The 1st ACM Workshop on
Information Security Governance
November 13, 2009
Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI
Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxemburg
Introduction :
• Governance of IT is becoming more and more necessary
▫ Sarbanes-Oxley Act : transparency regarding accounts
▫ Basel II : management of operational risk and assignment of people to that task
▫ ISO/IEC 38500:2008 : provides 6 principles for corporate governance of IT, one of which is dedicated to responsibility
• Need for more responsibility, transparency, accountability, ethics, commitment
Introduction :
• Companies are used to working with well-known management frameworks such as :
▫ ITIL (IT Information Library) : a public library that focuses on IT service management for high-quality service provision
▫ CIMOSA : an enterprise architecture model to define industrial computer system architecture
▫ ISO/IEC 15504 [7] : a framework for the assessment of software processes
▫ CobiT
• As many responsibility models as frameworks
Introduction :
• Many responsibility models means :
▫ No consensus between frameworks / no unique one
▫ No interoperability
▫ Many interpretations of the concepts
• Objective of the research :
▫ Defining a common responsibility model
• Research methodology :
▫ Analysis of the literature
▫ Elaboration of a responsibility model
▫ Successive refinement by comparing it with professional frameworks
Responsibility
Responsibility: Foreword
• Responsibility : abstract or concrete concept ?
• Many definitions in the literature
• L. Cholvy proposes 3 of them :
▫ Something bad happened and you caused it or could have prevented it
▫ Obligation or moral duty to report or explain your actions or someone else's actions to a given authority (answerability)
▫ Position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• Difference between def 1 and def 2 = blame
• Difference between def 2 and def 3 = answerability ≠ accountability = position (rules)
Responsibility
Responsibility: Foreword
• D'Arcy McCallum :
▫ Responsibility is not something that you can actually assign to someone
▫ Responsibility, in fact, has to come from within
▫ A person is responsible: we mean that he holds a personal commitment
to doing something to some standard of quality
▫ And while you cannot assign responsibility, you can and do assign
accountability...with the expectation that a person will execute the
activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions
encompass the idea of “having the obligation to ensure
that something happens”.
Accountability
[Diagram: Responsibility is composed of 1..* Accountability; Accountability is composed of 1 Answerability and 0..1 Sanction]
Accountability :
o Obligation or moral duty to report or explain the action or someone else’s action to a given
authority [Cholvy et al.]
o Obligation(s) to report the achievement, maintenance or avoidance of some given state
[Sommerville et al.]
o Accountability is composed of one answerability and zero or one sanction [Fox]
Functional vs. Managerial Obligation
Obligation : the most frequent concept
Functional vs. Structural Obligation [Dobson] :
o functional obligation : what an employee must do with respect to a state of affairs (e.g.
execute an activity)
o structural (managerial) obligation : what an employee must do in order to fulfill a
responsibility such as directing, supervising and monitoring
[Diagram: Responsibility is composed of 1..* Obligation (types: 1..* Functional Obligation, 0..* Managerial Obligation) and 1..* Accountability (1 Answerability, 0..1 Sanction)]
Responsibility
[Diagram: Accountability is Soft or Hard; Sanction is Positive or Negative; Answerability generates Transparency, which is Clear or Opaque]
o Sanction is positive or negative; also called a compensation or a remediation [Fox]
o Transparency is clear : information access policies & reliable information
o Transparency is opaque : information revealed nominally and punctually
Accountability, Answerability, Transparency
[Diagram: Responsibility is composed of 1..* Accountability; Accountability is composed of 1 Answerability and 0..1 Sanction]
Rights
o Common but not systematically embedded concept
o Capability : describes the possession of requisite qualities, skills or resources to perform an action
[Vernadat, F.B.] [Yu et al.] [Qingfeng et al.]
o Authority : the power to command and control other employees (CIMOSA)
o Delegation right : right to transfer some part of the responsibility to another employee
[Diagram: Right has the types Access Right, Authority, Capability and Delegation Possibility; Responsibility requires 1..* Right (0..* Capability); Capability is needed for Obligation; Obligation and Accountability compose Responsibility as above]
Delegation
Delegation vs. affectation :
o Affectation or Assignment is the action of linking an employee to a responsibility
o Delegation is the transfer of an employee's responsibility assignment to another employee
▫ Right to further delegate the same obligation or not [Sommerville]
▫ Delegation of accountability or not [Norman]
[Diagram: Employee (1) is linked to 0..* Responsibility; Delegation concerns a Responsibility and is delegated by / to an Employee; Delegation requires a Delegation Possibility (type of Right); a Pledge activates Commitment; Commitment Antecedents lead to Commitment; Obligation, Accountability and Right compose Responsibility as above]
Commitment
o Moral engagement to fulfill the action, hence difficult to integrate in a formalized framework
o The psychological attachment felt by the person for the organization; it will reflect the degree to which the
individual internalizes or adopts characteristics or perspectives of the organization [O'Reilly and Chatman]
o The relative strength of an individual's identification with and involvement in a particular organization
[Mowday]
o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations
in side-bets or investments over time [Hrebiniak and Alutto]
[Diagram: Commitment has the types Continuance, Affective and Normative; Commitment Antecedents (Side-bets, Desire to Maintain Membership, Belief in Goals and Values, Feeling of Obligation) contribute to Commitment; Commitment Outcomes are Citizen Behavior, Employee Retention, Employee Performance and Willingness to Exert Efforts; a Pledge activates Commitment; Employee, Delegation, Right, Obligation and Accountability are linked to Responsibility as in the previous diagrams]
Complete responsibility model
[Diagram: Responsibility is composed of Obligation (Functional / Managerial), Accountability (Answerability, 0..1 Sanction) and Right; an Employee (1) holds 0..* Responsibility; Delegation concerns a Responsibility and is delegated between Employees; a Pledge activates Commitment, which has Commitment Antecedents]
The COBIT responsibility model
[Diagram: a Control is composed of 1..* Action; an Employee holds 0..* Role; Role is linked to Action]
o COBIT's controls are composed of actions to perform (obligations)
o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive, …
o The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34
COBIT processes.
o RACI stands for Responsible, Accountable, Consulted and Informed
o A role may be Responsible, Accountable, Consulted or Informed depending on the control
and the task to perform.
The COBIT responsibility model
[Diagram: the RACI Chart (Responsible, Accountable, Consulted, Informed) links Role and Action for a Control; an Employee holds 0..* Role]
o Responsibility and Accountability are at the same conceptual level, both being parts of the RACI chart
o Accountability : the employee who provides direction and authorizes an action
o Responsibility : the employee who gets the action done
o "An individual assumes his/her responsibility and is usually held accountable"
▫ One may or may not be responsible and accountable at the same time
o "IT management has the resources and accountability needed to meet service level targets"
▫ Accountability is possessed and, as a consequence, may be seen rather as a capability (or a right) than as
an accountability (or an obligation).
The COBIT responsibility model
[Diagram: Role is affected to Action as Responsible, Accountable, Consulted or Informed (0..* / 1..* multiplicities); an Action is analyzed by and viewable by Roles; a Capability is needed for an Action; an Employee holds 0..* Role]
o Capability doesn't exist systematically in COBIT. It is necessary for an employee to
perform an action
o Authority : "person or group who has the authority to approve or accept the
execution of an action"
▫ A type of right to approve or accept an action. Authority is something provided to the person
responsible, e.g. the action "Assigning sufficient authority to the problem manager"
The COBIT responsibility model
[Diagram: the RACI model above, extended with Capability (needed for an Action) and with Commitment activated by a Pledge]
o Assignment/delegation appears sporadically in COBIT and concerns mainly the
capability or even the responsibility.
o Commitment (appears in many controls but is not explicitly defined)
▫ "[…] employees are mindful of their compliance obligation" (commitment antecedent)
▫ "A positive, proactive information control environment, including a commitment to quality and IT
security awareness, is established"
▫ "Obtain commitment and participation from the affected employees in the definition and execution
of the project […]"
[Diagram: integrated model in which Responsibility is composed of Obligation (Functional / Managerial), Accountability (Answerability, 0..1 Sanction) and Right (Capability, ...); an Employee is linked to 0..* Responsibility through Affectation / Delegation; a Pledge activates Commitment, which has Commitment Antecedents]
o Obligation, Right, Capability and Commitment are systematically integrated
o Accountability is no longer perceived as an attribute that links an employee to an action, on the same
level as the responsibility, but as a component that composes this responsibility.
o Informed is no longer perceived as a type of allocation/assignment of "role – action" but as a type
of right for responsibility.
o Consulted is no longer seen as a type of allocation/delegation of "role – action" but as a type of
responsibility.
Proposed integration in COBIT
[Diagram: Consulted becomes a type of Responsibility; Informed becomes a type of Right; Accountability becomes a component of Responsibility]
Cobit RACI Chart Case Study
• Action : Identify system owners
• From : PO4 Define the IT Processes, Organisation and Relationships
• RACI :

  Activity \ Function      CFO  BE  CIO  BPO  HO  CA  HD  HITA  PMO  CARS
  Identify System Owners    C   C   A    C    R   I   I    I     I    I

  Functions : CFO, Business Executive (BE), CIO, Business Process Owner (BPO),
  Head Operation (HO), Chief Architect (CA), Head Development (HD),
  Head IT Administration (HITA), PMO, Compliance, Audit, Risk and Security (CARS)
Enhancement 1
• HO is responsible : he gets the activity done but is not accountable
for it. What happens if he doesn't do it ?
• CIO is accountable. He is answerable and sanctionable.
▫ HO is responsible and accountable for the task
▫ CIO is responsible and accountable for the managerial obligation
regarding the task.
Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them ?
▫ Consulted is not only a function. It is a responsibility.
▫ This means that the responsibility components need to be clarified, i.e.
the obligation, the accountability, or the right.
Enhancement 3
• CA, HD, HITA, PMO, CARS are informed. Is the information for
everyone absolutely necessary ?
▫ Informed is more a right than a function. Consequently, it should
be attached to another task and a link should be created between the
information and its use for another task.
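As an added example that is not part of the slides or of COBIT, the three enhancements can be turned into a checker that runs over the slide's RACI row for "Identify system owners": it flags a Responsible role without accountability, an Accountable role without a managerial obligation, a Consulted role whose responsibility components are not spelled out, and an Informed role whose information is used by no other task. The role abbreviations follow the slides; the reporting lines, sanction and rights in enriched_model are assumptions constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Column order of the slide's RACI row for "Identify system owners" (PO4).
ROLES = ["CFO", "BE", "CIO", "BPO", "HO", "CA", "HD", "HITA", "PMO", "CARS"]


@dataclass
class Responsibility:
    """A role's responsibility for an action, with the components the slides
    give it: obligation (functional/managerial), accountability (answerability
    plus at most one sanction) and rights (capability, authority, ...)."""
    role: str
    obligation: Optional[str] = None      # "functional" or "managerial"
    answerable_to: Optional[str] = None   # accountability: whom you answer to
    sanction: Optional[str] = None        # accountability: 0..1 sanction
    rights: Set[str] = field(default_factory=set)

    def missing_components(self) -> List[str]:
        """Enhancement 2: report which of obligation, accountability and
        right have not been made explicit."""
        missing = []
        if self.obligation is None:
            missing.append("obligation")
        if self.answerable_to is None:
            missing.append("accountability")
        if not self.rights:
            missing.append("right")
        return missing


def parse_raci_row(letters: str, roles: List[str] = ROLES) -> Dict[str, str]:
    """Turn the chart line 'C C A C R I I I I I' into {role: code}."""
    codes = letters.split()
    if len(codes) != len(roles) or any(c not in ("R", "A", "C", "I") for c in codes):
        raise ValueError(f"malformed RACI row: {letters!r}")
    return dict(zip(roles, codes))


def check_row(action: str, raci: Dict[str, str],
              responsibilities: Dict[str, Responsibility],
              consumers: Set[str]) -> List[str]:
    """Apply the slides' three enhancements to one RACI row; `consumers` are
    the Informed roles that have another task using the information."""
    findings: List[str] = []
    accountable = [r for r, c in raci.items() if c == "A"]
    if len(accountable) != 1:  # basic RACI hygiene: exactly one A per action
        findings.append(f"{action}: expected exactly one A, found {accountable}")
    for role, code in raci.items():
        resp = responsibilities.get(role)
        if code == "R" and (resp is None or resp.answerable_to is None):
            # Enhancement 1: responsible but not accountable, so nobody is
            # answerable if the action is not done.
            findings.append(f"E1: {role} is Responsible for '{action}' "
                            "but holds no accountability for it")
        elif code == "A" and (resp is None or resp.obligation != "managerial"):
            # Enhancement 1: the accountable role carries the managerial
            # obligation (directing, supervising, monitoring) for the task.
            findings.append(f"E1: {role} is Accountable for '{action}' "
                            "but has no managerial obligation stated")
        elif code == "C":
            # Enhancement 2: Consulted is a responsibility, so its
            # components must be clarified.
            missing = resp.missing_components() if resp else [
                "obligation", "accountability", "right"]
            if missing:
                findings.append(f"E2: {role} is Consulted on '{action}' but "
                                f"its responsibility lacks {', '.join(missing)}")
        elif code == "I" and role not in consumers:
            # Enhancement 3: Informed is a right, justified only by a task
            # that uses the information.
            findings.append(f"E3: {role} is Informed of '{action}' "
                            "but no task of theirs uses the information")
    return findings


def slide_row() -> Dict[str, str]:
    """The row exactly as printed on the slide."""
    return parse_raci_row("C C A C R I I I I I")


def enriched_model() -> Dict[str, Responsibility]:
    """Constructed enrichment after enhancements 1 and 2: HO responsible and
    accountable for the task, CIO for the managerial obligation, consulted
    roles with explicit components. Reporting lines, sanction and rights are
    assumptions for the demonstration, not COBIT content."""
    model = {
        "HO": Responsibility("HO", "functional", answerable_to="CIO",
                             sanction="negative", rights={"capability"}),
        "CIO": Responsibility("CIO", "managerial", answerable_to="Board",
                              rights={"authority"}),
    }
    for consulted in ("CFO", "BE", "BPO"):
        model[consulted] = Responsibility(consulted, "functional",
                                          answerable_to="CIO",
                                          rights={"information access"})
    return model
```

Run against the bare slide row the checker reports ten findings (one per role); with the enriched model and a consuming task recorded for each Informed role it reports none.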
Conclusion
• The willingness to improve the governance of IT argues
for the definition of an innovative responsibility model,
including meaningful responsibility concepts.
• Afterwards, we compared the responsibility model
with the COBIT RACI chart and detected
possible improvements.
• The "Identify system owners" action has been depicted to
illustrate the added value of the model.
Thank you !

The Final Activity in Project Management
 
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic TraitsDigital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
 
Chapter 1 Performance Management HRM.ppt
Chapter 1 Performance Management HRM.pptChapter 1 Performance Management HRM.ppt
Chapter 1 Performance Management HRM.ppt
 
Mind Mapping: A Visual Approach to Organize Ideas and Thoughts
Mind Mapping: A Visual Approach to Organize Ideas and ThoughtsMind Mapping: A Visual Approach to Organize Ideas and Thoughts
Mind Mapping: A Visual Approach to Organize Ideas and Thoughts
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful Thinking
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 

Strengthening Employee Responsibility through COBIT RACI Analysis

1. Title
The 1st ACM Workshop on Information Security Governance, November 13, 2009, Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxemburg

2. Introduction
• Governance of IT is becoming more and more necessary
   Sarbanes-Oxley Act
  ▫ Transparency regarding accounts
   Basel II
  ▫ Management of operational risk and assignment of people to that task
   ISO/IEC 38500:2008
  ▫ Provides 6 principles for corporate governance of IT
  ▫ One principle dedicated to responsibility
• Need for more responsibility, transparency, accountability, ethics, commitment

3. Introduction
• Companies are used to working with well-known management frameworks like:
   ITIL (IT Information Library)
  ▫ a public library that focuses on IT service management for high-quality service provision
   CIMOSA
  ▫ an enterprise architecture model to define industrial computer system architecture
   ISO/IEC 15504 [7]
  ▫ a framework for the assessment of software processes
   CobiT
• As many responsibility models as frameworks

4. Introduction
• Many responsibility models mean:
  ▫ No consensus between frameworks / no unique one
  ▫ No interoperability
  ▫ Many interpretations of the concepts
• Objective of the research:
  ▫ Defining a common responsibility model
• Research methodology:
  ▫ Analysis of the literature
  ▫ Elaboration of a responsibility model
  ▫ Successive refinement by comparing it with professional frameworks
5. Responsibility: Foreword
• Responsibility: abstract or concrete concept?
• Many definitions in the literature
• L. Cholvy proposes 3 of them:
  ▫ Something bad happened and you caused it or could have prevented it
  ▫ Obligation or moral duty to report or explain your actions or someone else’s actions to a given authority (answerability)
  ▫ Position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• ∆ def 1 / def 2 = blame
• ∆ def 2 / def 3 = answerability ≠ accountability = position (rules)

6. Responsibility: Foreword
• D'Arcy McCallum:
  ▫ Responsibility is not something that you can actually assign to someone
  ▫ Responsibility, in fact, has to come from within
  ▫ When we say a person is responsible, we mean that he holds a personal commitment to doing something to some standard of quality
  ▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions encompass the idea of “having the obligation to ensure that something happens”.

7. Accountability
[Diagram: Responsibility is composed of 1..* Accountability; Accountability is composed of one Answerability and 0..1 Sanction]
• Accountability:
  ▫ Obligation or moral duty to report or explain the action or someone else’s action to a given authority [Cholvy et al.]
  ▫ Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
  ▫ Accountability is composed of one answerability and zero or one sanction [Fox]

8. Functional vs. Managerial Obligation
• Obligation: most frequent concept
• Functional vs. Structural Obligation [Dobson]:
  ▫ functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
  ▫ structural (managerial) obligation: what an employee must do in order to fulfill a responsibility such as directing, supervising and monitoring
[Diagram: Responsibility concerns 1..* Obligation; Functional Obligation and Managerial Obligation are types of Obligation; Accountability composed of Answerability and 0..1 Sanction, as on slide 7]

9. Accountability, Answerability, Transparency
[Diagram: Soft and Hard Accountability as types of Accountability; Positive and Negative Sanction as types of Sanction; Clear and Opaque as types of Transparency, which is generated within the accountability structure]
• Sanction is positive or negative; also: a compensation or a remediation [Fox]
• Transparency is clear: information access policies and reliable information
• Transparency is opaque: information revealed nominally and punctually

10. Rights
• Common but not systematically embedded concept
• Capability: describes the possession of the requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Yu et al.][Qingfeng et al.]
• Authority: the power to command and control other employees (CIMOSA)
• Delegation right: right to transfer some part of the responsibility to another employee
[Diagram: Responsibility requires 0..* Right; Capability, Authority, Access Right and Delegation Possibility are types of Right; Obligation and Accountability composed as on slides 7 and 8]

11. Delegation
• Delegation vs. affectation:
  ▫ Affectation or Assignment is the action of linking an employee to a responsibility
  ▫ Delegation is the transfer of an employee’s responsibility assignment to another employee
     Right to further delegate the same obligation or not [Sommerville]
     Delegation of accountability or not [Norman]
[Diagram: an Employee is assigned 0..* Responsibility; a Delegation, which requires the Delegation Possibility right, transfers a responsibility from the delegating employee to the delegated one; the Employee pledges a Commitment, activated by Commitment Antecedents]

12. Commitment
• Moral engagement to fulfill the action; difficult to integrate in a formalized framework
• The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O’Reilly and Chapman]
• The relative strength of an individual’s identification with and involvement in a particular organization [Mowday]
• A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto]
[Diagram: same model as slide 11, with the Employee pledging a Commitment and Commitment Antecedents activating it]

13. Commitment: types, antecedents and outcomes
[Diagram: Continuance, Affective and Normative Commitment as types of Commitment; Commitment Antecedents (Side-bets, Desire to Maintain Membership, Belief in Goals and Values, Feeling of Obligation) contribute to these types and activate Commitment; Commitment provides Commitment Outcomes (Citizen Behavior, Employee Retention, Employee Performance, Willingness to Exert Efforts)]

14. Complete responsibility model
[Diagram: an Employee is assigned 0..* Responsibility and pledges a Commitment, activated by Commitment Antecedents; Delegation transfers a responsibility between employees; Responsibility concerns 1..* Obligation (Functional or Managerial), is composed of 1..* Accountability (Answerability and 0..1 Sanction) and requires 0..* Right]
15. The COBIT responsibility model
[Diagram: a Control is composed of 1..* Action; an Employee holds 0..* Role; the RACI chart links Role to Action as Responsible, Accountable, Consulted or Informed]
• COBIT’s controls are composed of actions to perform (obligation)
• Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive, …
• The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes
• RACI stands for Responsible, Accountable, Consulted and Informed
• A role may be Responsible, Accountable, Consulted or Informed depending on the control and the task to perform

16. The COBIT responsibility model
[Diagram: Role is affected to Action through the RACI chart (Responsible, Accountable, Consulted, Informed), with the associations Affected to, Analyzed by and Viewable by]
• Responsibility and Accountability are at the same conceptual level, both part of the RACI chart
• Accountability: the employee who provides direction and authorizes an action
• Responsibility: the employee who gets the action done
• “An individual assumes his/her responsibility and is usually held accountable”  one may or may not be responsible and accountable at the same time
• “IT management has the resources and accountability needed to meet service level targets”  accountability is possessed and, as a consequence, may be seen rather as a capability (or a right) than as an accountability (or an obligation)

17. The COBIT responsibility model
[Diagram: as on slide 16, with Capability added: a Role needs 0..* Capability to perform an Action]
• Capability does not exist systematically in COBIT. It is necessary for an employee to perform an action
• Authority: “person or group who has the authority to approve or accept the execution of an action”  a type of right to approve or accept an action. Authority is something provided to the person responsible, e.g. the action “Assigning sufficient authority to the problem manager”

18. The COBIT responsibility model
[Diagram: as on slide 17, with Commitment added: an Employee pledges a Commitment]
• Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility
• Commitment appears in many controls but is not explicitly defined:
  ▫ “[…] employees are mindful of their compliance obligation” (commitment antecedent)
  ▫ “A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established”
  ▫ “Obtain commitment and participation from the affected employees in the definition and execution of the project […]”

19. Proposed integration in COBIT
[Diagram: Employee is linked to Responsibility by Affectation/Delegation; Responsibility is composed of 1..* Accountability (Answerability, 0..1 Sanction), concerns Obligation (Functional or Managerial), requires 0..* Right (Capability) and is activated by Commitment (pledged by the Employee, activated by Commitment Antecedents); Consulted is a type of Responsibility and Informed a type of Right]
• Obligation, Right, Capability and Commitment are systematically integrated
• Accountability is no longer perceived as an attribute that links an employee to an action, on the same level as the responsibility, but as a component of this responsibility
• Informed is no longer perceived as a type of allocation/assignment of “role – action” but as a type of right for responsibility
• Consulted is no longer seen as a type of allocation/delegation of “role – action” but as a type of responsibility
20. COBIT RACI Chart Case Study
• Action: Identify system owners
• From: PO4 Define the IT Processes, Organisation and relationship
• RACI chart row for the activity “Identify System Owners”:
  Function                              RACI
  CFO                                   C
  Business Executive                    C
  CIO                                   A
  Business Process Owner                C
  Head Operation                        R
  Chief Architect                       I
  Head Development                      I
  Head IT Administration                I
  PMO                                   I
  Compliance, Audit, Risk and Security  I

21. Enhancement 1
• Head Operation (HO) is responsible: he gets the activity done but is not accountable for it. What happens if he doesn’t do it?
• CIO is accountable: he is answerable and sanctionable.
 HO is responsible and accountable for the task
 CIO is responsible and accountable for the managerial obligation regarding the task
(Same RACI chart row as on slide 20)

22. Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them?
 Consulted is not only a function, it is a responsibility. This means that the responsibility components need to be clarified, i.e. the obligation, the accountability or the right.
(Same RACI chart row as on slide 20)

23. Enhancement 3
• CA, HD, HITA, PMO and CARS are informed. Is the information absolutely necessary for everyone?
 Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for that other task.
(Same RACI chart row as on slide 20)
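As an added example that is not part of the slides, the following Python code applies enhancements 1 to 3 to the RACI row of the case study: it transcribes the row for “Identify system owners” and maps each RACI letter onto the components of the responsibility model (obligation, accountability, right). The `information_uses` mapping (which task consumes what an Informed role receives) is a hypothetical input, since the slides only state that such a link should exist.

```python
from dataclasses import dataclass, field
from typing import Optional

# RACI row for the action "Identify system owners" (COBIT PO4), transcribed from slide 20.
# The dict preserves the column order of the chart.
IDENTIFY_SYSTEM_OWNERS = {
    "CFO": "C", "Business Executive": "C", "CIO": "A", "Business Process Owner": "C",
    "Head Operation": "R", "Chief Architect": "I", "Head Development": "I",
    "Head IT Administration": "I", "PMO": "I", "Compliance, Audit, Risk and Security": "I",
}

@dataclass
class Responsibility:
    """One responsibility of the model: an obligation, an accountability and rights."""
    role: str
    action: str
    obligation: Optional[str]   # "functional", "managerial", or None when still to clarify
    accountable: bool           # answerable to an authority, and possibly sanctionable
    to_clarify: list = field(default_factory=list)

@dataclass
class InformationRight:
    """Enhancement 3: 'Informed' modelled as a right tied to the task that uses the information."""
    role: str
    source_action: str
    consuming_action: Optional[str]   # None: the link to a consuming task is still missing

def check_raci_row(chart):
    """Structural checks on one RACI row; returns the list of issues found (empty when sound)."""
    issues = []
    accountable = [role for role, letter in chart.items() if letter == "A"]
    if len(accountable) != 1:
        issues.append(f"expected exactly one Accountable, found {len(accountable)}")
    if "R" not in chart.values():
        issues.append("no Responsible role: nobody gets the action done")
    unknown = sorted(set(chart.values()) - set("RACI"))
    if unknown:
        issues.append(f"unknown RACI letters: {unknown}")
    return issues

def translate_raci(action, chart, information_uses=None):
    """Map a RACI row onto the responsibility model, following enhancements 1 to 3.

    R -> responsibility with a functional obligation, accountable for the task
    A -> responsibility with a managerial obligation, accountable for directing the task
    C -> responsibility whose obligation, accountability and right still need clarification
    I -> a right, attached to the consuming task declared in `information_uses`
         (hypothetical input: role -> task that uses the information)
    """
    issues = check_raci_row(chart)
    if issues:
        raise ValueError("; ".join(issues))
    information_uses = information_uses or {}
    responsibilities, rights = [], []
    for role, letter in chart.items():
        if letter == "R":
            responsibilities.append(Responsibility(role, action, "functional", True))
        elif letter == "A":
            responsibilities.append(Responsibility(role, action, "managerial", True))
        elif letter == "C":
            responsibilities.append(Responsibility(
                role, action, None, False, ["obligation", "accountability", "right"]))
        else:  # "I"
            rights.append(InformationRight(role, action, information_uses.get(role)))
    return responsibilities, rights

def unresolved_information(rights):
    """Informed roles for which no consuming task was declared (the question raised on slide 23)."""
    return [r.role for r in rights if r.consuming_action is None]
```

Run on the case-study row, the translation yields two accountable responsibilities (CIO with a managerial obligation, Head Operation with a functional one), three Consulted responsibilities flagged for clarification, and five Informed rights with no consuming task declared.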
24. Conclusion
• The willingness to improve the governance of IT advocates for the definition of an innovative responsibility model, including meaningful responsibility concepts.
• Afterward, we compared the responsibility model with the COBIT RACI chart and detected possible improvements.
• The “Identify system owners” action has been depicted to illustrate the added value of the model.

26. References
• Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward Responsibility Concept, International Conference on Information & Communication Technologies: from Theory to Applications (IEEE ICTTA2008), May 2008, Damascus, Syria.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”), IEEE, March 2009, Fukuoka, Japan.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09), IEEE, May 2009, Rabat, Morocco.
• Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.