ISO/IEC 38500

The Corporate Governance of IT

www.isaca-london.org COBIT 4.1 © 1996 - 2007 ITGI All rights reserved Roger Southgate 1
The Origins

ISO/IEC 38500 was prepared by Standards Australia (as AS8015:2005) and was adopted, under a “fast-track procedure”, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC.

ISO/IEC 38500 is a high-level, principles-based advisory standard. In addition to providing broad guidance on the role of a governing body, it encourages organizations to use appropriate standards to underpin their governance of IT.

The objective of this standard is to provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of information technology (IT) in their organizations.

The Content

1.0 Scope, Application and Objectives (Benefits – References – Definitions)
2.0 Framework for Good Corporate Governance of IT
    2.1 Principles
    2.2 Model
3.0 Guidance for the Corporate Governance of IT (Evaluate – Direct – Monitor for each Principle)

The Principles

1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human Behaviour

Principle 1 Responsibility

Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2 Strategy

The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.

Principle 3 Acquisitions

IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
Principle 4 Performance

IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5 Conformance

IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

Principle 6 Human Behaviour

IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.

Larry Greiner
Evolution and Revolution as Organisations Grow (from HBR Reprint 98308, Larry E. Greiner)

[Figure: phases of organisational growth plotted against elapsed time; each period of evolutionary growth ends in a crisis that triggers the next phase. Vertical axis annotated Data – Information – Knowledge.]
  Phase 1 Creativity     → crisis of Leadership
  Phase 2 Direction      → crisis of Autonomy
  Phase 3 Delegation     → crisis of Control
  Phase 4 Co-ordination  → crisis of Red Tape
  Phase 5 Collaboration  → crisis of ?
  Phase 6 Collaboration external – Outsourcing / Joint Ventures

The seeds of each crisis lie in the style of management prevailing at the time.
The longer each period of evolutionary growth, the more difficult it becomes to recognise and respond to the growing crises.
These cycles are equally applicable to departments and workgroups.

ITGI Enables

[Figure: matrix of ITGI publications marked “Y” against the areas of practice they support; published 28/01/2009]

All publications available from www.isaca.org
ITGI Guidance
Principle 1—Responsibility

(ISO/IEC 38500: Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.)

What this means in practice: The business (customer) and IT (provider) should collaborate in a partnership model utilising effective communications based on a positive and trusted relationship and demonstrating clarity regarding responsibility and accountability. For larger enterprises, an IT executive committee (often referred to as the IT strategy committee) acting on behalf of the board and chaired by a board member is a very effective mechanism for evaluating, directing and monitoring the use of IT in the enterprise and for advising the board on critical IT issues ... (cont’d)

How ITGI’s guidance enables good practice:
– The Board Briefing on IT Governance and Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2nd Edition publications provide guidance on the roles and responsibilities for IT governance in the business and for the IT function, whether in-house or outsourced, and describe how to establish an effective IT executive (strategy) committee.
– The COBIT and Val IT frameworks include RACI charts showing example roles and responsibilities for board members and management for all key ... (cont’d)

The Model

[Figure: the ISO/IEC 38500 model. Business Pressures and Business Needs feed into Evaluate; the governing body cycles through Evaluate, Direct and Monitor. Proposals come up from the business for evaluation, Direct passes decisions down, and Conformance and Performance are reported back to Monitor. Business Processes and ICT Operations sit beneath the governance cycle.]

The Organisation Challenge

Where and how should IT be used in meeting the demands of Today and preparing for the needs of Tomorrow?

[Figure: the value cycle]
  Define strategy
  Create value (good things to happen) / Preserve value (bad things not happening)
  Resolve problems
  Continuous improvement
  Measure results

The Reality Check

Robert Simons
The Levers of Control

[Figure: the four levers and what each governs]
  Belief Systems              → Core Values
  Boundary Systems            → Risks to be Avoided
  Diagnostic Control Systems  → Critical Performance Variables
  Interactive Control Systems → Strategic Uncertainties
Robert Simons
Levers of Organisation Design

[Figure: the four design levers, each paired with the span it sets]
  Unit Structure (Customer Definition)                       → Span of Control
  Diagnostic Control System (Critical Performance Variables) → Span of Accountability
  Interactive Networks (Creative Tension)                    → Span of Influence
  Shared Responsibilities                                    → Span of Support
“There are no such things as the one right organization. There are only organisations, each of which has distinct strengths, distinct limitations and specific applications. A given organization structure fits certain tasks, in certain conditions and at certain times.”
Peter Drucker, Management Challenges for the 21st Century
Execution - Larry Bossidy & Ram Charan

“Most often today the difference between a company and its competitors is the ability to execute”

“No strategy delivers results unless it’s converted into specific actions”

“The gap nobody knows is the gap between what a company’s leaders want to achieve and the ability of the organisation to achieve it”
Execution - Larry Bossidy & Ram Charan

“Organisations don’t execute unless the right people, individually and collectively, focus on the right details at the right time”

“Dialogue is the core of culture and the basic unit of work. How well people talk to each other determines how well the organisation will function.”

“Is the dialogue stilted, politicised, fragmented and butt covering?”

“Or is it candid and reality based, raising the right questions, debating them, and finding realistic solutions?”
Authority and Accountability

What decisions need to be made?
Where should they be made?
Who should be involved?
When, where and how will we reap the benefits?

[Figure: decision levels – Global, Regional, Country, Business Unit]
The Roots
The journey continues

Business Goals → IT Goals → IT Processes → IT Activities

2005/2007  Governance – IT Focus         v4.1
2001–3
2000       Management of IT Performance  v3
1998       IT Control                    v2
1996       Assurance                     v1
Are we on the same page?

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
What Are We Doing? – The Challenge

Authority – Accountability – Transparency

“Information theory tells us ‘every relay doubles the noise and cuts the message in half’”
Peter F Drucker, Management Challenges for the 21st Century
What Are We Doing? – The Process

“None of us is smarter than all of us”

Authority – Accountability
Opportunities – Limitations
Transparency

“The best plans will not work unless the people do”
The Organisation Challenge

Where and how should IT be used to meet the demands of Today and prepare for the needs of Tomorrow?

What is the purpose of this organisation?
What are its goals?
How will it execute?

[Figure: the value cycle – Define strategy; Create value (good things to happen) / Preserve value (bad things not happening); Resolve problems; Continuous improvement; Measure results – annotated with the COBIT tools applied at each step]
  COBIT RACI: Responsible – Accountable – Consulted – Informed
  COBIT MMA: Maturity Model attributes
The Five Focus Areas of IT Governance

[Figure: the value cycle (Define strategy → Create value / Preserve value → Resolve problems → Continuous improvement → Measure results) mapped to the five focus areas and the four questions]
  What?  IT Alignment             – Are we doing the right things?
         Value Delivery           – Good things to happen; are we getting the benefits?
         Risk Management          – Bad things not happening
  How?   IT Resource Management
         Performance Measurement  – Are we doing them the right way? Are we getting them done well?
Identifying IT Governance Issues

[Figure: issues tabulated by Area, People and Process, assessed with the COBIT RACI charts and the COBIT Maturity Model attributes (MMA)]

Text taken from pages 50-52
Strategic Alignment
focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations

“None of us is smarter than all of us”

RACI self-assessment (rate each activity: Never / Seldom / Often / Mostly / Always)

CEO
  Align and integrate IT strategy with business goals
  Align IT operations with business operations
  Cascade strategy and goals down into the organisation
  Mediate between imperatives of the business and of the technology

Business Executives
  Understand the enterprise’s IT organisation, infrastructure and capabilities
  Drive the definition of business requirements and own them
  Act as sponsor for major IT projects
Enterprise Governance

[Figure: where does IT Governance fit within Enterprise Governance?]
The Main Functions of a Board

• To define the company’s purpose
• To agree strategies and plans for achieving that purpose
• To establish the company’s policies
• To appoint the chief executive
• To monitor and assess the performance of the executive team
• To assess their own performance
Enterprise Governance in Practice

Enterprise Governance has two dimensions:

Conformance – Corporate Governance processes
  • Chairman / CEO
  • Non-Executive Directors
  • Audit Committee
  • Resource and Remuneration Committee
  • Strategic Risk Management for compliance
  • Controls Assurance
  → Accountability, Assurance

Performance – Business Governance processes
  • Strategic Planning and Alignment
  • Strategic Decision Making
  • Dashboards / Scorecards
  • Strategic Enterprise Systems
  • Continuous Improvement
  • Strategic Risk Management
  → Value Creation, Resource Utilisation
The Key Principles of Evaluating and
Improving Governance in Organizations
A. The creation and optimization of sustainable stakeholder
value should be the objective of governance.
B. Good governance should appropriately balance the interests
of stakeholders.
C. The performance and conformance dimensions of governance
are both important to optimize stakeholder value.
D. Good governance should be fully integrated into the
organization.
E. The governing body should be properly constituted and
structured to achieve an appropriate balance between
performance and conformance.
F. The governing body should establish a set of fundamental
values by which the organization operates. All those
participating in governance should embrace these fundamental
values.

The Key Principles of Evaluating and Improving Governance in Organizations (continued)
G. The governing body should understand the organization’s
business model, its operating environment, and how
sustainable stakeholder value is created and optimized.
H. The governing body should provide strategic direction and
oversight in both the performance and conformance
dimensions.
I. Effective and efficient enterprise risk management should
form an integral part of an organization’s governance system.
J. Resource utilization should align with strategic direction.
K. The governing body should periodically measure and evaluate
the organization’s strategic direction and business operations,
and follow up with appropriate actions to ensure appropriate
progress and continued alignment with objectives.
L. The governing body should ensure that reasonable demands
from stakeholders for information are met, and that the
information provided is relevant, understandable, and reliable.

To Summarise

[Figure: the four questions (WHAT – Are we doing the right things? HOW – Are we doing them the right way? HOW – Are we getting them done well? Are we getting the benefits?) mapped to the ITGI Framework, its publications and their audiences]
  Publications: Board Briefing; Management Guidelines; Control Objectives; Maturity Models; Baseline for IT Governance; Baseline for Control; IT Governance Implementation Guide using CobiT; Control Practices; IT Assurance Guide using CobiT; IT Governance Approach Steps; Assurance
  Audiences: Executive; CIO; Audit Director
  Themes: Control Objective; Value; Risk

We know we have the resources, experience and skills to help organisations realise the benefits of their IT investments, both in meeting the demands of Today and preparing for the needs of Tomorrow.
The Way Forward

• Realism
• Relevance
• Results

• Look
• Act
• Speak
• Think
The Opportunity Clock is always ticking……..

The demands of Today – the needs of Tomorrow

Maturity Model Attributes:
  A&C  Awareness and Communication
  PSP  Policies, Standards and Procedures
  T&A  Tools and Automation
  S&E  Skills and Expertise
  R&A  Responsibility and Accountability
  GSM  Goal Setting and Measurement

Requirements for Information:
  Effectiveness
  Efficiency
  Confidentiality
  Integrity
  Availability
  Compliance
  Reliability
Recent Publications

[Figure: the Five Focus Areas diagram repeated (IT Alignment, Value Delivery, Risk Management, IT Resource Management and Performance Measurement around the value cycle, with the four questions) as the backdrop for the recent publications]
