Management Guidelines IT Governance Institute


1 Management Guidelines IT Governance Institute
COBIT: Management Guidelines released by the IT Governance Institute July 2000

2 Maturity Models Critical Success Factors Key Performance Indicators IT Generic Process and IT Governance Guidelines Management Guidelines - Conclusion

3 Management Guidelines
QUESTION: "What is the right level of control for my IT such that it supports my enterprise objectives?"
ANSWER: "You will need CSFs, which are the most important things you need to do based on the choices made in a Maturity Model, while monitoring through KPIs whether you are likely to reach the goals set by the KGIs."

To ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. Management is looking for the answer to two questions: What is the right level of control in IT? What are the right decisions that lead to a balance between managing risks and realising benefits? The Management Guidelines, representing a major investment in the COBIT 3rd Edition, provide some answers to these questions, expressed in terms that management can use: Maturity Models, CSFs, KPIs and KGIs.

4 Indicators? Measures? Scales?
Management has traditionally asked these basic questions: How do I keep the ship on course? How do I achieve results that are satisfactory to all my stakeholders, shareholders, customers and partners? How can I adapt my organisation in a timely manner? Current management toolsets talk about dashboards, scorecards and benchmarks. What is missing is that dashboards need indicators, scorecards need measures and benchmarks need scales. This is the basic premise used in the development of the Management Guidelines.

5 Management Guidelines
Generic and action oriented, for the purpose of:
- IT control profiling: what is important?
- Awareness: where is the risk?
- Benchmarking: what do others do?
Supporting decision making and follow-up:
- Key performance indicators of IT processes
- Critical success factors of controls
- Control implementation choices

The basic intent of the Management Guidelines is to provide generic and action oriented guidelines for the purpose of defining what is important for management, increasing awareness about risk and risk management, and creating the tool to answer the question: What are the others doing? This toolset was built to help management's decision support process through defining KPIs of IT processes (What are the right indicators that tell me that the process is working?), critical success factors (What is the most important thing to do?), benchmarks (Where am I, where do I want to be and what are others doing?) and then a tool set to help make the right choices. The Management Guidelines assist enterprise and IT management in determining the appropriate level of control over IT so that it supports enterprise objectives. They support self-assessment of strategic organisational status, identification of actions to improve IT processes and monitoring the performance of these IT processes.

6 Maturity Models

7 Maturity Models for Self-Assessment
The development was guided by the Software Engineering Institute’s efforts in the late 80’s in building maturity models for software development. The Management Guidelines expand this basic concept by applying it to the management of IT processes. The principles were used to define a set of levels that allow an organisation to assess where it is relative to the control and governance over IT. These levels are presented on a scale that moves from non-existent, on the left, to optimized, on the right. By using such a scale, an organisation can determine where it is, define where it wants to go and, if it identifies a gap, it can do an analysis to translate the findings into projects. Reference points can be added to the scale. Comparisons can be performed with what others are doing, if that data is available, and the organisation can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.

8 Generic Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

The basis for definition is a very generic and simple maturity model:
- the zero level is the stage where the organisation has no recognisable processes
- the first level is an initial stage where the organisation only starts recognising that it has an issue relative to poorly defined IT management processes and that it needs to do something about control
- at the second level, some processes begin to be repeatable: IT staff are performing the same processes, not necessarily documented, and dependent on key people to make them repeatable
- at the third level, the organisation starts documenting its practices, so that others besides key people can start performing similar activities
- at the managed level, the policies and procedures are more sophisticated and performance measurement has become formalised
- finally, at the optimised level, best practices are utilised, there is continuous improvement and IT is considered an enabler of the enterprise's goals
This very simple and generic maturity model was used as a basis for developing the specific maturity models for each of the 34 COBIT processes.

9 Generic Maturity Model - Dimensions
- Understanding and awareness
- Training and communications
- Processes and practices
- Techniques and automation
- Compliance
- Expertise
The basic maturity model presented was expanded by adding key new dimensions, such as the ones presented here.

10 Generic Maturity Model - Dimensions
Level 1
- Understanding and awareness: recognition
- Training and communication: sporadic communication on the issues
- Processes and practices: ad hoc approaches to process and practices
Level 2
- Understanding and awareness: awareness
- Training and communication: communication on the overall issue and need
- Processes and practices: similar/common processes emerge; largely intuitive
- Techniques and automation: common tools are emerging
- Compliance: inconsistent monitoring in isolated areas
Level 3
- Understanding and awareness: understand need to act
- Training and communication: informal training supports individual initiative
- Processes and practices: existing practices defined, standardised and documented; sharing of the better practices
- Techniques and automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
- Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
- Expertise: involvement of IT specialists
Level 4
- Understanding and awareness: understand full requirements
- Training and communication: formal training supports a managed programme
- Processes and practices: process ownership and responsibilities assigned; process is sound and complete; internal best practices applied
- Techniques and automation: mature techniques applied; standard tools enforced; limited, tactical use of technology
- Compliance: IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
- Expertise: involvement of all internal domain experts
Level 5
- Understanding and awareness: advanced, forward-looking understanding
- Training and communication: training and communications support external best practices and use of leading edge concepts/techniques
- Processes and practices: best external practices applied
- Techniques and automation: sophisticated techniques are deployed; extensive, optimised use of technology
- Compliance: global application of IT Balanced Scorecard and exceptions are globally and consistently noted by management; root cause analysis consistently applied
- Expertise: use of external experts and industry leaders for guidance

This table illustrates how the dimensions identified earlier can be introduced into the maturity model. Additional and better practices are then integrated at certain levels of maturity.
Of course, new dimensions can be added by each organisation as it implements these management guidelines, depending on what management considers to be strategic in accomplishing its goals. By defining the resulting maturity model, the organisation can then assess where it is along the desired dimensions and processes and then decide where it wants to be. Comparisons with external benchmarks and industry best practices can provide additional capabilities to identify the most effective use of the organisation’s resources.

11 How to use Benchmark Results
Gap and impact analysis. The analysis of the current and desired stage of maturity will identify gaps and provide a basis for deciding on corrective actions. Individual or related groups of gaps can then be addressed with specific and well defined projects that will close these gaps. Impact analysis can then be performed to prioritise these projects according to benefit, cost and risk.

12 In summary Maturity Models
Maturity models:
- Refer to business requirements and the enabling aspects at the different levels
- Are scales that lend themselves to pragmatic comparison
- Are scales where the difference can be made measurable in an easy manner
- Are recognisable as a "profile" of the enterprise in relation to IT governance and control
- Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
- Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
- Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level

SUMMARY. Maturity models refer to the business requirements and the enabling aspects at the different levels of organisational capability. They use scales that lend themselves to pragmatic comparisons by providing clear differentiation. They are measurable and recognisable. They support gap analysis and help define "as-is" and "to-be" positions. The maturity models are generic and do not have industry specific characteristics. Using the concepts presented in this section, each organisation can customise the definition of each level by adding new dimensions that reflect its culture and competitive environment. The models do not imply that the optimised level is necessarily the ideal level to be at. The chosen level has to reflect the available resources and the desired alignment of the IT strategy with the overall organisational strategy. The selection of the appropriate level in the maturity model is supported by identifying CSFs, which are defined in the next section of the presentation.

13 Critical Success Factors

14 Critical Success Factors
- Management oriented IT control implementation guidance
- Most important things that contribute to the IT process achieving its goal: strategically, technically, organisationally, or as a process or procedure
- Control Statement and Considerations of the "Waterfall"
- Visible and measurable signs of success
- Short, focussed and action oriented
- Leveraging the resources of primary importance in this process

The CSFs are defined as the most important things for management to do, conditions to be met or statuses to be reached, so that success in controlling IT processes is achieved. They can be strategic or policy related, a technical implementation of a control feature, an organisational change or a newly developed process or procedure. They are expressed as a function of the enabling statement and are related to the considerations of the high-level COBIT control objectives.

15 Critical Success Factors
Guidance from the Control Model:
- Responsibility
- Strict standard
- Documented control process
- Control information
- Evidence and accountability

Some guidance in defining CSFs comes from the standard control model, where management sets objectives for activities and the activities provide control information, which is then compared against defined norms and action is taken when a deviation occurs. This simple model defines a number of requirements for control over processes, including responsibility for the activity and reporting, good standards of operation, a documented control process and clear accountability.

16 Critical Success Factors
Strategic, Tactical, Administrative

CSFs apply at multiple layers: strategic, tactical and administrative. The typical management sequence of plan, do, check and correct occurs at many organisational layers. Doing at the strategic level becomes planning at the tactical level, and doing at the tactical level becomes planning at the administrative level. Control happens at different layers in different forms.

17 Critical Success Factors
(Diagram: IT governance model across the PO, AI, DS and MO domains)

Important CSFs for getting IT under control can be identified by considering the IT governance model. Based on this model, in order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing. The CSFs were defined to support the objectives of the IT governance model. The KGIs and KPIs presented in the next sections are defined to support monitoring the performance of the organisation relative to these objectives.

18 The concept of cascading, as explained earlier with the standard control model, also applies to the governance model, where inside each activity is another governance model. Governance occurs at the board of directors level, at the executive and middle management layer, as well as at the day-to-day supervisory level. To be successful, control needs to be considered and integrated at all levels of the organisation.

19 In summary Critical Success Factors
Critical success factors:
- Represent the most important things to do to increase the probability of success of the process
- Are observable, usually measurable, characteristics of the organisation and process
- Are either strategic, technological, organisational or procedural in nature
- Focus on obtaining, maintaining and leveraging capability and skills
- Are expressed in terms of the process, not necessarily the business

SUMMARY. CSFs are the most important things to do, conditions to be met or statuses to be reached in order to increase the probability of success of the process. They are of different kinds: strategic, technological, organisational or procedural. Their selection is influenced by the maturity model level that the organisation wants to reach. They focus on obtaining, maintaining and leveraging the capability and skills of the organisation. The Management Guidelines include a set of generic CSFs that apply to all IT processes in general and a set that applies specifically to IT governance. These two sets provide strategic direction and also ensure that the CSFs defined for the 34 specific IT processes of COBIT are process specific and not redundant.

20 Key Performance Indicators

21 Key Performance Indicators
Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspectives are set and monitored.

In defining how to measure the performance of IT processes and their alignment with the overall organisational goals, the basic concepts of the balanced business scorecard provide insights. The balanced business scorecard, first defined by Robert Kaplan and David Norton, includes the following perspectives: Customer, Financial, Internal Process, and Learn and Innovate. The customer and financial perspectives emphasise the organisation's response to external factors, while the internal process and the learn and innovate perspectives address how the organisation is managing its resources to achieve overall objectives and goals.

22 Key Performance Indicators
In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal.

This diagram illustrates the balanced business scorecard relationship between goals and their enablers. In this example, IT enables a business goal by providing the information needed to support business processes and organisational objectives. Goals are measured based on their outcomes, while enablers are measured based on their performance in support of the goal. The first measure expresses delivery against a goal and is also called a "LAG indicator", as it is typically measurable only after the fact. The second expresses how well one delivers and is also called a "LEAD indicator", as it predicts the probability of success.

23 ? Key Performance Indicators
IT is one of the enablers of the business and will have its own scorecard ... but how are they linked?
(Diagram: Business Objectives and Measures across the Financial, Customer, Process and Learning perspectives, linked to IT Objectives)

Expanding on the basic principles of the balanced business scorecard, IT can be considered a major enabler of the business and will have its own scorecard. Thus, the scorecards for IT and business relate to each other. The approach taken by the Management Guidelines, within the COBIT Framework, is to consider that IT delivers to the business the information that the business needs to achieve its objectives. The requirements for delivery of this information are defined in terms of the information criteria identified for all the COBIT high-level control objectives. The COBIT model provides that link through the definition of the information criteria.

24 Key Performance Indicators
- The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in
- COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile
- This profile also expresses the enterprise's position on risk

The information criteria vary according to the business. For example, in the banking environment, integrity and confidentiality requirements are extremely high. In another environment, efficiency may be more important. By ranking the information criteria, the enterprise can also quantify its position on the risk associated with the level to which the information criteria are met.

25 Key Performance Indicators
The goal for IT can then be expressed as

The relationship between the IT enabler and the business goals can then be expressed in terms of the specific information criteria that need to be delivered. The key information criteria are defined for each IT process in the COBIT Framework. The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process.

26 Cascaded Performance Indicators
A further extension of the concept is to show that these scorecards can be cascaded. The business has a scorecard, where IT is the enabler and IT's measures are performance measures. In the IT strategic scorecard, these measures become IT's goals. Planning and Organisation, as an example of a COBIT domain, is an enabler for IT and its measures become goals for the processes below it.

27 Key Goal Indicators
KGI for goal: measurable indicators of the process achieving its goal
- f(Business Requirement of the "Waterfall")
- Influenced by the primary and secondary information criteria
- A potential source can be found in COBIT's "Substantiating Risk" section in the Audit Guidelines

The balanced business scorecard provides for two types of measures: one which looks at the performance of the enablers, henceforth called a KPI, and another which looks at the goals (measures of outcome), called a KGI. KGIs need to be defined to support measuring the outcome in satisfying the business requirement of the COBIT high-level control objective. The "Substantiating Risk" section in the COBIT Audit Guidelines also provides direction on how to express to management the absence or inefficiency of control; it provides goal measurements, usually in negative terms, because it is used when an auditor finds problems in the control environment.

28 Key Goal Indicators
Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as:
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost-efficiency of processes and operations
- Confirmation of reliability, effectiveness and compliance

KGIs in the IT environment are usually expressed using the information criteria defined in the high-level control objectives of COBIT: the availability of systems and services, absence of integrity and confidentiality risks, cost-efficiency of processes and operations, and confirmation of reliability, effectiveness and compliance.

29 In summary Key Goal Indicators
Key goal indicators:
- Describe the outcome of the process and are therefore "lag" indicators, i.e., measurable after the fact
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Focus on the customer and financial dimensions of the balanced business scorecard
- Represent the process goal, i.e., a measure of "what", a target to achieve
- May describe a measure of the impact of not reaching the process goal
- Are IT oriented, but business driven
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for this process

SUMMARY. The KGIs are a measure of the outcome of the process and they are lag indicators, as they indicate after the fact that the process has been successful. They are expressed in terms of the business contribution of the process. Recalling the four perspectives of the balanced business scorecard, KGIs focus primarily on the customer and the financial perspectives. The process and learning perspectives of the balanced business scorecard are primarily enablers, as they allow the organisation to be successful in the future. KGIs are IT oriented, but business driven.

30 Key Performance Indicators
KPI for performance: measurable indicators of performance of the enabling factors
- f(Control Statement and Considerations in the "Waterfall")
- How well they leverage/manage the resources needed

KPIs are needed to monitor the enablers of the processes and they measure how well resources are managed. They are defined to reflect the control statement and considerations of the COBIT control objective.

31 In summary Key Performance Indicators
Key performance indicators:
- Are a measure of "how well" the process is performing
- Predict the probability of success or failure in the future, i.e., are "LEAD" indicators
- Are process oriented, but IT driven
- Focus on the process and learning dimensions of the balanced scorecard
- Are expressed in precise, measurable terms
- Help in improving the IT process

SUMMARY. KPIs measure how well a process is performing. A reference to them may be found in the COBIT control statements and control considerations, the same place where ideas can be found for many of the CSFs. They measure how well the organisation leverages the resources needed in the process. They predict the probability of success, so they are lead indicators. They are process oriented, but IT driven, as opposed to KGIs, which are IT oriented but business driven. They focus on the process and learning dimensions of the balanced scorecard.

32 Management Guidelines Presentation
All the concepts discussed earlier can be linked as presented in this diagram. Goals support business objectives and are measured by KGIs. The enabler provides information with the criteria needed to support the business goal, considers CSFs that leverage specific IT resources and is measured by KPIs.

33 Management Guidelines Presentation
This is another way to express the relationships presented in the previous slide. The business goal has to address the required information criteria and has an outcome that is measured by KGIs. The goal is enabled by the control statement which considers CSFs to leverage specific IT resources. The performance of the enabler is measured by KPIs. This updated “waterfall” model is used in the Management Guidelines to integrate the newly defined measures of performance with the current high-level control objectives.

34 Business Balanced Scorecard and the COBIT Domains
(Diagram: the Business Balanced Scorecard passes Requirements to the IT Strategic Balanced Scorecard (PO), which is enabled by the IT Development Balanced Scorecard (AI) and the IT Operational Balanced Scorecard (DS); each scorecard has Financial, Customer, Process and Learning perspectives; IT returns Information to the business; MO spans all domains)

How can the concepts presented earlier be further expanded and integrated? What is the relationship between the goals and enablers of the balanced business scorecard and COBIT's domains and IT processes? This diagram presents an extension of the balanced business scorecard. IT is an enabler of the business and consists of development and operational components, which have their own IT scorecards. The business has specific requirements and IT responds to those requirements by providing the required information, according to the information criteria specified in COBIT. The IT strategic balanced scorecard, where we define how we respond to the business requirements, maps into COBIT's Planning and Organisation (PO) domain. The IT development component is an enabler of the PO domain and has its own IT balanced scorecard that maps into the Acquire and Implement (AI) domain. The IT operational component is also an enabler for the processes in the PO domain, has its own IT balanced scorecard and maps into the Delivery and Support (DS) domain. Across all of these is the Monitoring (MO) domain.

35 IT Generic Process and IT Governance Guidelines

36 Management Control, Performance Management, IT Governance
The COBIT Framework has been enhanced with a number of improvements driven by:
- Management Control
- Performance Management
- IT Governance

Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies. They need to reach a balance between managing risks and realising benefits. Management needs new concepts and tools to provide strategic direction and monitor performance. The COBIT Management Guidelines provide the tools that allow management to self-assess and make choices for control implementation and improvements over its information and related technology. These guidelines assist in aligning the IT organisation with the goals of the enterprise and provide performance measurements to ensure that these goals are achieved.

37 IT Generic Process and IT Governance Guidelines
- Generic guidelines were developed, applying to all processes
- Subsequently these were expanded with CSFs, KGIs and KPIs applicable to IT in general
- This was converged to IT Governance guidelines by adding generally applicable IT Governance practices and measures
- The type and amount of information dictated two guidelines: IT Generic Process and IT Governance

The Management Guidelines include CSFs, KGIs, KPIs and Maturity Models for all of COBIT's 34 high-level control objectives. In addition, guidelines were developed for the overall, IT generic processes and for IT governance. These guidelines support the broader goals of the organisation.

38 IT Governance Model In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. The guidelines shown in the following slides present the CSFs, KGIs, KPIs and Maturity Models developed to support this management need.

39 Generic Process Guideline
Control over an IT process and its activities with specific business goals
- is determined by the delivery of information to the business that addresses the required information criteria and is measured by KGIs
- is enabled by creating and maintaining a system of process and control excellence appropriate for the business
- considers CSFs that leverage specific IT resources and is measured by KPIs

To support the overall organisation, IT needs to address business goals, support them with the required information and perform its activities effectively by leveraging IT resources. Performance measures are defined for managing progress towards the goal.

40 Generic Process Guideline
Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

41 Generic Process Guideline
Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

42 Generic Process Guideline
Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reports
- Reduction in development and processing time

See slide.

43 IT Generic Process Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable. There is global awareness of the issues, and processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and therefore errors are likely.

3 Defined. Goals and objectives are being communicated and understood. IT processes are aligned with the IT strategy. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed. IT processes are aligned and integrated with the IT strategy and the business goals. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Achievement of objective measures is rewarded. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.
The basis for definition is a very generic and simple maturity model:
- indicated as a zero level is the stage where the organisation has no recognisable processes
- the first level is an initial stage where the organisation only starts recognising that it has an issue relative to poorly defined IT management processes and that it needs to do something about control
- at the second level, some processes begin to be repeatable: IT staff are performing the same processes, not necessarily documented, and dependent on key people to make them repeatable
- at the third level, the organisation starts documenting its practices, so that others besides key people can start performing similar activities
- then there is a managed level, where the policies and procedures are more sophisticated and the performance measurement has become formalised
- finally, at the optimised level, best practices are utilised, there is continuous improvement and IT is considered an enabler of the enterprise's goals

This is the very simple and generic maturity model that was used as a basis for developing the specific maturity models for each of the 34 COBIT processes.

44 IT Governance Guideline
Governance over IT and its processes, with the goal of adding value to the business while balancing risk versus return:
- ensures delivery of information to the business that addresses the required information criteria, and is measured by KGIs
- is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT, which considers CSFs that leverage all IT resources and is measured by KPIs

While the generic process guideline is process management and effectiveness oriented, the IT governance guideline also addresses the need to reach a balance between managing risks and realising benefits. It indicates CSFs and performance measures oriented towards directing and monitoring IT processes.

45 IT Governance Guideline
Critical Success Factors
- IT governance activities are integrated into the enterprise governance process and leadership behaviours
- IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands
- IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities
- Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes
- Organisational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow-up of control deficiencies and risks
- Control practices are defined to avoid breakdowns in internal control and oversight
- There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management
- An audit committee is established to appoint and oversee an independent auditor, focusing on IT when driving audit plans, and to review the results of audits and third-party reviews

See slide.

46 IT Governance Guideline
Key Goal Indicators
- Enhanced performance and cost management
- Improved return on major IT investments
- Improved time to market
- Increased quality, innovation and risk management
- Appropriately integrated and standardised business processes
- Reaching new and satisfying existing customers
- Availability of appropriate bandwidth, computing power and IT delivery mechanisms
- Meeting requirements and expectations of the customer of the process on budget and on time
- Adherence to laws, regulations, industry standards and contractual commitments
- Transparency on risk taking and adherence to the agreed organisational risk profile
- Benchmarking comparisons of IT governance maturity
- Creation of new service delivery channels

See slide.

47 IT Governance Guideline
Key Performance Indicators
- Improved cost-efficiency of IT processes (costs vs. deliverables)
- Increased number of IT action plans for process improvement initiatives
- Increased utilisation of IT infrastructure
- Increased satisfaction of stakeholders (survey and number of complaints)
- Improved staff productivity (number of deliverables) and morale (survey)
- Increased availability of knowledge and information for managing the enterprise
- Increased linkage between IT and enterprise governance
- Improved performance as measured by IT balanced scorecards

See slide.

48 IT Governance Maturity Model
0 Non-Existent. There is a complete lack of any recognisable IT governance processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised IT governance processes, but there are instead ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable. IT governance processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual.

3 Defined. IT governance procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalisation of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where IT governance processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. IT governance processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.

See slide.

49 Management Guidelines – Conclusion
- Value Proposition
- Development Process
- Components
- Presentation

50 Management Guidelines Value Proposition
Open Standard: Framework, Control Objectives, Implementation Tool Set, Management Guidelines
Value added products: Audit Guidelines
How will it look? What is its value?

The Management Guidelines have been added as an open standard component of COBIT. Integrated with the Framework, they provide additional capabilities to support self-assessment, alignment with overall organisational goals and measurement of performance. They provide management with a toolset that, in addition to control, also addresses manageability. They represent a significant investment in COBIT. They will evolve, and the experience of business end users, IT management, and security, audit and control practitioners will be reflected in future editions of COBIT. The Management Guidelines will support an increasingly pro-active role for all these professionals, providing a more strategic and benefit-realisation perspective in controlling and managing the IT organisation.

51 Management Guidelines Development Process
Chicago Workshop
- 4 days
- 40 people
- Gartner and PwC

Top Experts
- IT governance
- Performance management
- Information security and control

Development, QA and Exposure
- Good tools
- Workgroup tools
- Web-based exposure
- PDF-based document distribution
- Extensive review

The Management Guidelines were developed, in an interactive workshop, by a worldwide group of 40 IT management, security, audit and control professionals. They represented industry, government, academic and professional services organisations. Gartner and PricewaterhouseCoopers provided conceptual input, workshop facilitation and review. The COBIT Steering Committee provided development guidelines and conducted the quality assurance process.

52 Management Guidelines Components
- IT governance guideline
- Generic IT process guideline
- For each of the 34 IT processes: one maturity model, 5 to 7 KGIs, 8 to 10 CSFs, 6 to 8 KPIs

As described earlier, two generic guidelines were developed. For each of COBIT's high-level control objectives, a number of KGIs, CSFs and KPIs were defined, as indicated. The resulting guidelines are generic, not industry specific, and organisations need to consider their application and extension based on their strategic needs, resource availability and cultural factors. The basic concepts presented in the framework of the Management Guidelines provide a basis for adapting them to the needs of individual organisations.

53 Management Guidelines Presentation
In closing, this illustrates one more time how the Management Guidelines integrate and present the new and existing concepts and functionality of COBIT, at the high-level control objective level. Goals support business objectives and are measured by KGIs. The IT enabler provides information with the criteria needed to support the business goal, considers CSFs that leverage specific IT resources and is measured by KPIs. Together with the Maturity Models, the KGIs, CSFs and KPIs result in a toolset that will provide management with new options in directing, controlling and managing IT.
