GovernIT: A Software for Decision-making Support on Automated IT Governance Models

We developed a software tool named GovernIT to support the creation and evolution of computer-driven Information Technology (IT) governance models. This software automates the design of decision-making grants to coordinate interactions among IT units. It also allows the assessment of business drivers and IT risks to automate the generation of implementation roadmaps for decision-support mechanisms. The software has been used by students of an IT Governance Course to assess undesirable IT behaviors for 21 organizations, to design their target IT governance model, and to generate their IT process implementation roadmap. The results of this implementation evidences the positive impact of dynamic governance models on IT risks and efficiency

Quantifying Risk Propagation Within a Network of Business Processes and IT Services

Nowadays, the organic nature of business processes and the increasingly complex and dynamic business environment make organizations face severe operational risks. However, current risk analysis methods of Information Technology (IT) resources ignore inter-process correlation and thus inter-process risk propagation. This gap needs a solution since the rigid alignment of organizations cause the risks which propagate throughout the whole organization to be the most serious operational risks. This paper presents a holistic approach for quantifying risk propagation in business processes based on the risk analysis of their underlying IT and human resources. This approach adapts financial techniques to quantify the level of risk that average and severe events on IT resources generate on individual business processes, and to quantify the risk propagation impact among dependent processes. This approach was applied to an enterprise modeling case study to quantify risk propagation for different risk epicenter scenarios. The results show that the proposed approach is capable of finding and quantifying both direct and indirect dependencies among operational assets within an organization. A high level of accuracy was observed when comparing the actual value of the process risk and the projected value considering risk propagation