The 1st ACM Workshop on
Information Security Governance
November 13, 2009
Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI
Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxembourg
Introduction :
• Governance of IT is becoming more and more necessary
◦ Sarbanes-Oxley Act
▫ Transparency regarding accounts
◦ Basel II
▫ Management of operational risk and assignment of people to that task
◦ ISO/IEC 38500:2008
▫ Provides 6 principles for corporate governance of IT
▫ One principle dedicated to responsibility
• Need for more responsibility, transparency, accountability, ethics, commitment
Introduction :
• Companies are used to working with well-known management frameworks such as :
◦ ITIL (IT Information Library)
▫ a public library that focuses on IT service management for high-quality service provision
◦ CIMOSA
▫ an enterprise architecture model to define industrial computer system architecture
◦ ISO/IEC 15504 [7]
▫ a framework for the assessment of software processes
◦ CobiT
• As many responsibility models as frameworks
Introduction :
• Many responsibility models means :
▫ No consensus between frameworks / no unique one
▫ No interoperability
▫ Many interpretations of the concepts
• Objective of the research :
▫ Defining a common responsibility model
• Research methodology :
▫ Analysis of the literature
▫ Elaboration of a responsibility model
▫ Successive refinement by comparing it with professional frameworks

Responsibility
Responsibility: Foreword
• Responsibility : abstract or concrete concept ?
• Many definitions in the literature
• L. Cholvy proposes 3 of them :
▫ Something bad happened and you caused it or could have prevented it
▫ Obligation or moral duty to report or explain your actions or someone else’s actions to a given authority (answerability)
▫ Position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• ∆ (def 1 vs. def 2) = blame
• ∆ (def 2 vs. def 3) = answerability ≠ accountability = position (rules)
Responsibility
Responsibility: Foreword
• D'Arcy McCallum :
▫ Responsibility is not something that you can actually assign to someone
▫ Responsibility, in fact, has to come from within
▫ Saying that a person is responsible means that he holds a personal commitment to doing something to some standard of quality
▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions encompass the idea of “having the obligation to ensure that something happens”.
Responsibility
Accountability
[Diagram: Accountability is composed of one Answerability and zero or one Sanction; Responsibility is composed of 1..* Accountability]
Accountability :
o Obligation or moral duty to report or explain one’s own action or someone else’s action to a given authority [Cholvy et al.]
o Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
o Accountability is composed of one answerability and zero or one sanction [Fox]
Functional vs. Managerial Obligation
Obligation : most frequent concept
Functional vs. Structural Obligation [Dobson] :
o functional obligation : what an employee must do with respect to a state of affairs (e.g. execute an activity)
o structural (managerial) obligation : what an employee must do in order to fulfil a responsibility such as directing, supervising and monitoring
[Diagram: Responsibility is composed of 1..* Obligation, typed as Functional Obligation or Managerial Obligation, and of 1..* Accountability (one Answerability, zero or one Sanction)]

Responsibility
Accountability, Answerability, Transparency
o Sanction is positive or negative; also a compensation or a remediation [Fox]
o Transparency is clear : information access policies & reliable information
o Transparency is opaque : information revealed only nominally and occasionally
[Diagram: Accountability is typed as Soft Accountability or Hard Accountability; Sanction is typed as Positive Sanction or Negative Sanction; Transparency, typed as Clear or Opaque, is linked by a “Generate” (1) relation; Responsibility is composed of 1..* Accountability, each composed of one Answerability and zero or one Sanction]
Responsibility
Rights
o Common but not systematically embedded concept
o Capability : describes the possession of the requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Yu et al.][Qingfeng et al.]
o Authority : the power to command and control other employees (CIMOSA)
o Delegation right : right to transfer some part of the responsibility to another employee
[Diagram: Responsibility requires Right (0..*); Right is typed as Capability, Authority, Access Right or Delegation Possibility; Authority is needed for Delegation; the Obligation (Functional / Managerial) and Accountability (Answerability, 0..1 Sanction) compositions of the previous slides are also shown]
Delegation
Delegation vs. affectation :
o Affectation or Assignment is the action of linking an employee to a responsibility
o Delegation is the transfer of an employee’s responsibility assignment to another employee
◦ Right to further delegate the same obligation or not [Sommerville]
◦ Delegation of accountability or not [Norman]
[Diagram: Employee pledges Commitment, which Commitment Antecedents activate; Employee delegates and is delegated Responsibility; Delegation concerns a Responsibility and requires a Delegation Possibility right; the Obligation, Accountability and Right compositions of the previous slides are also shown]
Commitment
o Moral engagement to fulfil the action; difficult to integrate into a formalized framework
o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O’Reilly and Chatman]
o The relative strength of an individual’s identification with and involvement in a particular organization [Mowday]
o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investments over time [Hrebiniak and Alutto]
[Diagram: the responsibility model with Commitment (pledged by Employee, activated by Commitment Antecedents) highlighted alongside Obligation, Accountability, Right and Delegation]

[Diagram: Commitment is typed as Continuance, Affective or Normative; Commitment Antecedents (Side-bets, Desire to Maintain Membership, Belief in Goals and Values, Feeling of Obligation) contribute to Commitment; Commitment provides Commitment Outcomes, typed as Citizen Behavior, Employee Retention, Employee Performance and Willingness to Exert Efforts]
Complete responsibility model
[Diagram: the full model: Employee pledges Commitment (activated by 1..* Commitment Antecedents), is delegated and delegates Responsibility; Responsibility is composed of 1..* Obligation (Functional / Managerial) and 1..* Accountability (Answerability, 0..1 Sanction) and requires Right (0..*); Delegation concerns a Responsibility]
The COBIT responsibility model
[Diagram: Control is composed of 1..* Action; Employee holds 0..* Role]
o COBIT’s controls are composed of actions to perform (obligations)
o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive, …
o The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes.
o RACI stands for Responsible, Accountable, Consulted and Informed
o A role may be Responsible, Accountable, Consulted or Informed depending on the control and the task to perform.
The COBIT responsibility model
[Diagram: the RACI Chart links Role and Action through Responsible, Accountable, Consulted and Informed; Employee holds 0..* Role; Control is composed of 1..* Action]
RACI Chart
o Responsibility and Accountability are at the same conceptual level, both part of the RACI chart
o Accountability : the employee who provides direction and authorizes an action
o Responsibility : the employee who gets the action done
o “An individual assumes his/her responsibility and is usually held accountable”
◦ One may or may not be responsible and accountable at the same time
o “IT management has the resources and accountability needed to meet service level targets”
◦ Accountability is possessed and, as a consequence, may be seen as a capability (or a right) rather than as an accountability (or an obligation).
[Diagram: Responsible, Accountable, Consulted and Informed are each “Affected to” 0..* Role and 1..* Action; further relation names on the chart: Analyzed by, Viewable by]

The COBIT responsibility model
[Diagram: the RACI chart of the previous slide extended with Capability, which an Action needs (0..*)]
o Capability does not exist systematically in COBIT. It is necessary for an employee to perform an action
o Authority : ”person or group who has the authority to approve or accept the execution of an action”
◦ A type of right to approve or accept an action. Authority is something provided to the person responsible, e.g. the action ”Assigning sufficient authority to the problem manager”
The COBIT responsibility model
[Diagram: the RACI chart extended with Capability (needed by Action) and Commitment, which an Employee pledges (0..*)]
o Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility.
o Commitment (appears in many controls but is not explicitly defined)
◦ […] employees are mindful of their compliance obligation (commitment antecedent)
◦ “A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established”
◦ “Obtain commitment and participation from the affected employees in the definition and execution of the project […]”
Proposed integration in COBIT
[Diagram: Responsibility is composed of 1..* Accountability (Answerability, 0..1 Sanction) and 1..* Obligation (Functional / Managerial), requires Right (typed as Capability and Informed) and Commitment (pledged by Employee, activated by Commitment Antecedents); Employee is linked to Responsibility by Affectation / Delegation (1 to 0..*); Consulted is a type of Responsibility; Informed is a type of Right]
o Obligation, Right, Capability and Commitment are systematically integrated
o Accountability is no longer perceived as an attribute that links an employee to an action on the same level as the responsibility, but as a component of that responsibility.
o Informed is no longer perceived as a type of allocation/assignment of “role – action” but as a type of right for a responsibility.
o Consulted is no longer seen as a type of allocation/delegation of “role – action” but as a type of responsibility.
Cobit RACI Chart Case Study
• Action : Identify system owners
• From : PO4 Define the IT Processes, Organisation and Relationships
• RACI :
Activity \ Function | CFO | Business Executive | CIO | Business Process Owner | Head Operation | Chief Architect | Head Development | Head IT Administration | PMO | Compliance, Audit, Risk and Security
Identify System Owners | C | C | A | C | R | I | I | I | I | I

Enhancement 1
• HO is responsible: he gets the activity done but is not accountable for it. What happens if he doesn’t do it ?
• CIO is accountable. He is answerable and sanctionable.
◦ HO is responsible and accountable for the task
◦ CIO is responsible and accountable for the managerial obligation regarding the task.
Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them ?
◦ Consulted is not only a function. It is a responsibility.
◦ This means that the responsibility components need to be clarified, i.e. the obligation, the accountability, or the right.
Enhancement 3
• CA, HD, HITA, PMO, CARS are informed. Is the information absolutely necessary for everyone ?
◦ Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for that other task.
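As an added example (not part of the original slides, of COBIT, or of the authors' own tooling), the following Python model encodes the RACI row of “Identify System Owners” from the case study and applies the three enhancements to it: R becomes a functional obligation with its own accountability, A becomes a managerial obligation with accountability, C becomes a responsibility whose obligation, accountability and right are still open, and I becomes an access right that stays open until it is linked to the action that consumes the information. The class names, the `authority` that the accountable role answers to, and the hypothetical consuming action passed to `link_informed` are assumptions of this example; the role abbreviations follow the slides.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the case-study slide: the RACI row of the action
# "Identify System Owners" (COBIT process PO4). Abbreviations as on the
# slides: BE = Business Executive, BPO = Business Process Owner, HO = Head
# Operation, CA = Chief Architect, HD = Head Development, HITA = Head IT
# Administration, CARS = Compliance, Audit, Risk and Security.
IDENTIFY_SYSTEM_OWNERS = {
    "CFO": "C", "BE": "C", "CIO": "A", "BPO": "C", "HO": "R",
    "CA": "I", "HD": "I", "HITA": "I", "PMO": "I", "CARS": "I",
}

LINK_OPEN_POINT = "link the information to the action that uses it"


@dataclass
class Accountability:
    """Composed of exactly one answerability and zero or one sanction (Fox)."""
    answerable_to: str
    sanction: Optional[str] = None


@dataclass
class Responsibility:
    role: str
    action: str
    obligation: Optional[str] = None            # "functional", "managerial" or not yet clarified
    accountability: Optional[Accountability] = None
    rights: list = field(default_factory=list)
    open_points: list = field(default_factory=list)

    def is_complete(self) -> bool:
        return not self.open_points


def derive_responsibilities(action: str, row: dict, authority: str = "IT steering committee") -> list:
    """Turn one RACI row into responsibility-model instances.

    `authority` (to whom the accountable role answers) is an assumption of this
    example; the slides do not name it.
    """
    accountable = [role for role, letter in row.items() if letter == "A"]
    result = []
    for role, letter in row.items():
        if letter == "R":
            # Enhancement 1: the responsible role gets the task done AND is held
            # accountable for it, answering to the accountable role (assumed here).
            result.append(Responsibility(
                role, action, obligation="functional",
                accountability=Accountability(answerable_to=accountable[0] if accountable else authority)))
        elif letter == "A":
            # Enhancement 1: the accountable role is responsible and accountable for
            # the managerial obligation (directing, supervising) regarding the task.
            result.append(Responsibility(
                role, "supervise: " + action, obligation="managerial",
                accountability=Accountability(answerable_to=authority, sanction="negative")))
        elif letter == "C":
            # Enhancement 2: consulted is a responsibility, not just a function, so its
            # obligation, accountability and right still have to be clarified.
            result.append(Responsibility(
                role, action,
                open_points=["clarify obligation", "clarify accountability", "clarify right"]))
        elif letter == "I":
            # Enhancement 3: informed is a right (access to the action's output) that only
            # makes sense once it is attached to the task that consumes the information.
            result.append(Responsibility(
                role, action, rights=["access to the output of '" + action + "'"],
                open_points=[LINK_OPEN_POINT]))
        else:
            raise ValueError("unknown RACI letter %r for role %s" % (letter, role))
    return result


def link_informed(responsibilities: list, role: str, consuming_action: str) -> Responsibility:
    """Resolve Enhancement 3 for one informed role by naming the action that uses the information."""
    for r in responsibilities:
        if r.role == role and LINK_OPEN_POINT in r.open_points:
            r.action = consuming_action
            r.open_points.remove(LINK_OPEN_POINT)
            return r
    raise KeyError("no unresolved informed responsibility for role " + role)


def open_roles(responsibilities: list) -> list:
    """Roles whose responsibility still has open points, in RACI-row order."""
    return [r.role for r in responsibilities if not r.is_complete()]


if __name__ == "__main__":
    rs = derive_responsibilities("Identify System Owners", IDENTIFY_SYSTEM_OWNERS)
    for r in rs:
        print(r)
    # Hypothetical consuming action, not taken from COBIT:
    link_informed(rs, "PMO", "hypothetical: allocate project resources per system owner")
    print("still open:", open_roles(rs))
```

Running the block shows that only HO and CIO come out of the RACI row with a complete responsibility; the three consulted roles and the five informed roles remain open until someone states what they are obliged to do, to whom they answer, or which task consumes the information they receive. That list of open roles is the concrete output of the three enhancements, and it is what a governance reviewer would want to see for every row of a RACI chart, not just this one.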
Conclusion
• The willingness to improve the governance of IT advocates for the definition of an innovative responsibility model, including meaningful responsibility concepts.
• Afterwards, we compared the responsibility model with the COBIT RACI chart and detected possible improvements.
• The “Identify system owners” action has been depicted to illustrate the added value of the model.

Thank you !
References
• Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward
Responsibility Concept, International Conference on Information & Communication
Technologies: from Theory to Applications (IEEE ICTTA2008), May 2008, Damascus, Syria.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability,
Capability and Commitment, Fourth International Conference on Availability, Reliability and
Security (“ARES 2009 – The International Dependability Conference”), IEEE, March 2009,
Fukuoka, Japan.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards
Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International
Conference on Computer Systems and Applications (AICCSA-09) IEEE, May 2009, Rabat,
Morocco.
• Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with
Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC
Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.

Accountability vs Responsibility At Work.pdf
 
Definition and validation of a business it alignment method for enterprise go...
Definition and validation of a business it alignment method for enterprise go...Definition and validation of a business it alignment method for enterprise go...
Definition and validation of a business it alignment method for enterprise go...
 
The Art of Delegation
The Art of DelegationThe Art of Delegation
The Art of Delegation
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
 
Building a responsibility model using modal logic
Building a responsibility model using modal logicBuilding a responsibility model using modal logic
Building a responsibility model using modal logic
 
Leadership Training
Leadership TrainingLeadership Training
Leadership Training
 
RACI Approach
RACI ApproachRACI Approach
RACI Approach
 
Management Functions jbb 3
Management Functions jbb 3Management Functions jbb 3
Management Functions jbb 3
 
Raci r web3_1
Raci r web3_1Raci r web3_1
Raci r web3_1
 
OSH EAR by Dr Sharudin NIOSH
OSH EAR by Dr Sharudin NIOSHOSH EAR by Dr Sharudin NIOSH
OSH EAR by Dr Sharudin NIOSH
 
MANAGEMENT AUTHORITY AND DISCIPLINARY ACTIONS
MANAGEMENT AUTHORITY AND DISCIPLINARY ACTIONSMANAGEMENT AUTHORITY AND DISCIPLINARY ACTIONS
MANAGEMENT AUTHORITY AND DISCIPLINARY ACTIONS
 
Roots and practices of Disciplinary Action
Roots and practices of Disciplinary Action Roots and practices of Disciplinary Action
Roots and practices of Disciplinary Action
 
History of Disciplinary Authority
History of Disciplinary AuthorityHistory of Disciplinary Authority
History of Disciplinary Authority
 
CONTROLLING PREVENTION AND COPING.pptx
CONTROLLING  PREVENTION AND COPING.pptxCONTROLLING  PREVENTION AND COPING.pptx
CONTROLLING PREVENTION AND COPING.pptx
 
UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...
UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...
UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...
 
If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...
 
If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...If only i can trust my police! sim an agent based audit solution of access ri...
If only i can trust my police! sim an agent based audit solution of access ri...
 
Accountability Focused Management Part 1
Accountability Focused Management Part 1Accountability Focused Management Part 1
Accountability Focused Management Part 1
 

More from Luxembourg Institute of Science and Technology

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Luxembourg Institute of Science and Technology
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
Luxembourg Institute of Science and Technology
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
Luxembourg Institute of Science and Technology
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
Luxembourg Institute of Science and Technology
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
Luxembourg Institute of Science and Technology
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
Luxembourg Institute of Science and Technology
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Luxembourg Institute of Science and Technology
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
Luxembourg Institute of Science and Technology
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
Luxembourg Institute of Science and Technology
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
Luxembourg Institute of Science and Technology
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
Luxembourg Institute of Science and Technology
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
Luxembourg Institute of Science and Technology
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
Luxembourg Institute of Science and Technology
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
Luxembourg Institute of Science and Technology
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
Luxembourg Institute of Science and Technology
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
Luxembourg Institute of Science and Technology
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
Luxembourg Institute of Science and Technology
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
Luxembourg Institute of Science and Technology
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
Luxembourg Institute of Science and Technology
 

More from Luxembourg Institute of Science and Technology (20)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
 

Recently uploaded

CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACTCAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
Tochi22
 
Contingency Theory - Case Study-by arab.pdf
Contingency Theory  - Case Study-by arab.pdfContingency Theory  - Case Study-by arab.pdf
Contingency Theory - Case Study-by arab.pdf
hannyhosny
 
100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf
MatsikoAlex
 
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdf
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdfZoho_Final Report_MGT489: Strategic Management_SmM4.pdf
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdf
Mohammad Tauhidul Islam Khan Rifat
 
Understanding Bias: Its Impact on the Workplace and Individuals
Understanding Bias: Its Impact on the Workplace and IndividualsUnderstanding Bias: Its Impact on the Workplace and Individuals
Understanding Bias: Its Impact on the Workplace and Individuals
sanjay singh
 
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdfEmbracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
Frederik Durda
 
Occupational safrty and health (Ladder safety.ppt
Occupational safrty and health (Ladder safety.pptOccupational safrty and health (Ladder safety.ppt
Occupational safrty and health (Ladder safety.ppt
Optimisticanonymous
 
Certified Administrative Officer CAO.pdf
Certified Administrative Officer CAO.pdfCertified Administrative Officer CAO.pdf
Certified Administrative Officer CAO.pdf
GAFM ACADEMY
 
100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf
MatsikoAlex
 
Behavior Based Safety for Safety Improving Safety Culture
Behavior Based Safety for Safety Improving Safety CultureBehavior Based Safety for Safety Improving Safety Culture
Behavior Based Safety for Safety Improving Safety Culture
aerblog
 

Recently uploaded (10)

CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACTCAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACT
 
Contingency Theory - Case Study-by arab.pdf
Contingency Theory  - Case Study-by arab.pdfContingency Theory  - Case Study-by arab.pdf
Contingency Theory - Case Study-by arab.pdf
 
100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf
 
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdf
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdfZoho_Final Report_MGT489: Strategic Management_SmM4.pdf
Zoho_Final Report_MGT489: Strategic Management_SmM4.pdf
 
Understanding Bias: Its Impact on the Workplace and Individuals
Understanding Bias: Its Impact on the Workplace and IndividualsUnderstanding Bias: Its Impact on the Workplace and Individuals
Understanding Bias: Its Impact on the Workplace and Individuals
 
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdfEmbracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdf
 
Occupational safrty and health (Ladder safety.ppt
Occupational safrty and health (Ladder safety.pptOccupational safrty and health (Ladder safety.ppt
Occupational safrty and health (Ladder safety.ppt
 
Certified Administrative Officer CAO.pdf
Certified Administrative Officer CAO.pdfCertified Administrative Officer CAO.pdf
Certified Administrative Officer CAO.pdf
 
100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf100 quotes that will be changed your life.pdf
100 quotes that will be changed your life.pdf
 
Behavior Based Safety for Safety Improving Safety Culture
Behavior Based Safety for Safety Improving Safety CultureBehavior Based Safety for Safety Improving Safety Culture
Behavior Based Safety for Safety Improving Safety Culture
 

Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study

1. Title
The 1st ACM Workshop on Information Security Governance, November 13, 2009, Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxembourg
  • 5. Responsibility Responsibility: Foreword • Responsibility : abstract or concret concept ? • Many definitions in the literature • L. Cholvy proposes 3 of them : • Something bad happened and you caused it or could have prevented it • Obligation or moral duty to report or explain you actions or someone else’s action to a given authority (answerability) • Position, which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountablity) • ∆ def 1 def 2 = blame • ∆ def 2 def 3 = answerability ≠ accountability = position (rules)
  • 6. Responsibility Responsibility: Foreword • D'Arcy McCallum : ▫ Responsibility is not something that you can actually assign to someone ▫ Responsibility, in fact, has to come from within ▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality ▫ And while you cannot assign responsibility, you can and do assign accountability...with the expectation that a person will execute the activity assigned to them to a standard of quality • Commonly accepted responsibility definitions encompass the idea of “having the obligation to ensure that something happens”.
  • 7. Accountability Sanction Answerability ComposeCompose 1 11 0..1 1 Compose 1..* Accountability : o Obligation or moral duty to report or explain the action or someone else’s action to a given authority [Cholvy et al.] o Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.] o Accountability is composed of one answerability and zero or one sanction [Fox] Accountability Responsibility
  • 8. Functional vs. Managerial Obligation Obligation : most frequent concept Functional vs. Structural Obligation [Dobson] : o functional obligation : what a employee must do with respect to a state of affairs (e.g. execute an activity) o structural (managerial) obligation : what a employee must do in order to fulfill a responsibility such as directing, supervising and monitoring Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability ComposeCompose 1 11 0..1 1 Compose 1..* Responsibility
  • 9. Soft Accountability Hard Accountability Type of Type of Positive SanctionNegative Sanction Type of Type of OpaqueClear Type of Type of Transparency Generate 1 Compose 1..* Responsibility o Sanction is positive or negative  also : compensation or a remediation [Fox] o Transparency is clear : information access policies & reliable information o Transparency is opaque : information reveled nominally and ponctually Accountability Sanction Answerability Compose 1 11 0..1 1 Compose 1..* Responsibility Compose Accountability, Answerability, Transparency
  • 10. Rights o Common but not systematically embedded concept o Capability : describes the possession of requisite qualities , skills or resourcs to performan action [Vernadat,F.B.][Yu et. Al][Qingfeng et al.] o Authority : the power to command and control others employees (CIMOSA) o Delegation right : right to transfer some part of the responsibility to another employee Access Right Type of Authority Type of Needed for Right Capability Type of Require 1 0..* Delegation Possibility Type of Accountability Sanction Answerability Compose 1 11 0..1 1 Compose 1..* Responsibility Compose Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..*
  • 11. 1 Delegation Employee Delegation vs. affectation : o Affectation or Assignment is the action of linking an employee to a responsibility o Delegation is the transfer of an employee’s responsibility assignment to another employee  Right to further delegate the same obligation or not [Sommerville]  Delefation of accountability or not [Norman] Employee 1 0..* Commitment Antecedents Commitment Activate Type of1..* 1 Pledge Delegation Require 1 1..*0..* 1..* Is delegated Delegate Concernes Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Right Capability Type of Require 1 0..* Delegation Possibility Type of
  • 12. Commitment Antecedents Commitment Commitment o Moral engagement to fulfill the action  difficult to integrate in a formalized framework o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspetives of the organization [O’Reilly and Chapman] o The relative strength of an individual’s identification with and involvement in a particular organization [Mowday] o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investment over time [Hrebiniak and Alutto] Right Capability Require 1 0..* Employee 1 0..* Activate Type of1..* 1 Pledge Delegation Possibility Delegation Require 1 1..*0..* 1..* Is delegated Delegate Concernes Type of Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Type of 1
  • 13. Continuance Type of AffectiveNormative Type of Type of Commitment Outcomes Citizen Behavior Type of Provide 1 0..* Employee Retention Type of Employee Performance Type of Willingness to Exert Efforts Type of Activate 1..* 1 Side-bets Desire Maintain Membership Belief in Goals And Values Contribute to Contribute to Contribute to Feeling of Obligation Contribute to Type of Type of Type of Type of Commitment Antecedents Commitment Commitment
  • 14. Complete responsibility model Commitment Antecedents Commitment 1 Employee 1 0..* Activate 1..* 1 Pledge Delegation 0..* 1..* Is delegated Delegate Concernes Concern11 Obligation Functional Obligation Managerial Obligation Type of Type of Concern 1..* 0..* Accountability Sanction Answerability Compose 1 11 0..1 Compose 1..* Responsibility Compose Right Require 1 0..*
  • 15. The COBIT responsibility model Control Action 11..* Employee Role 0..* 0..* Is hold o COBIT’s control are composed of actions to perform (obligation) o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive,… o COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes. o RACI stands for Responsible, Accountable, Consulted and Informed o Role may be Responsible, Accountable, Consulted and Informed depending on the control and the task to perform. RACI Chart Responsible Accountable Consulted Informed
  • 16. Control The COBIT responsibility model Employee Role Action 1 0..* 0..* 1..* Is hold RACI Chart o Responsibility and Accountability at the same conceptual level part of the RACI chart o Accountability : the employee who provides direction and authorizes an action o Responsibility : the employee who gets the action done o “An individual assumes his/her responsibility and is usually held accountable”  It is possible or not to be responsible and accountable at the same time o “IT management has the resources and accountability needed to meet service level targets”  Accountability is possessed and as consequence, may be seen as rather a capability (or a right) than an accountability (or an obligation). Responsible Accountable Consulted Informed Affected to 0..* 0..* 0..* 0..* 0..* 0..* 1..* 1..* Affected to Analyzed by Viewable by 0..* 0..* 0..* 0..* 1..* 1..* 1..* 1..* Affected to Affected to Affected to Affected to
  • 17. Responsible Control Affected to 0..* The COBIT responsibility model Accountable Consulted Informed Employee Role Action RACI Chart 1 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* 0..* Capability Needs 0..* 0..* 1..* 1..* 1..* 1..* 1..* 1..* 1..* Affected to Analyzed by Viewable by Affected to Affected to Affected to Affected to Is hold o Capability doen’s exist systematically in COBIT. It is necessary for an employee to perform an action o Authorithy : ”person or group who has the authority to approve or accept the execution of an action”  A type of right to approved or accept an action. Authority is something provided to the person responsible. I.e. the action ”Assigning sufficient authority to the problem manager”
• 18. The COBIT responsibility model
[Diagram: as on slide 17, with Commitment and Pledge added]
o Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility
o Commitment appears in many controls but is not explicitly defined
 "[…] employees are mindful of their compliance obligation" (commitment antecedent)
 "A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established"
 "Obtain commitment and participation from the affected employees in the definition and execution of the project […]"
• 19. Proposed integration in COBIT
[Diagram: Responsibility composed of Accountability (Answerability, Sanction), Obligation (Managerial Obligation, Functional Obligation), Right (Capability) and Commitment (Antecedents, Pledge); Employee linked to Responsibility by Affectation/Delegation; Consulted as a type of Responsibility; Informed as a type of Right]
o Obligation, Right, Capability and Commitment are systematically integrated
o Accountability is no longer perceived as an attribute that links an employee to an action at the same level as the responsibility, but as a component of this responsibility
o Informed is no longer perceived as a type of allocation/assignment of "role – action" but as a type of right for the responsibility
o Consulted is no longer seen as a type of allocation/delegation of "role – action" but as a type of responsibility
• 20. COBIT RACI Chart Case Study
• Action: Identify system owners
• From: PO4 Define the IT Processes, Organisation and Relationships
• RACI chart (Activity: Identify System Owners; Function → letter):
  CFO: C
  Business Executive: C
  CIO: A
  Business Process Owner: C
  Head Operation: R
  Chief Architect: I
  Head Development: I
  Head IT Administration: I
  PMO: I
  Compliance, Audit, Risk and Security: I
• 21. Enhancement 1
• HO is responsible: he gets the activity done but is not accountable for it. What happens if he doesn't do it?
• CIO is accountable. He is answerable and sanctionable.
 HO is responsible and accountable for the task; CIO is responsible and accountable for the managerial obligation regarding the task.
(RACI chart for Identify System Owners as on slide 20)
• 22. Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them?
 Consulted is not only a function. It is a responsibility. This means that the responsibility components need to be clarified, i.e. the obligation, the accountability, or the right.
(RACI chart for Identify System Owners as on slide 20)
• 23. Enhancement 3
• CA, HD, HITA, PMO and CARS are informed. Is the information absolutely necessary for everyone?
 Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for that other task.
(RACI chart for Identify System Owners as on slide 20)
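As an added example (not part of the original slides), the case-study row encoded in Python with the three enhancements expressed as checks; the tasks that consume the information of Informed roles are not given in the deck and appear only as constructed placeholders:

```python
"""Added example (not from the slides): 'Identify System Owners' RACI row with the deck's enhancements as checks."""
from dataclasses import dataclass, field

# RACI row transcribed from the case study slide (function -> letter).
RACI_ROW = {
    "CFO": "C", "Business Executive": "C", "CIO": "A",
    "Business Process Owner": "C", "Head Operation": "R",
    "Chief Architect": "I", "Head Development": "I",
    "Head IT Administration": "I", "PMO": "I",
    "Compliance, Audit, Risk and Security": "I",
}

@dataclass
class Responsibility:
    """Responsibility as a composite: obligation, accountability, rights."""
    role: str
    obligation: str                 # "functional", "managerial" or "unknown"
    accountable: bool
    rights: list = field(default_factory=list)
    to_clarify: bool = False        # Consulted: components still unspecified

def check_raci_row(row):
    """Structural check: exactly one Accountable and at least one Responsible."""
    issues, letters = [], list(row.values())
    if letters.count("A") != 1:
        issues.append(f"expected exactly one A, found {letters.count('A')}")
    if "R" not in letters:
        issues.append("no Responsible role for the activity")
    return issues

def derive_responsibilities(row, informed_used_by):
    """Map RACI letters onto the refined model proposed in the deck:
    R -> functional obligation, accountable for the task (Enhancement 1)
    A -> managerial obligation, accountable for the task (Enhancement 1)
    C -> a responsibility whose components must be clarified (Enhancement 2)
    I -> a right, kept only if linked to a task that uses it (Enhancement 3).
    informed_used_by: Informed role -> the task consuming the information."""
    resps, issues = [], check_raci_row(row)
    for role, letter in row.items():
        if letter == "R":
            resps.append(Responsibility(role, "functional", True))
        elif letter == "A":
            resps.append(Responsibility(role, "managerial", True))
        elif letter == "C":
            resps.append(Responsibility(role, "unknown", False, to_clarify=True))
            issues.append(f"{role}: consulted, clarify obligation/accountability/right")
        elif letter == "I" and role in informed_used_by:
            resps.append(Responsibility(role, "unknown", False, [f"informed, used by {informed_used_by[role]}"]))
        elif letter == "I":
            issues.append(f"{role}: informed, but no task uses the information")
    return resps, issues
```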
• 24. Conclusion
• The willingness to improve the governance of IT advocates the definition of an innovative responsibility model, including a meaningful responsibility concept.
• Afterwards, we compared the responsibility model with the COBIT RACI chart and detected possible improvements.
• The action "Identify system owners" has been depicted to illustrate the added value of the model.