Ontario Pension Board (OPB) administers a major government-sponsored defined benefit pension plan. OPB recognized the need to ensure it had the people, processes and technology to provide better and more personalized service to all clients and stakeholders. As part of an internal review of its information technology (IT), OPB’s IT Services & Project Management Office (PMO) engaged The Manta Group to use the COBIT 4.0 framework to support a self-assessment of its IT functions. Control Objectives for Information and related Technology (COBIT) provided OPB with a comprehensive framework for IT governance that helped identify strategies to close gaps, optimize IT investments, ensure effective service delivery and provide a measure against which to judge when things go right.
Ontario Pension Board (OPB) administers the Public Service Pension Plan (PSPP), a major defined benefit pension plan sponsored by the government of Ontario, Canada. With more than CAN $15 billion in assets, 150 employees, 34,600 active members, 36,900 pensioners and 4,800 deferred members, the PSPP is one of Canada’s largest pension plans. It is also one of the country’s oldest pension plans, dating back to the early 1920s. Membership is made up of eligible employees of the provincial government and its agencies, boards and commissions. OPB manages investment-related processes in accordance with relevant legislation.
The PSPP is a defined benefit pension plan. This means retired members receive a pension benefit based on a preset formula that takes into account each member’s earnings history and years of service with the plan. To fund the pension promise, members and employers make contributions to the plan.OPB’s promise is fourfold:
The total cost of operating the PSPP in 2006 was CAN $41.6 million. OPB has a well-defined operating structure and high professional standards, and places considerable emphasis on a solid governance framework to ensure that OPB:
The Board delegates the day-to-day administration to OPB’s management team. During 2006, OPB moved forward with a multiyear action plan aimed at ensuring that OPB has the people, processes and technology needed to protect the pension promise and provide better and more personalized service to all clients and stakeholders. The action plan includes IT system upgrades, an elevation of service delivery, increased training and development efforts, redesign of annual pension statements, client satisfaction surveys, and educational and advocacy initiatives.
OPB will accomplish this by transforming IT technology resources by re-engineering and leveraging current technologies and frameworks, such as imaging, enterprise content management, workflow and service-oriented architecture. The business goal is to provide better, faster, smarter service to clients. This is a significant undertaking, and it was deemed necessary by IT Services and PMO management that enhancements to the current service delivery methods and tools, along with improved IT governance and control, would be necessary to ensure the success of the project and supporting operational infrastructure. OPB has a quality management system accredited to ISO 9001:2000 and saw an opportunity to leverage other best practice standards.
OPB engaged The Manta Group, which offers four sets of main consulting services: Governance, Portfolio Management, Service Management, and Risk and Compliance. The Manta Group recommended using Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute (ITGI) as the IT governance framework. The company has solid experience using COBIT within government, retail, media and finance sectors in Canada.
The Manta Group developed its COBIT Assessment Framework to accelerate assessment and reduce the costs of adopting COBIT 4.0. The framework uses a high insight-to-effort methodology, tailored to the client. This approach facilitates rapid assessment and identification of under-controlled targets for quick-win results by analyzing customer demand for technology against risks and capabilities and value. This approach is aimed not just at assessing maturity but also at determining what level of maturity is desirable and why.
The scope of the project was for The Manta Group to assess the IT functions as an input to OPB’s review of its current outsourcing model. This included performing a gap analysis to identify opportunities for servicing the business. Recommendations were made in relation to the possible refinement and enhancement of IT Services & PMO functions to align the overall services being delivered to the business.
The Manta Group worked with OPB to use COBIT 4.0 to:
The assessment included the entire 34 COBIT control objectives and the supporting 215 detailed control objectives. A self-evaluation methodology was used to assess the level of maturity and impact of the 34 COBIT control objectives. An audit approach was not used; hence, the results are based upon perceived conformance as opposed to using objective evidence.
OPB’s IT management team and staff members successfully assessed the entire 34 COBIT control objectives and the supporting 215 detailed control objectives. Each of the 34 COBIT control objectives and their supporting detailed control objectives were allocated to either management or staff to assess according to their familiarity with the subject matter.
OPB’s management team assessed PO1, PO2, PO3, PO5, PO7, PO9, AI5, DS4, DS6 and ME4. Twelve OPB staff assessed PO4, PO6, PO8, PO10, AI1, AI2, AI3, AI4, AI6, AI7, ME1, ME2 and ME3
The project was conducted in four components: familiarization/rationalization, assessment, recommendations and knowledge transfer.
A familiarization workshop was conducted using COBIT as the framework for discussion to establish the terms of reference and seek a common understanding of COBIT terminology. Follow-up interviews were conducted with IT Services, PMO and outsourcing stakeholders to communicate and validate the vision. The deliverable was an introductory COBIT familiarization presentation.
Assessment took place through facilitated self-assessment workshops by IT Services & PMO management at which the current state of maturity within the OPB organization and future state was discussed, using each COBIT control objective. The purpose was to build consensus on the gaps between the current state and future state of OPB services and how they are delivered, keeping in mind the outsourcing relationship. Additional workshops were held with staff members to identify their assessment of the current situation for input to the overall assessment. The deliverable was a service assessment and gap analysis document.
Using the outputs from the vision and assessment phases in conjunction with the inputs provided by OPB, The Manta Group drew up recommendations aimed at bridging the identified gaps. The deliverable was a final report, including control environment, service assessment and gap analysis complete with recommendations.
In addition, part of the role provided by The Manta Group was to transfer relevant knowledge to OPB’s IT organization, enabling the ongoing assessment of its IT performance with use of consulting services limited to advisory type of engagements for specific topics.
The goals for using COBIT for the assessment were to provide greater understanding of best practice IT services and governance, for input to future IT outsourcing models, service to business, and the alignment of roles and responsibilities. Specifically, OPB sought to understand the impacts to its current outsourcing model and identify gaps to allow identification of additional enhancements (people, processes, technology, etc.) necessary to bridge any gaps that are identified.
The COBIT assessment findings were as follows:
OPB is currently working on implementing the recommendations from the self-assessment and will use COBIT to reassess the effectiveness of this continual improvement event. The internal audit function at OPB reports to the Audit Committee of the Board. A recent internal audit of the key OPB transformation project leveraged the COBIT assessment report as part of its findings.
COBIT provided OPB with a greater understanding of a comprehensive framework for IT governance. As part of OPB’s organizational changes to support the delivery of the business goals, COBIT enabled focus on key areas, such as risk management, to be brought out. The PMO is currently enhancing its project risk management and plans to dovetail this into OPB’s enterprisewide framework, currently under development. COBIT provided a means for greater understanding of what makes up a comprehensive IT services function, with supporting controls. The self-evaluation process, using COBIT, established a greater understanding with the IT branch, enabling development of a service catalogue and better alignment with OPB’s outsource service provider.