Ontario Pension Board 

 

Abstract

Ontario Pension Board (OPB) administers a major government-sponsored defined benefit pension plan. OPB recognized the need to ensure it had the people, processes and technology to provide better and more personalized service to all clients and stakeholders. As part of an internal review of its information technology (IT), OPB’s IT Services & Project Management Office (PMO) engaged The Manta Group to use the COBIT 4.0 framework to support a self-assessment of its IT functions. Control Objectives for Information and related Technology (COBIT) provided OPB with a comprehensive framework for IT governance that helped identify strategies to close gaps, optimize IT investments, ensure effective service delivery and provide a measure against which to judge when things go right.

Background

Ontario Pension Board (OPB) administers the Public Service Pension Plan (PSPP), a major defined benefit pension plan sponsored by the government of Ontario, Canada. With more than CAN $15 billion in assets, 150 employees, 34,600 active members, 36,900 pensioners and 4,800 deferred members, the PSPP is one of Canada’s largest pension plans. It is also one of the country’s oldest pension plans, dating back to the early 1920s. Membership is made up of eligible employees of the provincial government and its agencies, boards and commissions. OPB manages investment-related processes in accordance with relevant legislation.

The PSPP is a defined benefit pension plan. This means retired members receive a pension benefit based on a preset formula that takes into account each member’s earnings history and years of service with the plan. To fund the pension promise, members and employers make contributions to the plan.

OPB’s promise is fourfold:
  • protect the long-term health of the PSPP;
  • invest PSPP’s assets to maximize returns within acceptable risk parameters;
  • keep contribution levels stable and affordable;
  • deliver superior, cost-effective service to all stakeholders.

The total cost of operating the PSPP in 2006 was CAN $41.6 million. OPB has a well-defined operating structure and high professional standards, and places considerable emphasis on a solid governance framework to ensure that OPB:

  • operates effectively and efficiently;
  • prudently invests and manages PSPP’s assets;
  • protects and promotes the best interests of OPB’s clients and other stakeholders;
  • meets applicable legislative requirements.

The Board delegates the day-to-day administration to OPB’s management team. During 2006, OPB moved forward with a multiyear action plan aimed at ensuring that OPB has the people, processes and technology needed to protect the pension promise and provide better and more personalized service to all clients and stakeholders. The action plan includes IT system upgrades, an elevation of service delivery, increased training and development efforts, redesign of annual pension statements, client satisfaction surveys, and educational and advocacy initiatives.

OPB will accomplish this by transforming IT technology resources by re-engineering and leveraging current technologies and frameworks, such as imaging, enterprise content management, workflow and service-oriented architecture. The business goal is to provide better, faster, smarter service to clients. This is a significant undertaking, and it was deemed necessary by IT Services and PMO management that enhancements to the current service delivery methods and tools, along with improved IT governance and control, would be necessary to ensure the success of the project and supporting operational infrastructure. OPB has a quality management system accredited to ISO 9001:2000 and saw an opportunity to leverage other best practice standards.

OPB engaged The Manta Group, which offers four sets of main consulting services: Governance, Portfolio Management, Service Management, and Risk and Compliance. The Manta Group recommended using Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute (ITGI) as the IT governance framework. The company has solid experience using COBIT within government, retail, media and finance sectors in Canada.

Process

OPB’s IT Services & PMO department used COBIT as the basis for a self-assessment of IT functions as part of its continual improvement process. OPB operates in a highly regulated environment and has a strong desire to use best practices where value can be leveraged in support of its operational and strategic goals and transformation activities. Given OPB’s current adoption of ISO 9001:2000, there was a desire to investigate other more specific IT-related management system frameworks to assess value. OPB has an existing outsourcing arrangement where a number of IT functions are delivered to the business through a third-party service organization. As part of an internal review of IT, OPB’s IT Services & PMO called on the Manta Group to use the COBIT 4.0 framework to support a self-assessment of its IT functions. COBITT’s value was determined to be its presentation of good practices across a domain and process framework in a manageable and logical structure that assists management in identifying strategies to close the gaps, optimize IT investments, ensure effective service delivery, and also provide a measure against which to judge when things go right. OPB has a strong governance focus, and this is driven from a fiduciary perspective and a desire to ensure that an effective and efficient decision-making process exists at all levels of the organization. OPB’s Board of Directors is cognizant of regulations, including Sarbanes-Oxley, and supports a governance framework, such as COBIT, that is aligned to these objectives.

COBIT Assessment Framework

The Manta Group developed its COBIT Assessment Framework to accelerate assessment and reduce the costs of adopting COBIT 4.0. The framework uses a high insight-to-effort methodology, tailored to the client. This approach facilitates rapid assessment and identification of under-controlled targets for quick-win results by analyzing customer demand for technology against risks and capabilities and value. This approach is aimed not just at assessing maturity but also at determining what level of maturity is desirable and why.

Project Scope and Structure

The scope of the project was for The Manta Group to assess the IT functions as an input to OPB’s review of its current outsourcing model. This included performing a gap analysis to identify opportunities for servicing the business. Recommendations were made in relation to the possible refinement and enhancement of IT Services & PMO functions to align the overall services being delivered to the business.

The Manta Group worked with OPB to use COBIT 4.0 to:

  • build a control environment using COBIT for the structure of IT and the services IT needs to deliver to meet business objectives;
  • analyze the current state of service delivery at OPB and the interrelationship with current outsourcing services;
  • clearly define the integration of IT Services, PMO and the outsourcing vendor;
  • conduct a gap assessment between as-is status and to-be model;
  • provide recommendations with an accompanying roadmap to assist OPB in implementing its vision.

The assessment included the entire 34 COBIT control objectives and the supporting 215 detailed control objectives. A self-evaluation methodology was used to assess the level of maturity and impact of the 34 COBIT control objectives. An audit approach was not used; hence, the results are based upon perceived conformance as opposed to using objective evidence.

OPB’s IT management team and staff members successfully assessed the entire 34 COBIT control objectives and the supporting 215 detailed control objectives. Each of the 34 COBIT control objectives and their supporting detailed control objectives were allocated to either management or staff to assess according to their familiarity with the subject matter.

OPB’s management team assessed PO1, PO2, PO3, PO5, PO7, PO9, AI5, DS4, DS6 and ME4. Twelve OPB staff assessed PO4, PO6, PO8, PO10, AI1, AI2, AI3, AI4, AI6, AI7, ME1, ME2 and ME3

The project was conducted in four components: familiarization/rationalization, assessment, recommendations and knowledge transfer.

Familiarization/Rationalization

A familiarization workshop was conducted using COBIT as the framework for discussion to establish the terms of reference and seek a common understanding of COBIT terminology. Follow-up interviews were conducted with IT Services, PMO and outsourcing stakeholders to communicate and validate the vision. The deliverable was an introductory COBIT familiarization presentation.

Assessment

Assessment took place through facilitated self-assessment workshops by IT Services & PMO management at which the current state of maturity within the OPB organization and future state was discussed, using each COBIT control objective. The purpose was to build consensus on the gaps between the current state and future state of OPB services and how they are delivered, keeping in mind the outsourcing relationship. Additional workshops were held with staff members to identify their assessment of the current situation for input to the overall assessment. The deliverable was a service assessment and gap analysis document.

Recommendations

Using the outputs from the vision and assessment phases in conjunction with the inputs provided by OPB, The Manta Group drew up recommendations aimed at bridging the identified gaps. The deliverable was a final report, including control environment, service assessment and gap analysis complete with recommendations.

Knowledge Transfer

In addition, part of the role provided by The Manta Group was to transfer relevant knowledge to OPB’s IT organization, enabling the ongoing assessment of its IT performance with use of consulting services limited to advisory type of engagements for specific topics.

The goals for using COBIT for the assessment were to provide greater understanding of best practice IT services and governance, for input to future IT outsourcing models, service to business, and the alignment of roles and responsibilities. Specifically, OPB sought to understand the impacts to its current outsourcing model and identify gaps to allow identification of additional enhancements (people, processes, technology, etc.) necessary to bridge any gaps that are identified.

Conclusion

The COBIT assessment findings were as follows:

  • Given the current organizational focus and changes at the time of assessment, OPB IT management deemed that most COBIT control objectives were found to meet OPB’s acceptable criteria, from both a process maturity and impact point of view.
  • OPB’s IT organization gained an insight into the COBIT framework and was able to identify specific control objectives that relate to its current outsourcing relationship. This knowledge will support further improvements of IT services in this area.
  • OPB’s IT management was able to identify potential areas for IT Services & PMO roles and responsibility alignment.
  • The assessment of risk and impact by OPB IT management of the following specific control objectives highlighted an additional need for further attention in these areas:
    1. Assess and Manage IT Risks (PO9)
    2. Define Information Architecture (PO2)
    3. Manage Change (AI6)
    4. Enable Operations and Use (AI4)
    5. Service Levels (DS1)
    6. Continuous Service (DS4)
    7. Internal Controls (ME2)

OPB is currently working on implementing the recommendations from the self-assessment and will use COBIT to reassess the effectiveness of this continual improvement event. The internal audit function at OPB reports to the Audit Committee of the Board. A recent internal audit of the key OPB transformation project leveraged the COBIT assessment report as part of its findings.

COBIT provided OPB with a greater understanding of a comprehensive framework for IT governance. As part of OPB’s organizational changes to support the delivery of the business goals, COBIT enabled focus on key areas, such as risk management, to be brought out. The PMO is currently enhancing its project risk management and plans to dovetail this into OPB’s enterprisewide framework, currently under development. COBIT provided a means for greater understanding of what makes up a comprehensive IT services function, with supporting controls. The self-evaluation process, using COBIT, established a greater understanding with the IT branch, enabling development of a service catalogue and better alignment with OPB’s outsource service provider.