Time
10 hours 8 minutes
Difficulty
Advanced
CEU/CPE
9

Video Transcription

00:00
Welcome back to Cybrary Live, and our course today is the CGEIT course, which of course is Certified in the Governance of Enterprise IT. So we're glad you're here
00:15
and we're looking forward to going ahead and moving into the material
00:20
a little bit over halfway done. And today we're going to wrap up Chapter three, which is on value delivery, and we're gonna move into the section on risk optimization, as we have just a little bit left
00:35
to do with chapter three and then we'll be ready to roll. All right, so I hope everybody's having a good afternoon and we're ready to jump in and start talking about the governance of Enterprise IT. And one of the things that you've noticed, I know, and that we've been focused very heavily on,
00:55
has been on value creation and not just value creation, but
01:00
value creation. By that I mean value creation that we can trace and prove is bound to the IT department and that justifies our existence with what we do. And that's always gonna be important, because ultimately what we're looking for
01:18
is to prove that IT adds value to the organization,
01:22
as opposed to it's just one of those necessary evils. So you and I know that's the case, how much value IT brings. But sometimes that's not enough. And sometimes we find that we have to justify our existence to others. So in the material that we looked
01:42
at earlier
01:44
We had talked about portfolio management and we talked about investment management first. And, of course, with investment management, what we're looking at is to view every element of IT as an investment,
01:57
not as just an undertaking, not as just bigger, better, faster technology.
02:04
But it's something that will deliver value to the organization
02:07
and making sure that we can show that and demonstrate it, because perception really is reality. And if we're not able to demonstrate our value, then people are not gonna understand our value, right? So with investment management, we talked about how we want to make sure that we can indicate the value
02:27
through
02:28
matching, we're accomplishing business objectives. We've said, you know, that investments come from lots of different categories. You know, we can look at innovation to be on the cutting edge. We can look at growth, potential, maintenance. All of those are areas in which we can justify
02:46
We can justify expenses.
02:49
So we said that we've got transactional... uh, I'm sorry, transactional investments. And ultimately, what we're looking to do is to do things better, right? You know, I was actually kind of surprised about this. But there was
03:07
a security breach with an international hardware company.
03:10
Very, very well known, very large company. And with the breach, about six months earlier, they had hired a third-party organization to come in and evaluate their environment, pretty much because they had to. And you could tell they didn't really have a whole lot of buy-in.
03:29
But ultimately they were told. OK, here's your list of vulnerabilities. And the response from senior management was essentially,
03:37
Look, we build hammers.
03:39
That's all we do. We build hammers, we sell hammers. I want to sell more hammers. I don't want to focus on penetration tests, vulnerability assessments, IT patching. I don't want to mess with that.
03:52
So, you know, that's a very, very ignorant way of approaching business today. You just can't do that right. We have customer records, payment information, accounting information. We can't think about that.
04:06
However,
04:08
if you really do want to sell more hammers more efficiently, technology can help you with that,
04:14
right? We can manage customer accounts. We can find our inventory. We can find pricing, we can track information. So that's a transactional investment. How can we help you do what you're already doing?
04:28
Okay.
04:30
Now, another way, or another type of investment, is informational. Help people get the information that they need at the right time.
04:39
So maybe in the hospital, I have to have a patient's medical information right now, or in manufacturing, I have to know the, um, dye color contents of the capsule.
04:54
Whatever. So, informational: helping us get our information when we need it, how we need it, and with a guarantee that it hasn't been modified.
05:05
All right. Other investments, strategic investments, help me get where I want to be down the line. And where I want to be down the line is, I want to be at the top of the industry, or I want to be an innovative leader.
05:20
I want customers to see my name and think quality. Whatever my strategic goals are that's an investment as well. You don't get there for free without any effort.
05:31
And then last
05:33
infrastructure. We have to have a supporting infrastructure in order to have technology, right? We have to have the servers and the systems and the network and the cable and the routers and the VLANs, and all of that infrastructure.
05:49
That's an investment, right? I'm investing in the capabilities of our organization.
05:55
So you know, the whole point of that particular section was: we have to think about IT expenditures as investments. And any time I make an investment, I want to know what my return is, right? I don't just invest and say I hope that does well.
06:13
Here's $50,000. I'm gonna buy some stock in XYZ company.
06:17
Let's hope it does well. No, I want to be able to monitor it. I want to be able to know, is it on track for meeting its objectives? Is it behind schedule? Are risks coming up? And are they interfering with the likelihood of meeting objectives? What's going on with this investment? And it's the same way with IT.
06:36
So when we're looking at our investments,
06:41
we have to manage and track. So when we make the investment, we have expectations for the performance of that investment. And before we invest, or before we begin our project, we define exactly what we're looking for. What does a quality project
07:00
yield?
07:00
What is the expectation from this I t investment? What are the critical success factors for me to go? Okay,
07:11
we did it.
07:12
So as part of planning, before we would ever start a project, we have to clearly define what it means to be successful
07:21
and how we're gonna measure for success up against those metrics. And then what do we do if we don't get success?
07:30
Right? 'Cause I don't wait until... okay, we expect this investment to be good for five years. I don't wait till four years and 11 months to say we're not meeting our objectives. I do that early and often. So if I can determine we're off track early,
07:46
what do I do to get us back on track? All of that needs to be documented in the planning piece. And this is how we manage investments. Normally, IT endeavors are investments. So we've got to adapt that line of thinking as far as governance goes.
08:05
All right, so we talked about that and the process. We really kind of discussed the process for investment and how we select, we figure our priorities, cost-benefit, and so on.
08:20
Three main components. Here we go. The three main components of investment management.
08:28
The first element is the business case. And again, the business case is gonna help us determine which project to take on. And it's going to get buy-in, right? What we're trying to do here is persuade
08:45
others that this is the right endeavor to tackle. This is the right project that we work on, or this is the right investment. And that business case is going to become really, really important, because we'll continue to go back to the business case, and we'll talk about why.
09:01
All right, then, the next piece: once we've selected our investment, we manage that as a project or program.
09:09
So ultimately we need to govern those processes that are necessary for implementation and execution.
09:18
We need to make sure that we're documenting. We need to have control over scope, time, cost,
09:24
and then ultimately we need to determine that we're receiving the benefits from this project, right? There may be benefits, but are we receiving them?
09:37
So ultimately, when we talk about managing investments,
09:41
business case authorizes, we go into program management so that we can ensure the implementation happens on schedule within our budget, doing the right amount of work. And then we go back and evaluate. We make sure we're getting the benefits.
09:56
All right. We talked about Val IT, and we talked about how Val IT has practices and processes to make sure that we are getting the benefits.
10:09
Then we went into portfolio management. I'm not gonna go through every slide here, 'cause I know we've already talked about this, but ultimately, what I want from portfolio management is not to just demonstrate the value of specific investments. I want to demonstrate the value of IT overall.
10:28
Okay. I don't want just, ah, you know, that was a good decision. I want to be able to say, and this is what we do for you. I want to be able to report in front of shareholders: this is what IT brought to the table for this quarter, or for this past fiscal year, or whatever it is.
10:46
you know, if if you can't demonstrate your worth within an organization,
10:52
it's not long before that organization looks for, you know, another entity to manage that work, and to be able to demonstrate value.
11:01
So, yeah, we've got to demonstrate that value.
11:05
All right, we talk about the different portfolio management practices
11:11
and talked about, ah, schemes that we might implement in order to better manage our portfolios and ultimately managing those portfolios in such a way that we don't suffer from scope creep. We try to identify and mitigate risks. Early on,
11:31
we try to remove redundancies
11:33
and we try to manage our investments well so that we can manage our portfolios well.
11:39
All right. And that brings us up to the business case. And this is where we begin this week, talking about a business case. And again, what I'm trying to do with this business case is to get shareholders on board,
11:56
try to get senior management on board, other employees, try to get the IT staff on board. If this is for a customer, make sure they're on board. Ultimately, this is the justification for the program that we're gonna undertake.
12:11
So we have to be convincing here.
12:13
Now,
12:16
when we start the business case, we realize that it's not always about money, and I know we know that. I think we're probably pretty solid on the fact that not every project is to make a profit.
12:28
Many of them are, right? Nothing wrong with profit. But sometimes we have to do upgrades. Sometimes we have to make changes to be in regulatory compliance. There are many different reasons that we might undertake IT endeavors other than profit. So whatever those reasons are,
12:46
they need to be referenced in the business case.
12:50
So again, we're gonna convince our stakeholders.
12:54
The business case is an essential project management document.
12:58
It goes into the project charter. So for those of you that have been sitting in the PMP course, the project management professional course, we talk about how the very first process in a project is to develop a project charter. That project charter authorizes the project.
13:16
This is where commitment to fund the project comes from the sponsor.
13:20
This is where the project manager is officially named and their level of authority. You know, this is the document that says, hey, we have a project here,
13:31
but we have to have chosen that project first. And how did we choose the project? Through a business case. And a lot of the information on that business case comes over into the project charter. So I don't know if you've noticed this, but for those of you that are sitting through multiple classes, all of this ties in.
13:52
You know, every bit of what we do here on Cybrary
13:54
pulls together and comes together in a greater sense of an enterprise environment. And it should. You know, none of these services and these capabilities really stand alone. You want to just focus on being a technical person? Well, you can't be a technical person well
14:13
if you don't understand the role of tech in your organization,
14:16
right? Very hard to be an enterprise administrator if you don't understand not just the technology but the governance side. You know, it's hard to be in corporate governance if you haven't managed projects. That's the way it should be. All of these elements should come together,
14:35
which I always think is great when folks have the capability and have the time
14:39
to take off. And, as a matter of fact, anybody that is a nonessential employee for the government,
14:46
sadly, you have plenty of time, it seems. But the idea, you know, I really think it's great if you have the time to sit through multiple classes and just see how it all comes together.
15:00
Okay, now,
15:01
like I said, it's an essential document. It's the main input into the project charter. I want to write a project charter. First thing I need is a business case.
15:13
Okay, so what is the business case? Well, I just told you what a business case is. Wait, there's more. OK, so
15:20
what we wanna examine is the ways in which this investment, this project or program, will benefit us.
15:28
So we have to think about strategic benefits, operational
15:33
benefits, financial benefits, innovation all coming together for a return on investment.
15:41
So once again, strategic. Think 3 to 5 years out. Think about how will this help me move closer to my goals
15:50
now? Operations?
15:54
Excuse me. These tend to be more day to day or more short-term focused. So when we're looking at monitoring logs, we're looking at, ah, the day-to-day production of whatever the organization produces. Those are the things that are operations. Okay,
16:11
Do we have benefits to both Or is it just more strategic or more operational?
16:15
Do we have financial benefits? Will this help us for innovation and doing things better? Well, whatever those elements are, what it ultimately comes down to is cost benefit analysis. And what I want to see is a return on my investment. We have to keep in mind
16:34
that when we talk about cost benefit,
16:37
benefit versus cost is not always money
16:41
on either end cost benefit.
16:42
You know, if you think about information security, the cost of information, security isn't always dollars.
16:49
It might be performance. It might be backwards compatibility. It might be ease of use. So those are costs. Now the benefit may be
17:00
reduced loss.
17:02
But we don't know. You see, that's hard to get really excited about. Yay, I didn't lose $100 today, or yay, I didn't lose $100,000. And unfortunately, sometimes the only time folks think about information security is when it's a problem.
17:18
You know, nobody gets the pat on the back. Hey, thanks for not having us lose 100 million account numbers today.
17:22
But very quickly, when those account numbers are compromised, folks associate that with IT. So it's kind of one of those two-edged swords.
17:32
Okay, So what's gonna be included in this business case? Well, we're gonna have an executive summary.
17:37
And I love executive summaries because I'm a little bit attentionally challenged. I am the original person that "Oh, look, a squirrel" was written for. So the executive summary, just get to the point,
17:52
right? Just tell me what we're doing here. And once I get that executive summary, then I can go into details. But I just can't dive right into details off the bat.
18:02
Tell me what we're looking at. And then let's move
18:04
Now the next two pieces.
18:07
Often you'll hear these two pieces referred to as problem statement and solution statement.
18:14
Problem statement and solution statement. And these two entities should be totally separate.
18:21
The problem should come from the customer.
18:25
Okay, we
18:26
those of us that are gonna perform the work for the customer do not influence the problem statement.
18:33
We're the ones that come up with the solution statement, and we don't let the customer influence the solution
18:41
any more than is reasonable.
18:44
Here's what I mean by that.
18:45
Okay? Problem statement. Many times customers think they know what they want,
18:51
and I'm not discounting customers. Customers keep the world going round, right? My customers are my favorite people. But not always does everybody know what they want. You know, I'll go into a store and think I need one thing and I actually need another.
19:07
Or if you don't know much about cars, you go in and say, Hey, I think my thermal flux capacitor isn't working right
19:12
and they go in. They say that's not a thing. What's actually failing is such and such, right? So
19:21
with the problem statement, all I want from my customer to start with is: what's wrong? What is the problem you're trying to solve? Don't say you want to migrate to the cloud, or you need to upgrade your equipment, or you need to move to IPv6, or any of that. Don't
19:38
you?
19:41
What is the problem you're trying to solve?
19:44
That's problem statement, and that should stand alone.
19:48
Okay, This is the problem that the customer needs to fix.
19:52
Great.
19:53
Now I know what the customer needs to fix. What I want to do, and spend my resources on, is to figure out how we can best solve the problem the customer has.
20:04
Okay, so the customer didn't tell us, we're gonna upgrade infrastructure, we're gonna move to IPv6. Those might be the answers. But the customer, in their problem statement, said: here's the problem.
20:18
The problem is, at the beginning of the year, Medicare changed their requirements for billing. We're no longer in compliance. Stop.
20:29
So now I have to figure out, OK, you're not in compliance. What is compliance? Where are you? Where do you want to be?
20:36
Then I'm gonna figure out how to get you there as the solution statement. But, and I know it may seem like I spend too much time on this, but a lot of times when you're doing program or project management,
20:48
the problem with projects is that we have poor requirements. The customer gave us incomplete requirements. We didn't understand the requirements properly. Requirements change.
20:57
So if we can start off with a clear understanding of the problem the customer's trying to fix, that will help us avoid some of those problems with requirements, because our solution to their problem
21:12
is gonna be what we do with our project. Right? We're gonna implement the solution that fixes their problem.
21:18
Now, we also want to talk about in our business case expected costs. What are, uh, you know, where we gonna output money? Or like I said, it's not always money. When we talk about costs, when we try to make this move, what are the things that are gonna limit us?
21:37
What sort of costs are we going to come up against?
21:41
But then, what are the benefits? And when our benefits outweigh our costs, we're in good shape, right? So that certainly helps to justify this particular program or project.
21:52
Then we determine an execution timeline. At the business case level we're very high up. We're very broad. We're not saying, OK, so we're gonna begin on January 22nd at eight o'clock. Our first three tasks are gonna take 7.5 days, then we'll move on.
22:10
We're basically saying, Look, we can have this accomplished by January 1st or by the end of third quarter,
22:15
whatever, but it's gonna be very broad,
22:18
okay? And those are the elements of a business case
22:23
now, as a matter of fact, let me just see here. Uh
22:30
um, I want to show you a business case. I can't remember if I downloaded this or not. So if I didn't,
22:37
If you'll just give me one second, I wanna
22:40
hop out here
22:41
and get that business case for you
22:47
because I think it's always helpful. If you haven't worked with business cases, many of you probably have. But if not
22:53
just to kind of see. There's, ah, a location online that I particularly like that has a lot of templates for program, project and portfolio management. And it's called Project Management Docs dot com. Like project management documents. But projectmanagementdocs
23:12
.com
23:14
And a lot of templates I use for program and project management come from that site. I think that, you know, they do a pretty good job.
23:22
Excuse me. Have to yawn all of a sudden.
23:26
Ah, here we go.
23:30
Doo-de-doo. Get a little redundancy in my layers there. I need to
23:36
clean that up a little bit.
23:40
Eventually, I will get there a business case template. There we go.
23:45
Okay. So I just wanted to give you an idea of what your business case may look like, but again, it's a very critical element. All right, so we start out with the business case, we document the project or the investment,
24:02
right? This is what we're selling in this business case, and we don't have to go through every page. As a matter of fact, if you just look at the table of contents, what you can see again is the executive summary, the issue, that's ultimately what we're trying to accomplish.
24:18
That's really kind of the problem statement. Here's our solution statement, recommendation, justification.
24:23
So this is just wrapping it up quickly.
24:26
However more drawn out, more detailed
24:30
problem definition.
24:32
Okay. And then the project is gonna be
24:34
what is going to...
24:37
ah, the project is gonna be what solves the issue with the...
24:44
the problem.
24:45
An overview of the project. What are our success factors, goals, objectives? What is expected from performance? Major milestones. These are big flags in your project. So January 4th, I should have phase one complete. That's a milestone in your project.
25:02
and then noticed down at the bottom. We never get away from strategic alignment
25:07
with my organization. That's what it's all about. And in my business case, I don't just sell. Look at this. This is cool. I sell. How will this support our organization? How will this get our organization closer to our goals?
25:26
Okay, so ultimately, what we're saying
25:30
goals and objectives, how the project will move us closer.
25:34
And then we go through the cost benefit analysis like we talked about how certain costs
25:41
and certain benefits savings, um and so on.
25:45
So that's a business case scenario. And once again, this comes to us from the site
25:53
projectmanagementdocs.com.
25:56
I think it's a great site. I think it's really helpful. And of course, these templates aren't gonna be everything you need them to be, but they're a really good start. So if you wanna work with it,
26:07
you have it there.
26:11
Okay, so moving right along, we continue.
26:22
All right.
26:23
So when we do our business case
26:26
the business case should be top down, right? Our leaders should be on board. Our senior managers, board of directors, any upper-level board members. You know, you might have a risk management board or a steering committee to determine certain things.
26:45
Those are all senior management, those are all part
26:48
of governance. If we don't start at the top, nothing
26:53
else is gonna happen. Bottom up reporting. So top down decision making
27:00
top down direction, top down influence, bottom up reporting. And ultimately, what that means is the folks that end users, the tech team, the folks that are there in the field, they're gonna be the ones that report up.
27:15
But decisions flow downwards. So decisions up,
27:19
uh, escalations up, strategy down, if you will.
27:23
All right. So at the very minimum a business case needs to reference what the benefits are that we're trying to accomplish. What are the changes that need to happen?
27:37
Investment information. Return on investment. What's going to change? We're selling
27:45
the investment, we're selling the project.
27:48
All right, now, to get started with a business case,
27:53
we always start with research. Always start with research, right? Can't just jump into something with both feet or let me just say we should always start with research. I've worked many places where that was not the case.
28:10
So, a fact sheet: what's our relevant data? Again,
28:15
things like problem statement.
28:18
I don't have my solution yet, but what's the problem? Statement collect that information. Who are the key stakeholders? Um,
28:26
what sort of funding do we expect? What sort of risk context do we operate within? When I talk about risk context, every organization has their own culture has their own environment. And the risks that I face
28:41
out in the field in the military are very different than the risks that I face sitting at home behind a computer recording videos, right?
28:49
So what's the context of our organization? What are the organization's strategic goals? I can't align if I don't know.
29:00
So always, we go back to document document document.
29:04
Now, I take all this information, I'm gonna analyze it.
29:08
So with analysis, what I'm trying to figure out is once again, um, alignment with the business.
29:17
Okay, then we think about financial benefits and we think about nonfinancial benefits because again we're selling.
29:25
Here's what we're gonna do. Here's how we're going to see a return on investment.
29:30
Hey,
29:30
then we get an appraisal and optimization of the cost-benefit or the risk return,
29:37
and we're gonna document
29:40
ultimately all of this we're going to document our expectations.
29:45
We're going to document how we expect to manage this particular project, very high level. What our goals and objectives are. And then we're ultimately gonna look at the business case that is going to be used throughout the entire life cycle of the project,
30:06
from planning to executing, to monitoring, controlling and closing a project. Did I meet my key objectives? That's always what we're asking with project Management. Did I get there?
30:18
Okay, so this is just a little flow chart that talks about what we're looking to do, right? Exact same eight steps we saw just a minute ago.
30:27
All right, priorities. Not everybody's priority is the same.
30:33
You'll see some companies that donate millions and millions of dollars, and you'll see some companies that don't.
30:40
You'll see some companies that just keep putting money back into the business. You'll see some organizations where the upper executives get a whole bunch of money and hit the road.
30:48
You'll see some organizations that share the wealth with employees. Employees get bonuses and lots of incentives. So the bottom line is every company is different. What our expectations are
31:00
should be
31:03
what our corporate strategy helps us achieve.
31:07
Okay, I don't think I said that particularly well, but the bottom line is the corporate strategy is
31:14
what we want to accomplish. And again, we're thinking down the road we're thinking longer term than just this week in this month.
31:21
So ultimately, what we want to do is have a strategy big picture that will lead to the development of a program, particularly when we think about information security. I'll have a security strategy, and that security strategy comes from governance. What are we looking to do?
31:38
Then I'll have a plan or a program that will help me get there. That's management.
31:45
Risk: our risk strategy comes from senior management.
31:48
Our risk plans come from functional management. The how.
31:53
Okay, So
31:56
senior management has to prioritize for us. I'm in IT; of course IT is the top priority. You're in production, same thing. So senior management sets the priorities.
32:07
Okay. What we do is, or the next thing after we have our priorities, we figure out if we're meeting those priorities. You know, this is a priority to me. I want to make sure that we're in compliance. Well, are we there?
32:21
And if not, we look at where we are versus where we want to be. So that's current state versus desired state. And when we look at those two and figure out how to bring them closer together, that's called the gap analysis. That's a really important element of business, because what we want to do
32:40
is bring it together.
32:45
All right, now, again,
32:49
I'm not saying benefits don't exist if you don't track them.
32:52
But if you don't track them and if you don't shout them from the rooftops, so to speak,
33:00
you don't get credit for it.
33:01
And I'm not being, you know,
33:04
juvenile. I'm not saying, you know, I want credit. I want my name on that employee of the month plaque or whatever. But again, it's about sustaining our department. It's about credibility for our department. It's about support for our department. It's about listening to us when we have needs. If we can show
33:23
that we
33:24
deliver value to the company, we get to stick around, and that's really important, right?
33:31
All right, So
33:35
how do we demonstrate that by meeting our objectives
33:38
and
33:39
by having your objectives tied to business?
33:43
Okay. So because we've met our objectives, we can demonstrate we have enabled the business to perform in some way that they weren't able to earlier.
33:54
All right,
33:57
so
33:58
when you're developing systems. So we're thinking about this from an IT investment standpoint, and we're maybe doing software development or system development.
34:08
There's some best practices guidelines. Now I've got to tell you the truth. I almost feel like I can't even say "align with business objectives" anymore.
34:17
You know, if you've ever played kind of those drinking games where every time somebody says a word, you've got to take a shot,
34:24
if we did that with this class and every time we said "align with business goals," I think all of us would be a little tipsy by now.
34:34
But, man, that's the theme of this, and it's so different than how IT has been approached for so long. IT has been about fixing computers. IT has been about focusing in the basement. What's going on? What do I need to do to keep the systems running? That's not important.
34:52
That doesn't matter one bit,
34:55
except as how it satisfies the business.
35:00
Okay, so step: make sure you're in alignment with business goals. Yep, that. All right, and then ask, how can this system or software change the landscape?
35:13
What is this element going to do?
35:15
Leveraging strengths of existing systems. So many times we think, oh, let's buy a new device. Let me tell you, there are a lot of systems that are in place that are being underutilized. You know, that's one of the things that I think about a lot.
35:31
I'm a football fan,
35:34
and to me it seems like every other week some team wants a brand new stadium.
35:39
How many stadiums do you need? You know, a different stadium for your baseball team. For your football team. We need this huge arena for a basketball team. We need a huge arena for a hockey team. Is there some overlap there? It makes no sense to me to have this massive stadium,
36:00
whether it's 20 years old or not, and say, Okay, we're done with that.
36:04
We're gonna move over here now
36:06
and you see it in buildings all the time. You know, you see a grocery store that closes down, and that building sits there, vacant and right across the street.
36:15
Somebody comes in and builds a brand new grocery store. Well, it's just so amazingly wasteful,
36:22
right, and it cuts back on value.
36:24
What can we do with what's already in place? And when we look at cost benefit analysis, do we actually have a higher benefit cost ratio by using existing systems? Or would we be better off with purchasing new systems?
36:39
Right. I'm not saying that you duct tape your 486 computer and run Windows NT on it,
36:46
but
36:49
in IT, we do tend to like to spend the money on new technology. I'm as guilty as anybody. But we've gotta look at what's already in place.
36:59
What is the simplest combination that we can implement?
37:04
Um, I don't know if you've heard of Occam's razor. Occam's razor just essentially says, with everything being equal,
37:12
the best solution is the easiest solution.
37:15
It's easy to incorporate. It's easy to understand. It doesn't throw everybody off course. It's not difficult to learn. So what can we do in the minimum
37:29
to accomplish the results that we need rather than just revamping everything? Don't throw the baby out with the bathwater, we've heard. I'm just full of expressions today. I don't know why, but you know again,
37:42
what's in place, and what are some small changes we can make that will yield big results? Because many times
37:50
that happens,
37:52
make sure that we have flexibility built in, scalability built in, because things change: our threat landscape changes, the needs will change.
38:05
Um,
38:06
you know, some people mistakenly think that complexity adds security or adds benefit just by the nature of being complex. It's actually the opposite. You know, many times we hear the KISS principle, keep it simple, silly, or whatever you hear that last S standing for.
38:24
Um, make sure that with projects
58:30
we don't try to do the same failed thing again. And remember, we talked about how the past doesn't teach us something unless we reflect on it.
38:42
So that's why for failed projects and successful projects, we need to conduct those postmortems, lessons learned, and have documentation. This project failed.
38:55
Why?
38:57
You know, going back, hindsight's 20/20 in a lot of cases. So we go back and we examine what caused this project to fail. What were the things we did wrong?
39:07
Because I certainly don't want to undertake a project with the same problems.
39:10
A vendor that was unreliable, hardware that was incompatible with certain types of software, not having the skill in house. Those are the things we need to know so that we don't just try to do it again.
39:23
We learned from our mistakes,
39:28
all right, So ultimately, this chapter on benefits realization is wrapping up
39:35
sound investment, project management and project oversight.
39:39
Choose investments wisely. IT endeavors. Choose them wisely,
39:45
manage them tightly for success
39:47
and oversee implementation and execution.
39:52
Business case starts that process,
39:57
and we want to make sure that there's accountability. Hence the selection of a project manager and a project management team.
40:04
And these were the ways that we can accomplish benefits realization.
40:09
All right, questions or thoughts there. Everybody's been so very quiet.
40:15
Anybody have any questions before we go into review
40:29
questions, questions, questions, thoughts or questions?
40:37
All right, well, let's go through some review questions and kind of talk about these from an ISACA standpoint and see the type of questions that could be perhaps testable.
40:49
All right, so the sample question: the primary benefit
40:53
of managing IT-enabled investments using investment management practices.
41:00
What is the primary benefit?
41:04
Is it to enable decision making about discretionary and non-discretionary investments? That's A.
41:10
is it about optimizing the value of the investments?
41:15
Is it to avoid
41:17
getting into risky investments?
41:21
Or is it to realize investment benefits?
41:24
Now you've got a couple that are pretty comparable, right? Optimized the value of investments, realize investment benefits.
41:32
Okay, so I think that's something you'll find that's indicative of questions on the exam too. You can probably get out: you don't necessarily avoid getting into risky investments; sometimes that's your company's drive,
41:46
and we're not worried so much about discretionary and non-discretionary investments; we're thinking about value delivery,
41:55
so
41:57
optimizing the value of the investments. Okay, so when we talk about using investment management practices, we want to squeeze every last drop out of investments. We'll really realize the benefits,
42:14
but where we will realize more benefits
42:16
through optimization. If that makes sense, both B and D are correct.
42:22
B is the more correct answer
42:25
because B says we're going to get the maximum value
42:30
D says
42:32
we're gonna get a return, but B says we're gonna optimize.
42:37
All right. The best use of a business case for IT-related investments is
42:45
to use it as a static document supporting initial justification of the investment,
42:52
a measure of financial performance of the investment.
42:57
It's a strategic document used over the life of the investment
43:01
or to use it as a checklist to monitor business outcomes of the investment.
43:08
Okay,
43:13
And the answer there is, it should be a strategic document used throughout the life of the investment. Absolutely. Lance, thanks for that comment. Optimization is important,
43:24
but you gotta have the right mix of investments, right? You've gotta have the right portfolio, and you're exactly right. And that's why portfolio management is such a big part of benefits realization. Because if you're not managing your portfolio, you're not gonna be realizing the benefits that you could be.
43:45
all right
43:46
After conducting a project performance evaluation, early project cancellation is a best practice because it
43:57
mitigates against project failure.
44:00
Preventing failing projects from continuing towards their eventual outcome
44:05
recovers the budgeted investment funds
44:09
it encourages only the most profitable projects to survive,
44:15
and it implies a strict level of business case development
44:19
in decision making.
44:21
All right, So after we conduct a project performance evaluation,
44:27
what would be the most legitimate reason to cancel that project?
44:32
What's the one that makes the biggest difference?
44:37
Well, why do I cancel a project? It's just not working. And I don't want to keep throwing good money after bad if we know that we're headed towards disaster, right? If I see I'm getting ready to drive into a mountain, I don't keep my foot on the gas. I make corrections. So
44:53
we don't want to keep going towards an eventual outcome of failure.
45:01
All right,
45:04
great.
45:05
That takes us all the way up to Chapter four, which is optimization of risks or risk optimization. And we need to take a short break before we can move on into this chapter. But we probably won't finish risks up
45:21
today; we'll probably get maybe a quarter of the way or halfway through risks.
45:25
And then we'll pick those up on Tuesday of next week. But we're definitely going to get into risk optimization. Risk management's a huge part of what we do in governance. All right,
45:37
See you in just a few minutes.
45:44
All right, everybody, welcome back. Welcome back. And as promised, we're going to go ahead and move into Chapter four, risk optimization. Without further ado, let's go ahead and see what we're looking at now.
45:59
ISACA has what's referred to as the IT risk management lifecycle.
46:05
And of course, since ISACA has developed this certification, you can imagine that they'll be using the IT risk management lifecycle. This is also the same life cycle that essentially the CRISC exam is based on. This comes up in the CISM exam, so if you have sat through those classes, you'll see the overlap because
46:24
ISACA essentially says, look,
46:27
there are four stages to risk management. You start out by identifying your risk, then you assess those risks. Assessment could also be called analysis, by the way.
46:37
You mitigate the risks, then you monitor and control, and then you start all the way back over because you're never done with risk management. So four stages: identify risks, assess, mitigate and monitor.
46:52
Now, first off, though, we've got to get some definitions down. Just make sure that we have definitions as ISACA would have us. So with risk,
47:02
risk is the probability. I'm sorry. It's a combination of the probability and impact of an unknown event.
47:12
Okay, it's unknown.
47:15
The amount of risk is the combination of probability and impact,
47:19
and we're gonna use risks
47:22
as defining adverse effects or adverse instances or events, because there are certain certification exams, there are certain documents that say, You know what, really a risk is just an unknown entity, or a risk could be a positive opportunity or a negative threat.
47:39
For this class, we're going to focus on risks having negative
47:44
impacts.
47:45
All right, so when we're trying to figure out risks,
47:50
we've got to think about the risk context. Okay, so our risk context we mentioned right before break, and we said we've got to look at the mission of the organization as a whole. What's the environment like in, you know, in relation to risks? Are we risk aggressive, or are we risk averse?
48:08
How, you know, critical are the assets that we're protecting?
48:15
How does our organization, you know, ultimately, what are the exposures that we're willing to submit ourselves to? What are the ones that we won't?
48:22
So ultimately, that's risk context. What's the risk environment within our organization? What's our perspective on risk?
48:30
All right, now then, we've got to think about assets, threats and vulnerabilities. When you think about the risk triple,
48:39
you could hear it called that, or you could hear it called the operational triple. But when we're talking about risk, you have assets, you have threats, you have vulnerabilities. And unless you have all three of those, you have no risks. So I have to have something I'm protecting.
48:57
There has to be a weakness that would allow that asset to be exploited. And then there would have to be a threat that can cause the exploit. If there is no threat, I have no risk. If there is no vulnerability, I have no risk.
49:12
And then, of course, we talk about likelihood and impact.
49:15
So
49:16
this, uh, down at the bottom, this triple bullet point: the primary focus of risk management is to reduce residual risks to an acceptable level.
49:29
That's what we're trying to do with risk management.
49:31
Okay? We're worried about fire, for instance. And if we have a fire in our building, we will suffer tremendous loss, loss of life, loss of property, loss of all sorts of things. So we don't want to have fire.
49:45
So my job is gonna be to mitigate the potential for loss, you know, based on fire.
49:52
So
49:52
I train my employees on good fire safety.
49:55
That just mitigates a little.
49:59
Right. Um, I don't store flammables by, um, uh, ignition sources. All right.
50:07
I have a disaster recovery plan that helps us evacuate with fire.
50:12
Right. I'm just mitigating a little bit right now.
50:15
All right? That's still not enough. I'm left with too much residual risk. So what do I do? I keep going. All right, now I implement sprinkler systems. Okay, that brings risks down. I, um, ah, I've still got more risk than I want. So I buy fire insurance,
50:34
and that mitigates further.
50:36
That treats the risk further, if you will. So, ultimately, the whole purpose of this is to bring risks down to a level that's acceptable By whom? Senior governance. And what is the input into that?
50:51
What are my strategic goals? Because all risks have what we call a risk utility. I wouldn't take a risk if there wasn't a payback. You wouldn't catch me in Atlantic City
51:01
putting it all on red if there wasn't a chance. There's a chance. And there's that risk utility. So we look at the risk utility in relation to our organizational strategy and their objectives, and we determine, well, how much risk are we willing to take,
51:20
and then sometimes we may decide, Okay, we're very risk averse,
51:23
but there might be a particular, um,
51:27
a particular opportunity that has a really high payoff. So we may operate outside of our risk appetite,
51:35
and we might have a different risk tolerance for specific events.
51:39
Okay,
51:40
so those definitions, just like I said: we value our assets, a vulnerability is a weakness, a threat will cause harm to your asset,
51:52
a threat agent is what causes the risk event. Could be an attacker, could be software that they use.
52:00
All right, then we have exploits when it happens, and again risk being the combination of the probability and consequence. So most folks are okay with those terms, and I just want to address a couple of other terms just to make sure we've
52:15
heard of all of them. And again that we're thinking about them in ISACA terms.
52:20
All right, So when we think about inherent risk,
52:23
there's just a certain amount of risk with getting out of bed in the morning. There is a certain amount of risk with absolutely everything that we do. So we're looking to do again
52:36
is to mitigate that inherent risk. Sometimes you'll hear inherent risk referred to as total risk,
52:43
and that's fine. Ah, but basically it's the amount of risk that exists before you mitigate.
52:50
All right, now, after I mitigate, what's left over is residual risk. And if residual risk is still too high, then I keep mitigating, mitigating, mitigating and bring it down. Bring it down. Bring it down.
53:02
All right, and then there are secondary risks, and secondary risks are trouble, and secondary risks are frequently caused by a lack of foresight, where we just don't play the situation through.
53:17
And we wind up with being in a position that
53:23
the risk solution caused an entirely separate risk event.
53:29
Probably the most tragic instance that I've seen with that was with, after the events of September 11th,
53:37
we decided, Well, we need to make cockpit doors on airplanes impenetrable, right? We can't let the bad guys get into the airplanes. Well, the problem with that is, if we make the cockpit doors impenetrable,
53:52
well, then all of a sudden, not only are they unavailable to the bad guys, but they're also unavailable to the good guys as well.
54:00
So what happened was there was a pilot who was having clearly some mental health issues
54:07
and what happened was he waited till the pilot... He was a co-pilot. He waited until the pilot left the cockpit to go to the restroom. And when the pilot was gone, he barricaded himself into the cockpit and essentially crashed the plane.
54:22
So we've got to be very mindful of the fact that we may solve one problem just to cause another,
54:29
and that tells us that we're not thinking comprehensively enough. You know, I don't know if you've ever had patches cause more problems than they were designed to fix, right? You patch a system, and the next thing you know, it just reboots over and over, or whatever that may be. That's secondary risk.
54:47
And after we get burned by that, we've got to get a bigger risk strategy.
54:52
All right, risk appetite versus risk tolerance.
54:57
So risk appetite again. Governance determines risk appetite. Are we risk seeking? Are we risk neutral, or are we risk averse? So ultimately, what we're looking at is, um,
55:12
you know, what's our general approach? What's our philosophy in relation to risk?
55:16
So we may be a very risk averse organization, but again, if the payoff is high enough, we might say, All right, we're gonna tolerate a little more risk for this endeavor because that risk utility is so high,
55:30
right? We're gonna be willing to gamble a little bit more because we think that it is gonna pay off for us.
55:38
So the risk tolerance is a deviation from the standard risk appetite that essentially is gonna indicate. All right, we're looking at this particular endeavor a little bit differently than our overall risk appetite.
55:53
All right, risk threshold. That's that cut off point. What is the limit that you're not
56:00
allowing yourself to go past? So even though I may have a higher tolerance for a specific risk event, there's still a point of loss that I will cross.
56:10
All right,
56:13
I go to Vegas, Atlantic City.
56:15
I don't spend much money at all in slot machines. I don't have a lot of faith in slot machines, that I mean, I won't play them,
56:22
but you know, so I'm fairly risk aggressive when it comes to gambling. Nothing ventured, nothing gained. Can't win if you don't play.
56:30
So I'm fairly risk seeking. But my tolerance for loss with slot machines is very low. I might lose 20 bucks, and nope, I'm done right now.
56:44
Overall, at the facility, I can't lose any more than $200,
56:49
right? That is my risk threshold. So my tolerance here is fine, my tolerance there is fine. But overall, you know, I take $200 cash into the casino with me, and that's the point where I leave.
57:04
That's the point where I leave to go back to my car to get my ATM card so I can get more cash.
57:10
I should stay out of casinos. I really should.
57:14
All right now,
57:16
the response to risks. Sometimes you'll hear the term risk treatment, and risk treatment's what we do about the risk. And usually we treat risks by implementing controls.
57:29
So we have proactive controls. We have reactive controls, and ultimately what we're doing is we're putting mechanisms in place to manage those risks. So
57:43
I have some dogs.
57:45
I don't know if you guys knew that I have four,
57:47
four dogs,
57:49
three Boston terriers and a pug, and they're so quiet. They've been here at my feet all morning long, and then all of a sudden a door opens and craziness. So sorry about that. All right, so, uh, controls. They could be proactive controls: firewalls, policies like separation of duties.
58:07
They could be reactive controls, like termination of employees, or corrective controls, restorative controls,
58:15
whatever, but the controls are mechanisms that we put in place to manage risks, to protect our assets.
58:25
All right. So
58:28
because this is a course on governance, we've got to think in terms of risk governance.
58:32
So risk governance. Governance, always senior management, right? So their job is to set the risk appetite. What is our philosophy and our overall big picture approach to risk?
58:47
and with governance, establish and maintain a common risk view.
58:53
So throughout the organization, we understand
58:58
that we use risk management when we're making our decisions. We understand the organizational philosophy to risk. We understand what processes are necessary
59:07
to do a competent risk assessment.
59:12
What risk treatment options we have.
59:15
Um,
59:15
what our risk context is, what our tolerance limits are. We throughout the organization have to understand
59:24
the company's risk view. We have to be in alignment.
59:29
And then this piece of integrating risk management into the enterprise. I'm sure we're hearing the term enterprise risk management more and more and more. It's no longer IT risk management. It's enterprise risk management, because IT risks are enterprise risks.
59:47
So what we want to do is we want to incorporate
59:50
all of this into our enterprise. We choose a risk management framework we build to meet that framework and ideally, our goal being to mitigate risks to the degree that's acceptable. And we do that through planning. We do that through treatment.
60:08
We do that through proactive changes. We do that through Gap analysis,
60:13
but all of these pieces, ultimately we're trying to get risks minimized to a level that's acceptable,
60:22
and making risk-aware business decisions. Let's stop making business decisions on ideas like, Well, if it ain't broke, don't fix it. Just because it hasn't been broken yet doesn't mean we're not right on the verge.
60:37
You know, there are some organizations that still have WEP,
60:42
Wired Equivalent Privacy, which is a train wreck for wireless security. It's a disaster.
60:46
Why in the world would people still be running it? Because if it ain't broke, don't fix it.
60:52
That sort of logic leads us into trouble, and what we're really saying is, Well, let's just wait till we have a huge compromise. Then we'll think about doing something different.
61:02
Thank you,
61:04
Woods. Like we have to have that stop sign at the intersection only after we have a wreck.
61:09
Okay, so if it ain't broke, don't fix it.
61:14
Should be replaced by a yearly evaluation. What am I protecting? What's it worth?
61:20
What are the current threats? What are the current vulnerabilities? What's a current acceptable solution to bring the risk down to an acceptable level? And if that control that we have in place no longer brings risk down to an acceptable level, we get rid of that control and we replace it,
61:37
or we modify our existing control to the degree that it does bring risk down.
61:44
That's a whole lot better approach than
61:47
if it ain't broke, it's probably still good.
61:51
Okay, um,
61:52
Other decisions are made based on, Nobody's ever gonna get on board with that. People hate change here. Well, we just won't be able to get buy-in, so let's just let that idea go. Well, I understand that. I've certainly been in organizations where it's very hard to get buy-in. That doesn't mean we don't conduct our risk analysis
62:13
and share the information that we've learned through risk assessment report with senior management.
62:19
Okay, we can't
62:21
always
62:22
authorize the changes that we feel should be made. We have to prioritize, but we analyze and we get that deeper understanding. That's all part of due diligence,
62:35
and
62:36
not only those pieces, but governance provides oversight.
62:39
So the controls that were determined did they ever get implemented?
62:45
Are they working? Are they meeting their objectives? Are they doing what they're supposed to be?
62:51
Right. So risk governance is responsible for the upper level for the oversight.
62:59
We want to make sure everybody in the organization has the same risk view. I want that integrated throughout the enterprise, I want it incorporated into all business decisions, and we wanna constantly monitor and maintain.
63:14
All right now, the next slide talks about that term. I keep bringing up risk context, the context of I t risk management. So it really is how your organization deals with risk
63:29
and the type of environment in which your organization exists. So if we're in a military environment, we're dealing with very high value assets we're dealing with human life. We're dealing with national security,
63:43
right? So that risk context is unlike just about any other environment I can think of in the medical field. You're dealing with patients and healthcare information and things that might make a decision between life or death.
63:55
Okay, that has very high value.
63:59
So we first look at our assets, then we think about Well,
64:04
what sort of threats are out there
64:08
who would benefit from harming our assets?
64:12
Miscellaneous hackers. Could it be state sponsored terrorism? Could it be hacktivists? Could it be, you know, malicious insiders. We think about the threats,
64:23
and we have to think about what the vulnerabilities are.
64:28
So ultimately, that's where we start with risk management, assets, threats and vulnerabilities.
64:33
Right. And there are many things that can change
64:36
the context in which we operate.
64:40
Okay, sometimes we also talk about our risk profile, and the risk profile is the amount of risk to which we're exposed.
64:48
Okay, so we've already implemented our risk management strategy. We've got mechanisms in place. You're never gonna get rid of risks. There's always gonna be a degree of exposure.
64:59
All right, but my risk profile's where I like it. I'm within acceptable limits.
65:03
So what are things that might change
65:06
to make my risk profile change? Well,
65:11
new threats on the horizon,
65:13
a vulnerability that gets detected,
65:15
um, shifting environment,
65:18
change of staff, change of personnel. You know, all those things could impact my risk profile.
65:25
So
65:26
all of that needs to be evaluated,
65:30
all right. And that takes us up to once again just a reference of ISACA's risk management lifecycle. Knowing it's a cyclical process, it's based on identify risks, determine the value, treat them
65:49
and then continue to monitor.
65:51
So when we talk about risk identification, we're identifying assets, threats, vulnerabilities,
65:59
assets, threats, vulnerabilities?
66:01
When we go to risk assessment, that can also be called risk analysis. It's about getting a value. What's the potential for loss?
66:12
When we move to response and mitigation, that's about risk treatment. What will we do about our risks?
66:17
And then risk monitoring and control. We keep an eye on them.
66:20
How do risk profiles differ between programs and projects?
66:27
Um, that's a great question.
66:30
And when we're looking at that, because programs tend to be much larger scale, there's more at stake with a program failing. Usually a program is, ah, a collection of projects that we manage together,
66:47
so I can have a project fail.
66:49
But when I have a program fail, the indication is that I have a series of project fails. So usually the failure, usually the risk is greater. We're exposed to more risk because we have more moving pieces. Each individual project has risks, and they're all rolled up into the portfolio.
67:10
And so the idea is projects are risky,
67:14
programs are even riskier, and then portfolios, because so many things can bring down the value of your portfolio.
67:23
You know, it's almost like, you know, step, step, step: portfolio, programs and projects. I hope that answers your question,
67:36
and just curious if anybody else has questions, if anybody else wants to throw out a comment or ask a question.
67:45
Ah, we're pretty close. I think we're at a good point for stopping, because what that will do is that it will allow us on Tuesday to pick up with risk identification, which is, of course, the first step in ISACA's risk management,
67:57
ah, IT risk management.
68:00
so questions, thoughts, concerns,
68:03
hopes, dreams, fears,
68:06
what you got,
68:10
and I do want to remind you, sometimes after class you think, I wish I'd asked that. I am available on Friday. We do an Ask Kelly Anything session at 8:30 in the morning, Eastern Standard Time, and at 2 p.m. And that's just kind of a place where we can come in and talk about IT questions in general,
68:29
Ah, or specific to any of the classes that I teach.
68:30
And if I don't have an answer for you, I can find one out. So if there are no further questions today, we'll kind of wrap things up, knowing that Tuesday we'll come in with risk identification. Then we'll move to risk assessment, risk mitigation and then risk monitoring and control.
68:47
All right, I hope you have a great afternoon. Go out there and avoid all those risks associated with life on the Beltway or on the highways and byways, wherever you are. And I look forward to seeing you. Oh, wait, wait, wait. Don't wanna lose. Don't want to leave you, Bashar.
69:05
The CGEIT exam requires detailed learning of different frameworks?
69:10
It depends on what you mean by detail. You certainly ought to be able to summarize ISO 61,000. Um, NIST 800-34. We'll cover those, though, so don't feel like we've skipped that. We're gonna cover those.
69:27
And basically, governance is due care while management is due diligence.
69:32
You know what? I would almost flip those, Lance. Because when I think about due diligence, I think about doing the research. Are we? Do we know what we're doing? Are we doing the right things? So due diligence is research. Due care is action. So once governance knows what needs to be done,
69:50
they hand it off to management to figure out how to do it
69:54
and then to document the fact that they have done it. So I think that's almost flipped.
70:01
What?
70:15
All right. So I hope you guys have a great afternoon. Like I said, I'll be here on Friday, Which gosh is tomorrow? This week is formed by at 8:30 a.m. And at 2 p.m. So come visit me. So I'm not here lonely. And if you come into the chat room for the question and answer session,
70:33
if you don't ask questions and it's silent in that chat room, I will start telling bad jokes.
70:41
That will be your punishment for coming into the chat room and not asking questions. So be forewarned. It's happened before; it could happen again. All right, guys, hope you have a great afternoon. Really enjoyed today's session. I hope that you did. And I hope that this brings you closer to your goals of doing well on the CGEIT exam.
71:00
I will see you on Tuesday, same bat time, same bat channel.
71:04
Have a great afternoon.

Certified in the Governance of Enterprise IT (CGEIT)

This course is designed to be a supplementary resource to the preparation for the CGEIT certification exam. CGEIT certification consists of professional knowledge and application of enterprise IT governance principles and practices.

Instructed By

Kelly Handerhan
Senior Instructor