What Does COBIT Stand For - PowerPoint PPT Presentation

About This Presentation
Title:

What Does COBIT Stand For

Description:

Critical Success Factors. Key Performance Indicators. IT ... Critical success factors of controls. Control implementation choices ... Critical ... – PowerPoint PPT presentation

Slides: 54
Provided by: SWI119
Tags: cobit | critical | stand


Transcript and Presenter's Notes



1
COBIT Management Guidelines released by the IT
Governance Institute July 2000
2
  • Maturity Models
  • Critical Success Factors
  • Key Performance Indicators
  • IT Generic Process and IT Governance Guidelines
  • Management Guidelines - Conclusion
3
Management Guidelines
QUESTION: What is the right level of control for my IT such that it supports my enterprise objectives?
ANSWER: You will need CSFs, which are the most important things you need to do based on the choices made in a Maturity Model, while monitoring through KPIs whether you will likely reach the goals set by the KGIs.
4
(No Transcript)
5
Management Guidelines
  • Generic and action oriented
  • For the purpose of
  • IT Control profiling - what is important?
  • Awareness - where is the risk?
  • Benchmarking - what do others do?
  • Supporting decision making and follow-up
  • Key performance indicators of IT Processes
  • Critical success factors of controls
  • Control implementation choices

6
Maturity Models
7
Maturity Models for Self-Assessment
8
Generic Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
9
Generic Maturity Model - Dimensions
  • Understanding and awareness
  • Training and communications
  • Processes and practices
  • Techniques and automation
  • Compliance
  • Expertise

10
Generic Maturity Model - Dimensions
 
11
How to use Benchmark Results
gap and impact analysis
12
In summary
  • Maturity Models
  • Refer to business requirements and the enabling
    aspects at the different levels
  • Are scales that lend themselves to pragmatic
    comparison
  • Are scales where the difference can be made
    measurable in an easy manner
  • Are recognisable as a profile of the enterprise
    in relation to IT governance and control
  • Assist in determining As-Is and To-Be positions
    relative to IT governance and control maturity
  • Lend themselves to support gap analysis to
    determine what needs to be done to achieve a
    chosen level
  • Are neither industry specific nor always
    applicable; the nature of the business
    will determine what is an appropriate level

13
Critical Success Factors
14
Critical Success Factors
  • Management oriented IT control implementation
    guidance
  • Most important things that contribute to the IT
    process achieving its goal
  • Strategically
  • Technically
  • Organisationally
  • Process or Procedure
  • Control Statement and Considerations of the
    Waterfall
  • Visible and measurable signs of success
  • Short, focussed and action oriented
  • Leveraging the resources of primary importance in
    this process

15
Critical Success Factors
Guidance from Control Model
  • Responsibility
  • Strict standard
  • Documented control process
  • Control information
  • Evidence and accountability

16
Critical Success Factors
Strategic
17
Critical Success Factors
PO
AI
DS
MO
18
(No Transcript)
19
In summary
  • Critical Success Factors
  • Represent the most important things to do to
    increase the probability of success of the
    process
  • Are observable - usually measurable -
    characteristics of the organisation and process
  • Are either strategic, technological,
    organisational or procedural in nature
  • Focus on obtaining, maintaining and leveraging
    capability and skills
  • Are expressed in terms of the process, not
    necessarily the business

20
Key Performance Indicators
21
Key Performance Indicators
Guidance for measurement can be obtained from the
Balanced Business Scorecard concepts, where goals
and measures from the financial, customer,
process and innovation perspective are set and
monitored
22
Key Performance Indicators
In the Balanced Business Scorecard approach, the
Goal is measured based on its outcome. The
Drivers or Enablers that make it possible to
achieve the goal are measured based on their
performance in support of reaching the goal
The first measure expresses delivery against a
goal and is also called a LAG indicator, as it
is typically measurable after the fact. The
second expresses how well one delivers and is
also called a LEAD indicator, as it predicts
the probability of success
23
Key Performance Indicators
IT is one of the enablers of the business and
will have its own scorecard ...but how are they
linked?
The COBIT model provides for that link through
the definition of the information criteria
24
Key Performance Indicators
  • The degree of importance of each of these
    criteria is a function of the business and the
    environment that the enterprise operates in
  • COBIT then allows selection of those control
    objectives that best fit the degree of
    importance, i.e., the Profile
  • This profile also expresses the enterprise's
    position on risk

25
Key Performance Indicators
The goal for IT can then be expressed as
The performance measure of the enabler becomes
the goal for IT, which in turn will have a number
of enablers. These could be the COBIT IT domains.
Here again the measures can be cascaded, the
performance measure of the domain becoming, for
example, a goal for the process
26
Cascaded Performance Indicators
27
Goal
X
Key Performance Indicators
  • KGI for goal: measurable indicators of the
    process achieving its goal
  • f(Business Requirement of the Waterfall)
  • Influenced by the primary and secondary
    information criteria
  • A potential source can be found in COBIT's
    Substantiating Risk section in the
    Audit Guidelines


28
Key Goal Indicators Given that the link between
the business and IT scorecards is expressed in
terms of the information criteria, the KGIs will
usually be stated as
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost-efficiency of processes and operations
  • Confirmation of reliability, effectiveness and
    compliance

29
In summary
  • Key Goal Indicators
  • Describe the outcome of the process and are
    therefore lag indicators, i.e., measurable
    after the fact
  • Are indicators of the success of the process, but
    may be expressed as well in terms of the business
    contribution, if that contribution is specific to
    that IT process
  • Focus on the customer and financial dimensions of
    the balanced business scorecard
  • Represent the process goal, i.e., a measure of
    what, a target to achieve
  • May describe a measure of the impact of not
    reaching the process goal
  • Are IT oriented, but business driven
  • Are expressed in precise measurable terms,
    wherever possible
  • Focus on those information criteria that have
    been identified to be of most importance
    for this process

30
Key Performance Indicators
  • KPI for performance: measurable indicators of
    performance of the enabling factors
  • f(Control Statement and Considerations in
    Waterfall)
  • How well they leverage/manage the resources
    needed

31
In summary
  • Key Performance Indicators
  • Are a measure of how well the process is
    performing
  • Predict the probability of success or failure in
    the future, i.e., are LEAD indicators
  • Are process oriented, but IT driven
  • Focus on the process and learning dimensions of
    the balanced scorecard
  • Are expressed in precise, measurable terms
  • Help in improving the IT process

32
Management Guidelines Presentation
33
Management Guidelines Presentation
34
Business Balanced Scorecard and IT Strategic Balanced Scorecard (perspectives of each: Financial, Customer, Process, Learning)
35
IT Generic Process and IT
Governance Guidelines
36
The COBIT Framework has been enhanced with a
number of improvements driven by: Management
Control, Performance Management, IT Governance
37
IT Generic Process and IT Governance Guidelines
  • Generic guidelines were developed, applying to
    all processes
  • Subsequently these were expanded with CSFs, KGIs
    and KPIs applicable to IT in general
  • This was converged to IT Governance guidelines by
    adding generally applicable IT Governance
    practices and measures
  • The type and amount of information dictated two
    guidelines
  • IT Generic Process
  • IT Governance

38
IT Governance Model
39
Generic Process Guideline
Control over an IT process and its activities
with specific business goals
is determined by the delivery of information to
the business that addresses the required
information criteria and is measured by KGIs
is enabled by creating and maintaining a system
of process and control excellence appropriate for
the business
considers CSFs that leverage specific IT
resources and is measured by KPIs
40
Generic Process Guideline
  • Critical Success Factors
  • IT performance is measured in financial terms, in
    relation to customer satisfaction, for process
    effectiveness and for future capability, and IT
    management is rewarded based on these measures
  • The processes are aligned with the IT strategy
    and with the business goals; they are scalable
    and their resources are appropriately managed and
    leveraged
  • Everyone involved in the process is goal focused
    and has the appropriate information on customers,
    on internal processes and on the consequences of
    their decisions
  • A business culture is established, encouraging
    cross-divisional co-operation and teamwork, as
    well as continuous process improvement
  • Control practices are applied to increase
    transparency, reduce complexity, promote
    learning, provide flexibility and allow
    scalability
  • Goals and objectives are communicated across all
    disciplines and are understood
  • It is known how to implement and monitor process
    objectives and who is accountable for process
    performance
  • A continuous process quality improvement effort
    is applied
  • There is clarity on who the customers of the
    process are
  • The required quality of staff (training, transfer
    of information, morale, etc.) and
    availability of skills (recruit, retain,
    re-train) exist

41
Generic Process Guideline
  • Key Goal Indicators
  • Increased level of service delivery
  • Number of customers and cost per customer served
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost efficiency of processes and operations
  • Confirmation of reliability and effectiveness
  • Adherence to development cost and schedule
  • Cost efficiency of the process
  • Staff productivity and morale
  • Number of timely changes to processes and systems
  • Improved productivity (e.g., delivery of value
    per employee)

42
Generic Process Guideline
  • Key Performance Indicators
  • System downtime
  • Throughput and response times
  • Amount of errors and rework
  • Number of staff trained in new technology and
    customer service skills
  • Benchmark comparisons
  • Number of non-compliance reportings
  • Reduction in development and processing time

43
IT Generic Process Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. There is global awareness of the issues and processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Goals and objectives are being communicated and understood. IT processes are aligned with the IT strategy. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. IT processes are aligned and integrated with the IT strategy and the business goals. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Achievement of objective measures is rewarded. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
44
IT Governance Guideline
Governance over IT and its processes with goal of
adding value to the business, while balancing
risk versus return
ensures delivery of information to the business
that addresses the required information criteria
and is measured by KGIs
is enabled by creating and maintaining a system
of process and control excellence appropriate for
the business that directs and monitors the
business value delivery of IT
considers CSFs that leverage all IT resources and
is measured by KPIs
45
IT Governance Guideline
  • Critical Success Factors
  • IT governance activities are integrated into the
    enterprise governance process and leadership
    behaviours
  • IT governance focuses on the enterprise goals,
    strategic initiatives, the use of technology to
    enhance the business and on the availability of
    sufficient resources and capabilities to keep up
    with the business demands
  • IT governance activities are defined with a clear
    purpose, documented and implemented, based on
    enterprise needs and with unambiguous
    accountabilities
  • Management practices are implemented to increase
    efficient and optimal use of resources and
    increase the effectiveness of IT processes
  • Organisational practices are established to
    enable: sound oversight; a control
    environment/culture; risk assessment as standard
    practice; degree of adherence to established
    standards; monitoring and follow up of control
    deficiencies and risks
  • Control practices are defined to avoid breakdowns
    in internal control and oversight
  • There is integration and smooth interoperability
    of the more complex IT processes such as problem,
    change and configuration management
  • An audit committee is established to appoint and
    oversee an independent auditor, focusing
    on IT when driving audit plans, and review the
    results of audits and third-party
    reviews.

46
IT Governance Guideline
  • Key Goal Indicators
  • Enhanced performance and cost management
  • Improved return on major IT investments
  • Improved time to market
  • Increased quality, innovation and risk management
  • Appropriately integrated and standardised
    business processes
  • Reaching new and satisfying existing customers
  • Availability of appropriate bandwidth, computing
    power and IT delivery mechanisms
  • Meeting requirements and expectations of the
    customer of the process on budget and on time
  • Adherence to laws, regulations, industry
    standards and contractual commitments
  • Transparency on risk taking and adherence to the
    agreed organisational risk profile
  • Benchmarking comparisons of IT governance
    maturity
  • Creation of new service delivery channels

47
IT Governance Guideline
  • Key Performance Indicators
  • Improved cost-efficiency of IT processes (costs
    vs. deliverables)
  • Increased number of IT action plans for process
    improvement initiatives
  • Increased utilisation of IT infrastructure
  • Increased satisfaction of stakeholders (survey
    and number of complaints)
  • Improved staff productivity (number of
    deliverables) and morale (survey)
  • Increased availability of knowledge and
    information for managing the enterprise
  • Increased linkage between IT and enterprise
    governance
  • Improved performance as measured by IT balanced
    scorecards

48
IT Governance Maturity Model
0 Non-Existent. There is a complete lack of any recognisable IT governance processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised IT governance processes, but there are instead ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. IT governance processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual.
3 Defined. IT governance procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where IT governance processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. IT governance processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
49
Management Guidelines - Conclusion
  • Value Proposition
  • Development Process
  • Components
  • Presentation
50
Management Guidelines Value Proposition
  • Open Standard
  • Framework
  • Control Objectives
  • Implementation Tool Set
  • Management Guidelines
  • Value added products
  • Audit Guidelines
  • How will it look?
  • What is its value?

51
Management Guidelines Development Process
  • Chicago Workshop
  • 4 days
  • 40 people
  • Gartner and PwC
  • Top Experts
  • IT governance
  • Performance management
  • Information security and control
  • Development, QA and Exposure
  • Good Tools
  • Workgroup tools
  • Web based exposure
  • pdf based document distribution
  • Extensive review

52
Management Guidelines Components
  • IT governance guideline
  • Generic IT process guideline
  • For each of the 34 IT processes
  • one maturity model
  • 5 to 7 KGIs
  • 8 to 10 CSFs
  • 6 to 8 KPIs

53
Management Guidelines Presentation