This document discusses strengthening governance of IT through enhancing employee responsibility. It presents a literature review on responsibility concepts and proposes a responsibility model. The model defines key responsibility concepts like accountability, capability, commitment and their relationships. It also applies the model to analyze the COBIT framework's RACI chart for assigning roles and responsibilities. The analysis finds areas where the model could provide improvements to COBIT, such as clarifying different types of responsibilities like being responsible versus accountable. The document concludes that defining an innovative responsibility model can help improve governance of IT.
This document discusses the art of delegation. It defines delegation as assigning responsibility for tasks to other people. Delegation has benefits like increased efficiency, productivity, employee development and improved trust. However, people often do not delegate due to ego, lack of time, or concerns about accountability. Effective delegation requires clearly defining goals, responsibilities, authority, and accountability. It also requires motivating, training, and holding employees accountable for their work. The document outlines a seven-step process for delegation, including determining goals, defining roles, providing authority and motivation, and establishing accountability and control. It concludes by discussing five degrees of delegation based on levels of approval and oversight required.
This document discusses building a responsibility model using modal logic concepts of accountability, capability, and commitment. It begins with a literature review of existing policy and access control models. The review finds that while concepts like rights, roles, and obligations are addressed, existing models do not fully cover all three responsibility concepts. The document then proposes a preliminary responsibility model and definitions for its components. It suggests a formalization of key concepts using deontic logic adapted from alethic logic. The goal is to provide a framework to define concepts, verify organizational structures, and detect policy issues.
This document discusses building a responsibility model using modal logic. It begins with a literature review of existing policy models and engineering methods related to concepts of accountability, capability and commitment. It identifies that while some concepts like rights and roles are commonly addressed, models do not fully cover all responsibility components. The document then proposes a preliminary responsibility model and defines the main concepts of capability, accountability and commitment. It suggests a formalization of these concepts using deontic logic to help analyze organizational structures and policies for consistency and problems.
This document provides an overview of leadership and supervisory concepts related to establishing authority in an employment relationship. It discusses:
- The origins of duties and responsibilities in employment stemming from agency law principles from the 18th century onward. Agents owe principals duties of loyalty and care.
- How authority, responsibility, and accountability are interrelated but distinct - authority provides power, responsibility indicates obligation, and accountability is answerability.
- Factors like government rules, corporate policies, job descriptions, and budgets help determine the limits of a supervisor's authority.
- Disciplinary action aims to correct behavior, prevent negative impacts, and should follow attempts at coaching and training when standards are not met or duties are not
Responsibility charting (RACI) is a technique used to clarify roles and responsibilities for activities and decisions within a process. It involves identifying the key activities and decisions, and then defining the participation of roles as either Responsible, Accountable, Consulted, or Informed. This provides clarity around individual responsibilities and accountability, reduces duplication of work, and improves communication and teamwork. The RACI process involves developing responsibility charts through workshops, documenting and communicating the charts, and follow up to ensure the defined roles are being followed. Benefits include increased productivity, reduced errors, streamlined structures, and better planning and training.
The document discusses management functions and the POSDCORB model. It defines POSDCORB as an acronym created by Luther Gulick comprising the main functions of management: Planning, Organizing, Staffing, Directing, Coordinating, Reporting, and Budgeting. It then explains each function in the POSDCORB model and the different levels of management, including their typical responsibilities.
This document provides an overview of role and responsibility charting (RACI). It defines RACI as a technique for identifying process ambiguities and clarifying roles and responsibilities. The document outlines the basic assumptions around roles as conception, expectation, and behavior. It also describes the RACI process as a 5-step approach to systematically map out decisions, activities, roles and clarify responsibilities using the RACI codes of Responsible, Accountable, Consulted, and Informed. The goal is to ensure roles and expectations are clearly defined and aligned to improve process performance and accountability.
The document discusses empowerment, accountability, and responsiveness in occupational safety and health (OSH). It defines empowerment as giving employees freedom and authority, accountability as being responsible and answerable, and responsiveness as reacting quickly. It emphasizes clear lines of accountability in safety management and evaluating OSH committee effectiveness. An accountable safety system requires authorized behaviors, objective evaluation, and appropriate consequences.
This document outlines an agenda for a leadership bootcamp covering authority, duties, and disciplinary action. It defines key employment law concepts like agency relationships, actual and apparent authority, and duties of loyalty and care that agents owe their principals. The document explains that authority and responsibility arise from assigned duties, and accountability comes from accepting work. It stresses that disciplinary action should follow documented coaching attempts, and is intended to correct behavior rather than punish. The company disciplinary policy emphasizes using discipline as an opportunity for employees to learn.
This document provides an overview and agenda for a leadership bootcamp covering principles of authority, duties, and disciplinary action in the workplace. It discusses how authority is granted from a principal to an agent in an employment relationship, and the duties and responsibilities that agents take on. Reasons for disciplinary action include not meeting performance standards or policies. Disciplinary action should occur when coaching and training have been unsuccessful, resources are not being utilized, or corrective action is needed to prevent negative impacts on the organization. The intent, effect, and perception of policies help define when and how they should be applied and disciplinary actions carried out.
This document provides an overview of an employee leadership bootcamp that covers authority, duties, and disciplinary action. It discusses the concepts of agency relationships, principal and agent roles, and how duties create authority and responsibilities for employees. The document also examines when disciplinary action should occur, outlining that it is appropriate when job standards are not met despite coaching and training opportunities. Finally, it stresses the importance of documenting employee performance issues and training to justify any disciplinary measures.
I just want to share my report in EDM 211 Theories and Principle of Educational Management. Unfortunately, I wasn't able to cite my references for this slide.
I hope this will help with your report. Thank you!
UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...
This toolkit provides an overview of the principles behind benefits realisation and some basic tools for use in projects. The toolkit also provide signposts to more sophisticated techniques that are available should a project require them.
Benefits management aims to ensure that benefits that have been identified at the start of a project are realised and that any benefits that emerge as the project progresses are properly exploited. As many project benefits are not realised until after the project is closed it is important that appropriate structures are put in place to monitor benefits realisation post project.
This toolkit was developed based on best practice at the University of Sheffield. The toolkit was published by the UCISA Project and Change Management Group in September 2016.
The document discusses accountability focused management and improving the effectiveness of objectives. It introduces key concepts like responsibility, accountability, and paradigms. It then outlines a process for building a shared vision, developing individual charters, identifying continuing vital activities, deriving objectives, and gauging impact. The process aims to shift from a responsibility paradigm to an accountability paradigm in management.
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approach mostly used cloned back-end architectures while front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agent’s behavioural rules, and restitution of real-time states of specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers in an integrated and independent platform all the functionalities required to monitor and to govern a wide range of sector specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
Accountability vs Responsibility At Work.pdfStaff Connect
Understand the key distinctions between accountability vs responsibility at work. Gain insights into how these concepts shape workplace dynamics and enhance productivity. Learn more on our blog!
This document discusses the art of delegation. It defines delegation as assigning responsibility for tasks to other people. Delegation has benefits like increased efficiency, productivity, employee development and improved trust. However, people often do not delegate due to ego, lack of time, or concerns about accountability. Effective delegation requires clearly defining goals, responsibilities, authority, and accountability. It also requires motivating, training, and holding employees accountable for their work. The document outlines a seven-step process for delegation, including determining goals, defining roles, providing authority and motivation, and establishing accountability and control. It concludes by discussing five degrees of delegation based on levels of approval and oversight required.
Building a responsibility model using modal logicchristophefeltus
This document discusses building a responsibility model using modal logic concepts of accountability, capability, and commitment. It begins with a literature review of existing policy and access control models. The review finds that while concepts like rights, roles, and obligations are addressed, existing models do not fully cover all three responsibility concepts. The document then proposes a preliminary responsibility model and definitions for its components. It suggests a formalization of key concepts using deontic logic adapted from alethic logic. The goal is to provide a framework to define concepts, verify organizational structures, and detect policy issues.
This document discusses building a responsibility model using modal logic. It begins with a literature review of existing policy models and engineering methods related to concepts of accountability, capability and commitment. It identifies that while some concepts like rights and roles are commonly addressed, models do not fully cover all responsibility components. The document then proposes a preliminary responsibility model and defines the main concepts of capability, accountability and commitment. It suggests a formalization of these concepts using deontic logic to help analyze organizational structures and policies for consistency and problems.
This document provides an overview of leadership and supervisory concepts related to establishing authority in an employment relationship. It discusses:
- The origins of duties and responsibilities in employment stemming from agency law principles from the 18th century onward. Agents owe principals duties of loyalty and care.
- How authority, responsibility, and accountability are interrelated but distinct - authority provides power, responsibility indicates obligation, and accountability is answerability.
- Factors like government rules, corporate policies, job descriptions, and budgets help determine the limits of a supervisor's authority.
- Disciplinary action aims to correct behavior, prevent negative impacts, and should follow attempts at coaching and training when standards are not met or duties are not
Responsibility charting (RACI) is a technique used to clarify roles and responsibilities for activities and decisions within a process. It involves identifying the key activities and decisions, and then defining the participation of roles as either Responsible, Accountable, Consulted, or Informed. This provides clarity around individual responsibilities and accountability, reduces duplication of work, and improves communication and teamwork. The RACI process involves developing responsibility charts through workshops, documenting and communicating the charts, and follow up to ensure the defined roles are being followed. Benefits include increased productivity, reduced errors, streamlined structures, and better planning and training.
The document discusses management functions and the POSDCORB model. It defines POSDCORB as an acronym created by Luther Gulick comprising the main functions of management: Planning, Organizing, Staffing, Directing, Coordinating, Reporting, and Budgeting. It then explains each function in the POSDCORB model and the different levels of management, including their typical responsibilities.
This document provides an overview of role and responsibility charting (RACI). It defines RACI as a technique for identifying process ambiguities and clarifying roles and responsibilities. The document outlines the basic assumptions around roles as conception, expectation, and behavior. It also describes the RACI process as a 5-step approach to systematically map out decisions, activities, roles and clarify responsibilities using the RACI codes of Responsible, Accountable, Consulted, and Informed. The goal is to ensure roles and expectations are clearly defined and aligned to improve process performance and accountability.
The document discusses empowerment, accountability, and responsiveness in occupational safety and health (OSH). It defines empowerment as giving employees freedom and authority, accountability as being responsible and answerable, and responsiveness as reacting quickly. It emphasizes clear lines of accountability in safety management and evaluating OSH committee effectiveness. An accountable safety system requires authorized behaviors, objective evaluation, and appropriate consequences.
This document outlines an agenda for a leadership bootcamp covering authority, duties, and disciplinary action. It defines key employment law concepts like agency relationships, actual and apparent authority, and duties of loyalty and care that agents owe their principals. The document explains that authority and responsibility arise from assigned duties, and accountability comes from accepting work. It stresses that disciplinary action should follow documented coaching attempts, and is intended to correct behavior rather than punish. The company disciplinary policy emphasizes using discipline as an opportunity for employees to learn.
This document provides an overview and agenda for a leadership bootcamp covering principles of authority, duties, and disciplinary action in the workplace. It discusses how authority is granted from a principal to an agent in an employment relationship, and the duties and responsibilities that agents take on. Reasons for disciplinary action include not meeting performance standards or policies. Disciplinary action should occur when coaching and training have been unsuccessful, resources are not being utilized, or corrective action is needed to prevent negative impacts on the organization. The intent, effect, and perception of policies help define when and how they should be applied and disciplinary actions carried out.
This document provides an overview of an employee leadership bootcamp that covers authority, duties, and disciplinary action. It discusses the concepts of agency relationships, principal and agent roles, and how duties create authority and responsibilities for employees. The document also examines when disciplinary action should occur, outlining that it is appropriate when job standards are not met despite coaching and training opportunities. Finally, it stresses the importance of documenting employee performance issues and training to justify any disciplinary measures.
I just want to share my report in EDM 211 Theories and Principle of Educational Management. Unfortunately, I wasn't able to cite my references for this slide.
I hope this will help with your report. Thank you!
UCISA Toolkit - Effective Benefits Management for Business Change and IT Proj...Mark Ritchie
This toolkit provides an overview of the principles behind benefits realisation and some basic tools for use in projects. The toolkit also provide signposts to more sophisticated techniques that are available should a project require them.
Benefits management aims to ensure that benefits that have been identified at the start of a project are realised and that any benefits that emerge as the project progresses are properly exploited. As many project benefits are not realised until after the project is closed it is important that appropriate structures are put in place to monitor benefits realisation post project.
This toolkit was developed based on best practice at the University of Sheffield. The toolkit was published by the UCISA Project and Change Management Group in September 2016.
Accountability Focused Management Part 1Brice Alvord
The document discusses accountability focused management and improving the effectiveness of objectives. It introduces key concepts like responsibility, accountability, and paradigms. It then outlines a process for building a shared vision, developing individual charters, identifying continuing vital activities, deriving objectives, and gauging impact. The process aims to shift from a responsibility paradigm to an accountability paradigm in management.
Similar to Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study (20)
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approach mostly used cloned back-end architectures while front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agent’s behavioural rules, and restitution of real-time states of specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers in an integrated and independent platform all the functionalities required to monitor and to govern a wide range of sector specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
Aligning the business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, the companies face the risk not to be able to deliver their business services satisfactorily and that their image is seriously altered and jeopardized. Among the many challenges of business/IT alignment is the access rights management which should be conducted considering the rising governance needs, such as taking into account the business actors' responsibility. Unfortunately, in this domain, we have observed that no solution, model and method, fully considers and integrates the new needs yet. Therefore, the paper proposes firstly to define an expressive Responsibility metamodel, named ReMMo, which allows representing the existing responsibilities at the business layer and, thereby, allows engineering the access rights required to perform these responsibilities, at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and benefits from the enterprise architecture formalism. Finally, a method has been proposed to define the access rights more accurately, considering the alignment of ReMMo and RBAC. The research was realized following a design science and action design based research method and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to make access management policies closer aligned with business objectives. It does this in two ways:
1) By focusing the policy engineering process on business goals and responsibilities defined in processes, using concepts from the ISO/IEC 15504 standard. This links capabilities and accountabilities to process outcomes and work products.
2) By defining a multi-agent system architecture to automate the deployment of policies across heterogeneous IT components and devices. The agents provide autonomy and ability to adapt rapidly according to context.
The approach was prototyped using open source components and aims to improve how access rights are defined according to business needs and deployed across an organization
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
2) The approach uses an agent's reputation, which is based on past performance, to determine which agents receive which responsibilities as crisis situations change over time.
3) Assigning responsibilities dynamically based on reputation allows the system to continue operating effectively if an agent becomes isolated or has reduced capabilities during a crisis.
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates concepts from the business and technical layers, with the concept of employee responsibility bridging the two. It incorporates four types of obligations from the COBIT framework to refine employee responsibilities and better assign access rights. ReMoLa maps responsibilities to roles in the RBAC model to leverage its advantages for access right management while ensuring responsibilities align with business tasks and employee commitment.
The document describes the NOEMI assessment methodology, which was developed as part of a research project to help very small enterprises (VSEs) improve their IT practices. The methodology aims to assess VSEs' IT capabilities in order to facilitate collaborative IT management across organizations. It was designed to be aligned with common IT standards like ISO/IEC 15504 and ITIL, but adapted specifically for VSEs. The methodology has been tested through several case studies with VSEs in Luxembourg, with promising results.
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It summarizes key access control models and discusses how they address concepts like capability, accountability, and commitment. The document also reviews engineering methods and how they incorporate responsibility considerations. The overall goal is to orient further research towards a new policy model and engineering method that more fully addresses stakeholder responsibility.
This document proposes an extension of the ArchiMate enterprise architecture framework to model multi-agent systems for critical infrastructure governance. The authors develop a responsibility-driven policy concept and metamodel layers to represent agent behavior and organizational policies across technical, application, and organizational layers. The approach is illustrated through a case study of a financial transaction processing system.
This document summarizes an experimental prototype of the OpenSST protocol for secured electronic transactions. OpenSST was developed to achieve high security, simplicity in software engineering, and compatibility with existing standards. The prototype uses OpenSST for the authorization portion of electronic payments in an e-business clearing solution. It describes the OpenSST message format and types, and discusses how OpenSST is implemented in the prototype's three-element architecture of an OpenSST proxy, reverse proxy, and server.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
This document discusses the NOEMI model, a collaborative management model for ICT processes in SMEs. The model was developed by the Centre Henri Tudor and tested with a cluster of 8 partner SMEs. Key aspects of the model include defining ICT activities across 5 domains, assessing each SME's capabilities, and having an operational team manage activities for the cluster under a coordination committee. The experiment showed improved cost control, management, and partner satisfaction compared to alternatives like outsourcing or hiring individual IT staff. The research is now ready for market transfer as the successful model is adopted long-term by participating SMEs.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
This document proposes a multi-agent architecture for incident reaction in information system security. The architecture has three layers - low level interacts directly with the infrastructure, intermediate level correlates alerts and deploys reaction actions using multi-agent systems, and high level provides supervision and manages business policies. The architecture was tested for data access control and aims to quickly and efficiently react to attacks while ensuring policy compliance. The document discusses requirements like scalability, autonomy, and global supervision. It also describes the key components of alert management, reaction decision making, and policy definition/deployment to implement the architecture using a multi-agent approach.
More from Luxembourg Institute of Science and Technology (20)
CAPACITY BUILDING:HOW TO GROW YOUR INFLUENCE, INCOME & IMPACTTochi22
Don't wish for less problems but for more capacity.
In this slideshare, you will discover the importance of capacity and different critical areas you must build to achieve your dream life.
To get the recording of this seminar, join our community on Clubhouse @ High Impact Makers
Understanding Bias: Its Impact on the Workplace and Individualssanjay singh
In the presentation, I delve into what bias is, the different types of biases that commonly occur, and the profound negative impacts they have on both workplace dynamics and individual well-being. Understanding these aspects is the first step towards creating a more equitable and supportive work culture.
Embracing Change_ Volunteerism in the New Normal by Frederik Durda.pdfFrederik Durda
The new normal has not diminished the spirit of volunteerism; rather, it has transformed it, opening up new avenues for individuals to connect with and support their communities. As we continue to adapt, volunteerism will remain a vital force in building resilient, compassionate, and inclusive societies.
Certified Administrative Officer CAO.pdfGAFM ACADEMY
The Certified Administrative Officer (CAO) is a gold-standard certification awarded exclusively by the Global Academy of Finance and Management ®. Earning this designation demonstrates that you have skills and experience in office administration which includes events coordination, time management, resource management, Microsoft Office applications, and business communication.
REQUIREMENTS
The Certified Administrative Officer designation requires a diploma or a bachelor's degree in business and administration, or related field.
Two years experience in office administration
Final year graduates with industrial attachment will be considered.
In addition to educational requirements, candidates must have knowledge in Microsoft Office applications, and business communication skills.
To apply: https://gafm.com.my/digital-certification/application-for-certification/
Behavior Based Safety for Safety Improving Safety Culture
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study
1. The 1st ACM Workshop on
Information Security Governance
November 13, 2009
Chicago, USA
Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI
Chart Case Study
Christophe Feltus, Michaël Petit, Eric Dubois
Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg
PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium
The research was funded by the National Research Fund of Luxemburg
2. Introduction :
• Governance of IT is becoming more and more
necessary
Sarbanes-Oxley Act
▫ Transparency regarding account
Basel II
▫ Management of operational risk and people affectation for that task
ISO/IEC 38500:2008
▫ Provide 6 principles for corporate governance of IT
▫ One principle dedicated to responsibility
• Need for more responsibility, transparency,
accountability, ethic, commitment
3. Introduction :
• Companies are used to work with well-known
management framework like :
ITIL (IT Information Library)
▫ a public library that focuses on IT services management for high-quality
service provision
CIMOSA
▫ an enterprise architecture model to define industrial computer system
architecture
ISO/IEC 15504 [7]
▫ a framework for the assessment of software processes
CobiT
• As much responsibility models as frameworks
4. Introduction :
• Many responsibility models means :
▫ No consensus between frameworks / no unique one
▫ No interoperability
▫ Many interpretations of the concepts
• Objective of the research :
▫ Defining a common responsibility model
• Research methodology :
▫ Analyse of the literature
▫ Elaboration of a responsibility model
▫ Successive refinement by comparing it with
professional framework
5. Responsibility
Responsibility: Foreword
• Responsibility : abstract or concret concept ?
• Many definitions in the literature
• L. Cholvy proposes 3 of them :
• Something bad happened and you caused it or could have prevented it
• Obligation or moral duty to report or explain you actions or someone
else’s action to a given authority (answerability)
• Position, which enables you to make decisions in a given organization
but implies that you must be prepared to justify your actions
(accountablity)
• ∆ def 1 def 2 = blame
• ∆ def 2 def 3 = answerability ≠ accountability = position (rules)
6. Responsibility
Responsibility: Foreword
• D'Arcy McCallum :
▫ Responsibility is not something that you can actually assign to someone
▫ Responsibility, in fact, has to come from within
▫ A person is responsible: we mean that he holds a personal commitment
to doing something to some standard of quality
▫ And while you cannot assign responsibility, you can and do assign
accountability...with the expectation that a person will execute the
activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions
encompass the idea of “having the obligation to ensure
that something happens”.
7. Accountability
Sanction Answerability
ComposeCompose
1
11
0..1
1
Compose
1..*
Accountability :
o Obligation or moral duty to report or explain the action or someone else’s action to a given
authority [Cholvy et al.]
o Obligation(s) to report the achievement, maintenance or avoidance of some given state
[Sommerville et al.]
o Accountability is composed of one answerability and zero or one sanction [Fox]
Accountability
Responsibility
8. Functional vs. Managerial Obligation
Obligation : most frequent concept
Functional vs. Structural Obligation [Dobson] :
o functional obligation : what a employee must do with respect to a state of affairs (e.g.
execute an activity)
o structural (managerial) obligation : what a employee must do in order to fulfill a
responsibility such as directing, supervising and monitoring
Concern11
Obligation
Functional
Obligation
Managerial
Obligation
Type of Type of
Concern
1..* 0..*
Accountability
Sanction Answerability
ComposeCompose
1
11
0..1
1
Compose
1..*
Responsibility
9. Soft Accountability
Hard Accountability
Type of
Type of
Positive SanctionNegative Sanction
Type of Type of
OpaqueClear
Type of Type of
Transparency
Generate
1
Compose
1..*
Responsibility
o Sanction is positive or negative also : compensation or a remediation [Fox]
o Transparency is clear : information access policies & reliable information
o Transparency is opaque : information reveled nominally and ponctually
Accountability
Sanction Answerability
Compose
1
11
0..1
1
Compose
1..*
Responsibility
Compose
Accountability, Answerability, Transparency
10. Rights
o Common but not systematically embedded concept
o Capability : describes the possession of requisite qualities , skills or resourcs to performan action
[Vernadat,F.B.][Yu et. Al][Qingfeng et al.]
o Authority : the power to command and control others employees (CIMOSA)
o Delegation right : right to transfer some part of the responsibility to another employee
Access Right
Type of
Authority
Type
of
Needed
for
Right
Capability
Type of
Require
1 0..*
Delegation
Possibility
Type
of
Accountability
Sanction Answerability
Compose
1
11
0..1
1
Compose
1..*
Responsibility
Compose
Concern11
Obligation
Functional
Obligation
Managerial
Obligation
Type of Type of
Concern
1..* 0..*
11. 1
Delegation
Employee
Delegation vs. affectation :
o Affectation or Assignment is the action of linking an employee to a responsibility
o Delegation is the transfer of an employee’s responsibility assignment to another employee
Right to further delegate the same obligation or not [Sommerville]
Delefation of accountability or not [Norman]
Employee
1 0..*
Commitment
Antecedents
Commitment
Activate
Type of1..* 1
Pledge
Delegation
Require
1
1..*0..*
1..*
Is delegated
Delegate
Concernes
Concern11
Obligation
Functional
Obligation
Managerial
Obligation
Type of Type of
Concern
1..* 0..*
Accountability
Sanction Answerability
Compose
1
11
0..1
Compose
1..*
Responsibility
Compose
Right
Capability
Type of
Require
1 0..*
Delegation
Possibility
Type
of
12. Commitment
Antecedents
Commitment
Commitment
o Moral engagement to fulfill the action difficult to integrate in a formalized framework
o The psychological attachment felt by the person for the organization; it will reflect the degree to which the
individual internalizes or adopts characteristics or perspetives of the organization [O’Reilly and Chapman]
o The relative strength of an individual’s identification with and involvement in a particular organization
[Mowday]
o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations
in side-bets or investment over time [Hrebiniak and Alutto]
Right
Capability
Require
1 0..*
Employee
1 0..*
Activate
Type of1..* 1
Pledge
Delegation
Possibility
Delegation
Require
1
1..*0..*
1..*
Is delegated
Delegate
Concernes
Type
of
Concern11
Obligation
Functional
Obligation
Managerial
Obligation
Type of Type of
Concern
1..* 0..*
Accountability
Sanction Answerability
Compose
1
11
0..1
Compose
1..*
Responsibility
Compose
Type of
1
13. Continuance
Type of
AffectiveNormative
Type of Type of
Commitment
Outcomes
Citizen
Behavior
Type of
Provide
1 0..*
Employee
Retention
Type of
Employee
Performance
Type of
Willingness to
Exert Efforts
Type of
Activate
1..*
1
Side-bets Desire Maintain
Membership Belief in Goals
And Values
Contribute to
Contribute to
Contribute to
Feeling of Obligation
Contribute to
Type of Type of
Type of
Type of
Commitment
Antecedents
Commitment
Commitment
14. Complete responsibility model
Commitment
Antecedents
Commitment
1
Employee
1 0..*
Activate
1..* 1
Pledge
Delegation
0..*
1..*
Is delegated
Delegate
Concernes
Concern11
Obligation
Functional
Obligation
Managerial
Obligation
Type of Type of
Concern
1..* 0..*
Accountability
Sanction Answerability
Compose
1
11
0..1
Compose
1..*
Responsibility
Compose
Right
Require
1 0..*
15. The COBIT responsibility model
Control
Action
11..*
Employee
Role
0..*
0..*
Is hold
o COBIT’s control are composed of actions to perform (obligation)
o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive,…
o COBIT responsibility model is formalized through a RACI chart matrix attached to all 34
COBIT processes.
o RACI stands for Responsible, Accountable, Consulted and Informed
o Role may be Responsible, Accountable, Consulted and Informed depending on the control
and the task to perform.
RACI Chart
Responsible
Accountable
Consulted
Informed
16. Control
The COBIT responsibility model
Employee
Role
Action
1
0..*
0..*
1..*
Is hold
RACI Chart
o Responsibility and Accountability at the same conceptual level part of the RACI chart
o Accountability : the employee who provides direction and authorizes an action
o Responsibility : the employee who gets the action done
o “An individual assumes his/her responsibility and is usually held accountable”
It is possible or not to be responsible and accountable at the same time
o “IT management has the resources and accountability needed to meet service level targets”
Accountability is possessed and as consequence, may be seen as rather a capability (or a right) than an
accountability (or an obligation).
Responsible
Accountable
Consulted
Informed
Affected to
0..*
0..*
0..*
0..*
0..*
0..*
1..*
1..*
Affected
to
Analyzed
by
Viewable by
0..*
0..*
0..*
0..*
1..*
1..*
1..*
1..*
Affected to
Affected to
Affected to
Affected to
17. Responsible
Control Affected to
0..*
The COBIT responsibility model
Accountable
Consulted
Informed
Employee
Role
Action
RACI Chart
1
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
Capability
Needs
0..*
0..*
1..*
1..*
1..*
1..*
1..*
1..*
1..*
Affected
to
Analyzed
by
Viewable by
Affected to
Affected to
Affected to
Affected to
Is hold
o Capability doen’s exist systematically in COBIT. It is necessary for an employee to
perform an action
o Authorithy : ”person or group who has the authority to approve or accept the
execution of an action”
A type of right to approved or accept an action. Authority is something provided to the person
responsible. I.e. the action ”Assigning sufficient authority to the problem manager”
18. Capability
Needs
0..*Responsible
Control Affected to
0..*
The COBIT responsibility model
Accountable
Consulted
Informed
Employee
Role
Action
RACI Chart
1
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
0..*
1..*
1..*
1..*
1..*
1..*
1..*
1..*
Affected
to
Analyzed
by
Viewable by
Affected to
Affected to
Affected to
Affected to
Is hold
Commitment Pledge
0..*
1
0..*
0..*
1
1
o Assignement/delegation appears sporadically in COBIT and concerns mainly the
capability or even the responsibility.
o Commitment (appears in many controls but not explicitely defined)
[…] employees are mindful of their compliance obligation (commitment antecedent)
“A positive, proactive information control environment, including a commitment to quality and IT
security awareness, is established”
“Obtain commitment and participation from the affected employees in the definition and execution
of the project […]”
19. 1
Accountability Obligation
Sanction Answerability
Managerial
Obligation
Functional
Obligation
Type of Type of
ComposeCompose
Compose
Compose
Compose
1..*11
1
11
1..*
0..1
0..*
Right
Capability
Type of
Require
1 0..*
ResponsibilityEmployee
Affectation
/Delegation
1 0..*
Commitment
Antecedents
Commitment
Activate
Type of1..* 1
Pledge
o Obligation, Right, Capability and Commitment are systematically integrated
o Accountability no more perceived as an attribute that links an employee to an action and that
is on the same level as the responsibility but as a component that composes this responsibility.
o Informed no more perceived as a type of allocation/assignment of “role – action” but as a type
of right for responsibility.
o Consulted is no more seen as a type of allocation/delegation of “role – action” but as a type of
responsibility.
Proposed integration in COBIT
ConsultedType of
Informed
Type of
Responsibility
Accountability
20. Cobit RACI Chart Case Study
• Action : Identify system owner’s
• From : PO4 Define the IT Processes, Organisation and relationship
• RACI :
Activity
Function
CFO
Business
Executive
CIO
Business
Process
Owner
Head
Operation
Chief
Architect
Head
Development
Head IT
Administration
PMO
Compliance,
Audit, Risk
and Security
Identify
System
Owners
C C A C R I I I I I
21. Enhancement 1
• HO is responsible, he gets the activity done but is not accountable
for it. What happen if he doesn’t do it ?
• CIO is accountable. He is answerable and sanctionable.
HO is responsible and accountable for the task
CIO is responsible and accountable for the managerial obligation
regarding the task.
Activity
Function
CFO
Business
Executive
CIO
Business
Process
Owner
Head
Operation
Chief
Architect
Head
Development
Head IT
Administration
PMO
Compliance,
Audit, Risk
and Security
Identify
System
Owners
C C A C R I I I I I
22. Enhancement 2
• CFO, BE and BPO are consulted. Does it imply something for them ?
Consulted is not only a function. It is a responsibility.
This means that responibility components needs to be clarify i.e. :
the obligation, the accountability, or the right.
Activity
Function
CFO
Business
Executive
CIO
Business
Process
Owner
Head
Operation
Chief
Architect
Head
Development
Head IT
Administration
PMO
Compliance,
Audit, Risk
and Security
Identify
System
Owners
C C A C R I I I I I
23. Enhancement 3
• CA, HD, HITA, PMO, CARS are informed. Is the information for
everyone absolutly necessary ?
Informed is more a right than a function. Consequently, it should
be attached to another task and a link should be created between the
information and its use for another task.
Activity
Function
CFO
Business
Executive
CIO
Business
Process
Owner
Head
Operation
Chief
Architect
Head
Development
Head IT
Administration
PMO
Compliance,
Audit, Risk
and Security
Identify
System
Owners
C C A C R I I I I I
24. Conclusion
• Willingness to improve the governance of IT advocates
for the definition of an innovative responsibility model,
including meaningful responsibility concept.
• Afterward, we have compare the responsibility model
with the COBIT RACI chart and we have detected
possible improvements.
• Identify system owners action has been depicted to
illustrate the added value of the model.
26. References
• Christophe Feltus, Preliminary Literature Review of Policy Engineering Methods - Toward
Responsibility Concept, International Conference on Information & Communication
Technologies: from Theory to Applications (IEEE ICTTA2008), May 2008, Damascus, Syria.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability,
Capability and Commitment, Fourth International Conference on Availability, Reliability and
Security (“ARES 2009 – The International Dependability Conference”), IEEE, March 2009,
Fukuoka, Japan.
• Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards
Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International
Conference on Computer Systems and Applications (AICCSA-09) IEEE, May 2009, Rabat,
Morocco.
• Christophe Feltus, Michaël Petit, François Vernadat, Enhancement of CIMOSA with
Responsibility Concept to Conform to Principles of Corporate Governance of IT, 13th IFAC
Symposium on Information Control Problems in Manufacturing, June 2009, Moscow, Russia.