DOMAIN  

ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES

Board CIO/CTO IT Management
 BOARD IT Governance is the Responsibility of the Board
RESPONSIBILITIES
IT Steering Committee Appoint an IT steering committee with the Chair the IT Steering Committee  Relevant representation is
CIO/CTO as the chairperson and: required from business and IT to
 Determine prioritisation of IT- assist with governance of IT
enabled investment programmes
in line with the enterprise’s
business strategy and priorities
 Track status of projects and
resolve resource conflicts
 Monitor service levels and
service improvements

  Oversight Bodies Established oversight bodies with clear terms of These oversight authorities may  Relevant representation is
reference and appropriate membership from have accountability for: required from business and IT
the business  Governance, Strategy,
Investment and Performance
 Service Management
 Solution Delivery
 Third-Party Management
 Architecture, Technical Support
and Operations
 Risk, Compliance and Internal
Controls
 Security and Business Continuity

  IT Governance Project Initiate the IT Governance Project Treat the IT governance initiative Implement IT Governance
as a project activity with a series of
phases rather than a “one-off” step
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
  Leadership and The board is to:
Direction  Place IT on the board agenda
 Clarify business strategies and objectives,
and the role of IT in achieving them
 Delegate responsibility for implementing an
IT governance framework to management
 Determine and communicate levels of risk
tolerance/appetite
 Oversee the development of the information
security strategy and delegate its
implementation to IT management
 Assign accountability for the organisational
changes needed for IT to succeed.
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
  Monitoring and The board is to:
Evaluation  Ensure that IT is aligned with strategic
objectives
 Monitor and evaluate the extent to which IT
actually sustains and enhances the
organisation’s strategic objectives
 Use the Risk and Audit committees to assist
the board fulfil its responsibilities
 Ensure that prudent and reasonable steps
have been taken in regard to IT governance
 Monitor and evaluate the acquisition and
appropriate use of technology, process and
people
 Ensure that an internal control framework
has been adopted, implemented and is
effective
 Ensure that information assets are managed
effectively
 Protect information and intellectual property
 Ensure personal information is treated by the
company as an important business asset
 Ensure information records provide adequate
evidence of business activity
 Monitor the application of King III
governance principles by all parties, at all
levels (starting with the board), at all stages
of business operations, across organisational
boundaries (including third parties) and for
the acquisition and disposal of IT goods and
services
 Obtain project assurance from independent
experts that IT management apply all basic
elements of appropriate project
management principles to all IT projects
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
  IT Reporting to the Ensure IT reporting is adequate for their Management must increase
Board purpose transparency and provide the board
with complete, timely, relevant,
accurate and accessible information
about:
 The likelihood of IT achieving its
objectives?
 IT’s resilience to learn and adapt?
 The judicious management of the
inherent risks from using IT,
including disaster recovery?
 How well IT has recognised
opportunities and acted on them?
GOVERNANCE A IT governance framework assists those at the highest level of organisations ensure that IT use contributes positively to the performance of the
FRAMEWORK organisation and conforms with the organisational obligations (regulatory, legislation, common law, contractual) concerning the acceptable use of IT

IT Governance Ensure that an IT Governance Framework is Adopt or developing an IT An IT governance framework

Framework adopted or developed Governance Framework comprises definitions, principles and
a model for governing IT and broadly
covers all areas of IT activity:
 presents IT activities in a
manageable and logical structure
 is generally accepted as containing
good practices
 is business-orientated and capable
of linking IT activities to business
goals
 provides management with control
objectives suitable to uncover IT
issues
 fits with and supports risk
management
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 incorporates a baseline of internal
controls for IT managers to
implement
 guides management in aligning IT
initiatives with real business needs
 contains performance measures to
judge success and failures
 assists with assurance activities
that confirm the achievement of
business objectives and
undesirable events are prevented,
detected and corrected
 assists companies to comply with
continually increasing regulatory
requirements.
IT Governance Ensure that the IT Governance Framework Deliver value and manage risk For the IT governance framework to
Framework to Deliver adopted or developed delivers value and through adopting or developing an add value or manage risk it must:
Value and Manage Risk manages risk IT Governance Framework  Establish a link to the business
requirements
 Make performance against
business requirements transparent
 Organise IT’s activities into a
generally accepted process model
 Be focused on both the process
and the outcomes to be achieved
 Identify the major IT resources to
be leveraged
 Define the management control
objectives to be considered
 Provide a common language.
IT Governance Charter The board is to ensure that a IT Governance Develop an IT Governance charter Organisational charter provides the
Charter is developed terms of reference for the IT
organisation. It ensures that those
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
with responsibility for actions also
have the authority to perform those
actions
Structure the Place the IT function in the overall The reporting line of the CIO is  The typical organisational structure
Organisation organisational structure with a business model commensurate with the for IT governance starts with the
contingent on the importance of IT within the importance of IT within the board, an IT steering committee, a
organisation, specifically its criticality to enterprise. CIO and IT management with
business strategy and the level of operational delegated responsibility to execute
dependence on IT. the IT governance framework,
implemented to add value and
minimise risk, including business
continuity.
 A suitable organisation structure
with relevant representation from
the business and IT, appropriate
for the size needed to adequately
manage the IT organisation is to be
implemented. A top-down, layered
approach to IT governance is
required. To be effective, business
strategy and goals have to be
cascaded down into the IT
organisation and used as the basis
for measuring performance.

Processes Maintain oversight of the establishment and
maintenance of IT processes
Exercise control over the
establishment and maintenance of
IT processes
Establish and maintain IT Processes
as:
 Process serves as the foundation
for the definition of a management
system used to capture and
document details about
ownership, scope, responsibilities,
measurements, structured working
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
practices and interfaces.
 Processes describe the life-cycle of
activities (with feedback loops) and
enable the development and
implementation of a lean,
sustainable capability to achieve
the outcomes (business goals)
desired.
 Processes ensure a stable,
controlled, repeatable service that
can be objectively measured
against deliverables and outcomes
achieved.
Governance  Monitor that those given responsibility to Enforcing governance mechanisms Governance mechanisms include
Mechanisms deploy governance mechanisms strategies, goals, policies, steering
acknowledge and understand their committees, oversight authorities,
responsibilities. processes, procedures, roles, job
 Monitor the performance of those given descriptions, plans, schedules,
responsibility in the governance of IT contracts, proposals, authorisations,
standards and scorecards with a view
to deliver value and minimise risk.

Governance of Oversee the business requirement for Ensure that information conforms To satisfy business objectives,
Information information to the business requirements in information needs to conform to the
order for it to satisfy business business requirements that:
objectives  information is relevant and
pertinent to the business process,
and is
 delivered in a timely, correct,
consistent and usable manner
 Information is provided through
the optimal (most productive and
economical) use of resources
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO
Accountability Ensure that decision-making occurs as a part of When assigning decision-making
Framework (Decision a process with clearly defined roles and authority:
Rights) accountabilities.  start by articulating the decision
that needs to be made, then
 determine the steps that must
be carried out to reach a
decision
 identify who must provide input,
and what activities are required
to obtain such input, and how
 determine who will decide,
IT Management
 Sensitive information is protected
from unauthorised disclosure
 Information is accurate and
complete, and its validity is in
accordance with business values
and expectations
 Information is available when
required by the business process
now and in the future as a result of
deploying the necessary resources
and associated capabilities
 Information provided complies
with the laws, regulations and
contractual arrangements to which
the business process is subject, i.e.,
externally imposed business
criteria as well as internal policies
 Information provided is
appropriate for management to
operate the entity and exercise its
fiduciary and governance
responsibilities.
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO
ensuring that the decision
makers are equipped with the
information to make a fact-
based decision
 More granular assignment of
responsibilities and decision
rights is achieved through the
preparation of detailed process
workflow charts
IT Internal Controls Ensure that an IT control framework is adopted Exercise control over the adoption
Framework and implemented, and that the board receives and implementation of an IT
independent assurance of its effectiveness. control framework
IT Management
An IT controls framework to be
adopted or established comprising of
Accounting controls (“General”
controls, “Application” controls and
“User” controls) and Administrative
controls.
 General controls are found in the
infrastructure, technology and
system software.
 Application controls are specific to
business processes.
 User controls are the manual
checks performed by staff.
 Administrative controls represent
the wider concerns of
management, particularly with
regard to efficiency and
effectiveness of administration,
and increased profitability.
The role of an internal control is to
be preventative, detective or
corrective regarding a particular risk.
Controls are made sustainable
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO
The Role and Appoint a suitably qualified and experienced The CIO/CTO to:
Responsibilities Chief individual as the chief information officer (CIO)  Interact regularly on matters of
Information Officers or chief technical officer (CTO) IT governance with the board, or
appropriate board committee, or
both
 Understand the accountability
and responsibility of IT
 Take responsibility for the
implementation and monitoring
of IT governance
 Seek leadership from the board,
obtain direction and an
understanding of the ethics and
values that will influence and
guide practices and behaviour
within IT to achieve sustainable
performance
 Implement an Accountability
framework to assign decision-
making rights
 Implement a suitable
organisational structure and
define terms of reference
IT Management
through incorporation in the
operational process. The selection of
controls is risk-based.
The condition of controls depends on
the organisational structure, written
policies, systemisation, evidence of
controls operating and the
competence and integrity of the
people involved.
 Implement an IT Governance
framework to deliver value and
manage risk
 Implement IT processes and
governance mechanisms
 Implement IT frameworks, policies,
procedures and standards
 Develop and implement an IT
governance charter and policies
 managers to provide timely
information, comply with the
direction given and to conform to
the principles of good governance
 Adopt and implement an IT control
framework
 Implement an ethical IT
governance and management
culture
 Implement an ethical IT
governance and management
culture
 Implement an IT controls
framework
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 Be a bridge between IT and the 
business
 Ensure transparency through
regular reporting to the board
 Enable IT to add value to the
business and mitigate risks
 Incorporate IT into the business
processes in a secure,
sustainable manner
 Encourage the desirable use of IT
by requiring
 Create an awareness of the
maturity levels of governance
 Build management skills and
competencies to govern and
promote a common language
Incorporate IT governance in
corporate governance
 Implement processes to ensure
that reporting to the board is
complete, timely, relevant,
accurate and accessible
 Obtain assurance on the
effectiveness of the IT control
framework
 Sustain and enhance the
strategic objectives
 Implement a strategic IT
planning process that is
integrated with the business
strategy development process
 Enable the improvement of the
company’s performance and
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
sustainability
 Integrate IT plans with the
business plans
 Define, maintain and validate the
IT value proposition
 Align IT operations with business
operations
 Align IT activities with
environmental sustainability
objectives
 Implement a robust process to
identify and exploit, where
appropriate opportunities to
improve performance and
sustainability of the company in
line with triple bottom line
objectives
 Include relevant representation
from the business in oversight
structures
 Have regard for the legislative
requirements that apply to IT
 Understand business
requirements and long-term
strategy
 Have a strategic approach and
facilitate the integration of IT
into business strategic thinking
 Translate business requirements
into efficient and effective IT
solutions
 Exercise care and skill over the
design, development,
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
implementation and
maintenance of sustainable IT
solutions
 Support the business and
governance requirements in a
timely and accurate manner
through the acquisition of
people, process and technology
 Optimise resources usage,
leverage knowledge
 Ensure that the business value
proposition is proportional to
the level of investment
 Deliver the expected return from
IT investments
 Measure and manage the
amount spent on and the value
received from technology
 Protect information and
intellectual property
 Conduct post-implementation
reviews to learn from each
implementation
 Promote sharing and re-use of IT
assets
 Ensure all parties in the chain
from supply to disposal of IT
services and goods apply good
governance principles
 Monitor and enforce good
governance across all suppliers
 Obtain independent assurance
that outsourced service
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
providers have applied the
principles of IT governance
 Obtain independent assurance of
the effectiveness of the IT
controls framework
implemented by service
providers
 Obtain independent assurance
that the basic elements of
appropriate project
management principles are
applied to all IT projects
 Regularly demonstrate to the
board that the company has
adequate business resilience
arrangements in the event of a
disaster affecting IT
 Implement a risk management
process based on the boards risk
appetite
 Design, implement and monitor
the IT risk management plan
 Maintain an IT risk register,
including IT legal risks
 Comply with applicable laws and
regulations
 Perform continual risk
assessments
 Select and use an appropriate
framework for managing risk
(Group BRM Risk Management
Framework)
 Consider and implement
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
appropriate risk responses
 Minimise risks
 Manage information assets
effectively
 Ensure the integrity and
availability of information and
information systems in a timely
manner
 Implement information records
management and ensure
information assets are identified,
classified, retained, stored,
archived, protected and made
available when required for
business and legal purposes
 Establish a business continuity
programme for the company’s
information and successful
execution of the business’
activities
 Identify all personal information
processed by the company and
treat this as an important
business asset, including being
processed in accordance with
applicable laws
 Implement an information
security strategy
 Implement an information
security management system in
accordance with an appropriate
information security framework
(Group BRM Information
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
Security Framework)
 Provide the Audit and Risk
Committees with relevant
information about IT risks and
the controls in place
 Measure, manage and
communicate IT performance
 Report to the IT Steering
Committee on IT performance
 Consider using IT to aid the
company’s risk management,
compliance and audit efforts.
STRATEGIC The Board should ensure that IT is Aligned with Business Objectives, including Economic, Social and Environmental Sustainability
ALIGNMENT
Alignment With g Ensure that Business goals are cascaded to IT Take responsibility for and cascade  Ensure that Group objectives, IT
Objectives goals, process goals and activity goals Group objectives, IT goals, process goals, process goals and activity
goals and activity goals to IT goals are understood and
management achievable
 Deliver on the above goals
 Align IT activities with the
performance and sustainability
objectives of the company”
 Strategic objectives are attained
through the effective and efficient
management of IT resources. This
assists management understand
“what is the outcome expected”,
“what does success look like” and
“who will recognise this success”.
Integration of Strategic Ensure that IT achieves, sustains and extends Exercise control ensuring that IT Implement a strategic IT planning
IT Planning With the the company’s strategic objectives achieves, sustains and extends the process that is integrated with the
Organisational strategic objectives business strategy development
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
Strategic and Business process, and:-
Objectives  IT plans are integrated with the
business plans
 IT operations are aligned with
business operations
 The IT function, roles and reporting
lines are structured to reflect the
integration of IT with the business
operations
 IT contributes towards the
company’s objectives in an
effective and efficient manner
 The IT contribution towards the
attainment of the company’s
objectives is monitored and
measured
 The IT value proposition has been
defined, maintained and validated
 The effect of IT on the
environment is considered
 There is a process in place to
identify and exploit opportunities
where IT can create value and
assist the company to gain
competitive advantage for the
company
 The IT steering committee contains
both business and IT
representation
 A business-oriented CIO is
appointed
 The CIO has an understanding of
the business strategy
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 The CIO has access to the board
and executive management
 IT investment and expenditure
supports the business objectives
 The role of IT in achieving strategic
business objectives is clear
 IT spend is measured and managed
to deliver value to the business
 IT assurance is addressed as an
integral part of the normal
assurance activities
 IT risk is addressed as an integral
part of the normal risk
management activities
 IT compliance with legal
requirements is addressed as an
integral part of the normal
compliance activities
 IT risks are understood and
managed from a business strategic
perspective
Direction From the Top Translate its leadership into clear statements of An example would be the policy
direction that management of the organisation defined by the CIO for board
can follow. approval as to the nature, extent
and accountability for
implementing information security
Define, Maintain and Ensure that the value proposition of IT is Within value chain analysis, there Add business value by enabling the
Validate the IT Value determined by clarifying the role of IT in are two generic strategies an organisation to differentiate its value
Proposition achieving business strategies. Oversee the organisation can pursue to achieve chain from each of its competitors’
definition, maintenance and validation of the IT a competitive advantage by: value chains.
value proposition  Creating a low-cost competitive IT activities to be prioritised in areas
advantage by reducing the cost where there is greater contribution
of an individual value chain of value.
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
activity or reconfiguring the
value chain.
 Creating a value-added
competitive advantage by
increasing the value of an
individual chain activity or
reconfiguring the value chain.

Aligning IT Operations Ensure that IT activity goals are aligned with IT Business goals cascaded down to
With Business process goals, which in turn are aligned to IT the activity level within IT providing
Operations organisational goals and business goals substance to the requirement of
aligning IT with strategic goals

Sustainability Ensure sustainable capability to perform as Nurturing, protecting, capturing,
expected. retaining and developing human
capital is a vital ingredient in the
sustainable economic performance
of any enterprise
Sustainability is about maintaining
the capability to perform as
expected. Without investment,
capability within IT is certain to
diminish over time and dependency
would grow on external solution
providers. Without the necessary
skills the company will not be able to
exploit business opportunities that
may come their way in the future.

Performance and Monitor and evaluate the extent to which IT Implement improvements related Implement a robust process to
Sustainability actually sustains and enhances the to IT performance and identify and exploit, where
Improvements organisation’s strategic objectives sustainability appropriate, opportunities to
improve performance and
sustainability of the company in line
with triple bottom line objectives.
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
Process orientation, with an element
of self-analysis, provides for
continuous improvement often
described as the Deming cycle of
“Plan-Do-Check-Act”.
Concern For the  Established environmental policy  Align IT activities with Aligning IT activities with
Environment  Ensure that green IT initiatives are aligned environmental sustainability environmental sustainability
with the overall strategy and corporate social  Implement Green IT principles objectives requires management to
responsibility programme by aligning IT based on the environmental consider the environmental aspects
activities with environmental sustainability policy established by the board. and significant Impacts of IT and IT
These principles provide decision activities, including:
 makers with predefined  Energy saving
preferences when alternative  Switch and Data centre facilities
options are available. design
 Switch and Data centre heat
recycling
 Advanced cooling technologies
 Processor design and server
efficiency
 Energy management for the
office environment
 Integrated energy management
for the software environment
 Combined heat and power
 Use of modelling and monitoring
software

 Avoidance of wasteful expenditure

 Recycling of infrastructure
 Reusable code and services
 Paperless reporting
 Optimised software programs
 Overly complex and tightly
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
integrated solutions
 Unnecessarily large
infrastructure
 Unnecessary data storage
 Excessive security and disaster
recovery planning.

 Avoidance of unnecessary CO2

emissions
 Disposal of inefficient
technology
 Purchase greener energy
 Purchase from companies
known to be greener
 Excessive data redundancy
 Excessive feature
 Records management
 Avoiding travel and transport.

Value Delivery Executing on the Value Proposition of IT

Value Delivery Ensure that IT delivers the promised benefits
against the strategy, concentrating on
optimising costs and proving the intrinsic value
of IT
Ensure that the expected return on investment
from IT projects is delivered and that the
information and intellectual property contained
in the information systems are protected.
Direct and control efforts to prove Deliver on the promised benefits
the value of IT against the strategy, concentrating
on optimising costs and delivering
the intrinsic value of IT
The CIO/CTO does so by:
 clarifying the role of IT in
achieving business strategies;
 measuring and managing the
amount spent on and the value
received from IT;
 assigning accountability for
organisational changes required
to benefit IT capabilities;
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 learning from each
implementation, becoming more
adept at sharing and reusing IT
assets;
 implementing balanced
scorecards as a tool for proving
the value of IT and measuring
performance.
Risk Management Risk Management seeks to provide Interventions that Optimise the Balance between Risk and Reward within the Organisation
IT Governance and Risk Ensure that regular opportunities for The CIO/CTO to monitor the
Management information technology failures that disrupt following causes carefully:
business and prevent the achievement of  Error
operational and strategic objectives are  Poor quality of service
minimised  High-rate of obsolescence
 High-level of development
 High-level of dependence on
vendors, service providers and
consultants
 Wasteful expenditure,
unnecessary features
 Inadequate architecture, limited
interoperability and poor
scalability
 Unproven, brittle and poorly
designed technology
 Limited capability to implement
and support solutions and end
users
 Monolithic, inflexible
applications with complex
integration
 Multiple contractual, regulatory
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
and legislated compliance
requirements
Ensure that IT risks form part of enterprise risk  Regularly demonstrate to the  Implement adequate “business
management board that the organisation has resilience” arrangements to
adequate “business resilience” recover from disaster
Ensure that the following King III principles for arrangements in place to recover  Considers and implements
risk management are adhered to: from disaster appropriate risk responses
 accepting responsibility for the governance  Demonstrate that effective IT
of risk risk management process is
 determining the levels of risk tolerance place
 the risk committee or audit committee to  Demonstrate design,
assist the board in carrying out its risk implementation and monitoring
responsibilities of the risk management plan
 delegating to management the responsibility
to design, implement and monitor the risk
management plan
 performing of risk assessments are on a
continual basis
 implementing of frameworks and
methodologies to increase the probability of
anticipating unpredictable risks
 management considers and implements
appropriate risk responses
 monitoring risk by management continually
 obtaining assurance regarding the
effectiveness of the risk management
process
 ensuring processes are in place enabling
complete, timely, relevant, accurate and
accessible risk disclosure to stakeholders.
Responsibility For Risk  Accept responsibility for the process of risk Direct and control implementation Responsible for managing risk which
Management management of risk management must be reflected in individual letters
 Ensure that risk management is embedded in of appointment, key performance
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board
its operations, decision-making processes
and the execution of strategy.
Risk Appetite  Set a risk appetite or tolerance level for the
organisation which must be determined in
accordance with the strategic objectives
 Ensure that the CIO uses the risk appetite as
the basis for implementing a risk
management process across the IT function
and for establishing an IT risk management
plan.
Risk Identification  Ensure that risk identification is directed
within the context of the organisation’s
purpose and focuses on strategic and
operational risks.
 Consideration must be given to reputation
risk and IT legal risks
Risk Quantification and  Ensure that key risks are quantified and are
Response responded to appropriately
 Decide with management which risks are
significant
 Classify risk as high, moderate or low
 Develop a clear, shared understanding of the
risks that are acceptable or likely to become
unacceptable and then decide how they will
manage the risks and control strategies
 Ensure that risks evaluated are prioritised
and ranked to focus risk response measures
on those risks outside the board’s risk
tolerance limits.
 Ensure that management identifies and
consider the possible risk response options
CIO/CTO
Use the risk appetite as the basis
for implementing a risk
management process across the IT
function and for establishing an IT
risk management plan
Direct and control risk
identification and ensure that the
focus is on both strategic and
operational risks
 Develop a clear, shared
understanding of the risks that
are acceptable or likely to
become unacceptable and then
to decide how they will manage
the risks and control strategies
 Ensure that risks are validated
with relevant stakeholders.
IT Management
areas and reward systems.
Implement the IT risk management
plan
Identify risks focusing on both
strategic and operational risks
 Develop a clear, shared
understanding of the risks that are
acceptable or likely to become
unacceptable and then to decide
how they will manage the risks and
control strategies
 Risks must be validated with
relevant stakeholders to confirm
the:
 accuracy and validity of risk
information recorded
 assumptions made in
assessment of the risk
information provided
 the need for any additional data
or information on the
effectiveness of the control
DOMAIN  ATTRIBUTE
Board
Risk Management Plan Adopt a risk management plan for achieving
risk management objectives
Risk Assessment Using Ensure that a process-orientated model like
a Generally Recognised CobiT forms the basis of the IT Control
Methodology framework as this provides management with a
framework that assists with understanding the
scope of risk assessment and helps avoid gaps
when conducting the risk assessments.
RESPONSIBILITY - DESCRIPTION/ACTIVITIES
CIO/CTO
CIO/CTO to establish or adopt a
direct and control the
implementation of a risk
management plan with the
following requirements:
 Risk management plan must
include an implementation plan,
which must be monitored as a
medium-term project and have
scheduled reviews.
 The risk management plan must
outline the resources, tasks and
responsibilities for introducing
and developing the risk
management processes and
activities into the company
Adopt a process-orientated model
that provides management with a
framework that assists in their
understanding of the scope of risk
assessment and helps to avoid
gaps when conducting the risk
IT Management
environment.
 Design or adopt the risk
management plan
 The risk management plan must
state the objectives on risk
optimisation, how risk
management must support its
business strategy and how
regulatory requirements must
be managed. Risk management
processes must be incorporated
into budgeting and business
planning activities.
 Implement the risk management
plan
 In designing the implementation
plan, management must
determine the sequence of
implementation, document
roles and responsibilities
determine the target dates for
implementation and decide on
the frequency and format of
reporting against milestones
Implement the IT control framework
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board
Risk Assessment Ensure that risk assessments are to be
Outputs performed on an ongoing basis with the
outputs of risk assessments provided to the
board and management with a realistic
perspective of the material risks facing the
organisation
Risk Register Monitor and evaluate the register of risks
including a profile of aggregated risks,
correlated risks and risk concentrations with a
balanced assessment of the significant risks and
the effectiveness of internal control in
managing those risks.
Reputational, Monitor and evaluate reputational,
Sustainability and sustainability and ethics risks
Ethics Risk Assessment
Alignment of IT with  Implement IT governance, splitting
Business Objectives responsibility between the board and
and Sustainability management
 Specify the decision rights and accountability
framework to encourage the desirable
culture in the use of IT
 Take an active role in IT strategy and
governance
 Stay informed and able to exercise the
necessary oversight during times of major
investment in IT
 Take full accountability and be responsible
for the decisions made where Technology, is
promising a major transformation of the
organisational business processes
CIO/CTO
assessments
Direct and control risk assessments
and reporting thereof
Communicate openly with the
board on matters relating to risks
and controls
Direct and control risk assessments
and reporting thereof
Exploit available business
opportunities by exploiting
information technology in
innovative ways based on the
board’s risk appetite and the
direction provided
IT Management
Perform risk assessments and report
on the assessment focusing on
significant risks and the effectiveness
of internal control in managing those
risks.
Report any significant control failings
or weaknesses identified in a report,
including the effect that they have
had, or may have had, on the
organisation, and the actions being
taken to rectify them.
Address the broader issues of
organisational reputation,
sustainability and ethics when
assessing risk
Map IT objectives with business and
sustainability objectives and address
any gaps
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
Business Continuity Monitor and evaluate business resilience Demonstrate that there are Implement adequate business
arrangements in the event of a disaster adequate business resilience resilience arrangements in the event
affecting IT arrangements in the event of a of a disaster affecting IT
disaster affecting IT.
Information Delegate responsibility for information Demonstrate that information  Ensure the integrity and availability
Management management management efforts are adequate of information and information
systems in a timely manner
 Retain records
 Comply with security and privacy
requirements.
Data Privacy Monitor and evaluate processes for managing Ensure that resources are deployed Implement the processes for
personal information and relevant compliance to manage personal information managing personal information to
with the applicable laws and to ensure compliance with the ensure compliance with the
applicable laws applicable laws
Information Security Delegate responsibility for Information Security Resources must be deployed to Implement the information security
Management develop, implement and manage management strategy and required
an appropriate Information systems
Security Management strategy and
system
The Use of Technology Obtain assurance that technology is being used Consideration must be given to the Implementing suitable technology to
to Aid the to aid business risk management functions suitability, economy and manage risk and compliance (e.g.
Management of Risk effectiveness of using technology policies, standards, etc)
and Compliance at various stages of the processes
to manage risk and compliance
Financial/Resource Optimising Knowledge, IT Infrastructure and Relationships
Management
Resource Management  Ensure that the economic, social and  CIO/CTO responsibilities include: Leverage knowledge and skill,
environmental resources are treated capture the lessons learnt and build
responsibly and that their performance is  monitoring and evaluating the capability
reported on in an “integrated report” extent to which IT actually
 Direct management to focus on ensuring the sustains and enhances the
optimal use of available resources, including strategic objectives
knowledge, infrastructure and partnerships  monitoring and evaluating the
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 Consider any outsourced IT services as this acquisition and use of IT
remains the responsibility of the Board and resources to ensure that they
external assurance regarding the governance support business
must be considered. requirements
 monitoring and evaluating the
acquisition and appropriate
use of technology, process
and people
 overseeing IT investment to
ensure that IT expenditure is
in proportion to the delivery
of business value
 ensuring good governance
principles apply to all parties
that provide IT resources. This
includes suppliers of
hardware, software, skills and
IT services
 Remaining accountable for
ensuring that effective IT
governance is in place where a
resource has been “outsourced”.
The following outsourcing issues
are important:

 Governance of outsourced
services
 Compliance in an outsourced
environment
 Capability to outsource
 Capability of service providers
to provide contracted
services.
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
 Considerable additional risks
from outsourcing –
compliance, staff turnover,
control of costs
 Nature of third-party contracts
(outsourced services or lease
agreements for equipment
and the hiring of staff)
 Adequacy of service level
agreements
 Pricing and charging practices
 What capability is required at
termination of the outsourcing
contract?
 The audit committee must
include these assurance tasks
within the normal assurance
activities.

Performance Proper IT Governance Assists the Board Ensure that IT Use Contributes Positively to The Performance of the Organisation
Measurement
IT Governance and  Consider performance management which The CIO/CTO must consider the Report to the Board about IT:
Performance underpins IT governance by proving the value following in terms of performance
Management proposition and measuring the performance measurement:  achieving its objectives
of IT.  being resilient and agile to adapt
 Request reviews by independent experts to  Outcomes expected by to changing strategic needs
ensure that appropriate project management stakeholders - key goal indicators  judiciously managing risks
principles are applied.  Measurement of the enablers  recognising and acting on business
used to achieve these outcomes opportunities.
 Management’s control of  IT managers and staff must
activities critical to the success of develop performance
the enablers. management systems that
 IT goals and measures must flow optimise operational customer
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO
directly from strategic goals.
Approach to Measure not only the outcomes of the Institutionalised a managed
Performance governance activities but also the relevance process by doing the following:
Measurement and effectiveness of the applied governance
framework, processes and measurements.  Assigning responsibility and
authority for performing the
process
 Adhering to organisational
policies
 Following established plans and
process descriptions
 Providing adequate resources
(including funding, people,
methods and tools)
 Training the people performing
and supporting the process
 Placing designated work
products under appropriate
levels of configuration
IT Management
results from an organisational
perspective.
 IT goals and measures in support
of individual operational
customers must meet IT
department or business unit
objectives. In turn, IT function or
business unit objectives must map
directly to both programme and
organisation-wide strategic
directions and goals.
 IT goals and measures must be
tracked in a seamless fashion back
to the business objectives and
group goals.
Implement a performance
management system for monitoring
and tracking the outcomes of the
governance activities and the
effectiveness of the applied
governance framework and
processes
DOMAIN  ATTRIBUTE
Board
Risk & Audit Risk and Audit Committees should Assist the Board in Carrying out its IT Responsibilities
Committees
Risk Committee  Fully understand the overall exposure to IT
risks from a strategic and business
perspective
 Obtain assurance that all significant risks are
managed in an appropriate manner
Audit Committee  Oversee the reporting and assurance
functions on behalf of the board and serve as
a link between the board and these functions
 Monitor the integrity and completeness of
the organisation’s financial reporting and
compliance with other regulatory
RESPONSIBILITY - DESCRIPTION/ACTIVITIES
CIO/CTO IT Management
management
 Identifying and involving
relevant stakeholders
 Monitoring and controlling the
performance of the process
against the plans for performing
the process and taking corrective
actions
 Objectively evaluating the
process, its work products, and
its services for adherence to the
process descriptions, objective
and standards, and
 addressing non-compliance
 Reviewing the activities, status,
and results of the process with
higher-level management and
taking corrective action.
Establish measures such as the Fully commit to the goal of
ones documented here, monitor implementing, supporting and
and evaluate these measures in maintaining an effective risk
order to provide assurance on committee
effectiveness of the risk
management efforts to the risk
committee
As information technology often  Fully commit to the goal of
provides the system of internal supporting and maintaining an
controls, the CIO and IT effective audit committee.
management are therefore  At least annually conduct a formal
required to conduct suitable tests documented review of the design,
and report back to the audit implementation and effectiveness
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
requirements committee. of the system of internal financial
 Review aspects of risk and sustainability controls by conducting suitable
issues where it is mandated to do so by the testing and report back to the
board chiefs and audit committee.
 Obtain appropriate assurance that controls  Enables the audit committee to
are adequate to address the risks in areas perform its responsibilities to
that are not appropriately governed (e.g. oversee the integrity of the
outsourcing and ERP implementations) that financial information. (External
expose the organisation to higher levels of auditor attestation on internal
risk. financial controls is not a
requirement).
Managing Information The Board is to Ensure Information Assets are Managed Effectively
Information  Ensure information assets are managed Direct and control the effective  Manage information assets
Management effectively management of information assets effectively, ensuring the integrity
and availability of information and
information systems in a timely
manner.
 Manage information throughout
the life cycle by implementing
suitable processes
 Identify, classified, retained,
stored, archived, protect and make
available when required for
business and legal purposes any
Information records providing
evidence of business activity which
are important information assets
Information Privacy Ensure privacy of information where required Direct and control the appropriate Identify and treated all personal
identification and treatment of all information processed as an
personal information considered a important business asset, including
business asset and ensure being processed in accordance with
compliance with applicable laws. applicable laws
Information Security  Ensure that an information security Direct and control the strategy for, Implement the information security
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board
management system is implemented
according to an applicable information
security framework.
 Oversee the development of the information
security strategy and delegate its
implementation to IT management.
Compliance Proper IT Governance Assists Directors in Assuring Conformance with Obligations (Regulatory, Legislation, Common Law, Contractual) concerning the
Acceptable Use of IT
Compliance with  Establish a review process to ensure
Obligations compliance with laws, regulations and
contractual requirements.
 Ensure that all relevant IT laws are adhered
by ensuring that an effective compliance
framework is and processes are
implemented.
 Consider any standards, guidelines or
practices that would be relevant to the IT
organisation.
A Single, Holistic Ensure that all compliance efforts are
Approach to integrated across the organisation
Compliance
CIO/CTO
and establishment and
implementation of information
security management framework
and systems
 Direct and control the process to  Identify the IT laws, regulations
identify and comply with laws,
regulations and contractual
requirements
 Identify compliance
requirements, optimise and
evaluate the response, obtaining
assurance that the requirements
have been complied with and,
finally, integrating IT’s
compliance reporting with the
rest of the business.
Direct and control the process to
integrate all compliance initiatives
related to IT across the
organisation
IT Management
strategy and an information security
management system in accordance
with an appropriate information
security framework.
and contractual requirements that
the organisation must comply
with.
 Implement systems to address the
compliance requirements
Optimise and evaluate the
compliance requirements and
report on any non compliance
 Find a practical way to deal with
compliance considering the ever-
increasing number of regulators,
regulations, legislation and
contractual obligations
 Adopt a process-orientated
approach, starting with a single,
generally accepted baseline of
controls to which additional
regulatory and statutory controls
are then added to achieve
compliance with external
regulators and internal
DOMAIN  ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
requirements
 Consider how IT can be used to
assist with managing its and
business compliance obligations
Compliance should be Ensure that all compliance efforts are Direct and control the process to  Sustainability comes through
made Sustainable sustainable maintain and sustain all controls being:
compliance initiatives related to IT  Enabled through documented
processes
 Supported by the capability of
people
 Made effective through
automation
 Regularly monitored