Governing Information Technology Through COBIT [1]

Erik Guldentops
IT Governance Institute, USA

Copyright 2004, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.

Abstract

Board oversight of information technology has not kept pace with the rapid growth of IT as a critical driver of business success. However, this is shortsighted, since effective governance over IT Governance protects shareholder value; makes clear that IT risks are quantified and understood; directs and controls IT investment, opportunity, benefits and risks; aligns IT with the business while accepting IT as a critical input to and component of the strategic plan; sustains current operations and prepares for the future; and is an integral part of a global governance structure.

Like most other governance activities, IT Governance engages both board and executive management. Among the board's responsibilities are reviewing and guiding corporate strategy, setting and monitoring achievement of management's performance objectives, and ensuring the integrity of the organisation's systems. Management's focus is generally on cost-efficiency, revenue enhancement and building capabilities, all of which are enabled by information, knowledge and the IT infrastructure.

The four main focus areas for IT Governance are driven by stakeholder value. Two are outcomes: value delivery and risk mitigation. Two are drivers: strategic alignment and performance measurement.

Action plans for implementing effective IT Governance, from both a board and an executive management point of view, consist of activities, outcome measures, best practices, critical success factors and performance drivers. In addition, organisations must assess how well they are currently performing and be able to identify where and how improvements can be made. The use of maturity models simplifies this task and provides a pragmatic, structured approach for measurement.

Control Objectives for Information and related Technology (COBIT), a third edition of which was issued by the IT Governance Institute in 2000, incorporates material on IT Governance and a Management Guidelines component. COBIT presents an international and generally accepted IT control framework enabling organisations to implement an IT Governance structure throughout the enterprise.

The Management Guidelines consist of maturity models, critical success factors, key goal indicators and key performance indicators. This structure delivers a significantly improved framework responding to management's need for control and measurability of IT by providing tools to assess and measure the organisation's IT environment against COBIT's 34 IT processes.

[1]The information in this chapter is based primarily on Control Objectives for Information and Related Technology (COBIT), published by the IT Governance Institute. Control Objectives for Information and Related Technology (COBIT) 3rd Edition, IT Governance Institute, 2000. Reprinted by permission.

What is IT Governance and Why is IT Important?

As information technology has become a critical driver of business success, boards of directors have not kept pace. IT demands thorough and thoughtful board governance, yet such oversight has often been lacking because IT has been seen as an operations matter best left to management, and board members lacked interest or expertise in technology issues.

While boards have always scrutinized business strategy and strategic risks, IT has tended to be overlooked, despite the fact that it involves large investments and huge risks. Reasons include:

• The technical insight required to understand how IT enables the enterprise — and creates risks and opportunities
• The tradition of treating IT as an entity separate to the business
• The complexity of IT, even more apparent in the extended enterprise operating in a networked economy

Closing the IT Governance gap has become imperative as it becomes more difficult to separate an organisation's overall strategic mission from the underlying IT strategy that enables that mission to be fulfilled.

IT Governance is ultimately important because expectations and reality often do not match. Boards expect management to juggle a myriad of responsibilities: deliver quality IT solutions on time and on budget, harness and exploit IT to return business value and leverage IT to increase efficiency and productivity while managing IT risks. However, boards frequently see business losses, damaged reputations or weakened competitive positions, unmet deadlines, higher-than-expected costs, lower-than-expected quality and failures of IT initiatives to deliver promised benefits.

IT Governance extends the board's mission of defining strategic direction and ensuring that objectives are met, risks are managed and resources are used responsibly. Pervasive use of technology has created a critical dependency on IT that calls for a specific focus on IT Governance. Such governance should ensure that an organization's IT sustains and extends its strategies and objectives.

Effective IT Governance:

• Protects shareholder value
• Makes clear that IT risks are quantified and understood
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT as a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains current operations and prepares for the future
• Is an integral part of a global governance structure

Whom Does IT Concern?

Like most other governance activities, IT Governance intensively engages both board and executive management in a cooperative manner. However, due to complexity and specialisation, this governance layer must rely heavily on the lower layers in the enterprise to provide the information needed in its decision-making and evaluation activities. To have effective IT Governance in the enterprise, the lower layers need to apply the same principles of setting objectives, providing and getting direction, and providing and evaluating performance measures. As a result, good practices in IT Governance need to be applied throughout the enterprise.

What Can They do About IT?

Among the board's responsibilities are reviewing and guiding corporate strategy, setting and monitoring achievement of management's performance objectives, and ensuring the integrity of the organisation's systems.

How Should the Board Address the Challenges?

The board should drive enterprise alignment by:

• Ascertaining that IT strategy is aligned with enterprise strategy
• Ascertaining that IT delivers against the strategy through clear expectations and measurement
• Directing IT strategy to balance investments between supporting and growing the enterprise
• Making considered decisions about where IT resources should be focused

The board should direct management to deliver measurable value through IT by:

• Delivering on time and on budget
• Enhancing reputation, product leadership and cost-efficiency
• Providing customer trust and competitive time-to-market

The board should also measure performance by:

• Defining and monitoring measures together with management to verify that objectives are achieved and to measure performance to eliminate surprises
• Leveraging a system of Balanced Business Scorecards maintained by management that form the basis for executive management compensation

The board should manage enterprise risk by:

• Ascertaining that there is transparency about the significant risks to the organisation
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that risk mitigation can generate cost-efficiencies
• Considering that a proactive risk management approach can create competitive advantage
• Insisting that risk management be embedded in the operation of the enterprise
• Ascertaining that management has put processes, technology and assurance in place for information security to ensure that:
  • Business transactions can be trusted
  • IT services are usable, can appropriately resist attacks and recover from failures
  • Critical information is withheld from those who should not have access to it

How Should Executive Management Address the Expectations?

The executive's focus is generally on cost-efficiency, revenue enhancement and building capabilities, all of which are enabled by information, knowledge and the IT infrastructure. Because IT is an integral part of the enterprise, and as its solutions become more and more complex (outsourcing, third-party contracts, networking, etc.), adequate governance becomes a critical factor for success. To this end, management should:

• Embed clear accountabilities for risk management and control over IT into the organisation
• Cascade strategy, policies and goals down into the enterprise and align the IT organisation with the enterprise goals
• Provide organisational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information
• Measure performance by having outcome measures [2], [3], [4] for business value and competitive advantage that IT delivers and performance drivers to show how well IT performs
• Focus on core business competencies IT must support, i.e., those that add customer value, differentiate the enterprise's products and services in the marketplace, and add value across multiple products and services over time
• Focus on important IT processes that improve business value, such as change, applications and problem management. Management must become aggressive in defining these processes and their associated responsibilities.
• Focus on core IT competencies that usually relate to planning and overseeing the management of IT assets, risks, projects, customers and vendors
• Have clear external sourcing strategies, focussing on the management of third-party contracts and associated service level and on building trust between organisations, enabling interconnectivity and information sharing

[2]In this document, "stakeholder" is used to indicate anyone who has either a responsibility for or an expectation from the enterprise's IT, e.g., shareholders, directors, executives, business and technology management, users, employees, governments, suppliers, customers and the public.

[3]In this document, "board of directors" and "board" are used to indicate the body that is ultimately accountable to the stakeholders of the enterprise.

[4]The COBIT control framework refers to key goal indicators (KGIs) and key performance indicators (KPIs) for the Balanced Business Scorecard concepts of outcome measures and performance drivers.

What Does IT Cover?

Fundamentally, IT Governance is concerned about two things: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need measurement, for example, by a Balanced Scorecard. This leads to the four main focus areas for IT Governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk mitigation. Two of them are drivers: strategic alignment and performance measurement.

IT Strategic Alignment IT Alignment is a Journey, Not a Destination

The key question is whether a firm's investment in IT is in harmony with its strategic objectives (intent, current strategy and enterprise goals) and thus building the capabilities necessary to deliver business value. This state of harmony is referred to as "alignment". It is complex, multifaceted and never completely achieved. It is about continuing to move in the right direction and being better aligned than competitors. This may not be attainable for many enterprises because enterprise goals change too quickly, but is nevertheless a worthwhile ambition because there is real concern about the value of IT investment.

Alignment of IT has been synonymous with IT strategy, i.e., does the IT strategy support the enterprise strategy? For IT Governance, alignment encompasses more than strategic integration between the (future) IT organisation and the (future) enterprise organisation. It is also about whether IT operations are aligned with the current enterprise operations. Of course, it is difficult to achieve IT alignment when enterprise units are misaligned.

IT Value Delivery IT Value is in the Eye of the Beholder

The basic principles of IT value are delivery on time, within budget and with the benefits that were promised. In business terms, this is often translated into: competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability. Several of these elements are either subjective or difficult to measure, something all stakeholders need to be aware of.

The value that IT adds to the business is a function of the degree to which the IT organisation is aligned with the business and meets the expectations of the business. The business has expectations relative to the contents of the IT deliverable:

• Fit for purpose, meeting business requirements
• Flexibility to adopt future requirements
• Throughput and response times
• Ease of use, resiliency and security
• Integrity, accuracy and currency of information

The business also has expectations regarding the method of working:

• Time-to-market
• Cost and time management
• Partnering success
• Skill set of IT staff

To manage these expectations, IT and the business should use a common language for value which translates business and IT terminology and is based wholly on fact.

Performance Measurement In IT, if You re Playing the Game and Not Keeping Score, You re Just Practising

Strategy has taken on a new urgency as enterprises mobilise intangible and hidden assets to compete in an information-based global economy. Balanced Scorecards translate strategy into action to achieve goals with a performance measurement system that goes beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow. At the heart of these scorecards is management information supplied by the IT infrastructure. IT also enables and sustains solutions for the actual goals set in the financial (enterprise resource management), customer (customer relationship management), process (intranet and workflow tools) and learning (Knowledge Management) dimensions of the scorecard.

IT needs its own scorecard. Defining clear goals and good measures that unequivocally reflect the business impact of the IT goals is a challenge and needs to be resolved in co-operation among the different governance layers within the enterprise. The linkage between the Business Balanced Scorecard and the IT Balanced Scorecard is a strong method of alignment.

Risk Management It s the IT Alligators You Don t See that Will Get You

Enterprise risk comes in many varieties, not only financial risk. Regulators are specifically concerned about operational and systemic risk, within which technology risk and information security issues are prominent. Infrastructure protection initiatives in the U.S. and the UK point to the utter dependence of all enterprises on IT infrastructures and the vulnerability to new technology risks. The first recommendation these initiatives make is for risk awareness of senior corporate officers.

Therefore, the board should manage enterprise risk by:

• Ascertaining that there is transparency about the significant risks to the organisation and clarifying the risk-taking or risk-avoidance policies of the enterprise
• Being aware that the final responsibility for risk management rests with the board, so, when delegating to executive management, making sure the constraints of that delegation are communicated and clearly understood
• Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency
• Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited
• Insisting that risk management is embedded in the operation of the enterprise, responds quickly to changing risks and reports immediately to appropriate levels of management, supported by agreed principles of escalation (what to report, when, where and how)

What Questions Should be Asked?

While it is not the most efficient IT Governance process, asking tough questions is an effective way to get started. Of course, those responsible for governance want good answers to these questions. Then they want action. Then they need follow-up. It is essential to determine, along with the action, who is responsible to deliver what by when.

An extensive checklist of questions is provided in Board Briefing on IT Governance. The questions focus on three objectives: questions asked to discover IT issues, to find out what management is doing about them, and to self-assess the board's governance over them. For example:

To Uncover IT Issues

• How often do IT projects fail to deliver what they promised?
• Are end users satisfied with the quality of the IT service?
• Are sufficient IT resources, infrastructure and competencies available to meet strategic objectives?

To Find Out How Management Addresses the IT Issues

• How well are enterprise and IT objectives aligned?
• How is the value delivered by IT being measured?
• What strategic initiatives has executive management taken to manage IT's criticality relative to maintenance and growth of the enterprise, and are they appropriate?

To Self Assess IT Governance Practices

• Is the board regularly briefed on IT risks to which the enterprise is exposed?
• Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
• Does the board articulate and communicate the business objectives for IT alignment?

How is IT Accomplished?

Action plans for implementing effective IT Governance, from both a board and an executive management point of view, are provided in detail in Board Briefing on IT Governance. These plans consist of the following elements:

• Activities list what is done to exercise the IT Governance responsibilities and the subjects identify those items that typically get onto an IT Governance agenda.
• Outcome measures relate directly to the subjects of IT Governance, such as the alignment of business and IT objectives, cost-efficiencies realised by IT, capabilities and competencies generated and risks and opportunities addressed.
• Best practices list examples of how the activities are being performed by those who have established leadership in governance of technology.
• Critical success factors are conditions, competencies and attitudes that are critical to being successful in the practices.
• Performance drivers provide indicators on how IT Governance is achieving, as opposed to the outcome measures that measure what is being achieved. They often relate to the critical success factors.

The plans list IT Governance activities and link a set of subjects and practices to them. Practices are classified to reflect the IT Governance area(s) to which they provide the greatest contribution: value delivery, strategic alignment, risk management and/or performance (V, A, R, P). A list of critical success factors is provided in support of the practices. Finally, two sets of measures are listed: outcome measures that relate to the IT Governance subjects and performance drivers that relate to how activities are performed and the associated practices and critical success factors.

How Does Your Organisation Compare?

For effective governance of IT to be implemented, organisations need to assess how well they are currently performing and be able to identify where and how improvements can be made. This applies to both the IT Governance process itself and to all the processes that need to be managed within IT.

The use of maturity models greatly simplifies this task and provides a pragmatic and structured approach for measuring how well developed your processes are against a consistent and easy-to-understand scale:

• 0 = Non-existent. Management processes are not applied at all.
• 1 = Initial. Processes are ad hoc and disorganised.
• 2 = Repeatable. Processes follow a regular pattern.
• 3 = Defined. Processes are documented and communicated.
• 4 = Managed. Processes are monitored and measured.
• 5 = Optimised. Best practices are followed and automated.

(For a complete description of the various maturity levels, see Board Briefing on IT Governance.)

Using this technique the organisation can:

• Build a view of current practices by discussing them in workshops and comparing to example models
• Set targets for future development by considering model descriptions higher up the scale and comparing to best practices
• Plan projects to reach the targets by defining the specific changes required to improve management
• Prioritise project work by identifying where the greatest impact will be made and where it is easiest to implement

Introducing COBIT

Control Objectives for Information and related Technology (COBIT) was initially published by the Information Systems Audit and Control Foundation™ (ISACF™ in 1996, and was followed by a second edition in 1998. The third edition, which incorporates all-new material on IT Governance and Management Guidelines, was issued by the IT Governance Institute in 2000. COBIT presents an international and generally accepted IT control framework enabling organisations to implement an IT Governance structure throughout the enterprise.

Since its first issuance, COBIT has been adopted in corporations and by governmental entities throughout the world.

All portions of COBIT, except the Audit Guidelines, are considered an open standard and may be downloaded on a complimentary basis from the Information Systems Audit and Control Association's web site, www.isaca.org/cobit.htm. The Audit Guidelines are available on a downloadable basis to ISACA members only.

The COBIT Framework

Business orientation is the main theme of COBIT. It begins from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. It is designed to be employed as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. COBIT promotes a process focus and process ownership.

The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains:

• Planning and Organisation: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
• Acquisition and Implementation: To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the lifecycle is continued for these systems.
• Delivery and Support: This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.
• Monitoring: All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organisation's control process and independent assurance provided by internal and external audit or obtained from alternative sources.

Corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT's 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Management Guidelines further enhance and enable enterprise management to deal more effectively with the needs and requirements of IT Governance. The guidelines are action-oriented and generic and provide management direction for getting the enterprise's information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.

COBIT also contains an Implementation Tool Setthat provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools — Management Awareness Diagnostic and IT Control Diagnostic — to assist in analyzing an organisation's IT control environment.

Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations worldwide. Thus, COBIT is designed to be the break-through IT Governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.

The COBIT Control Objectives

For the purposes of COBIT, the following definitions are provided. "Control" is adapted from the COSO Report (Internal Control — Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and "IT Control Objective" is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

IT Control Objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information. In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models:

• Quality requirements — Quality, Cost, Delivery
• Fiduciary requirements (COSO Report) — Effectiveness and Efficiency of operations; Reliability of Information; Compliance with laws and regulations
• Security requirements — Confidentiality; Integrity; Availability

Starting the analysis from the broader Quality, Fiduciary and Security requirements, seven distinct, certainly overlapping, categories were extracted. COBIT's working definitions are as follows:

• Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
• Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
• Reliability of Information relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities.

The IT resources identified in COBIT can be explained/defined as follows:

• Data are objects in their widest sense (i.e., external and internal), structured and non-structured, graphics, sound, etc.
• Application Systems are understood to be the sum of manual and programmed procedures.
• Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities are all the resources to house and support information systems.
• People include staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

COBIT consists of high-level control objectives for each process which identify which information criteria are most important in that IT process, state which resources will usually be leveraged and provide considerations on what is important for controlling that IT process. The underlying theory for the classification of the control objectives is that there are, in essence, three levels of IT efforts when considering the management of IT resources. Starting at the bottom, there are the activities and tasks needed to achieve a measurable result. Activities have a lifecycle concept while tasks are more discrete. The lifecycle concept has typical control requirements different from discrete activities. Processes are then defined one layer up as a series of joined activities or tasks with natural (control) breaks. At the highest level, processes are naturally grouped together into domains. Their natural grouping is often confirmed as responsibility domains in an organisational structure and is in line with the management cycle or lifecycle applicable to IT processes.

Thus, the conceptual framework can be approached from three vantage points: (1) information criteria, (2) IT resources and (3) IT processes.

It is clear that all control measures will not necessarily satisfy the different business requirements for information to the same degree.

• Primary is the degree to which the defined control objective directly impacts the information criterion concerned.
• Secondary is the degree to which the defined control objective satisfies only to a lesser extent or indirectly the information criterion concerned.
• Blank could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.

Similarly, all control measures will not necessarily impact the different IT resources to the same degree. Therefore, the COBIT Framework specifically indicates the applicability of the IT resources that are specifically managed by the process under consideration (not those that merely take part in the process). This classification is made within the COBIT Framework, based on a rigorous process of input from researchers, experts and reviewers, using the strict definitions previously indicated.

Each high-level control objective is accompanied by detailed control objectives, 318 in all, providing additional detail on how control should be exercised over that particular process. In addition, extensive audit guidelines are included for building on the objectives.

Sample high-level control objectives, with their related detailed control objectives, are provided at the end of the chapter for PO9, the Assess Risks process in the Planning and Organisation domain, and DS5, the Ensure System Security process in the Delivery and Support domain.

COBIT s Management Guidelines

COBIT's Management Guidelines consist of maturity models, critical success factors (CSFs), key goal indicators (KGIs) and key performance indicators (KPIs). This structure delivers a significantly improved framework responding to management's need for control and measurability of IT by providing management with tools to assess and measure their organisation's IT environment against COBIT's 34 IT processes.

COBIT's Management Guidelines are generic and action-oriented for the purpose of addressing the following types of management concerns:

• Performance measurement — What are the indicators of good performance?
• IT control profiling — What's important? What are the critical success factors for control?
• Awareness — What are the risks of not achieving our objectives?
• Benchmarking — What do others do? How do we measure and compare?

An answer to these requirements of determining and monitoring the appropriate IT security and control level is the definition of specific:

• Benchmarking of IT control practices (expressed as maturity models)
• Performance indicators of the IT processes — for their outcome and their performance
• Critical success factors for getting these processes under control

The Management Guidelines are consistent with and build upon the principles of the Balanced Business Scorecard. [5] In "simple terms", these measures will assist management in monitoring their IT organisation by answering the following questions:

1. What is the management concern?

   Make sure that the enterprise needs are fulfilled.

2. Where is it measured?

   On the Balanced Business Scorecard as a key goal indicator, representing an outcome of the business process.

3. What is the IT concern?

   That the IT processes deliver on a timely basis the right information to the enterprise, enabling the business needs to be fulfilled. This is a critical success factor for the enterprise.

4. Where is that measured?

   On the IT Balanced Scorecard, as a key goal indicator representing the outcome for IT, which is that information is delivered with the right criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability).

5. What else needs to be measured?

   Whether the outcome is positively influenced by a number of critical success factors that need to be measured as key performance indicators of how well IT is doing.

Each element of the Management Guidelines will be examined in further detail.

Maturity Models

IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes and high-level control objectives, the process owner should be able to incrementally benchmark against that control objective. This creates three needs:

• A relative measure of where the organisation is
• A manner to decide efficiently where to go
• A tool for measuring progress against the goal

The approach to maturity models for control over IT processes consists of developing a method of scoring so that an organisation can grade itself from non-existent to optimised (from 0 to 5). This approach is based on the maturity model that the Software Engineering Institute defined for the maturity of the software development capability. [6] Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.

In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met. Against levels developed for each of COBIT's 34 IT processes, management can map:

• The current status of the organisation — where the organisation is today
• The current status of (best-in-class in) the industry — the comparison
• The current status of international standard guidelines — additional comparison
• The organisation's strategy for improvement — where the organisation wants to be

For each of the 34 IT processes, there is an incremental measurement scale, based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from Non-existent to Optimised as follows:

• 0 Non-existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
• 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case-bycase basis. The overall approach to management is disorganised.
• 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
• 3 Defined. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
• 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
• 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

The maturity model scales help professionals explain to managers where IT management shortcomings exist and set targets for where they need to be by comparing their organisation's control practices to the best practice examples. The right maturity level will be influenced by the enterprise's business objectives and operating environment. Specifically, the level of control maturity depends on the enterprise's dependence on IT, its technology sophistication and, most importantly, the value of its information.

A strategic reference point for an organisation to improve security and control could also consist of looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and are therefore useful for planning where an organisation wants to be over time.

In summary, maturity models:

• Refer to business requirements and the enabling aspects at the different maturity levels
• Are a scale that lends itself to pragmatic comparison, where differences can be made measurable in an easy manner
• Help setting "as-is" and "to-be" positions relative to IT Governance, security and control maturity
• Lend themselves to gap analysis to determine what needs to be done to achieve a chosen level
• Avoid, where possible, discrete levels that create thresholds that are difficult to cross
• Increasingly apply critical success factors
• Are not industry-specific nor always applicable. The type of business defines what is appropriate.

Critical Success Factors

Critical success factors provide management with guidance for implementing control over IT and its processes. They are the most important things to do that contribute to the IT process achieving its goals. They are activities that can be of a strategic, technical, organisational, process or procedural nature. They are usually dealing with capabilities and skills and have to be short, focused and action-oriented, leveraging the resources that are of primary importance in the process under consideration.

A number of critical success factors can be deduced that apply to most IT processes:

Applying to IT in General

• IT processes are defined and aligned with the IT strategy and the business goals.
• The customers of the process and their expectations are known.
• Processes are scalable and their resources are appropriately managed and leveraged.
• The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, retrain) exist.
• IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability. IT management is rewarded based on these measures.
• A continuous quality improvement effort is applied.

Applying to Most IT Processes

• All process stakeholders (users, management, etc.) are aware of the risks, of the importance of IT and the opportunities it can offer, and provide strong commitment and support.
• Goals and objectives are communicated across all disciplines and understood; it is known how processes implement and monitor objectives, and who is accountable for process performance.
• People are goal-focused and have the right information on customers, on internal processes and on the consequences of their decisions.
• A business culture is established, encouraging cross-divisional co-operation, teamwork and continuous process improvement.
• There is integration and alignment of major processes, e.g., change, problem and configuration management.
• Control practices are applied to increase efficient and optimal use of resources and improve the effectiveness of processes.

Applying to IT Governance

• Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and scalability, and avoid breakdowns in internal control and oversight.
• Practices that enable sound oversight are applied: a control environment and culture; a code of conduct; risk assessment as a standard practice; self-assessments; formal compliance on adherence to established standards; monitoring and follow-up of control deficiencies and risk.
• IT Governance is recognised and defined, and its activities are integrated into the enterprise governance process, giving clear direction for IT strategy, a risk management framework, a system of controls and a security policy.
• IT Governance focuses on major IT projects, change initiatives and quality efforts, with awareness of major IT processes, the responsibilities and the required resources and capabilities.
• An audit committee is established to appoint and oversee an independent auditor, drive the IT audit plan and review the results of audits and third party opinions.

In summary, critical success factors are:

• Essential enablers focused on the process or supporting environment
• A thing or a condition that is required to increase the probability of success of the process
• Observable — usually measurable — characteristics of the organisation and process
• Either strategic, technological, organisational or procedural in nature
• Focused on obtaining, maintaining and leveraging capability and skills
• Expressed in terms of the process, not necessarily the business

Key Goal Indicators

A key goal indicator, representing the process goal, is a measure of what has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve. By comparison, a key performance indicator is a measure of how well the process is performing.

How are business and IT goals and measures linked? The COBIT Framework expresses the objectives for IT in terms of the information criteria that the business needs in order to achieve the business objectives, which will usually be expressed in terms of:

• Availability of systems and services
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability, effectiveness and compliance

The goal for IT can then be expressed as delivering the information that the business needs in line with these criteria. These information criteria are provided in the Management Guidelines with an indication whether they have primary or secondary importance for the process under review. In practice, the information criteria profile of an enterprise would be more specific. The degree of importance of each of the information criteria is a function of the business and the environment in which the enterprise operates.

Key goal indicators are lag indicators, as they can be measured only after the fact, as opposed to key performance indicators, which are lead indicators, giving an indication of success before the fact. They also can be expressed negatively, i.e., in terms of the impact of not reaching the goal.

Key goal indicators should be measurable as a number or percentage. These measures should show that information and technology are contributing to the mission and strategy of the organisation. Because goals and targets are specific to the enterprise and its environment, many key goal indicators have been expressed with a direction, e.g., increased availability, decreased cost. In practice, management has to set specific targets which need to be met, taking into account past performance and future goals.

In summary, key goal indicators are:

• A representation of the process goal, i.e., a measure of what, or a target to achieve
• The description of the outcome of the process and therefore lag indicators, i.e., measurable after the fact
• Immediate indicators of the successful completion of the process or indirect indicators of the value the process delivered to the business
• Possibly descriptions of a measure of the impact of not reaching the process goal
• Focused on the customer and financial dimensions of the Balanced Business Scorecard
• IT-oriented but business-driven
• Expressed in precise, measurable terms wherever possible
• Focused on those information criteria that have been identified as most important for this process

Key Performance Indicators

Key performance indicators are measures that tell management that an IT process is achieving its business requirements by monitoring the performance of the enablers of that IT process. Building on Balanced Business Scorecard principles, the relationship between key performance indicators and key goal indicators is as follows: key performance indicators are short, focused and measurable indicators of performance of the enabling factors of the IT processes, indicating how well the process enables the goal to be reached. While key goal indicators focus on what, the key performance indicators are concerned with how. They often are a measure of a critical success factor and, when monitored and acted upon, identify opportunities for the improvement of the process. These improvements should positively influence the outcome and, as such, key performance indicators have a cause-effect relationship with the key goal indicators of the process.

While key goal indicators are business-driven, key performance indicators are process-oriented and often express how well the processes and the organisation leverage and manage the needed resources. Similar to key goal indicators, they often are expressed as a number or percentage. A good test of a key performance indicator is to see whether it really does predict success or failure of the process goal and whether or not it assists management in improving the process.

Some generic key performance indicators follow that usually are applicable to all IT processes:

Applying to IT in General

• Reduced cycle times (i.e., responsiveness of IT production and development)
• Increased quality and innovation
• Utilisation of communications bandwidth and computing power
• Service availability and response times
• Satisfaction of stakeholders (survey and number of complaints)
• Number of staff trained in new technology and customer service skills

Applying to most IT Processes

• Improved cost-efficiency of the process (cost vs. deliverables)
• Staff productivity (number of deliverables) and morale (survey)
• Amount of errors and rework

Applying to IT Governance

• Benchmark comparisons
• Number of non-compliance reportings

In summary, key performance indicators:

• Are measures of how well the process is performing
• Predict the probability of success or failure in the future, i.e., are lead indicators
• Are process-oriented, but IT-driven
• Focus on the process and learning dimensions of the Balanced Business Scorecard
• Are expressed in precisely measurable terms
• Help in improving the IT process when measured and acted upon
• Focus on those resources identified as the most important for this process

[5]"The Balanced Business Scorecard — Measurements that Drive Performance," Robert S. Kaplan and David P. Norton, Harvard Business Review, January–February 1992.

[6]"Capability Maturity Model SM for Software," Version 1.1. Technical Report CMU/SEI-93-TR-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, February 1993.

Management Guidelines for Selected COBIT Processes

Although COBIT consists of 34 high-level IT control practices, through extensive testing and surveying, the 15 most important have been identified. At the end of the chapter, COBIT's Management Guideline for seven of these 15 processes is included, outlining critical success factors, key goal indicators, key performance indicators and a maturity model for each.

References

Control Objectives for Information and related Technology (COBIT) 3rd Edition, IT Governance Institute, 1998, www.isaca.org/cobit.htm. (All sections of COBIT, except the Audit Guidelines, can be downloaded on a complimentary basis.)

Board Briefing on IT Governance, IT Governance Institute, 2001, www.ITgovernance.org/resources.htm.

Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2001, www.ITgovernance.org/resources.htm.

Endnotes

1 In this document, "stakeholder" is used to indicate anyone who has either a responsibility for or an expectation from the enterprise's IT, e.g., shareholders, directors, executives, business and technology management, users, employees, governments, suppliers, customers and the public.

2 In this document, "board of directors" and "board" are used to indicate the body that is ultimately accountable to the stakeholders of the enterprise.

3 The COBIT control framework refers to key goal indicators (KGIs) and key performance indicators (KPIs) for the Balanced Business Scorecard concepts of outcome measures and performance drivers.

4 "The Balanced Business Scorecard — Measurements that Drive Performance," Robert S. Kaplan and David P. Norton, Harvard Business Review, January–February 1992.

5 "Capability Maturity Model SM for Software," Version 1.1. Technical Report CMU/SEI-93-TR-024, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, February 1993.

* The information in this chapter is based primarily on Control Objectives for Information and Related Technology (COBIT), published by the IT Governance Institute. Control Objectives for Information and Related Technology (COBIT) 3rd Edition, IT Governance Institute, 2000. Reprinted by permission.