Okay, so let's look at our objectives for Chapter two.
Again, we're talking about managing IT governance,
a lot of things to talk about here. We need to define what
governance really is,
knowing a little bit about the scope and purpose of our IT controls, our security controls.
How we use reference standards
to make the governance more effective.
Who's responsible for implementing governance? That's a really important question.
Sometimes when there's confusion on a point like this, it causes other problems due to the ripple effect of people making decisions on their own
that maybe they weren't authorized to make.
What about fiduciary responsibility?
Who's responsible for holding the purse strings as it relates to protecting assets?
And how do you deal with
requests for more money?
Defining our executive strategy:
What is that going to be for the organization? What direction are you going to head in? How will that be implemented?
Looking at portfolios, programs,
and the Project Management Office,
trying to understand the differences between those concepts. How does management control
the IT aspect of the organization?
What measurements are they relying on?
We'll take a look at some considerations there.
Also, management has to protect
the transactions. Financial transactions, database transactions.
Anything that's occurring between a client and the organization or within
the organization itself needs to be understood,
especially from the audit perspective,
where you're looking at low level processes and mechanisms to make sure they're effectively working and can be measured and monitored.
And then lastly, we'll cover
business process reengineering.
This is the idea that
if you're monitoring and measuring the performance of your organization
inevitably, you're going to come across something that's not working as well as it should be.
So what do you do in that case, and how do you manage that?
All right, starting off with our strategy for organizational control planning.
The idea here is that the auditor is trying to understand the high level objectives for management.
There should be an alignment between what management wants to do,
the resources they have available to spend to make those goals happen, and what the actual organization,
the organization's charter is,
so it could be a difficult task
to deal with all these variables.
But the simplified way of saying it is that the leadership in the organization needs to understand how to expend their resources to achieve the goals of the organization as a whole. What happens when there are
management not being involved at the right level?
This is another call back to our monitoring requirements.
If a manager is too involved, you know, the typical micromanager, that presents its own problems.
But what we need to think about is what kinds of automated
detective controls can be used
in a typical environment
to make sure that certain things are discovered when needed, without the need for somebody to actually manually look at items and constantly be asking questions.
That sort of dovetails into the idea of continuous monitoring, why that's so important
for the typical organization.
Another thing to think about here is that we want to make sure that
when problems do get discovered
that a mature organization can quickly decide what to do about it.
You shouldn't have a
discovery of a security issue that goes
unremediated for any length of time. That would be poor management,
and obviously there are different problems that will result from that kind of pattern of behavior.
What about an IT steering committee?
Steering committees are trying to decide
how to maneuver the organization through different
tasks or different challenges
as it relates to IT.
This means: where do we spend our money?
More firewalls? Do we buy more licenses for
our intrusion protection system?
Do we send more people to training? These are the kinds of questions that might get answered in a typical steering committee meeting.
Each member of the steering committee should have
representation within the steering committee's charter
showing what the purpose of the group is and what each member's contribution is expected to be.
Each member also needs to be granted the appropriate level of authority to make some decisions.
So a steering committee might be composed of the managers or directors
of different business units within the organization, so that they are guaranteed to have the authority required
to say yes, this is a problem. We can deal with it because I can make the decision to allocate some resources to this particular challenge. So what kinds of people do we need in a steering committee? Someone from marketing.
Their goal is to try to get more customers for the products and services that the organization offers.
They will definitely have some interesting input
as far as what makes sense
from a marketing perspective, to spend money on or to spend time on.
People that are involved in producing a product or developing software: also important to have in a steering committee.
Some representation in this area would be useful because now you can
have that person decide whether or not it's worth the effort to do something.
If it's going to take a year to develop software to solve a problem, does that really make sense, or should we buy something off the shelf? You know, those kinds of
discussions you might expect to have.
Sales: they go hand in hand with marketing.
Salespeople need their own resources to try to attract new customers,
or to increase the amount of purchases by existing customers. So these are things to think about.
finance is also involved,
the purse strings, as I mentioned earlier, and should understand the connections between
the resource allocation requirements within the organization
coming up with effective budgets, knowing that
certain things require money. The idea that you have to spend money to make money should not be, ah,
having some legal representation.
This is important as well as I mentioned earlier. We want to make sure we stay on the right side of the law.
There might be a great idea that sales marketing has
for generating new business,
but there could be legal repercussions if it's done improperly.
You know, things like data mining or,
uh, you know, social
are typical areas where there are some legal considerations to make sure that
things are being done correctly.
ties again into some resource allocation considerations.
But this is the idea that someone should be there in the room that could look at the initiatives and projects to say that
we can't get this ready in the time frame that you want because we need time to test it. We need time to make sure that this is
up to the standards that the organization demands
Research and development, or R&D.
They're trying to find new ways to
create new products and services for the organization,
it makes sense to have some representation here because they might have ideas
that need to be discussed among other members of the steering committee.
And then we have our project management office.
The PMO is in charge of
the portfolio of projects, trying to understand what each project requires
personnel and financial resources
and of course, tracking each of those projects from
initiation to completion.
Well, some more people in the steering committee: business continuity or disaster recovery.
This is an important thing to think about.
An idea comes across
the table to say that we want to do something different. We want to expand this.
We want to reorganize that.
Business continuity experts might say, well, that's going to present challenges for some of the
requirements to keep the business running.
The idea that's being proposed is very complex
and would require a lot of work to ensure continuity if your primary facility goes down or offline for some reason. Can't forget IT.
That's where your CIO plays a large role,
to know that, okay, we've got all these great ideas, we've got some money to spend.
Now, does the IT infrastructure
actually exist to support these efforts?
Or do we have to buy some new equipment or expand somehow what we've already been doing in order to support these initiatives?
making sure that we've got the right people
in the organization, that they've been properly vetted, properly checked
and that we're treating people with the respect that they deserve and,
of course, being careful to avoid any kind of discrimination
and, uh, treating PII properly and so on.
Labor management: sort of related to HR,
maybe a little bit more specified if you're involved in an organization that's dealing with unions.
and then lastly, we have administration,
and this is just a general term
to think about the people that help keep all the moving parts working efficiently.
You've got administrative assistants. You've got secretaries,
executive assistants, people that are trying to help
others get their job done more effectively.
what is the difference between a strategic plan,
a long term plan or operational plan?
There's different kinds of timeframes involved here.
Um, we normally would think of that as something that's three years or longer
in its time frame.
So the strategy is something that's more the long term vision.
We know that tactics make up strategies, so tactical planning
is more akin to operational planning
or something that's maybe a year or less in time frame.
These are smaller steps that are done in order to support the long term vision, which is your strategic planning.
But then we have long term planning, which is sort of the middle ground.
We can see in all these different cases the board of directors. We have various people for strategic planning: CEO, the CEO,
In our long term planning, some of the same people are involved. But now we've got department directors
that are looking at the components of the business, trying to understand
whether the products and services that are being offered are effective, or if there's room for improvement
and then again, with the operational planning.
These are the smaller day to day tasks
and initiatives that support the long term and strategic planning.
So they kind of all have their interrelationships with each other,
and we have the concept of the balanced scorecard, or the BSC.
This helps business executives
define the metrics that they can use to see if the organization is performing as expected. We're looking at various things: customer perception,
the processes of the business.
What are the prospects for growth for the organization?
How would you measure those things
in order to manage them?
The measure-it-to-manage-it idea here. So we look at the methodology for the BSC, the balanced scorecard. We can see from a customer perspective,
If they're thinking,
What is it about this organization that makes them stand out? Why are they important? What is it that they provide
that makes customers want to do business with them?
From the business process perspective, you're thinking about: what is it that we do?
our products and services to get an advantage in the marketplace? How could we gain more market share?
What are the key performance indicators?
If you can't measure those things, then it's very difficult to know if you're doing well. Just measuring profits is only one indicator
for how well our organization's doing.
We have to consider financial goals.
If you're supporting shareholders, that's a consideration:
act on their behalf as well as the owners of the organization or the employees.
company generating a lot of profit? A lot of cash?
Or are they heavily in debt? These are other
KPIs, or not KPIs but
scorecard items that might be considered.
Then we have to think about the growth of the organization.
If you're trying to gain market share or increase sales, how is that going to be done?
What kinds of metrics
would need to be examined in order to understand if you're doing a good job now or where you might find areas for improvement?
You know, how would you, uh,
attract new workers? Or how would you get those people trained in order to advance the goals of the organization?
So there are some advantages and disadvantages to using the balanced scorecard method.
because it gives executives a way to focus on the metrics that they think are most important to the way the organization functions.
Having some understanding of
the relationship between the financial aspect as well.
So we're measuring things. We see the linkages between those things we're measuring and the money that we're spending to generate those numbers, right?
Ah, and this is another interesting concept here. If this is fully implemented,
none of the departments should have their own budget.
the budget is being decided at the enterprise level
therefore being controlled more centrally.
That means that your organization might be in a more mature state.
The initiatives that are actually put on the scorecard have to be chosen carefully so that you're not
blending things that are high priority with moderate or low priority.
They should be categorized correctly
and grouped accordingly, so that
when you're measuring
performance and other indicators, it makes sense to do that
within that particular category or group.
You have to worry about politics.
If politics are an issue within your organization, that might derail certain initiatives because they're not popular with certain individuals.
So trying to have a powerful sponsor who can remove obstacles is one of the big goals here.
So we look at some different perspectives for a balanced scorecard. We can see we've got
a financial perspective, process,
growth and learning, and customer perspective.
And we've got some relationships between these different things.
So between financial and customer,
you know, the customer's looking for the vision of the company or the organization, and financial
considerations are looking to the customers for growth.
Then we have strategy and improvement between the financial aspects and the processes that the organization
Then we've got refinement and definitions between the
processes that the organization's using and initiatives to grow the company and to expand its customer base.
And then, lastly, between growth and learning and the customer,
we wanted, the customer needs to know that they've got a good support
And we want to know that we can link the growth of the company to expanding customer base.
So it's a nice, nice way of putting these four concepts together
to think about how a balanced scorecard might look.
This isn't the way it would look on
on the actual documentation. Just more of a conceptual,
idea here. So information technology
is a part of your balanced scorecard, as you would expect.
So the scorecard is created, and then the IT management would then fill in some gaps as far as the details for how certain things are going to be accomplished.
For instance, the mission:
IT needs to support the mission of the organization as a whole.
So that means that you've got the right people available
with the correct level of training
and that they know what to do when problems occur or when new requirements are discussed. Knowing how to control the strategy for IT
is an important thing to think about,
especially as it relates to the financial consideration.
You could have a fantastic strategy, but if the finances aren't available to achieve
those goals, then you might have to deal with some kind of compromise along the way
to say that we're gonna have to do more with less. And that's a common theme in this day and age,
doing more with less.
But in general, money spent on IT initiatives should provide
some value to the organization's bottom line.
Maybe your data is now more secure, so you've got less customers leaving because of problems.
You're improving the performance of your products and services so that customers are happy and they buy more of them or they spread the word
to use your products and services, so there's some linkages there as well.
And then, of course, we can't forget metrics.
If we can't see how the expenditure of time and money
in IT is really affecting the organization overall,
then we can't manage that. We need to measure it first.