Framework Overload
Considering the many challenges faced by IT service providers today, leveraging frameworks to assist in managing and controlling IT services is a logical, yet difficult task. With so many best practices in the market today, how can you know which ones are applicable? There are several methodologies and frameworks competing for the attention of IT leadership, and they all have valuable contributions. If you are looking for a good overview of these, watch this webinar where I discuss this in more depth: https://www.brighttalk.com/webcast/845/60841.
Frameworks are becoming popular because organizations need to be more competitive while holding costs down and ensuring the performance and conformance of IT services, and that drives demand for best practices. Historically, IT service providers were self-directed and considered cost centers. Today, best practices help these providers focus on meeting enterprise objectives. As IT moves up the list of strategic priorities, the need to justify technology investments grows, and with it the need for best practices.
With the overall goal of providing value to the business, consider two core tenets of every IT service provider: provide value in delivered services, and ensure proper governance and control of the processes that support them. This is where the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) play a valuable role.
ITIL is a widely adopted approach for IT Service Management that helps identify, plan, deliver and support IT services to the business and is detailed within five core publications (Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement). It enables delivery of appropriate services that continually ensure benefits delivery and business goal achievement.
COBIT is the latest edition of ISACA’s globally accepted GEIT framework that provides an end-to-end business view of the governance and management of enterprise IT by integrating other major industry frameworks such as ITIL, TOGAF, PRINCE2, and related ISO standards. COBIT effectively helps govern enterprise IT with five principles and seven enablers.
Pick one or use both?
So, where would I start? It depends on what you are trying to accomplish. From my experience, most organizations are in one of three situations (or worse, more than one). I’ve described these below, with my suggestion on which framework seems to make the most sense to lead with.

Integration objectives
Remember, the goal is to implement and manage IT services to achieve business benefits while meeting governance and control requirements. Because of its high-level approach, broad coverage, and foundation on many existing practices, COBIT can easily be used as the integrator that brings multiple practices under one framework and links them to business objectives. With this in mind, the following table will help you understand how COBIT and ITIL fit together.

Critical Success Factors
Whichever approach you choose, there are a few critical success factors that should always be considered when adopting frameworks:
- Focus on value. This is why IT service providers exist – to realize benefits while optimizing risks and resources. Don’t get caught up in adopting framework capabilities unless they have a real positive impact on your business.
- Management commitment. Without it, you’re spinning your wheels. Leadership must be involved in any framework adoption. Grassroots movements sound great, but business priorities must be understood, communicated, and monitored by management.
- Process ownership and accountability. Processes don’t manage themselves. Identify process owners and ensure that they are accountable. Use RACI charts to assist in determining who is Responsible, Accountable, Consulted and Informed.
- Training and communication. Certifications aren’t required but are certainly a plus. Consider foundation level training (at a minimum) for both ITIL and COBIT. One challenge I see is that when a limited number of people at a company are trained, they fail to effectively communicate and transfer that knowledge across the organization. Create a communication and training plan that supports the goals of your framework adoption.
- Continual improvement and measurements. Embrace and embed a service culture. Don’t just stop improving once you’ve started seeing initial wins. Ensure that the culture continually improves on successes, and base these on measurements. Both ITIL and COBIT have excellent models to help here.
Need a little more information? Check out this webinar by APMG:
http://www.apmg-international.com/en/news-events/webinars/256696.aspx.
Good luck!
COBIT 2019 Governance and Management Objectives Domains
Each of the 40 governance and management objectives is aligned with an applicable domain. For example, governance objectives are found in EDM, while management objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process, so COBIT 2019 has 40 processes. The schematic below outlines these.
COBIT Governance and Management Objectives link to Processes.
This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.
Getting from the COBIT “Core” to a tailored governance system
One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.
As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provided some much-needed guidance on how to do this. In addition to the guides, there is also a very handy toolset that can get you started. I’ll show you more on that later.
What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.
Linking the COBIT 2019 Core to a tailored system.
Design Factors and Focus Areas
In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.
Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- I&T-related issues
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
- Enterprise size
- Future factors
If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.
Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.
Impact of Design Factors.
A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:
- Small and medium enterprises
- Cybersecurity
- Digital transformation
- Cloud computing
- Privacy
- DevOps
As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.
Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.
Workflow for designing a tailored governance system
COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.
Steps to creating a tailored governance system using the COBIT Design Guide.
By following these steps (note that you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, the result could include conflicting guidance, which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula for this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.
Linking the Design Guide and Implementation Guides
The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. This is good in my opinion: it is a great model, and it just needed some additional guidance – which we are getting with the Design Guide.
In case you are not familiar with this, the COBIT implementation roadmap looks like this:
The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).
The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.
COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.
The Design Guide and Implementation Guide have a very distinct relationship and specific uses.
Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:
COBIT Design and Implementation Guide Relationships.
You may recognize that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.
Using tools to assist in designing your new governance system
Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:
- Introduction and instructions
- A canvas tab that consolidates results including target capability levels
- One tab for each design factor
- Summary tabs that graphically represent the outcomes of steps 2 and 3
- Mapping tables for design factors
I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.
Closing and suggestions
We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.
As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.