IT Governance and Risk Management


Slide 1

Hi, I am Karen Bard, the Chief Marketing Officer for Ion My Care. This presentation focuses on how to get things just right to achieve both good governance and appropriate risk management. Recent failures in corporations and major IT projects have brought the attention of boards to focus on the IT function and its governance processes. Every head of IT faces the challenge of demonstrating adequate process in both of these areas. Pressure from boards to deliver stakeholder value has cascaded downward to ensure due care at all levels within the organization. Demonstrating due care can be achieved with the right framework coupled with the proper corporate culture. Corporate culture is critical but not the subject of this talk; it is a subject all on its own, and good luck to those who are tackling that issue. However, I will provide some guidance for developing a solid framework for good governance and risk management.

Slide 2

I am fairly new to this industry, but in having conversations with those of you that have been around a while it has been interesting to hear the common threads between the industries:
Lack of standards
Lack of integration
Need for human resources
The paradigm of automating what we do rather than innovating your business
Therefore, I believe that what I have to say will be relevant to you. For those of you that have read my background and know that I come from the oil and gas industry, I hate to disappoint you in the fact that you are not going to get a talk full of oil and gas disaster stories. Lives at risk and regulation are inherent to both industries and thus, (click) we will start with this statement. I have seen this statement a lot recently. The point I wish to make is that the first thing that comes to my mind when thinking about these topics is an enormous amount of process generating even larger amounts of data. Thus the follow-up question of (Click) Can you ….. Governance and risk management is not about being data overloaded and information starved. It is about taking the time to find the right information supported by the right systems with data integrity at the foundation. This allows us to (click) focus on the right activities, triggering appropriate responses to build and sustain the business while managing the appropriate level of risk.

Slide 3

The first challenge of the day is how to keep your interest. But, before we get started, I would like to clarify what we will be focusing on regarding governance. I think of two things when the word governance is mentioned. First (Click) regulation. This occupies a lot of time and is the source of a lot of stress when undergoing an audit. However, that isn’t what we will be talking about. But if we were, (click) I think a good analogy would be this children’s story with the big bad wolf symbolizing the regulators. The second thing I think of, and what we will focus on today, (click) is how you demonstrate the value of your company’s investment in IT. For this analogy we will use (click) Goldilocks and the Three Bears. So let me take you through an old children’s story that teaches us about picking and choosing the right tools that fit you and your needs to enable the business and recognize the appropriate level of risk that you accept knowingly through your decisions and actions.

Slide 4

The story of Goldilocks and the Three Bears. It starts with the bears making a decision to leave the house and let their porridge cool down. And the bears accepted a level of risk by leaving their door unlocked. Along comes Goldilocks, and she decided to freely enter and look around, trying out the porridge, the chairs and the beds. But in the end she too slipped up and got caught in the house when the bears returned. As we go through each chapter, the porridge, the chairs and the beds, we will talk about key lessons for governance and the counterpart lessons in risk management. We will conclude with the encounter, where we will review the key insights and finish with a humorous anecdote if you choose to stay with the status quo.

Slide 5

Four principles of IT governance. For IT investment there are two:
1. Align IT with the business strategy and deliver the functionality and services the organization needs to do what it wants to do.
2. IT and other new technologies should enable the organization to do new things never possible before, not just automate the way it has always been done.
For managing must-haves (covering the right to be in business) there is one:
3. IT-related services and functionality should be delivered at the maximum economical value, or in the most efficient manner, ensuring that resources are used responsibly.
The last principle is for risk management and security:
4. All risks relating to IT should be known and managed, and IT resources should be secured.
Saying this is fairly easy, but achieving it is quite difficult in practice. Think about how easy it is for you or your corporation to state that you support world peace and/or work to reduce world hunger. It is politically correct and reflects well on both of you. Easy to say; a little harder to demonstrate. Governance lays a foundation for that proof.

Slide 6

Principles of risk management: Risk management is usually focused on negative outcomes. We need to remember that risk can have positive effects. What if your marketing strategy is too successful? Beyond your wildest dreams. What risks would you be facing then? Thus risk management also includes harnessing those things that will help to achieve the goals and objectives of your business. There are three risk types to be managed:
Uncertainty based
Hazard based
Opportunity based
In my experience it is this last risk type that is so often overlooked. (Click) In making decisions to do the right thing you consciously accept a certain level of risk whether or not you have the appropriate tolerance, culture or mitigation plan. The problem with risk management is that ‘you don’t know what you don’t know.’

Slide 7

Asking why! Goldie goes through three bowls before she finds the right one and eats it all up. Papa Bear’s is too hot, while Mama Bear’s is too cold and Baby Bear’s, of course, is just right and gets eaten all up. Now why are they all different if Mama Bear made one batch? And why isn’t Baby Bear’s the coldest, since it is in the smallest bowl and would logically cool the fastest? We all ask why to a certain extent before we approve any strategy, funding, portfolio, project etc. But do we ask it enough times? Do we actually find the source of the problem to ensure we are doing the right thing and not just putting a band-aid on a symptom? (Click) I would propose that in most instances we do not. Functional silos are a major contributor to this. TELL the CIO MORNING TEA STORY. Once we think we know what it is we should do, the other two questions of legality and ethics come into play. I would suggest that if you are bending, stretching or breaking legal or ethical boundaries then things are getting too hot! Perhaps there should be another one added here. All of these are fairly internal in nature. Perhaps an outward-looking question of ‘Are our clients ready to accept this technology?’ If not, what else needs to be done to get them ready if we move forward?

Slide 8

Do you truly have the right risk tolerance for the strategy you have put in place? Do you find the risk you are accepting a little too hot to handle? If so, what tactics do you use to reduce the risk or cool it down a bit? But don’t stop there. (Click) Be aware that different functions have different risk tolerance levels. What is acceptable for one is not acceptable for another. In addition, due to other projects, their risk tolerance may change based on the timing of your projects. (Click) Last but not least is understanding the full range of potential outcomes. I don’t know how many probability results I have seen where they arbitrarily remove certain possibilities. In the oil and gas industry, we don’t really know what the full upside is, but it is inevitably optimistic. But we do know the downside potential: that there can be a non-economic result, or worse yet a non-commercial result, and even worse that we could find absolutely nothing. But those downside scenarios are often ignored for some reason or another. The usual culprits are politics and egos. As work climbs up the ladder through the organization, person after person has systematically increased or reduced risk by clipping the ends of possible outcomes. Unfortunately, this can lead to a very bad culture where management knows that this process goes on, and thus biases their views by applying fudge factors or filters to everything they hear. But the workers catch on, and so they start compensating what they report up by those same fudge factors. A culture of this type is very dangerous to live in. Be aware that it happens and try to break it.

Slide 9

The chairs are either too hard, too soft and then of course just right. But here the story has a little twist. Goldilocks actually breaks the chair that she chooses, so how could it have been just right? (click) Aligning with the business has gotten much play time over the past few years and most of us find it simply just too hard. I was lucky in my position at Santos in that it just was so easy, like a nice soft chair. Why? Because I came from the oil and gas business. So adopting their governance processes into the IT support function was natural. The benefits were that the business felt that quality assurance was finally in place because they understood and recognized the process. In addition, we adopted the same economic criteria and jargon used by the business for approving projects. Thus, executives may not understand all the boring details of needed infrastructure standards, rationalization and integration. But when they heard a return on investment of a certain amount, they knew exactly what investment benefit they could expect out of approving the project or budget. The key issue for me in aligning with the business is to separate out two portfolios: the first for keeping the lights on and maintaining the right to be in business. This is an expense to be managed. The second portfolio should be the investment into the business to help enable it and sustain its capabilities. But then there is the issue of how we allocate the budget in that portfolio to the different corporate goals. How do you decide what needs to be done; how to split your funding; how to manage your activity in an already overloaded business? Getting executives to prioritize the corporate goals is hard. They usually put the one that falls mostly in their area of responsibility at the top. It is difficult because they are normally interdependent. Here is a trick. I took the six corporate goals and paired them off into unique sets. I then put each pair individually in front of each executive and had them rank on a normalized scale the priority they would give to each. I then averaged all the results and applied these factors to the portfolio and proposed the budget of projects we could afford to do in support of each corporate goal. This allowed a very productive discussion on project priorities and alignment with other business activities. (Click) Too many times we are soft on the engagement of stakeholders. Fear of having too many opinions and being unable to make a decision to move forward is usually the root cause for limiting the engagement. But the ultimate blame goes to you for the solution not solving the problem or creating new ones ‘supposedly unforeseen’. You need to throw a wide net to involve all stakeholders but balance this with the proper decision rights, which is the heart of what governance is all about. Who has the right to make what decisions? But also, who has the right to have a say? Engaging the business and keeping it engaged is a major problem. I find it very interesting in human behaviour where the business comes to you with a problem/solution they want fixed/implemented. You have marketed the fact that ‘there is no such thing as an IT project, just business projects’. And yet, as soon as you approve the project out of the IT budget, the business steps back, says it is an IT project and complains when it is stalled due to lack of business resources, costs begin to escalate and then the end product is really not what they said they wanted. Governance is about understanding the roles and responsibilities we all have. (Click) Alignment does not stop at an internal view. There are so many activities outside of our business that influence internal behaviour and decision making. Don’t forget to apply the same processes, questions and controls to an external view as you do with the internal view.

Slide 10

Patience, what most of us lack. (Click) Managing expectations between instilling change that is sustainable vs. having immediate ‘financial’ results from our efforts. Time, time and patience. Balance of quick wins and long-term human behaviour changes. (Click) Risk management is not a one-off activity. You don’t do it once a year for corporate planning and you don’t do it once at the beginning of a project and then forget about it. It is almost a “what can possibly go wrong today” with your coffee in the morning and “I am so proud nothing happened today” on your way home type of activity. A constant, everyday process. Health and safety are very key issues in the oil and gas business. Having any accident in operations is very detrimental for business. Therefore, health and safety are the first things talked about and risk management is inherent in ensuring both. But in other areas of the business, risk management is more of an afterthought. Probably because we aren’t usually in a life-threatening position. But what we are safeguarding is the life of the corporation. If we safeguard that as closely as we do real life then perhaps risk management will have its proper respect. I have been on many projects in many different corporations and invariably they have a risk management process that includes a register. What is the risk, what is the impact, what is the mitigation plan etc. Everyone starts with the best of intentions, but I have yet to see a risk register be kept up to date and actively worked to the end of the project, except my own of course. It never maintains the priority it should have. My philosophy is that I manage everything from a risk perspective. You cannot manage all risk because there are things that do happen that you don’t foresee. But if you manage what you do know well, so much less will go wrong. (Click) IT maturity has had a large amount of air time as well recently. There are processes and diagrams galore out there on the subject. But again, like risk appetite, it varies across your corporation from function to function or department to department. Gaining IT maturity can be expensive. Stop and ask yourself, ‘Do we need the same level of maturity across all functions?’ The answer is probably not. So work to achieve what is appropriate, not the one-size-fits-all rule.

Slide 11

Governance is a tool by which you can make two choices. You can go down two basic paths, one of blame or one of responsibility. The mechanisms of governance allow you to know what exactly went wrong and who is the responsible party. This can be easily used to instil a culture of blame and finger pointing. However, the business benefits of governance and risk management are to learn from your experiences, both good and bad. It is human nature to focus only on what went wrong, but equal focus needs to be placed on your strengths as well as your weaknesses. After all, they are two sides of the same coin. Every strength has a corresponding weakness associated with it. By focusing on the strengths you build upon them and identify areas of weakness. By focusing on what goes wrong, you can build, learn and hopefully never repeat the same mistakes. Put a positive culture in place regarding governance and risk management. Stay above the line in the zone of responsibility, not below the line in the zone of blame.

Slide 12

Can the benefit stated actually be achieved? Is it real? (Click) In identifying and calculating benefit, understanding the dependency that is inherent to everything is important. A typical example is upgrading an automated financial system that will provide you with greater accuracy and thus some financial benefit. You know, just because the software is capable of doing that, it doesn’t make it so if the data you provide still has the same impreciseness. (Click) Identifying all the benefits. I recommend that two people be responsible for identifying benefits. There are benefits from the business and from the IT function. Let me give you an example. A business case was proposed to turn on an Oracle financial module that we already owned, just weren’t using. Cost was in learning how to use it. Benefit was a cut down in number of staff for invoicing and accounts receivable. They were going to release a couple of employees and re-deploy some others to a higher activity that also provided financial benefit. The project met all economic and risk criteria and would be approved. But, it wasn’t quite yet. One of the team on the approval committee asked one of those darn questions. First a statement: this is a no-brainer, $2.5 billion goes through that system every year, why wouldn’t we want our money sooner? But what is the financial benefit to the company of receiving that income faster? In other words, what would be the benefit to us of either depositing it early and earning interest or being able to invest that money faster into new opportunities? If not captured up front you will never revisit the issue again. Why is it important? It is important for you to demonstrate the full value of your company’s investment in technology. It helps you demonstrate the management of your own function as well as delivering value in other areas as well. It allows you to have an investment discussion rather than a cost discussion. (Click) Do the metrics you put in place really make sense? Are they real or superficial? Be willing to change them if they aren’t working for you. Process vs. technology: can you accelerate the benefits by changing process ahead of technology implementation? Engaging the business to change process and behaviour before you implement technology can accelerate the benefit to the business. Implementing technology before changing process only magnifies what was wrong to begin with. Technology is usually not the root cause of most failures; people and process are.

Slide 13

(Click) How do you know if you are heading for a train wreck? Lead indicators are sometimes elusive and hard to find. Playing with data to find correlations can be fruitful. David’s story on finding a lead indicator of 6 months. (Click) Metrics can be similar in nature to lead indicators. They are hard to find and get right. Do your metrics trigger action? Do they cause you to take some action? If not, then they don’t pass the ‘So What test’ and need to be changed. (Click) Do you have something planned up front, or do you figure out what to do after the “OMG, we messed up” statement comes out of your mouth?

Slide 14

(Click) You can start with risk management and put that in place and then build your governance program. But without risk management you cannot claim to have good governance. And you don’t have to wait for corporate to put something in place. If you are a project manager, start with your projects; if you are a division manager, start setting the example there. (Click) Remember that the culture around governance and risk management is not a state of being. It is not an end game. Start small on key issues and slowly push in a positive direction. Work at it and mould it to where it needs to be and continue to keep in step with the changes to your business from within and from without. (Click) Due to differences in culture, IT maturity, systems complexities and, most importantly, differences in these areas across the business, there is no fixed solution. Trial and error will be required.

Slide 15

Elements of a poor governance program, leveraged from Minter Ellison Lawyers. I have taken the liberty of changing the order.
Let’s have all the functions compete with one another. Translation: instead of supporting 1 company, let’s support 7.
Don’t involve anyone from the business. They don’t really know what they want.
8. Definitely better to keep them totally in the dark. That way they don’t really know what to blame you for later.
7. Budget overrun? No problem, cut the testing. They can test it as they use it.
If we do that then why not throw the standards out the window? Not following them will certainly help the budget.
5. If we aren’t going to follow standards, then why don’t we have multiple processes, tailored to every prima donna in the company?
4. Make sure no one has accountability but everyone can be blamed in the end, so we can pick the right fall guy.
3. If we can get away with that, then push it further and make IT the King of the Mountain. The universe revolves around the IT department, doesn’t it?
2. To make all of this easier to achieve, let’s make everything more complicated than is necessary.
1. Ultimately, we want to sustain this culture of failure.

Slide 16

Thank you for your time, and I hope that you have gleaned some insight into how you can make an impact on governance and risk management, not only in the areas that you are directly responsible for but by setting a good example so that others will want to follow you.

Slide 1

Governance and Risk Management
Karen C. Bard, Chief Marketing Officer, I.on My Care

Slide 2

The Devil is in the Detail
Can you see the forest for all the trees?

Slide 3

Governance
Enabling the business for Growth and Sustainability
Keeping the Executives out of Jail

Slide 4

Table of Contents
Chapter 1: The Bears (Governance)
Chapter 2: Goldilocks (Risk Management)
Chapter 3: The Porridge (1st Lesson in Governance; 1st Lesson in Risk Management)
Chapter 4: The Chair (2nd Lesson in Governance; 2nd Lesson in Risk Management)
Chapter 5: The Bed (3rd Lesson in Governance; 3rd Lesson in Risk Management)
Chapter 6: The Encounter (Conclusions)
Chapter 7: Back to Normal? (Anecdotes)

Slide 5

Chapter 1: The Bears (Governance)
Doing the Right thing for the Right reason for the Right benefits.

Slide 6

Chapter 2: Goldilocks (Risk Management)
Having the Right tolerance with the Right culture with the Right mitigation

Slide 7

Chapter 3: The Porridge (Governance)
Right Thing
Do you ask 'Why' enough times?
Can we do it legally?
Should we do it ethically?

Slide 8

Chapter 3: Right Tolerance (Risk Management)
Have you identified the real upside and downside?
How does it vary across the corporation?
What is your appetite for risk?

Slide 9

Chapter 4: The Chairs (Governance)
Right Reason
Are you aligned with the business?
Have you engaged all stakeholders?
Are you aligned with outside influences?

Slide 10

Chapter 4: Right Culture (Risk Management)
Can you find the right balance between time for change vs. the need for results?
How often do you think about Risk Management?
What is the individual IT Maturity of each function?

Slide 11

Chapter 4: Right Culture (Risk Management)
Culture is a varying state of being and hard to get right the first time.

Slide 12

Chapter 5: The Beds (Governance)
Right Benefit
Do you understand all the dependencies?
Have you identified all the benefits?
Can you find the right metrics to ensure measurable results?

Slide 13

Chapter 5: Right Mitigation (Risk Management)
Can you find good lead indicators?
Can your metrics pass the 'So What Test'?
Do you actually have a plan for each risk factor?

Slide 14

Chapter 6: The Encounter (Conclusions)
You can’t claim Good Governance without Good Risk Management.
Changing your culture will take time and patience.
A one-size-fits-all attitude will not work.

Slide 15

Chapter 7: Anecdotes
Create a culture of failure.
Over-complicate things.
The IT department is king.
Responsibility without accountability.
Encourage creative processes.
Who needs standards?
Testing? What testing?
Keep them in the dark.
Why involve them?
Compete, compete, compete.
Paul Kallenbach and Luke Scanlon, Minter Ellison Lawyers

Slide 16

The End

Summary: Education Presentation on Governance and Risk Management by Karen C. Bard - Chief Marketing Officer of i.on my
