The Experience of Generali Group in Implementing COBIT 5
Marco Salvato, CISA, CISM, CGEIT, CRISC
Andrea Pontoni, CISA
Generali Group at a glance
Let me introduce myself: Marco Salvato, CISA, CISM, CGEIT, CRISC
Areas of expertise: COBIT; Information System Audit (CISA); Governance of Enterprise IT (CGEIT); Information Security Management (CISM); Risk Management (CRISC)
Experience: Process governance; Freelance software developer; ISACA Venice Chapter Board Member; Information Security Governance; Risk Governance; Compliance Governance
Let me introduce myself: Andrea Pontoni, CISA
Areas of expertise: COBIT; Information System Audit (CISA)
Experience: IT Audit; IT Project Leader; ISACA Venice Chapter Board Member
Quick overview of the overall scenario: what is the company environment?
Group Strategy Generali's strategic imperatives for the operating platform GENERALI INVESTOR DAY, London, May 2015
Group Strategy Operational Excellence Consolidation, centralization and standardization are currently underway.
Group Strategy IT Transformation Transformation of IT Systems required to accelerate digitalization and industrialization. GENERALI INVESTOR DAY, London, May 2015
Triggers for COBIT 5 Implementation
- Strong alignment with the business strategy and the customer needs
- Need to establish an overall view to ensure a centralized enterprise governance
- Define a harmonized, cross-country process framework
- Improve efficiency
- Resource optimization
- Ensure cross-country compliance
- Ensure a risk-based approach
- Ensure centralized management of audit activities
The COBIT story in Generali How the Group started using COBIT
The COBIT story in Generali: before 2008 the Group was using COBIT 3.x and 4.x to fulfil some audit or compliance requirements. The main good practices used were ITIL and some ISO standards.
The COBIT story time line in Generali (2008 to 2016; the original slide places each event on a year axis that the extraction did not preserve):
- The Generali Audit function starts the COBIT adoption all over the Group companies
- Many Generali Group companies start to implement COBIT in their own Process Framework
- GBS delivers a COBIT 5 training program for more than 300 employees in 2 years: COBIT 5 Introduction and COBIT 5 Foundation
- The new COBIT 5 is coming and GBS hosts a workshop to understand its benefit, with external guests from the University of Antwerp
- GBS subscribes a Corporate License with ISACA for the COBIT 5 library
- Generali Group subscribes a Corporate License with ISACA for the COBIT 5 library
- GBS delivers a COBIT 5 for Executives training
- GBS and GIS continue to plan new COBIT 5 training: COBIT 5 Introduction and COBIT 5 Foundation
GBS = Generali Business Solutions; GIS = Generali Infrastructure Services
Generali Infrastructure Services (GIS) The experience of GIS using COBIT
Generali Infrastructure Services: WHO WE ARE... The creation of GIS as a Generali shared service provider reflects the Group strategy. Our purpose is to enable the Generali strategy both locally and globally, support innovation, and manage efficient and reliable infrastructure services.
Generali Infrastructure Services: WHERE WE ARE GOING... Our ambition is to be a global, agile business partner that brings relevant, added-value and shared solutions. We aim at developing, integrating and delivering simple, fitting and maintainable services.
The main challenges: GIS was created in 2014, focusing on delivering shared common infrastructure services, and there were some critical challenges:
- Align business strategy with IT strategy
- Harmonize processes and services
- Define a centralized governance
- Improve the added value of the services provided
- Deal with different cultures
What we did: we defined some workstreams managed through a centralized governance within a cross-country program. One of them was focused on the process landscape definition, and its members were Group experts in different good practices (ITIL, CMMI, COBIT, ISOs, ...). When a first draft of the process landscape was defined, the responsibility for its improvement and implementation was transferred to the line functions. A Process Governance Board was established to support the evaluation of the main changes.
Good practices and frameworks: which good practices and frameworks have been used?
Best practices and standards used in the GIS Process Framework:
- IT Infrastructure Library (ITIL 2011 edition): Service Strategy, Design, Transition, Operation and Improvement
- ISACA COBIT 5: Governance and Management of Enterprise IT
- ISO 31000 series: Risk Management
- ISO/IEC 38500:2008: Corporate Governance of IT
- ISO/IEC 27001:2013: Information Security Management Systems
- Project Management Body of Knowledge (PMBOK): Project Management
Mapping with COBIT 5 (GIS Process Book vs. COBIT 5 processes; P = Primary match, S = Secondary match)
The GIS Process Book groups its processes into Governance, Service Strategy, Service Development, Service Management & Operations and Enterprise Management. The original slide is a matrix with the 35 GIS processes as columns and the 37 COBIT 5 processes as rows; the column each mark falls in was not preserved by the extraction, so only the per-process counts and match types are reproduced here.
COBIT 5 process: number of matching GIS processes (match types)
Evaluate, Direct and Monitor
- EDM01 Ensure Governance Framework Setting and Maintenance: 2 (S, S)
- EDM02 Ensure Benefits Delivery: 1 (P)
- EDM03 Ensure Risk Optimisation: 1 (P)
- EDM04 Ensure Resource Optimisation: 1 (P)
- EDM05 Ensure Stakeholder Transparency: 1 (S)
Align, Plan and Organise
- APO01 Manage the IT Management Framework: 1 (P)
- APO02 Manage Strategy: 1 (P)
- APO03 Manage Enterprise Architecture: 1 (P)
- APO04 Manage Innovation: 1 (P)
- APO05 Manage Portfolio: 2 (P, P)
- APO06 Manage Budget and Costs: 2 (P, S)
- APO07 Manage Human Resources: 1 (P)
- APO08 Manage Relationships: 1 (P)
- APO09 Manage Service Agreements: 2 (S, P)
- APO10 Manage Suppliers: 2 (S, P)
- APO11 Manage Quality: 2 (P, S)
- APO12 Manage Risk: 2 (P, S)
- APO13 Manage Security: 2 (P, S)
Build, Acquire and Implement
- BAI01 Manage Programmes and Projects: 2 (S, P)
- BAI02 Manage Requirements Definition: 1 (P)
- BAI03 Manage Solutions Identification and Build: 1 (P)
- BAI04 Manage Availability and Capacity: 2 (P, P)
- BAI05 Manage Organisational Change Enablement: 1 (S)
- BAI06 Manage Changes: 1 (P)
- BAI07 Manage Change Acceptance and Transitioning: 1 (P)
- BAI08 Manage Knowledge: 1 (P)
- BAI09 Manage Assets: 2 (P, S)
- BAI10 Manage Configuration: 1 (P)
Deliver, Service and Support
- DSS01 Manage Operations: 6 (S, S, S, S, P, S)
- DSS02 Manage Service Requests and Incidents: 2 (P, P)
- DSS03 Manage Problems: 1 (P)
- DSS04 Manage Continuity: 2 (P, S)
- DSS05 Manage Security Services: 2 (P, S)
- DSS06 Manage Business Process Controls: 0
Monitor, Evaluate and Assess
- MEA01 Monitor, Evaluate and Assess Performance and Conformance: 2 (S, S)
- MEA02 Monitor, Evaluate and Assess the System of Internal Control: 1 (P)
- MEA03 Monitor, Evaluate and Assess Compliance with External Requirements: 1 (P)
GIS process: number of matching COBIT 5 processes (column totals of the same matrix; the two sets of totals both sum to 56 matches)
Risk Governance 1; Financial Governance & Optimization 1; Strategic Alignment 3; Service Value & Quality 2; Service Portfolio Management 1; Project Portfolio Management 2; Business Relationship Management 1; Procurement 1; Design Coordination 4; Service Level Management 3; Architecture Management 1; IT Service Continuity Management 2; Innovation Management 1; Incident Management 1; Problem Management 1; Request Fulfilment 1; Change Management 1; Release & Deployment Management 1; Capacity Management 1; Knowledge Management 1; Security Services 3; Service Asset & Configuration Management 2; Event Management 1; Identity & Access Management 2; Availability 2; License Management 1; Project Management 1; Supplier Management 1; Financial Management 1; Charge Back 1; Risk Management 1; Regulatory & Compliance Management 3; Information Security Management 2; HR Management 2; Process Framework Management 3
Mapping with ITIL
Why these governance processes: COBIT 5 makes a distinction between governance and management, in alignment with the guidance of ISO/IEC 38500:2008. Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT;
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives;
c) Monitor conformance to policies and performance against the plans.
IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs, setting direction through prioritization and decision making, and monitoring performance, compliance and progress against plans.
Source: ISO, ISO/IEC 38500:2008 Corporate governance of information technology, Switzerland, 2008, www.iso.org
Based on the governance activities, the business and IT management will plan, build, run and monitor activities to ensure alignment with the direction set by the governance body to achieve the enterprise objectives.
Why these governance processes: stakeholder needs are always about value creation (Benefit Realisation, Risk Optimisation, Resource Optimisation). The corresponding GIS governance processes are Risk Governance, Service Value & Quality, Financial Governance & Optimization and Strategic Alignment.
IT Audit: how we use COBIT in IT Audit activities
The story of COBIT in Internal Audit: the first version of the IT Group Audit Methodology, based on COBIT 4.1 and also on the other most important IT Governance and Management Frameworks (i.e. ITIL and ISO 27002), was presented and adopted by all the countries in 2008. In 2012, after the launch of the new version of COBIT 5 by ISACA, we decided to update the internal IT Audit Methodology by adopting the new COBIT 5 Framework. An international project was launched with the following goals:
- update the current IT Audit Process Tree considering the new process model defined by COBIT 5;
- define a set of control objectives associated with the processes of the IT Audit Matrix;
- review the control activities within the Engagement Matrix for the most important IT processes;
- define a set of testing activities for each control activity;
- define specific IT Risks associated with the control activities and aligned with the Operational Risks defined by the Group Risk Management.
The adoption of COBIT 5 in Internal Audit Project Scope: during the project the three main elements (steps) of our Group IT Audit Methodology (IT Audit Process Tree, Audit Matrix and Engagement Matrix) were revised and updated according to the new COBIT 5 framework:
IT Audit Process Tree: the new IT Audit Process Tree is based on the latest version of COBIT (COBIT 5) and includes 34 IT processes (COBIT 5 includes 37 processes). The three processes shown in grey on the original slide were dismissed according to the assessment procedure developed in the first step of the project.
IT Audit Process Tree, processes excluded: during the first step of the project, a deep analysis of the COBIT 5 processes was performed and, as a result, three processes were excluded.
IT Audit Matrix: the new version of the Audit Matrix includes the 34 IT processes of the process tree. The audit priority is defined in terms of Significance of Controls and Control Risk.
Engagement Matrix
Engagement Matrix: new information has been included in the engagement matrix in order to obtain detailed information about the level of controls within the process.
Conclusions Pros & Cons
Pros & Cons
- Being aware of different process definitions was recognized as a step forward in culture, even if it was time consuming
- Thanks to the corporate license agreement we were able to provide the COBIT 5 documentation at the right moment; it was recognized as an enabler
- Being open-minded and ready to highlight the right benefits of the different good practices let us design the car using the best spare parts available on the market
- Top-down cascading training and awareness sessions were time consuming but really successful
- For sure, top management trust and commitment was really a key to success
Conclusions
- The frameworks, as well as the best practices, are a common language that can cross the boundaries between countries
- The double approach, from the top through the audit function and from the bottom through the process cards and the employee training, was a good choice
- Using different good practices for the process definitions was really a good chance to share experiences and skills between different countries
- Merging different good practices required deep skills in each topic and a lot of effort, but the final result was worth it
Questions? Thank you