This document discusses strengthening governance of IT through enhancing employee responsibility. It presents a literature review on responsibility concepts and proposes a responsibility model. The model defines key responsibility concepts like accountability, capability, commitment and their relationships. It also applies the model to analyze the COBIT framework's RACI chart for assigning roles and responsibilities. The analysis finds areas where the model could provide improvements to COBIT, such as clarifying different types of responsibilities like being responsible versus accountable. The document concludes that defining an innovative responsibility model can help improve governance of IT.
1. The 1st ACM Workshop on Information Security Governance
November 13, 2009
Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxembourg
2. Introduction:
• Governance of IT is becoming more and more necessary
Sarbanes-Oxley Act
▫ Transparency regarding accounts
Basel II
▫ Management of operational risk and assignment of people to that task
ISO/IEC 38500:2008
▫ Provides 6 principles for corporate governance of IT
▫ One principle dedicated to responsibility
• Need for more responsibility, transparency, accountability, ethics, commitment
3. Introduction:
• Companies are used to working with well-known management frameworks like:
ITIL (IT Information Library)
▫ a public library that focuses on IT service management for high-quality service provision
CIMOSA
▫ an enterprise architecture model to define industrial computer system architecture
ISO/IEC 15504 [7]
▫ a framework for the assessment of software processes
CobiT
• As many responsibility models as frameworks
4. Introduction:
• Many responsibility models means:
▫ No consensus between frameworks / no unique one
▫ No interoperability
▫ Many interpretations of the concepts
• Objective of the research:
▫ Defining a common responsibility model
• Research methodology:
▫ Analysis of the literature
▫ Elaboration of a responsibility model
▫ Successive refinement by comparing it with professional frameworks
5. Responsibility
Responsibility: Foreword
• Responsibility: abstract or concrete concept?
• Many definitions in the literature
• L. Cholvy proposes 3 of them:
▫ Something bad happened and you caused it or could have prevented it
▫ Obligation or moral duty to report or explain your actions or someone else’s action to a given authority (answerability)
▫ Position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• Difference between def 1 and def 2 = blame
• Difference between def 2 and def 3 = answerability ≠ accountability = position (rules)
6. Responsibility
Responsibility: Foreword
• D'Arcy McCallum:
▫ Responsibility is not something that you can actually assign to someone
▫ Responsibility, in fact, has to come from within
▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality
▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions encompass the idea of “having the obligation to ensure that something happens”.
7. Accountability
[Diagram: Responsibility is composed of Accountability; Accountability is composed of one Answerability and zero or one Sanction]
Accountability:
o Obligation or moral duty to report or explain the action or someone else’s action to a given authority [Cholvy et al.]
o Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
o Accountability is composed of one answerability and zero or one sanction [Fox]
8. Functional vs. Managerial Obligation
Obligation: most frequent concept
Functional vs. Structural Obligation [Dobson]:
o functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
o structural (managerial) obligation: what an employee must do in order to fulfill a responsibility such as directing, supervising and monitoring
[Diagram: Responsibility is composed of Accountability (one Answerability, zero or one Sanction) and of one or more Obligations; Functional Obligation and Managerial Obligation are types of Obligation]
9. Accountability, Answerability, Transparency
[Diagram: Soft Accountability and Hard Accountability are types of Accountability; Positive Sanction and Negative Sanction are types of Sanction; Transparency, generated from Answerability, is of type Clear or Opaque]
o Sanction is also positive or negative: a compensation or a remediation [Fox]
o Transparency is clear: information access policies & reliable information
o Transparency is opaque: information revealed nominally and punctually
10. Rights
o Common but not systematically embedded concept
o Capability: describes the possession of requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Yu et al.][Qingfeng et al.]
o Authority: the power to command and control other employees (CIMOSA)
o Delegation right: right to transfer some part of the responsibility to another employee
[Diagram: Responsibility requires zero or more Rights; Access Right, Authority, Capability and Delegation Possibility are types of Right; Capability is needed to fulfill the Obligation]
11. Delegation
Delegation vs. affectation:
o Affectation or Assignment is the action of linking an employee to a responsibility
o Delegation is the transfer of an employee’s responsibility assignment to another employee
Right to further delegate the same obligation or not [Sommerville]
Delegation of accountability or not [Norman]
[Diagram: an Employee is assigned zero or more Responsibilities; a Delegation concerns a Responsibility, is delegated by one Employee and delegates to another; the Employee pledges a Commitment activated by Commitment Antecedents]
12. Commitment
Commitment
o Moral engagement to fulfill the action; difficult to integrate in a formalized framework
o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O’Reilly and Chapman]
o The relative strength of an individual’s identification with and involvement in a particular organization [Mowday]
o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto]
[Diagram: Commitment Antecedents activate a Commitment, which the Employee pledges; the Employee is assigned Responsibilities that require Rights (Capability, Delegation Possibility) and are composed of Obligations (Functional, Managerial) and Accountability (Answerability, zero or one Sanction)]
13. Commitment
[Diagram: Continuance, Affective and Normative are types of Commitment; the Commitment Antecedents Side-bets, Desire to Maintain Membership, Belief in Goals and Values, and Feeling of Obligation contribute to Commitment; Commitment provides the outcomes Citizen Behavior, Employee Retention, Employee Performance and Willingness to Exert Efforts]
14. Complete responsibility model
[Diagram: Responsibility is composed of one or more Obligations (Functional or Managerial), of Accountability (one Answerability, zero or one Sanction) and requires zero or more Rights; an Employee is assigned zero or more Responsibilities and pledges a Commitment activated by Commitment Antecedents; a Delegation links a delegating Employee, a delegated Employee and the Responsibility concerned]
15. The COBIT responsibility model
[Diagram: a Control is composed of one or more Actions; an Employee holds zero or more Roles; the RACI Chart links Roles to Actions as Responsible, Accountable, Consulted or Informed]
o COBIT’s controls are composed of actions to perform (obligation)
o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive, …
o The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes.
o RACI stands for Responsible, Accountable, Consulted and Informed
o A role may be Responsible, Accountable, Consulted or Informed depending on the control and the task to perform.
16. The COBIT responsibility model
[Diagram: Responsible, Accountable, Consulted and Informed are the ways a Role is affected to an Action in the RACI Chart; a Consulted Action is analyzed by the Role, an Informed Action is viewable by the Role]
o Responsibility and Accountability are at the same conceptual level as part of the RACI chart
o Accountability: the employee who provides direction and authorizes an action
o Responsibility: the employee who gets the action done
o “An individual assumes his/her responsibility and is usually held accountable”
One may or may not be responsible and accountable at the same time
o “IT management has the resources and accountability needed to meet service level targets”
Accountability is possessed and, as a consequence, may be seen rather as a capability (or a right) than as an accountability (or an obligation).
17. The COBIT responsibility model
[Diagram: the RACI model of the previous slide extended with Capability, which the Responsible Role needs to perform the Action]
o Capability doesn’t exist systematically in COBIT. It is necessary for an employee to perform an action
o Authority: ”person or group who has the authority to approve or accept the execution of an action”
A type of right to approve or accept an action. Authority is something provided to the person responsible. E.g. the action ”Assigning sufficient authority to the problem manager”
18. The COBIT responsibility model
[Diagram: the RACI model of the previous slides extended with Commitment, pledged by the Employee]
o Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility.
o Commitment (appears in many controls but is not explicitly defined)
[…] employees are mindful of their compliance obligation (commitment antecedent)
“A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established”
“Obtain commitment and participation from the affected employees in the definition and execution of the project […]”
19. Proposed integration in COBIT
[Diagram: Responsibility composed of Obligation (Functional or Managerial), Accountability (Answerability, zero or one Sanction), Right (with Capability as a type) and Commitment (activated by Commitment Antecedents, pledged by the Employee); the Employee is affected or delegated to zero or more Responsibilities; Consulted is a type of Responsibility and Informed a type of Right]
o Obligation, Right, Capability and Commitment are systematically integrated
o Accountability is no longer perceived as an attribute that links an employee to an action at the same level as the responsibility, but as a component of this responsibility.
o Informed is no longer perceived as a type of allocation/assignment of “role – action” but as a type of right for responsibility.
o Consulted is no longer seen as a type of allocation/delegation of “role – action” but as a type of responsibility.
20. COBIT RACI Chart Case Study
• Action: Identify system owners
• From: PO4 Define the IT Processes, Organisation and Relationship
• RACI:
Activity: Identify System Owners
Function                               RACI
CFO                                    C
Business Executive                     C
CIO                                    A
Business Process Owner                 C
Head Operation                         R
Chief Architect                        I
Head Development                       I
Head IT Administration                 I
PMO                                    I
Compliance, Audit, Risk and Security   I
21. Enhancement 1
• HO is responsible: he gets the activity done but is not accountable for it. What happens if he doesn’t do it?
• CIO is accountable. He is answerable and sanctionable.
▫ HO is responsible and accountable for the task
▫ CIO is responsible and accountable for the managerial obligation regarding the task.
22. Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them?
▫ Consulted is not only a function. It is a responsibility.
▫ This means that the responsibility components need to be clarified, i.e. the obligation, the accountability, or the right.
23. Enhancement 3
• CA, HD, HITA, PMO, CARS are informed. Is the information absolutely necessary for everyone?
▫ Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for that other task.
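As an added example (not part of the slides), the Python below encodes the “Identify System Owners” RACI row from the case study, reports the issues raised by the three enhancements (Responsible without accountability, Consulted without defined responsibility components, Informed without a consuming task), and rewrites the R and A entries as responsibilities of the proposed model with a functional or managerial obligation plus accountability. The class and function names, and the placeholder sanction text, are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed from the slides: RACI row of the PO4 activity "Identify System Owners".
RACI_ROW = {"CFO": "C", "Business Executive": "C", "CIO": "A",
            "Business Process Owner": "C", "Head Operation": "R",
            "Chief Architect": "I", "Head Development": "I",
            "Head IT Administration": "I", "PMO": "I",
            "Compliance, Audit, Risk and Security": "I"}

@dataclass(frozen=True)
class Responsibility:
    """A responsibility of the proposed model: an obligation composed with an
    accountability (answerability, zero or one sanction) and its required rights."""
    role: str
    obligation: str              # "functional" or "managerial"
    answerable: bool             # accountability always carries answerability
    sanction: str | None = None  # accountability carries zero or one sanction
    rights: tuple = ()           # e.g. a capability, an authority, an access right

def audit_raci(row, informed_uses):
    """Findings for the three enhancements; informed_uses maps an Informed role
    to the other task that consumes the information (Enhancement 3)."""
    accountable = {r for r, letter in row.items() if letter == "A"}
    findings = []
    for role, letter in row.items():
        if letter == "R" and role not in accountable:
            findings.append((1, role, "responsible but not accountable"))
        elif letter == "C":
            findings.append((2, role, "consulted: obligation, accountability and right to define"))
        elif letter == "I" and role not in informed_uses:
            findings.append((3, role, "informed: no consuming task linked"))
    return findings

def apply_enhancement_1(row, sanction="escalation (placeholder sanction)"):
    """The Responsible role becomes responsible and accountable for the task
    (functional obligation); the Accountable role for the managerial obligation
    regarding the task. The sanction text is constructed, not from the slides."""
    out = {}
    for role, letter in row.items():
        if letter == "R":
            out[role] = Responsibility(role, "functional", True, sanction)
        elif letter == "A":
            out[role] = Responsibility(role, "managerial", True, sanction)
    return out

if __name__ == "__main__":
    for finding in audit_raci(RACI_ROW, informed_uses={}):
        print(finding)
    for resp in apply_enhancement_1(RACI_ROW).values():
        print(resp)
```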
24. Conclusion
• Willingness to improve the governance of IT advocates for the definition of an innovative responsibility model, including meaningful responsibility concepts.
• Afterward, we compared the responsibility model with the COBIT RACI chart and detected possible improvements.
• The “Identify system owners” action has been depicted to illustrate the added value of the model.
26. References
• Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward Responsibility Concept, International Conference on Information & Communication Technologies: from Theory to Applications (IEEE ICTTA2008), May 2008, Damascus, Syria.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”), IEEE, March 2009, Fukuoka, Japan.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09), IEEE, May 2009, Rabat, Morocco.
• Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.