On March 2nd, I will be speaking at the Delaware Apartment Association’s annual conference at Dover Downs. My part of the presentation will be an hour long. The setting will be a “casual” Larry King-type setting: a moderator will be asking questions and I will be answering them. The presentation will be focused on 5 areas of IT for the SMB market, each topic 10 minutes long.
- Proper IT Governance
- Pro-Active Managed Services
- Risk & Risk Management
- Disaster Recovery & Business Continuity
- Cloud Services vs. On-Site
I just completed my material on what I believe is Proper IT Governance. Most of the information came from class materials & the ISACA Library. Feel free to let me know your thoughts and feelings, and whether I missed something or got something incorrect.
How To Implement Proper Governance
Understand & Identify Organizational “Pain” Problems
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk and security events (e.g., data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Insufficient IT resources
• IT staff burnout/dissatisfaction
• Frequent failure of IT-enabled changes
• Reluctance of board members or senior managers to engage with IT
• Ineffective IT third-party or vendor relationships
Create A Plan
Form an IT Committee – Select a member from each business process to be a part of a Technology Council. Entice them to join.
Review Current Policies
Perform a SWOT Analysis and label business processes. Examples:
- Process workflows/documents
- Control activities and control frameworks
- Existing controls and matrices
Set a Goal
Whether it is to better demonstrate compliance with regulatory requirements or decrease operational inefficiencies, the desired state is set by the needs of the stakeholders. Once the desired state is identified, a gap analysis is necessary to identify what gaps exist between the current state and the desired state.
Develop Roadmap & Plan
Identifying the gaps between the enterprise’s current state and desired state yields a set of tasks that must be completed to bridge the gaps.
The implementation plan outlines the steps that will be taken:
- the individual(s) responsible
- the time line and dependencies
- the resources needed to complete the project.
This is necessary because resources will be needed from various areas in the enterprise and their managers must be committed to making them available.
Enterprise resources must be tied to processes in the internal control environment, which provides the enterprise the means to ensure that risk is managed appropriately and resources are used effectively.
Connecting resources to processes will ideally follow the results of a risk assessment. This risk assessment identifies the potential risk areas that face the organization and documents the impact, severity and potential undesirable outcomes for the organization as a result. The scope of the risk assessment could be to enable the organization to select which areas need to be improved based on the data gathered in the SWOT analysis and interviews, and to help prioritize based on the residual risk that remains after the effectiveness of the control environment is evaluated.
Execute the Plan
This phase of implementation is typically the longest and most involved, but the time frame should be reasonable in order to be manageable and deliver benefit.
The enterprise may still not yet be ready for implementation. For example, there may be competing priorities that need to be resolved before the implementation can proceed, or the resources required to implement may not be readily available. Therefore, the organization must be readied for the implementation to start.
Tone at the top: complete and total buy-in from all high-level employees; management sets the example. Prior to executing the plan, the enterprise must understand and be on board with the changes that are to come. Maintain communication and transparency throughout the projects.
A few key elements to effectively manage execution:
• Keep the business case and project plan up to date so the plan can continue to operate based on the current situation.
• Build quick wins into the program to keep momentum going from the initial communications. Recognize and reward those involved in achieving the quick wins. Communicate these wins in project communications or more broadly on internal portals or postings.
• Make sure that “success” in this context is clearly defined and communicated.
• Clearly communicate roles and responsibilities for use.
• Be prepared to handle issues related to transition and change (i.e., addressing concerns related to changes in reporting/responsibility/authority or handling new expectations).
• Provide regular updates to stakeholders so they know the program is progressing and remains on track.
• Monitor risks and issues related to executing the project plan and develop means for remediation if needed.
• Approve and manage any changes to the plan.
Continuous Monitoring, Improving, & Evaluating
Overall performance can be monitored against the goals and objectives set in the business case, and the investment can be measured as actual costs versus the benefits of the initiative. Analysis of processes can also help to see whether the enterprise has achieved the efficiencies that were sought at the beginning of the implementation project.
One way to determine success is to have defined critical success factors (CSFs). CSFs are key issues or actions that must go right if goals are to be attained. Like all metrics, these should be measurable so that it is easy to determine if the action has been successful.
Metrics should be SMART:
• Specific—Based on a clearly understood goal; clear and concise
• Measurable—Able to be measured; quantifiable (objective), not subjective
• Attainable—Realistic; based on important goals and values
• Relevant—Directly related to a specific activity or goal
• Time-bound—Grounded in a specific time frame
It is important to establish a review cycle to ensure that the program is still delivering value to stakeholders. At a minimum, this should be done yearly. New requirements may arise that will need to be addressed, stakeholders’ needs may change, or other changes may occur that can affect the goals.