Risk
Risk- Risk is a deviation from what we expect (a deviation from the objective); it has either a positive or a negative consequence. (Probability that it gets past our defence mechanisms * probability that the threat occurs * damage.) For risk, what matters is probability and effect (damage)
ISO 31000 (enterprise risk management standard- guidance on how to proceed) treats risk as a deviation from objectives (positive or negative)
(COSO) Types of Risks:
- Strategic- related to the company's high-level objectives
- Tactical- includes programmes and the realisation of projects. Strategies are realised through these
- Operational- day-to-day operations
- Reporting-
- Compliance- whether the company's activities/operations/policies conform to generally accepted requirements. Whether internal and external regulations are complied with
COSO- internal audit standard (defines the principles and fundamentals of how to carry out internal audit)
Risks give a deviation in the negative direction; opportunities give a deviation in the positive direction. Risk = Probability * Damage Potential (probability * size of damage), the unit is money.
It is important to look at the impact to business and at how large the probability is that, if the threat materialises, our asset is damaged (probability of exploit).
Threats- exploit our weaknesses and affect our assets in a negative direction. Threats are bad because they exploit our weaknesses.
Threat vectors (types) (no need to memorise):
- Natural- fires, floods, power outages
- Human-caused:
- Unintentional- accidents, unfortunate coincidences
- Intentional- attacks:
- Internal- e.g. a dismissed employee
- External- e.g. a criminal, a terrorist, DoS attacks
ISO 27005 risk management standard- a threat has a probability of damaging our assets
The Elements of Risk
A threat source causes, with some probability, a threat that exploits our vulnerability, which leads us to a risk. The risk can cause damage to our assets, which manifests in various forms. Countermeasures/controls must be used to prevent/reduce these
Risk Management- identifies the risks, looks at preventive activities (systems) for averting risks and sets out plans for when some risk materialises. BEFORE THE BAD SITUATION (pre-event). Carries out preventive activities (defence mechanisms). Focuses on controlling the unknown, refers to the architecture (principles, framework and process). Activities, in all of which communicate and consult and monitor and review are essential:
- Establish context- objectives, criteria, stakeholders. Creating the basis for the substantive activities that follow. Precedes almost all of the following steps.
- Identify risks- what and how can happen?
- Analyse risks- likelihood and impact, consequence, level of risk
- Evaluate risks- evaluate and rank. Multiply likelihood and impact and decide whether they are tolerable for us; if not, something must be done
- Treat risks- identify options, select the best responses, develop the risk treatment plan, implement
Risk Management Process- systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context.
Risk Chain- what happens / what to do before the bad event occurs (wear a helmet) and what after (rehabilitation). Hazard- you ride down the hill from the right place (you reduce the probability), Exposure- you use defence mechanisms, e.g. a helmet, resiliency- to what degree the object is recoverable, contingency- how quickly the person recovers
Residual risk- once we have applied all defence mechanisms, the risk becomes smaller. Thanks to the applied measures the risk is acceptable (in one diagram it sits in the green, not the red, area). The risk becomes residual risk once we have applied all defence mechanisms. Risk that the company should be able to tolerate
Risk management options:
- Risk acceptance (risk retention)- do nothing
- Risk reduction (we add countermeasures)- we want to move from the red into the green area, we implement some controls and countermeasures
- Passing the risk on to someone else (risk transfer)- outsourcing, insurance
- Risk avoidance- we remove the risk source
Risk matrix (determine resultant risk)
- People love to draw a heat map
- Consequences on one axis, probability on the other
- The cells contain the ratings, the class of measures
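A worked risk matrix, added here as an illustration rather than taken from the notes: it scores likelihood times impact on ordinal scales, maps the product to a heat-map zone, compares the residual score after controls with a tolerance, and picks the treatment class. The 1..5 scales, the zone thresholds, the tolerance value and the sample register are constructed assumptions.

```python
"""Risk matrix worked example: inherent vs residual risk, heat-map zone and treatment option.

Added illustration, not part of the lecture notes. The 1..5 ordinal scales, the zone
thresholds, the tolerance value and the sample risk register are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scales for the two axes of the matrix (assumed; the notes only say that one
# axis carries consequences and the other probability).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def zone(score: int) -> str:
    """Heat-map zone for a 1..25 product (assumed thresholds)."""
    if score <= 4:
        return "green"
    if score <= 12:
        return "amber"
    return "red"


# Class of treatment each zone maps to, following the four options in the notes.
TREATMENT = {
    "green": "retention (accept, monitor)",
    "amber": "reduction (add controls)",
    "red": "reduction, transfer or avoidance",
}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    # Ratings expected after planned controls; None means no change is planned.
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Risk = likelihood * impact on the ordinal scales (the notes' probability * damage)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def assess(risk: Risk, tolerance: int) -> Dict[str, object]:
    """Score a risk before and after controls and compare the residual risk to the tolerance."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(risk.residual_likelihood or risk.likelihood,
                     risk.residual_impact or risk.impact)
    return {
        "name": risk.name,
        "inherent": inherent,
        "inherent_zone": zone(inherent),
        "residual": residual,
        "residual_zone": zone(residual),
        "treatment": TREATMENT[zone(inherent)],
        # Residual risk is what the organisation must be able to live with.
        "within_tolerance": residual <= tolerance,
    }


def rank(risks: List[Risk], tolerance: int) -> List[Dict[str, object]]:
    """Evaluate-and-rank step: highest inherent risk first."""
    return sorted((assess(r, tolerance) for r in risks), key=lambda a: -int(a["inherent"]))


def heat_map(risks: List[Risk]) -> str:
    """Text rendering of the matrix: rows = likelihood (high to low), columns = impact.
    Each cell shows the zone letter (G/A/R) and '*' when a register entry sits there."""
    occupied = {(LIKELIHOOD[r.likelihood], IMPACT[r.impact]) for r in risks}
    lines = ["likelihood \\ impact | " + " | ".join(f"{name:^10}" for name in IMPACT)]
    for l_name, l in sorted(LIKELIHOOD.items(), key=lambda kv: -kv[1]):
        row = []
        for i in IMPACT.values():
            mark = zone(l * i)[0].upper() + ("*" if (l, i) in occupied else " ")
            row.append(f"{mark:^10}")
        lines.append(f"{l_name:>19} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed sample register (not from the notes).
SAMPLE_REGISTER = [
    Risk("ransomware on file server", "possible", "severe", "unlikely", "moderate"),
    Risk("office power outage", "likely", "minor", "likely", "negligible"),
    Risk("lost laptop with encrypted disk", "likely", "negligible"),
]
RISK_TOLERANCE = 6  # assumed: the highest residual score the organisation accepts

if __name__ == "__main__":
    print(heat_map(SAMPLE_REGISTER))
    for entry in rank(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(entry)
```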
Enterprise risk management (ERM)- managing risks in the enterprise. Originated from COSO. The board draws it up (board of directors, management). The risk appetite is set first.
Types of (enterprise) risks:
- Operational Risk- personnel, physical assets, technology (IT risk is a sub-risk of this), relationships, regulatory
- Liquidity- liquidity risk
- Market- equity, currency, commodities, interest rate. The market
- Credit- credit risk
Enterprise Risk Framework
- Strategic risk- arises from the inability to implement appropriate business plans, strategies.
- Credit risk- arises from a counterparty's (the other party's) inability or unwillingness to fully meet its on and/or off-balance sheet contractual obligations. E.g. debtors, borrowers. E.G. THE DEBTOR DOES NOT PAY. The largest piece
- Market risk- arises from changes in the market rates or prices. 2nd or 3rd place
- Liquidity risk- arises from the inability to purchase or obtain necessary funds.
- Operational risk- risk of loss resulting from inadequate or failed internal processes, people or systems or from external events. Includes legal and regulatory risks. 2nd or 3rd place
- Legal and regulatory risks- arise from non-conformance with laws, rules, regulations, ethical standards.
- Reputational risk- arises from negative public opinion that will result in financial and non-financial losses.
Traditional (RM) versus enterprise (ERM) risk management- risks caused by random events, and in ERM business risks are added. In traditional RM the goal is restoring the original state; in ERM the original state need not be restored, but the objectives must be achieved (slide 48):
- Caused by random events VS enterprise risks are added as well
- The original situation is the goal VS restoring the original state of the objective is not important
- Looks at the value that has been damaged VS looks at the whole organisation, at how much the risks affect achieving the objective
- traditional RM falls under enterprise risk management
Risk capacity- the amount and type of risk an organization is able to support in pursuit of its business objectives
Risk Appetite- how much the company is willing to risk in order to achieve the set strategic objectives. Larger for startups
Risk tolerance- time and size of risk on the axes. The size of risk the company agrees to (not all risks are mitigated 100%). After mitigation (treatment, i.e. the use of various measures) a residual risk remains that the company is prepared to tolerate
Risk target- the optimal level of risk that an organization wants to take
Risk limit- threshold to monitor that actual risk exposure does not deviate too much from the risk target and stays within the organization's risk tolerance and appetite. (slide 59)
Operational risk- form of hazard risk that affects day-to-day business operations. It's the potential failure to achieve mission objectives (also written above under the enterprise risk framework).
Business Continuity Planning (BCP), i.e. continuity of operations, and Disaster Recovery Planning
We concentrate on what we do when the bad event takes place. So that we withstand these blows as well as possible, and on how to restore our operation (even partially, the core functionality)
We focus on business impact analysis, i.e. the analysis of business losses (the counterpart of risk assessment). It has two outputs: either strengthen the controls, i.e. try not to get hit (risk management), or think of solutions for when the bad situation has happened (BCP), i.e. how to get over the bad.
Key functional elements of business continuity management (BCM)- risk assessment, business impact analysis, risk treatment, BCP.
- Emergency response (ERP)- prevent loss of life, minimize injury, protect property. Responding to the emergency → what to do. The business side's responsibility. Further escalation must be avoided and a workaround, i.e. an alternative solution, found
- Business resumption (BRP)- ensure resumption of operations. The final phase, where we try to restore the original situation. The business side's responsibility
- Disaster recovery (DRP)- ensure recovery of IT infrastructure, applications and data. Aimed mainly at IT.
- Emergency communication- good communication with employees, stakeholders, suppliers etc
- Incident management- we must respond to the incident; for that we have emergency response
- RTO recovery time objective- within what time we are able to start something alternative; it must be determined within what time we must be able to start (the process must not be down longer than that; what happens if it is?). It may also be started partially. The period of time within which the systems must be recovered after an outage
- We start the alternative process
- Resources are freed up and we start restoring the original process (resumption)
- We have business as usual
- RPO recovery point objective- when the last backup was made (how long ago), i.e. how much data may be lost since the last transaction. The point in time to which systems and data must be recovered after an outage
- Contingency- an unforeseen circumstance
- Contingency planning- situation planning
Parts of BCP:
- Disaster recovery- incidents
- Business recovery-
- Business resumption- restoration, back to normality
- Contingency planning- situation planning
NB! IT does not have a Business Continuity Plan or a Continuity of Operations Plan
But it does have:
Disaster recovery plan- procedures to recover at alternate state
IT contingency plan- recovers major application or system
Cyber incident response plan
ERM (enterprise risk management) vs BCM (business continuity management)
- Both deal with bad things happening
- BCM does not look at IT, efficiency is secondary (the most important thing is restoring functionality), it does not look at how to use resources efficiently, it does not multiply by probability (we must have a business continuity plan in any case); manage risk likelihood: NO
Plan-do-check-act
General scheme for improving processes
Make a plan, carry the plan out, check, correct if necessary and make it better
Also used for business continuity
BCP Phases:
- Project management and initiation (management initiates)-
- Business impact analysis (BIA). The most important step. Assessing the impact on the business- something bad happens, what does that mean for our business. Analyzes the consequences of a disruptive incident on the organization. The outcome is business continuity requirements (means the same as continuity and recovery priorities, objectives and targets). After the BIA the organization can select appropriate business continuity strategies to enable an effective response and recovery from a disruptive incident. Steps:
- Who needs to be talked to
- Think about what to ask them
- Think about the time-critical processes
- MTD- maximum tolerable downtime. The maximum potential time during which business activity is not harmed.
- Based on these we prioritise and determine strategies for how to act
- prioritize critical functions
- determine requirements for critical functions
- estimate maximum tolerable downtime (mtd)- how long e.g. an application may be down (e.g. 30 days, 1 day, 1 hour etc.)
- disruption in service (non disaster)
- disaster
- catastrophe
- Mean time to repair (mttr)- in what time we are able to repair
- Mean time between failures (mtbf)- the expected time between two failures
Goals:
Categorize events:
Measured by:
- Recovery strategies- how we carry on, what our strategies for restoring the business processes are. business recovery (mtd), facility and supply recovery (required space and equipment), user recovery (HR), technical recovery (hot, warm, cold site), data recovery (backups)
- Plan design and development (design and develop plan)- plan these processes
- testing, maintenance, awareness and training (test, train and maintain)- testing, maintenance, awareness and training
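The BIA metrics above (MTD, RTO, RPO, MTTR, MTBF) in working form, added as an illustration that is not from the notes: it prioritises processes by MTD, checks that each RTO fits within its MTD, that the backup interval honours the RPO and that the observed MTTR can actually meet the RTO, and computes availability from MTBF and MTTR. The process names and figures are constructed, and the mapping of the three event categories (disruption, disaster, catastrophe) onto RTO and MTD is an assumption.

```python
"""BIA recovery-metric checks: MTD, RTO, RPO, MTTR and MTBF for a set of processes.

Added illustration, not part of the lecture notes. The process names, the figures and the
way the three event categories are tied to RTO/MTD are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List


@dataclass
class Process:
    name: str
    mtd: timedelta              # maximum tolerable downtime found in the BIA
    rto: timedelta              # recovery time objective set for the process
    rpo: timedelta              # recovery point objective (acceptable data-loss window)
    backup_interval: timedelta  # how often backups are actually taken
    mttr: timedelta             # observed mean time to repair
    mtbf: timedelta             # observed mean time between failures


def availability(p: Process) -> float:
    """Steady-state availability from the two observed means: MTBF / (MTBF + MTTR)."""
    return p.mtbf / (p.mtbf + p.mttr)


def classify_outage(p: Process, outage: timedelta) -> str:
    """Assumed mapping of the notes' three categories: within the RTO it is a disruption
    in service (non-disaster), beyond the RTO but within the MTD a disaster, beyond the
    MTD a catastrophe."""
    if outage <= p.rto:
        return "disruption in service (non-disaster)"
    if outage <= p.mtd:
        return "disaster"
    return "catastrophe"


def check(p: Process) -> List[str]:
    """Consistency checks between the objectives (RTO, RPO, MTD) and what is in place."""
    findings = []
    if p.rto > p.mtd:
        findings.append(f"RTO {p.rto} exceeds MTD {p.mtd}: the objective is too slow for the business")
    if p.backup_interval > p.rpo:
        findings.append(f"backup interval {p.backup_interval} exceeds RPO {p.rpo}: "
                        f"worst-case data loss is {p.backup_interval}, not {p.rpo}")
    if p.mttr > p.rto:
        findings.append(f"observed MTTR {p.mttr} exceeds RTO {p.rto}: "
                        "recovery capability does not meet the objective")
    return findings


def prioritize(processes: List[Process]) -> List[str]:
    """Critical-function priority: the shortest MTD is the most time-critical process."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]


# Constructed sample BIA output (not from the notes).
SAMPLE = [
    Process("online payments", mtd=timedelta(hours=4), rto=timedelta(hours=2),
            rpo=timedelta(minutes=15), backup_interval=timedelta(hours=1),
            mttr=timedelta(hours=1), mtbf=timedelta(days=30)),
    Process("payroll", mtd=timedelta(days=5), rto=timedelta(days=1),
            rpo=timedelta(days=1), backup_interval=timedelta(days=1),
            mttr=timedelta(days=3), mtbf=timedelta(days=90)),
    Process("internal wiki", mtd=timedelta(days=30), rto=timedelta(days=7),
            rpo=timedelta(days=7), backup_interval=timedelta(days=1),
            mttr=timedelta(days=1), mtbf=timedelta(days=60)),
]

if __name__ == "__main__":
    print("priority:", prioritize(SAMPLE))
    for p in SAMPLE:
        print(p.name, f"availability={availability(p):.4%}", check(p) or "OK")
```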
Product and Service Prioritization
First the services or products should be prioritised (which ones are the most important).
Management should agree on the priority of products and services following a disruptive incident which may threaten the achievement of their objectives
Process prioritization
We examine the services more closely- which business processes they affect and how much.
A process is a set of interrelated or interacting activities which transform inputs into outputs (ISO 22300); the priority is determined by the priority of the products and services which are its output
Activity prioritization
Processes take place through some set of activities- which steps have the highest priority.
Organizations should perform activity level prioritization to obtain a detailed understanding of day-to-day resource requirements, enabling the organization to identify the quantity and timing of resources necessary for recovery and to help confirm impact-related conclusions developed at the process level
Business continuity management life cycle:
- Reduce- we would try to avoid the bad event occurring
- Response- the first response
- Recover & Resume- the alternative process
- Restore & Return- business as usual, restoring the original processes
Longer description of the BCP Process:
- What resources we have available
- Determine what is within the project scope, what we cover
- Try to understand our defensive capabilities, the results of risk identification
- Presenting and carrying out the business continuity plans, the core
- Developing the strategies
- We test the strategies
Incidents
Incident- event that threatens security in computing systems and networks. MORE SERIOUS than an event. We are dealing with an emergency situation
- Many incidents fit in the CIA model (confidentiality, integrity, availability)- one of these, or a combination of them, is damaged
- Very closely tied to BCM, because the strategies developed there (preparatory work) are used in incident management
Activities:
Events- include any observable thing that happens in a computer or network (examples on slide 55)
There are 2 timeline diagrams (the more thorough one is on slide 64)
The priority classification diagram and explanations begin
- Whether it affects many or few systems
- Whether it affects many or few users
Disaster- low probability of occurrence, devastating consequences, uncertainty
BCP vs DRP (business continuity planning vs disaster recovery planning)
- BCP- ensuring that business operations continue; we start from the critical business processes, IT may not even be included
- DRP- concerns IT people- how to restore the IT systems
- The business is the most important, at the very top
- BCP is superior to DRP
IT strategic planning
Strategic planning- process of deciding on the projects/programs that the organization will undertake and the appropriate amount of resources that will be allocated to each program over the next several years.
- One Goal may have several Objectives, i.e. ways of achieving that goal. One Objective may have several Key Results (OKR), i.e. to-dos
- Goal- the result objective (end goal). It has no metrics attached. Not so clearly formulated and rather long-term. Achievable
- Objective- an objective, e.g. profitable growth. An activity objective, a target objective. Through these we reach the goals. What the intermediate results are so that the end result is achievable. Concrete, usually short-term. Could partly be KPIs (key performance indicators). Qualitative
- Strategies- general action plans by which we achieve the goals. Consist of tactics
- Tactics- by these we achieve the objectives. A very concrete thing
- Measure- the ways of measuring how you reach the objective, e.g. growth in net margin
- Target- concrete target values (what you want to achieve), e.g. +2% growth in net margin. Always a number
- Initiatives- action programs, different programmes for achieving the objectives (e.g. an employee training programme, a programme for opening a foreign branch, etc.). Activities for achieving the objectives.
- Vision- a very distant goal. Consists of goals, which in turn consist of objectives. Unattainable. What we want to be.
- Mission- why we exist
- Values- what is important to us
GOALS VS OBJECTIVES:
SMART objectives- specific, measurable, appropriate, realistic, time limited
SWOT- strengths (internal), weaknesses (internal), opportunities (external), threats (external)
IT strategic planning process
- This includes SWOT (gives us the goals) and the balanced scorecard (gives us the objectives)
- SWOT- Strengths, weaknesses (internal), opportunities, threats (external)
- Balanced scorecard- financial, internal business process, learning and growth, customer. Cause-and-effect relationship (internal processes improve → customer experience improves → business results improve)
Strategy- going from point A to point B. Mission, Vision, SWOT and balanced scorecard
Plan stage of PDSA(plan-do-study-act) is the most important.
RTO and RPO are related to business continuity (BCP)
Risk appetite and risk tolerance are related to risk management
Strategic theme- the areas in which your company must excel; it includes all four areas (all four balanced scorecard perspectives): financial, customer, internal process, organizational capacity. E.g. business growth, customer service excellence, sustainability, innovation etc.
PPM- portfolio program management
BPM- business process management
Hypothesis:
Model- plan-do-study-adjust:
- Takes place at multiple levels.
- Create a hypothesis, run an experiment, see how it went, either discard it or standardise it
Explanation:
Strategic themes- show the direction in which the company wants to move (vision). They influence the balanced scorecard.
Management by objectives (MBO)
Management by objectives (MBO)- process where:
- as at Telia, for example, where I set myself an annual objective tied to the company
- management and employees agree
- This is needed so that we are aware that we work together with management on the one hand and with others on the other. The attitude towards IT people must be respectful.
- Used above all in knowledge-based enterprises
- self-leadership skills- we want to see a lot of initiative from employees
MBO three parts:
- everyone has a part that they must achieve. It must be done in cooperation with management. All workers are assigned a special set of objectives to reach during a normal operating period.
- Performance reviews- we look at how things have gone and make corrections if necessary. Performance reviews to see how well people are doing in attaining their objectives
- Rewards- bonuses, recognition. Rewards are given on the basis of how close they come to reaching their objectives
MBO Process (external):
- Both managers and employees take part in setting the performance objectives and drawing up the action plans
- Evaluation of the results
- Correct if necessary
SMART Method- Focus is on the future when setting objectives. specific, measurable, achievable, realistic, timely
MBO managers focus on the result, not the activity. Creates a link between top managers' strategic thinking and the strategy's implementation lower down. Achieved by self-control. Objectives are broken down into specific key results
Individual responsibility- responsibility of objectives is passed to individuals. Worker is self-manager. Self-control.
MBO key advantages and disadvantages
- It is always known what the company wants to achieve
- Employees understand their responsibilities
- Reduces the chance that several people do the same thing
- Every employee feels that the work they do is important
- Open environment
- Disadvantage- doing it together can take time (you have to do it together with your superior)
- Dis- Management no longer pays attention to other things
- Dis- Big goals may be sidelined, because we focus only on the 3-, 6- or 12-month objectives
OKR
Objectives and key results- goal management framework. The strategy is tied to the annual OKR. Ambitious, aggressive, measurable, shared (everyone must know), graded (scale 0-1). Promote discipline and focus. Everyone knows their own priorities. Bi-directional goal-setting (both bottom-up and top-down)
Objective- where do you need to go, it should set a clear direction (eg conquer the US market). WHAT is to be achieved. Significant, concrete, action oriented, inspirational
Key results- will tell you if you are getting closer to the objective (eg customer satisfaction score of 97%). HOW we get to the objective. Specific, time-bound, aggressive, realistic
Initiative- action program aka the steps you need to take to reach the objective (eg interview 10 support rep candidates, create a customer loyalty programme). The way we accomplish the objective (e.g. we roll out a customer loyalty programme). Action plan.
4 OKR rules:
- set them annually and quarterly
- don't have too many. 5 objectives with 4 key results is maximum per quarter.
- make them challenging
- it must have a number
Vision- long term view (ultimate goal)
Cascading OKRS:
OKR vs MBO
- MBO- also gets a bonus
OKR vs BSC (balanced scorecard)
- BSC is a hierarchical tool, no need to cooperate with others. Annual cycle (similar to MBO)
- OKR- everyone knows all the OKRs, it is a communication tool, a more frequent cycle (quarter, month)
OKR vs KPI
- KPIs show how well or badly we have achieved the results and objectives. Closely tied to the BSC. Very obtainable
Hoshin planning
- Logical direction-setting, a strategic process
- Planning process which is based on the US techniques of Management by Objectives (MBO) and the classical Plan-Do-Check-Act (PDCA) aka Deming wheel improvement cycle.
- It is a planning and implementation process which gives "direction" to an organization when looking at future strategy.
- Hoshin Kanri is a step-by-step planning, implementation and review process for managed change. It is a systems approach to the management of change in critical business processes.
- Quality, Delivery, Cost and Innovation
- Strategy and Execution. Systematically develops and links plans from organizational vision to operational tactics
- All employees are engaged
- Aligns the major strategy objectives with specific resources and action plans
- 2 parts:
- hoshin management- strategies and objectives (operational objectives and plans). Special actions and plans are required to achieve a desired result
- daily management- routine KPI management. can achieve targets with usual improvement activity and resources
Ho- direction. Shin- needle. HoShin- compass. Kan- control or channeling. Ri- reason or logic
Hoshin kanri management levels:
7 phase process
- We start from the vision
- Strategic planning for 3-5 years
- Annual cycle → annual breakthrough
- Catchball process- the company vision is broken into individual goals. Links the vision, the long-term goals and the annual goal. Something goes top-down and something bottom-up (similar to OKR)
- Critical step- monthly review. Very important
- Root cause, countermeasures- what has gone badly and what should be done to make it better
- Self-diagnosis- introduce changes into the annual plan
Hoshin kanri vs OKR
- Hoshin Kanri has no clear shorter-term objectives (quarterly, monthly)
Hoshin kanri VS Balanced scorecard (BSC)
- Both are related to strategy execution
Hoshin X-Matrix
- The strategic objectives, strategic initiatives, KPIs, key projects & action items and human resources requirements must be presented in one matrix
Capability based planning
Elements of Business Architecture
- Capabilities, information, value streams, organisation
- Capability- the ability to do something, CAPABILITY. Processes. Describes WHAT the business is able to do and NOT HOW it is performed
- Vision → goal → capability. Capabilities are needed to achieve the goals
Portfolio, program, project management
Project- has start and end date, schedule, cost and quality constraints, contains risk. To achieve objective
Project feasibility- whether the project is feasible, whether we have the resources to do the project.
Project implementation- carrying out the project
Project management- about doing projects right after they are accepted in the project portfolio
Death march- when some norm of a project is exceeded by at least 50%. The probability that such projects fail is 50%. high risk, high reward (startup).
From Vision to Project Management:
- Projects and portfolios as instruments for achieving the strategic objectives
Portfolio management- about doing the right projects → only those projects are selected which will add value. Corresponds to the strategy; there are programmes and initiatives (resources) and projects. Prioritisation is an important part here
Project vs portfolio management (PPM → project portfolio management):
- Doing projects right (Project Management) and doing the right projects (Project Portfolio Management)
- A portfolio consists of individual projects and programmes. Programmes in turn also consist of projects. Programme+project is a tactical objective. The portfolio is a strategic objective
- Project- defined objective, i.e. a very concrete thing; the objectives are precisely set and it is shown how we could achieve them. Smaller changes may be made. The plans are less detailed at the start. We monitor and see how we are doing. Success is determined by quality, schedule, budget and customer satisfaction
- Portfolio- we look at changes caused by the environment. More general indicators are looked at. Measured against the strategic objectives. Consists of projects and programmes. For example, what a product owner does with user stories- analyses, prioritises, selects
- Program- we have launched projects, but many of them need to be managed over time.
Organizational Project Management Maturity Model (OPM3)
- Management of portfolios at the organisational level. The goal is successful projects; for that one needs to be good at portfolios, projects and programmes alike.
- The bridge between strategy and successful projects. Bridge from vision, strategy and objectives to achievement of those objectives
- OPM3 will enable organizations to align their projects to business strategy
Maturity Continuum
- Comes from CMMI (capability maturity model integration, which has 5 maturity levels)
- We look at the maturity of projects, programmes and the portfolio separately.
- An organisation may have different maturity levels (e.g. it is better with projects than with programmes)
Maturity- a measure of the organisation's capability/maturity. We look at portfolios, programmes and projects each separately. Four maturity levels here (standardize, measure, control, improve):
- Standardize- the organisation has agreed on the way projects are managed (everyone knows what the key documents are, who the project sponsor is, etc.), how programmes are managed (e.g. how to take an inventory), how portfolios are managed
- Measure- we would like to understand what the phrase "we are doing better this year than last" means; rather → we want 3% fewer failed projects. We want to measure project execution
- Control- the process is monitored, its execution is ensured, we are able to analyse it
- Improve- continuous improvement
IT4IT Introduction
- It is an information model (NOT a process model like COBIT; it is COMPLEMENTARY to process models). It is intended to support Agile as well as waterfall approaches and Lean Kanban as well as fully elaborated IT service management process models.
- Neutral to development and delivery methods.
- Delivers Value Through a Series of Activities, Which Means there are IT Value Chains (from why to what; the reference architecture is built around it). The IT value chain is a series of activities that IT performs to add value to a business service. A value chain is a sequence of activities required to design, produce and provide a specific good or service and along which information, materials and worth flow. A value chain is a series of activities that an organization performs in order to deliver something valuable, such as a product or service. A value chain framework helps organizations to identify the activities that are especially important for competitiveness – for the advancement of strategy and attainment of goals.
- The IT value chain is grouped into TWO main categories of events:
- Primary activities- are concerned with the production or delivery of goods or services for which a business function like IT is directly accountable
- Supporting activities- facilitate the efficiency and effectiveness of the primary activities
IT value chain:
- Why it needs to be done: WHY, and what would need to be done: WHAT
The upper 4 are Value Streams (primary activities):
- Strategy to Portfolio- drive IT portfolio to business innovation. Plan, demand, policy, selection. Whether we do the existing business processes better or something new.
- Requirement to Deploy- build what the business wants, when it wants. build, develop, test, release.
- Request to Fulfill- catalog, fulfill and manage service usage. deliver, publish, subscribe, fulfill.
- Detect to Correct- anticipate and resolve production issues. run, monitor, diagnose, change.
Approach to this model:
Service lifecycle- on a repeatable, predictable, coherent and future-safe reference architecture.
Strategy to Portfolio (S2P):
- IT service gap- which services exist at the moment and which are needed. How to assess the work we already have and what is needed
Requirement to Deploy (R2D):
- Cycle time- what to keep in the backlog and what to deploy
- Production defects- how much has to be rolled back after going live, which defects appeared in the first week
Request to Fulfill (R2F):
Detect to Correct (D2C):
- MTTR- mean time to repair
- MTBF- mean time between failures
Reference Architecture
Reference architecture- from what to HOW. Encompasses the four major IT value streams from the IT value chain
Reference architecture levels:
Governance (board level), Risk management and compliance (GRC)
- Ensure the sustainability of the enterprise
- GRC- integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. They are put together to reach the organization's strategic goals. Ensured risk optimization. Evaluate risk management, direct risk management, monitor risk management. Protect, correct, detect
- GRC Framework- extensive method to implement a governance structure, assure company existence, and permit regulatory consent.
- Governance- policy is set and decision making executed. It's the set of laws, policies, culture and institutions that define how an organization should be managed. Execution of a strategy. Framework for risk and compliance. Drivers: financial reporting, audit and reducing costs. Reliably achieve objectives
- Compliance- act of adhering to regulations and corporate policies and procedures. Satisfying the external and internal standards that have been set for your business. Act with integrity
- In one diagram A-accountable, R-responsible
- Technology, people and processes affect all of them: governance, compliance and risk management. For all of them we start from the strategy. A maturity model also goes with them
- People: three lines of defence, cultural drivers, organisation structure and engagement
- Technology: repository (single source of truth), workflows and automation, analytics and reporting
- Process: defined GRC process, industry standards, common risk language
WHO:
- Board level- ensure performance and compliance are monitored against objectives
- Management- plans, builds, runs and monitors activities
WHY:
HOW (EDM):
WHAT:
COBIT- enterprise governance of IT (EGIT), aimed at the whole organization. EDM (evaluate, direct and monitor). EDM:
- Ensured governance framework setting and maintenance
- ensured benefits delivery
- ensured risk optimization
- ensured resource optimization
- ensured stakeholder engagement
Shared view of risk
Strategies of sharing risk- diversify and outsourcing (move it outside the company, the risk is borne by someone else)
SOX
Sarbanes-Oxley act (SOX)- it was created due to notable corporate accounting scandals. It is about mitigating the risk of fraud, financial transparency and process control. Here there are COSO, COBIT, ITIL and something else
SOX 302- I must hire for my company accountants whose reports are trustworthy
SOX 404- hire internal controls who check the accountants
SOX Act of 2002- also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act'. It set new or enhanced standards for all U.S. public company boards, management and public accounting firms
SOX section 302 and 404:
SOX, COSO and COBIT:
- First SOX
- Then COSO, which looks at risk management and internal control (internal audit)
- COBIT
Monitor, evaluate and assess (MEA):
- managed performance and conformance monitoring
- managed system of internal control
- managed compliance with external requirements
- managed assurance
3 Lines of Defence (LoD) for Good Risk Management:
- business unit managers, who define and manage processes, people and technology, and take ownership of the risks the units take, including identifying and assessing risk. MANAGEMENT
- risk and control specialist groups, which support first LoD managers in their ownership of risk and controls by establishing and communicating common risk management taxonomies, assessment methodologies, and standards and practices. INTERNAL CONTROL
- internal and external auditors, who validate managers’ risk and control assessments, including testing them where appropriate. They also provide senior management and the board with independent assurance of the design and operating effectiveness of the organization’s risk management activities. AUDIT
3 Lines of Defence as Basis for GRC:
- Can also be taken as internal control
GRC 1.0- SOX captivity
- the focus for the first several years of GRC was on SOX compliance and internal controls over financial reporting.
GRC 2.0- enterprise/integrated GRC
- it was time for technology for GRC to get back to an enterprise view of business objectives and the risks, controls, policies, and issues related to those objectives.
- The concept of the Enterprise Integrated GRC platform gained hold that multiple departments can work off a common information and technology architecture to manage risks, control, policies, compliance, audits, assessments, and incidents.
GRC 3.0- GRC Architecture
- There was often still a central hub for GRC management, but it no longer pretended to do everything and integration with other business systems as well as deeply focused GRC solutions was necessary.
- GRC also started to evolve where it was no longer just about the back office of GRC processes (what some would refer to as the second and third lines of defense), but it was also about the front lines of the organization (first line) that are making risk and compliance decisions that impact objectives every day.
GRC 4.0- Agile GRC
- We react to what is happening
- Our current stage
- The need for highly configurable technology that engages the entire organization on GRC from the front office to the back office.
- Agile technology that is highly configurable
- Interfaces that are highly visual and interactive
GRC 5.0- Cognitive (artificial intelligence) GRC
- We would like to foresee and prevent things
- Things such as machine learning, natural language processing, and predictive analytics are starting to take hold and take Agile GRC technologies to the next level.
Principled performance- addressing uncertainty, consistently evaluating unknowns; unknowns are appropriately considered. How to act when we are surrounded by things we do not know and do not understand
GRC Capability (maturity) model
- Learn-align-perform-review
Agile GRC
- Purpose-led risk- The objective is to align risk and compliance management initiatives with the organization’s purpose to cover all aspects of its strategy. This includes everything from mission, vision, brand and legacy, to culture, values and people.
- Adaptive Governance- The objective is to guide all aspects of corporate governance, risk and performance management, as well as compliance and regulatory aspects. Enables agile collaboration and strong support for corporate performance. Align strategy and risk.
- Dynamic Risk Assessment- likelihood, impact, velocity, connectivity. The last two are added in dynamic assessment compared with ordinary risk assessment
- Hybrid GRC Function
Align Strategy and risk
- Risk ID process
- business strategy
- policy limits
- risk measurement
- risk management
COBIT
- enterprise governance of IT (EGIT), aimed at the whole organization. Stakeholder value creation
- COBIT covers most of the activities of TOGAF (also includes business) but only from the IT-perspective;
- Framework- assists enterprises in creating repeatable processes that can help in value creation. COBIT is also a framework
ISO/IEC 38500- IT governance standard
ISO/IEC 38500- Evaluate, direct and monitor. Covers 6 principles for IT governance:
- Acquisition
- Conformance
Governance activities:
COBIT key concepts:
- Principles
- Governance and management objectives
- Goals cascade
- Components of a governance system
- Focus areas
- Design factors- factors that influence the design
Governance system principles, the six principles:
- Holistic approach- all processes are examined with exhaustive thoroughness
- Dynamic governance system- the system can change according to the situation
- Governance distinct from management- separating governance from management
- Tailored to enterprise needs- custom-made
- End-to-end governance system- covers all areas
Governance framework principles, the three principles:
Goals cascade:
COBIT Objectives
- A governance or management objective always relates to one process and a series of related components of other types to help achieve the objective
- COBIT 2019 includes 5 governance and 35 management objectives, covering 231 governance and management practices in five domains:
COBIT Components (in more detail from slide 710)
- Components can be generic components or variant components
Focus area- a specific governance area that makes sense to treat separately, e.g. DevOps, Information Security
COBIT Design Factors (in more detail from slide 731):
- They influence the design of an enterprise’s governance system
- Enterprise strategy (slide 731)
  - growth/acquisition
  - innovation/differentiation
  - cost leadership
  - client service/stability
- Enterprise goals (slide 732)
  - financial
  - customer
  - internal
  - growth
- Risk profile (from slide 734)
  - IT investment decision making, portfolio definition and maintenance
  - program and projects lifecycle management
  - IT cost and oversight
  - IT expertise, skills and behaviour
  - enterprise IT architecture
  - IT operational infrastructure incidents
  - unauthorized actions
  - software adoption/usage problems
  - hardware incidents
  - software failures
  - logical attacks
  - third party/supplier incidents
  - noncompliance
  - geopolitical issues
  - industrial action
  - acts of nature
  - technology based innovation
  - environmental
  - data and information management
- Role of IT for the enterprise (slide 743)
  - support
  - factory
  - turnaround
  - strategic
- Sourcing model for IT (slide 744)
  - outsourcing
  - cloud
  - insourced
  - hybrid
- IT implementation methods (slide 745)
  - agile
  - devops
  - traditional
  - hybrid
- Technology adoption strategy (slide 746)
  - first mover
  - follower
  - slow adopter
Impact of design factors:
COBIT Performance Management
- Process activities are associated to capability levels included in the Governance and Management Objectives guide
- Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.
Capability and maturity levels:
Capability levels for processes:
Maturity levels for focus areas:
The role of enterprise architecture
Business and technology focus
Achieving business objectives is very important
The role of enterprise architecture is to create a picture of how
Enterprise architecture management practices
- Develop the enterprise architecture vision
  - The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains.
  - The architecture vision describes how the new capabilities (in line with I&T strategy and objectives) will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
- Define reference architecture
  - Describes the current and target architectures for the business, information, data, application and technology domains
- Select opportunities and solutions
  - Rationalize the gaps between baseline and target architectures, accounting for both business and technical perspectives, and logically group them into project work packages.
  - Integrate the project with any related I&T-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change.
- Define architecture implementation
  - Create a viable implementation plan in alignment with the program and project portfolios.
  - Ensure the plan is closely coordinated to deliver value and that the required resources are available to complete the necessary work.
- Provide enterprise architecture services
  - Services must include:
    - guidance to and monitoring of implementation projects
    - measuring and communicating architecture’s value and compliance monitoring.
COBIT vs TOGAF
- COBIT covers most of the activities of TOGAF, but only from IT perspective. TOGAF also includes business
Technology roadmap
- Perfect trio- people, process, technology
- TRIZ- theory of problem solving. Solutions could be divided into 5 categories:
  - first there should be a problem you want to solve
  - the problem must be generalized
  - solve this general problem (the solution to my problem should follow from there as a special case)
  - solve my specific problem
The top ones are the most important
Most inventions fall under the quantitative ones:
Ideology of how to make inventions:
- Hype Curve- what technology development might look like
A technology is discovered at first and a big hype arises around it. It ends up on magazine covers, and it is hoped that this new technology will solve all problems.
When people start working on it more seriously, it turns out that not everything works that well after all.
After that the technology slowly begins to acquire its maturity.
Number of users:
Adoption rate- smallest for late adopters
There is a gap among the early adopters
Outsourcing, Business Process Outsourcing (BPO)
Complete transfer- complete transfer of all associated internal business process activities. Everything is maintained externally
Process
- Strategic evaluation- whether it makes sense in business and technology terms
- Transition to the external sourcing model- the architect's role is important
Elements of Strategic outsourcing:
- Strategic evaluation
- Financial evaluation
- Supplier selection and contract development
Outsourcing Life cycle
- RFP- request for proposal
- RFI- request for information
BPO categories (business process outsourcing):
- Back office outsourcing- includes internal business functions such as billing or purchasing
- Front office outsourcing- includes customer-related services such as marketing or tech support
Reasons to outsource IT
- cost minimization
- refocus organization to core
- improvement in operating
- increased market share and revenue
Problems with outsourcing
What to outsource
- Competitive advantage and strategy are on the axes
Outsourcing Service Delivery Method:
- Full-Scope Outsourcing- we hand everything out
- Selective Outsourcing (partner)- we choose what to outsource and what not
- Hybrid Outsourcing (perform development in-house, aka insourcing, and partner with firms to develop selected applications)- collaboration
Governance of Outsourcing
Ensures consistency of service provision to implement an approach that regulates and assists the interface between client and supplier.
It is the set of:
Governance process provides the mechanism to:
Human Resource Management
Memory organisation:
- Working memory- larger capacity and longer retention time than short-term memory
- Semantics- explanation, meaning
- Problem solving- requires transfer between short-term memory and working memory. Information may be lost during it. Requires integration of different types of knowledge.
Personality types:
- Task-oriented- oriented towards tasks. E.g. scientists
- Self-oriented- oriented towards themselves. They look at what benefit they get
- Interaction-oriented- oriented towards communication. Sense of the collective; it is important that I belong to some team
The People Capability Maturity Model
- five-stage model:
- Initial- ad-hoc people management
- Repeatable- policies developed for capability improvement
- Defined- standardised people management across the organisation
- Managed- quantitative goals for people management in place
- Optimizing- continuous focus on improving individual competence and workforce motivation
- Workforce competency = knowledge + skills + process abilities
Maturity levels:
- Managed
- Defined
- Predictable
- Optimizing
Business excellence model:
- Approach- Deployment - Results - Review, Align and Improve
Project human resource management- Use your resources effectively, efficiently, economically
Maslow’s human need hierarchy:
McGregor’s Theory x and theory y:
- Theory X: assumes workers dislike and avoid work, so managers must use coercion, threats, and various control schemes to get workers to meet objectives
- Theory Y: assumes individuals consider work as natural as play or rest and enjoy the satisfaction of esteem and self-actualization needs
- Theory Z: motivating workers, emphasizing trust, quality, collective decision making, and cultural values
Three types of organizations:
- Matrix structure- extremely difficult to work in, where project coordination and follow-up is mandatory.
- Functional structure- relies on the functional managers to manage their projects. employees in an area need to report to all the directors. Everything will depend on the relationship between managers and, especially, on the appropriate use of IT to aid in internal communication.
- Projectized structure- has the ability to rapidly formulate the project team and move forward. Highly dynamic and creative companies. It’s characterized by a series of specialized employees, ready to compose a work team as needed.
Management 1.0
- people assume the organization consists of parts and that improvement of the whole requires monitoring, repairing, and replacing those parts. Let everyone know that they’re being watched
Management 2.0
- everyone recognizes that “people are the most valuable assets” and that managers have to become “servant leaders” while steering the organization from “good to great.”
- Managers correctly understand that improvement of the whole organization is not achieved by merely improving the parts but, at the same time, they prefer to stick to the hierarchy and have a tendency to forget that human beings don’t respond well to top down control and mandated “improvements.”
- Unfortunately, many managers don’t see that they should manage the system around the people, not the people directly, and that they should leave micromanagement to the teams.
- Are trying to do the right thing, but in the wrong way
Management 3.0
Chaos theory:
SFIA
- Skills Framework for the Information Age
- describes the skills and competencies required by professionals in roles involved in information and communication technologies, digital transformation and software engineering.
- organisations can achieve a consistent and integrated skills and people management approach.
SFIA 7 seven levels of responsibility
Professional skills categories:
SAFe lean-agile principles (from slide 1113):