IT Governance course : COBIT’s Management Guidelines

March 2, 2008

COBIT’s Management Guidelines

COBIT’s Management Guidelines consist of maturity models, critical success factors (CSFs), key goal indicators (KGIs) and key performance indicators (KPIs). This structure delivers a significantly improved framework responding to management’s need for control and measurability of IT by providing management with tools to assess and measure their organisation’s IT environment against COBIT’s 34 IT processes.

COBIT’s Management Guidelines are generic and action-oriented for the purpose of addressing the following types of management concerns:

  • Performance measurement — What are the indicators of good performance?

  • IT control profiling — What’s important? What are the critical success factors for control?

  • Awareness — What are the risks of not achieving our objectives?

  • Benchmarking — What do others do? How do we measure and compare?

An answer to these requirements of determining and monitoring the appropriate IT security and control level is the definition of specific:

  • Benchmarking of IT control practices (expressed as maturity models)

  • Performance indicators of the IT processes — for their outcome and their performance

  • Critical success factors for getting these processes under control

The Management Guidelines are consistent with and build upon the principles of the Balanced Business Scorecard. [5] In "simple terms", these measures will assist management in monitoring their IT organisation by answering the following questions:

  1. What is the management concern?

    Make sure that the enterprise needs are fulfilled.

  2. Where is it measured?

    On the Balanced Business Scorecard as a key goal indicator, representing an outcome of the business process.

  3. What is the IT concern?

    That the IT processes deliver on a timely basis the right information to the enterprise, enabling the business needs to be fulfilled. This is a critical success factor for the enterprise.

  4. Where is that measured?

    On the IT Balanced Scorecard, as a key goal indicator representing the outcome for IT, which is that information is delivered with the right criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability).

  5. What else needs to be measured?

    Whether the outcome is positively influenced by a number of critical success factors that need to be measured as key performance indicators of how well IT is doing.

Each element of the Management Guidelines will be examined in further detail.

Maturity Models

IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT’s processes and high-level control objectives, the process owner should be able to incrementally benchmark against that control objective. This creates three needs:

  • A relative measure of where the organisation is

  • A manner to decide efficiently where to go

  • A tool for measuring progress against the goal

The approach to maturity models for control over IT processes consists of developing a method of scoring so that an organisation can grade itself from non-existent to optimised (from 0 to 5). This approach is based on the maturity model that the Software Engineering Institute defined for the maturity of the software development capability. [6] Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.

In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met. Against levels developed for each of COBIT’s 34 IT processes, management can map:

  • The current status of the organisation — where the organisation is today

  • The current status of (best-in-class in) the industry — the comparison

  • The current status of international standard guidelines — additional comparison

  • The organisation’s strategy for improvement — where the organisation wants to be

For each of the 34 IT processes, there is an incremental measurement scale, based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from Non-existent to Optimised as follows:

  • 0 Non-existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

  • 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

  • 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

  • 3 Defined. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

  • 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

  • 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

The maturity model scales help professionals explain to managers where IT management shortcomings exist and set targets for where they need to be by comparing their organisation’s control practices to the best practice examples. The right maturity level will be influenced by the enterprise’s business objectives and operating environment. Specifically, the level of control maturity depends on the enterprise’s dependence on IT, its technology sophistication and, most importantly, the value of its information.

A strategic reference point for an organisation to improve security and control could also consist of looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and are therefore useful for planning where an organisation wants to be over time.

In summary, maturity models:

  • Refer to business requirements and the enabling aspects at the different maturity levels

  • Are a scale that lends itself to pragmatic comparison, where differences can be made measurable in an easy manner

  • Help setting "as-is" and "to-be" positions relative to IT Governance, security and control maturity

  • Lend themselves to gap analysis to determine what needs to be done to achieve a chosen level

  • Avoid, where possible, discrete levels that create thresholds that are difficult to cross

  • Increasingly apply critical success factors

  • Are neither industry-specific nor always applicable. The type of business defines what is appropriate.

Critical Success Factors

Critical success factors provide management with guidance for implementing control over IT and its processes. They are the most important things to do that contribute to the IT process achieving its goals. They are activities that can be of a strategic, technical, organisational, process or procedural nature. They are usually dealing with capabilities and skills and have to be short, focused and action-oriented, leveraging the resources that are of primary importance in the process under consideration.

A number of critical success factors can be deduced that apply to most IT processes:

Applying to IT in General

  • IT processes are defined and aligned with the IT strategy and the business goals.

  • The customers of the process and their expectations are known.

  • Processes are scalable and their resources are appropriately managed and leveraged.

  • The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, retrain) exist.

  • IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability. IT management is rewarded based on these measures.

  • A continuous quality improvement effort is applied.

Applying to Most IT Processes

  • All process stakeholders (users, management, etc.) are aware of the risks, of the importance of IT and the opportunities it can offer, and provide strong commitment and support.

  • Goals and objectives are communicated across all disciplines and understood; it is known how processes implement and monitor objectives, and who is accountable for process performance.

  • People are goal-focused and have the right information on customers, on internal processes and on the consequences of their decisions.

  • A business culture is established, encouraging cross-divisional co-operation, teamwork and continuous process improvement.

  • There is integration and alignment of major processes, e.g., change, problem and configuration management.

  • Control practices are applied to increase efficient and optimal use of resources and improve the effectiveness of processes.

Applying to IT Governance

  • Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and scalability, and avoid breakdowns in internal control and oversight.

  • Practices that enable sound oversight are applied: a control environment and culture; a code of conduct; risk assessment as a standard practice; self-assessments; formal compliance on adherence to established standards; monitoring and follow-up of control deficiencies and risk.

  • IT Governance is recognised and defined, and its activities are integrated into the enterprise governance process, giving clear direction for IT strategy, a risk management framework, a system of controls and a security policy.

  • IT Governance focuses on major IT projects, change initiatives and quality efforts, with awareness of major IT processes, the responsibilities and the required resources and capabilities.

  • An audit committee is established to appoint and oversee an independent auditor, drive the IT audit plan and review the results of audits and third party opinions.

In summary, critical success factors are:

  • Essential enablers focused on the process or supporting environment

  • A thing or a condition that is required to increase the probability of success of the process

  • Observable — usually measurable — characteristics of the organisation and process

  • Either strategic, technological, organisational or procedural in nature

  • Focused on obtaining, maintaining and leveraging capability and skills

  • Expressed in terms of the process, not necessarily the business

Key Goal Indicators

A key goal indicator, representing the process goal, is a measure of what has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve. By comparison, a key performance indicator is a measure of how well the process is performing.

How are business and IT goals and measures linked? The COBIT Framework expresses the objectives for IT in terms of the information criteria that the business needs in order to achieve the business objectives, which will usually be expressed in terms of:

  • Availability of systems and services

  • Absence of integrity and confidentiality risks

  • Cost-efficiency of processes and operations

  • Confirmation of reliability, effectiveness and compliance

The goal for IT can then be expressed as delivering the information that the business needs in line with these criteria. These information criteria are provided in the Management Guidelines with an indication whether they have primary or secondary importance for the process under review. In practice, the information criteria profile of an enterprise would be more specific. The degree of importance of each of the information criteria is a function of the business and the environment in which the enterprise operates.

Key goal indicators are lag indicators, as they can be measured only after the fact, as opposed to key performance indicators, which are lead indicators, giving an indication of success before the fact. They also can be expressed negatively, i.e., in terms of the impact of not reaching the goal.

Key goal indicators should be measurable as a number or percentage. These measures should show that information and technology are contributing to the mission and strategy of the organisation. Because goals and targets are specific to the enterprise and its environment, many key goal indicators have been expressed with a direction, e.g., increased availability, decreased cost. In practice, management has to set specific targets which need to be met, taking into account past performance and future goals.

In summary, key goal indicators are:

  • A representation of the process goal, i.e., a measure of what, or a target to achieve

  • The description of the outcome of the process and therefore lag indicators, i.e., measurable after the fact

  • Immediate indicators of the successful completion of the process or indirect indicators of the value the process delivered to the business

  • Possibly descriptions of a measure of the impact of not reaching the process goal

  • Focused on the customer and financial dimensions of the Balanced Business Scorecard

  • IT-oriented but business-driven

  • Expressed in precise, measurable terms wherever possible

  • Focused on those information criteria that have been identified as most important for this process

Key Performance Indicators

Key performance indicators are measures that tell management that an IT process is achieving its business requirements by monitoring the performance of the enablers of that IT process. Building on Balanced Business Scorecard principles, the relationship between key performance indicators and key goal indicators is as follows: key performance indicators are short, focused and measurable indicators of performance of the enabling factors of the IT processes, indicating how well the process enables the goal to be reached. While key goal indicators focus on what, the key performance indicators are concerned with how. They often are a measure of a critical success factor and, when monitored and acted upon, identify opportunities for the improvement of the process. These improvements should positively influence the outcome and, as such, key performance indicators have a cause-effect relationship with the key goal indicators of the process.

While key goal indicators are business-driven, key performance indicators are process-oriented and often express how well the processes and the organisation leverage and manage the needed resources. Similar to key goal indicators, they often are expressed as a number or percentage. A good test of a key performance indicator is to see whether it really does predict success or failure of the process goal and whether or not it assists management in improving the process.

Some generic key performance indicators follow that usually are applicable to all IT processes:

Applying to IT in General

  • Reduced cycle times (i.e., responsiveness of IT production and development)

  • Increased quality and innovation

  • Utilisation of communications bandwidth and computing power

  • Service availability and response times

  • Satisfaction of stakeholders (survey and number of complaints)

  • Number of staff trained in new technology and customer service skills

Applying to Most IT Processes

  • Improved cost-efficiency of the process (cost vs. deliverables)

  • Staff productivity (number of deliverables) and morale (survey)

  • Amount of errors and rework

Applying to IT Governance

  • Benchmark comparisons

  • Number of non-compliance reports

In summary, key performance indicators:

  • Are measures of how well the process is performing

  • Predict the probability of success or failure in the future, i.e., are lead indicators

  • Are process-oriented, but IT-driven

  • Focus on the process and learning dimensions of the Balanced Business Scorecard

  • Are expressed in precisely measurable terms

  • Help in improving the IT process when measured and acted upon

  • Focus on those resources identified as the most important for this process
