Of droughts, and flooding rains, of businesses and broken business continuity plans.

Well, this is a blog entry, and I have a thing for bad business poetry.  In Brizvegas, as you may have heard, we’ve had droughts a-plenty until the last two years, and then the flooding rains that just created a seeping, growing, black mess that crept stealthily towards everyone’s place of business or abode.

Well, that might seem a little melodramatic, but you know what?  It’s not.  We’re all affected here in Brizvegas, even in little ways such as losing our carparks (my wife doesn’t think that’s so little) or daycare centre (my daughter, yes, same attitude as her mother).  My house was perfectly fine, halfway up Mount Cootha, but I went for a ride on my pushbike to see how my daughter’s daycare centre was faring.  As I rounded a corner, I ran into deep, black water quite some time before I rather thought I would.  Squealing on the brakes, I thought to myself, ‘That’s not good!’

I also came to the realisation that my five-year-old daughter was not going back to daycare tomorrow.

And so from my back deck, all seemed fine as I looked over the tall trees of Mt Coot-tha, but at the same time some people were cut off from food and petrol – friends of mine were refused service after the floods because they ‘looked grotty’. Well, how would you look after 5 days without power or a shower?

It was an odd flood, bright sunny day, and yet still I noticed the Lexus dealership madly moving cars, and the people at the Brumby’s bakery madly moving flour to the only bakery down the road that wasn’t flooded (it appears they rather had some trouble finding the key, and saved the flour only just in time or the western suburbs would have had to start eating crushed up gumleaves spiced with mud. And then having to drink the wooded Chardonnay left in the wine rack – oh the humanity!)

But the point (and there is one!) is that we precisely do not know what will ever happen to our homes or places of business.  Some of us thought we were really very safe at the time.  That idea’s comforting, but not always true (I can see a mountain full of trees from my back deck – so one day bushfires are on the cards).

Here’s a video I took of a house normally way, way above the river:

All of us banana-benders are looking at each other now, after inland tsunamis, floods-that-weren’t-supposed-to-happen, and Cyclone Yasi, and saying that if we had a blizzard come down Queen Street we’d let loose a suitable expletive and get down to it.

So how do you as a business prepare for these things?

Well, fortunately we do have best practice approaches available such as COBIT and ITIL.  A year or so ago, when I was lecturing at QUT in IT Governance, I asked the students to use COBIT’s framework to help with the development of a business continuity plan.  This is what it, rather drily, says:

DS4.2 IT Continuity Plans: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

The exercise for the student was to take a look around their bedroom and work out what they might lose, what they could afford to lose, and how they might get back on deck.  I seem to recall one student came up with a contingency plan that involved explaining to his lecturer how he didn’t need to submit the assignment that week – I believe I may have said he needed to improve that excuse for his risk register.

Anyway, business continuity plans are things that are really hard if you don’t know where to start.  So I took that reasonably vague statement above from ITGI’s COBIT and turned it into something like the below.  Feel free to borrow it as a template if you like for your business.  It’s not great, it’s not fantastic, but it’s a start, and at least you get thinking about what you need to do in the event of problems like droughts, flooding rains, bushfires, cyclones, blizzards, alien invasion, or inland tsunamis.  Try adapting this for your purposes:

And so I’m going to leave this blog entry right about here, now that I’ve gotten to use some great phrases like ‘a seeping growing black mess’ (seriously, anyone who saw that floodwater will agree that it was pretty yuck).  Readers, please take a look or download the example business continuity plan – a BCP doesn’t need to be hard, it just needs to work.  In fact, if it’s big and hard and ugly, it’s likely it’ll never work.  ‘Keep it Simple, Silly’ is the appropriate rule of thumb.  It’s a good start for some businesses, possibly not for others.

But please don’t find yourself caught on the hop and having to remove those files from the basement where they’re stored to the top floor of your building in your pyjamas and best thongs, like some people I’ve heard of.  Or the people at the Lexus dealership, who were frantic because they couldn’t find the keys to the four wheel drive blocking the driveway.

PS:  I hope I rickrolled somebody in one of those links up above…

Risk management framework

It was with some alarm that I sat down to read my favourite read, ISACA’s monthly IS Control Journal, to discover that ISACA/ITGI is producing another framework to go with the COBIT framework (and it is a framework, I don’t care what anyone else says), and the VAL IT framework:  the IT Risk Management Framework.

I was a little concerned that perhaps it might be one framework too many.

However, it does make sense to create such a beast when you consider that, as I am fond of telling the students I am lecturing (no doubt much to their disgust, terror and ennui), the only two things that matter are what value you can get for what risk. 

Anyway, you can check out the new risk management framework on ITGI’s website, where it will be released as it becomes available.  It’s mentioned in the latest Information Systems Control Journal, in an article by Urs Fischer, and in this relatively recent update to the COBIT vision and strategy.

ITGI Roundtable discussion

Yesterday I had the privilege of attending the Brisbane ISACA chapter’s Executive Lunch with John Thorp on the topic of Value Governance, Investment Management and Portfolio Management.  Amongst many other qualifications, John chairs the ITGI Val IT Committee.

John’s luncheon presentation was very, very good, and reaffirmed some of the positions I’ve had for some time now.  What I love about COBIT and VAL IT is that it is bringing a framework to all that stuff we have in the past done ‘just because’. 

Some highlights for me from John’s presentation were the following points:

  1. IT investments don’t exist, this is all about investment in IT-enabled change – which we can only change when business and IT know who is responsible for what.
  2. A nice little formula from John:  OO + NT = COO [Old Organisation + New Technology = Complex Old Organisation].  Seen that a few times.
  3. Appealing to the television geeks in the audience (like myself), John pilloried the Star Trek school of management – ‘Make It So!’ is rarely as successful as it is in Star Trek.  For a start, most people have no common view as to what ‘it’ is.
  4. John has a nice turn of phrase – ‘bad news does not get better with age’; ‘decibel-based decision-making’, ‘more effort into less things for more value’ (so true!).
  5. Apparently governance goes back to the Greek word ‘kubernan’, which is defined as ‘continually steering or adjusting to stay on course’.
  6. There is a new VAL IT – VAL IT 2.0, which partners COBIT more closely than in the past, and is maturing.  I suspect that in a year or two the course I am giving on IT Governance needs to pick up on this point and move with it.
  7. What I have always referred to as a ‘business prioritisation forum’ is better called an ‘investment services board’ – at least that is what it is in VAL IT parlance.

I believe John’s presentation will soon be on the Chapter website.

Last night I also had the honour of attending dinner for a recorded roundtable discussion on the topic of IT Governance, with many local professionals giving their thoughts and comments.  One of the curious things that it really did highlight for me is probably that the term ‘IT Governance’ is all wrong – which is why ISACA’s new qualification is called ‘CGEIT’ – Certified in the Governance of Enterprise IT.  I haven’t met anyone yet who actually likes the term, yet we keep using it and getting confused with corporate governance issues.

I mean, why don’t we have a marketing governance or an HR Governance, or such like?

At any rate, John is very passionate about advancing the profession in the world of IT management.

It was a good night, and we certainly managed to relax after the microphone was turned off in the convention centre.  I was bitterly disappointed though – the Plough Inn was closed at 10.20 on a Thursday night.  Bitterly disappointed!

ISACA Executive Briefing on IT Governance

Today I am attending the John Thorp Executive Lunch on IT Governance (specifically, he is discussing value governance, investment management and portfolio management).  This is happening at the Convention Centre, and then afterwards I am attending a round table discussion for the IT Governance Institute on the topic of IT Governance and where it needs to go to.

The discussion is complementary to my current role lecturing in IT Governance at QUT and the PhD I am doing in IT Audit (which relates directly to COBIT, and whether organisations need to have different approaches to IT Audit).  My personal view is that not enough organisations are working with COBIT enough, and are treating their IT systems as black boxes.  I don’t believe that that’s appropriate for large, IT-dependent businesses.  And I think that is becoming an increasingly validated point of view. 

I get a guernsey to the roundtable discussion as a ‘leading local professional’ in the area of IT Governance.  Modesty prevents me from affirming that description, but I will fight for their right to say it. 

It promises to be interesting; I’ll post my thoughts on how it travelled after it’s happened. 

Feedback from Optimising your financial reporting systems for long-term value

Well I did say the test of transparency would be whether I rushed to put up a poor evaluation of a presentation.  I did a roadshow for CPA Australia in July (24th and 25th) in Sydney and Melbourne on the topic of ‘Optimising your financial reporting systems for long-term value’.  The feedback that was received was not as good as I would have liked but if you’re going to give presentations you’re not going to find it possible to do really well all the time.

I did spend at least a day putting together the presentation and trying to convert COBIT-type thinking to a more practical consideration.  Probably predictably the feedback was mixed.

At any rate I am posting the feedback.  It’s always a good thing to be transparent and honest, I am sure.  Just ask governments.  Firstly the average overall rating was 3.9 (where 1 = poor, 2 = fair, 3 = average, 4 = very good and 5 = excellent).  So I suppose if we rounded it’s still a ‘Very Good’ assessment.  Technical content received an average of 4.27 and presentation skills 3.96.  CPA’s look for 4.2 so I guess that’s not as good as it could have been.  I’m hoping the audience were hard markers.

Comments specific to my presentation included:

  • Great.  Nice to see some personality, relevance and interaction with us.
  • Presentation too long – had to rush through part of it
  • Great presenter but subject matter much too vague
  • Good speaker, covered the topic well, shame we ran out of time
  • Gave some practical things/going to ask myself
  • Great – very knowledgeable
  • Too much consulting waffle
  • Great – Entertaining

The only unambiguously negative comment of course is the ‘too much consulting waffle’ comment.  Personally I thought I had added just the right amount of consulting waffle but perhaps some people don’t like as much waffle as others do. :).

Overall the ratings are a ‘Very Good’ and it’s of course silly to go off the deep end over that.  Still I would have liked to do better on that score.

Ah well, ‘Must try harder’.