue variation]

Source: The Innovation Group

Complexity and Performance

Although each process, observed on its own, may show an acceptable quality level (for example, 99% of cases meet requirements), when several processes are integrated to produce a product or a service for the end customer, the overall performance of the chain turns out to be much lower.

Number of operations or components    Overall yield (*)
1                                      99.00%
50                                     60.50%
100                                    36.60%
200                                    13.40%
500                                     0.66%
1000                                    0.00%

[Diagram: Supplier → Input → Process 1 (O1; R1 = 99%) → Process 2 (O2; R2 = 99%) → … → Process i (Oi; Ri = 99%) → Process j (Oj; Rj = 99%) → … → Process n (On; Rn) → Customer]

• The yield of process n (Rn) depends on the number and on the yield of the other processes: Rn << 99%.

• A 99% yield on the individual operations cannot guarantee quality for very complex products or services, because the overall yield degrades quickly.

(*) assuming a yield of 99% for each individual operation or component. Source: The Innovation Group

The statistical principle on which Six Sigma is based

Basic principles

• The term Six Sigma derives from the probability theory developed by Gauss to describe the behaviour of certain random phenomena (normally distributed phenomena).

• Sigma (σ) is the standard deviation of the random variable X with respect to its mean value X.

• For a normal distribution, the probability that an observation of the variable falls within the interval (X ± σ) is 31%, while the probability that it falls within the interval (X ± 6σ) is 99.9997%.

• The central limit theorem shows that, under suitable conditions, a random variable tends to a normal distribution as the number of observations grows, which makes this theory widely applicable.

• As a general rule, the narrower the bell curve, the lower the variability with respect to the mean value X.

[Chart: normal (Gaussian) distribution, x-axis from -6σ to +6σ around the mean X]

Sigma level    Probability that the observation falls within the interval (*)
1              31%
2              69.2%
3              93.32%
4              99.379%
5              99.977%
6              99.9997%

(*) X ± sigma level. Source: The Innovation Group

The statistical concept and quality levels (1/2)

Statistical analysis can be applied to any business process:

• Working in "Six Sigma" conditions means producing outputs that fall within the customer's tolerances (Lower and Upper Specification Limits) 99.9997% of the time, i.e. staying within a maximum of 3.4 defects per million.

[Chart: from a 3σ process to a 6σ process; within the same range of acceptability (LSL-USL) the distribution narrows and the probability of defect shrinks]

As the number of sigmas that fit within the process tolerance grows, the probability of obtaining defects or errors decreases.

Sigma level    Defects per million opportunities    Yield
1              690,000                              31%
2              308,537                              69.2%
3              66,807                               93.32%
4              6,210                                99.379%
5              233                                  99.977%
6              3.4                                  99.9997%

Source: The Innovation Group

The statistical concept and quality levels (2/2)

Using Six Sigma ensures a high overall process performance even in particularly complex systems.

Number of operations or components    Overall yield at 99%    Overall yield at 6σ    Improvement (99% to 6σ)
1                                      99.0000%                99.9997%               ~ 1%
50                                     60.5006%                99.9850%               ~ 65%
100                                    36.6032%                99.9700%               ~ 173%
200                                    13.3980%                99.9400%               ~ 646%
500                                     0.6570%                99.8501%               > 15,000%
1000                                    0.0043%                99.7004%               > 2 million %

(rows in order of increasing complexity)

Source: The Innovation Group

Value created by Six Sigma: the customer's value line

[Chart: COPQ (1) and profit per sigma level versus quality (sigma level 2 to 6); COPQ falls through about 25%, 15% and 5%; labels: Profits per single sigma, Cost and value of quality]

• The cost of quality (COPQ) decreases significantly as the number of sigmas per process increases, making it possible to achieve greater profits.

• Analyses conducted in manufacturing contexts show that operating at a six sigma level reduces the COPQ to 1% of revenues.

Sigma level    Defects per million opportunities    COPQ (1)
3              66,807                               25-40%
4              6,210                                15-25%
5              233                                  5-15%
6              3.4                                  < 1%

(1) COPQ: cost of poor quality as a % of revenues in manufacturing contexts. Source: Chiarini & Associati

Source: The Innovation Group

Evolution in the performance measurement systems

• The various quality systems evolve over time, changing the focus with which they tackle the challenge of improving business process performance.

[Chart: effectiveness (50%, 75%, 100%) versus time (Middle Ages, 1920, 1960, 1980, 1990), with the rate of improvement of successive approaches: in-line inspection, quality control, in-process controls, in-process statistical controls, Design for Manufacturing (DFM), system approaches (e.g. ISO 9000, TQM, …), 6σ Process Management]

Source : The Innovation Group

Six Sigma basic principles

• Continuous focus on customer requirements (concentrate on VOC, the voice of the customer).

• Use of quantitative data and statistical techniques to identify and measure process variations, in both production and business processes, with respect to expected values.

• Identification of the primary causes of the problems encountered.

• Emphasis on process improvement in order to reduce defects and improve customer satisfaction.

• Management's proactive contribution to problem prevention, continuous improvement and the constant pursuit of perfection.

• Cross-functional business collaboration.

• Definition of ambitious improvement targets.

The Lean Six Sigma model: evolution towards the service economy

• The merger of the underlying principles of both methods was designed to meet the needs of companies that provide services and operate in a market where customers expect high quality, speed of delivery and reduced prices.

• The result is a model that combines the basic principles of cycle-time reduction, from Lean production, with the reduction of variation, from the Six Sigma method.

[Diagram: Lean Principles (speed, process flow) and Six Sigma Principles (quality, defects and variance) combine into Lean Six Sigma, aimed at customer satisfaction and process improvement; transversal principles: data and facts, team-work]

Source: The Innovation Group

The Lean Six Sigma model: main characteristics

• Greater market competitiveness.

• Increased Return on Invested Capital (profit after tax / invested capital) through potential interventions on processes that determine up to 50% cost savings, positively impacting profits.

• Customer satisfaction improvement, bearing in mind the relationship between quality, speed and low prices.

• Elimination of losses/delays and of the costs of non-value-added work.

• Quantification and elimination of the costs deriving from complexity.

• Identification of quick improvement actions.

• Evaluations based on the measurement of results and processes (customer satisfaction, financial results, speed/lead time, quality/process defects).

From Lean Manufacturing:
– Cycle time reduction
– Non-value-added work analysis
– Quick improvement actions (e.g. Kaizen)
– Process flow analysis (every step)
– Identification and measurement of waste
– Use of speed measurement tools

From Six Sigma:
– Variance reduction
– Process governance by means of statistical control
– Creation of a culture and of a supporting organizational structure
– Focus on customer and supplier needs
– Use of problem-solving tools
– Quality improvement
– Introduction of the project sponsorship concept

Lean Six Sigma: direct relationship between quality and speed

Source: The Innovation Group

The Lean Six Sigma model: the rules

• To answer these needs, 5 main rules were defined as the basis of the model:

Rule 1: the market
Customer needs define quality and are the top priority for improving the company's competitiveness in the market.

Rule 2: flexibility
The speed of each process is proportional to that process' flexibility.

Rule 3: the focus
20% of the activities in a process cause 80% of the delays; it is necessary to focus on the activities that generate the highest number of inefficiencies.

Rule 4: speed
The speed of each process is inversely proportional to the amount of work-in-process (WIP).

Rule 5: complexity and costs
The complexity of the service or product offered generally increases the costs of non-value-added work, of poor quality (low sigma or lean) and of WIP.

Source: The Innovation Group

The Lean Six Sigma: conclusions

• Combining the basic concepts of Data, Customers and Quality (Six Sigma) with the concepts of flow analysis, value-added work and cost reduction (Lean), Lean Six Sigma aims at creating high delivery quality, cost reduction and greater competitiveness.

Overall yield of a chain of activities, by sigma level of each activity (horizontal axis: Six Sigma, quality improvement of value-added activities; vertical axis: Lean, reduction of non-value-added activities)

# of activities    ±3σ        ±4σ        ±5σ        ±6σ
1                  93.32%     99.379%    99.9767%   99.99966%
7                  61.63%     95.733%    99.839%    99.9976%
10                 50.08%     93.96%     99.768%    99.9966%
20                 25.08%     88.29%     99.535%    99.9932%
40                  6.29%     77.94%     99.074%    99.9864%

Source: Six Sigma Research Institute – Motorola University

Lean Six Sigma simultaneously governs quality, speed, and cost
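Added example (not part of the original deck or of The Innovation Group's material): the arithmetic behind the sigma-level tables, the "Complexity and Performance" yield table and the Lean Six Sigma conclusions table above. It derives the DPMO and yield figures from the standard normal CDF with the conventional 1.5σ long-term shift (an assumption of this example; the slides state the numbers but not the shift), obtains the overall yield of a chain as the product of the per-step yields, and also computes the unshifted X ± kσ probability so the reader can see which quantity the tables actually report.

```python
"""Six Sigma yield arithmetic: reproduces the tables in this deck."""
import math


def normal_cdf(z: float) -> float:
    """Standard normal CDF Phi(z), via erfc so no SciPy is needed."""
    return 0.5 * math.erfc(-z / math.sqrt(2.0))


def dpmo(sigma_level: float, shift: float = 1.5) -> float:
    """Defects per million opportunities for a process whose nearest
    specification limit is `sigma_level` standard deviations from the
    target, after the conventional 1.5 sigma long-term mean shift
    (assumed here). Only the near tail is counted, as in the published
    Six Sigma tables: 6 sigma -> Phi(-4.5) -> 3.4 DPMO."""
    return 1e6 * normal_cdf(shift - sigma_level)


def process_yield(sigma_level: float, shift: float = 1.5) -> float:
    """Fraction of defect-free outputs at a given (shifted) sigma level."""
    return 1.0 - dpmo(sigma_level, shift) / 1e6


def within_interval_unshifted(k: float) -> float:
    """Textbook probability that a normal observation lies in X +/- k*sigma
    with no shift (68.27% for k = 1). Compared with the deck's 31% for
    1 sigma, it shows the slides report the shifted yield, not this."""
    return normal_cdf(k) - normal_cdf(-k)


def rolled_throughput_yield(step_yield: float, n_steps: int) -> float:
    """Overall yield of n sequential steps, each passing `step_yield` of
    its inputs: the product of the individual yields (R1 * R2 * ... * Rn)."""
    return step_yield ** n_steps


def sigma_table():
    """Rebuilds the 'sigma level / DPMO / yield' table for levels 1..6."""
    return [(k, dpmo(k), process_yield(k)) for k in range(1, 7)]


def complexity_table(steps=(1, 50, 100, 200, 500, 1000), step_yield=0.99):
    """Overall yield versus number of operations at a fixed per-step yield
    (the deck's 'Complexity and Performance' table uses 99%)."""
    return [(n, rolled_throughput_yield(step_yield, n)) for n in steps]


def lean_six_sigma_table(activities=(1, 7, 10, 20, 40), levels=(3, 4, 5, 6)):
    """Overall yield of a chain of activities, each run at 3..6 sigma
    (the Motorola University table on the conclusions slide)."""
    return {n: {k: rolled_throughput_yield(process_yield(k), n) for k in levels}
            for n in activities}


if __name__ == "__main__":
    for k, d, y in sigma_table():
        print(f"{k} sigma: {d:>10.1f} DPMO  yield {y * 100:.4f}%  "
              f"(unshifted X±{k}σ: {within_interval_unshifted(k) * 100:.5f}%)")
    for n, y in complexity_table():
        print(f"{n:>5} operations at 99% each: overall yield {y * 100:.4f}%")
    for n, row in lean_six_sigma_table().items():
        print(f"{n:>3} activities: " +
              "  ".join(f"{k}σ={row[k] * 100:.4f}%" for k in sorted(row)))
```

The 1-sigma entry comes out as 691,462 DPMO (the slide rounds it to 690,000); every other figure matches the tables to the precision shown.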

AUDIT, IS AUDIT, IT AUDIT

Agenda

• Audit, IS audit, IT audit
• IT Roles and Responsibilities
• Risk and compliance
  – A Privacy Audit
• Toolkits:
  – COBIT
  – ISO 2700x
  – ISO 38500
  – Six Sigma
• COBIT 5

Audit

• Audit: Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met

• Audit accountability: Performance measurement of service delivery including cost, timeliness and quality against agreed service levels

• Audit authority: A statement of the position within the enterprise, including lines of reporting and the rights of access

• Audit charter: A document approved by the board that defines the purpose, authority and responsibility of the internal audit activity

• Audit evidence: The information used to support the audit opinion

• Audit expert systems: Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field
  – Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.

• Audit objective: The specific goal(s) of an audit
  – Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.

• Audit plan: A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion

• Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an audit

• Audit responsibility: The roles, scope and objectives documented in the service level agreement (SLA) between management and audit

• Audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred

• Audit sampling: The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population

• Audit trail: A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

• Audit universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process

IS Audit (1/5)

Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it (EDP auditing, as it was previously called) as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."

Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems. The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads:

• Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?

• Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?

• Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

IS Audit (2/5)

Elements of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of IS audit can be broadly classified:

• Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

• System administration review: This includes security review of the operating systems, database management systems, all system administration procedures and compliance.

• Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

IS Audit (3/5)

All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that by using their user IDs, employees may get to see critical and sensitive information far beyond their roles.

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of these elements. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the other. This will enable the auditor and management to get the total view of the issues and problems. This overview is critical.

IS Audit (2/4)

• Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

• Business continuity review: This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.

• Data integrity review: The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

IS Audit (4/5)

Risk-based Approach

Every organization uses a number of information systems. There may be different applications for different functions and activities and there may be a number of computer installations at different geographical locations. The auditor is faced with the questions of what to audit, when and how frequently. The answer to this is to adopt a risk-based approach.

While there are risks inherent to information systems, these risks impact different systems in different ways. The risk of nonavailability even for an hour can be serious for a billing system at a busy retail store. The risk of unauthorized modification can be a source of frauds and potential losses to an online banking system. A batch processing system or a data consolidation system may be relatively less vulnerable to some of these risks. The technical environments on which the systems run also may affect the risk associated with the systems.

The steps that can be followed for a risk-based approach to making an audit plan are:

1. Inventory the information systems in use in the organization and categorize them.
2. Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
3. Assess what risks affect these systems and the severity of impact on the business.
4. Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.

The auditor then can draw up a yearly audit plan that lists the audits that will be performed during the year, as per a schedule, as well as the resources required.

IS Audit (5/5)

The Audit Process

The preparation before commencing an audit involves collecting background information and assessing the resources and skills required to perform the audit. This enables staff with the right kind of skills to be allotted to the right assignment.

It always is a good practice to have a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand the special concerns, if any, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly.

Similarly, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to senior management in a formal meeting using a presentation. This will ensure better understanding and increase buy-in of audit recommendations. It also gives auditees an opportunity to express their viewpoints on the issues raised. Writing a report after such a meeting where agreements are reached on all audit issues can greatly enhance audit effectiveness.

Key Challenge

IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit.

IT Audit (1/3)

An information technology audit is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT Audit (2/3)

• While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. People responsible for security must consider whether the controls are installed as intended, whether they are effective, whether any breach in security has occurred and, if so, what actions can be taken to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.

IT Audit (3/3)

• IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

• IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

• The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments.

• Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

IT Roles and Responsibilities (1/5)

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues.

IT Roles and Responsibilities (2/5)

Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

IT Roles and Responsibilities (3/5)

Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

IT Roles and Responsibilities (4/5)

IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.

IT Roles and Responsibilities (5/5)

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. The figure below divides the assessment into a logical series of steps. The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.



RISK AND COMPLIANCE


Risk (1/4)

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization.

Risk (2/4)

Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used.

Controls must be appropriate for the level of risk faced by the organization. The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization.

Risk (3/4)

In this respect, the risk appetite of the organization is defined by COSO as:

“… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks.”

Risk (4/4)

In addition, the CAE should consider risk tolerance. COSO (The Committee of Sponsoring Organizations of the Treadway Commission) defines risk tolerance as:

“… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite.”

Thus, the CAE should consider whether or not:

• The organization’s IT environment is consistent with the organization’s risk appetite.

• The internal control framework is adequate to ensure that the organization’s performance remains within the stated risk tolerances.

Page 478: RP_IT Consulting and Audit_121116_17_v1.0

Baseline IT Controls (1/4)IT controls are to be applied when mitigating the risks is thebest option. While IT controls should be applied with dueregard to the relevant risks, there is a basic set of controlsthat need to be in place to provide a fundamental level of IThygiene. For example, the use of a firewall to control trafficbetween a corporate network and a public network such asthe Internet, or between internal network domains, is abaseline control. The level of risk associated with the businessvalue and sensitivity of the network traffic, the servicesprovided, and the information stored in the infrastructuredetermines the extent to which firewalls restrict trafficcoming into and departing from an organization’s networks.Firewalls are a physical and logical manifestation of informationsecurity policy elements that dictate what is allowedinto or out of an organization.

Baseline IT Controls (2/4)

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen, from the VISA Cardholder Information Security Program (CISP), and the Fundamental Five, from the Center for Internet Security. The Fundamental Five and Digital Dozen complement each other. It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?

Baseline IT Controls (3/4)

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

Baseline IT Controls (4/4)

• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?
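The firewall question in the checklist above (and the firewall example on the first Baseline IT Controls slide) can be tested mechanically rather than by interview alone. The following is an added example, not from the original slides or from the IIA guidance they draw on: a Python check that parses a constructed iptables-save export and reports departures from an assumed baseline policy (INPUT and FORWARD default to DROP, no rule accepts any source on any port, and management ports are reachable only from named sources). The policy constants and the sample ruleset are assumptions for illustration; an organisation would substitute its own standard and its real exports.

```python
"""Check an iptables-save export against a baseline firewall policy.

Added example for the audit question "is firewall technology implemented in
accordance with policy?". The policy constants and SAMPLE_RULESET are
constructed for illustration; they are not a real export.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed baseline policy (replace with the organisation's own standard):
# chains that admit or forward traffic must default to DROP, and
# administrative services must not be reachable from arbitrary sources.
REQUIRED_DROP_CHAINS = ("INPUT", "FORWARD")
MANAGEMENT_PORTS = {22, 23, 3389, 5900}

# Constructed sample input in iptables-save format.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A FORWARD -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: Optional[str]
    target: Optional[str]
    source: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]
    dport: Optional[int]
    interface: Optional[str]
    stateful: bool  # true when the rule only matches RELATED/ESTABLISHED traffic
    raw: str


@dataclass
class Finding:
    severity: str
    rule: str
    reason: str


def parse_rule(line: str) -> Rule:
    """Pick out the match options this audit cares about and ignore the rest."""
    tokens = line.split()
    chain = target = interface = None
    source = dport = None
    stateful = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            chain = arg
        elif tok == "-s":
            source = ipaddress.ip_network(arg, strict=False)
        elif tok == "--dport":
            dport = int(arg)
        elif tok == "-i":
            interface = arg
        elif tok == "-j":
            target = arg
        elif tok == "--ctstate":
            stateful = True
        else:
            i += 1  # token we do not track (e.g. "-m", "conntrack", "-p", "tcp")
            continue
        i += 2
    return Rule(chain, target, source, dport, interface, stateful, line)


def audit_ruleset(text: str) -> list[Finding]:
    """Return policy deviations in the order an auditor would report them."""
    policies: dict[str, str] = {}
    rules: list[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))

    findings: list[Finding] = []
    # Baseline 1: default deny on every chain that admits or forwards traffic.
    for chain in REQUIRED_DROP_CHAINS:
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(Finding("high", f":{chain} {policy}",
                                    f"{chain} default policy is {policy}, not DROP"))
    # Baseline 2: every ACCEPT must be scoped by source or by service.
    for r in rules:
        if r.target != "ACCEPT" or r.interface == "lo" or r.stateful:
            continue  # drops, loopback and return traffic are not new exposure
        any_source = r.source is None or r.source.prefixlen == 0
        if not any_source:
            continue
        if r.dport is None:
            findings.append(Finding("high", r.raw, "accepts any source on any port"))
        elif r.dport in MANAGEMENT_PORTS:
            findings.append(Finding("high", r.raw,
                                    f"management port {r.dport} reachable from any source"))
        else:
            findings.append(Finding("info", r.raw,
                                    f"port {r.dport} open to any source; confirm it is an approved public service"))
    return findings


if __name__ == "__main__":
    for f in audit_ruleset(SAMPLE_RULESET):
        print(f"[{f.severity}] {f.reason}: {f.rule}")
```

Run against a real export (`iptables-save > rules.txt`) the same function yields the evidence for the checklist answer: the open INPUT policy and the unrestricted FORWARD accept are findings regardless of what the interviewee says, while the HTTPS rule is only flagged for confirmation because exposing an approved public service is a policy decision, not a defect.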

Choosing a Control Framework (1/4)

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation. A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Choosing a Control Framework (2/4)

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework’s adequacy and use it as a context for planning and performing audit work. The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process,

Choosing a Control Framework (3/4)

especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Choosing a Control Framework (4/4)

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting

Compliance

It is important to realize that compliance with applicable laws and regulations is a foundational issue that should be addressed when performing a comprehensive risk assessment and audit for an organization.

A Case Study: A Privacy Audit (1/17)

When planning an audit, the auditors should:

• Obtain a comprehensive understanding of the personal information collected and stored, its use by the organization, its processing by technology, and the jurisdictions/countries through which the data is processed.
• Interview the individuals responsible for the organization’s privacy policy and its enforcement and/or in-house or outside legal experts to gain an understanding of the privacy laws and regulations governing the business and the type of information handled, as well as the known risks, designed controls, and reported incidents.

A Privacy Audit (2/17)

• Identify the laws and regulations that govern personal information in the jurisdictions where the organization conducts business.
• Determine the regulations and governmental bodies responsible for enforcing privacy rules. Ask the privacy officer or the individual responsible for privacy compliance how such rules are codified in the organization’s policies and procedures.

A Privacy Audit (3/17)

• Identify the customers’, employees’, and business partners’ personal information that the organization collects. If a data inventory of personal information is available, that may provide a starting point for the auditor. If there is no documented inventory, interviews with business process owners and their IT counterparts may be necessary to identify what personal information is collected. Also, automated discovery tools can assist the auditor in this phase.
• Identify what, if any, personal information is shared with third parties. Determine how the data is shared with each of these third parties, including hard copy, file transfer, and portable electronic media.
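The slide notes that automated discovery tools can help build the inventory of personal information. The following is an added example, not from the original slides or from the IIA guidance they summarise: a Python scan over constructed sample records (the file paths and contents are made up) that finds e-mail addresses, payment card numbers and IBANs, uses the Luhn and ISO 13616 mod-97 check digits to discard look-alikes such as order numbers, and keeps only masked values so that the audit workpapers do not themselves become a new store of personal information. The detector set is an assumption; a real engagement adds the identifiers of the jurisdictions in scope.

```python
"""Discover personal information in text to build or verify a data inventory.

Added example; the detectors, the masking rule and SAMPLE_RECORDS are
constructed for illustration and would be extended for the record types and
jurisdictions in scope of a real engagement.
"""
from __future__ import annotations

import re
from collections import defaultdict

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Country code, two check digits, then 11 to 30 alphanumerics; confirmed with mod-97 below.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Constructed sample: path -> content, standing in for files found on a share.
SAMPLE_RECORDS = {
    "hr/share/payroll_export.csv": "Maria Rossi,maria.rossi@example.com,GB82WEST12345698765432",
    "sales/tickets/2012-11.log": "order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111",
    "it/runbooks/backup.md": "Rotate tapes weekly; escalate to ops-oncall@example.com",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 test: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def mask(value: str) -> str:
    """Keep the last four characters only; the inventory records kind and
    location of personal information, not the information itself."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan(records: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Return, per location, the kinds of personal information found (masked)."""
    inventory: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for location, text in records.items():
        for m in EMAIL_RE.finditer(text):
            inventory[location].append(("email", mask(m.group())))
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):  # drops order numbers and other look-alikes
                inventory[location].append(("payment_card", mask(digits)))
        for m in IBAN_RE.finditer(text):
            if iban_valid(m.group()):
                inventory[location].append(("iban", mask(m.group())))
    return dict(inventory)


if __name__ == "__main__":
    for location, hits in scan(SAMPLE_RECORDS).items():
        print(location)
        for kind, masked in hits:
            print(f"  {kind:13} {masked}")
```

The check digits matter: in the constructed ticket log the 16-digit order number fails Luhn and is not reported, while the card number is. Without that step a regex-only scan produces exactly the noisy inventory that leads business owners to dismiss the exercise.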

A Privacy Audit (4/17)

The intent is to identify the formal and informal means by which personal information is shared within the organization and with other entities to identify potential threats, vulnerabilities, and overall risk. Determine whether agreements with third-party service providers and business partners include provisions on appropriate controls for handling personal information from receipt through disposal.

Identify Privacy Threats

Internal auditors should identify privacy threats to the organization through research, benchmarking, and brainstorming, and rank them according to the likelihood of occurrence and impact. Risk assessment meetings with business process owners also can ensure risks and threats to personal information are explored and identified thoroughly.

A Privacy Audit (5/17)

Assigning values to threats and assets through a privacy risk assessment highlights where the strongest controls or countermeasures should be and the areas on which the auditors should focus to identify vulnerabilities. A threat uses a vulnerability to exploit an asset. For the purposes of privacy management, the asset is protected personal information. So, who or what is the threat? The

A Privacy Audit (6/17)

threat is the individual or process that, intentionally or not, makes an organization’s personal information public or allows any unauthorized access to personal information. A legitimate threat could be a business partner violating contractual obligations or a hacker employed by organized crime. Empirically verified, threats posed by employees, contractors or temporary workers, competitors, developers, janitors, and maintenance staff — those who often have access to stores of confidential information — are very relevant. Whether through malice or carelessness, individuals with access to personal information have the ability to make that information public. If personal information is shared with business partners and contractors, the additional threats to and within their operations and processes should be evaluated.

A Privacy Audit (7/17)

Identify the Controls and Countermeasures

To determine what the organization is doing to protect personal information from the worst threats, auditors should validate the basic infrastructure and general controls in place, as well as the specific application and internal controls throughout the organization that are active and relied on by the privacy program. Common steps to identify the controls include:

• Requesting and reviewing documentation. Review the privacy program as it is implemented in policies, procedures, and other documentation. How do the policies match up with the high-risk areas defined in the privacy risk assessment? How often, if ever, are these policies reviewed? Do they incorporate the latest regulatory and legal guidance? Is the guidance consistent across divisions in the organization?

A Privacy Audit (8/17)

Identify any gaps for follow-up.

• Interviewing and observing the processing of personal information in action. The gap between the written policy and the operational action can be significant. Sit with employees on the front lines in operations and IT to determine whether they are aware of the impact of their actions/processes in handling personal information. Determine whether the outright requirements, as well as the spirit or intent of the privacy program, motivate the staff’s decisions and actions.
• Reviewing third-party contracts and contacts. The depth of the review will depend on how the contractors and the personal information handled by them rank in the threat matrix, but the auditor, at a minimum, should review for language compliant with applicable laws and regulations.

A Privacy Audit (9/17)

If right-to-audit clauses are included, are they exercised with appropriate frequency and depth? Another common technique that auditors can use in reviewing third parties is a security/privacy control survey or questionnaire. This will allow the auditor to obtain information about the controls the third party has in place to protect the organization’s personal information and help to identify areas that may require follow-up. Using a third-party provider’s controls wholly, or in conjunction with the organization’s own controls, may impact the organization’s ability to achieve its control objectives. A lack of controls or weakness in third parties’ control design, operation, or effectiveness could lead to such things as loss of personal information confidentiality and privacy. Hence, contracts with third-party providers are a critical element and should contain appropriate provisions for data and application privacy and confidentiality. By this point, the potential high-impact risks should come into sharper focus, but significant questions will remain unanswered. It is time to test the controls and countermeasures, hitting the highest impact assets and modeling the highest impact threats.

A Privacy Audit (10/17)

Performing the Assessment

The common steps throughout an audit are described in detail in The IIA’s International Professional Practices Framework (IPPF). When the auditor understands the organization’s privacy objectives, its privacy risks, the types of personal information handled, and the legal framework in which the organization conducts business, an audit program including scope, objectives, and timing of the audit can be developed and approved. The audit team will gather information, perform tests, and analyze and evaluate the test work to prepare the report and recommendations.

Test Work Methodologies

After the risk assessment is completed, traditional test work is focused on general, application, and security controls.

A Privacy Audit (11/17)

Potential testing may include methods beyond the usually applied techniques, such as vulnerability assessments and penetration tests, physical control tests, and social engineering tests.

Vulnerability Assessments and Penetration Tests

These methods are often cited as assurance methods for network-accessible applications and infrastructure. Consultants often use terms such as “tiger team” or “ethical hacking” to describe this methodology of identifying and exploiting vulnerable services in a production environment. Vulnerability assessments generally focus on identifying potential vulnerabilities in information systems. The assessments identify and prioritize vulnerabilities in the configuration, administration, and architecture of information systems. Penetration tests take vulnerability assessments one step further, exploiting the identified vulnerabilities. Penetration tests generally require a higher degree of technical skill and could potentially disrupt production systems, so their scope, timing and rules of engagement should be agreed and authorized in writing before testing starts. Vulnerability assessments and penetration tests require a set of skills that the internal auditor may need to acquire, either through contracting third-party expertise or training.

A Privacy Audit (12/17)

Physical Control Tests

Personal information is not limited to digital data. If the organization’s modeled threat has access to the building, all the encryption, firewalls, and patched databases in the world cannot keep that individual from retrieving printed information from the trash or accessing data through an unlocked workstation. Digging through trash for protected information, identifying logged-in and unattended workstations, and reviewing secure information storage and handling processes may identify vulnerabilities in the handling of private information. This type of test can answer questions such as:

• Is personal information being disposed of according to policy and procedures?
• Are documents containing personal information stored securely prior to disposal or shredding?
• Are working documents with personal information stored securely?
• Are documents or monitors that display personal information viewable by unauthorized personnel?
• Are workstations locked when unattended?
• Is the application of privacy controls consistent across various departments?

A Privacy Audit (13/17)

Social Engineering Tests

Social engineering, in the context of security, is the technique of gaining unauthorized access through nontechnical deception. In the scope of testing a privacy program, social engineering can be used to test the effectiveness of controls regarding release of personal information. In other words, can an individual obtain personal information by simply asking for it? The auditor could impersonate executives, network administrators, or other authorized users to “con” or “sweet talk” passwords or personal information from employees who act as key countermeasures.

A Privacy Audit (14/17)

Social engineering tests can help answer some of the following audit questions:

• How effective are the organization’s privacy awareness and training programs?
• Is the balance between customer service and restricting personal information appropriate?
• Is the privacy program supported by the corporate culture?

Organizations have different attitudes toward the conning of employees by internal auditors, so build a threat model and identify vulnerabilities carefully. Discuss the process with the human resources and legal teams to ensure the results will be used to improve privacy practices and not for random firing of tested employees.

A Privacy Audit (15/17)

Communicating and Monitoring Results

Many privacy audits are evaluations of compliance programs, and the auditor should consult with legal counsel if potential violations are to be included in audit communications. Consultation and coordination with counsel can reduce the conflict between the auditor’s responsibility to document the results of the engagement and counsel’s legal obligation to defend the organization. Some of the challenges specific to reporting the results of a privacy audit include:

• Getting all of the participants involved in the scope of the privacy audit. An effective privacy program is practiced by nearly all areas of the organization. Be sure that key participants have input.
• Developing a common, understandable language to describe the risks.
• Ensuring that legal counsel has reviewed the proposed audit plan and draft audit report before issuance to ensure that compliance considerations are addressed appropriately.

The CAE should be aware of IIA Performance Standard 2600: Resolution of Senior Management’s Acceptance of Risks in the event that he or she believes that senior management has accepted a level of residual risk that may be unacceptable to the organization related to its privacy program and practices.

A Privacy Audit (16/17)

Privacy and Audit Management

The IIA’s IPPF reminds auditors to take regulations and risks into account when planning, performing, and reporting assurance and consulting assignments. Many other professional bodies, legislators, and supervisory authorities issue a broad variety of guidance and regulations. The privacy of personal information and how the organization manages this asset should be considered when developing the risk-based audit plan.

A Privacy Audit (17/17)

The internal audit staff is a key part of the organization’s governance structure to address privacy. As such, training programs and policies should be in place to provide internal auditors with the necessary background and knowledge to conduct privacy engagements effectively. There also is a need for due diligence to ensure that auditors act in accordance with relevant laws and policies when using personal information during assurance or consulting engagements. Internal auditors should understand that it may be inappropriate — and in some cases illegal — to access, retrieve, review, manipulate, or use personal information when conducting internal audit engagements. Before initiating an audit, the internal auditors should investigate these issues and request advice from legal counsel, if needed. Finally, internal auditors should consider related privacy regulations, regulatory requirements, and legal considerations when reporting information outside the organization.

Toolkits

COBIT ISACA’s globally accepted framework, providing an end‐to‐end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.

ISO 2700X A growing family of ISO/IEC Information Security Management Systems (ISMS) standards. The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).

ISO 38500 Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

SIX SIGMA Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.

COBIT 5

Information!

• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.

What benefits do information and technology bring to enterprises?

Enterprise Benefits

Enterprises and their executives strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.

How can these benefits be realised to create enterprise stakeholder value?

Stakeholder Value

• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.

• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.

• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

The COBIT 5 Framework

• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

COBIT 5 Enablers

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

Governance and Management

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

In Summary …

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT

[Figure: evolution of scope of COBIT, 1996 to 2012]
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4.0/4.1 (2005/7): IT Governance
• Val IT 2.0 (2008) and Risk IT (2009)
• COBIT 5 (2012): Governance of Enterprise IT

A business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA® All rights reserved.

COBIT 5 Framework

COBIT 5:
• The main, overarching COBIT 5 product
• Contains the executive summary and the full description of all of the COBIT 5 framework components:
– The five COBIT 5 principles
– The seven COBIT 5 enablers plus
– An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)
– An introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT

COBIT 5 Product Family

Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

Five COBIT 5 Principles

The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

1. Meeting Stakeholder Needs

• Principle 1. Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders.

Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.

1. Meeting Stakeholder Needs (cont.)

Principle 1. Meeting Stakeholder Needs:
• Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.

• Governance is about negotiating and deciding amongst different stakeholders’ value interests.

• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.

• For each decision, the following can and should be asked: – Who receives the benefits? – Who bears the risk? – What resources are required?

1. Meeting Stakeholder Needs (cont.)

• Principle 1. Meeting Stakeholder Needs:

• Stakeholder needs have to be transformed into an enterprise’s actionable strategy.

• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.

1. Meeting Stakeholder Needs (cont.)

Principle 1. Meeting Stakeholder Needs:

Benefits of the COBIT 5 goals cascade:
• It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.
• In practice, the goals cascade:
– Defines relevant and tangible goals and objectives at various levels of responsibility.
– Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
– Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.

2. Covering the Enterprise End-to-end

Principle 2. Covering the Enterprise End-to-end:
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
• This means that COBIT 5:
– Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
– Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

2. Covering the Enterprise End-to-end (cont.)

Principle 2. Covering the Enterprise End-to-end

Key components of a governance system

Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.

Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.

3. Applying a Single Integrated Framework

• Principle 3. Applying a Single Integrated Framework:
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
– Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
– IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
– Etc.

• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.

• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

4. Enabling a Holistic Approach

Principle 4. Enabling a Holistic Approach

COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
• Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
• Described by the COBIT 5 framework in seven categories

4. Enabling a Holistic Approach (cont.)

• Principle 4. Enabling a Holistic Approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

4. Enabling a Holistic Approach (cont.)

Principle 4. Enabling a Holistic Approach:
• Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
• Organisational structures—Are the key decision-making entities in an organisation
• Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
• Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
• Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
• People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

• Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services

• People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

528

Page 529: RP_IT Consulting and Audit_121116_17_v1.0

4. Enabling a Holistic Approach (cont.)

• Principle 4. Enabling a Holistic Approach:
• Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
– Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
– Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

Page 530: RP_IT Consulting and Audit_121116_17_v1.0

4. Enabling a Holistic Approach (cont.)

• Principle 4. Enabling a Holistic Approach
• COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.

Page 531: RP_IT Consulting and Audit_121116_17_v1.0

5. Separating Governance From Management

Principle 5. Separating Governance From Management:
• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
– Encompass different types of activities
– Require different organisational structures
– Serve different purposes
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Page 532: RP_IT Consulting and Audit_121116_17_v1.0

5. Separating Governance From Management (cont.)

Principle 5. Separating Governance From Management:
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Page 533: RP_IT Consulting and Audit_121116_17_v1.0

5. Separating Governance From Management (cont.)

Principle 5. Separating Governance From Management:
• COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

Page 534: RP_IT Consulting and Audit_121116_17_v1.0

5. Separating Governance From Management (cont.)

Principle 5. Separating Governance from Management:
• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.

Page 535: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5: Enabling Processes

• COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
– In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
– In Chapter 3, the COBIT 5 process model is explained and its components defined.
– Chapter 4 shows the diagram of this process reference model.
– Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model.

Page 536: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5: Enabling Processes (cont.)

Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved.

Page 537: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5: Enabling Processes (cont.)


Page 538: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5: Enabling Processes (cont.)

COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

Page 539: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Implementation

• The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.

Page 540: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Implementation (cont.)

• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.

• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.

• COBIT 5: Implementation provides guidance on how to do this.


Page 541: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Implementation (cont.)

• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components

Page 542: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Implementation (cont.)

Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.

Page 543: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Product Family


Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

Page 544: RP_IT Consulting and Audit_121116_17_v1.0

COBIT 5 Future Supporting Products

• Future supporting products:
• Professional Guides:
– COBIT 5 for Information Security
– COBIT 5 for Assurance
– COBIT 5 for Risk
• Enabler Guides:
– COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
– Process Assessment Model (PAM): Using COBIT 5
– Assessor Guide: Using COBIT 5
– Self-assessment Guide: Using COBIT 5

Page 545: RP_IT Consulting and Audit_121116_17_v1.0

ADVISORY: WHEN AUDIT BECOMES CONSULTING


Page 546: RP_IT Consulting and Audit_121116_17_v1.0

Agenda
• Project Management
• Quality Assurance:
– Strategies
– Execution
– Software Selection
– Software Development
– Architecture
• New Paradigms
– Cloud
– BYOD

Page 547: RP_IT Consulting and Audit_121116_17_v1.0

PROJECT MANAGEMENT


Page 548: RP_IT Consulting and Audit_121116_17_v1.0

Software Project Management

(Diagram: Management, Project Management, Software Project Management)

Page 549: RP_IT Consulting and Audit_121116_17_v1.0

Software production projects

• They have specific characteristics that differentiate them from other kinds of projects:
• Invisibility – software is not as easy to see as a bridge or a chemical plant can be.
• Complexity – on average, costs being equal, software projects are more complex, partly because of the users' strong involvement in the early phases of the project.
• Flexibility – ease of modifying the product both while in production and once it is created.

Page 550: RP_IT Consulting and Audit_121116_17_v1.0

Software production projects

• Two main kinds of projects:
– Information Systems, characterized by the fact that they communicate with the organization
– Industrial Systems that interface with machines (operating systems, process control systems)
• Production processes that are good for developing one system are often inefficient for the other

Page 551: RP_IT Consulting and Audit_121116_17_v1.0

Project phases

(Diagram: set up, planning, execution, control, closing)

Page 552: RP_IT Consulting and Audit_121116_17_v1.0

Productive activity planning

(Diagram: identification of roles, responsibility attribution, resource allocation and time estimation, scheduling; supporting artefacts: project WBS, WBS + organizational structure, roles and responsibilities matrix, technical constraints, resources and work packages, logical ties, deadlines and milestones, PERT diagram, WP durations)

Page 553: RP_IT Consulting and Audit_121116_17_v1.0

(Chart: effort against time across the initial, intermediate and final phases – possibility of influencing results, managerial attention, resources used)

The Project

• The project is a temporary effort oriented to the creation of a unique product or service (Project Management Institute)

Page 554: RP_IT Consulting and Audit_121116_17_v1.0

The Project
• A project’s scope is not limited to the design of the components that constitute a product, but it entails all the phases that are involved in achieving a complete product or service and delivering it, beginning from its conception.
• The project is a temporary effort started to develop a product or service.
• It is temporary in the sense that it is located in time with a precise beginning and ending date; it may last years, and the created product or service is unique.
• The fundamental element for optimizing these factors is the employment of methodologies and tools that find application within every business organization.

Page 555: RP_IT Consulting and Audit_121116_17_v1.0

The Project
• Project Management is a particular approach to contract management (initially developed in the military environment) whose primary goal is to handle the project in a way that achieves its completion while respecting the timings, costs and technical-qualitative performance contractually agreed upon with the client and with regard for the law.
• It’s a set of common sense rules to manage project planning and control activities, to orient available resources towards achieving the goals while respecting planned times, costs and requirements satisfaction.
• Sound project management allows each company to meet market challenges by optimizing the costs of the various stages leading to the completion of the project on schedule. Market planning and control are becoming increasingly important, especially in highly competitive market contexts, along with the related cost analysis and benefit evaluation, which represent the key factors in achieving the predefined objectives.

Page 556: RP_IT Consulting and Audit_121116_17_v1.0

Types of projects

• The variables according to which projects can be classified are:
1. Size of the project: need for human and financial resources, range and geographical diffusion;
2. Project complexity: variety of goals and scope;
3. Degree of project risk: degree of innovativeness, scope and complexity.

Page 557: RP_IT Consulting and Audit_121116_17_v1.0

Projects lifecycle

(Chart: level of effort against time – project management phases: beginning, planning, execution, closing; technical cycle phases: feasibility, requirement definition and planning, development, test, implementation, maintenance)

Any project’s lifecycle entails:
• Managerial issues
• Technical issues.

Page 558: RP_IT Consulting and Audit_121116_17_v1.0

Project Management
A project is a temporary initiative (with a beginning and end) directed towards the creation of a product, a service or a result characterized by uniqueness, under conditions of uncertainty. Project Management is the application in practice of knowledge, skills, tools and techniques to project activities to satisfy its requirements.

A project can be divided into 5 main phases, also called process groups:
• Startup
• Planning
• Execution
• Monitoring and Control
• Closing

A new set of essential phases can be identified in IT projects:
• Startup
• Requirement definition and analysis
• Architectural design
• Development
• Testing
• Production
• Closing

Projects should be characterized by SMART goals: Specific, Measurable, Agreed upon, Realistic, Timed.

Page 559: RP_IT Consulting and Audit_121116_17_v1.0

Project Management Elements

The activity of project management can be broken down into the following key processes:
• Identify requirements
• Keep stakeholders’ interests in consideration during project planning and development
• Balance the project’s constraints that are in conflict (scope, quality, schedule, budget, resources and risk)
The Project Manager is the person responsible for the project’s organization and successful goal achievement. A good Project Manager usually has knowledge, skills and personality.
The Project Management Office (PMO) is the organizational unit that centrally manages and coordinates the projects that fall under its responsibility. Among the activities that characterize this unit are:
• Manage the shared resources of various projects
• Identify and develop methodologies, standards and best practices
• Train, form and supervise staff
• Monitor compliance with the standards, requirements and policies
• Develop and maintain policies, procedures, documents and other organizational process assets
• Coordinate information flows

Page 560: RP_IT Consulting and Audit_121116_17_v1.0

Project Management Elements

Business environmental factors: They generally represent inputs to the planning processes and influence the project in ways that can be positive or negative (+/- constraints) and are:
• Culture, structure and organizational processes
• Government / industry standards (regulations, behavioural codes, technical standards and quality)
• Infrastructure
• Human resources management processes
• Market conditions
• Risk tolerance of the stakeholders
• Political climate
• Communication channels used by the organization
• Database and Information Systems for Project Management
Roles: Project team, customer, supplier, end user, sponsors, Project Manager, Client Project Manager, Project Management Office, Project Board or Steering Committee, Team Leader, Project Accountant, Program / Portfolio Manager, Team Member, Technical Expert / Analyst.
Project Management Documents: Business Case, Project Charter, Offering, Organization chart, responsibility matrix, Contact List, Request for Proposals, Project Plan, Risk Log (risk analysis), contingency plans, Communication Plans, Progress Report.

Page 561: RP_IT Consulting and Audit_121116_17_v1.0

Projects vs operative work
Common characteristics:
• Performed by individuals
• Limited by constraints
• Planned, executed, monitored and controlled
• Performed to achieve organizational goals or strategic plans
Differences:
• Operative activities are continuous; they produce repetitive products/services/results
• Projects are temporary and produce unique outputs.
Operative jobs support the business environment in which the projects are developed, therefore there are important interactions between the project team and the operative departments. The Project Manager will communicate a lot with the operative department managers, and often some of the latter’s resources will be redirected towards the project.

Page 562: RP_IT Consulting and Audit_121116_17_v1.0

Project lifecycle
By project lifecycle we mean a set of project phases, sequential or overlapping, whose name and number depend on the project’s nature. This provides the basic framework for project management.
Structure:
• Starting the project
• Organizing and preparing
• Carrying out the work
• Closing the project

Characteristics:
• The level of costs and human resources (dotted line) starts low, then peaks while carrying out the work, and decreases again during closure.
• Stakeholder influence, risks and uncertainty are maximum at the beginning and decrease monotonically over time.
• The costs of modifying or correcting mistakes are minimum at the beginning and grow monotonically over time.

Page 563: RP_IT Consulting and Audit_121116_17_v1.0

Project phases
The project phases consist of divisions within the same project that create checkpoints for evaluating intermediate deliverables. This allows the segmentation of the project into logical subsets to ease their management, planning and control. The applied division into phases depends on the size, complexity and impact of the project.
If the steps are sequential, the end of a phase means a deliverable is ready which serves as the starting point of a new phase (milestone or decision point). These are natural moments for evaluating the commitment invested in the project, possible changes or termination.
There is no unique way to define the ideal structure of a project, beyond the common industry or market practices. Therefore, this must be assessed from project to project depending on its particular characteristics and the management style of the project team and the organization.
The phase usually ends with a review of the deliverables to determine completeness / acceptance and an evaluation of the work to decide on possible changes, a process that leads to the beginning of a new phase. The key decisions are therefore:
• Determine whether the project should continue to the next phase
• Identify and correct mistakes based on efficiency considerations (costs)
Some projects can benefit from overlapping phases. Phases can therefore be sequential or overlapping.

Page 564: RP_IT Consulting and Audit_121116_17_v1.0

The Project Manager’s role

The Project Manager is the supervisor or facilitator and must therefore:
• Define and control the project's objectives;
• Analyze the environment in which the project will be developed and the regulations in force;
• Define the end result and the main activities necessary for its achievement;
• Plan and schedule the activities of the project (historical data for future projects);
• Estimate the necessary resources (labor, materials, equipment, etc.);
• Formulate the project budget;
• Allocate and control resources for the individual assets and authorize the beginning of work;
• Integrate all the planning and control activities of the project and provide tutoring;
• Define the progress of the project, in terms of both physical development and costs;
• Measure the progress of the project during its implementation;
• Enable corrective action in case of deviations (definition of risk tolerance);
• Resolve conflicts with the customer, with suppliers and with the specialized functions (80-90% of the time is used to communicate with stakeholders; source: Project Management Institute).
The reasons for the inclusion of the logic of Project Management in enterprises are mainly attributable to the causes of project failure, which according to a survey by the European Community in 2002 are: poor communication, poor project scoping, unfulfilled customer expectations, inadequate planning, lack of leadership, lack of motivation in the team.
The percentage of successfully completed projects with respect to time, cost and objectives is 26%. The proportion of unfinished projects, over budget, and that do not meet the objectives is 34%. The remaining 40% of projects are canceled before completion.

Page 565: RP_IT Consulting and Audit_121116_17_v1.0

Project Stakeholders

(Chart: power over the project against interest in the project, each from low to high; quadrants: Institutional Stakeholder, Key Stakeholder, Marginal Stakeholder, Operative Stakeholder)

• Project stakeholders are «persons and organizations that are actively involved in the project or whose interests can be influenced by the project’s outcome. On the other hand they can also influence the project and its outcome».

Page 566: RP_IT Consulting and Audit_121116_17_v1.0

Production planning techniques

Note: These techniques have been designed and developed for the creation of highly complex works, especially in the urban engineering or military fields, and mainly on contractual production terms [relevant economic dimensions, long implementation times (over a year, the classic management period), management and organizational complexity (places physically distinct from the company), generally unique and non-repetitive products].

• Work Breakdown Structure (W.B.S.)
• Gantt diagram
• CPM (Critical Path Method)
• PERT (Program Evaluation and Review Technique)

Page 567: RP_IT Consulting and Audit_121116_17_v1.0

The Work Breakdown Structure

• It consists in the decomposition of the project into subprojects, of these into macro-activities and so on, down to elementary activities whose further decomposition is no longer convenient.
• Each elementary activity should be easy to manage in terms of planning, execution, control and closure.
• It uses a tree diagram that allows for the description and display of all parts of a project at different levels of detail, in a structured and hierarchical manner.
• It includes all parts of a project that must be carried out, and all the major functional tasks that must be performed to implement them completely.
• Activities at the lower levels are therefore necessary and sufficient to complete the parent element (top level).
• Every element is perfectly schedulable, with its own budget, and can be assigned to an operating unit (in terms of responsibility). They are also easily reusable for future projects.

Page 568: RP_IT Consulting and Audit_121116_17_v1.0

Preparing a WBS
Problem: complex projects entail hundreds or thousands of elements that result in overly complex management.
The Project Manager must structure the job in small elements that must be:
• Manageable (possibility to determine authorities and responsibilities);
• Independent (with minimum interfaces with other activities);
• Integrated (to put them together in general packages);
• Measurable (to estimate their development state and success).
The WBS is a key element because:
• It provides a clear description of the project as the sum of its elements;
• It allows for cost and budget estimation;
• It allows for time, cost and performance control;
• Goals are connected to business resources;
• It simplifies planning, scheduling, reporting and management control operations;
• It allows a responsible person to be assigned to each element.

Page 569: RP_IT Consulting and Audit_121116_17_v1.0

WBS organization
At the first level the WBS can be organized by:
• Product structure. The decomposition is done on the basis of product components (physical/spatial decomposition logic). For example, while developing a new car, component groups are established.
• Project lifecycle. The decomposition is done on the basis of logical stages or process phases: it can be done following the technical process (requirement analysis, design/planning, production, etc.). This is also called division by work processes.
• By deliverable and sub-projects. The subprojects are developed by organizations that are external to the team (decomposition by objectives).

Page 570: RP_IT Consulting and Audit_121116_17_v1.0

WBS Organization

The principles of decomposition may also be different: breakdown by objectives, work processes, the physical logic, the functional logic, the spatial logic...

In our example, the same building could have been decomposed first of all into ground floor, first and second floor, and so on. Time after time, we will try to identify the most functional decomposition criterion with respect to the productive goals.

(Diagram: WBS of a building – Building; Urban works, Plants, Construction site; thermal, cabin, distribution, hydric, mechanical, electrical)

Page 571: RP_IT Consulting and Audit_121116_17_v1.0

Definitions

Work Package
Set of information relevant to the creation of one or more products. It must contain the following information:
- What to do;
- Responsible and client;
- Costs and schedule;
- Input and output products;
- Activities.

WBS – Software Development Project
(Diagram: Software Specifics; Requirements, Analysis, Design, Development, Test)

Work Package: Requirements
Cost: € 25.000,00
Description: collection and analysis of customer and user requirements
Responsible: Mario Rossi
Sponsor: Divis. Alfa
Input: legal constraints, organization’s standards, client’s specifics
Output: meeting reports, requirement analysis report
Activities: meetings with executives, analysis of existing systems, project draft, interviews and surveys, reviews, approval, final formalization.

Page 572: RP_IT Consulting and Audit_121116_17_v1.0

Definitions

Deliverable
It is any product, result or skill capable of delivering a unitary and verifiable service that must be created to complete a process, a phase or a project.

(Diagram: Project; Work Package 1.1, Work Package 1.2; Deliverable 1, Deliverable 2, …, Deliverable n)

Page 573: RP_IT Consulting and Audit_121116_17_v1.0

Definitions

Event
Something that happens which marks the beginning or the end of one or more tasks or activities.

Milestone
Events that represent decisive moments of the project evolution, as intermediate checkpoints or moments of completion of a significant portion of the project. Milestones are often contractually imposed (start and finish timing) or self-imposed by the project manager.

Page 574: RP_IT Consulting and Audit_121116_17_v1.0

Rules for a correct WBS
- The union of all the activities at the same level corresponds to the same set of activities at the root;
- Each work item should be assigned to one and only one level;
- There should be no overlap between tasks in different branches;
- Each level increase must be based on the same logic as the previous one, and all of its siblings must follow the same logic;
- Different levels can be developed according to different logics;
- As the size of the WBS decreases the responsible’s management is simplified, while project control becomes more complicated;
- The WBS parts must be filled in by those responsible for management and control;
- The logic of aggregation-disaggregation is based on the defined goals.
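The rules above, together with the Work Package definition a few slides earlier, can be turned into a mechanical check. This is an added example, not code from the deck: the `WbsElement` model, the hierarchical codes and the sample costs are constructed for illustration; only the Requirements package (Mario Rossi, Divis. Alfa, € 25.000,00) comes from the slide.

```python
"""WBS consistency checker (added example, not from the deck).

Rules from the slide: each piece of work sits in exactly one branch and level,
branches do not overlap, the children of an element together make up that
element (costs roll up exactly), and each leaf is a documented work package.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WbsElement:
    code: str                      # hierarchical code such as "1.2.1" (constructed convention)
    name: str
    cost: float = 0.0              # on a parent: the planned roll-up of its children
    responsible: str = ""          # owner of the work package
    sponsor: str = ""              # client of the work package
    inputs: tuple = ()
    outputs: tuple = ()
    children: List["WbsElement"] = field(default_factory=list)


def rolled_up_cost(node: WbsElement) -> float:
    """Cost of a leaf, or the sum of the children's rolled-up costs."""
    if not node.children:
        return node.cost
    return sum(rolled_up_cost(child) for child in node.children)


def validate_wbs(root: WbsElement) -> List[str]:
    """Return the list of rule violations; empty when the WBS is consistent."""
    problems: List[str] = []
    seen_codes, seen_names = set(), set()

    def walk(node: WbsElement, parent: Optional[WbsElement]) -> None:
        # Each code and each task belongs to one and only one place in the tree.
        if node.code in seen_codes:
            problems.append(f"{node.code}: code used in more than one place")
        seen_codes.add(node.code)
        key = node.name.strip().lower()
        if key in seen_names:
            problems.append(f"{node.code}: '{node.name}' overlaps a task in another branch")
        seen_names.add(key)
        # A child's code extends its parent's code, so the level is explicit.
        if parent is not None and not node.code.startswith(parent.code + "."):
            problems.append(f"{node.code}: code does not extend parent {parent.code}")
        if node.children:
            if len(node.children) == 1:
                problems.append(f"{node.code}: a single child is not a decomposition")
            for child in node.children:
                walk(child, node)
            # The union of the children must equal the parent element.
            rolled = rolled_up_cost(node)
            if node.cost and not math.isclose(node.cost, rolled):
                problems.append(
                    f"{node.code}: declared cost {node.cost:.2f} != roll-up {rolled:.2f}")
        else:
            # A leaf is a work package: who, for whom, cost, inputs, outputs are mandatory.
            missing = [f for f in ("responsible", "sponsor", "inputs", "outputs")
                       if not getattr(node, f)]
            if node.cost <= 0:
                missing.append("cost")
            if missing:
                problems.append(f"{node.code}: work package missing " + ", ".join(missing))

    walk(root, None)
    return problems


def _package(code, name, cost, responsible="A. Bianchi (constructed)"):
    """Build a fully documented work package for the constructed samples."""
    return WbsElement(code, name, cost, responsible, "Divis. Alfa",
                      ("client's specifics",), (f"{name.lower()} report",))


def sample_wbs() -> WbsElement:
    """Constructed WBS for the software development project of the earlier slide."""
    return WbsElement("1", "Software development project", 100_000.0, children=[
        _package("1.1", "Requirements", 25_000.0, "Mario Rossi"),
        _package("1.2", "Analysis", 15_000.0),
        _package("1.3", "Design", 20_000.0),
        _package("1.4", "Development", 30_000.0),
        _package("1.5", "Test", 10_000.0),
    ])


def broken_wbs() -> WbsElement:
    """Same project with three rule violations deliberately introduced."""
    analysis = _package("1.2", "Analysis", 15_000.0)
    analysis.responsible = ""                      # work package without an owner
    return WbsElement("1", "Software development project", 100_000.0, children=[
        _package("1.1", "Requirements", 25_000.0, "Mario Rossi"),
        analysis,
        _package("1.1", "Design", 20_000.0),       # code reused in a second branch
        _package("1.4", "Development", 30_000.0),  # Test dropped: roll-up is 90 000
    ])
```

`validate_wbs(sample_wbs())` returns an empty list, while `validate_wbs(broken_wbs())` reports the missing owner, the duplicated code and the roll-up mismatch.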

Page 575: RP_IT Consulting and Audit_121116_17_v1.0

Gantt diagram

For the realization of the Gantt chart it is necessary to associate to the activities, as identified by the WBS, their estimated duration.

This technique allows the project to be described through the representation of the duration of each activity on a chart (a histogram). The horizontal axis shows the time scale; the vertical axis, not oriented, shows the activities that make up the project. The placement of activity "bars" along the time axis highlights not only the length, but also the moment of completion of each task.

The Gantt diagram is said to have the defect of not accounting for resources (although they are indirectly regarded in the time lengths).

Page 576: RP_IT Consulting and Audit_121116_17_v1.0

Activity duration

Duration estimates can be obtained through different techniques that preferably use historic data:
• Expert’s opinion
• Estimation by analogy
• Quantitative duration, based on quantitative data for each working category (number of designs, tons of steel, etc.) defined during the engineering/design phase multiplied by the unitary production rate (hours of work per design, etc.)

Contingency time can be introduced to face unexpected events.

Page 577: RP_IT Consulting and Audit_121116_17_v1.0

Project Design

The basic elements are:
• Activity duration;
• Dependency relationships with other activities;
• Time schedule;
• Possible milestones.

Page 578: RP_IT Consulting and Audit_121116_17_v1.0

A bit of history

• H.L. Gantt defined a technique of productive process representation using time bars at the beginning of the last century.
• In 1957 M. Walker defined the CPM (Critical Path Method) to control project timings.
• In 1958 the PERT technique was developed while working on nuclear submarine projects (Polaris Project).

Page 579: RP_IT Consulting and Audit_121116_17_v1.0

The Gantt diagram pitfall

• Time relationships among activities:
1. Why did we set a certain activity at a certain moment in time?
2. Are there constraints of logical dependency?
3. If the duration or starting time of an activity changes, what happens to the others?

Page 580: RP_IT Consulting and Audit_121116_17_v1.0

An evolved approach: reticular techniques

• Activity = characterized by duration (and used resources).
• Events = instantaneous activities that mark the beginning and/or end of one or more activities.
• Time sequentiality = indicates succession constraints due to logical dependencies or opportunities.

Used to evaluate the total project duration and the dates of milestone achievements in implementing the project. In contrast with the Gantt chart, such techniques show logical dependencies between tasks that must necessarily be carried out in succession.

Page 581: RP_IT Consulting and Audit_121116_17_v1.0

PM and Automation

For the application of CPM and PERT techniques, special software is employed (like MS Project), to which the following input data are provided:
• Identification of the activities which constitute the project (through the WBS);
• Identification of logical-temporal sequence constraints between the project activities (which activities precede/follow the one in question, and what can be done in parallel?);
• Estimate of the project activities’ duration (based on resources);
• The sequential constraints of individual activities should refer to logical or technical conditions that prevent the execution of a task if its beginning requires the completion of one or more activities that are "work in progress".

Sequential constraints may also arise because of lack of resources.

Page 582: RP_IT Consulting and Audit_121116_17_v1.0

Preparing a CPM \ PERT

1. The Project Manager writes the list of activities;
2. The PM arranges the activities according to sequentiality criteria;
3. The PM reviews the diagram with line managers (experts);
4. The functional managers create the CPM \ PERT entering durations (the schedule is not known yet, so estimates are based on infinite resources);
5. The PM looks at the CPM \ PERT and checks if it respects the key dates and timetable of the project;
6. The PM sets the reference dates on the calendar and reorganizes the CPM \ PERT on the basis of real (limited) resources.

Page 583: RP_IT Consulting and Audit_121116_17_v1.0

Differences between PERT and CPM
• CPM: deterministically calculates the parameters "earliest start", "latest start" and "finish" to identify the activities that have less flexibility (critical path), based on the most common durations (experience): Gaussian distribution;
• PERT: uses weighted estimates of durations to calculate the project duration (3-estimate approach): β distribution with weights 1/6 Do, 1/6 Dp and 4/6 Dml;

D = (Do + 4 Dml + Dp) / 6

Page 584: RP_IT Consulting and Audit_121116_17_v1.0

Differences between PERT and CPM

• PERT uses an evaluation of the time based on three estimates (optimistic, pessimistic, normal), while CPM uses a single normal estimate. Duration estimates with PERT are more accurate.

• PERT is of a probabilistic nature, based on the beta probability function, and allows risk to be assessed, while CPM is deterministic.

• Both allow the use of dummy activities (crucial activities with zero duration, e.g. end of stage) to develop complex project logics;

• PERT is used for estimating projects where timing is highly variable, while CPM is preferred for projects where the time estimates, as well as the dependencies between resources, are more accurate;

• PERT is used for those projects in which the percentage of job completion cannot be assessed before they end, while CPM is used in projects where the percentage of completion of a task can be estimated and costs can be charged to the customer.

PERT is good for R&D projects; CPM is good for construction projects.

Page 585: RP_IT Consulting and Audit_121116_17_v1.0

Differences between PERT and CPM

A major difference is that PERT does not allow the percentage of completion to be estimated, because the activities cannot be estimated in percentage terms until completion (probabilistic estimate).

PERT/CPM advantages: highlights where to focus efforts (logical-sequential); allows the effects of changes on the project to be evaluated; visualizes complex structures in a simple and clear manner.

PERT/CPM disadvantages: more complex and expensive than other systems; requires more data; not convenient for small projects.
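As an added illustration (not part of the deck), the following Python computes the PERT expected durations with the D = (Do + 4·Dml + Dp)/6 formula, runs the CPM forward and backward passes to obtain earliest/latest dates, float and the critical path, and uses the PERT variances to estimate the probability of meeting a deadline. The six-activity network, its durations and the 23-day deadline are constructed for the example.

```python
"""Added example (not from the deck): PERT three-point estimates and a CPM
forward/backward pass on a constructed six-activity network."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    predecessors: tuple          # names of activities that must finish first
    d_o: float                   # optimistic duration (Do)
    d_ml: float                  # most likely / "normal" duration (Dml)
    d_p: float                   # pessimistic duration (Dp)

    @property
    def expected(self) -> float:
        # PERT beta-weighted estimate: D = (Do + 4*Dml + Dp) / 6
        return (self.d_o + 4 * self.d_ml + self.d_p) / 6

    @property
    def variance(self) -> float:
        # standard PERT variance of a single activity: ((Dp - Do) / 6)^2
        return ((self.d_p - self.d_o) / 6) ** 2


# Constructed sample network (durations in days); not from the deck.
ACTIVITIES = (
    Activity("A", (), 2, 4, 6),
    Activity("B", ("A",), 3, 5, 13),
    Activity("C", ("A",), 2, 3, 4),
    Activity("D", ("B", "C"), 4, 6, 8),
    Activity("E", ("C",), 1, 2, 3),
    Activity("F", ("D", "E"), 2, 3, 10),
)


def topological_order(acts):
    """Kahn's algorithm over the precedence constraints; rejects cycles."""
    indeg = {a.name: len(a.predecessors) for a in acts}
    ready = [a.name for a in acts if indeg[a.name] == 0]
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for a in acts:
            if n in a.predecessors:
                indeg[a.name] -= 1
                if indeg[a.name] == 0:
                    ready.append(a.name)
    if len(order) != len(acts):
        raise ValueError("precedence constraints contain a cycle")
    by_name = {a.name: a for a in acts}
    return [by_name[n] for n in order]


def cpm(acts, duration):
    """Forward pass (earliest start/finish) and backward pass (latest
    start/finish); float = LS - ES.  `duration(a)` selects which estimate
    is used, so the same pass serves CPM (single estimate) and PERT."""
    order = topological_order(acts)
    es, ef = {}, {}
    for a in order:
        es[a.name] = max((ef[p] for p in a.predecessors), default=0.0)
        ef[a.name] = es[a.name] + duration(a)
    project_duration = max(ef.values())
    successors = {a.name: [b.name for b in acts if a.name in b.predecessors]
                  for a in acts}
    ls, lf = {}, {}
    for a in reversed(order):
        lf[a.name] = min((ls[s] for s in successors[a.name]),
                         default=project_duration)
        ls[a.name] = lf[a.name] - duration(a)
    schedule = {a.name: {"ES": es[a.name], "EF": ef[a.name],
                         "LS": ls[a.name], "LF": lf[a.name],
                         "float": ls[a.name] - es[a.name]} for a in acts}
    return schedule, project_duration


def critical_path(schedule):
    """Activities with zero float, in the order they appear in the network."""
    return [n for n, v in schedule.items() if abs(v["float"]) < 1e-9]


def pert_on_time_probability(acts, schedule, deadline):
    """Probability of finishing by `deadline`, approximating the sum of the
    critical-path activities with a normal distribution (PERT risk view)."""
    crit = set(critical_path(schedule))
    mean = sum(a.expected for a in acts if a.name in crit)
    sigma = math.sqrt(sum(a.variance for a in acts if a.name in crit))
    if sigma == 0.0:
        return 1.0 if deadline >= mean else 0.0
    z = (deadline - mean) / sigma
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


if __name__ == "__main__":
    sched, total = cpm(ACTIVITIES, lambda a: a.expected)
    for name, v in sched.items():
        print(f"{name}: ES={v['ES']:.1f} EF={v['EF']:.1f} "
              f"LS={v['LS']:.1f} LF={v['LF']:.1f} float={v['float']:.1f}")
    print("critical path:", critical_path(sched), "duration:", total)
    print("P(finish within 23 days):",
          round(pert_on_time_probability(ACTIVITIES, sched, 23.0), 3))
```

Running the pass with `lambda a: a.d_ml` instead of `a.expected` gives the single-estimate CPM schedule (18 days here against 20 with PERT), which is the difference the slides describe.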


Page 586: RP_IT Consulting and Audit_121116_17_v1.0

QUALITY ASSURANCE


Page 587: RP_IT Consulting and Audit_121116_17_v1.0

Quality assurance

• Quality assurance (QA) refers to the planned and systematic activities implemented in a quality system so that the quality requirements for a product or service will be fulfilled. It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention. This can be contrasted with quality control, which is focused on process outputs.

• Two principles included in QA are: "fit for purpose", the product should be suitable for its intended purpose; and "right first time", mistakes should be eliminated. QA includes management of the quality of raw materials, assemblies, products and components, services related to production, and management, production and inspection processes.

Page 588: RP_IT Consulting and Audit_121116_17_v1.0

PROCUREMENT, SOURCING & SELECTION

Page 589: RP_IT Consulting and Audit_121116_17_v1.0

Investment decision criteria (1/4)

• Assuming that the evolution of Demand Management processes (note) is able to lead to the formulation of real needs, whether they derive from business needs or regulatory limits, the effectiveness of a software selection is then anchored to:
– the ability to define a response that is actually consistent with the "needs" manifested by users;
– the correct sizing of the investment and of the subsequent operating costs;
– the implementation of appropriate project and technology "risk mitigation policies";
– a solid identification and quantification of the tangible and intangible benefits resulting from the investment made.

Page 590: RP_IT Consulting and Audit_121116_17_v1.0

Investment decision criteria (2/4)

• In a usually complicated and articulated environmental context, "acceptable" results cannot be guaranteed in the absence of adequate organizational and methodological support. In other words, the quality of an application software investment depends strictly on the maturity level of the processes that govern the selection of software.

• The process must be repeated continuously because the costs and benefits of a "solution" are closely related to its content, and because "needs" can be satisfied through solutions of different content. The idea is to induce a virtuous cycle in which decisions are the result of the overall contributions of the different actors in the process, agents of a "single innovation committee" responsible, as a whole, for the result obtained.

Page 591: RP_IT Consulting and Audit_121116_17_v1.0

Investment decision criteria (3/4)

• Such an approach requires that the quality and robustness of the selection process "dramatically" limit the room for discretion typical of "weak" organizations, and steer towards the formalization of "objective" evaluation elements, that is, elements based on solid quantitative data and clearly defined standards.

• It goes without saying that a number of critical issues, related to the investment capacity and to the alignment of the outlined solutions with business and IT strategies, must be taken care of during the process.

Page 592: RP_IT Consulting and Audit_121116_17_v1.0

Investment decision criteria (4/4)

• These concepts move away from established practices in which the decision to invest, and often the finding of the solution to be adopted, follows a sequential and hierarchical path of analysis, in a context of strong discretion and debatability of the choices made. In these practices, the contribution of the IT department is carried out in a "degraded" organizational context which, in the absence of any real benefit analysis, considers cost as the key variable and thus exerts strong pressure on those who ultimately "must" create what the customer demanded/required.

Page 593: RP_IT Consulting and Audit_121116_17_v1.0

Needs and solutions (1/2)

• «Needs» concern the rise of a requirement, a problem or an opportunity. In general one can assume that «needs» are correctly identified. The critical issue is which IT «solution» should lead to the satisfaction of the «need». In this sense, the correct determination of the net value (costs – benefits) created by the solution is the only element on which to judge the IT investment. This distinction between «need» and «solution» could appear unnecessary. Actually no one can deny a need, while the opportunity to satisfy it or not is the key element in governing IT investments in applications.

Page 594: RP_IT Consulting and Audit_121116_17_v1.0

Needs and solutions (2/2)

• This interpretation of the selection processes' objectives is broader than a practice in which a solution is always sought. In other words, we believe that:
– It is simply possible not to adopt a solution, which means not investing when it is not possible to determine a positive net value for the satisfaction of the need;
– The identification of the right solution is a continuous process that searches for the best compromise between costs and benefits. Note that searching for the best compromise doesn't take value away from the result; rather, this continuity has the objective of driving the search for benefits and the ambition of finding them.

Page 595: RP_IT Consulting and Audit_121116_17_v1.0

Make or buy (1/4)

• Needs can be satisfied by producing custom solutions (make) or by acquiring them and possibly personalizing the package (buy). Generally this decision can be taken at the software selection phase.

• The fundamental questions when facing a make or buy decision are:
– Do we have the know-how?
– What are we buying?
– How much of what we are buying satisfies our needs?

Page 596: RP_IT Consulting and Audit_121116_17_v1.0

Make or buy (2/4)

• The history of applications has been written in the last thirty years. From the first mechanizations of elementary accounting processes onwards, the support provided by applications has become more invasive and complex. Traditionally Italian companies have invested poorly in the documentation of their knowledge: know-how was not transformed into a company "intangible asset" and remained "trapped" in individuals. Sometimes the individual know-how was lost; most of the time it exists in daily operational practices but it is not "recognizable and usable" unless significant investments are made. The "buy" option has to do with this issue from two alternative points of view:
– An organization buys a know-how it doesn't have;
– An organization buys in pieces, at moderate prices, a know-how that it has but hasn't capitalized upon.

Page 597: RP_IT Consulting and Audit_121116_17_v1.0

Make or buy (3/4)

• Obviously, in the first case, the intrinsic value of the "buy" is potentially much higher. Sometimes, however, the greatest value of the know-how acquired with the software is distorted through heavy customization.

• Just as the buyer of a mobile phone ends up paying for a significant number of functions that are not needed and which he doesn't even know he has, so when you buy software it is difficult to understand what was actually paid for. This problem is generally stronger every time you proceed to customize the software. In this situation there is a tendency, in fact, not to use all the features that are not already part of existing operational practices.

Page 598: RP_IT Consulting and Audit_121116_17_v1.0

Make or buy (4/4)

• It is not always that easy to understand what you are buying, or what you want to buy. The widespread practice of heavily customizing acquired software in order to support unchanged processes implies a substantial replacement of the purchased service: the idea was to acquire a standard market product, with all the related guarantees on the evolution of the product, and it implicitly became the purchase of the realization of a "custom" product based on a semi-finished one. In some industrial sectors, such as financial services, this practice has been so widespread that even the software industry was heavily conditioned by it (confusion between products and services, distorted business models, mispricing, poor quality, etc.).

Page 599: RP_IT Consulting and Audit_121116_17_v1.0

The QEERB protocol (1/2)

• The QEERB protocol is meant to represent a methodological approach to software selection, with the goal of reducing the risk of sub-optimal choices. QEERB gives guidelines to:
– frame the issues involved;
– identify the issues that really matter (and their prioritization);
– define an effective and efficient process for the selection of IT investments;
– involve the interested company structures (stakeholders) in the selection process;
– build a Knowledge Management system that capitalizes on the knowledge, business skills and past experiences, providing the basis for improving efficiency and effectiveness in the investment decision-making process.

Page 600: RP_IT Consulting and Audit_121116_17_v1.0

The QEERB protocol (2/2)

• In particular the protocol categorizes and organizes the set of evaluation elements of an application solution into 5 main areas:
– Quality, meaning the identification and description of the solution's content;
– Effort, which determines the project costs (internal and external) for the set-up and production of the defined output, and its subsequent continuous management;
– Elapsed, estimating the project timings (and those of possible system evolutions or of the structures associated with IT investments);
– Risk, defining the risk profile of the investment (project risk, supply risk, etc.) in terms of the project and of the subsequent protection of the acquired value (risk of technological obsolescence);
– Benefit, describing the modes of identification of the benefits related to the investment.

Page 601: RP_IT Consulting and Audit_121116_17_v1.0

Quality (1/2)

• The protocol assumes to operate in a context in which:
– The needs to be satisfied through the selection and implementation of new application solutions have been expressed;
– The needs are related to the requirements of supporting the management of commercial initiatives, the production of new services, the rationalization/redefinition of internal business processes, governance or compliance.

Page 602: RP_IT Consulting and Audit_121116_17_v1.0

Quality (2/2)

• The definition of needs should be explicit and formalized according to a predefined scheme that highlights:
– The goals for which the IT solution should be the enabler of achievement;
– The general requirements that unambiguously document the activities to be supported by the application.
• During the following selection process, these general requirements should be transformed into specific requirements:
– Functional;
– User;
– Technological;
– Integration.

Page 603: RP_IT Consulting and Audit_121116_17_v1.0

Functional Requirements (1/2)

• Functional requirements define in a more timely and specific manner the user functions, the data requirements and any calculation algorithms of the new application; the depth of these requirements will typically have to be linked to the discriminating fundamentals of cost and benefit. In other words, the need to define precisely any significant customization, or to proceed to the level of comparability of single operative functions, will inevitably affect the depth of analysis.

Page 604: RP_IT Consulting and Audit_121116_17_v1.0

Functional Requirements (2/2)

• These requirements address those needs that are regularly defined so as to adhere to the specific operational processes or to the management analysis requirements of the specific organization, and in this way enable a better calibration of the selection and of the related costs.

• It would be useful to associate with the functional requirements a graded assessment (ranking) that reflects the importance of the described function.

Page 605: RP_IT Consulting and Audit_121116_17_v1.0

User Requirements (1/2)

• The needs should include a specification of any user requirements conditioning the identification of compatible solutions.

• These user requirements are normally dictated by market practices, regulatory constraints or organizational policies.

Page 606: RP_IT Consulting and Audit_121116_17_v1.0

User Requirements (2/2)

• In detail, user requirements relate to:
– the means of interaction with the application by the end user (online, off-line, batch);
– the characteristics and quality of the user interfaces (graphical / character based, assisted - with help - / non-assisted, ...);
– the system user documentation (user manuals, training courses, self-study, classroom courses, ...);
– the system performance (response time for on-line transactions, elapsed time and batch scheduling, volumes of data to be processed, ...);
– the administration and parameterization of the system procedures (whether the parameterization of the system should be maintained directly by the user or not, and with which kind of functionality and interface: metabase, automatic documentation systems, navigation systems on metadata and data, possibility to define user functions, ...);
– the security profiles, both on portions of data and on functions.

Page 607: RP_IT Consulting and Audit_121116_17_v1.0

Technological Requirements (1/3)

• In an evolved organizational context, with respect to the maturity of the managed processes, specific architectural standards should exist and be defined with the objective of:
– Acquiring ex-ante significant cost synergies through the definition of architectures and supporting technologies, consequently scoping the skills needed for the functioning of IT;
– Acquiring greater bargaining power with respect to technological suppliers by explicitly concentrating on defined technologies, on which to direct the most significant investments;
– Limiting the technological risks related to the introduction of specific technologies.

Page 608: RP_IT Consulting and Audit_121116_17_v1.0

Technological Requirements (2/3)

• By the term technological standard we mainly refer to:
– Environments, like operating systems: z/OS on IBM mainframes, UNIX, MS Windows, Linux, etc.;
– DBMS per environment and kind of application;
– Application architecture (Legacy/SOA/...);
– Integration middleware (or robot);
– ETL and BI tools;
– Security, performance monitoring, system log and anomaly signaling standards;
– Change management processes (test and production management).

Page 609: RP_IT Consulting and Audit_121116_17_v1.0

Technological Requirements (3/3)

• Of course, the existence of technological standards does not imply a systematic adaptation of the solutions to these standards; the possible conflicts between existing standards and the technologies used by the solutions under analysis should, however, trigger a specific process for estimating the extra costs linked to the adoption of any non-standard component. These costs would naturally affect the cost-benefit analysis.

Page 610: RP_IT Consulting and Audit_121116_17_v1.0

Integration Requirements (1/2)

• The inclusion of any application in an existing information system involves the implementation of appropriate and specific integration processes.

• These processes can be carried out through specific standard components of the application architecture or through the creation of "custom components".

• It is possible that the integration process and the related set-up costs depend on the specifics of the alternative solutions under analysis, and therefore their definition and quantification affect the choice of the application as well as the quantification of the investments.

Page 611: RP_IT Consulting and Audit_121116_17_v1.0

Integration Requirements (2/2)

• In any case we expect that integration processes are described through specifications that highlight:
– The data to be extracted/sent, and from/to which procedures;
– The interchange modes (synchronous – real time, asynchronous – daily batch, etc.) with other applications, and the use of standard components (middleware) or custom ones;
– The means of control of the flows between different applications (audit trail).

Page 612: RP_IT Consulting and Audit_121116_17_v1.0

Quality evaluation (1/3)

• The assessment of alternative solutions requires a rigorous process that predefines the methods of analysis, the metrics and the methods of equalization of the identified measures. The widely diffused practice of using check lists, put together from time to time in a contingent way, guarantees neither the quality nor the uniformity of the assessments.

• The preparation of a structured interpretation scheme capable of covering all the elements of assessment for the qualitative part, sorting them by homogeneous topics and synthesizing them according to defined criteria, allows for a systematic comparison of alternative solutions. It is important, however, to compose a homogeneous comparability profile, identifying and estimating uneven functions, once again through a specific and well-defined process of elaboration of the specific requirements.

Page 613: RP_IT Consulting and Audit_121116_17_v1.0

Quality evaluation (2/3)

• In fact the analysis of need satisfaction and of the subsequent level of required customizations allows solutions to be categorized based on the following scenarios:
– Need satisfaction, when detailed estimations and customization feasibility analysis are possible;
– Need modification, based on the absence of detailed intervention estimates;
– Solution exclusion, when a fundamental functionality is missing.

Page 614: RP_IT Consulting and Audit_121116_17_v1.0

Quality evaluation (3/3)

• The qualitative evaluation could allow for a first screening and exclusion of the solutions that are less aligned with the needs. However, it does not allow «acceptable» alternative solutions, those potentially capable of satisfying the defined needs at least from a quality perspective, to be compared with one another.

• It is in fact necessary to complete the assessment on the basis of different evaluation elements.

Page 615: RP_IT Consulting and Audit_121116_17_v1.0

Effort (1/8)

• The evaluation of the economic effort invested in IT solutions should be based on well-defined and solid processes which, for each solution in the short list, can estimate the following costs:
– costs directly related to software acquisition;
– costs associated with the project of making the application operative;
– indirect costs of the associated technological chain;
– recurrent operation, application management and facility management costs.

Page 616: RP_IT Consulting and Audit_121116_17_v1.0

Effort (2/8)

• In general terms, these costs can be actual (external) or internal, depending on whether we proceed with the acquisition of third-party services rather than using internal capacity. In any case the valorization of internal resources should be made on the basis of defined and approved standards that enable an optimum allocation of resources, internal or external.

• In practice it is not uncommon that internal human resources and hardware overcapacity are not valorized. This logic could lead to a misallocation of the available budgets, i.e. of the existing investment capacity.

Page 617: RP_IT Consulting and Audit_121116_17_v1.0

Effort (3/8)

• The costs referred to above should constitute the input of a specific application software investment calculation model, with the aim of defining the initiative's contribution to the ROI.

• The model should furthermore provide an accurate and comprehensive grid of the cost items to be estimated, in order to limit the room for "discretion" of the project groups and reduce the tendency to underestimate the investment. For estimates to be reliable and acceptable it is necessary to supervise a process capable of producing, controlling and historicizing on an ongoing basis the basic information (KPIs) required by those estimates, also considering the limited duration of a software selection project.

Page 618: RP_IT Consulting and Audit_121116_17_v1.0

Effort (4/8)

• Normally the costs directly related to software acquisition are defined correctly; they should not in fact be estimated but simply acknowledged from the suppliers.

• The project costs related to the application set-up must instead be estimated. It is possible that, especially in cases where major customization and integration interventions must be planned for the application under selection, these costs are underestimated. During the software selection a sufficient customization gap analysis is rarely performed: once the software has been selected and the investment decision taken, there should be a further "go / no go" phase at the end of the customization design phase, i.e. at the beginning of the project implementation.

Page 619: RP_IT Consulting and Audit_121116_17_v1.0

Effort (5/8)

• At this stage of the project it remains possible to re-evaluate the investment's real costs and possibly stop the work. Appropriate clauses in the contracts with the suppliers involved in the project could "protect" the investment by expressly allowing for a stop of activities within a limited and defined time period and the consequent cancellation of existing obligations.

• In practice it is rare that such options are present in the project plans, or that they are "forced" by the existing organizational processes. Once the investment and the committed budget have been defined and approved, stakeholders seem completely focused on meeting the project's deadlines. The rationale underlying this understandable attitude is the assumption that the project estimates are "correct" and that only operative execution activities are crucial.

Page 620: RP_IT Consulting and Audit_121116_17_v1.0

Effort (6/8)

• In reality, the most significant budget "overruns" occur due to poor estimates of the required customization/integration activity commitment. During the software selection project it isn't always possible to carry out really reliable in-depth analyses. This possibility exists, however, in the phases immediately following the choice, but obviously the implementation work plans should be configured to account for this option.

• The indirect hardware or software costs that come along with the choice of a certain investment aren't always completely identified during the software selection. In general, there is no established standard that "conditions and constrains" the activities of estimation of all hardware and software components. In this case, investments are underestimated, and the choice between alternative applications may be distorted.

Page 621: RP_IT Consulting and Audit_121116_17_v1.0

Effort (7/8)

• Recurring application management and facility operative costs directly tied to the adoption of a new solution are rarely estimated. These costs are not identified and end up impacting current management. They nevertheless constitute an important part of IT costs. They are generated by:
– The existence of a new solution;
– The architecture in which the solution is installed;
– The basic software it uses, and whether or not it is in line with the approved architectural standards;
– The intrinsic quality of the application.

Page 622: RP_IT Consulting and Audit_121116_17_v1.0

Effort (8/8)

• Where possible, the drivers used during the software selection to estimate recurring costs (CPU consumption, etc.) should be stated by contract in order to allocate part of the estimation and quality risks to the supplier.

• Recalling the above-mentioned cost categories, it is possible to break down IT costs into more detailed and specific items.

Page 623: RP_IT Consulting and Audit_121116_17_v1.0

Effort directly related to software purchase

• Costs that are directly related to software purchase are:
– The license costs or the periodic rental fees of the software product, which naturally have a different impact on the capital budget and on the yearly income statement: with the first the full cost is charged, with the second only the current year's depreciation is charged. The license and maintenance costs would be replaced, in situations where the software is managed through full outsourcing, by a specific and unique fee.

Page 624: RP_IT Consulting and Audit_121116_17_v1.0

Effort: costs related to the application's regular functioning project

• Costs related to the application's regular functioning project:
• Effort to parameterize the main software;
• Effort of product customization;
• Effort of product integration with the specific context.

• These costs are related to all the actions necessary to implement the selected software. They may vary among the selected solutions in relation to the following variables:
• Covered functions;
• Existence of native integration components;
• Technological components of the solution.

Page 625: RP_IT Consulting and Audit_121116_17_v1.0

Effort: indirect costs of the associated technological chain

• Indirect costs of the associated technological chain:
– By "technological chain" we mean to refer to all those requirements, such as basic software, hardware and telecommunications, directly related to the adoption of the "investigated" solution. We are therefore talking about the costs of:
• licenses and related maintenance fees, accessories to the main software product, such as DBMS, operating systems, middleware, etc.; in some cases it may be necessary to conduct a simple upgrade of existing licenses, in others to go back to a first supply;
• hardware infrastructure: these components may be purchased or leased. Alternatively, the requirements could be met through full outsourcing. In any case, the cost of installation and configuration of the components used should be added;
• processing resources, such as disks and other storage media, MIPS and CPU. In practice, these costs are not always estimated and explained, although they constitute a significant component of facility management costs. The estimate cannot be improvised and can only take place in a particularly mature organizational context, because of the need to acquire a significant and critical series of basic measures. Some KPIs used to make these estimates may, once defined, be included as parameters of the license contracts with the aim of governing the possible performance degradation of these applications.

Page 626: RP_IT Consulting and Audit_121116_17_v1.0

Effort: recurring operative costs

• Recurring operative costs:
– These costs regard the following operative issues:
• Maintenance fees of the main software and accessories (if not outsourced);
• Application management of the main software and accessories (if not outsourced);
• Maintenance fees of the hardware components involved in the application (if not in facility management);
• Commitments related to the increase of operational management activities (if not outsourced);
• Any pro-quota facility management fee (if outsourced).

Page 627: RP_IT Consulting and Audit_121116_17_v1.0

Global IT costs

• The listed costs, once estimated, are the elements on which to calculate the "Global IT costs". This cost allows:
• the various solutions and offerings of suppliers to be compared, in a context of actual usability; of course the eventual prevalence of a solution implies the identification of a package and a supplier;
• the value created by the investment to be assessed, through a comparison of the benefits associated with the alternative solutions under investigation.

• The calculation of the Global IT cost must consider the project timings, define the moment of actual production of the solution and the average life of the related application procedure, in order to proceed with the discounting of the foreseeable cash flows, according to the rough schematization shown in the following table.

source: The Innovation Group

Page 628: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (1/7)

• In terms of IT Global Cost, the missed valorization of internal costs can lead to misleading results whenever one should proceed to comparisons among solutions requiring a mix of different skills.

• In practice, internal costs, human resources and hardware components are often not considered or are underestimated, and this leads to sub-optimal choices or even to choices that destroy value. Any internal overcapacity should not detract from the importance of estimating all the cost components. In the medium term, moreover, any overcapacity could be reduced to zero and implicit internal costs could become explicit external costs.

Page 629: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (2/7)

• Over time some IT governance methodologies have been developed which are directed towards the identification and estimation of the IT department's costs and their subsequent allocation over projects, procedures and organizational structures.

• In particular these methodologies concentrate on the estimation of internal staff costs and require the following to be defined:
– The existing internal professional figures and related competencies;
– The internal resources' skills;
– Guidelines aimed at:
• identifying which internal competences are needed for the project;
• quantifying the project commitment (effort) and the operative commitment (continuous functioning) of each professional figure;
• structuring and maintaining a standard cost system associated with each internal professional figure.

Page 630: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (3/7)

• Personnel costs should also be charged with any expenses related to the "standard equipment" necessary for internal resources to work effectively. The daily standard cost of the resource should therefore consider an estimate of the portion of the fees (actual or imputed) related to:
– the office (including rent and utility costs: heating, lighting, cleaning);
– the workstation (personal computer, application software, telephony, etc.);
– etc.

• All standard costs must be taken from the Cost Allocation system of the Management Control Office.

Page 631: RP_IT Consulting and Audit_121116_17_v1.0

Internal and externalproject costs (4/7)

• The same logic, once developed for the internal structure, can be used to evaluate offers from suppliers. The implicit structure of analysis and classification can in fact be adopted to verify, for example, offers regarding development activities:
– development, configuration and customization of the application software;
– operations management (both application-related and related to business management activities);
– maintenance.

• These methods can be adapted to the software selection process by requiring suppliers to adopt them, which makes the identified solutions more comparable and improves the "reading" of the terms and content of the proposed offering.

Page 632: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (5/7)

• In practice these procedures allow possible anomalies to be identified regarding:
– Overestimation of man-days effort: presence of unnecessary activities or use of excessively senior professional figures;
– Underestimation of man-days effort: missed identification of necessary activities or use of resources with lower than optimal skills.

• Furthermore, matching the professional profiles of external resources against the specific internal ones and their standard costs makes it possible to:
– Evaluate the supplier's real experience;
– Identify apparent dumping that hides «anomalous» behaviours, such as:
• the systematic inflation (over-structuring) of the necessary man-days;
• the employment of professional figures that are not coherent with the project requirements.

Page 633: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (6/7)

• On big projects it is possible to overestimate project effort in order to over-bill the man-days actually invested: in these contexts it is really difficult to achieve complete control over the supply side.

• The daily fee of a professional figure does not, on its own, discriminate between supply offers; a different configuration of the project team can affect productivity.

Page 634: RP_IT Consulting and Audit_121116_17_v1.0

Internal and external project costs (7/7)

• It is therefore advisable to base the choice on global costs, using unit cost parameters per professional figure to evaluate the supplier's approach.

• This is all the more important in the frequent cases in which the «supply cost» is not closed (turnkey) but is recalculated on the basis of the activities actually performed; in these situations a «low» unit price could distort the selection without allowing for actual savings.

Page 635: RP_IT Consulting and Audit_121116_17_v1.0

Elapsed (1/2)

• Any investment should be evaluated with regard to its duration and usefulness with respect to the availability of the underlying good/service. Investment in software is no exception to this logic, and it is necessary to consider:
– the possible time-to-market of initiatives enabled by the investment, for example in the case of production of new products and services;
– any deadlines set out in the business plan (normally communicated to the financial community), in particular for all savings operations;
– deadlines derived from regulatory requirements (such as the IAS accounting principles, MiFID, Basel II, 262, and Solvency II).

Page 636: RP_IT Consulting and Audit_121116_17_v1.0

Elapsed (2/2)

• In order for the programmed returns from IT investments to meet their deadlines, the project schedule must be respected.

• We recall here some key elements of effective program management.

Page 637: RP_IT Consulting and Audit_121116_17_v1.0

Project Deadline (1/2)

• The deadlines of an IT project implementation affect and constrain the selection process among alternative solutions.

• It is important to remember that implementation activities are:
– not compressible beyond a certain level;
– often conditioned by each other in ways that define a critical path which is also not compressible;
– constrained by the availability of certain skills in a specific timeframe.

Page 638: RP_IT Consulting and Audit_121116_17_v1.0

Project Deadline (2/2)

• For example, the production release of an application:
– is conditioned by the duration of the operational Change Management processes (themselves conditioned by the productive capacity of the organizational structure in charge) and by the level of customization required;
– must be preceded by the testing activities, a task usually assigned to very specific user resources, which at certain times of the year may not be available (e.g. General Accounting resources during the financial year-end closing).

• Every project solution is characterized by a plan that entails different deadlines, potentially incompatible with the defined project deadline.

Page 639: RP_IT Consulting and Audit_121116_17_v1.0

Project planning (1/3)

• The deadline verification is done during the project planning activities.

• A mature organization should define and approve a structured approach to project planning with which to support internal planners and guide possible external ones.

Page 640: RP_IT Consulting and Audit_121116_17_v1.0

Project planning (2/3)

• In this sense the person responsible for planning should:
– Define standard project planning stereotypes, identifying and categorizing them as a function of:
• the kind of project or scope (new application installation, application replacement, change of technological-applicative architecture, etc.);
• project size (small, medium, large project).
– Identify and estimate, for each standard project stereotype:
• the necessary activities and temporal ties (critical path);
• the main milestones, including those related to estimating customization activities (as the Effort phase of QEERB requires);
• the skills (and therefore the business structures that supply competencies).
– Keep historical series of estimates and related actual values in order to improve and refine the related KPIs.

Page 641: RP_IT Consulting and Audit_121116_17_v1.0

Project planning (3/3)

• These standards can ease planning processes and make them solid, allowing for:
– customization of the standard project stereotypes:
• defining the effort estimates with the corporate structures that provide skills;
• identifying resources (internal/external) that possess the necessary skills and verifying their availability;
• identifying and sharing the final project deadlines with the stakeholders of the IT solution to implement.
– directing and monitoring any project schedules defined by suppliers:
• reviewing the project plans that do not meet the deadlines of the internal project planning;
• highlighting the faults of project schedules that differ from the stereotypes in terms of activities, type of resources and reference KPIs.

• A solid project planning activity requires it to be engineered and organized into well-defined processes.

Page 642: RP_IT Consulting and Audit_121116_17_v1.0

Evaluation indicators (1/2)

• Deadline satisfaction can be evaluated through a synthetic index that highlights the degree of fit with the defined deadlines.

• The minimum requirements that a deadline fitting indicator should satisfy are:
– it assumes its maximum value (100%) when there is a perfect match between the deadlines of the analyzed solution and those planned internally;
– it accounts for gaps between planned deadlines and solution deadlines (fitting errors) relative to the duration of the reference activities, allowing for:
• highlighting the degree of deviation for each activity by comparing the deviation to the time length of the activity (the error is more important if related to shorter activities);
• comparing deviations among different activities.

Page 643: RP_IT Consulting and Audit_121116_17_v1.0

Evaluation indicators (2/2)

• The indicator is particularly useful when several alternative solutions are to be compared in the context of a software selection process.
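One possible deadline fitting indicator that meets the minimum requirements listed above and compares two alternative solutions, as in the software selection use just described. This is an added example, not code from the original slides; the activities, dates, supplier names and the 1 / (1 + error) shape of the per-activity fit are assumptions.

```python
"""Deadline fitting indicator for comparing alternative solutions.

Added example, not part of the original slides: one possible formulation
that satisfies the minimum requirements stated above. The activities, dates,
supplier names and the 1 / (1 + error) shape of the per-activity fit are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Activity:
    """One activity of the internal project planning stereotype."""
    name: str
    duration_days: int   # planned length of the activity (days assumed)
    planned_end: date    # deadline from internal planning


def fitting_error(activity: Activity, solution_end: date) -> float:
    """Relative fitting error: absolute deviation in days divided by the
    activity's own duration, so the same slip weighs more on a short activity."""
    if activity.duration_days <= 0:
        raise ValueError(f"{activity.name}: duration must be positive")
    deviation_days = abs((solution_end - activity.planned_end).days)
    return deviation_days / activity.duration_days


def activity_fit(activity: Activity, solution_end: date) -> float:
    """Per-activity fit in (0, 1]: exactly 1.0 on a perfect match and
    decreasing as the relative error grows (assumed shape 1 / (1 + error))."""
    return 1.0 / (1.0 + fitting_error(activity, solution_end))


def deadline_fitting_index(plan, solution_ends) -> float:
    """Synthetic index in percent: the mean of the per-activity fits.

    It is 100% only when every solution deadline equals the planned one;
    a missing activity in the solution schedule is an error, not a 0 fit.
    """
    if not plan:
        raise ValueError("empty plan")
    fits = []
    for activity in plan:
        if activity.name not in solution_ends:
            raise KeyError(f"solution has no deadline for {activity.name!r}")
        fits.append(activity_fit(activity, solution_ends[activity.name]))
    return 100.0 * sum(fits) / len(fits)


def deviation_report(plan, solution_ends):
    """Per-activity (name, signed slip in days, relative error), worst first,
    so the most significant deviations are highlighted for discussion."""
    rows = []
    for activity in plan:
        end = solution_ends[activity.name]
        slip = (end - activity.planned_end).days
        rows.append((activity.name, slip, round(fitting_error(activity, end), 3)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def compare_solutions(plan, candidates):
    """Rank alternative solutions by fitting index, best first."""
    ranked = [(name, round(deadline_fitting_index(plan, ends), 2))
              for name, ends in candidates.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample data: an internal planning stereotype and two supplier
# schedules (names and dates are invented for the example).
PLAN = (
    Activity("Analysis", 20, date(2012, 3, 30)),
    Activity("Customization", 60, date(2012, 6, 29)),
    Activity("User testing", 10, date(2012, 7, 13)),
    Activity("Go-live", 5, date(2012, 7, 20)),
)
PLANNED_ENDS = {a.name: a.planned_end for a in PLAN}
CANDIDATES = {
    # Supplier A slips customization by 6 days on a 60-day activity.
    "Supplier A": {**PLANNED_ENDS, "Customization": date(2012, 7, 5)},
    # Supplier B slips user testing by 5 days on a 10-day activity:
    # fewer days lost in total, but a larger error relative to the activity.
    "Supplier B": {**PLANNED_ENDS, "User testing": date(2012, 7, 18)},
}

if __name__ == "__main__":
    for name, index in compare_solutions(PLAN, CANDIDATES):
        print(f"{name}: fitting index {index}%")
        for activity, slip, error in deviation_report(PLAN, CANDIDATES[name]):
            print(f"  {activity:<14} slip {slip:+d} days  relative error {error}")
```

Supplier B loses fewer calendar days overall but ranks lower, because its slip falls on a short activity, which is the behaviour the second requirement asks for.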

Page 644: RP_IT Consulting and Audit_121116_17_v1.0

Risk (1/3)

• In general terms, the ex-ante estimates of Quality, Effort and Elapsed involve risk-taking because of the possibility that the project predictions will not actually come true.

• A risk analysis must consider the main types of risk that exist, such as:
– Supplier risk, deriving from the degree of current and potential reliability of a certain supplier (size, competencies, methodological approach, history, market position, reputation, etc.);
– Technological risk, deriving from the use of obsolete or immature technologies;
– Risks deriving from a possible lack of internal skills;
– Time risks, related to possibly short project durations (no catch-up time);
– Size risks, related to the number of activities, their complexity and scope (project complexity risks).

Page 645: RP_IT Consulting and Audit_121116_17_v1.0

Risk (2/3)

• Risk analysis must also account for the impacts on the estimates regarding:
– Quality:
• solution not aligned with the defined needs (with consequent invalidation of the customization estimates); the impact of this risk should be reduced by a specific milestone, in the first weeks of the project, verifying the defined and planned performance;
• inadequate or unusable functionalities, or functionalities not compliant with user specifications;
– Effort (Costs):
• unexpected and significant deviations between planned (budget) and actual project and management costs;
• unexpected increase in information system management costs determined by:
– low quality of the application software;
– mismatch between the implemented solution and the architectural and technological characteristics declared (during selection);
– Elapsed:
• failure to meet the release or production dates of the new application.

Page 646: RP_IT Consulting and Audit_121116_17_v1.0

Risk (3/3)

• Each project plan should highlight the risks associated with the initiative and discuss the existing contingencies and possible mitigation actions. This applies even more during the software selection process, for each solution analysed.

Page 647: RP_IT Consulting and Audit_121116_17_v1.0

Benefit (1/3)

• The assessment of the benefits resulting from an investment in application software is quite complex. However, a careful reconciliation of qualitative motivations with quantitative elements is essential in an investment appraisal process that operates under economic and time constraints.

• In general terms the reasons that require the implementation of a new application solution are attributable to the following:
– process, operational, governance or compliance automation;
– support for the commercialization of new products/services;
– internal/external communication;
– technological obsolescence.

Page 648: RP_IT Consulting and Audit_121116_17_v1.0

Benefit (2/3)

• The value created by an investment in applications is a function of the impact the application solution has on the corporate system. Not all the needs that one intends to address with the adoption of an application solution can be directly related to quantifiable benefits; approximations are therefore needed to collect a set of sufficiently objective results, meaning results capable of inducing a substantially conscious choice.

• It is possible to assume that the expected benefits from an IT investment are attributable to some typical categories. The following table shows some of these benefits.

Page 649: RP_IT Consulting and Audit_121116_17_v1.0

Benefit (3/3)

Qualitative Benefits | Prevailing Organizational Implications | Economic Impact
Decreased execution time | Improved service for the final customer; improved human resource management | > Returns (products/services sold); < Staff costs
Decreased crossing times | Improved service for the final customer | > Returns (products/services sold)
Decreased execution and crossing times | Greater volumes treated | > Returns (products/services sold)
More information availability | Improved human resource management; improved decision making | < Staff costs; < Risk (operative, market, credit)
Service improvement (internal) | Improved human resource management; greater technological efficiency | < Staff and administration costs; < Risks (operative)

Source: The Innovation Group

Page 650: RP_IT Consulting and Audit_121116_17_v1.0

The Return on Investment (1/3)

• The QEERB protocol, once applied in a software selection process, produces the following results:
– it identifies one or more solutions that are coherent with the needs established at the beginning of the process;
– it makes explicit the global IT cost, the estimated solution revenue and the risks associated with each evaluated solution.

• The first result allows a homogeneous comparison between the evaluated options, making it possible to compare the costs and revenues associated with each alternative.

Page 651: RP_IT Consulting and Audit_121116_17_v1.0

The Return on Investment (2/3)

• The methods used in calculating the Global IT Cost and the Estimated Solution Revenue allow the investment margin and its return (Return on Solution, ROS) to be calculated according to the following scheme:

• The ROS naturally highlights the relationship between the costs of the IT investment and the benefits deriving from its implementation. In general it is reasonable to expect an alignment between the ROS and the company's target ROE.

• An efficient organization should generally give up alternatives with a negative ROS.

• In the case of mandatory initiatives, the ROS may always be negative; in this case the evaluation of the differential benefits should guide towards the most convenient solution.

ROS = (“Estimated Solution Global Revenue” – “Global IT Cost”) / “Estimated Solution Global Revenue”

Page 652: RP_IT Consulting and Audit_121116_17_v1.0

The Return on Investment (3/3)

• As said, the QEERB protocol associates each investment with a specific risk profile, generally in qualitative terms. With the same ROS, the risks involved in each solution become the main decision driver, guiding towards the less risky solution.

• In cases in which the ROS and the related risk profiles are quite different, it is necessary to weight the ROS by the associated risk, using a standard scale defined on the basis of historical experience.

Page 653: RP_IT Consulting and Audit_121116_17_v1.0

NEW SCENARIOS

Page 654: RP_IT Consulting and Audit_121116_17_v1.0

WW Growth from 2008-2012: Technology is a catalyst

[Chart: worldwide growth multipliers (from 1.1X to 8.4X) for IT Staff (000), Servers (M), Mobile Internet Users (M), Non Traditional Devices (M), Information (EB) and User Interactions (B per Day); drivers noted: Efficiency, Resource Sharing, Complexity, Economy of Scale, Off Premises.]

Source: The Innovation Group

Page 655: RP_IT Consulting and Audit_121116_17_v1.0

“Traditional” Information Management

[Diagram: Enterprise Business Applications feeding Data Warehouses, which serve Reporting/DSS and the Executive KPI Dashboard.]

Source: The Innovation Group

Page 656: RP_IT Consulting and Audit_121116_17_v1.0

“Pervasive” Computing

[Chart: Nr. of devices destined to worldwide communication (millions), 2005-2015, by category: Computers, Phones, Toys, Games, Cars, Videocameras, VoIP, GPS, Buildings, Readers, TV, Equipment; y-axis from 0 to 8,000.]

Source: The Innovation Group

Page 657: RP_IT Consulting and Audit_121116_17_v1.0

Changing the Landscape

• Blades, Grid
• Big Data, Web Apps
• Cloud, Web 2.0
• VoIP, IP Networking
• Fixed & Mobile Convergence, Unified Communications
• Social Networks, Virtual Worlds

Source: The Innovation Group

Page 658: RP_IT Consulting and Audit_121116_17_v1.0

The software quality breakthrough

… from a complexity crisis to…

– Web 2.0

– Software as a Service/CloudComputing

– “composite” Applications

– Service Oriented Architecture

– Open Source

Source: The Innovation Group

Page 659: RP_IT Consulting and Audit_121116_17_v1.0

Value chain integration

Strategies that are only based on technology don't work

Source: The Innovation Group

Page 660: RP_IT Consulting and Audit_121116_17_v1.0

next generation IT

• Optimized Sourcing
• Variable Cost Structure
• Managed Like a Business
• Service-Oriented, Loosely-Coupled Web 2.0 Architecture
• Extensive Leverage of Standard “Commodity” Components
• Business Process-Centered Strategy & Operations

Source: The Innovation Group

Page 661: RP_IT Consulting and Audit_121116_17_v1.0

Utility/Cloud Computing Ecosystem

[Diagram: Users (roaming devices, wireless “smart” office, wireless “smart” home) reached directly or through a Channel by the “Utility”/Cloud Service Provider, which operates Networked “Internet” Data Centers supplied by “Arms” Suppliers: HARDWARE (Storage, Server, Network) and SOFTWARE (Digital Media, Business applications, Systems management, Middleware).]

Page 662: RP_IT Consulting and Audit_121116_17_v1.0

[Diagram: INFORMATION TECHNOLOGY SUPPORTS BUSINESS STRATEGY; BUSINESS STRATEGY DETERMINES INFORMATION TECHNOLOGY.]

Source: The Innovation Group

LESSON #1 – THE POWER OF IT: business pervasiveness

Page 663: RP_IT Consulting and Audit_121116_17_v1.0

We need a new view of IS to become an intelligent enterprise

• The goal is to increase the productivity of all business processes:
– operative transactional structured/structurable processes: what matters is the efficiency and focus of the enterprise applications;
– operative semi-structured processes and “information/knowledge intensive” managerial and decisional processes that are not structured/structurable, present in many low-volume functions, which turn out fragmented and with high levels of interaction and cooperation.

• IS first focused on operative processes; they are now being redirected to the individual productivity of knowledge workers.

• The new platforms for information access and use can unlock greater productivity for knowledge workers and improve the efficiency of managers' decision-making processes.

Page 664: RP_IT Consulting and Audit_121116_17_v1.0

Building a social media strategy

• A strategy to interact…

[Diagram: Corporate Website interacting with Social Media/Networks.]

Source: The Innovation Group

Page 665: RP_IT Consulting and Audit_121116_17_v1.0

… we need a strategy to move towards the Social

[Diagram: maturity path of the Corporate Website, from no social integration to seamless integration:]
– No social integration
– Link away with no strategy
– Link away but encourage sharing
– Brand integrated in social channels
– Aggregate discussion on site
– Users stay on site with social log-in
– Social log-in triggers sharing
– Seamless Integration

Source: Altimeter Group

Page 666: RP_IT Consulting and Audit_121116_17_v1.0

CIO: challenges for the IT division

• CIOs must learn how to do IT «marketing»
• IT governance is fundamental
• Does the company already have the necessary competencies?
• Are the market and the offering aligned with the customers' requirements?

[Chart, CIO/IT Responsible (shares of respondents between 55% and 81%): Optimize the use of resources; Ensure IT governance; Communicate effectively; Interact with BU managers.]

[Chart, Internal IT Staff (shares between 50% and 70%): Alignment of existing skills with the required competencies; “Do More with Less People”; Ability to interact with BU managers; Less Task Mgmt, more Project Mgmt.]

Page 667: RP_IT Consulting and Audit_121116_17_v1.0

Business Priorities

[Chart: two panels of business priorities (multiple responses; shares between 24% and 83% in the first panel and between 28% and 75% in the second): Corporate Social Responsibility; Organization and Processes; Human Resources Development; Planning & Forecasting; Economic and financial efficiency; Increase in internal productivity; Time-To-Market; Customer Service.]

Source: IDC survey of CIOs of Italian companies, 2008. Multiple responses.

Page 668: RP_IT Consulting and Audit_121116_17_v1.0

The role of IT

[Chart: two panels showing, for each business priority (Corporate Social Responsibility; Organization and Processes; Human Resources Development; Planning & Forecasting; Economic and financial efficiency; Increase in internal productivity; Time-To-Market; Customer Service), the share of CIOs rating the IT role as “Primary” versus “As decisive as other strategies”; values between 5% and 55%.]

Source: IDC survey of CIOs of Italian companies, 2008. Multiple responses.

Page 669: RP_IT Consulting and Audit_121116_17_v1.0

Business and IT alignment and the CIO: is the worst yet to come?

• The crisis is having a negative impact but demands more speed of change from the CIO: the CIO as a "BOXER": defend, then attack quickly.
• An equivalent evolution of the LOBs and Top Management is also needed.
• Compliance issues become a more important and strategic landscape.
• Supply and Demand = Customer-Supplier Partnership??

[Chart: two survey panels (shares between 31% and 70%, and between 27% and 80%) on the following statements:]
– The CIO/IT manager is a fixed presence in the company's decision-making committees
– The relationship with vendors is still customer-supplier and does not yet have a partnership profile
– The alignment between Business and IT is increasing
– The CIO/IT manager's competencies in the economic and financial management of IT assets and in “compliance” matters must be greater
– The CIO/IT manager must communicate better with the LOBs; the LOBs must understand more about IT functions and processes

Page 670: RP_IT Consulting and Audit_121116_17_v1.0

Mobile, BI, data, and cloud are seen as the source of the most disruptive change

Forrester, 2011

Page 671: RP_IT Consulting and Audit_121116_17_v1.0

How IS Add Value to Intelligence

Leverage the Social Media

Seek Feedback on New Product Development

Create Buzz Marketing to Beat the Competition and Blogs

Source: The Innovation Group

Page 672: RP_IT Consulting and Audit_121116_17_v1.0

Interactive Engagement

The Internet is an Organic Test Lab

IS don’t Need to Hole Up in their Ivory Tower

Source: The Innovation Group

Page 673: RP_IT Consulting and Audit_121116_17_v1.0

Interactive Engagement

Collaborate with Management in Real Time

Leverage the Social Media to Beta Test and Ask for Solutions

Source: The Innovation Group

Page 674: RP_IT Consulting and Audit_121116_17_v1.0

Be Open to the Discovery Process

The Social Media Spawns Epiphanies

Real Time Conversations of Ideas

Can Move the Original Plan in an Entirely New Direction

Apply Zen

Source: The Innovation Group

Page 675: RP_IT Consulting and Audit_121116_17_v1.0

Management and Consultant Must Resolve to Execute Iteratively

So Consulting doesn’t become a Navel Gazing Exercise

4. Level the IS – USER Relationship

Source: The Innovation Group

Page 676: RP_IT Consulting and Audit_121116_17_v1.0

The role of skills

Hard Skills
• Technical skills
• Market skills
• Methodological skills

Soft Skills
• Relational skills
• Analytic skills
• Standing
• Interrelations
• Evolving vision

Page 677: RP_IT Consulting and Audit_121116_17_v1.0

Cloud computing: just the definition

“Cloud computing is a model that enables on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort.”

National Institute of Standards and Technology (U.S.)

[Diagram: five essential characteristics (On-demand self service; Ubiquitous network access; Resource sharing; Rapid elasticity; Measured services); 3 Delivery models: IaaS, PaaS, SaaS; 4 Distribution models: Private, Community, Public, Hybrid.]

Source: The Innovation Group

Page 678: RP_IT Consulting and Audit_121116_17_v1.0

Why cloud computing is a structural change

• Technological factors
– Growth and broadband availability
– Widespread use of virtualization technology
– Drastic reduction in computing and storage costs
– Mobile revolution and the diffusion of smart devices

• Economic factors and managerial practices of the ICT industry
– New ways to develop software (software design by components, SOA, etc.)
– The financial crisis and lack of liquidity make investment models with low fixed costs and higher variable costs more attractive
– A managerial mentality holding that models based on access to services and content, rather than possession, and on ubiquity are more attractive
– Strong investments in ICT worldwide

Page 679: RP_IT Consulting and Audit_121116_17_v1.0

Cloud economy and sociology

1. Agglomeration economies:
– “the total computing capacity of enterprises tends to be equal to the sum of the peaks that must be sustained by the single businesses”
– In Italy 70% of IT expenses are related to maintenance
– Through agglomeration, IT providers can achieve significant scale economies, and users, exploiting territorial (business networks) and supply chain concentration logics, can benefit in management costs and choice flexibility
– HOW MUCH CAN WE SAVE WITH CLOUD COMPUTING? Remember that agglomeration is symmetrically related to diffusion effects.

2. Diffusion effects:
– If agglomeration exerts and manifests its effects on the basic system components in the IaaS and PaaS views, it also creates a leverage effect in expanding the spectrum of application and service offerings, which then frees itself from the limitations of the technological infrastructure and becomes merely functional to business and process logics.
– Under this perspective the obvious savings granted by consolidation are coupled with advantages in terms of simplification of the selection criteria, which are freed from technological conditions, and with a widening of the range of opportunities for the use of added-value services, which need not be accompanied by related infrastructural burdens.

3. Homogenization effect:
– Cloud Computing can bypass system fragmentation in companies, favouring standardization, enabling interoperability and finally overcoming resistance to application cooperation and the «data possession» syndrome.

4. Innovation effect:
– A company that also invests part of its resources in innovative technologies, architectures and services strongly contributes to the qualification of its Country System's demand profile.

5. Extension effect:
– The Cloud is already accelerating. Part of the PA (public administration) and of the entrepreneurial world is already migrating towards this technology. The problem remains how to govern these processes.

Page 680: RP_IT Consulting and Audit_121116_17_v1.0

Transforming an ICT services company into a «Cloud Solution Provider»

A series of business activities and functions must be examined and evaluated, using a set of models as analytic tools, to carry out an assessment useful for identifying the transformation roadmap:
1. service/offering model (IaaS, PaaS, AaaS, SaaS) and (product, solution)
2. product/production model (applicative, operative, managerial)
3. governance model for the «Solutions Plant» (organizational, processes)
4. sale/channel model (direct, Reseller/VAR agents, Claps Community Partner/CloudApps catalog)
5. market model (end market - cross/selected, two-sided market/ecosystem)

As emerged from the meeting, we will focus on point 3, using 1 and 2 as inputs, and eventually develop 4 and 5.

Page 681: RP_IT Consulting and Audit_121116_17_v1.0

Offering model (product, service, solution)

[Diagram: Products, Services and Solutions composing the Offering; identify/define the flows supporting the solutions offering.]

Source: The Innovation Group

Page 682: RP_IT Consulting and Audit_121116_17_v1.0

Service/supply model (IaaS, PaaS, AaaS, SaaS)

[Diagram (Source: IDC) with three layers:]
– Provide ICT Products/Services to enable (public & private) Cloud: Servers, Storage, Network Equipment, IT/Network Management Software, Network Services, App Development/Deployment Software, IT Services (Consulting, Integration, etc.)
– Provide ICT as Cloud Services: APs (Cloud Application Providers)
– Provide Services around ICT Cloud Services (Solution-as-a-service)

Page 683: RP_IT Consulting and Audit_121116_17_v1.0

Product/production model (applicative, operative, managerial)

[Diagram: Application As Is Today (Client, Server) → Application To Be in Cloud.]

Decline the distribution model into:
– Applicative model: how the Application is structured/designed (processing logic, database, access methods, resources, network)
– Operative model: which OS environments are related to the different C/S application modules (Server OS, Client/SmartT OS, Network OS - GLan, WiFi, Mobile)
– Managerial model: where Application execution, control, monitoring and security are located (insourcing, outsourcing, coop. sourcing)

Page 684: RP_IT Consulting and Audit_121116_17_v1.0

Governance model of the “solution plant” (organization, processes)

Goal: understand the business offering through its organization.

[Diagram: Governing the business as a Solution Plant: the Company (Azienda) with its Processes, Functions, Flows and Activities producing Products, Services and Solutions that make up the Offering.]

Source: The Innovation Group

Page 685: RP_IT Consulting and Audit_121116_17_v1.0

FROM SERVICES FACTORY… TO CLOUD PROVIDER


Page 686: RP_IT Consulting and Audit_121116_17_v1.0

How ICT services work

Source: The Innovation Group

Page 687: RP_IT Consulting and Audit_121116_17_v1.0

From the factory…

Source: The Innovation Group

Page 688: RP_IT Consulting and Audit_121116_17_v1.0

… to the Cloud

Source: The Innovation Group

Page 689: RP_IT Consulting and Audit_121116_17_v1.0

The process-system model

Source: The Innovation Group

Page 690: RP_IT Consulting and Audit_121116_17_v1.0

Internal vs. Private Cloud

[Diagram: Internal Cloud (virtual infrastructure; on-demand, elastic, automated/dynamic) vs. Private Cloud (Service Management; Charge Back system (Financial Mgmt); Orchestration; Service Catalogue).]

First, drop the processes into a framework, especially if operation- or service-oriented, to verify both their readiness and their inward orientation rather than orientation toward delivery, also in a Cloud perspective. Then start to position this model with respect to the reference maturity model, contextualized to the needs of cloud computing.

Source: The Innovation Group

Page 691: RP_IT Consulting and Audit_121116_17_v1.0

The maturity model

[Diagram: five stages (Stage 1 Technology, Stage 2 Operations, Stage 3 Application Mgmt, Stage 4 Services, Stage 5 Cloud) across four layers:]
– Governance: evaluation and procurement; procurement and change mgmt; audit and accounting models; definition of standard IaaS models; planning IAM policies
– Automation: lab automation; provisioning and VM automation; application provisioning automation; service provisioning automation; «cloud bursting» automation
– Service Mgmt: service class definition; service pools; charge back; service catalogue; defining the IAM requirements of service mgmt; definition of standard templates; service management tools distribution; QoS
– Cloud Infrastructure (IaaS): appliance distribution for the virtual infrastructure; virtual data centre distribution; consolidation and virtualization; HA services distribution; load balancing distribution; multitenancy; optimizing for «cloud portability»

Source: The Innovation Group

Page 692: RP_IT Consulting and Audit_121116_17_v1.0

Stage 1

• Consolidation and virtualization are the starting point, with regard to which, however, CSI already appears well prepared, together with the distinction between factory and service. The integration required between the architectural and technological themes and the organizational and managerial ones (governance) remains to be verified.

Source: The Innovation Group

Page 693: RP_IT Consulting and Audit_121116_17_v1.0

Stage 1

(This slide repeats the maturity model chart of page 691 in Italian, with Stage 1 highlighted; the cell labels are the same.)

Source: The Innovation Group

Page 694: RP_IT Consulting and Audit_121116_17_v1.0

Stage 2

• On this basis we find the logic of provisioning services through the Cloud, first internally and in "captive" environments, then on the market. The issue becomes less operational and more organizational and process-related, as the organizational aspects of support begin to be overseen, not just the operational and service ones.

Source: The Innovation Group

Page 695: RP_IT Consulting and Audit_121116_17_v1.0

Stage 2

(This slide repeats the maturity model chart of page 691 in Italian, with Stage 2 highlighted; the cell labels are the same.)

Source: The Innovation Group

Page 696: RP_IT Consulting and Audit_121116_17_v1.0

Stage 3

• As always in maturity models of SEI - Carnegie Mellon origin, the transition from level 2 to level 3 is not linear but almost exponential, as the process and organization issues begin to be coupled with measurement topics, both internally on the systems and externally on the services, in order to feed the service catalogue and enable a charge-back model, even within the limits set by the peculiarities of the CSI context.

Source: The Innovation Group

Page 697: RP_IT Consulting and Audit_121116_17_v1.0

Stage 3

(This slide repeats the maturity model chart of page 691 in Italian, with Stage 3 highlighted; the cell labels are the same.)

Source: The Innovation Group

Page 698: RP_IT Consulting and Audit_121116_17_v1.0

Stage 4

• From this point on growth becomes geometric, simply by establishing input-output relationships between the processes of measurement, accounting and cost reporting, and by making these a set of attributes of the Service Catalogue, which has by now fully evolved from an internal tool into a service delivery instrument.

Source: The Innovation Group

Page 699: RP_IT Consulting and Audit_121116_17_v1.0

Stage 4

(This slide repeats the maturity model chart of page 691 in Italian, with Stage 4 highlighted; the cell labels are the same.)

Source: The Innovation Group

Page 700: RP_IT Consulting and Audit_121116_17_v1.0

Service Catalogue Requirements
• Initial business requirements
• Service applicability (business, customer, user)
• Service points of contact

Service Design
• Functional requirements and expected deliverables
• Service level requirements (SLR / SLA targets)
• Operability requirements (monitoring, support, measurement and reporting)
• Service topology

Organizational Readiness
• Financial and technical evaluations
• Assessment of needs in terms of resources (skills, volumes, ...)
• Assessment of organizational needs

Service Life-Cycle Plan
• Plan for the implementation phases, operation and subsequent updates
• Transition plans (development, testing, migration, release, ...)
• Operational acceptance plan (events, issues, changes, known errors, ...)
• Acceptance criteria to be used during the transitions across the life-cycle

Source: The Innovation Group

Page 701: RP_IT Consulting and Audit_121116_17_v1.0

Stage 5: Orchestration

• The last step is perhaps the most important one, because it defines within a single Governance process the entire internal process orchestration needed for the operating machine to function, for the provision of services and, above all, for their measurement, and for tending toward higher efficiency levels, even through lean logic.

Source: The Innovation Group

Page 702: RP_IT Consulting and Audit_121116_17_v1.0

Stage 5

(This slide repeats the maturity model chart of page 691 in Italian, with Stage 5 highlighted; the cell labels are the same.)

Source: The Innovation Group

Page 703: RP_IT Consulting and Audit_121116_17_v1.0

Governance

• All of this must be targeted toward the delivery model considered most consistent with the organization's own service model and its control needs. In fact, while the definition of the deployment model (Private, Public, Community, Hybrid) serves to identify market strategies, in this case also and especially defined by the corporate mission, the definition of the delivery model decisively addresses the governance and control model, with a view to assigning the roles and responsibilities under which the work is actually carried out.

Chart: GOVERNANCE; RESPONSIBILITY axis running from Client to Supplier; SERVICE MODEL axis: IaaS, PaaS, SaaS

• Governing the operating machine
• Organizational models
• Accounting and control models
• SLA / roles and responsibilities models

Source: The Innovation Group

Page 704: RP_IT Consulting and Audit_121116_17_v1.0

The mobile revolution is coming

• Cellular telephony
• SMS
• Mail
• Forum
• Chat
• Blog
• Social networks
• Microblogging
• IP telephony
• Teleconference
• Web radio/TV

Chart annotation: 2011 est.: 86.7%

Source: ITU, Measuring the Information Society, 2011

Page 705: RP_IT Consulting and Audit_121116_17_v1.0

Cloud + Consumerization + Mobility = BYOD

COMPANY CAR

Source: The Innovation Group

Page 706: RP_IT Consulting and Audit_121116_17_v1.0

BYOD turns everything around!

Source: TechMarketView LLP, Intellect Regent Conference 2012

Page 707: RP_IT Consulting and Audit_121116_17_v1.0

CLOUD and BYOD

Source: The Innovation Group

Page 708: RP_IT Consulting and Audit_121116_17_v1.0

Why Cloud and BYOD are "disruptive": old market models do not work anymore

IT Services
– Project Services: Consulting, App Dev, Systems Integration
  • Short term
  • Time-and-materials
  • Flexible staffing
– Outsourcing: Apps Os'g, Infra Os'g, BPO
  • Long term
  • Fixed price
  • People & asset transfer

Source: The Innovation Group

Page 709: RP_IT Consulting and Audit_121116_17_v1.0

The future of Cloud and BYOD: Cloud Everywhere!

Public Cloud | Private Cloud | Personal Cloud

Examples: DropBox, Gmail, corporate e-mail

Source: The Innovation Group

Page 710: RP_IT Consulting and Audit_121116_17_v1.0

BYOD


Page 711: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (1/17)

• Many companies are considering adopting personal devices for business applications. Their goal is to increase customer satisfaction and employee productivity through the use of new technologies, while reducing mobile expenses. The BYOD trend is one of the most striking results of the consumerization of IT, in which user preference rather than business initiatives drives the adoption of technology in companies. However, many of these technologies were not built with business requirements in mind, so IT groups are often uncomfortable about security and the sustainability of the solution.

Page 712: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (2/17)

• But BYOD means much more than just moving ownership of a device to the worker. It has far more complex and hidden implications, for which it is necessary to define a strategy in advance. Based on our customers' experience, this document traces eight main components of successful BYOD strategies:

• Sustainability
• Device choice
• Trust model
• Responsibility
• Privacy and user experience
• Application design and management
• Economic aspects
• Internal marketing

Page 713: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (3/17)

• BYOD is new for most organizations and, consequently, established best practices have yet to be developed. One of the traps many fall into is defining a rigid set of policies that are unsustainable in the long term. To be sustainable, BYOD policies must try to meet the needs of both IT and workers in order to:
– Secure business data
– Minimize implementation and adoption costs
– Preserve the native user experience
– Keep pace with users' preferences and technological innovation.

Page 714: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (4/17)

• The primary catalyst for BYOD is that workers have personal preferences for devices other than those their company traditionally provides. The most common example is a worker who has a company-provided BlackBerry for work and an iPhone or Android phone for personal use at home, and who would prefer to carry one phone instead of two. However, in a world where consumer preferences change every year or even every quarter, and the mobile device and application sectors are in continuous evolution, it is difficult to define how much to leave to the worker's choice.

Page 715: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (5/17)

• Building a policy on the choice of devices requires:

– Analyzing worker preferences and understanding which devices they have already bought: a BYOD program that does not consider current or projected purchases will hardly be attractive.

– Defining the minimum security and supportability requirements that a device must meet. The goal is to include all the mobile platforms preferred by workers while avoiding security gaps or complicated situations. Minimum requirements usually cover resource management, encryption, password policies, remote lock/wipe and e-mail/Wi-Fi/VPN configuration. Without these fundamentals the mobile platform is not company friendly. The more advanced requirement list usually focuses on particular functionalities related to certain applications and on advanced security, such as certificate-based authentication.

Page 716: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (6/17)

– Understanding the operating system, hardware and territorial variations with respect to the minimum requirements: especially on Android, similar devices can support very different functionality depending on the manufacturer and on the geographic area. Even the branding of the same device may vary according to the wireless operator, adding confusion.

– Developing an agile certification scheme for evaluating future devices: most organizations invest in early certifications when launching their BYOD program. However, new devices come to market every three to six months, so the certification process should keep growing and evolving. If the process is too rigid it will become expensive and may fail, since the speed and efficiency of certification are essential.

– Establishing clear communication with users about which devices are allowed or not, and why: without these clarifications users may purchase unsupported devices or become frustrated because the level of IT service they expect is not met.

– Ensuring that the IT team has the breadth necessary to keep up to date: the list of allowed devices is strongly influenced by user demand and can therefore change quickly, often several times a year. Someone in the IT team must become the device expert and drive the evolution of the system.

Page 717: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (7/17) Trust model:

• Trust is the foundation of enterprise security: which users do I trust, with which data or applications, and under what circumstances? Larger organizations have gone through data classification to establish a basis for their security policies. But even without the introduction of BYOD, trust models for the mobile environment add extra complexity, as devices easily drift in and out of compliance. The trust level of a mobile device is dynamic and depends on its security posture at a given time. For example, it is easy to trust a company's CFO with financial data on a tablet, but not if the CFO inadvertently downloads a risky application or disables encryption. Since mobile devices cannot be locked down as completely as traditional laptops and desktops, they fall out of compliance more frequently.

• BYOD adds another layer to the trust model, since the level of trust for personal devices can differ from that of enterprise devices. Privacy policies will vary as expectations change. For example, users may agree not to be allowed to use social networking applications on enterprise devices, but that kind of policy is unacceptable for personal devices.

Page 718: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (8/17)

• Building a trust model for BYOD requires:

– Identifying and evaluating the risk of security issues common on personal devices: employees use personal devices differently from business ones, for example they download more applications. So with BYOD, devices can fall out of compliance with corporate policies more frequently or for different reasons.

– Defining remediation options (notification, access control, quarantine, selective wipe): these options may vary in severity between BYOD and business devices. For example, on a company device with a moderate compliance risk the remedy may be an immediate and complete wipe; on a personal device there may initially be a less severe action, such as blocking access to business content, followed by the selective deletion of corporate data only.

– Defining a multilayer policy: ownership is now a key element in policy definition. As a result, personal and company devices will have different sets of policies for security, privacy and application deployment.

– Establishing the identity of the user and of the device: since the choice of device becomes fluid, it is more important to verify the identity of the user and of the device, normally through certificates.

– Taking a critical look at the sustainability of the security policies that were set up: what is the impact on the user experience? Will users accept the compromise in the long term? If the level of trust in personal devices is so low that extensive use restrictions are required for security reasons, the employee's personal mobile experience will be damaged and neither the policies nor the BYOD program will be sustainable.
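As an added example (not part of the deck or of any device-management product), the two preceding slides can be turned into a small, runnable policy check: the minimum-requirements baseline of BYOD (5/17) (encryption, passcode policy, remote lock/wipe, certificate-based user and device identity, platform baseline) is evaluated against a constructed posture record, the findings are scored into a risk level, and the remediation ladder then differs by ownership as BYOD (8/17) describes: a corporate device at moderate risk goes straight to a full wipe, while a personal device is first cut off from business content and, at worst, selectively wiped of corporate data only. The social-networking rule illustrates the multilayer, ownership-aware policy. All thresholds, weights, field names and device records are hypothetical.

```python
# Added example: ownership-aware BYOD compliance check with a remediation ladder.
# Thresholds, weights and the device records below are constructed for illustration;
# they do not come from the deck or from any MDM product.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Ownership(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"


class Action(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"
    BLOCK_BUSINESS_ACCESS = "block_business_access"
    SELECTIVE_WIPE = "selective_wipe"   # remove corporate data only
    FULL_WIPE = "full_wipe"             # factory reset: corporate devices only


@dataclass
class DevicePosture:
    """Posture snapshot as a device-management agent might report it (hypothetical fields)."""
    device_id: str
    ownership: Ownership
    platform: str                 # "ios" or "android"
    os_version: Tuple[int, int]
    storage_encrypted: bool
    passcode_min_length: int
    remote_wipe_enrolled: bool
    user_cert_valid: bool         # user identity proven by certificate
    device_cert_valid: bool       # device identity proven by certificate
    rooted: bool
    app_categories: List[str] = field(default_factory=list)


# Baseline a platform must meet to be "company friendly" (hypothetical values).
MIN_OS_VERSION = {"ios": (6, 0), "android": (4, 0)}
MIN_PASSCODE_LENGTH = 6

# Weight of each finding; the sum decides the risk level (hypothetical values).
WEIGHTS = {
    "unsupported platform": 10,
    "os version below baseline": 3,
    "storage encryption disabled": 5,
    "passcode policy not met": 3,
    "not enrolled for remote lock/wipe": 3,
    "identity not verified by certificate": 5,
    "rooted or jailbroken": 10,
    "social networking app present": 1,
}


def evaluate(p: DevicePosture) -> List[str]:
    """Return the policy findings for a posture; an empty list means compliant."""
    findings: List[str] = []
    if p.platform not in MIN_OS_VERSION:
        findings.append("unsupported platform")
    elif p.os_version < MIN_OS_VERSION[p.platform]:
        findings.append("os version below baseline")
    if not p.storage_encrypted:
        findings.append("storage encryption disabled")
    if p.passcode_min_length < MIN_PASSCODE_LENGTH:
        findings.append("passcode policy not met")
    if not p.remote_wipe_enrolled:
        findings.append("not enrolled for remote lock/wipe")
    if not (p.user_cert_valid and p.device_cert_valid):
        findings.append("identity not verified by certificate")
    if p.rooted:
        findings.append("rooted or jailbroken")
    # Multilayer policy: the same app is a finding on a corporate device but is
    # the user's own business on a personal one.
    if p.ownership is Ownership.CORPORATE and "social_network" in p.app_categories:
        findings.append("social networking app present")
    return findings


def risk_level(findings: List[str]) -> str:
    """Map the weighted findings to none / moderate / high."""
    score = sum(WEIGHTS[f] for f in findings)
    if score == 0:
        return "none"
    return "moderate" if score < 5 else "high"


def remediation(ownership: Ownership, level: str) -> List[Action]:
    """Remediation ladder: severity depends on ownership, not only on risk."""
    if level == "none":
        return [Action.ALLOW]
    if ownership is Ownership.CORPORATE:
        # Company-owned: even moderate risk justifies an immediate full reset.
        return [Action.FULL_WIPE]
    # Personal: start with the least invasive action and never touch personal data.
    if level == "moderate":
        return [Action.NOTIFY, Action.BLOCK_BUSINESS_ACCESS]
    return [Action.BLOCK_BUSINESS_ACCESS, Action.SELECTIVE_WIPE]


def decide(p: DevicePosture) -> Tuple[str, List[str], List[Action]]:
    """Full pipeline: posture -> findings -> risk level -> ordered actions."""
    findings = evaluate(p)
    level = risk_level(findings)
    return level, findings, remediation(p.ownership, level)


if __name__ == "__main__":
    # Constructed sample devices: a compliant personal phone, the same posture on a
    # corporate phone, and a rooted, unencrypted personal phone.
    samples = [
        DevicePosture("p-001", Ownership.PERSONAL, "ios", (6, 1), True, 6, True, True, True, False, ["social_network"]),
        DevicePosture("c-001", Ownership.CORPORATE, "ios", (6, 1), True, 6, True, True, True, False, ["social_network"]),
        DevicePosture("p-002", Ownership.PERSONAL, "android", (4, 1), False, 4, True, True, True, True),
    ]
    for d in samples:
        level, findings, actions = decide(d)
        print(d.device_id, d.ownership.value, level, findings, [a.value for a in actions])
```

The invariant worth checking in a policy engine of this shape is that FULL_WIPE can never be selected for a personal device, whatever the risk score: that is exactly the mistake (full deletion instead of selective) that the later responsibility slide lists as a liability, and it is cheap to assert in a test.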

Page 719: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (9/17) Responsibility:

• All companies apply long-established approaches to evaluate the risks related to workers' actions and the related responsibilities. These actions range from insecure use of company data to access to inappropriate sites and applications. BYOD introduces a new consideration: the devices on which these actions are carried out are not corporate property. So the question becomes: «does moving ownership of a device from the company to the worker increase or reduce corporate responsibility?»

Page 720: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (10/17)

• To evaluate BYOD responsibility you need to:

– Define the elements of basic enterprise data protection on BYOD devices: every company must protect corporate data on mobile devices, but different protections may be required on different devices. For example, extra protection may be necessary for applications of highly privileged users on Android rather than on iOS. Employees will need clarity on which actions create and limit their responsibilities.

– Assess the responsibility for using personal web sites and applications: employees expect to use their personal devices in any way they want. Does inappropriate use still constitute a liability for the company, even when it involves non-corporate data?

– Assess the responsibility for use in and out of the office, and within and outside working hours: should use be monitored at work but not away from it? The boundaries between work time and personal time are blurred for many knowledge workers, so companies avoid this additional complexity.

– Assess whether the nature of BYOD reimbursements affects responsibilities (partial stipend or full payment of service costs): many organizations have decided that the level of payment has no impact on the level of responsibility, but this is an area with regional variations. Financial responsibility may impose legal obligations.

– Quantify the costs of monitoring, enforcing and verifying BYOD compliance: if the responsibility is lower, the corresponding compliance costs will be low enough to potentially contribute significantly to cost reduction.

– Assess the risk and liability arising from damage to personal data (for example, when a full wipe is performed by mistake instead of a selective one): most organizations cover themselves legally in their agreements with the user, but this possibility creates privacy-related frustration in the worker.

Page 721: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (11/17) Privacy and user experience:

• BYOD itself reflects the idea that user satisfaction is a primary goal for IT. But security and user experience have often been seen as conflicting interests: the usability of traditional enterprise applications has substantially lagged behind that of consumer applications, which are designed with user experience as a top priority. The fundamental principle of successful BYOD strategies is to preserve the user experience. These programs will not be sustainable if the user experience is compromised when employees begin to use personal devices for e-mail and business applications. The user experience can be compromised in many ways: increased battery consumption, third-party e-mail applications that do not provide the native experience, complex authentication, useful features disabled, unintuitive interfaces, lack of privacy.

• A social contract must be established between workers and the company: an agreement between worker and employer on their respective roles and responsibilities regarding BYOD.

Page 722: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (12/17) Application management and design

• The considerations about the trust model and device choice described in the previous sections have a fundamental impact on the BYOD application strategy. Initially, organizations believe that BYOD merely affects the ownership of devices, with minimal impact on applications. But applications handle corporate data, and if the trust level of a BYOD device differs from that of a traditional device, this directly affects application design and deployment. In addition, employees will expect internal applications to be supported on all approved BYOD devices, not only on a small subset. This implies either a deeper investment in application development and testing by the company, or clear education and communication to employees about which applications are supported on which devices and why. User confusion will turn into support calls.

Page 723: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (13/17) Economic aspects:

• Short-term economic analyses of the BYOD phenomenon generally revolve around eliminating the device purchase cost and shifting from paying for the full service to paying a predictable monthly stipend. But the long-term economic implications may come from unexpected sources. In most organizations, BYOD strategies have not been in place long enough to accurately assess their economic impact, but here are some key dimensions to consider. The BYOD ROI is a combination of the variables listed below, weighted against the value of employee satisfaction and productivity; the hidden economic value of this kind of program depends essentially on its ability to increase productivity, to manage the cost of complexity and to extract value from a more responsible use of the devices by employees:

Page 724: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (14/17)

• Device hardware: no need to buy attractive hardware. However, many large companies have traditionally bought heavily subsidized smartphones, so the actual savings may be lower than expected.

• Overspending: when employees have visibility into their personal use of the device, their behavior tends to become more responsible. They use the device less when roaming and are more careful not to lose it. BYOD encourages personal responsibility.

• Service plans: some organizations continue to pay for the full service, while others move to a fixed monthly stipend for the user, often based on seniority and position within the organization. However, the power to negotiate with the wireless carrier may be lost if the billing model does not provide for consolidation.

• Productivity: more difficult to quantify, but access to business functions on the device the employee prefers, instead of the one the company prefers, implies not only greater satisfaction but also increased productivity. Employees now have the tools they want to use for the job they have to do.

• Technical support: conventional wisdom suggests that BYOD will increase technical assistance costs because of device fragmentation, and implementing new technical assistance policies on full support and "best practices" can increase complexity. However, we found a balancing force: employees who use their own devices are likely to invest more time in solving problems on their own rather than calling technical support. They gradually increase their technological knowledge and, most importantly, do not want IT to touch their personal device. With the right self-service tools, technical assistance can be the last resort rather than the first for BYOD users.

• Compliance and audit: the previous section on liability posed the question: "Does moving ownership of a device from the company to the employee increase or decrease company liability?" The answer will significantly affect compliance costs. If the organization believes it is not responsible for actions beyond data protection, this could lead to substantial savings.

• Tax implications: some regions treat the taxation of personally paid devices differently. The cost of a BYOD program will be influenced by whether the company is obliged to tie reimbursements to a percentage of the device's estimated business use, and by how detailed the related controls must be.

Page 725: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (15/17) Internal marketing

• BYOD offers an opportunity to improve the internal perception of the company regarding the role and value of IT. This is a great internal marketing opportunity both for the mobile strategy and for the team responsible for its implementation and support. Many organizations do not recognize the value in this until the BYOD program is established. BYOD gives IT a unique opportunity to strongly influence the opinions, productivity and culture of the organization. Thinking about the internal marketing strategy in advance will shape communication and decisions in a way that can enhance the IT staff's standing with internal clients. The components are:

Page 726: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (16/17)

• Communicate why the company is moving toward BYOD: is the message you want to convey «moving costs onto workers» or «letting workers use their favorite device for work»?

• Understand that BYOD is an HR initiative just as much as an IT one. What is its impact on company culture, on communication or on employment strategies?

• Define the IT team «brand»: is IT a user supporter, an innovator or a source of mobile best practices? IT can become the hero of end users and show its innovativeness and readiness through an appropriate BYOD program.

• Support the «brand» message through appropriate actions: BYOD requires IT to provide a positive end-to-end experience for users, who need the program to be simple to understand, want to choose and customize their device, solve problems and potentially migrate to new devices every year. This is why BYOD must be backed by internal marketing.

Page 727: RP_IT Consulting and Audit_121116_17_v1.0

BYOD (17/17) Conclusion:

• BYOD sounds simple, but often it is not. Moving ownership of mobile devices has many complex implications for the company's business. In this document we have discussed the different elements needed to build a program that effectively addresses some of the main issues. The initial adoption of a BYOD program will depend on the actual preparation of the company, while its long-term sustainability will depend on the growing quality of the end-to-end user experience. The objective of this document is to provide a basic framework for the initial preparation needed to start. BYOD makes big promises across multiple dimensions. While many organizations look at BYOD as a possible means of cost reduction, the real value of a well-designed BYOD program lies in increased worker satisfaction and productivity, while at the same time giving an important boost to the adoption of technology in the company.

Page 728: RP_IT Consulting and Audit_121116_17_v1.0

[email protected]

+39 349 399 0794

www.piazzese.it
