ISACA® is a registered trademark of Information Systems Audit and Control Association. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of the holders, who are not affiliated with mind map author.
It covers 5 domains, 32 tasks and 51 knowledge statements (statements covering the required technical knowledge).
The CGEIT® certification / designation reflects a solid achievement record in IT governance and in topics such as strategic direction, value creation, risk management, resources management and measurement in information technology.
CGEIT® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.
PBE & CBE (only pencil & eraser are allowed)., PBE - Paper based exam., CBE - Closed book exam.
4 hour exam.
150 multiple choice questions designed with one best answer., Several questions (about 10) are based on small scenarios.
No negative points.
Pre-requisite for exam:, none
Pre-requisite for certification:, Read CGEIT® Application Form, http://www.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/Documents/CRISC-Application.pdf
The content area for Domain 1 will represent ..., 25% of the CGEIT® examination, approximately 38 questions
Better customer support.
Transformation of business to leverage technology.
Better oversight of IT investment by management.
Enterprise-wide consistency in IT technology, processes and procurement.
3 Key requirements, It must be positioned as an integral part of the enterprise governance framework., There must be clear definitions of roles and responsibilities., There must be an ongoing implementation and continuity plan.
5 Focus areas, Strategic alignment, Focuses on aligning with the business and collaborative solutions., Value delivery, Concentrates on optimizing expenses and proving the value of IT., Risk management, Addresses the safeguarding of IT assets, disaster recovery and continuity of operations., Resource management, Optimizes knowledge and IT Infrastructure., Performance measurement, Tracks project delivery and monitoring of IT services.
3 Critical foundations, Leadership., Structure or mechanisms., Processes., The presence of all three elements is required. IT Governance would be ineffective or compromised if any one were missing.
Scope of IT Governance, Setting objectives., Providing direction., Evaluating the evaluation of performance., Translating the strategic direction into action., Measuring and reporting on performance.
Steps to Implement IT Governance (generic), 1. Define the meaning of governance in the organization., 2. Identify constraints and enablers., 3. Achieve a broad understanding of IT Governance issues and benefits, 4. Agree, publish and gain acceptance of IT Governance framework, tools, processes., 5. Creation of a Project Initiation Document (PID) / Terms of Reference (ToR), 6. Create a Project Plan, 7. Identify and commit resources., 8. Identify and sign off on KPIs and Critical Success Factors (CSFs)., 9. Align with the business objectives.
External resources, IT Governance - Developing a successful governance strategy. A Best Practice guide for decision makers in IT, https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf
1. Define business goals and IT goals.
2. Define IT Governance processes correctly.
3. Set up clear IT organizational & decision structure.
4. Involve executives and board of directors.
5. Manage roles & responsibilities.
6. Have working IT steering and IT strategy committees.
7. Manage & align the IT investment portfolio.
8. Use performance measurement tools.
9. Set up support communication and awareness mechanisms.
PESTLE Analysis, PESTLE is a mnemonic which in its expanded form denotes P for Political, E for Economic, S for Social, T for Technological, L for Legal and E for Environmental., This concept is used as a tool by companies to track the environment they’re operating in or are planning to launch a new project/product/service etc., It gives a bird’s eye view of the whole environment from many different angles that one wants to check and keep a track of while contemplating on a certain idea/plan., There are certain questions that one needs to ask while conducting this analysis, which give them an idea of what things to keep in mind. They are:, What is the political situation of the country and how can it affect the industry?, What are the prevalent economic factors?, How much importance does culture have in the market and what are its determinants?, What technological innovations are likely to pop up and affect the market structure?, Are there any current legislations that regulate the industry or can there be any change in the legislations for the industry?, What are the environmental concerns for the industry?
SWOT Analysis, Structured planning method used to evaluate the strengths, weaknesses, opportunities and threats involved in a project or in a business venture., Strengths: characteristics of the business or project that give it an advantage over others., Weaknesses (or Limitations): characteristics that place the business or project at a disadvantage relative to others., Opportunities: elements that the project could exploit to its advantage., Threats: elements in the environment that could cause trouble for the business or project., SWOT analysis groups key pieces of information into two main categories:, internal factors, the strengths and weaknesses internal to the organization, external factors, the opportunities and threats presented by the environment external to the organization, Further reading, http://www.mindtools.com/pages/videos/SWOT-analysis-transcript.htm, http://www.mindtools.com/pages/article/newTMC_05.htm
TOWS Analysis, TOWS Analysis is a variant of the classic business tool, SWOT Analysis., TOWS and SWOT are acronyms for different arrangements of the words Strengths, Weaknesses, Opportunities and Threats., By analyzing the external environment (threats and opportunities), and your internal environment (weaknesses and strengths), you can use these techniques to think about the strategy of your whole organization, a department or a team., For each combination of internal and external environmental factors, consider how you can use them to create good strategic options:, Strengths and Opportunities (SO) – How can you use your strengths to take advantage of these opportunities?, Strengths and Threats (ST) – How can you take advantage of your strengths to avoid real and potential threats?, Weaknesses and Opportunities (WO) – How can you use your opportunities to overcome the weaknesses you are experiencing?, Weaknesses and Threats (WT) – How can you minimize your weaknesses and avoid threats?
Balanced Scorecard (BSC), What is it?, Strategic management system that helps an organization translate its strategies into objectives that drive both behaviour and performance. Both financial and non-financial., Measures are designed to track the progress of objectives against targets., Financial, Share value, profit, revenue, cost of capital, debt, ROA, cash flow., Customer, Market share, customer satisfaction, customer service, number of contracts, KYC, customer due diligence, number of claims., Internal, Regulatory compliance, number of incidents, centralized data, process optimization., Growth, Competitive advantage, reputation., Further reading, http://www.mindtools.com/pages/article/newLDR_85.htm, variants, IT Balanced Scorecard (IT BSC)
Boston Box / Boston Consulting Group (BCG) Matrix, Further reading, http://www.mindtools.com/pages/article/newTED_97.htm
Porter’s 5 forces model, The Porter's Five Forces tool is a simple but powerful tool for understanding where power lies in a business situation., This is useful, because it helps you understand both the strength of your current competitive position, and the strength of a position you're considering moving into., Five Forces Analysis assumes that there are five important forces that determine competitive power in a business situation. These are:, Supplier Power:, Here you assess how easy it is for suppliers to drive up prices. This is driven by the number of suppliers of each key input, the uniqueness of their product or service, their strength and control over you, the cost of switching from one to another, and so on. The fewer the supplier choices you have, and the more you need suppliers' help, the more powerful your suppliers are., Buyer Power:, Here you ask yourself how easy it is for buyers to drive prices down. Again, this is driven by the number of buyers, the importance of each individual buyer to your business, the cost to them of switching from your products and services to those of someone else, and so on. If you deal with few, powerful buyers, then they are often able to dictate terms to you., Competitive Rivalry:, What is important here is the number and capability of your competitors. If you have many competitors, and they offer equally attractive products and services, then you'll most likely have little power in the situation, because suppliers and buyers will go elsewhere if they don't get a good deal from you. On the other hand, if no-one else can do what you do, then you can often have tremendous strength., Threat of Substitution:, This is affected by the ability of your customers to find a different way of doing what you do – for example, if you supply a unique software product that automates an important process, people may substitute by doing the process manually or by outsourcing it.
If substitution is easy and substitution is viable, then this weakens your power., Threat of New Entry:, Power is also affected by the ability of people to enter your market. If it costs little in time or money to enter your market and compete effectively, if there are few economies of scale in place, or if you have little protection for your key technologies, then new competitors can quickly enter your market and weaken your position. If you have strong and durable barriers to entry, then you can preserve a favorable position and take fair advantage of it., Further reading, http://www.mindtools.com/pages/videos/five-forces-transcript.htm, http://www.mindtools.com/pages/article/newTMC_08.htm
Porter’s value chain model, Further reading, http://www.mindtools.com/pages/article/newSTR_66.htm
The McKinsey's 7S Framework, The basic premise of the model is that there are seven internal aspects of an organization that need to be aligned if it is to be successful., This model proposes that organisations are subject to these seven inter-related aspects, The 7-S model can be used in a wide variety of situations where an alignment perspective is useful, for example, to help you:, Improve the performance of a company., Examine the likely effects of future changes within a company., Align departments and processes during a merger or acquisition., Determine how best to implement a proposed strategy., Explaining each of the elements specifically:, Strategy, The plan devised to maintain and build competitive advantage over the competition., Structure, The way the organization is structured and who reports to whom., Systems, The daily activities and procedures that staff members engage in to get the job done., Shared Values, Called "superordinate goals" when the model was first developed, these are the core values of the company that are evidenced in the corporate culture and the general work ethic., Style, The style of leadership adopted., Staff, The employees and their general capabilities., Skills, The actual skills and competencies of the employees working for the company., Further reading, http://www.mindtools.com/pages/videos/7s-transcript.htm, http://www.mindtools.com/pages/article/newSTR_91.htm
The McFarlan's matrix on the strategic importance of IT
Lean Thinking, Lean thinking links closely to the concept of delivering value. It is based on theory and practice developed for manufacturing and emphasises the removal of waste. Waste, often called “Muda” (a Japanese term) refers to everything which is not of value to the customer (internal and external)., The Lean approach advocates the following 5 principles:, Specify what creates value from a customer’s perspective, Identify all steps across the whole value chain, Make those actions happen that create the value flow, Make what is “pulled” (demanded or triggered) by the customer happen just in time, Strive for perfection by continually removing successive layers of waste
What is Enterprise Architecture?, An enterprise can be made up of:, Many divisions., Many departments., Many regions., Many lines of business., Many cultures., ..., Enterprise architecture attempts to align all of these diverse areas to realize economies of scale, consistent risk management, etc., Architecture can be defined as a representation of a conceptual framework of components and their relationships at a point in time. EA takes a broader view of the entire enterprise and seeks to align individual architectures into a consistent model., Enterprise architecture provides consistency between all the elements of the organization:, Policy., Standards., Procurement., ..., Enterprise architecture provides better top level oversight, monitoring and direction.
Business architecture, Enterprise level.
Information architecture, Business unit level.
Information systems architecture, Systems level.
Data architecture, Data element level.
Technology / Delivery systems architecture, Hardware, software, networks.
Practical Architectural Layers, Applications., Databases., Networks., Operating systems / utilities., Hardware.
Key Success Factors (KSFs) for Enterprise Architecture, EA should be approached in a top-down, enterprise-wide fashion., EA is the link between strategy, technology, processes and organization and is one of the key IT contributions to the enterprise effort to implement strategy., For the optimal approach to doing EA in the organization, there are a number of factors to be kept in mind: size, culture, EA skill levels, stakeholder views, resources, financial strength.
1. Take a programme approach, Instead of approaching the framework as a single project or on a piece by piece basis, take an approach that the establishment of the frameworks is a series of many inter-related projects.
2. Champion or sponsor and funding, Have a clearly identified project champion or sponsor and secure sufficient short-term and sustainable funding.
3. Communication and buy-in, Adoption of an IT best practice, standard or framework must be communicated to stakeholders.
Evolution, Transformational change is implemented gradually.
Revolution, Transformational change that occurs simultaneously on many fronts.
Adaptation, Realign the way in which the organization operates, using a series of steps.
Reconstruction, Rebuilding entire business processes and models simultaneously.
ISACA®, COBIT® 5 A business framework for the governance and management of enterprise IT, COBIT® 5 is a single and integrated framework for GEIT but also guidance for management, Helps enterprises create optimal value from IT by maintaining a balance between benefits and risk levels and resource use.
ISO, ISO / IEC 38500 - Standard for corporate governance of IT, ISO / IEC 20000-1:2011 Information Technology -- Service management -- Part 1: Service management system requirements, ISO 2700X family of standards, ISO/IEC 27001:2013 Information Technology - Security techniques - Information security management systems (ISMS) - Requirements, ISO/IEC 27002:2013 Information Technology -- Security techniques - Code of practice for information security controls, ISO/IEC 27003:2010 Information technology - Security techniques - Information security management system implementation guidance, ISO/IEC 27005:2013 IT Risk: Turning Business Threats Into Competitive Advantage (ISRM), ...
Application Management (NOT application lifecycle management), ASL BiSL Foundation, ASL®2 - Application Services Library 2, see ASL®2 mind map, www.aslbislfoundation.org
Bodies of Knowledge (selected), Business Analysis, IIBA®, Business Analysis Body of Knowledge (BABOK®), see BABOK®2 mind map, Extensions, Agile Extension to the BABOK® Guide, v1, 2013, 136 pages, description, The Agile Extension to the BABOK® Guide is a resource for business analysts, those who are practicing business analysis, as well as product owners, business owners and corporations who are working on agile projects. The Agile Extension to the BABOK® Guide is aligned with the Business Analysis Body of Knowledge (BABOK®) and has been developed in collaboration with the Agile Alliance. The Agile Extension to the BABOK® Guide provides business analysts with the tools and techniques they need to be extremely effective in their position on Agile teams. The Agile Extension to the BABOK® Guide provides 7 key guidelines for the practice of business analysis within an agile environment. These guidelines are supported by a Discovery Framework and a Delivery Framework that articulate specific techniques that have proven to be successful for agile teams in delivering value., see BABOK®3 mind map, DSDM Consortium, see AgileBA® mind map, www.dsdm.org, Outsourcing Management, IIOM®, Outsourcing Management Body of Knowledge (OMBOK™), IAOP®, Outsourcing Professional Body of Knowledge™ (OPBOK), see Outsourcing Professional Body of Knowledge (OPBOK®) mind map, Project Management, PMI®, Project Management Body of Knowledge (PMBOK®), see PMBOK®5 mind map, Security Management, (ISC)², Common Body of Knowledge, SRMBok, Security Risk Management Body of Knowledge, see Bodies of Knowledge mind map
COSO, Enterprise Risk Management (ERM) Integrated Framework, see COSO ERM-IF mind map, Internal Control (IC) Integrated Framework, see COSO III IC-IF mind map
Data Management, DMBoK, Data Management Body of Knowledge
Enterprise Architecture, Department of Defense Architecture Framework (DoDAF), EABOK, Enterprise Architecture Body of Knowledge, Federal Government's Coordination and Advisory Board for IT in the Administration (KBSt), Standards and Architectures for e-Government Applications (SAGA), Governance Enterprise Architecture (GEA), NIST, NIST Enterprise Architecture Model, The Open Group, TOGAF® - The Open Group Architecture Framework, US Office of Management and Budget (OMB), Federal Enterprise Architecture (FEA), Zachman International®, Zachman’s framework
IT Governance, ISACA®, COBIT® 5 A business framework for the governance and management of enterprise IT, COBIT® 5 is a single and integrated framework for GEIT but also guidance for management, Helps enterprises create optimal value from IT by maintaining a balance between benefits and risk levels and resource use., see COBIT® 5 mind map
Information Provision / Demand Management (client side NOT IT side), ASL BiSL Foundation, BiSL® - Business Information Services Library, see BiSL® mind map, www.aslbislfoundation.org
Maturity Models (selected), SEI, CMM, CMMI, eSCM, eSourcing Capability Model of Carnegie Mellon University (CMU), see Maturity Models mind map
Outsourcing Management, IIOM®, Outsourcing Management Body of Knowledge (OMBOK™), IAOP®, Outsourcing Professional Body of Knowledge™ (OPBOK®), see Outsourcing Professional Body of Knowledge (OPBOK®) mind map
Process Frameworks, TM Forum, eTOM - Enhanced Telecom Operations Map
Procurement Management, ISPL Consortium, ISPL® - Information Services Procurement Library, see ISPL® mind map
Project Management, APM, APM Body of Knowledge, www.apm.org.uk, DSDM Consortium, The DSDM® AgilePF® - Agile Project Framework, see DSDM® AgilePF® mind map, AgilePM® V2, see AgilePM® V2 mind map, www.dsdm.org, AXELOS, PRINCE2® - PRojects IN Changing Environments, see PRINCE2® mind map, PRINCE2® - Agile, see PRINCE2® Agile mind map, www.axelos.com, PMI, Project Management Body of Knowledge (PMBOK®), see PMBOK®5 mind map, Extensions, Construction Extension to the PMBOK® Guide 3 Edition, ISBN-13: 978-1-930699-52-6, 208 pages, v2, 2007, Government Extension to the PMBOK® Guide 3 Edition, ISBN-13: 978-1-930699-91-5, 129 pages, v1, 2006, Software Extension to the PMBOK® Guide 5 Edition, ISBN-13: 978-1-62825-013-8, 288 pages, v1, 2013, www.pmi.org
Programme Management, DSDM Consortium, AgilePgM®, see AgilePgM® mind map, www.dsdm.org, AXELOS, MSP® - Managing Successful Programmes, see MSP® mind map, www.axelos.com
Quality Management, EFQM, ISO, ISO 9001, Six Sigma - Six Sigma model for quality management, TickIT Quality management for IT, TickIT+ Quality management for IT, TQM - Total quality management, QBoK, Quality Body of Knowledge
Risk Management, ISO, ISO 31000:2009, ISO 27005:2013, OCTAVE, CRAMM, TRA, NIST-800-30, EBIOS, MEHARI, ..., M_o_R® - Management of Risk, see M_o_R® mind map
Value Management / Engineering, AXELOS®, MoV® - Management of Value, see MoV® mind map, www.axelos.com, SAVE International®, Value Methodology Standard
AXELOS®, AXELOS® Global Best Practices family of standards from UK., ITIL® - IT Infrastructure Library, see ITIL® mind map, M_o_R® - Management of Risk, see M_o_R® mind map, MoV® - Management of Value, see MoV® mind map, MoP® - Management of Portfolios, see MoP® mind map, MSP® - Managing Successful Programmes, see MSP® mind map, PRINCE2® - PRojects IN Changing Environments, see PRINCE2® mind map, PRINCE2® Agile, see PRINCE2® Agile mind map, P3O® - Portfolio, Programme and Project Office, see P3O® mind map
Applies to those who either own the required resources or those who have the authority to approve the execution and / or accept the outcome of an activity within specific risk management processes.
Ideally only one person should be accountable - for accountability reasons., e.g., Project Manager is accountable for risks affecting his project., Team Leader is accountable for risks affecting his team and work.
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
“One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value.”
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.
Generally accepted, business process-oriented structures that establish a common language and enable repeatable business processes.
Qualitative statements that describe a state of affairs or an accomplishment necessary for the business to become what it wants to become (the business vision).
A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively. (ISACA®, COBIT5®)
goal, To understand the issues and the strategic importance of IT so that the enterprise can sustain its operations and implement the strategies required to extend its activities into the future., Aims at ensuring that expectations for IT are met and IT risks are mitigated.
An objective must be quantitative - a specific, measurable achievement or milestone that must be reached to accomplish a goal or mission determined by appropriate metrics.
Groupings of ‘objects of interest’ (investment programmes, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value.
The goal of portfolio management (in relation to VAL IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.
Frequent or unusual actions performed as an application of knowledge.
A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient, to achieve a required business outcome) to the enterprise based on an agreed on schedule and budget.
The potential for events and their consequences, contains both (aka. two sides of the risk coin):, Opportunities, for benefit (upside / benefits), Threats, to success (downside / disbenefits)
Risk is defined as the possibility of an event occurring that will have an impact on the achievement of objectives, and it is typically measured in terms of likelihood and impact., Risk = likelihood * impact
Established mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.
The deliberate application of means to achieve business vision and goal-related ends. The purpose of strategy is to maximize possibilities for success by effective use of the means available to an enterprise.
The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total lifecycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money.
“The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are all balanced.”
“Value delivery in the context of governance of IT concentrates on optimizing expenses and proving the value of IT.”
A statement of the enterprise’s purpose, why it exists and what it aspires to. The business vision of an enterprise is articulated by a set of goals that define what the business will strive for and where the business will invest its resources.
The content area for Domain 2 will represent ..., 20% of the CGEIT® examination, approximately 30 questions
Strategic Alignment Model (SAM), Henderson and Venkatraman
Extended Strategic Alignment Model (ESAM), Maes
The COBIT® 5 Goals Cascade, Stakeholder needs, Stakeholder Drivers Influence Stakeholder Needs, Enterprise goals, Stakeholder Needs Cascade to Enterprise Goals, IT-related goals, Enterprise Goals Cascade to IT-related Goals, Enabler goals, IT-related Goals Cascade to Enabler Goals
Value of the COBIT® 5 Cascade for Strategic Planning, Defines relevant and tangible goals and objectives., Filters the knowledge base of COBIT®., Clearly identifies and communicates how enablers are important to achieve enterprise goals.
Agility, Enterprises need to be agile to keep up with their markets, and IT organizations must be agile to stay aligned with their enterprises.
Agility Loops, Loop 1: Monitoring and deciding, responsive decision making, Loop 2: Improving existing processes, improving existing operations, Loop 3: Creating new processes, creating new operations, Techniques for Conducting Agility Loops, Loop 1 (monitoring and deciding), Boyd Cycle (Observe - Orient - Decide - Act), Loop 2 (improving existing processes), Six Sigma (Define, Measure, Analyze, Improve, Control [DMAIC]), Loop 3 (creating new processes), Define - Design - Build
Balanced Scorecard (BSC), What is it?, Strategic management system that helps an organization translate its strategies into objectives that drive both behaviour and performance. Both financial and non-financial., Measures are designed to track the progress of objectives against targets., Financial, Share value, profit, revenue, cost of capital, debt, ROA, cash flow., Customer, Market share, customer satisfaction, customer service, number of contracts, KYC, customer due diligence, number of claims., Internal, Regulatory compliance, number of incidents, centralized data, process optimization., Growth, Competitive advantage, reputation., Further reading, http://www.mindtools.com/pages/article/newLDR_85.htm
IT Balanced Scorecard (IT BSC)
Investment Portfolio Categorizations
IT-enabled Investment Programs, Benefits of IT Investment Programs, 4 types of benefits of new IT initiative, Direct benefits, Productivity increases and cost savings due to the capacity increases brought about by a new system., Incremental benefits, Monetary benefits that may not be solely the result of the new system involved, but are measurable and due to the increased capabilities of the new system., Cost avoidance benefits, Savings related to the lower maintenance costs or increased capacity provided by the new system., Intangible benefits, Challenging to quantify. Includes things like maintenance of a competitive advantage by better intelligence and adaptability, superior service levels that solidify customer relationships.
Return on Investment (ROI), The ROI of an IT-driven initiative answers the question, Is this project worth doing? Is this process worth continuing?, The process of calculating ROI requires the input from both business and technical people., To be complete, ROI analysis should be performed twice., The first analysis should show the net present value (NPV) of the initiative using the low end of the range of benefits estimated and the second should use the high end of the estimated benefits., Calculating Return on IT Investment, Various techniques can be helpful (selected), Preparation of formalized, consistent business cases., Use of hurdle rates - minimum acceptable rate of return., Attention to portfolio management., Application of metrics such as internal rate of return (IRR) (value of today’s dollar compared to the value of future income), and payback period., If there is consensus and the ROI shows that the initiative produces a low NPV, then there is no point in continuing with the initiative., Only initiatives that have a consensus on costs and benefits and show a high NPV get to continue on into the “design” phase., Net Present Value (NPV) - the impact on revenue compared to the produced benefits.
Current Practice in Business Case Development
Business Case Components
Business Cases as Operational Tools
Benchmarking is a performance measurement tool, It measures performance of comparable enterprises and identifies the best practices., Allows management to measure their operations against other similar organizations, Base decisions on objective, quantifiable measures., Keep in line with competitors.
General 12 step approach to Benchmarking, 1. Develop senior management commitment., 2. Develop a mission statement., 3. Plan., 4. Identify customers., 5. Perform research., 6. Identify partners., 7. Develop measures., 8. Develop and administer questionnaires., 9. Scrub and analyze data., 10. Isolate best practices., 11. Conduct site visits and interviews., 12. Present findings and monitor results.
Critical Path Method (CPM), example #1
Gantt chart, example #1
PERT chart and CPM, example #1
Product Breakdown Structure (PBS).
Resource Breakdown Structure (RBS).
Work Breakdown Structure (WBS).
1. Illustrating and Quantifying the IT Strategy
2. Communicating constantly
3. Focus on explaining and training
4. Using a participatory style of decision-making process
5. Documenting operational procedures
6. Benchmarking other organizations
Creating and sustaining awareness of the strategic role of IT at a top management level.
Clarifying the role that IT should play - utility vs. enabler.
Creating IT guiding principles based on business culture.
The culture of IT should reflect the same culture as the business IT supports.
The content area for Domain 3 will represent ..., 16% of the CGEIT® examination, approximately 24 questions
A 2002 Gartner survey found that 20 percent of all expenditures on IT is wasted - a finding that represents, on a global basis, an annual destruction of value totalling about US $600 billion.
A 2004 IBM survey of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organisations.
A 2006 study conducted by The Standish Group found that only 35 percent of all IT projects succeeded while the remainder (65 percent) were either challenged or failed., see The Standish Group Report - chaos-report
Cook, R.; ‘How to Spot a Failing IT Project’, CIO Magazine, 17 July 2007, http://www.cio.com/article/124309/How_to_Spot_a_Failing_Project
VAL IT sets out good practices for the goals and objectives of IT investment, by providing enterprises with the structure they require to measure, monitor and optimise the realisation of business value from investment in IT.
Are applied through 3 domains, Value governance., Portfolio Management., Investment Management.
6 Key Value Governance Practices, VG1 Establish informed and committed leadership, VG2 Define and implement processes, VG3 Define portfolio characteristics, VG4 Align and integrate value management with enterprise financial planning, VG5 Establish effective governance monitoring, VG6 Continuously improve value management practices
Programs are selected based not just on their desirability, but also on the enterprise’s ability to deliver them.
Having methodologies in place is less important than whether business managers and specialists use them.
Robust and realistic business cases are used and, if possible, include benefits for all stakeholders.
Benefits are managed over the entire investment life cycle through consistently applied practices and processes.
Integrated planning addresses benefit delivery as well as organizational, process and technology changes.
Business ownership and accountability are assigned for all benefits and changes targeted.
Investments and their results in terms of whether benefits are realized are systematically monitored and reviewed.
Lessons learned are consistently gleaned from both successful and unsuccessful programs, and used to improve the planning and management of new ones.
There are different categories of investment with differing levels of complexity and degrees of freedom in allocating funds., e.g., Innovation., Venture., Growth., Operational improvement., Operational maintenance., Mandatory investments.
IT Investment Objectives, Transactional, To cut costs or increase throughput for the same cost - faster transaction processing., Informational, To provide better information support for business purposes - including to manage, control, report compliance, communicate, collaborate or analyze (e.g., a sales analysis or reporting system)., Strategic, To gain competitive advantage or position in the marketplace (e.g. offering a service not offered by competitors)., Infrastructure, The base foundation of shared IT services used by multiple applications (e.g. servers, networks, laptops, customer databases).
Managing IT Investments, Choose, Determine priorities. Cost, benefits etc., Control, Continue to meet milestones. Cancel or continue., Evaluate, Post implementation reviews.
3 Key Components of Investment Management, Business Case, Essential to selecting the right investment programs and to manage them during their execution, Program Management, Governs all processes that support execution of the programs., Benefits Realization, The set of tasks required to actively manage the realization of program benefits.
IT Investment Management Practices and Processes from Val IT Framework perspective, Val IT process dedicated to Investment Management, Develop and evaluate the initial program concept business case., Understand the candidate program and implementation options., Develop the program plan., Develop full life-cycle costs and benefits., Develop the detailed candidate program business case., Launch and manage the program., Update operational IT portfolios., Update the business case., Monitor and report on the program., Retire the program.
2 Types of Benefits Realization, Business benefits, Contribute directly to value (an outcome that is expected to, or does, directly increase value)., Intermediate benefits, Benefits that are not business benefits but might lead to business benefits including leveraging assets, improving customer service, improving morale, or better management of information.
The goal of portfolio management (in relation to VAL IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.
At a minimum, the business case should include the following, The business benefits targeted, their alignment with business strategy and who in the business functions will be responsible for securing them., Business changes needed to create additional value., The investments needed to make the business changes., The investments required to change or add new IT services and infrastructure., The ongoing IT and business costs of operating in the changed way., The risks inherent in the above, including any constraints or dependencies., Who will be accountable for the successful creation of optimal value., How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used.
Development of a Business Case, 1. Building a fact sheet with all the relevant data, followed by analysis of the data in steps 2-5., 2. Alignment analysis., 3. Financial benefits analysis., 4. Nonfinancial benefits analysis., 5. Risk analysis, resulting in step 6., 6. Appraisal and optimization of the risk / return of the IT-enabled investment, represented by step 7., 7. Structured recording of the results of the previous steps and documentation of the business case, maintained by step 8., 8. Review of the business case during the program execution, including the entire life cycle of the program results.
Closely align systems projects with business goals.
Use systems to change the competitive landscape.
Leverage the strengths of existing systems.
Use the simplest combination of technology and business procedures to achieve as many different objectives as possible.
Structure the design so as to provide flexibility in the development sequence used to create the system.
Ensure that systems are not built with levels of complexities which exceed the organization’s capabilities.
Ensure that projects are not renewed using the same organizational approach or using the same systems design after it has once failed.
The content area for Domain 4 will represent ..., 24% of the CGEIT® examination, approximately 36 questions
What is it?, The (constant) process of balancing the risk associated with business activities with an adequate level of control that will enable the business to meet its objectives., Holistically covers all concepts and processes affiliated with managing risk, including:, Systematic application of management policies, procedures and practices, Establishing the context, External, Internal, Communicating, consulting, Identifying, Analysing, Evaluating, Treating, Controlling, Monitoring, Reviewing
Goal, Major goal of risk management in the decision-making process is to manage the uncertainty.
High Level Process Phases (Risk IT), 1. Collect Data, 2. Analyze Risk, 3. Maintain Risk Profile
Portfolio risk, goal, Management of stakeholder perceptions that would affect the reputation of an organization., Ensuring business success of the organization., context, business success, business vitality, finance, core services, organization / enterprise capabilities, resources, portfolio management, by AXELOS®, MoP® - Management of Portfolios standard, see MoP® mind map, by PMI®, The Standard for Portfolio Management: Third Edition
Program risk, goal, Delivering business change with measurable benefits., Delivering business transformation., Delivering outcomes., context, benefits, capabilities, programme management, by AXELOS®, MSP® - Managing Successful Programmes standard, see MSP® mind map, by PMI®, The Standard for Program Management Third Edition
Project risk, goal, Producing defined business change products within time, cost and scope constraints., Delivering outputs., context (6 project parameters), time, budget, benefits, quality, scope, risk, context, project management, by AXELOS®, PRINCE2® - PRojects IN Controlled Environments, by PMI®, A Guide to the Project Management Body of Knowledge: PMBOK® Guide, see PMBOK® 5 Guide mind map
Operational risk, goal, Maintaining business services to appropriate levels., Day-to-day management., Business as Usual (BaU)., context, reputation, volume, quality, internal control, revenue, staff, customer
IT Benefit / Value Enablement, e.g., Technology enabler for new business initiatives., Technology enabler for efficient operations., Technology enabler for higher SLAs / OLAs levels.
IT Programme and Project Delivery, e.g., Project relevance / priority., Project time / budget overrun., Project quality.
IT Operations and Service Delivery, e.g., IT service interruptions (SLAs / OLAs crisis)., Security issues., Compliance / regulatory issues.
Service based SLA, Agreement that covers one service for all the customers of that service.
Customer based SLA, Agreement with the individual Customer group, covering all the services they use. More flexible, better adjusted to customer’s needs but more complicated.
Multi-level SLA, Good for the largest organisations. The most complex, divided into levels:, Corporate level, Covering all the generic SLM issues appropriate to every customer throughout the organization., Customer level, Covering all SLM issues relevant to the particular customer group or business unit, regardless of the service being used., Service level, Covering all SLM issues relevant to specific service, in relation to a specific Customer group (one for each service covered by the SLA).
Insourcing (Internal), Using an internal service provider to manage IT services.
Outsourcing (External), Using an external service provider to manage IT services.
Co-sourcing, Combination of insourcing and outsourcing. Other models.
Multi-sourcing, Formal arrangement between two or more provider organisations to work together and support one large customer (consortium).
Other models (selected), Business Process Outsourcing., entire business process outsourcing, Application Service Provision., providing computer based-services over a network, Knowledge Process Outsourcing., providing business and domain-based expertise, ...
Mean Time Between Service Incidents (MTBSI).
Mean Time Between Failures (MTBF)., aka. uptime.
Mean Time to Restore Service (MTRS)., aka. downtime.
Mean Time To Repair (MTTR).
Single Point Of Failure (SPOF).
The content area for Domain 5 will represent ..., 15% of the CGEIT® examination, approximately 22 questions
Applications, An application system adds value through its support for business processes and interaction with people and other systems.
Infrastructure, IT infrastructure includes hardware (memory, CPU, storage), software, networks and controls that facilitate business activities.
Information, Information resources (more commonly referred to as assets) are often among the most valuable assets owned by the organization. Their confidentiality, integrity.
People, People make up the most critical and aspect of business operations. The enterprise requires personnel with the right skills to operate systems and support business.
Organizations must determine the best way to provision IT services, Internal (aka. Insourcing), Advantages, In-house skills., Flexible., Responsive to and understands the business., Disadvantage, Extended timelines., Lack of skilled resources., External (aka. Outsourcing), Advantages, Availability of skilled resources., Lower training and development cost., Shorter timeframes for delivery., Disadvantage, Inflexible., Expensive., Loss of direct control over systems., Multiple Outsourcing Suppliers (aka. Multisourcing), Advantages, Reduce reliance on one firm., Competitive contracts., Variety of solutions., Disadvantage, Incompatibility between systems / equipment., Blame the other company for everything., Misaligned technology and provider strategies.
Services that are Eligible for Outsourcing (selected), Enterprise Resource Planning (ERP)., Customer Relationship Management (CRM)., Knowledge management and collaboration., End-user and distributed computing., Corporate platforms and data., Data networks and service., Voice networks and services., Storage., ...
Human capital can be regarded as the prime asset of an organization, and businesses need to invest in people to ensure business survival and growth.
Aims to ensure that the enterprise obtains and retains the skilled, committed and well motivated workforce it needs., Motivating IT professionals to increase productivity and reduce turnover involves a number of factors that IT managers need to manage.
It means engaging in talent management - the process of acquiring and nurturing talent.
Provide strong leadership especially during times of change.
Provide staff with development plans & a clearly defined career path.
Allow people to learn new technologies.
Ask staff what they want.
Give staff resources / support to do their job.
Be competitive in salary / benefits.
Ensure staff perceive job as meaningful.
Compares the costs with the benefits of the IT enabled investment that can be directly and indirectly attributed to the investment.
Techniques (selected), Payback period., Net present value analysis (NPV) / Internal rate of return (IRR)., Return on investment (ROI)., Return on security investment (ROSI)., Breakeven analysis.
Involves a comparative examination of the costs and benefits of a project by using some surrogate measure for intangible costs or benefits, that can be expressed in monetary terms.
As an example, for increased customer satisfaction, the benefit may be expressed in terms of reducing the cost of returned products and reducing the number of customer complaints.
important on exam!
ISACA® CGEIT® QAE Item Development Guide, http://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CGEIT-QAE-Item-Development-Guide.pdf
ISACA® CGEIT® Item Development Guide, http://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CGEIT-Item-Development-Guide-2013.pdf