March 17, 2010, 12:40 PM — The journey began in 2005, when the Ontario Municipal Employees Retirement System (OMERS) engaged us as an adviser to assist them in defining their governance model. This included the roles and responsibilities of IT staff as well as the outsourcing vendor for key ITIL (Information Technology Infrastructure Library) service support processes.
They were trying to address some operational process gaps between IT and the outsourcing vendor. Concurrently, OMERS was implementing other initiatives, such as CMMI (Capability Maturity Model Integration), for the application development team and the PMO (Project Management Office), to evolve their current process maturity and efficiency. In 2007, a subsequent need to implement IT controls and enhance the IT governance framework was identified to address corporate governance needs as well as provide a common language for internal and external audit groups. COBIT was selected to address this latest need, as it provided a generally accepted internal control framework for IT governance.
COBIT (Control Objectives for Information and Related Technology) is an IT governance and control framework that provides leading practices across four domains and 34 processes. IT governance "consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives."
The COBIT implementation at OMERS not only defined the organizational structures, processes, and controls, but also provided a management tool for IT to monitor performance against targets (enforcing the framework) and executive reporting to the board and C-level suite.
Renga Ramasawmy, vice-president, information technology operations at OMERS, oversaw the project from the beginning and was there to reap the benefits.
"The biggest impact was the efficiency gains achieved on internal and external audits, and IT controls reviews," says Ramasawmy. "We have also achieved better clarity of roles and responsibilities, and efficient executive reporting to provide greater transparency to IT performance."
This project spanned three phases:
* Enhancement of the governance framework using the COBIT "Plan and Organize" and "Acquire and Implement" domain processes. This included defining roles and responsibilities using RACI charts (Responsible/Accountable/Consulted/Informed). In addition, processes were further defined in detail through the use of SOPs (Standard Operating Procedures).