
COBIT: Management Guidelines released by the IT Governance Institute July 2000

COBIT: Management Guidelines released by the IT Governance Institute July 2000. Maturity Models, Critical Success Factors, Key Performance Indicators, IT Generic Process and IT Governance Guidelines, Management Guidelines - Conclusion.


Presentation Transcript


  1. COBIT: Management Guidelines released by the IT Governance Institute July 2000

  2. • Maturity Models • Critical Success Factors • Key Performance Indicators • IT Generic Process and IT Governance Guidelines • Management Guidelines - Conclusion

  3. Management Guidelines
     QUESTION: “What is the right level of control for my IT such that it supports my enterprise objectives?”
     ANSWER: “You will need CSFs which are the most important things you need to do based on the choices made in a Maturity Model, while monitoring through KPIs whether you will likely reach the goals set by the KGIs.”

  4. Indicators? Measures? Scales?

  5. Management Guidelines • Generic and action oriented • For the purpose of • IT Control profiling – what is important? • Awareness – where is the risk? • Benchmarking – what do others do? • Supporting decision making and follow-up • Key performance indicators of IT Processes • Critical success factors of controls • Control implementation choices

  6. Maturity Models

  7. Maturity Models for Self-Assessment

  8. Generic Maturity Model
     • 0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
     • 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
     • 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
     • 3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
     • 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
     • 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

  9. Generic Maturity Model - Dimensions • Understanding and awareness • Training and communications • Processes and practices • Techniques and automation • Compliance • Expertise

  10. Generic Maturity Model - Dimensions
     • Level 1
         • Understanding and awareness: recognition
         • Training and communication: sporadic communication on the issues
         • Processes and practices: ad hoc approaches to process and practices
     • Level 2
         • Understanding and awareness: awareness
         • Training and communication: communication on the overall issue and need
         • Processes and practices: similar/common processes emerge; largely intuitive
         • Techniques and automation: common tools are emerging
         • Compliance: inconsistent monitoring in isolated areas
     • Level 3
         • Understanding and awareness: understand need to act
         • Training and communication: informal training supports individual initiative
         • Processes and practices: existing practices defined, standardised and documented; sharing of the better practices
         • Techniques and automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
         • Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
         • Expertise: involvement of IT specialists
     • Level 4
         • Understanding and awareness: understand full requirements
         • Training and communication: formal training supports a managed program
         • Processes and practices: process ownership and responsibilities assigned; process is sound and complete; internal best practices applied
         • Techniques and automation: mature techniques applied; standard tools enforced; limited, tactical use of technology
         • Compliance: IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
         • Expertise: involvement of all internal domain experts
     • Level 5
         • Understanding and awareness: advanced forward-looking understanding
         • Training and communication: training and communications supports external best practices and use of leading edge concepts/techniques
         • Processes and practices: best external practices applied
         • Techniques and automation: sophisticated techniques are deployed; extensive, optimised use of technology
         • Compliance: global application of IT Balanced Scorecard and exceptions are globally and consistently noted by management; root cause analysis consistently applied
         • Expertise: use of external experts and industry leaders for guidance

  11. How to use Benchmark Results …gap and impact analysis

  12. In summary
     • Maturity Models
         • Refer to business requirements and the enabling aspects at the different levels
         • Are scales that lend themselves to pragmatic comparison
         • Are scales where the difference can be made measurable in an easy manner
         • Are recognisable as a “profile” of the enterprise in relation to IT governance and control
         • Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
         • Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
         • Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level

  13. Critical Success Factors

  14. Critical Success Factors
     • Management oriented IT control implementation guidance
     • Most important things that contribute to the IT process achieving its goal
     • Strategically
     • Technically
     • Organisationally
     • Process or Procedure
     • Control Statement and Considerations of the ‘Waterfall’
     • Visible and measurable signs of success
     • Short, focussed and action oriented
     • Leveraging the resources of primary importance in this process

  15. Critical Success Factors Guidance from Control Model • Responsibility • Strict standard • Documented control process • Control information • Evidence and accountability

  16. Critical Success Factors [figure labels: Strategic, Tactical, Administrative]

  17. Critical Success Factors PO AI DS MO

  18. In summary
     • Critical Success Factors
         • Represent the most important things to do to increase the probability of success of the process
         • Are observable - usually measurable - characteristics of the organisation and process
         • Are either strategic, technological, organisational or procedural in nature
         • Focus on obtaining, maintaining and leveraging capability and skills
         • Are expressed in terms of the process, not necessarily the business

  19. Key Performance Indicators

  20. Key Performance Indicators: Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspective are set and monitored.

  21. Key Performance Indicators: In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal. The first measure expresses delivery against a goal and is also called a ‘LAG indicator’, as it is typically measurable after the fact. The second expresses how well one delivers and is also called a ‘LEAD indicator’, as it predicts the probability of success.

  22. Key Performance Indicators [figure: “Business Objectives and Measures” scorecard (Financial, Customer, Process, Learning) and “IT Objectives and Measures” scorecard (Financial, Customer, Process, Learning), with a “?” between them] IT is one of the enablers of the business and will have its own scorecard ... but how are they linked? The COBIT model provides for that link through the definition of the information criteria

  23. Key Performance Indicators • The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in • COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile • This profile also expresses the enterprise’s position on risk

  24. Key Performance Indicators The goal for IT can then be expressed as The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process

  25. Cascaded Performance Indicators

  26. Goal X Key Performance Indicators • KGI for goal; measurable indicators of the process achieving its goal • f(Business Requirement of the ‘Waterfall’) • Influenced by the primary and secondary information criteria • A potential source can be found in COBIT’s ‘Substantiating Risk’ section in the Audit Guidelines

  27. Key Goal Indicators Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as: • Availability of systems and services • Absence of integrity and confidentiality risks • Cost-efficiency of processes and operations • Confirmation of reliability, effectiveness and compliance

  28. In summary
     • Key Goal Indicators
         • Describe the outcome of the process and are therefore ‘lag’ indicators, i.e., measurable after the fact
         • Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
         • Focus on the customer and financial dimensions of the balanced business scorecard
         • Represent the process goal, i.e., a measure of “what”, a target to achieve
         • May describe a measure of the impact of not reaching the process goal
         • Are IT oriented, but business driven
         • Are expressed in precise measurable terms, wherever possible
         • Focus on those information criteria that have been identified to be of most importance for this process

  29. Key Performance Indicators • KPI for performance; measurable indicators of performance of the enabling factors • f(Control Statement and Considerations in ‘Waterfall’) • How well they leverage/manage the resources needed

  30. In summary
     • Key Performance Indicators
         • Are a measure of “how well” the process is performing
         • Predict the probability of success or failure in the future, i.e., are ‘LEAD’ indicators
         • Are process oriented, but IT driven
         • Focus on the process and learning dimensions of the balanced scorecard
         • Are expressed in precise, measurable terms
         • Help in improving the IT process

  31. Management Guidelines Presentation

  32. Management Guidelines Presentation

  33. [figure: Business Balanced Scorecard, IT Strategic Balanced Scorecard, IT Development Balanced Scorecard and IT Operational Balanced Scorecard, each with Financial, Customer, Process and Learning perspectives; other labels: REQUIREMENTS, INFORMATION, PO, AI, DS, MO]

  34. IT Generic Process and IT Governance Guidelines

  35. The COBIT Framework has been enhanced with a number of improvements driven by: • Management Control • Performance Management • IT Governance

  36. IT Generic Process and IT Governance Guidelines • Generic guidelines were developed, applying to all processes • Subsequently these were expanded with CSFs, KGIs and KPIs applicable to IT in general • This was converged to IT Governance guidelines by adding generally applicable IT Governance practices and measures • The type and amount of information dictated two guidelines • IT Generic Process • IT Governance

  37. IT Governance Model

  38. Generic Process Guideline
     Control over an IT process and its activities with specific business goals
     • is determined by the delivery of information to the business that addresses the required information criteria and is measured by KGIs
     • is enabled by creating and maintaining a system of process and control excellence appropriate for the business
     • considers CSFs that leverage specific IT resources and is measured by KPIs

  39. Generic Process Guideline Critical Success Factors
     • IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
     • The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
     • Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
     • A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
     • Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
     • Goals and objectives are communicated across all disciplines and are understood
     • It is known how to implement and monitor process objectives and who is accountable for process performance
     • A continuous process quality improvement effort is applied
     • There is clarity on who the customers of the process are
     • The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

  40. Generic Process Guideline Key Goal Indicators
     • Increased level of service delivery
     • Number of customers and cost per customer served
     • Availability of systems and services
     • Absence of integrity and confidentiality risks
     • Cost efficiency of processes and operations
     • Confirmation of reliability and effectiveness
     • Adherence to development cost and schedule
     • Cost efficiency of the process
     • Staff productivity and morale
     • Number of timely changes to processes and systems
     • Improved productivity (e.g., delivery of value per employee)

  41. Generic Process Guideline Key Performance Indicators
     • System downtime
     • Throughput and response times
     • Amount of errors and rework
     • Number of staff trained in new technology and customer service skills
     • Benchmark comparisons
     • Number of non-compliance reportings
     • Reduction in development and processing time

  42. IT Generic Process Maturity Model
     • 0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
     • 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
     • 2 Repeatable. There is global awareness of the issues and processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
     • 3 Defined. Goals and objectives are being communicated and understood. IT processes are aligned with the IT strategy. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
     • 4 Managed. IT processes are aligned and integrated with the IT strategy and the business goals. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Achievement of objective measures is rewarded. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
     • 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

  43. IT Governance Guideline
     Governance over IT and its processes with goal of adding value to the business, while balancing risk versus return
     • ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs
     • is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
     • considers CSFs that leverage all IT resources and is measured by KPIs

  44. IT Governance Guideline Critical Success Factors
     • IT governance activities are integrated into the enterprise governance process and leadership behaviours
     • IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands
     • IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities
     • Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes
     • Organisational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow up of control deficiencies and risks
     • Control practices are defined to avoid breakdowns in internal control and oversight
     • There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management
     • An audit committee is established to appoint and oversee an independent auditor, focusing on IT when driving audit plans, and review the results of audits and third-party reviews.

  45. IT Governance Guideline Key Goal Indicators
     • Enhanced performance and cost management
     • Improved return on major IT investments
     • Improved time to market
     • Increased quality, innovation and risk management
     • Appropriately integrated and standardised business processes
     • Reaching new and satisfying existing customers
     • Availability of appropriate bandwidth, computing power and IT delivery mechanisms
     • Meeting requirements and expectations of the customer of the process on budget and on time
     • Adherence to laws, regulations, industry standards and contractual commitments
     • Transparency on risk taking and adherence to the agreed organisational risk profile
     • Benchmarking comparisons of IT governance maturity
     • Creation of new service delivery channels

  46. IT Governance Guideline Key Performance Indicators
     • Improved cost-efficiency of IT processes (costs vs. deliverables)
     • Increased number of IT action plans for process improvement initiatives
     • Increased utilisation of IT infrastructure
     • Increased satisfaction of stakeholders (survey and number of complaints)
     • Improved staff productivity (number of deliverables) and morale (survey)
     • Increased availability of knowledge and information for managing the enterprise
     • Increased linkage between IT and enterprise governance
     • Improved performance as measured by IT balanced scorecards

  47. IT Governance Maturity Model
     • 0 Non-Existent. There is a complete lack of any recognisable IT governance processes. The organisation has not even recognised that there is an issue to be addressed.
     • 1 Initial. There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised IT governance processes, but there are instead ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
     • 2 Repeatable. IT governance processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual.
     • 3 Defined. IT governance procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalisation of existing practices.
     • 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where IT governance processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
     • 5 Optimised. IT governance processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

  48. Management Guidelines – Conclusion • Value Proposition • Development Process • Components • Presentation

  49. Management Guidelines Value Proposition • Open Standard • Framework • Control Objectives • Implementation Tool Set • Management Guidelines • Value added products • Audit Guidelines • How will it look? • What is its value?
