Title: What Does COBIT Stand For
1 COBIT Management Guidelines, released by the IT Governance Institute, July 2000
2
- Maturity Models
- Critical Success Factors
- Key Performance Indicators
- IT Generic Process and IT Governance Guidelines
- Management Guidelines - Conclusion
3 Management Guidelines
QUESTION: What is the right level of control for my IT such that it supports my enterprise objectives?
ANSWER: You will need CSFs, which are the most important things you need to do based on the choices made in a Maturity Model, while monitoring through KPIs whether you are likely to reach the goals set by the KGIs.
5 Management Guidelines
- Generic and action oriented
- For the purpose of
- IT control profiling: what is important?
- Awareness: where is the risk?
- Benchmarking: what do others do?
- Supporting decision making and follow-up
- Key performance indicators of IT Processes
- Critical success factors of controls
- Control implementation choices
6 Maturity Models
7 Maturity Models for Self-Assessment
8 Generic Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and therefore errors are likely.
3 Defined. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
9 Generic Maturity Model - Dimensions
- Understanding and awareness
- Training and communications
- Processes and practices
- Techniques and automation
- Compliance
- Expertise
10 Generic Maturity Model - Dimensions
11 How to use Benchmark Results: gap and impact analysis
12 In summary
- Maturity Models
- Refer to business requirements and the enabling aspects at the different levels
- Are scales that lend themselves to pragmatic comparison
- Are scales where the difference can be made measurable in an easy manner
- Are recognisable as a profile of the enterprise in relation to IT governance and control
- Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
- Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
- Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level
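To make the self-assessment and the As-Is / To-Be gap analysis concrete, here is an added Python example. It is not part of the original slides and not COBIT material; it is an editor's illustration. It rates one process on the six dimensions listed above, derives the process level, computes the per-dimension shortfall against a chosen target level (or against a full To-Be profile), orders the open gaps, and reports the position against a benchmark level. The rule that the weakest dimension sets the process level is an assumption (the slides do not say how dimension ratings combine), and the sample scores and the process label "DS5 Ensure systems security" are constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Dict, List, Union

# Generic maturity scale from the slides: 0 Non-Existent ... 5 Optimised.
LEVEL_NAMES = {
    0: "Non-Existent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimised",
}

# The six dimensions of the generic maturity model listed above.
DIMENSIONS = (
    "understanding_and_awareness",
    "training_and_communications",
    "processes_and_practices",
    "techniques_and_automation",
    "compliance",
    "expertise",
)

Scores = Dict[str, int]


@dataclass(frozen=True)
class DimensionGap:
    dimension: str
    as_is: int
    to_be: int

    @property
    def gap(self) -> int:
        # A dimension already at or beyond its target has nothing to close.
        return max(0, self.to_be - self.as_is)


def validate_scores(scores: Scores) -> Scores:
    """Reject an assessment that misses a dimension, names an unknown one,
    or rates a dimension outside the 0-5 scale."""
    missing = [d for d in DIMENSIONS if d not in scores]
    if missing:
        raise ValueError(f"missing dimension(s): {missing}")
    unknown = [d for d in scores if d not in DIMENSIONS]
    if unknown:
        raise ValueError(f"unknown dimension(s): {unknown}")
    for d, level in scores.items():
        if not isinstance(level, int) or level not in LEVEL_NAMES:
            raise ValueError(f"{d}: level must be an integer 0-5, got {level!r}")
    return scores


def process_level(scores: Scores) -> int:
    """Overall level of one process.

    Assumption (the slides do not say how dimension ratings combine): the
    weakest dimension sets the level, because the level descriptions are
    cumulative; a process is not 'Defined' while training and communication
    of its procedures are still missing.
    """
    return min(validate_scores(scores).values())


def gap_analysis(as_is: Scores, target: Union[int, Scores]) -> List[DimensionGap]:
    """As-Is versus To-Be per dimension, largest shortfall first.

    `target` is either one chosen level applied to every dimension ('what
    needs to be done to achieve a chosen level') or a full To-Be profile.
    """
    validate_scores(as_is)
    to_be = {d: target for d in DIMENSIONS} if isinstance(target, int) else dict(target)
    validate_scores(to_be)
    gaps = [DimensionGap(d, as_is[d], to_be[d]) for d in DIMENSIONS]
    # Ties keep the page's dimension order so the result is deterministic.
    return sorted(gaps, key=lambda g: (-g.gap, DIMENSIONS.index(g.dimension)))


def summarise(process: str, as_is: Scores, target: Union[int, Scores],
              benchmark: Union[int, None] = None) -> dict:
    """Gap and impact view for one process: current level, target level,
    the dimensions holding the rating down, the open gaps in priority order,
    and the position relative to a benchmark level (negative: behind peers)."""
    gaps = gap_analysis(as_is, target)
    current = process_level(as_is)
    target_level = target if isinstance(target, int) else process_level(target)
    result = {
        "process": process,
        "as_is_level": current,
        "as_is_name": LEVEL_NAMES[current],
        "to_be_level": target_level,
        "holding_back": [g.dimension for g in gaps if g.as_is == current],
        "open_gaps": [(g.dimension, g.gap) for g in gaps if g.gap > 0],
    }
    if benchmark is not None:
        result["vs_benchmark"] = current - benchmark
    return result


# Constructed sample self-assessment (not from the page): one security-related
# process rated per dimension; the process label below is illustrative only.
SAMPLE_AS_IS: Scores = {
    "understanding_and_awareness": 3,
    "training_and_communications": 2,
    "processes_and_practices": 3,
    "techniques_and_automation": 1,
    "compliance": 2,
    "expertise": 3,
}

if __name__ == "__main__":
    print(json.dumps(summarise("DS5 Ensure systems security", SAMPLE_AS_IS, 3,
                               benchmark=2), indent=2))
```

Run as a script it prints the summary for the sample: the process rates as level 1 (Initial) because techniques and automation are at 1, the gap to the chosen level 3 is largest there, and the process sits one level below the benchmark of 2. Passing a dictionary instead of an integer as the target lets you compare against a To-Be profile that sets different targets per dimension.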
13 Critical Success Factors
14 Critical Success Factors
- Management oriented IT control implementation guidance
- Most important things that contribute to the IT process achieving its goal
- Strategically
- Technically
- Organisationally
- Process or Procedure
- Control Statement and Considerations of the Waterfall
- Visible and measurable signs of success
- Short, focussed and action oriented
- Leveraging the resources of primary importance in this process
15 Critical Success Factors
Guidance from Control Model
- Responsibility
- Strict standard
- Documented control process
- Control information
- Evidence and accountability
16 Critical Success Factors
Strategic
17 Critical Success Factors
PO (Plan and Organise), AI (Acquire and Implement), DS (Deliver and Support), MO (Monitoring)
19 In summary
- Critical Success Factors
- Represent the most important things to do to increase the probability of success of the process
- Are observable, usually measurable, characteristics of the organisation and process
- Are either strategic, technological, organisational or procedural in nature
- Focus on obtaining, maintaining and leveraging capability and skills
- Are expressed in terms of the process, not necessarily the business
20 Key Performance Indicators
21 Key Performance Indicators
Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspectives are set and monitored.
22 Key Performance Indicators
In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal.
The first measure expresses delivery against a goal and is also called a LAG indicator, as it is typically measurable after the fact. The second expresses how well one delivers and is also called a LEAD indicator, as it predicts the probability of success.
23 Key Performance Indicators
IT is one of the enablers of the business and will have its own scorecard ...but how are they linked?
The COBIT model provides for that link through the definition of the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information).
24 Key Performance Indicators
- The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in
- COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile
- This profile also expresses the enterprise's position on risk
25 Key Performance Indicators
The goal for IT can then be expressed as
The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process.
26 Cascaded Performance Indicators
27 Goal X
Key Performance Indicators
- KGI for goal: measurable indicators of the process achieving its goal
- f(Business Requirement of the Waterfall)
- Influenced by the primary and secondary information criteria
- A potential source can be found in COBIT's Substantiating Risk section in the Audit Guidelines
28 Key Goal Indicators
Given that the link between
the business and IT scorecards is expressed in
terms of the information criteria, the KGIs will
usually be stated as
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost-efficiency of processes and operations
- Confirmation of reliability, effectiveness and
compliance
29 In summary
- Key Goal Indicators
- Describe the outcome of the process and are therefore lag indicators, i.e., measurable after the fact
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Focus on the customer and financial dimensions of the balanced business scorecard
- Represent the process goal, i.e., a measure of what, a target to achieve
- May describe a measure of the impact of not reaching the process goal
- Are IT oriented, but business driven
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for this process
30 Key Performance Indicators
- KPI for performance: measurable indicators of performance of the enabling factors
- f(Control Statement and Considerations in Waterfall)
- How well they leverage/manage the resources needed
31 In summary
- Key Performance Indicators
- Are a measure of how well the process is performing
- Predict the probability of success or failure in the future, i.e., are LEAD indicators
- Are process oriented, but IT driven
- Focus on the process and learning dimensions of the balanced scorecard
- Are expressed in precise, measurable terms
- Help in improving the IT process
32 Management Guidelines Presentation
33 Management Guidelines Presentation
34 Business Balanced Scorecard and IT Strategic Balanced Scorecard, each with the four perspectives Financial, Customer, Process and Learning
35 IT Generic Process and IT Governance Guidelines
36 The COBIT Framework has been enhanced with a number of improvements driven by: Management Control, Performance Management, IT Governance
37 IT Generic Process and IT Governance Guidelines
- Generic guidelines were developed, applying to all processes
- Subsequently these were expanded with CSFs, KGIs and KPIs applicable to IT in general
- This was converged to IT Governance guidelines by adding generally applicable IT Governance practices and measures
- The type and amount of information dictated two guidelines
- IT Generic Process
- IT Governance
38 IT Governance Model
39 Generic Process Guideline
Control over an IT process and its activities with specific business goals
- is determined by the delivery of information to the business that addresses the required information criteria, and is measured by KGIs
- is enabled by creating and maintaining a system of process and control excellence appropriate for the business
- considers CSFs that leverage specific IT resources, and is measured by KPIs
40 Generic Process Guideline
- Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist
41 Generic Process Guideline
- Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value
per employee)
42 Generic Process Guideline
- Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time
43 IT Generic Process Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable. There is global awareness of the issues, and processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and therefore errors are likely.
3 Defined. Goals and objectives are being communicated and understood. IT processes are aligned with the IT strategy. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. IT processes are aligned and integrated with the IT strategy and the business goals. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Achievement of objective measures is rewarded. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
44 IT Governance Guideline
Governance over IT and its processes, with the goal of adding value to the business while balancing risk versus return,
- ensures delivery of information to the business that addresses the required information criteria, and is measured by KGIs
- is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
- considers CSFs that leverage all IT resources, and is measured by KPIs
45 IT Governance Guideline
- Critical Success Factors
- IT governance activities are integrated into the enterprise governance process and leadership behaviours
- IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands
- IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities
- Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes
- Organisational practices are established to enable sound oversight: a control environment/culture, risk assessment as standard practice, a degree of adherence to established standards, and monitoring and follow-up of control deficiencies and risks
- Control practices are defined to avoid breakdowns in internal control and oversight
- There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management
- An audit committee is established to appoint and oversee an independent auditor, focusing on IT when driving audit plans, and to review the results of audits and third-party reviews
46 IT Governance Guideline
- Key Goal Indicators
- Enhanced performance and cost management
- Improved return on major IT investments
- Improved time to market
- Increased quality, innovation and risk management
- Appropriately integrated and standardised business processes
- Reaching new and satisfying existing customers
- Availability of appropriate bandwidth, computing power and IT delivery mechanisms
- Meeting requirements and expectations of the customer of the process on budget and on time
- Adherence to laws, regulations, industry standards and contractual commitments
- Transparency on risk taking and adherence to the agreed organisational risk profile
- Benchmarking comparisons of IT governance maturity
- Creation of new service delivery channels
47 IT Governance Guideline
- Key Performance Indicators
- Improved cost-efficiency of IT processes (costs vs. deliverables)
- Increased number of IT action plans for process improvement initiatives
- Increased utilisation of IT infrastructure
- Increased satisfaction of stakeholders (survey and number of complaints)
- Improved staff productivity (number of deliverables) and morale (survey)
- Increased availability of knowledge and information for managing the enterprise
- Increased linkage between IT and enterprise governance
- Improved performance as measured by IT balanced scorecards
48 IT Governance Maturity Model
0 Non-Existent. There is a complete lack of any recognisable IT governance processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised IT governance processes, but there are instead ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
2 Repeatable. IT governance processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual.
3 Defined. IT governance procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where IT governance processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. IT governance processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
49 Management Guidelines Conclusion: Value Proposition, Development Process, Components, Presentation
50 Management Guidelines Value Proposition
- Open Standard
- Framework
- Control Objectives
- Implementation Tool Set
- Management Guidelines
- Value added products
- Audit Guidelines
- How will it look?
- What is its value?
51 Management Guidelines Development Process
- Chicago Workshop
- 4 days
- 40 people
- Gartner and PwC
- Top Experts
- IT governance
- Performance management
- Information security and control
- Development, QA and Exposure
- Good Tools
- Workgroup tools
- Web based exposure
- pdf based document distribution
- Extensive review
52 Management Guidelines Components
- IT governance guideline
- Generic IT process guideline
- For each of the 34 IT processes
- one maturity model
- 5 to 7 KGIs
- 8 to 10 CSFs
- 6 to 8 KPIs
53 Management Guidelines Presentation