Enterprise governance & Digital
transformation – Lectures
Lecture 1
Jerome Kerviel at Societe Generale
This man has cost French bank Societe Generale €4.9 billion in the biggest fraud in financial
history in 2008. €24.9 billion was actually equivalent to the market value of the bank!
He is accused of making fraudulent transactions involving European index futures that were
beyond his permitted trading limits, then creating false transactions to cover his tracks.
There were a lot of holes within the IT governance framework.
He used others’ username and passwords.
They say that the senior management team share the responsibility.
He didn’t have any limit in the transactions.
If you manage the enterprise properly, this shouldn’t happen.
The French Finance Minister was investigating the case and wants to “understand why
control did not work… and recommend additional controls.’’
Controls can be everything; people, processes, passwords, etc.
The government report indicated:
Failure to set and monitor gross trading limits held by each trader; apparently,
Kerviel did not even have a defined gross exposure limit
Breaches in the access control mechanisms: It is alleged that Kerviel sometimes used
the login and passwords of his colleagues to conduct factious trades
Lack of independent confirmation of both external and (wrong) internal
counterparties to the trades that had been made
Inadequate follow-up by management as and when alarms were raised, particularly
when one of the clearing houses alerted the bank about the unusual positions in
Kerviel’s book
Failure to review all transactions executed by each trader.
Segregation of duty: separation of duty. In the banking/financial/transaction industry, the
person who can execute, approve, plan, etc. the transaction should be different people. If
one person covers all the roles, it’s easy to be fraudulent.
Concept of segregation:
operating tasks
approval tasks
monitoring tasks
auditing tasks
1
,Penalty: he had to pay up the € 4.9 billion and sentenced 3 years in prison. And he was
banned from the financial service industry.
Immediately after, he was offered a job as IT consultant.
What is IT Governance?
Definition: Aligning IT with the business objectives
The role of IT in business: more about appraison
CIO sitting in the board of directors: IT have equivalent say
IT Governance vs IT Management
IT Governance Institute makes a clear distinction between IT Governance and IT
Management.
IT Management is more on the operational level; managing the daily activities.
Responsibility of the managers.
IT Governance is more related to the risk management. In the responsibility of the
CIO and board of directors.
IT Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; setting direction
through prioritization and decision making; and monitoring performance and compliance
against agreed-on direction and objectives.
IT Management
Management plans, builds, runs and monitors activities in alignment with the direction set
by the governance body to achieve the enterprise objectives.
IT Governance concepts
It’s not only about the rights, but also about responsibility.
The CIO usually may or may not be included in the board of directors. It depends on
the type of organization.
The IT auditor should be in the internal control department. They should be
independent. They need to be organized in the IT governance framework.
1. IT governance is “the framework for the leadership, organizational structures and
business processes, standards and compliance with these standards, which ensures
that the organization's information systems support and enable the achievement of
its strategies and objectives”.
2. IT governance is “specifying the decision rights and accountability framework to
encourage desirable behavior in using IT”
Governance Arrangement Matrix (EXAM question)
Decisions: items of IT governance/concepts
Archetype: the stereotype examples. Different stereotypes of models.
IT Governance concepts
IT principles: clarifying the business role of IT
2
, IT architecture: defining integration and standardization in a set of policies,
relationships and technical choices.
IT infrastructure: determining shared and enabling services such as
telecommunication networks, servers, databases, intranet. But also human
infrastructure of knowledge, skills, standards and experience binds components.
Business application needs: specifying the business need for purchased or internally
developed IT applications
IT investment and prioritization: choosing which initiatives to fund and how much to
spend
Archetypes
Business Monarchy: group of business executives or individual executives. Includes
committees of senior business executives (may include CIO). Excludes IT executives
acting independently.
IT Monarchy: individuals or groups of IT executives. IT professionals make IT
decisions
Feudal: business unit leaders, key process owners or their delegates. Business unit
takes the lead; they don’t care about others.
Federal: c-level executives and business groups (for example business units or
processes); may also include IT executives as additional participants (depends on the
situation). Equivalent of the central and state governments working together. They
are not at all working isolated. They should ensure information can be communicated
across different units. So, others can be involved as well.
IT Duopoly: IT executives and one other group. Means you have two dominating
parties. IT should have a role and the other party might come from the C-level or
business level.
Anarchy: each individual user. Everybody can make a decision (so actually nobody
can make a decision). Already abandoned in most companies.
Key players in IT Governance archetypes
How enterprise actually governance IT (EXAM question)
3
transformation – Lectures
Lecture 1
Jerome Kerviel at Societe Generale
This man has cost French bank Societe Generale €4.9 billion in the biggest fraud in financial
history in 2008. €24.9 billion was actually equivalent to the market value of the bank!
He is accused of making fraudulent transactions involving European index futures that were
beyond his permitted trading limits, then creating false transactions to cover his tracks.
There were a lot of holes within the IT governance framework.
He used others’ username and passwords.
They say that the senior management team share the responsibility.
He didn’t have any limit in the transactions.
If you manage the enterprise properly, this shouldn’t happen.
The French Finance Minister was investigating the case and wants to “understand why
control did not work… and recommend additional controls.’’
Controls can be everything; people, processes, passwords, etc.
The government report indicated:
Failure to set and monitor gross trading limits held by each trader; apparently,
Kerviel did not even have a defined gross exposure limit
Breaches in the access control mechanisms: It is alleged that Kerviel sometimes used
the login and passwords of his colleagues to conduct factious trades
Lack of independent confirmation of both external and (wrong) internal
counterparties to the trades that had been made
Inadequate follow-up by management as and when alarms were raised, particularly
when one of the clearing houses alerted the bank about the unusual positions in
Kerviel’s book
Failure to review all transactions executed by each trader.
Segregation of duty: separation of duty. In the banking/financial/transaction industry, the
person who can execute, approve, plan, etc. the transaction should be different people. If
one person covers all the roles, it’s easy to be fraudulent.
Concept of segregation:
operating tasks
approval tasks
monitoring tasks
auditing tasks
1
,Penalty: he had to pay up the € 4.9 billion and sentenced 3 years in prison. And he was
banned from the financial service industry.
Immediately after, he was offered a job as IT consultant.
What is IT Governance?
Definition: Aligning IT with the business objectives
The role of IT in business: more about appraison
CIO sitting in the board of directors: IT have equivalent say
IT Governance vs IT Management
IT Governance Institute makes a clear distinction between IT Governance and IT
Management.
IT Management is more on the operational level; managing the daily activities.
Responsibility of the managers.
IT Governance is more related to the risk management. In the responsibility of the
CIO and board of directors.
IT Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; setting direction
through prioritization and decision making; and monitoring performance and compliance
against agreed-on direction and objectives.
IT Management
Management plans, builds, runs and monitors activities in alignment with the direction set
by the governance body to achieve the enterprise objectives.
IT Governance concepts
It’s not only about the rights, but also about responsibility.
The CIO usually may or may not be included in the board of directors. It depends on
the type of organization.
The IT auditor should be in the internal control department. They should be
independent. They need to be organized in the IT governance framework.
1. IT governance is “the framework for the leadership, organizational structures and
business processes, standards and compliance with these standards, which ensures
that the organization's information systems support and enable the achievement of
its strategies and objectives”.
2. IT governance is “specifying the decision rights and accountability framework to
encourage desirable behavior in using IT”
Governance Arrangement Matrix (EXAM question)
Decisions: items of IT governance/concepts
Archetype: the stereotype examples. Different stereotypes of models.
IT Governance concepts
IT principles: clarifying the business role of IT
2
, IT architecture: defining integration and standardization in a set of policies,
relationships and technical choices.
IT infrastructure: determining shared and enabling services such as
telecommunication networks, servers, databases, intranet. But also human
infrastructure of knowledge, skills, standards and experience binds components.
Business application needs: specifying the business need for purchased or internally
developed IT applications
IT investment and prioritization: choosing which initiatives to fund and how much to
spend
Archetypes
Business Monarchy: group of business executives or individual executives. Includes
committees of senior business executives (may include CIO). Excludes IT executives
acting independently.
IT Monarchy: individuals or groups of IT executives. IT professionals make IT
decisions
Feudal: business unit leaders, key process owners or their delegates. Business unit
takes the lead; they don’t care about others.
Federal: c-level executives and business groups (for example business units or
processes); may also include IT executives as additional participants (depends on the
situation). Equivalent of the central and state governments working together. They
are not at all working isolated. They should ensure information can be communicated
across different units. So, others can be involved as well.
IT Duopoly: IT executives and one other group. Means you have two dominating
parties. IT should have a role and the other party might come from the C-level or
business level.
Anarchy: each individual user. Everybody can make a decision (so actually nobody
can make a decision). Already abandoned in most companies.
Key players in IT Governance archetypes
How enterprise actually governance IT (EXAM question)
3
