COBIT® Conference

30 April – 01 May, 2016 | Marriott Hotel|New Orleans, Louisiana

Implementing Governance of Enterprise IT (GEIT) Using COBIT® 5

A Business Driven Approach

 Tichaona Zororo

CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor

B.Sc. Honors Information Systems, PGD Computer Auditing

Accredited COBIT 5 Trainer

The Business Case of Implementing GEIT
05
Disruptive Innovation - The Irrevocable GEIT Forces
New Business Models

07
New Business Models

08
New Business Models

09
A Tsunami of Regulations
 “External legal, regulatory and
contractual compliance requirements
related to enterprise use of
A Tsunami of Regulations information and technology are
increasing, threatening value if
breached ”

11
The Familiar IT Environment
The Familiar IT Environment

CEO CIO CISO

File Fighting Approach

13
 IT Is Complicated.

Governance of Enterprise
IT Does Not

Have To Be

14
GEIT - A Business As Usual Prerequisite
Governance of Enterprise IT as BAU

16
Implementing GEIT Using COBIT® 5 & Not Implementing COBIT® 5
18
19
20
The Practical Enterprise Context
 Adapt & Adopt

Cut Your Own Loan Size – One Size Does Not All

22
23
 Stakeholders

Stakeholder Drivers

Environment, Technology Evolution,…

Stakeholder Needs
Value Creation Governance Objectives

Enterprise Context

Enterprise Goals

IT Related Goals

Enabler Goals

24
25
A South Africa Local Municipality Case
Residents - 1 154 673
51 Councillors
The Bigger Picture
National Government
Regulators Stakeholders
Vendors
Employees
Services- water, roads, housing, Stakeholder Drivers
electricity, sanitation
Votes
Environment, Technology Evolution,…
National Government
Compliance
Payments
Salaries, bonuses, holidays
Stakeholder Needs
Payments collections
Value Creation Governance Objectives

Integrated Development Plan - IDP

Service Delivery Budget
Implementation Plan - SDBIP
Budget
Mission, Vision, Values
Structures
Policies, Processes and Procedures Enterprise Goals

IT Strategy, IT Plans, Policies,

Processes, procedures
Principles, Policies & Frameworks
IT Related Goals
Processes
Organizational Structures
Culture, Ethics & Behavior
Information Enabler Goals
Services, Information & Structures
People, Skills & Competencies
27
Applying the 4 Enabler Dimensions - A South Africa Local Municipality Case
 Stakeholders Goals

v Service delivery to residence

vBoard Members
v Serviced Roads
v51 Councilors
v Clean Water
vNational Government
v Clean Financial records
vRegulators
Who are the enterprise stakeholder? vVendors
What are their drivers? vEmployees
What are their needs?
What are the enterprise strategic
and performance goals and what
does the GEIT program aim to
achieve? Good Practices
What are the enterprise timelines
Life Cycle
that have an impact on the GEIT
v 2030 National Development v Municipal Finance
program?
Plan Management ACT
King IV, ISO 38500, COBIT 5,
v 5 Year Strategic Plan v Municipal Systems Act
v Service Delivery Budget v Constitution of South Africa
Implementation Plan v Municipal Corporate
Governance of ICT Policy
Framework

29
GEIT Implementation Success Factors
31
The Business Benefits of Implementing GEIT Using COBIT® 5
33
GEIT Implementation

The Life Cycle Approach

 Grab The Low Hanging Fruit
“Focusing on quick wins
and the prioritisation of the
most beneficial
improvements that are
easiest to implement to
demonstrate benefit and
build confidence for further
Unlocking Your World to a Sea Opportunities
improvements ”

35
The 7 phases of the Programme management Change enablement Continual Improvement Life
implementation life cycle – Cycle
Creating the Appropriate
Environment

What are the drivers? Initiate programme Establish desire to change Recognise need to act

Where are we now? Define problems and Form implementation team Assess current state
opportunities

Where do we want to be? Define road map Communicate outcome Define target state

What needs to be done? Plan programme Identify role players Build improvements

How do we get there? Execute Operate and use Implement improvements

Did we get there? Realise benefits Embedded new approaches Operate & Measure

How do we keep the Review effectiveness Sustain Monitor & Evaluate

momentum going?

36
 Phase 1

Initiation Phase

What Are the Drivers?

Unlocking Your World to a Sea Opportunities

37
 Phase 1 identifies current change drivers
and creates at executive management
levels a desire to change that is then
expressed in an outline of a business
case.

A change driver is an internal or external

What are the drivers? event, condition or key issue that serves
as a stimulus for change

Risk associated with implementation of

the programme itself will be described in
the business case and managed
throughout the life cycle.

Preparing, maintaining and monitoring a

business case are a fundamental and
important disciplines for justifying,
supporting and then ensuring successful
outcomes of any initiative, including the
improvement of GEIT.

38
The 7 phases of the Programme management Change enablement Continual Improvement Life
implementation life cycle Cycle

Initiate the Programme

What are the drivers? Initiate programme Establish desire to change Recognise need to act

39
 Phase 2
Process Assessment Phase

To Determine Current State

Where Are We Now?

Unlocking Your World to a Sea Opportunities

40
 Phase 2 aligns IT-related objectives
with enterprise strategies and risk, and
prioritises the most important enterprise
goals, IT-related goals and processes.

COBIT®5 provides a generic mapping

of enterprise goals to IT-related goals to
IT processes to help with the selection.
Where Are We Now?
Given the selected enterprise and IT-
related goals, critical processes are
identified that need to be of sufficient
capability to ensure successful
outcomes.

Management needs to know its current

capability and where deficiencies may
exist. This is achieved by a process
capability assessment of the as-is status
of the selected processes.

41
The 7 phases of the Programme management
implementation life
cycle
Define problems & opportunities
Where are we now? Define problems and opportunities
v Understand the pain points that
have been identified as
governance problems
v Take advantage of trigger
events that provide opportunity
for improvement
Change enablement Continual Improvement Life
Cycle
Form implementation Assess current state
team
v Knowledge of the v Identify the IT goals in respect
business environment to enterprise goals
v Insight into influencing v Identify the most important
factors processes
v Understand management risk
appetite
v Understand the maturity of
existing governance
v Related processes
42
 Phase 3
Process Assessment Phase

To Define Target State

Where Do We Want to Be?

Unlocking Your World to a Sea Opportunities

43
 Phase 3 sets a target for
improvement followed by a gap
analysis to identify potential
solutions.

Some solutions will be quick wins

and others more challenging,
Where Do We Want To Be?
long-term tasks.

Priority should be given to

projects that are easier to
achieve and likely to give the
greatest benefit. [Low Hanging
Fruit]

Longer-term tasks should be

broken down into manageable
pieces.

44
The 7 phases of the Programme management Change enablement Continual Improvement
implementation life cycle Life Cycle

Define road map

Where do we want to be? Define road map Communicate outcome Define target state

v Describe the high level v Develop a v Define the target for

change enablement plan communication strategy improvement
and objectives v Communicate the vision v Analyze the gaps
v Articulate the rationale v Identify potential
and benefits of the improvements
change
v Set the tone at the top

45
 Phase 4
Solution Design

What Needs to Be Done?

Unlocking Your World to a Sea Opportunities

46
 Phase 4 plans feasible and
practical solutions by defining
projects supported by
What Needs To Be Done? justifiable business cases and
developing a change plan for
implementation.

A well-developed business
case will help ensure that the
project’s benefits are identified
and continually monitored

47
The 7 phases of the Programme
implementation life management
cycle
Plan the Programme
What needs to be done? Plan programme
v Prioritize potential initiatives
v Develop formal and
justifiable projects
v Use plans that include
contribution and program
objectives
Change enablement Continual
Improvement Life
Cycle
Identify role players Build improvements
Empower role players and identify v Plot improvements
quick wins [Low Hanging Fruit – visible onto a grid to assist
issues that can be addressed relatively with prioritization
quickly and help establish the v Consider approach,
credibility of the overall initiative by deliverables, resources
demonstrating benefits ] needed, costs,
v High benefit, easy implementations estimated time scales,
should come first project dependencies
v Obtain buy-in by key stakeholders and risks
affected by the change
v Identify strengths in existing
processes and leverage accordingly
48
 Phase 5
Solution Implementation

How Do We Get There?

Unlocking Your World to a Sea Opportunities

49
 Phase 5 provides for the
implementation of the proposed
solutions into day-to-day
practices and the establishment
of measures and monitoring
systems to ensure that business
How Do We Get There? alignment is achieved and
performance can be measured.

Success requires engagement,

awareness and communication,
understanding and commitment
of top management, and
ownership by the affected
business and IT process owners.

50
The 7 phases of the Programme management
implementation life cycle
Execute the Programme
How do we get there? Execute
v Execute projects according
to an integrated program
plan
v Provide regular update
reports to stakeholders
v Document and monitor the
contribution of projects while
managing risks identified
Change enablement Continual Improvement Life
Cycle
Operate and use Implement improvements
v Build on the momentum v Adopt and adapt best
and credibility of quick practices to suit the
wins enterprise’s approach to
v Plan cultural and policies and process changes
behavioral aspects of
the broader transition
v Define measures of
success
51
 Phase 6
Post GEIT Implementation
Phase

Did We Get There?

Unlocking Your World to a Sea Opportunities

52
 Phase 6 focuses on
sustainable transition of the
improved governance and
management practices into
Did We Get There?
normal business operations
and monitoring achievement
of the improvements using
the performance metrics and
expected benefits.

53
The 7 phases of the Programme management Change enablement Continual Improvement
implementation life cycle Life Cycle

Realise Benefits

Did we get there? Realise benefits Embedded new approaches Operate & Measure

v Monitor the overall v Provide transition from project v Set targets for each
performance of the mode to business as usual metric
program against business mode
v Measure metrics
case objectives v Monitor whether new roles and
v Monitor and measure the responsibilities have been against targets
investment performance taken on v Communicate results
v Track and assess objectives of and adjust targets as
the change response plans necessary
v Maintain communication and
ensure communication
between appropriate
stakeholders continues

54
 Phase 7
Post GEIT Implementation
Phase

How Do We Keep the Momentum Going?

Unlocking Your World to a Sea Opportunities

55
 Phase 7 reviews the overall success of the
initiative, identif ies further governance or
management requirements and reinforces the
need for continual improvement. It also prioritises
further opportunities to improve GEIT.
Programme and project management is based
How Do We Keep The
Momentum Going ? on good practices and provides for checkpoints
at each of the seven phases to ensure that :the
programme’s performance is on track, the
business case and risk are updated, and
planning for the next phase is adjusted as
appropriate.
The overall time spent on each iteration of the full
life cycle ideally should not exceed six months,
with improvements applied progressively;
otherwise, there is a risk of losing momentum,
focus and buy-in from stakeholders.

56
The 7 phases of the Programme management
implementation life
cycle
Review Effectiveness
How do we keep the Review effectiveness
momentum going?
keeping the momentum is critical to
sustainment of the lifecycle.
v Review program effectiveness
through a program review gate
v Review the program benefits
Change enablement Continual Improvement Life
Cycle
Sustain Monitor & Evaluate
v Conscious reinforcement v Identify new governance
(reward achievers) objectives based on
v Ongoing communication program experience
campaign (feedback on v Communicate lessons
performance) learned and further
v Continuous top improvement
management commitment requirements for the next
iteration of the cycle
57
Questions
tichaona.zororo@egit.co.za

@TichoanaZororo

Tichaona Zororo

+27 (0) 73 298 9606

Tichaona Zororo

+27 (0) 11 234 2597

tichaona.zororo

EGIT | Enterprise Governance of IT (Pty) Ltd

tichoanazororo
Thank You