Академический Документы
Профессиональный Документы
Культура Документы
[ITG-253 v2.00]
1
Introduction
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -27- New Horizons
Module
Introduction
1 CobiT 5 Foundation with Case Study (ITG-253 v2.00)
Overview modules
Module 1 - Introduction
Module 2 - Overview
Module 3 - Principles
Module 4 - Enablers
Module 5 - Implementation
Module 6 - Process capability
Course schedule
Facilities
Exam requirements
Exam requirements:
50 questions
40 minutes
50% pass rate
Closed book
Exam preparation:
Approximately hrs
Test questions
Self study
Questions?
2
Overview
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -37- New Horizons
Module
Overview
2 CobiT 5 Foundation with Case Study (ITG-253 v1.20)
Source: http://edition.cnn.com/2013/08/14/tech/web/new-york-times
IT Management remains an issue for many organizations. Outages still occur. Some examples of
major IT disruptions (with considerable impact on the organization):
ING internet banking failure (feb 2013): ING customers are unable to withdraw money
from ATMs, account balance inquiries show wrong amounts. Big headlines on the TV news,
newspaper, trending topic on Twitter etc. -> Serious loss of business reputation for ING
NYSE Euronext trading impossible. Trading opening postponed for an hour due to technical
errors (6 june 2013)
Failures at Baggage handling systems at opening day of Heathrows T5 terminal (mar 2008):
flights cancelled, serious delays of departures and arrivals, thousands of customers unable to
collect their luggage for days. -> Special report by House of Commons Transport Committee
13 August 2013, the website of the New York Times was down for 3 hours following
scheduled maintenance. Rather then reporting the news (at the time breaking news about the
Egyptian police and army trying to break up protests resulting in reportedly- hundreds of
casualties) the NY Times made the news itself, e.g. on CNN.
Source:http://downdetector.com/status/att/archive
Even if you do not monitor your own performance as a company, your (disgruntled) customers will
do it for you. For instance this website keeps track of the outages of the all problems and outages
of AT&T services in the US.
Governance
Enterprise
Governance
Corporate Business
Governance Governance
(conformance) (performance)
Value creation
Accountability
Resource
Assurance
Utilization
Governance
Definition of enterprise governance: a set of responsibilities and practices exercised by the board
and executive management with the goals of providing strategic direction, ensuring that objectives
are achieved, ascertaining that risks are managed appropriately and verifying that the enterprises
resources are used responsibly.
Conformance is also called corporate governance and covers issues such as board structure, roles
and executive remuneration. Codes and/or standards can generally address this dimension with
compliance being subject to assurance / audit. The conformance view takes a historical view (what
has happened?).
Performance, also called business governance, focuses on strategy and value creation, and on
helping the board make strategic decisions , understand its appetite for risk and its key drivers
of performance and identify its key points of decision making. This is not easy to encorporate in a
business code or standard and subsequently audited. Here typically instruments such as best
practices are widely used. The performance view looks forward (what do we want to happen?).
1. Human assets
2. Financial assets
3. Physical assets
4. IP assets Governance
5. Information and IT assets of Enterprise
6. Relationship assets IT (GEIT)
Weill and Ross (IT Governance How top performers manage IT decision rights for superior results)
Governance of enterprise IT
Enterprise IT objectives
Enterprise IT objectives'
Cobit 5 recognises 17 enterprise goals, all contributing to the enterprise objectives. These enterprise
goals will return in the goals cascade in module 2, principle 1 Meeting stakeholder needs.
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
Cobit 5
Cobit 5
Additional drivers
Improved relationship between business needs and IT objectives;
Better value creation through effective and innovative use of
enterprise IT;
Increased financial return from the governance over enterprise IT by
obtaining the greatest value from investments in technology;
Increased business user satisfaction with IT engagement
and services;
Increased compliance with relevant laws, regulations and policies ;
Connection to, and, where relevant , alignment with, other major
frameworks and standards in the marketplace.
Additional drivers
Connection to, and, where relevant , alignment with, other major frameworks and standards in the
marketplace, such as:
Information Technology Infrastructure Library (ITIL)
The Open Group Architecture Forum (TOGAF)
Project Management Body of Knowledge (PMBOK)
Projects IN Controlled Environments 2 (PRINCE2)
Committee of Sponsoring Organisations (COSO)
International Organization for Standardisation (ISO) standards
Integrate all other major ISACA frameworks and guidance such as:
Val IT
Risk IT
BMIS
ITAF
Board Briefing on IT Governance
Taking Governance Forward
COBIT 5 defines the starting point of governance and management activities with the
stakeholder needs related to enterprise IT.
COBIT 5 is consistent with generally accepted corporate governance standards, and thus
helps to meet regulatory requirements.
COBIT 5 focuses initially on the needs of the stakeholder. One of the key benefits of COBIT
5 is that it is first and foremost a business framework. Business management have something
to enable them to have that business conversation with IT management.
COBIT 5 is a top- down view of business needs that create a goals cascade. This goal
cascade drives the need to meet the expectations of the stakeholder right through the
enterprise.
COBIT 5 also encourages a common language throughout the enterprise so that
stakeholders understand IT and IT meets their business need.
Governance of Enterprise IT
IT Governance
BMIS
Evolution
(2010)
Management
Val IT 2.0
(2008)
Control
Risk IT
(2009)
Audit
Inital focus on audit, control and security (remember that ISACA has it roots in assurance ITAF,
CISA and security BMIS , CISM), evolving to management and governance. However Cobit
4.1 was not complete for governance, one also had to include other ISACA models, especially
RiskIT and ValIT.
3
Principles
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -55- New Horizons
Module
Principles
3 CobiT 5 Foundation with Case Study (ITG-253 v2.00)
5 principles
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Principle 1
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Stakeholder Drivers
Step 1
Stakeholder Needs
Benefits Risk Resource
Realisation Optimisation Optimisation
Step 2
Enterprise Goals
Step 3
IT Related Goals
Step 4
Enabler Goals
Goals cascade
Translating the stakeholder needs into enterprise goals requires an actionable strategy.
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Stakeholder
Needs
Drive
Governance Objective: Value Creation
Stakeholder needs
Enterprises exist to create value for their stakeholders. Consequently, any enterprise commercial
or not-for-profit will have value creation as a governance objective. Value creation means realsing
benefits at an optimal resource cost while optimising risk. Benefits do not necessarily have to be
financial (e.g. revenue or profit). They can also be public service (for government organisations).
An organisation has multiple stakeholders, the most important value for one stakeholder does not
necessarily have to be the most important value for another stakeholder. So many stakeholders, so
many needs. These needs may even be conflicting. Governance has to balance between stakeholder
needs; negotiating and deciding amongst different stakeholders value interests. The governance
system therefore must consider all stakeholders and their respective needs.
Questions of Questions of
internal stakeholders external stakeholders
How do I get value from the use How do I know the enterprises
of IT? operations are secure and reliable?
How do I manage performance How do I know the enterprise is
of IT? compliant with applicable rules
How can I best exploit and regulations?
new technology for new How do I know the enterprise is
strategic opportunities? maintaining an effective system of
How do I best build and structure internal control?
my IT department? etc.
etc.
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
Card dimensions
Financial Customer
1. Stakeholder value of business investments 6. Customer oriented service culture
2. Portfolio of competitive products and services 7. Business service continuity and availability
3. Managed business risk (safeguarding of assets) 8. Agile responses to a changing business environment
4. Compliance with external laws and regulations 9. Information based strategic decision making
5. Financial transparency 10. Optimisation of service delivery costs
1. Meeting
Stakeholder
Needs
Enterprise Goal
Optimisation of business
Optimisation of business
Optimisation of service
Portfolio of competitive
Financial transparency
products and services
change programmes
laws and regulations
a changing business
Stakeholder value of
Managed business
Customer oriented
Agile responses to
strategic decision
innovation culture
Business service
Information-base
service culture
process costs
delivery costs
environment
productivity
policies
making
people
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Learning and
IT-related Goal Financial Customer Internal
Growth
01 Alignment of IT and business strategy P P S P S P P S P S P S S
IT compliance and support for business compliance with external
02 S P P
laws and regulations
Financial
09 IT agility S P S S P P S S S P
Excerpt; for the complete table refer to Appendix B (p. 50) of the
Cobit 5 Framework
APMG 2012; 2012 ISACA. All Rights Reserved. Slide 9
1. Meeting
Stakeholder
Needs
Financial Customer
1. Alignment of IT and business strategy 7. Delivery of IT services in line with
2. IT compliance and support for business business requirements
compliance with external rules and regulations 8. Adequate use of applications, information and
3. Commitment of executive management for making technology solutions
IT-related decisions
4. Managed IT-related business risk
5. Realised benefits from IT-enabled investments and
services portfolio
6. Transparency of IT costs, benefits and risks
1. Meeting
Stakeholder
Needs
IT-related Goal
services portfolio
applications
processes
innovation
standards
solutions
IT agility
strategy
policies
making
risk
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Alignment of IT and
EDM01 P S P S S S P S S S S S S S S S
business strategy
IT compliance and
support for business
Evaluate, Direct and Monitor
EDM02 P S P P P S S S S S S P
compliance with external
laws and regulations
Commitment of executive
EDM03 management for making S S S P P S S P S S P S S
IT-related decisions
Managed IT-related
EDM04 S S S S S S S P P S P S
business risk
Achieving IT-related goals requires the successful application and use of a number of enablers.
The enabler concept is explained in detail in Module 4. Enablers include processes, organisational
structures and information, and for each enabler a set of specific relevant goals can be defined in
support of the IT-related goals.
Processes are one of the enablers, and Cobit 5, a business framework for the governance and
management of enterprise IT (appendix C) contains a mapping between IT-related goals and the
relevant COBIT 5 processes, which then contain related process goals. Similarly goals must be
defined for the other enablers.
Exercise 1
Principle 2
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Principle 2
End-to-end:
Cobit 5 integrates GEIT into enterprise governance
Cobit 5 covers all functions and processes required to govern and manage enterprise
information and related technology wherever the information is processed
Cobit 5 addresses all relevant internal and external IT services as well as internal and external
business processes
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance Governance
Enablers Scope
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance
Instruct and
Delegate Set Direction
Align
Owners and Governing Operations
Management
Stakeholders Body and Execution
Accountable Monitor Report
Management
You can see here that principle 5, separating governance from management, is reflected in the roles,
activities and relationships. Governance (the governing body) deals with owners and stakeholders,
management deals with operations and execution.
Principle 3
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
ISO/IEC 38500
ISO/IEC 31000
Align, Plan and Organize TOGAF
ISO/IEC 27000
Prince2/PMBOK
CMMI
ISO/IEC 38500 is the standard for corporate governance of information technology. It is based on
6 principles:
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human behaviour
Comparison with other standards: typically these standards cover parts of one or more of the five
COBIT 5 (process) domains. These domains will be explained in detail in Module 4 Enablers.
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
COBIT 5 COBIT 5:
(framework) Assessment program
Translations of the COBIT 5 framework are available in Spanish, Chinese, Japanese, German,
Romanian, Russian, Arabic, French, Lithuanian, Hebrew, Thai, Turkish and Italian.
Principle 4
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
7 categories of enablers
Resources
COBIT 5 Enablers
Enablers are factors that, individually and collectively, influence whether something will workin this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e.
the enabler goals are based on the IT-related goals (which are based on the enterprise goals refer
to Principle 1: meeting stakeholder needs).
Principles, policies and frameworks are the vehicle to translate the desired behavior into
practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives
and produce a set of outputs in support of achieving overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
Information is pervasive throughout any organization and includes all information produced
and used by the enterprise. Information is required for keeping the organization running and
well governed, but at the operational level, information is very often the key product of the
enterprise itself.
Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and services.
Principle 5
1. Meeting
Stakeholder
Needs
5. Separating
Governance 2. Covering the
From Enterprise
Management End-to-end
COBIT 5
Principles
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Governance
Ensure that stakeholder needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to
be achieved
setting direction through prioritisation and decision making
Monitoring performance and compliance against agreed-on direction
and objectives
Management:
Plans, builds, runs and monitors activities in alignment with
the direction set by the governance body to achieve the
enterprise objectives
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
1. Meeting
Stakeholder
Needs
3. Applying a
4. Enabling a
Single
Holistic
Integrated
Approach
Framework
Business Needs
Governance Domain
Evaluate
Management
Domain
An enterprise can organise its processes as it sees fit, as long as all necessary governance and
management objectives are covered. Smaller enterprises may have fewer processes; larger and
more complex enterprises may have many processes, all to cover the same objectives.
COBIT 5 includes a process reference model. This reference model clearly distinguishes governance
processes and management processes. The processes are grouped in 5 domains.
All governance processes are in the EDM (Evaluate, Direct and Monitor) domain
The management processes are distributed over the 4 PBRM domains: Plan (APO), Build (BAO),
Run (DSS) and Monitor (MEA).
4
Enablers
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -83- New Horizons
Module
Enablers
4 CobiT 5 Foundation with Case Study (ITG-253 v1.20)
What is an enabler?
Stakeholders
Goals
Life cycle
Good practices
}
Are stakeholder needs addressed? Lag
Are enabler goals achieved? indicators
Enterprises expect positive outcomes from the application and use of enablers. To manage
performance of the enablers, the
The first two bullets deal with the actual outcome of the enabler. They are also called outcome
measures and represent the consequences of actions previously taken. Outcome measures
frequently focus on results at the end of a time period and characterize historical performance. They
are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been
met. These can be measured only after the fact and, therefore, are called lag indicators.
The last two bullets deal with the actual functioning of the enabler itself. They are also called
performance drivers and are measures that are considered the drivers of the lag indicators. They
can be measured before the outcome is clear and, therefore, are called lead indicators. There is
an assumed relationship between the two that suggests that improved performance in a leading
Enablers overview
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Resources
Enablers are factors that, individually and collectively, influence whether something will workin this
case, governance and management over enterprise IT. Enablers are driven by the goals cascade,
i.e., higher-level IT-related goals define what the different enablers should achieve.
Principles, policies and frameworks are the vehicle to translate the desired behavior into
practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives
and produce a set of outputs in support of achieving overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
Information is pervasive throughout any organization and includes all information produced
and used by the enterprise. Information is required for keeping the organization running and
well governed, but at the operational level, information is very often the key product of the
enterprise itself.
Services, infrastructure and applications include the infrastructure, technology and
applications that provide the enterprise with information technology processing and services.
People, skills and competencies are linked to people and are required for successful
completion of all activities and for making correct decisions and taking corrective actions.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
frameworks
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Links and relationships between principles, policies and frameworks and other enablers:
Principles, policies and frameworks reflect the culture, ethics and values of the enterprise.
They influence and direct behavior.
Processes are the most important vehicle for executing policiesExamples: architectural
policies (defined in
Organizational structures can define and implement policies
Policies are part of information
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
Board
Executive management
Compliance officers
Risk managers
External stakeholders
Regulatory agencies
Shareholders
Service providers and customers
External auditors
Stakeholders
Stakeholders for principles and policies can be internal and external to the enterprise.
The stakes are twofold: Some stakeholders define and set policies, others have to align to, and
comply with, policies.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Policies &RAMEWORKS
Principles s #OMPREHENSIVE
s %FFECTIVE
s ,IMITED IN NUMBER s /PEN FLEXIBLE
s %FFICIENT
s 3IMPLE s #URRENT
s .ON
INTRUSIVE
s !VAILABLE ACCESSIBLE
$ECISION MAKING
Goals
Principles, policies and frameworks are instruments to communicate the rules of the enterprise,
in support of the governance objectives and enterprise values, as defined by the board and
executive management.
Policies provide more detailed guidance on how to put principles into practice and they influence
how decision making aligns with the principles. Good policies are:
EffectiveThey achieve the stated purpose.
EfficientThey ensure that principles are implemented in the most efficient way.
Non-intrusiveThey appear logical for those who have to comply with them, i.e., they do not
create unnecessary resistance.
Example:
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Agenda setting
Monitoring Analysis
Life cycle
Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are
key because they provide a structure to define consistent guidance. For example, a policy framework
provides the structure in which a consistent set of policies can be created and maintained, and it
also provides an easy point of navigation within and between individual policies.
Depending on the external environment in which the enterprise operates, there can be varying
degrees of regulatory requirements for strong internal control and, as a consequence, a strong policy
framework. A key attention point to be taken into account regarding frameworks and policies is the
currency of policiesIf and when policies are reviewed and updated, are there strong mechanisms in
place to ensure that people are aware of these updates, that the newest version is easily accessible
(see previous point), and that obsolete information is properly archived or disposed?
Agenda setting: there may be a need to consult on issues that for the engagement purposes
are still at an 'open-ended' stage, in that the consultation owners do not want the dialogue to
be shaped by specific policy statements.
Analysis: Define the agenda, state a position relating to the items on that agenda, and seek
evidence and knowledge from others.
Creating the policy: There is a draft document for formal consultation, potentially greater
need to target and identify specific stakeholders/participants, and possibly with options to be
assessed in more detail e.g. through simulation of decision-making, or risk analysis.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
Generally recognized governance and management frameworks can provide valuable guidance on
the actual statements to be included in policies.
Policies should be aligned with the enterprises risk appetite. Policies are a key component of an
enterprises system of internal control, whose purpose it is to manage and contain risk. As part of
risk governance activities, the enterprises risk appetite is defined, and this risk appetite should be
reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Feedback
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
Board
Management (all levels)
Staff
External stakeholders
Customers
Business partners
Service providers
Stakeholders
Processes have internal and external stakeholders, with their own roles; stakeholders and their
responsibility levels are documented in RACI charts.
External stakeholders may include customers, business partners (especially when producing goods
and/or services in a value chain e.g. companies such as Nike, car manufacturers etc.), service
providers (especially when IT and/or business process are outsourced) and regulators.
Internal stakeholders may include the board, management, staff and volunteers.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Goals
Process goals are defined as a statement describing the desired outcome of a process. An outcome
can be an artefact, a significant change of a state or a significant capability improvement of other
processes. They are part of the goals cascade, i.e., process goals support IT-related goals, which in
turn support enterprise goals.
At each level of the goals cascade, hence also for processes, metrics are defined to measure the
extent to which goals are achieved. Metrics can be defined as a quantifiable entity that allows
the measurement of the achievement of a process goal. Metrics should be SMARTspecific,
measurable, actionable, relevant and timely.
To manage the enabler effectively and efficiently, metrics need to be defined to measure the
extent to which the expected outcomes are achieved. In addition, a second aspect of performance
management of the enabler describes the extent to which good practice is applied. Here also,
associated metrics can be defined to help with the management of the enabler.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Intrinsic goals
Contextual goals
Accessibility and security goals
Intrinsic goals Does the process have intrinsic quality? Is it accurate and in line with good
practice? Is it compliant with internal and external rules?
Contextual goals Is the process customised and adapted to the enterprises specific situation?
Is the process relevant, understandable, easy to apply?
Accessibility and security goals The process remains confidential, when required, and is
known and accessible to those who need it.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Adjusted
Life cycle
Life cycle Each process has a life cycle. It is defined, created, operated, monitored, and adjusted/
updated or retired. Generic process practices such as those defined in the COBIT process
assessment model based on ISO/IEC 15504 can assist with defining, running, monitoring and
optimising processes.
In this case, the process managers would need to design and define the process first. They can
use several elements from COBIT 5: Enabling Processes to design processes, i.e., to define
responsibilities and to break the process down into practices and activities, and define process
work products (inputs and outputs). In a later stage, the process needs to be made more robust and
efficient, and for that purpose the process managers can raise the capability level of the process. The
ISO/IEC 15504-inspired COBIT 5 Process Capability Model and the process capability attributes
can be used for that purpose such as:
Process capability level 2 requires the achievement of two attributes: Performance
Management and Work Product Management. The first attribute requires a number of
planning-phase-related activities:
Objectives for the performance of the process are defined.
Performance of the process is planned.
Responsibilities for performing the process are defined.
Resources are identified.
Etc.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
Practices:
For each COBIT 5 process, the governance/management practices provide a complete set of
high-level requirements for effective and practical governance and management of enterprise
IT. They are:
Statements of actions to deliver benefits, optimise the level of risk and optimise the use
of resources
Aligned with relevant generally accepted standards and good practices
Generic and therefore needing to be adapted for each enterprise
Covering business and IT role players in the process (end-to-end)
The enterprise governance body and management need to make choices relative to these
governance and management practices by:
Selecting those that are applicable and deciding on those that will be implemented
Adding and/or adapting practices where required
Defining and adding non-IT-related practices for integration in business processes
Choosing how to implement them (frequency, span, automation, etc.)
Accepting the risk of not implementing those that may apply
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
(PRM)
Applications
Resources
Business Needs
Governance Domain
Evaluate
Management
Domain
One of the guiding principles in COBIT is the distinction made between governance and management.
In line with this principle, every enterprise would be expected to implement a number of governance
processes and a number of management processes to provide comprehensive governance and
management of enterprise IT.
When considering processes for governance and management in the context of the enterprise, the
difference between types of processes lies within the objectives of the processes:
Governance processes Governance processes deal with the stakeholder governance
objectivesvalue delivery, risk optimisation and resource optimisationand include practices
and activities aimed at evaluating strategic options, providing direction to IT and monitoring
the outcome (EDMin line with the ISO/IEC 38500 standard concepts).
Management processes In line with the definition of management, practices and activities
in management processes cover the responsibility areas of PBRM (an evolution of the COBIT
4.1 domains) enterprise IT, and they have to provide end-to-end coverage of IT.
Although the outcome of both types of processes is different and intended for a different audience,
internally, from the context of the process itself, all processes require planning, building or
implementation, execution and monitoring activities within the process.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
(PRM)
Applications
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
Links between processes and the other enabler categories exist through the following relationships:
Processes need information (as one of the types of inputs) and can produce information (as a
work product)
Processes need organisational structures and roles to operate, as expressed through RACI
charts (e.g. IT steering committee, enterprise risk committee, board, audit, CIO, CEO)
Processes produce, and also require, service capabilities (infrastructure, applications, etc.)
Processes can, and will, depend on other processes
Processes produce, or need, policies and procedures to ensure consistent implementation
and execution
Cultural and behavioural aspects determine how well processes are executed
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Roles/structures 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Roles/structures
According to Mintzberg the organisation structure is the sum total of the ways in which the
organisation divides its labour into distinct tasks and then achieves coordination among them.
The organisation then has 5 coordination mechanisms to form the organisation structure:
Mutual adjustment
Direct supervision
Standardisation of processes
Standardisation of output
Standardisation of skills
Some of these mechanisms are more suited to a certain stage in the organisation (structure)
life cycle.
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
Individual members of the structure
Organisational entities (e.g. departments, business units etc.)
Staff
External stakeholders
Customers
Business partners
Service providers
Stakeholders
Their roles vary, and include decision making, influencing and advising. The stakes of each of the
stakeholders also vary, i.e., what interest do they have in the decisions made by the structure?
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Proper mandate
Well-defined operating principles
(application of good practices)
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Life cycle
Different structures are typically used during each stage in the organisational life cycle:
Entrepreneurial stage: organization is informal and non-bureaucratic. Control is based on the
owners personal supervision. Creativity causes growth. Crisis: Need for leadership. As the
organization starts to grow, the larger number of employees causes problems. Entrepreneurs
must either adjust the structure of the organization to accommodate continued growth or else
bring in strong managers.
Collectivity stage: the provision of clear direction causes growth. Crisis: the need for
delegation with control. Lower-level employees find themselves restricted by the strong
top-down control. The organization needs to find mechanisms to control and coordinate
departments without direct supervision from the top.
Formalisation stage: he addition of internal systems (rules, procedures and control systems)
causes growth. Crisis: Too much red tape. The organization seems bureaucratized. Middle
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Operating principles
Composition
Span of control
Level of authority / decision rights
Delegation of authority
Escalation procedures
Good practices
A number of good practices for organisational structures can be distinguished such as:
Operating principlesThe practical arrangements regarding how the structure will operate,
such as frequency of meetings, documentation and housekeeping rules
CompositionStructures have members, who are internal or external stakeholders.
Span of controlThe boundaries of the organisational structures decision rights
Level of authority/decision rightsThe decisions that the structure is authorised to take
Delegation of authorityThe structure can delegate (a subset of) its decision rights to other
structures reporting to it.
Escalation proceduresThe escalation path for a structure describes the required actions in
case of problems in making decisions.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Visible organisational
structures and processes (hard Artefacts
to decipher)
Unconscious, taken-for-granted
beliefs, perceptions, thoughts Underlying
and feelings (ultimate source of assumptions
values and actions)
The culture of a group can be defined as a pattern of shared basic assumptions that was learned
by a group as it solved its problems of external adaptation and internal integration, that has worked
well enough to be considered valid and, therefore, to be taught to new members as the correct
way to perceive, think, and feel in relation to those problems. (Schein, Organizational culture and
leadership, 2004).
Behaviour is derivative, not central. The above definition of culture emphasises that (overt)
behaviour is always determined both by the he cultural predisposition (the perceptions, thoughts,
and feelings that are patterned) and by the situational contingencies that arise from the immediate
external environment.
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
Executive and non-executive board members
HR Managers
Remuneration board
Stakeholders
As with Principles, policies and frameworks the stakes are twofold: some stakeholders, e.g.,
legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining,
implementing and enforcing desired behaviours, and others have to align with the defined rules
and norms.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Behaviour towards
taking risk
Organisational
ethics
Goals
Goals for the culture, ethics and behaviour enabler relate to:
Organisational ethics, determined by the values by which the enterprise wants to live
Individual ethics, determined by the personal values of each individual in the enterprise and
depending to an important extent on external factors such as religion, ethnicity, socioeconomic
background, geography and personal experiences
Individual behaviours, which collectively determine the culture of an enterprise. Many
factors, such as the external factors mentioned above, but also interpersonal relationships in
enterprises, personal objectives and ambitions, drive behaviours. Some types of behaviours
that can be relevant in this context include:
Behaviour towards taking risk - How much risk does the enterprise feel it can absorb and
which risk is it willing to take?
Behaviour towards following policy - To what extent will people embrace and/or comply
with policy?
Behaviour towards negative outcomes - How does the enterprise deal with negative
outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to
adjust, or will blame be assigned without treating the root cause?
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Life cycle
An organisational culture, ethical stance and individual behaviours, etc., all have their life cycles.
Starting from an existing culture, an enterprise can identify required changes and work towards their
implementation. Several toolsdescribed in the good practicescan be used.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
Good practices for creating, encouraging and maintaining desired behaviour throughout the
enterprise include:
Communication throughout the enterprise of desired behaviours and the underlying
corporate values
Awareness of desired behaviour, strengthened by the example behaviour exercised by senior
management and other champions
Incentives to encourage and deterrents to enforce desired behaviour. There is a clear link
between individual behaviour and the HR reward scheme that an enterprise puts in place.
Rules and norms, which provide more guidance on desired organisational behaviour. This links
very clearly to the principles and policies that an enterprise puts in place.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
Exercise 2 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
IT Processes
Data Value
Information Knowledge
Transform Transform Create
Information can be considered as being one stage in the information cycle of an enterprise. In
the information cycle business processes generate and process data, transforming them into
information and knowledge, and ultimately generating value for the enterprise. The scope of the
information enabler mainly concerns the information phase in the information cycle, but the aspects
of data and knowledge are also covered in COBIT 5.
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
External stakeholders
Categories of roles:
Specific data or information roles
Generic roles (meta level)
Stakeholders
Can be internal or external to the enterprise. The generic model also suggests that, apart from
identifying the stakeholders, their stakes need to be identified, i.e., why they care or are interested
in the information. With respect to which information stakeholders exist, different categories of roles
in dealing with information are possible, ranging from detailed proposalse.g., suggesting specific
data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller,
quality manager, security managerto more general proposalsfor instance, distinguishing amongst
information producers, information custodians and information consumers:
Information producer, responsible for creating the information
Information custodian, responsible for storing and maintaining the information
Information consumer, responsible for using the information
These categories refer to specific activities with regard to the information resource. Activities
depend on the life cycle phase of the information; therefore, to find a category of roles that has
an appropriate level of granularity for the IM, the information life cycle dimension of the IM can be
used. This means that information stakeholder roles can be defined in terms of information life cycle
phases, e.g., information planners, information obtainers, information users.
At the same time, this means that the information stakeholder dimension is not an independent
dimension; different life cycle phases have different stakeholders.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Intrinsic quality
accuracy, objectivity, believability, reputation
Contextual and representational quality:
relevancy, completeness, currency, appropriate amount
of information, concise, consistent, interpretability,
understandability, ease of manipulation
Security / accessibility quality:
availability / timeliness, restricted access
Goals
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Plan
Design
Build / acquire / create / implement
Use / operate
Store
Share
Use
Evaluate / monitor
Update / dispose
Life cycle
The full life cycle of information needs to be considered, and different approaches may be required
for information in different phases of the life cycle. The COBIT 5 information enabler distinguishes
the following phases:
Plan The phase in which the creation and use of the information resource is prepared.
Activities in this phase may refer to the identification of objectives, the planning of the
information architecture, and the development of standards and definitions, e.g., data
definitions, data collection procedures.
Design
Build/acquire/Create/Implement The phase in which the information resource is
acquired. Activities in this phase may refer to the creation of data records, the purchase of
data and the loading of external files.
Use/operate, which includes:
Store The phase in which information is held electronically or in hard copy (or even
just in human memory). Activities in this phase may refer to the storage of information in
electronic form (e.g., electronic files, databases, data warehouses) or as hard copy (e.g.,
paper documents).
Share The phase in which information is made available for use through a distribution
method. Activities in this phase may refer to the processes involved in getting the
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
Cobit 5 distinguishes six levels or layers to define and describe properties of information. These
six levels present a continuum of attributes, ranging from the physical world of information, where
attributes are linked to information technologies and media for information capturing, storing,
processing, distribution and presentation, to the social world of information use, comprehension
and action.
Physical world layer: The world where all phenomena that can be empirically observed
take place
Information carrier/media The attribute that identifies the physical carrier of the
information, e.g., paper, electric signals, sound waves
Empiric layer: The empirical observation of the signs used to encode information and their
distinction from each other and from background noise
Information access channel The attribute that identifies the access channel of the
information, e.g., user interfaces
Syntactic layer The rules and principles for constructing sentences in natural or artificial
languages. Syntax refers to the form of information.
Code/language Attribute that identifies the representational language/format used for
encoding the information and the rules for combining the symbols of the language to form
syntactic structures.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
and applications
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Stakeholders
Service capabilities (the combined term for services, infrastructure and applications) stakeholders
can be internal and external. The service owner is an important internal stakeholder. Important
external stakeholders may be compliancy and regulatory overseers.
Users of services can also be internal business usersand external to the enterprisepartners,
clients, suppliers.
The stakes of each of the stakeholders need to be identified and will either be focussed on delivering
adequate services or on receiving requested services from providers.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Goals
Goals of the service level capability will be expressed in terms of servicesapplications, infrastructure,
technologyand service levels, considering which services and service levels are most economical
for the enterprise. Again, goals will relate to the services and how they are provided, as well as their
outcomes, i.e., contribution towards successfully supported business processes.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Plan
Design
Build / acquire / create / implement
Use / operate
Evaluate / monitor
Update / dispose
Life cycle
Service capabilities have a life cycle. The future or planned service capabilities are typically
described in a target architecture. It covers the building blocks, such as future applications and
the target infrastructure model, and also describes the linkages and relationships amongst these
building blocks.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
6. Services,
Infrastructure and
7. People, Skills and
Competencies
and competencies
Applications
Resources
Enabler Dimension
Are Stakeholders
Are Enabler Goals )S ,IFE #YCLE Are Good Practices
Management
Needs
Achieved? Managed? Applied?
Addressed?
Stakeholders 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Internal stakeholders
Business managers
Project managers
Recruiters
Staff (systems developers, technical IT specialists, etc.)
External stakeholders
Partners
Competitors
Trainers
Stakeholders
Skills and competencies stakeholders are internal and external to the enterprise. Different
stakeholders assume different rolesbusiness managers, project managers, partners, competitors,
recruiters, trainers, developers, technical IT specialists, etc.and each role requires a distinct skill set.
Goals 5. Information
1. Principles, Policies and Frameworks
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Goals
Goals for skills and competencies relate to education and qualification levels, technical skills,
experience levels, knowledge and behavioural skills required to provide and perform successfully
process activities, organisational roles, etc. Goals for people include correct levels of staff availability
and turnover rate.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Life cycle
Skills and competencies have a life cycle. An enterprise has to know what its current skill base
is, and plan what it needs to be. This is influenced by (amongst other issues) the strategy and
goals of the enterprise. Skills need to be developed (e.g., through training) or acquired (e.g.,
through recruitment) and deployed in the various roles within the organisational structure.
Skills may need to be disposed of, e.g., if an activity is automated or outsourced.
Periodically, such as on an annual basis, the enterprise needs to assess the skill base to
understand the evolution that has occurred, which will feed into the planning process for the
next period.
This assessment can also feed into the reward and recognition process for human resources.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Good practices
Define the need for objective skill requirements for each role played by the various
stakeholders. This can be described through different skill levels in different skill categories.
For each appropriate skill level in each skill category, a skill definition should be available.
The skill categories correspond with the IT-related activities undertaken, e.g., information
management, business analysis.
Use external sources of good practice, such as the Skills Framework for the Information Age
(SFIA),17 which provides comprehensive skill definitions.
Examples of potential skill categories, mapped to COBIT 5 process domains can be found in
the Cobit Framework, figure 39 (p. 88).
Note: the skill categories and competencies mentioned here are primarily based on content skills.
Bear in mind that behavioral skills are at least as important as these content skills.
6. Services,
Infrastructure and
7. People, Skills and
Competencies
Applications
Resources
Resources
5
Implementation
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -157- New Horizons
Module
Implementation
5 CobiT 5 Foundation with Case Study (ITG-253 v2.00)
To ensure that real business needs and issues are addressed, it helps to create a business case
outline. Presenting a business case (outline) to the responsible business managers ensures the
focus on actual solutions for the business.
In addition to pain points it is possible to use trigger events to create the appropriate environment
for implementation and change. The pain points refer to the content (why should we start
the implementation) whereas the trigger events refer to the timing (when should we start the
implementation).
Business case
Business case
The business case is not a one-time static document, but a dynamic operational tool that must be
continually updated to
reflect the current view of the future so that a view of the viability of the programme can be maintained.
It can be difficult to quantify the benefits of implementation or improvement initiatives, and care
should be taken to commit only to benefits that are realistic and achievable.
The business case is a valuable tool available to management in guiding the creation of business
value. At a minimum, the business case should include the following:
The business benefits targeted, their alignment with business strategy and the associated
business owner (who in the business will be responsible for securing them). This could be
based on pain points and trigger events.
The business changes needed to create the envisioned value. This could be based on health
checks and capability gap analyses and should clearly state both what is in scope and what is
out of scope.
The investments needed (one-off costs) to make the governance and management of
enterprise IT changes (based on estimates of projects required)
The ongoing IT and business costs
The expected benefits of operating in the changed way. Note that these benefits must
contribute substantially to the targeted business benefits but do not have to be identical
necessarily. You may not be able to realise all targeted business changes on the one hand,
and there may be collateral benefits (i.e. additional benefits) on the other hand.
The risk inherent in the previous bullets, including any constraints and dependencies (based
on challenges and success factors)
Enabling change
Successful implementation
implementing the appropriate change
in the appropriate way
Enabling change
It should not be assumed that the various stakeholders involved in, or impacted by, new or revised
enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance
to change needs to be addressed through a structured and proactive approach. Also, optimal
awareness of the implementation programme should be achieved through a communication plan
that defines what will be communicated, in what way and by whom, throughout the various phases
of the programme.
Sustainable improvement can be achieved either by gaining the commitment of the stakeholders
(investment in winning hearts and minds, the leaders time, and in communicating and responding
to the workforce) or, where still required, by enforcing compliance (investment in processes to
administer, monitor and enforce). In other words, human, behavioural and cultural barriers need
to be overcome so that there is a common interest to properly adopt change, instil a will to adopt
change, and to ensure the ability to adopt change.
The implementation life cycle provides a way for enterprises to use COBIT to address the complexity
and challenges
typically encountered during implementations. The three interrelated components of the life cycle
are the:
1. Core continual improvement life cycleThis is not a one-off project.
2. Enablement of changeAddressing the behavioural and cultural aspects
3. Management of the programme
The
eep 1. Wha
W e K Going? t Are
Th
Do ntum Initia eD
ow e iew te P riv
H om Rev veness rog er
s
M cti ra
7.
fe m
?
Ef Establ
is
To C h D
in
sta ha es
ng ir
Su
2.
?
De Oppo
ere
Wh Problems and
e
its
fin
Reco
itor
t Th
ere
on Nee gnis
nef
e
M Andate d
Act To e
Im Team
Approac ew
alu
hes
6. Did We Ge
Are W
Realise Be
ple
Ev Program Management
Embed N
Form
rtunities
menta n
(Outer Ring)
And e
Assrrent
re
Cu tate
Operat
Measu
e Now?
ess
tio
Change Enablement
(Middle Ring)
I m en
ta g e t e
I m men
m ro
pl
e
r in
t -
e
p
m e te
ef
te
B e?
v
ts -
co ica
T
Op Re
B u il d
An
S
5. H
p
I m pr o v- (Inner Ring)
ut u n
Ma
er u
d
Ex
t To
te e m e nts
a
m
ow
ec
se m
ad
Co O an
ut
Do
Ro
W
I d e n tif y R ol d
e
la
W
e
e
n fi n
W
P lay ers
e
et
De
G
Th D
e re
re
?
Pla n
Program me he
W
4. W 3.
hat N ne?
eeds To B e Do
1. Programme management
Initiate a programme
2. Change management
Establish desire to change
3. Continual improvement
Recognize the need to act
If a person does not see the necessity of change, there will be no change. This goes beyond
(rationally) understanding the need for change, it has to be felt. And change must be effected soon:
there must be a sense of urgency. Change Management guru Kotter suggests that for change to be
successful, 75% of a company's management needs to "buy into" the change. In other words, you
have to work really hard on Phase 1, and spend significant time and energy building urgency, before
moving onto the next steps. Don't panic and jump in too fast because you don't want to risk further
short-term losses if you act without proper preparation, you could be in for a very bumpy ride.
This isn't simply a matter of showing people poor performance statistics or talking about audit
findings. Open an honest and convincing dialogue about what's happening in the enterprise and
the environment. If many people start talking about the change you propose, the urgency can build
and feed on itself.
1. Programme management
Define problems and opportunities
2. Change management
Form implementation team
3. Continual improvement
Assess current state
1. Programme management
Define road map
2. Change management
Communicate outcome
3. Continual improvement
Define target state
1. Programme management
Plan programme
2. Change management
Identify role players
3. Continual improvement
Build improvements
1. Programme management
Execute plan
2. Change management
Operate and use
3. Continual improvement
Implement improvements
1. Programme management
Realise benefits
2. Change management
Embed new approaches
3. Continual improvement
Operate and measure
1. Programme management
Review effectiveness
2. Change management
Sustain
3. Continual improvement
Monitor and evaluate
6
Process Capability
APMG 2012; COBIT is a trademark of ISACA registered in the United States and other countries
T h e W o r l d s L a r g e s t I T Tr a i n i n g C o m p a n y -181- New Horizons
Module
Process Capability
6 CobiT 5 Foundation with Case Study (ITG-253 v2.00)
Process Assessment
Model
What: Foundation
How: Assessor
Roles and
Responsibilities
Based on ISO15504
Based on ISO15504
Cobit5 Process Capability Assessment is based on the ISO 15504 (standard reference model for
process maturity).
Process attribute
Process assessment model (PAM) A model suitable for the purpose of determining
process capability, based on one or more process reference model (PRM)
Process purpose The high-level measurable objectives of performing the process and the
likely outcomes of effective implementation of the process
Process outcome An observable result of a process (Note: an outcome is an artefact, a
significant change of state or the meeting of specified constraints)
Process capability A characterization of the ability of a process to meet current or
projected business goals
Process capability level A point on the six-point ordinal scale (of process capability)
that represents the capability of the process; each level builds on the capability of the
level below
Process capability level rating A representation of the achieved process capability
level derived from the process attribute ratings for an assessed process
Process attribute A measurable characteristic of capability applicable to any process
Capability indicator
Generic practices (GP)
Generic work products (GWP)
Capability levels
5 Capability Level based on 9 process attributes
PA 2.1Performance management
Level 2: Managed process
PA 2.2 Work product management
Capability levels
Optimizing: the process is continuously improved to meet relevant current and projected
business goals
Predictable: the process is enacted consistently within defined limits
Established: a defined process is used based on a standard process
Managed: the process is managed and work products are established, controlled
and maintained
Performed: the processes is implemented and achieves its process purpose
Incomplete: the process is not implemented or fails to achieve its purpose
Each capability level can be achieved only when the level below has been fully achieved. For
example, a process capability level 3 (established process) requires the process definition and
process deployment attributes to be largely achieved, on top of full achievement of the attributes for
a process capability level 2 (managed process).
N Not achieved (0 to 15% achievement) - There is little or no evidence of achievement of the
defined attribute in the assessed process.
P Partially achieved (>15% to 50% achievement) - There is evidence of an approach to
and some achievement of the defined attribute in the assessment approach. Some aspects of
achievement of the attribute may be unpredictable.
L Largely achieved (>50% to 85% achievement) - There is evidence of a systematic
approach to, and significant achievement of, the defined attribute in the assessed process.
Some weakness related to this attribute may exist in the assessed process.
F Fully achieved (>85% to 100% achievement) - There is evidence of a complete and
systematic approach to and full achievement of the defined attribute in the assessed process.
No significant weakness related to this attribute exist in the assessed process.
CAPABILITY
Dimension
Level 5: Optimizing
Level 4: Predictable
Level 3: Established
Level 2: Managed
Level 1: Performed
Level 0: Incomplete
PROCESS
Dimension
(depe Proc
nding
on Pro esses A
cess R Z
eferen
ce Mo
del us
ed)
Remember that ISO15504 is generic, so you may use any PRM. For Cobit it can be either Cobit 5
PRM or Cobit 4.1 PRM. However it does not have to be restricted to Cobit!
It was actually developed in Software Development / Software Improvement area -> PRM used
ISO12207 (for Software Development) or ISO15288 (Systems Engineering)
PAM Cobit 5
CAPABILITY
Dimension
Level 0: Incomplete
PROCESS
EDM Dimension
APO
BAI
DSS
Cobit
5 PR M
MEA
PAM Cobit 5
There is a significant distinction between process capability level 1 and the higher capability levels.
Process capability level 1 achievement requires the process performance attribute to be largely
achieved, which actually means that the process is being successfully performed and the required
outcomes obtained by the enterprise. The higher capability levels then add different attributes to
it. In this assessment scheme, achieving a capability level 1, even on a scale to 5, is already an
important achievement for an enterprise. Note that each individual enterprise shall choose (based
on cost-benefit and feasibility reasons) its target or desired level, which very seldom will happen to
be one of the highest.
COBIT5 Process
COBIT5 Process Assessment Model -
Assessment Model -
Capability Indicators
Performance Indicators
Process Outcomes
The ISO/IEC 15504 standard specifies that process capability assessments can be performed
for various purposes and with varying degrees of rigour. Purposes can be internal, with a focus on
comparisons between enterprise areas and/or process improvement for internal benefit, or they can
be external, with a focus on formal assessment, reporting and certification.
The COBIT 5 ISO/IEC 15504-based assessment approach continues to facilitate the following
objectives that have been a key COBIT approach since 2000 to:
Enable the governance body and management to benchmark process capability
Enable high-level as is and to be health checks to support the governance body and
management investment decision making with regard to process improvement
Provide gap analysis and improvement planning information to support definition of justifiable
improvement projects
Provide the governance body and management with assessment ratings to measure and
monitor current capabilities
Assessing whether the process achieves its goalsor, in other words, achieves capability level 1
can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed
process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what
degree each objective is achieved. This scale consists of the following ratings:
N (Not achieved)There is little or no evidence of achievement of the defined attribute in
the assessed process. (0 to 15 percent achievement)
P (Partially achieved)There is some evidence of an approach to, and some achievement
of, the defined attribute in the assessed process. Some aspects of achievement of the
attribute may be unpredictable. (15 to 50 percent achievement)
L (Largely achieved)There is evidence of a systematic approach to, and significant
achievement of, the defined attribute in the assessed process. Some weakness related to
this attribute may exist in the assessed process. (50 to 85 percent achievement)
F (Fully achieved)There is evidence of a complete and systematic approach to, and full
achievement of, the defined attribute in the assessed process. No significant weaknesses
related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the
same rating scale, expressing the extent to which the base practices are applied.
Performance Management)
Overview of generic work products