08/04/2023 Bruno Claudepierre 2
Course goals
• Understand core concepts of IT governance
• Situate IT governance within an organization
• Identify the interface between IT governance and EA
• Develop academic culture
Course content
• What is IT governance?
– Corporate governance & subsystems
– IT governance goals
– Frameworks
• Academic & research challenges
– IT governance and IS engineering
Course scheduling
• Thursday 23rd February
– Morning: Course introduction & academic presentation
– Afternoon: project session
• Friday 26th February
– Morning: project session
– Afternoon: presentation session
IT GOVERNANCE
Historical background and concepts
History
• Corporate Governance
– 1992 – Report of the Committee on the Financial Aspects of Corporate Governance – Cadbury commission (UK)
– 1994 – Guidelines of improved Corporate Governance (Canada)
– 1994 – Principles of Corporate Governance (USA)
– 1995 – Vienot report on Corporate Governance (France)
– 2001 – Nouvelle loi de Régulation Financière (France)
– 2002 – Sarbanes-Oxley Act, SOX (USA)
– 2003 – Loi de Sécurité Financière (France)
– 2004 – Principles of Corporate Governance (OECD)
Acts, laws & compliance
• Act
– A bill which has passed through the various legislative steps required for it and which has become law.
• Law
– "A rule of conduct prescribed by the supreme power in a state, commanding what is right and prohibiting what is wrong." W. Blackstone
• Compliance
– The state of being in accordance with the relevant state authorities and their requirements (i.e. the law).
Acts, laws & compliance
• SOX requirements
– Sec. 103. Auditing, quality control, and independence standards and rules.
– Sec. 302. Corporate responsibility for financial reports.
  • CEO & Officers make a review and sign the financial report.
– Sec. 404. Management assessment of internal controls.
– Sec. 906. Corporate responsibility for financial reports.
Informatics & companies
• IT Business Foundation principles
[Diagram labels: Information Technology, Finance, Activity, Competence, Knowledge, Resources, Processes, Products and services, Support, Value creation]
Concept
• Definition (Managerial discipline)
– Information Technology Governance (IT Governance) is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.
[Diagram labels: Corporate governance, IT governance, Social governance, Financial governance]
Concept
• Other definitions
– “the organisational capacity exercised by the Board, Executive Management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT” (Van Grembergen, 2002)
– “IT governance is the responsibility of the Board of Directors and Executive Management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives” (ITGI)
– “Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT.” (Weill and Ross, 2004)
– “Activity that aims at regulating and optimizing the IS management of an organization. It is generally performed under the responsibility of the Chief Information Officer.” (Claudepierre, 2009)
Concept
[Diagram labels: Organization, External context, Law & Act, SOX, LSF, COSO, COBIT, Risk management, Control, Corporate Governance, IT governance, Management, CIO, Rules, Risk, Control, Compliance, Goals, Reporting]
From IT governance to IS
[Diagram labels. Levels: Strategic level, Tactical/Operational level. IT governance themes: Alignment, Management, Resources, Risk, Performance, Control, Value, Maturity. IT components: Support, Network, Systems, Infrastructure, Service, Project, Security. Actors: IT Governance, CIO, IT department chief, Other department chiefs. Flows: Needs, Services, Information, Goals]
Zachman Framework
[Figure: ENTERPRISE ARCHITECTURE - A FRAMEWORK. Source: John A. Zachman, Zachman International]
Columns: DATA (What), FUNCTION (How), NETWORK (Where), PEOPLE (Who), TIME (When), MOTIVATION (Why)
Rows, with the example given for each column:
• SCOPE (CONTEXTUAL), Planner: List of Things Important to the Business; List of Processes the Business Performs; List of Locations in which the Business Operates; List of Organizations Important to the Business; List of Events Significant to the Business; List of Business Goals/Strat
• ENTERPRISE MODEL (CONCEPTUAL), Owner: Semantic Model; Business Process Model; Business Logistics System; Work Flow Model; Master Schedule; Business Plan
• SYSTEM MODEL (LOGICAL), Designer: Logical Data Model; Application Architecture; Distributed System Architecture; Human Interface Architecture; Processing Structure; Business Rule Model
• TECHNOLOGY MODEL (PHYSICAL), Builder: Physical Data Model; System Design; Technology Architecture; Presentation Architecture; Control Structure; Rule Design
• DETAILED REPRESENTATIONS (OUT-OF-CONTEXT), Sub-Contractor: Data Definition; Program; Network Architecture; Security Architecture; Timing Definition; Rule Specification
• FUNCTIONING ENTERPRISE: DATA; FUNCTION; NETWORK; ORGANIZATION; SCHEDULE; STRATEGY
STRATEGIC GOALS FOR IT GOVERNANCE
Strategic alignment
• Strategic Alignment is related to the concept of strategic fit, introduced by Michael Porter (1980).
• Kaplan and Norton (2006) define strategic fit as internal consistency of the activities that implement the differentiating components of a strategy. Strategic fit exists when the network of internal performance drivers is consistent and aligned with the firm's desired customer and financial outcomes
Porter’s value chain
[Diagram labels: Business activities, Support activities]
Source: http://www.learnmarketing.net/valuechain.htm
Porter’s value chain
• Inbound logistics: Refers to goods being obtained from the organization's suppliers.
• Operations: The raw materials and goods obtained are manufactured into the final product (Added value).
• Outbound logistics: Once the products have been manufactured they are ready to be distributed.
• Marketing and Sales: Marketing must make sure that the product is targeted towards the correct customer group.
• Services: After the product/service has been sold, what support services does the organization have to offer?
[Diagram labels: Suppliers, Production (Added value), Distribution & services, Customers]
Porter’s value chain
• Procurement: This department is responsible for sourcing raw materials for the best price and best quality.
• Technology development: The use of technology to obtain a competitive advantage within the organization. Technology can be used in production to reduce cost and thus add value, or in R&D to develop new products, or via the use of the Internet so customers have access to online facilities.
• Human resource management: The organization will have to recruit, train and develop the correct people (knowledge & competences) for the organization.
• Firm infrastructure: Every organization needs to ensure that its finances, legal structure and management structure work efficiently and help drive the organization forward.
[Diagram labels: Suppliers, Production (Added value), Distribution & services, Customers, IT (repeated five times)]
Balanced scorecard
• Monitoring organization performance against strategic goals
• Shortcoming of the traditional financial approach:
– “The balanced scorecard retains traditional financial measures. But financial measures tell the story of past events, an adequate story for industrial age companies for which investments in long-term capabilities and customer relationships were not critical for success. These financial measures are inadequate, however, for guiding and evaluating the journey that information age companies must make to create future value through investment in customers, suppliers, employees, processes, technology, and innovation.” (Kaplan & Norton)
• BSC proposes 4 analysis axes
– Customer: What are the customer needs?
– Financial: How to satisfy shareholders' appetite?
– Key process: What are the processes essential for value creation?
– Learning & growth: Knowledge & evolving capacity of the organization (human centric aspect)
Business alignment
• Business/IT alignment is a desired state in which a business organization is able to use information technology (IT) effectively to achieve business objectives - typically improved financial performance or marketplace competitiveness. Some definitions focus more on outcomes (the ability of IT to produce business value) than means (the harmony between IT and business decision-makers within the organizations)
[Diagram: alignment link (fit) between Business & activities and the IT domain. Labels: Product, Process, People, Location, Data, Software, Interface, Delivery]
Strategic & Business alignment
[Diagram labels: Strategy (BSC), Value Chain, IT, Reporting, Business process, Support, Information system, IT steerage]
Responsibility & decision owner
• “IT governance is not about what specific decisions are made. That is management. Rather, governance is about systematically determining who makes each type of decision (a decision right), who has input to a decision (an input right) and how these people (or groups) are held accountable for their role. Good IT governance draws on corporate governance principles to manage and use IT to achieve corporate performance goals.” Peter Weill (MIT)
• Necessity to structure the decision-making system with:
– Decision role
– Responsibility
– Organizational rules
Responsibility & decision owner
• IT governance council
– Responsible for compliance with laws and regulations (SOX, LSF…)
– Define IT strategic goals with respect to corporate strategic goals and technological risk limitation
– Responsible for IT accountability and report to shareholders
– Name the members of the IT governance committee
– Audit decision
• IT governance committee
– Manage & conduct audit
– Report to the IT governance council
– Control and manage assets
– Manage alignment and maturity
– Coordinate workgroups
– Evaluate conformity and compliance process
– Prioritize projects (PPM)
Responsibility & decision owner
• IT accountability
– Refers to the ability of the IT governance council to ensure IT controls and report results to investors and shareholders.
[Diagram labels: Shareholders, Stock exchange, IT governance council, IT governance committee, HIC Audit, SIC Audit, needs, goals, results, reporting, Accountancy]
Responsibility & decision owner
• Project Portfolio Management (PPM)
– A project is allocated to a portfolio (a set of projects)
– A project can be in the following states:
  • Designed, in progress, completed, canceled
– How many resources to allocate to a project?
– KPI and KGI help decision makers in allocating resources and prioritizing projects within a portfolio
– Control process over the projects
[Diagram: Deming’s wheel of improvement: Plan, Do, Check, Act]
Resource management
• Ensure the execution of IT activities by creating, maintaining, allocating or dismissing IT resources
• Resource typology
– Information
– Hardware, or IT infrastructure. Refers to technological support: servers, network, firewall, reverse proxy, DMZ…
– Software, or IT architecture. Refers to applicative components: business software, ERP, Intranet, Website…
– People
Information
• Information Quality (IQ)
– Intrinsic IQ:
  • Accuracy, the closeness to the true value seen as the degree of agreement of readings or of calculated values.
  • Objectivity, Believability or credibility
  • Reputation or Integrity
– Contextual IQ:
  • Relevancy or information retrieval
  • Timeliness refers to information that is current at the time of publication
  • Completeness or knowledgeable granularity
– Representational IQ:
  • Interpretability, Ease of understanding, Concise representation, Consistent representation
– Accessibility IQ:
  • Accessibility: ability to access information and services
  • Access security
Hardware & Software
• EA and resource management
[Diagram labels. As-Is: Business Architecture, Data Architecture, Applications Architecture, Technology Architecture. To-Be: Business Architecture, Data Architecture, Applications Architecture, Technology Architecture. Between them: Transitional Process, Standards, Drivers, Strategic Direction. Models: Contextual, Conceptual, Logical, Physical, As Built, Functioning, each with Why, Who, When, Where, What, How. Adapted from “Federal Enterprise Architecture Framework”]
People
• IT personnel
– Developers, managers, architects
– Knowledge and competences
– Internal vs external
– Security access (logical and physical)
• Workgroup structure
Manage the Risk
• ISO standard ISO 31000:2009 provides guidelines for risk management implementation.
• The US Sarbanes-Oxley Act:
– mandated the adoption of an appropriate system of internal control, and
– requires directors to monitor and report operational risk
Manage the Risk
• Derivation of risk based on goals analysis
• Evaluate the risk by enacting control process
• Decide (or choose) the adequate action to perform
[Diagram labels: Goals, Identify risk, Evaluate risk, Decide, Actions]
Source of Risk
• Human
– Error, Internal fraud and Criminal activity (terrorism, hacking…)
• Technology
– Software infrastructure component
– Hardware infrastructure component
– Informational agent
• Business
– Production, Process structures & Information
• Natural
– Disaster: flood, lightning, heat & frost…
[Risk process step: Identify risk]
Impact of risky events
• IT infrastructure and network security
– arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on
• Data integrity, confidentiality and privacy
– arising from regulatory and market pressure around protecting personal data (e.g. data protection legislation) and corporate data (e.g. fair disclosure regulations), as well as financial and operational data (e.g. Sarbanes Oxley)
• Business continuity
– arising from concerns about the capability to continue in business after a natural or man-made disaster
• IT management
– arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.
Risk classification matrix
• Risk evaluation over a 1 to 100 scale
• 3 or 5 degrees of impact (e.g. with 3 degrees)
– Low: 0 to 10 points
– Medium: 11 to 50 points
– High: 51 to 100 points
Probability \ Impact | Low risk (10) | Medium risk (50) | High risk (100)
Low (0.1) | 0.1 x 10 = 1 | 0.1 x 50 = 5 | 0.1 x 100 = 10
Medium (0.5) | 0.5 x 10 = 5 | 0.5 x 50 = 25 | 0.5 x 100 = 50
High (1.0) | 1.0 x 10 = 10 | 1.0 x 50 = 50 | 1.0 x 100 = 100
[Risk process step: Evaluate risk]
Risk limitation
• Avoidance
– Avoid the possibility of risky event
– Software configuration
• Protection
– Anticipate risky event
– E.g. antivirus, firewall, DMZ
• Risk treatment
– In case of risky event occurrence
– Risk management planning: include documentation, knowledge, risk evaluation and control.
– Emergency plan, Crisis plan and restoration
• Risk transfer
– Risk management is transferred to a competent person
– Internal transfer (e.g. CSO)
– External transfer
[Risk process step: Actions]
Performance management
• What is IT Performance management?
– refers to the monitoring and measurement of relevant metrics to assess the performance of IT resources
• Management level
– Monitoring of project portfolio
– Expenditure of capital and human resources in IT projects
• Operational level
– Monitoring of IT components (servers, databases, software, services)
– Monitoring of processes (BAM) using SLA indicators
Performance Management
[Diagram labels: Database, Web sites, ERP, CRM, Others, META DATA, Extract Transform and Load, DATA MINING, Analysis, Performance impact, Decision]
Evaluation & control
[Diagram: audit methodology. Labels: Audit goals, Evaluation process, Conclusions, Recommendations, IT governance committee, ROI, SLA]
Audit process is customized for each IT component to control: Support, Network, Systems, Infrastructure, Service, Project, Security
Value - TCO
• Total Cost of Ownership (TCO)
– “A financial estimate. Its purpose is to help consumers and enterprise managers determine direct and indirect costs of a product or system. It is a management accounting concept that can be used in full cost accounting or even Ecological economics where it includes social costs” – Wikipedia
– IT costs:
  • Hardware & Software
  • Operational expenses
  • Long-term expenses
Value - TCO
Hardware and Software
• Network
• Server
• Workstation
• Installation and integration
• Purchasing research
• Warranties and licenses
• License tracking - compliance
• Other migration expenses
• Risks: susceptibility to vulnerabilities, availability of upgrades, patches and future licensing policies, etc.
Operation expenses
• Infrastructure (floor space)
• Electricity
• Testing costs
• Downtime, outage and failure
• Diminished performance
• Security
• Backup and recovery process
• Technology training
• Audit (internal and external)
• Insurance
• IT related personnel
• Corporate Level Management
Long term expenses
• Replacement
• Future upgrade or scalability expenses
• Decommissioning
[Diagram axis label: time]
Value - TBO
• Total Benefit of Ownership
– The TBO tries to summarize positive effects on acquisition of new IT components.
[Diagram: TCO / TBO indicator. TCO: Direct cost, Indirect cost. TBO: Direct benefit, Indirect benefit]
Value - TRO
• Total Risk of Ownership
– Indicator of risk value: takes into account direct risks such as cost and data integrity, and indirect risks such as business impact over production…
Value - GITV
• Global IT Value (GITV)
GITV = (TBO - TCO) / TRO
With stabilized TBO and TCO:
[Diagram labels: TRO, GITV]
IT GOVERNANCE FRAMEWORKS
ERM Framework
• Enterprise Risk Management Framework
• History
– 1992: Internal Control – integrated FW (COSO1)
– 2004: Enterprise Risk Management – integrated FW (COSO2)
• Framework goals
– Risk control objective
– Compliance with regulation
– Accountability
• Structure
– 3 strategic goals
– 8 risk management domains
– N organizational processes
COBIT
• Control Objectives for I & T
• History
– 1967: ISACA
– 1994: COBIT V1
– 1998: COBIT V2
– 2001: COBIT V3
– 2003: IT Control Objectives for SOX
– 2005: COBIT V5
• Framework goals
– IT resources evaluation
– Control and audit
• Structure
– 34 IT processes & 34 high control objectives
– 318 control objectives
– Maturity model (CMMi based evaluation scale)
ITIL
• IT Infrastructure Library
• History
– 80s: Best practices edited by the Central Computer & Telecommunication Agency under the command of the British government.
• Framework goals
– Improve quality and efficacy in service delivery
• Structure
– Method for IT service management
– 6 books: Service delivery, Service support, Business perspective, Application management, ICT infrastructure management, Planning to implement service management.
Overview
[Diagram: IT governance themes (Alignment, Management, Resources, Risk, Performance, Control, Value, Maturity) set against the frameworks COBIT, ITIL and COSO. Other label: Indirect impact]
Understand the frameworks and select the appropriate one
ACADEMIC & RESEARCH TOPICS
Research questions and goals
• What are the impacts of IT governance over engineering mechanisms?
• Problems:
– IT governance (management domain) is not formalized for engineering purposes
– Engineering methodologies do not anticipate their interface with control processes
[Diagram labels: As-is model, To-be model, Old reality, New reality, Change process model, Change process, Change definition, Legacy integration, Reverse analysis, Change implementation, Control system, Control variables, Action variables, IT governance loop (Abstract, Do, Check, Act), Engineering IS]
IT Governance
• Definition (Claudepierre et al., 2009)
– An activity that aims at regulating and optimizing the IS management of an organization.
[Diagram: three IS levels (Strategic IS, Tactical IS, Operational IS) with the related literature]
(i) Strategic planning
– (Wirtz, 2008) Value creation shareholders/stakeholders
– (Luftman et al., 2004), (Corteau et al., 2001) Strategic alignment
– (Weill, 2004), (De Haes, 2005) Decision making structure and processes
(ii) Tactical (control framework)
– (AFAI, 2002) COBIT
– (Simonsson, 2008) ITOMAT
– (Saidani et al., 2007), (Bessai et al., 2008) process (re)engineering
(iii) Measures
– (Ben Zaïda et al., 2007) Indicators
– (Kaplan et al., 1996) Balanced Score Card
Requirement modeling
[Diagram labels: Intentional process, Goals structure, Goals usage, GRAIL/KAOS, I*, MAP]
IS Engineering
[Diagram labels: Start, I1, I2, I3, Stop, As-is System, To-be System, As-is Model, To-be Model, Abstraction, Propagation, Implementation, Legacy]
• IS evolution (Jackson, 1996) Requirements integration
Research question
• Current state
– IT governance requirements are not specified in order to ensure their integration to an IS engineering process.
• How to formalize IT governance requirements to provide additional inputs to information system (re)engineering processes?
• Hypothesis
– The literature contains the description of the requirements
Modeling requirements
• Usage of the MAP meta-model
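[Diagram: example map with intentions Start, I1, I2, Stop and strategies S1, S2, S3, S4]
[Diagram: MAP meta-model. Elements: MAP, Section, Strategy, Intention, with Start and Stop as intentions. Associations: Source, Target, Use, Refines. Multiplicities shown: 0..*, 1..*, 0..1]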
Method supports
• Usage of MAP model for methodological guidelines
• Ability to support method processes for IT governance
Modeling requirements
• Identification process for MAP components
[Diagram: example map with intentions Start, I1, I2, Stop and strategies S1, S2, S3, S4]
Modeling requirements
Name: C3 - Alignment model
Type: Descriptive
[Diagram: section from Start to "Align IT and business process" with strategy S1: by modeling]
« (Align)verb (IT and BP)object by (modeling the relationship between requirements and IT and BP components)way »
[Diagram labels: Component (+Name, +Type), Section]
Modeling requirements
• Construction process overview
[Diagram labels: MAP meta-model, Instantiation, ITGIM, Universe of Discourse, Goal taxonomy, MAP component generation]
Model Risk
• Context of decision making: evolving and risky environment
• Various ways to manage risk:
– to limit the occurrence of the event by using a prevention strategy;
– to accept the risk and to put it under control;
– to categorically refuse it and to cancel projects which can potentially generate this risk.
• Known frameworks: European project CORAS, ISO 27001
[Map intention: Model risk]
Align IT and business process
• Managing project in a risky context
• Engineering an information system which is coherent with business strategies and goals
– Coevolution (Etien, 2005): modeling the linkage between the business and IS layers
– (Thevenet, 2008): modeling the linkage between strategic goals and business/IS components
• Evaluation frameworks:
– COSO
– COBIT
[Map intention: Align IT and business process]
Comply with laws
• Limitation of financial risks
– Enron/WorldCom scandals
• Sarbanes-Oxley act of 2002
– SOX – S302: CEO must personally verify the balance sheet and income statement of the organization by signing it.
• Knowing and reviewing relevant laws
[Map intention: Make IT compliant]
Generate value
• We identified two types of value:
– The external value for which the purpose of the organization is to fulfill the expectations of investors and shareholders;
– The internal value or partnership value for which the purpose of the organization is to develop synergies and improve internal performance of the organization
• Competitive advantage of complying with law
• Strategic alignment as internal value support
[Map intention: Generate value]
ITGIM overview
[Diagram: ITGIM map]
Intentions: Start, Model risk, Align IT and business process, Make IT compliant, Generate value, Stop
Strategies:
– S1 : by defining risk
– S2 : by project planning
– S1 : by modeling
– S3 : by evaluation
– S4 : by reviewing relevant laws
– S5 : by law application
– S6 : by competitive advantage
– S7 : by IT service proposal
– S8 : by failure
– S9 : by non-profit consideration
– S10 : by completeness
– S11 : by application of controls
PROJECT
Project
• Organized by teams of 2-3 students:
– Select an article
– Read and summarize it (#1 page A4)
– Presentation (session of 20’) with questions time on Friday afternoon
– Email slides and summary
• Keep in touch !!
References
• F. Georgel, IT Governance Management Stratégique d’un système d’information, DUNOD (2009). ISBN: 978-2-10-05274-4
• Y. Caseau, Urbanisation et BPM Le point de vue d’un DSI, DUNOD (2005). ISBN: 2-10-048724-8
• Henderson, J. and Venkatraman, N. (1992) Strategic alignment: A model for organisational transformation through information technology. In Kochan, T. A. and Useem, M. (Eds.), Transforming Organisations, Oxford University Press, Oxford and New York.
• B. Claudepierre and S. Nurcan, "ITGIM: An intention-driven approach for analyzing the IT Governance requirements", Requirements, Intentions and Goals in Conceptual Modeling (RIGiM), Gramado, Brazil, November 2009.
• B. Claudepierre and S. Nurcan, "Constats et fondements pour des méthodes d'ingénierie de SI dirigées par les exigences de gouvernance", Revue des Sciences et Technologies de l'Information (RSTI), Editions Lavoisier, O. Pastor, A. Flory, M. Collard, Paris, France, 14:4, pp. 9 - 32, 2009.
• Weill P., Ross J., IT Governance: How Top Performers Manage IT for Superior Results, Harvard Business School Press, 2004, ISBN 1-59139-253-5
• A. Deyrieux, Le système d’information nouvel outil de stratégie – Direction d’entreprise et DSI, MAXIMA, Paris 2004, ISBN: 2-84-001-357-6
• COSO Website: www.coso.org
• COBIT Website: www.isaca.org
• ITIL Website: www.ogc.gov.uk