Home‎ > ‎

IT Governance

Improving systems processes through IT Service Management, CobiT and ITIL

Governance, Risk, Compliance (GRC)

Figure 1. Governance, Risk, Compliance elements

Figure 2. Risk Management overview

Scope of Compliance Area

Area for Considerations


Which regulations are most relevant?

Compliance sustainability must be integral to compliance strategy


Organisational structure must meet specific requirements (or intent) of each regulation. E.g., CEO and chairman being different persons


Processes must be documented and practiced

Audits or reviews must be undertaken to evaluate effectiveness and regulatory compliance

Applications and data

Applications must be re-designed, re-implemented and continuously tested to support each regulation

Data protection and handling according to each regulation


Designed and available to meet needs of each regulation. E.g., off-site records may need to be maintained


Control environment

Organisational structure

The internal control environment provides a framework for planning, executing, controlling and monitoring activities to achieve overall objectives. While important, no one structure provides any preferred internal control environment.

Assignment of authority and responsibility

Similar to organisational structure; defines assignment and integration of its total work effort.

Human resource policies and practices

Covers personnel hiring, orientation, training, evaluating, counselling, promoting, compensating and appropriate remedial action. While published polices and guidance material may exist, actual practices send strong messages to employees regarding expectations of internal control compliance, ethical behaviour and competence.

Business Analysis activities

Figure 3. Business Analysis Lifecycle, SDLC overlay[1]


Initiation, ITIL Service Life Cycle Phase: Service Strategy[2]


Predecessors, Timing

Input Documents


Interview Planning, Questions

1. Kick-off meeting; identify opportunities and challenges

Main issues, costs and possible benefits; redo as needed

Change request

ITIL: Initial Request for Change (RFC)

·         Pareto chart

·         Cause and effect graph

·         Interim cost-benefit analysis (ROI, payback period)

ITIL: Interim Business Impact Analysis (BIA)

·         Major problems expected?

·         Frequency?

·         Missed opportunities?

·         Costs and benefits of change?

·         Risks?

2. Identify stakeholders and interests

RFC made, triggering the project

Initial business case

ITIL: High-level RFC

Vision document:

·         Problem statement

·         Problem position statement

·         Stakeholders and interests table

·         Objectives

·         Features

·         Who will be affected by success or failure?

·         Users?

·         Customer?

·         Sign-off authority?

·         Each stakeholder’s interest?

3. Impact on business services and processes

Stakeholder and interests identified

Stakeholder and interests table.


·         As-is business use-case model


·         Configuration Management System (CMS)

·         Business Services catalogue

·         Technical Services catalogue

·         Exisiting S(L)As

·         Interim BIA

·         Impact of proposed changes on business services


·         To-be business use case[3] diagrams, business use cases, actors and business use-case descriptions

Alternatives to UML:

·         Interim business perspective Data Flow Diagrams (DFD)


·         Interim business Service Level Requirements (S(L)R)

·         Updated Business Service Portfolio

·         Existing business service and end-to-end processes affected?

·         Gap between requirement and present?

·         New business services or processes?

·         Expected impact on business, and other services and components, for each service?

4. Business Impact Analysis

Analyse risk at the beginning of each iteration. Reassess.

·         Vision document

·         Interim Business Impact Analysis

·         Impact of proposed changes on business services

·         Interim Risk analysis


·         Interim BIA

·         Interim Risk Analysis

·         Threats that negatively impact outcome?

·         Desirable events (opportunities) with positive impact?

For each risk,

·         Likelihood of occurrence?

·         Impact on the business?

·         Best risk-coping strategy?

Requirements: Setup and planning

Initial cost-benefit, BIA review, approval to proceed

·         Vision document


·         BIA

·         Requirements work plan

·         Requirements attributes table templates

·         Requirements traceability matrix templates


CMS framework, Service Portfolio updates

·         Requirement-management process able to address questions?

·         Degree of requirements tracking?

·         Adequate documentation (facts) on each requirement?

Requirements: update requirement attributes and traceability matrices with info on features and business services

·         Requirements traceability matrix set up

·         Requirements attribute table set up

·         Vision document

·         Overview of business services


·         Use-case diagrams

·         Business use cases

·         Actors

·         Business use-case descriptions

·         Business use-case documents


·         BIA

·         RFC, Business Service Portfolio

Updates to requirements attributes table and traceability matrix


Updates for Service Portfolio, S(L)R, CMS

·         Author?

·         Responsible owner?

·         Verify if supported in final product?

·         Likelihood of changes?


Discovery, ITIL Service Life Cycle Phase: Service Design

Adapted to agile[4]

·         Short iterations, e.g. two week sprints

·         Many iterations

·         Minimal requirements analysis and documentation, except to minimise risk and address architectural concerns

·         Frequent re-planning

·         Constant collaboration

·         Continuous testing

·         No baselining of requirements for change management

·         Requirements may be changed at any time by the product owner while they are not being implemented.

[1] Howard Podeswa. Business Analyst’s Handbook. Cengage Learning, 2008.

[2] The Initiation phase corresponds to planning and the first steps of analysis in Service Agreements (itSMF-NL, Benyon and Johnston, 2006)

[3] A business use-case description defines the interaction across the business boundary and is usually expressed using a text narrative. The text may be augmented with an activity diagram with one partition for the business and one for each actor.

[4] Jim Highsmith. “What is Agile Software Development?” in Crosstalk, the Journal of Defense Software Engineering, October 2002. http://www.stsc.hill.af.mil/Crosstalk/2002/10/highsmith.html