Objectives, Risks, and Controls
The following table provides examples of how management objectives for this phase can be related to risk and then to controls that help manage those risks. By clearly linking objectives, risks, and controls, an IT organization will be more effective and compliant. It will also be more efficient in gathering and maintaining documented evidence of its control environment and risk management. Management reviews (MRs) introduce the appropriate level of control to Plan Phase activities. Every company needs to evaluate laws and regulations to determine its own policies and thus its own compliance controls. However, the management reviews still provide management controls so that compliance can be evaluated at these points of the lifecycle.
Table 8. Plan Phase Objectives, Risks, and Controls

| Objective | Risk | Control |
|---|---|---|
| Ensure that the desired services are delivered with the desired quality at the desired cost | - Services do not meet business needs<br>- Cost of services is not predictable | Service Alignment MR<br>Portfolio MR |
| Ensure that IT services are reliable and trustworthy | - IT services waste resources and are more expensive than necessary<br>- IT services are poorly designed and hard to support<br>- Service delivery improvement is ineffective<br>- IT services fail, causing business loss | Service Alignment MR<br>Portfolio MR<br><br>Important MR control considerations:<br>- Include the reconciliation of planned-to-actual spending<br>- Service reviews performed at least annually or semi-annually and when there are major service breaks |
| Ensure that IT services are compelling to the business | - IT services fail to provide significant value to the business<br>- IT services are under-used or over-used, resulting in misallocation of resources | Service Alignment MR<br>Portfolio MR<br><br>Important MR control considerations:<br>- IT service planning based on business strategy, with a documented relationship between strategy and service<br>- Recurring service reviews with business stakeholders<br>- Usage rates of service capacity tracked and incorporated into service planning |
| Ensure that IT services are predictable and can adapt to new business requirements | - Unpredictable service performance<br>- Unplanned changes to the IT environment<br>- The process of changing IT services is cumbersome and contains unnecessary bureaucracy<br>- IT has conflicting or inadequate workflow | Service Alignment MR<br>Portfolio MR<br><br>Important MR control considerations:<br>- Feedback from service performance monitoring contributes to service design<br>- Change control procedures are in place and evidence of control operation is documented<br>- Appropriate business stakeholders are available for change reviews when needed<br>- Change methodology supports different levels of analysis and approval that result in consistently documented results |
| Ensure that the IT organization partners with the business for the planning and delivery of services | - Business unable to efficiently understand available IT services<br>- Service levels not appropriate for business needs<br>- Business requirements not well understood or translated into IT designs | Service Alignment MR<br>Portfolio MR<br><br>Important MR control considerations:<br>- Business and IT partnership roles defined with clear accountabilities<br>- IT understands how levels of service criticality relate to different business functions<br>- Service requirements are vetted with the business and demonstrated functionality is reviewed |
| Ensure that the IT organization proactively manages risk | - IT services repeatedly negatively affected by unplanned events | Service Alignment MR<br>Portfolio MR<br><br>Important MR control considerations:<br>- Process of identifying risk starts at the beginning of planning<br>- Risk management continues throughout an IT service's lifecycle |