IT Governance Blog on IT governance, risk management, compliance and information security.

Risk is not something that organisations have a tendency to manage in an effective way. Many organisations give tacit recognition to risk management in their processes or have different people handling different aspects of it.

Times when risk management could be a mere afterthought for organisations are past. It is now essential, if not mandated in law, that organisations take effective steps to manage risk within the organisation.

In the spring of 2011 I wrote an article for this blog titled ‘ISO 31000, the Icelandic volcanic ash crisis and how to cope in similar situations’. This detailed how many organisations had been affected by the eruption of a volcano in Iceland and how to cope using the new (at the time) International Standard for risk management – ISO 31000 .

At the time of writing that article there was not much guidance available on implementing the new risk management standard. This void has now been filled by BS 31100   – which provides guidance on implementing a risk management process that meets the requirements laid down in ISO 31000.

Effective risk management needn’t be exclusive to larger organisations. With the standards above risk management can be employed by any organisation that wants or needs to manage risk effectively.

As most people in the UK will be aware, the current economic woes that beset the UK economy started with the first run on a UK bank since 1886 – the bank in question was Northern Rock.

No one seemed aware in the heady days of 2007 that the cycle of boom and bust had returned. The first anyone here knew about it was from the long queues that started to appear outside every branch of the bank with customers wanting to withdraw their hard-earned savings.

It is very rare that one can firmly grasp why these disasters occur, but it is easy to understand why Northern Rock nearly collapsed after reading The Fall of Northern Rock by Brian Walters.

Brian, previously an employee of Northern Rock, has first-hand experience of what it was like to work for the bank. In the book he remembers how the bank was so hugely successful, he also details what lead to its spectacular collapse.

Having read the book it is easy to understand why in the days of cheap credit it was easy for a financial institution to expand. It is also easy to understand why, given the massive freeze in the credit markets, why the bank collapsed so spectacularly.

The question that comes to mind have we really learnt anything from the crisis and put in place systems to prevent such things happening again?

Sure, banks are now required to hold more capital, also banking regulation has been strengthened. Even a standard has been published for UK financial organisations to follow to help them ensure they are compliant with the relevant legislation, BS 8453:2011

Me thinks we haven’t really learnt that much – may be those in positions of influence at UK financial should read this book and learn how to not repeat the same mistakes as those at Northern Rock……we’d all be better off if they did!

Having undertaken a major cost cutting initiative myself recently within IT Governance, I was wondering what a book on cost cutting could actually tell me. So I decided to spend some time reading a book that had at least an interesting title, in this case Cut Costs Not Corners .

On reading the book I was surprised at how many aspects of cost cutting there were that I hadn’t even considered. Many people will be familiar with a lot of the traditional methods for cost cutting, so there’s no need for me to go into them here. They make up about 20-30% of the book, the rest is dedicated to innovative, new ways to cut costs within organisations.

The book’s main focus is on the role of the chief cost cutting officer (CCCO) as the person responsible for a continuous cost-cutting programme. Having covered the role that the CCCO should play in a cost-cutting programme i.e. the lead role, the book then moves on to provide practical steps that CCCOs in any organisation can take to cut costs whilst not cutting corners.

Cutting costs needn’t mean compromising on quality, and this is one of the key messages the author gets across in the book. He also shows how cutting costs should be a continuous process, not just something done in a recession.

There are two things for sure, chief cost cutting officers, your company needs you and you need this book

Here at IT Governance we often have customers wanting to become certified in project management and enquiring about PRINCE2 courses. But what many don’t seem to realise is that with a PRINCE2 course you’ll become certified in the methodology of PRINCE2, not the fundamentals of project management.

If you want to grasp the fundamentals of project management, you’d be much better off studying for the APM Introductory Certificate in Project Management (APMIC). This course provides an introduction to the basics of project management.

That’s not to say PRINCE2 qualifications are not both valid and highly regarded. PRINCE2 is a vital tool in the arsenal of day-to-day project management. Anything that can improves one’s implementation and use of PRINCE2, such as a PRINCE2 course and formal accreditation at the end of it, should be seen in a positive light.

If you simply need to be aware of the PRINCE2 methodology and how it functions, plus the terminology used within in it, then a PRINCE2 Foundation course either via eLearning or a classroom-based course is the ideal solutions. The Foundation qualification is the first step on the rung of PRINCE2 qualifications.

For project management professionals that need a comprehensive understanding of the method, they will need to become PRINCE2 Practitioners. They will, of course, first have to sit and pass the PRINCE2 Foundation exam having studied using an accredited course. They will then, again, need to use an accredited course to study for and pass the PRINCE2 Practitioner exam. Courses are available combining study for both qualifications into one are available, in various formats including e-Learning and classroom-based courses.

Should you already have achieved your PRINCE2 Foundation qualification and only need to pass the Practitioner exam, then courses covering just the Practitioner syllabus that include the cost of the exam are available to enable this too. The formats these courses come in are either via e-Learning or classroom-based as usual.

So, the question is, to be or not to be, PRINCE2 certified?

Management of Portfolios (MoP^™), from the OGC, is a new set of guidance for the effective and efficient management of portfolios of projects and programmes.

In these post-recessionary days we are often faced with common questions such as ‘do we have a budget for this?’, ‘should we be doing this?’ or ‘are these risks worth taking?’ Both individuals and organisations are a lot more careful with how they handle their investments. The days of when projects were loosely managed with project managers having carte blanche to spend thousands without having a clear idea of the costs, risks and benefits are over.

MoP seeks to address this gap in the market that has existed up until now. It allows organisations to ensure that investments in any portfolios of projects and programmes are right for them and identify how they will contribute to their strategic objectives. MoP achieves this by ensuring:

• The programmes and projects undertaken are prioritised in terms of their contribution to the organisation’s strategic objectives and overall level of risk
• Programmes and projects are managed consistently to ensure efficient and effective delivery
• Benefits realisation is maximised to provide the greatest return (in terms of strategic contribution and efficiency savings) from the investment made.

(Bullet points taken from Management of Portfolios Overview by Craig Kilford)

At the core of MoP are the five principles of portfolio management, and two cycles. These cycles are focused on the planning and delivery of portfolios, and their constituent parts and practices work with the context of the five principles.

The five principles of portfolio management are as follows:

1. Senior Management Commitment
2. Governance Alignment
3. Strategy Alignment
4. Portfolio Office
5. Energised Change Culture.

The first of the two cycles, the Portfolio Definition Cycle, deals with planning of a portfolio. Its key stages are: Understand, Categorise, Prioritise, Balance and Plan.

This cycle helps the organisation to understand the scope of the portfolio, prioritise the order of tasks, understand how all the resources need to be managed, and create a portfolio strategy and delivery plan based on all these understandings.

The second cycle, the Portfolio Delivery Cycle, is tasked with the effective and efficient delivery of the portfolio strategy and delivery plan created by the Portfolio Definition Cycle. Its key elements are: Management Control, Benefits Management, Financial Management, Risk Management, Stakeholder Engagement, Organisational Governance and Resource Management.
This second cycle is also tasked with adapting the portfolio according to changes in strategic objectives, project and programme delivery and lessons learned.

MoP is designed to be used in any organisation, it does not matter whether you currently have in place any formal methods for programme or project management. Though having such methods in place will make the use of MoP more robust, any organisation can benefit from implementation.

The core MoP guidance is available from the IT Governance online store in various formats. We offer all of the current official books in our MoP Core Guidance and Study Kit. http://www.itgovernance.co.uk/catalog/772  

We will be offering a selection of courses as soon as the MoP qualification scheme is launched.

With the updated version of ITILv3 due for release in the second half of this year, I was wondering what will change in this ‘refreshed’ version? Well, it seems, on the face of it, not much. The main changes being made to the framework are to correct errors and inconsistencies and to aid clarity and completeness.

The biggest wholesale change in the methodology is the review of the Service Strategy publication. Based on user feedback, the guidance in this particular title is being thoroughly overhauled. It was felt that, out of all the five core titles, Service Strategy was in need of the most attention. The core concepts in the manual will remain the same, as they will in all the other core books, but the terminology employed and how they are explained will change.

The idea behind the whole ITIL ‘refresh’ is that the guidance becomes easier to navigate, learn, read, teach and implement. However, the ethos and original principles behind the ITILv3 framework will not be changing.

A lot of people at this point will be wondering whether they will need to spend vast sums of money updating their ITILv3 qualifications. The answer, in short, is no.  Whilst there will be some minor changes to the syllabuses,  due to the Service Strategy update and the other amendments, there will be no need to re-take examinations or to take bridging exams.

If you are thinking of becoming ITILv3 certified, and are putting off doing so because of the update, don’t delay. The qualification you receive now will be just as valid as it will be after the updated version of the framework has been released.

There is also no need to put off implementing the framework. The core guidance will remain the same, just enhanced by the amendments. There has never been a better time than during a recession to implement best practice guidance and enhance organisational performance.

A final subtle change that is being made to the core books is the use of ‘v3’. With the impending withdrawal of ITILv1 and v2, the core books will only labelled with the name ITIL. So long ‘ITILv3’, hello ‘ITIL’.

Keep checking back on the IT governance website for the latest news on the ITIL update. We’ll be offering the new version of the core books for pre-order in various formats in advance of the launch.

BSI (British Standard Institute) has just released a new version of the first part of its project management standard, BS6079. It might come as a surprise to some that there is even a standard for project management available considering frameworks, such as PMBOK and PRINCE2^™, exist.

On closer investigation it becomes clear there are quite a few standards on project management available, both from BSI and International Standards Organisation (ISO), all of which can be found on our website.

(more…)

CEH, CHFI, ECSA, ENSA, and Security5

The EC-Council, one of the leading certification bodies for the IT security industry, offers a wide range of professional certifications for security professionals. Amongst these are many different levels of qualification.

Career Academy have launched a range of EC-Council endorsed courses that cover a wide selection of these qualifications. All of the current Career Academy (EC-Council endorsed) courses are now available from IT Governance’s EC-Council Campus.

Read on for details of the EC-Council qualifications with available e-learning courses.

(more…)

With the launch of the new ISO 20000-5 standard, new advice and guidance on how to implement a service management system (SMS) than ever before is now available. What does the new standard deliver? Well, it offers the following advice and guidance:

• An exemplar implementation on how to implement an SMS that meets the requirements of ISO 20000-1
• It adds additional guidance on how to achieve ISO 20000-1 certification
• Offers advice and guidance to service providers on how to plan and implement improvements
• It includes advice on development of a business case, the start up project, and a list of the main activities required to implement ISO 20000-1 successfully
• Additional  topics covered include developing objectives, developing policies, document and record management. Sample process documentation is also included.

(more…)

I am now nearing the end of my ITILv3 Foundation studies, having used one of the market-leading distance learning courses http://www.itgovernance.co.uk/products/1359 to study for the exam. So, the thing that next springs to mind is what to study for next, and how to study?

With this conundrum in mind, I am faced with an enviable task as I work for the leading reseller of IT governance-related classroom and distance learning courses. Which option to choose next, I ask myself?

To be honest, I fancy progressing my ITIL studies on to the next level, Intermediate, as most people will after completing their Foundation studies. The ITILv3 Intermediate qualifications are structured around two streams, the Lifecycle and the Capability streams. You can take courses from either stream to count toward your ITIL Expert certification.
(more…)