2e

Chapter 5: Corporate and IT Governance

Information Technology for Managers
George W. Reynolds
Strayer University
Copyright ©2016 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly
accessible website, in whole or in part.
Objectives

• What is IT governance, and what are the key elements of an effective IT governance process?
• How can an effective IT governance program improve the likelihood of organizational success?

IT Governance

Corporate Governance

• Processes, customs, rules, procedures, policies, and traditions
– Determine how the organization is directed and how its management activities are controlled
• Key players
– Board of directors, CEO, senior executives, and shareholders

Issues Addressed by Corporate Governance
• Preparing the firm's financial statements
• Monitoring the choice of accounting principles and policies
• Establishing internal controls
• Hiring external auditors
• Nominating and selecting people for the board of directors
• Managing risk
• Dividend policy

IT Governance

• Framework that ensures IT decisions are made in light of the organization's goals and objectives
• Includes defining:
– The decision-making process
– Who makes the decisions
– Who is held accountable for results
– How the results of decisions are communicated, measured, and monitored

Primary Goals of Effective IT Governance
• Ensuring that an organization achieves good value from its investments in IT
• Mitigating IT-related risks

Figure 5.1 - Board of Directors and Various Subcommittees Involved in Governance

Figure 5.2 - Two Primary Goals of IT Governance

Ensuring that an Organization Benefits from IT Investments
• Business managers must take an active part in governing and managing IT
– An effective IT strategic planning process ensures close alignment between business goals and IT project goals and objectives
– Involves applying good project management principles

Mitigating IT-Related Risks

• Requires good internal controls and management accountability
• Sarbanes-Oxley Act
– Holds senior management accountable for the integrity of the organization's financial data and internal controls

Mitigating IT-Related Risks

• Internal control
– A fundamental concept is separation of duties
– Undermined by improper conduct of senior managers and by failure to hold those managers accountable
– Offers reasonable assurance of:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Figure 5.3 - Key Activities Needed for Effective IT Governance

Why Managers Must Understand IT Governance

Importance of IT Governance for Managers
• Universal goal for businesses
– Leveraging IT to transform the enterprise and create value-added services, increased revenue, and decreased expenses
• Effective IT governance:
– Aligns and integrates the IT organization with the business
– Reduces risks and costs
– Helps the company gain a business advantage

IT Governance Frameworks

IT Infrastructure Library (ITIL)

• Set of guidelines initially formulated by the UK government
• Used to standardize, integrate, and manage IT service delivery
• Provides a proven and practical framework for planning and delivering IT operational services
• Organized around a five-phase service life cycle
• Levels of training and certification
– Foundation, practitioner, and manager

Figure 5.4 - Five Phases of ITIL Process Life Cycle

Source: Ingerstedt, Anders, "ITIL and LEAN in IT Service Management," Alite International, October 24, 2014, www.alite-international.com/blog/itil-and-lean-in-it-service-management.

Control Objectives for Information and Related Technology (COBIT)
• Set of guidelines
• Goal
– Aligning IT resources and processes with business objectives, quality standards, monetary controls, and security needs
• Issued by the IT Governance Institute
– www.isaca.org/COBIT/Pages/default.aspx
• Provides guidance for 37 IT-related processes, grouped into five major categories that fall under two domains: governance and management
Table 5.4 - Grouping of COBIT 5.0 Processes

Control Objectives for Information and Related Technology (COBIT)
• The maturity level of each management process is evaluated on a scale of 0 to 5
• The evaluation rates a number of items for each process
• Use the results to choose:
– Which processes have priority for improvement
– Which can be addressed later

Using PDCA and an IT Governance Framework
• Plan-Do-Check-Act (PDCA) model
• Proven method
• Applied to a specific targeted process
• Each step in the model has specific objectives
– Plan step
– Do step
– Check step
– Act step

Figure 5.5 - Process Improvement Using PDCA and COBIT or ITIL

Business Continuity Planning

Business Continuity Planning

• Defines the people and procedures required to ensure timely and orderly resumption of an organization's processes with minimal interruption
• International Organization for Standardization (ISO) standard ISO 22301:2012
– Specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented business continuity management system

Business Continuity Planning

• Due diligence: Effort made by an ordinarily
prudent or reasonable party to avoid harm to
another party
– Failure to make the effort is considered negligence

Disaster Recovery Plan

• Component of the business continuity plan
• Defines the process to recover business information system assets in the event of a disaster
• Focuses on technology recovery
• Identifies the people or teams responsible for taking action in the event of a disaster

Figure 5.6 - Process to Develop a Business Continuity Plan

Process for Developing a Disaster Recovery Plan
• Identify vital records and data
– Determine where and how they are being stored and backed up
– Assess the adequacy of the current data storage plan
– Offsite backup is recommended
• Conduct a business impact analysis
– Recovery time objective: the time within which a business function must be recovered

Table 5.8 - Business Function Classification

Process for Developing a Disaster Recovery Plan
• Define the resources and actions required to recover AAA priority business functions
– Document all the resources needed to recover each business function within its recovery time objective
– Identify the sequence of steps that must occur to recover from a disaster
– Consider specific features for inclusion in the recovery of an AAA priority business function

Process for Developing a Disaster Recovery Plan
– When all the preceding tasks have been completed for the AAA priority business functions:
• Repeat the process for all the AA priority business functions, then for all A priority business functions
– Disaster recovery as a service (DRaaS)
• Replication and hosting of physical or virtual servers and the necessary hardware and software
• Hosted by a third-party service provider
• Delivers IT services in the event of a disaster

Process for Developing a Disaster Recovery Plan
• Define emergency procedures
– Establish the steps to be taken during a disaster and immediately after it
– Planning and practice:
• Minimize loss of life and injuries
• Reduce the impact on the business and its operations
– Develop plans in conjunction with professional first responders
– Computer, data, and equipment backup processes should be triggered automatically

Process for Developing a Disaster Recovery Plan
• Identify and train disaster recovery teams
– Disaster recovery teams
• Control group
• Emergency response team
• Business recovery team
– Members should be selected based on:
• Area of expertise, experience, and ability to function under extreme pressure

Process for Developing a Disaster Recovery Plan
• Train employees
– Employees should be trained to recognize and respond to various types of disaster warnings
– Identify floor wardens who are responsible for evacuating a given floor or work area

Process for Developing a Disaster Recovery Plan
• Practice and update the plan
– Test the disaster recovery plan to ensure that it is effective and that people can execute it
– Employees are expected to exercise the plan and restore operations within the desired recovery time
– Capture problems or issues not addressed by the plan and revise it to incorporate solutions
– The plan must be continually updated to account for changes

Summary

• IT governance is a framework
– Ensures that information technology decisions are made taking into consideration the goals and objectives of the business
• IT governance is the responsibility of executive management
• Five central themes of IT governance
• Organizations use frameworks as a basis to develop their own governance model
– ITIL and COBIT are the best-known frameworks

Summary

• A business continuity plan defines the people and procedures required to ensure timely and orderly resumption of operations and retrieval of data in case of a disaster
