This document discusses I.T. strategy, risk management, and governance. It begins with an introduction of Steve Howse, the president of Millington & Associates, and his background. The document then discusses what I.T. strategy and governance entail and why they are important. It introduces the "20 questions" framework as a tool to assess I.T. strategy, risk, and governance. The questions are categorized into strategic issues, internal control issues, and risk issues. The document dives deeper into examples of risks and what organizations can do to address risks such as dedicating board members to I.T. committees and ensuring business continuity plans are tested.

1. I.T. Strategy, Risk
Management & Governance
Steve Howse, C.Dir.
President, Millington & Associates Inc.
steve@millington.ca

2. President, Millington & Associates Inc.
• Facilitator, Strategist, Communications & PR, I.T.
Assessments & Risk Mitigation, Governance
• 16 years Corporate Leadership
Forum Chair, MacKay CEO Forums
• The CEO peer learning group partnered with Canada’s Best
Managed Companies.
Adjunct Professor,
• DeGroote School of Business, McMaster University
- Strategy, B2B Marketing, International Business
• Executive Education
- Sales Leadership, Strategic Planning, Crisis Management
• The Director’s College
- IT Strategy, Corporate Reputation Management
Professional Speaker
• Conferences, Corporate Events, Sales Rallies
Board Appointments
Numerous For Profit and NFP Boards

3. What is IT Strategy &
Governance
• Assure IT assets are leveraged effectively
• Understand the risk & rewards, therefore making informed
choices
• Understand IT capacity & capability and assess alignment
with organizational goals and objectives
• Appropriate exposure and discussion at the board level
• Measurement and course correction

4. June 12, 2015
• Cyber attacks raid small firms too: City's NoMoreClipboard a victim
• Store your medical records in one place online, be able to update them from your
own home when needed and, more importantly, be able to share them with a
physician or other health care group before you get to a doctor’s office or
emergency room.
• But what happened last month to the NoMoreClipboard network – as well as the
network for the Fort Wayne medical software company behind it – is also the
latest in a growing trend plaguing the health care industry as a whole:
• They were hacked.
• People’s names, addresses, dates of birth and Social Security numbers as well
as other information were all vulnerable for nearly three weeks in May until
officials with Medical Informatics Engineering – the parent company of
NoMoreClipboard – discovered the hack.

5. Why is IT Governance Important?
• Target: Credit Card information
– Target spent $61 million through Feb. 1 responding to the
breach, according to its fourth-quarter report to investors.
– Target’s profit for the holiday shopping period fell 46 percent
• Others in 2014: K-Mart; Home Depot, Dairy Queen & Goodwill
• Bell Mobility - Billing
• TJX (Winners / HomeSense) hacker stole client info including
credit cards

6. TJX
• What are the key learnings?
• What could have been done differently?

7. Carol Meyrowitz, President and Chief Executive Officer
of The TJX Companies, stated:
"From the inception of our Company, our customers have
always come first. We deeply regret any inconvenience
our customers may have experienced as a result of the
criminal attack on our computer system”.

8. • Estimated costs to TJX related to this settlement were
reflected as part of the $107 million (after tax) reserve
for estimated potential losses…
• Future non-cash charges of $21 million (after tax)
anticipated to be taken in fiscal 2009.

9. May 8, 2013: Nearly 70% of
Canadian businesses hit by cyber
attacks, says year-long survey
• Over a one-year period, 69 per cent of Canadian businesses said
they experienced some type of cyber attack
• Dubbed the Study of the Impact of Cyber Crime on Businesses in
Canada, the survey followed 520 small, medium and large
Canadian businesses over the course of one year and tracked how
their bottom line was affected by cyber crime.
• "About a quarter (26 per cent) of those interviewed say that attacks
had a considerable impact on their business both in terms of
financial loss and reputational damage with financial fraud being
the biggest threat," the report states.

10. Take A Moment – Once
Around The Room
• List 3 concerns you have about IT
strategy & Risk
1.
2.
3.

11. Areas to Address
Strategic Issues
1. Strategy and
Planning
2. Technology Trends
3. Performance
4. Personnel
Internal Control
Issues
5. Governance
Risk Issues
6. Risk and Controls
7. Personal Information
and Privacy
8. E- Business
9. Availability
10. Legal Issues

12. The Bart Study
• The questions are a
good idea
• Those who use them
have higher performance
• Some questions are
over-asked
• Only 40ish percent use
them
• Everyone uses them
after a problem
Going to the Gym
• Everyone believes exercise
is a good idea
• Exercise leads to physical
and mental wellness
• Doing one exercise over
and over will have little
result
• Most people can’t find the
time to go
• Everyone takes care of
their health after a scare
Bring the 20 questions to meetings – process makes you SMART

13. Strategic Issues
I Strategy & Planning
1. Does management have:
– A plan that is monitored and updated
– Link to annual and long term budget
– Basis for project prioritization
II Technology Trends
2. Does management have:
– Procedures to investigate trends
– Assess them in efforts to better position the company

14. Strategic cont’d
III Performance
3. Does the IT department have
– Key Performance Indicators in place
– Monitored & benchmarked to industry standards
4. Is the same same in place for 3rd
Party Providers
Annual report cards, penalty clauses
IV Personnel
5-6. Has management processes:
– Identified required skills
– Attract, develop and retain key personnel

15. Internal Control Issues
V Governance
7. Has the Board:
– Created an IT subcommittee (OR)
– Assigned 1 member
- Investment in, processes & use of IT
7. Has Management:
– Assigned IT corp. governance to sufficient senior
management
– Communicated IT policies to personnel
7. What compliance policies are in place
– SOX, CSA

16. Risk Issues
VI Risk & Controls
10. Does risk assessment occur for:
– Internal systems and processes
– Outsourced services & third party communications
– Any other services
– HOW ARE THE RESULTS ACTED UPON
10. How does management ensure data integrity in regard to:
1. Relevance, completeness, accuracy & timeliness
2. Appropriate use
• How often are systems audited for
– Risk mitigation
– Controls in place for major business processes

17. How big is your dog?

18. Lets take a deeper look into Risk
Management at the board level

24. Risk cont’d
VII Personal Information Privacy
13. An individual assigned to Privacy:
– Policy, legislation and compliance
14. Identify and comply with legislation in regard to
protecting personal information
VIII E-Business
15. Review of risks and controls for E-Biz transactions
16. What protection (internal & external) is in place to
protect against financial loss or embarrassment

25. Risk cont’d
IX Availability
17. What availability policies are in place for systems and data
18. Does the organization understand
– The impact of service interruptions
– The need for business continuance / disaster recovery
– If Business Continuance (BCP) are tested and improved
regularly
X Legal Issues
19. Has management considered and addresses:
– Software, hardware, service agreements & copyright laws
20. Has the above policies been disseminated to all personnel

26. Top Risks of 2014
• Overreliance on one security monitoring software:
• Technology innovations that outpace security:
• Outdated operating systems:
• Lack of encryption:
• Data on user-owned mobile devices:
• Lack of management support:
• Challenges recruiting and retaining qualified IT staff
• Segregation of duties

27. What we can do?
• The Millington Way – be vulnerable
Be open about what you don’t understand
• Bring the 20 question books with you to board
meetings
Submit the 20 questions as an agenda item
Assign to committee for a report/assessment based
on 20 questions
Review the report by committee (audit/risk)
Submit report to board for approval
Add to Internal Audit reporting process

28. • Dedicate 1 Board member or form an IT Committee or a Risk
Committee
Qualifications: Work for a Tech company; former CIO, Risk
Expert, sits on other boards
• Ensure the CTO / CIO reports to the CEO and not the CFO
–Not a budget controlled area
–CEO needs a strong understanding
• Invite the CTO to joint strategy sessions
–Ask for a risk assessment of strategic plan
• Benchmark the IT knowledge of the Board as it relates to the
company
–As it relates to your industry

29. • Ensure Business Continuance plans are in place and
tested regularly
Including a Crisis Communications Plan
• Ensure Internal Audit measures IT
Both internal and external systems
Consider a Chief Risk Officer
• Complete an assessment of your vulnerabilities
The board can hire a firm to attack the system

30. Questions & Discussions?
Steve Howse
Millington & Associates
steve@millington.ca
416-452-4813

31. Areas to Address – The 20 Questions
Strategic Issues
1. Strategy and Planning
2. Technology trends
3. Performance
4. Personnel
Internal Control Issues
5. Governance
Risk Issues
6. Risk and Controls
7. Personal Information
and Privacy
8. E- Business
9. Availability
10. Legal Issues