Refining IT Processes Using COBIT
By Stephen Reingold, CISA
erhaps the most compelling reason for refining IT processes is the potential for IT and business management to change the way they think about IT services. As organizations begin to examine and refine IT processes, there is a good chance that management will start challenging assumptions and ask questions such as, “Why are we doing this?” or “Should we be doing something else?” Other benefits of continually refining IT processes include (but are not limited to): • Increased IT process efficiency and effectiveness • Greater IT process and product quality • Increased strategic and tactical alignment between IT and the business • Improved productivity While an organization can expect to realize one or more of these benefits, it may actually experience a paradigm shift in the way it views and delivers IT services.
How Can COBIT Help?
Control Objectives for Information and related Technology (COBIT) can be used to facilitate each of the three IT process refinement steps shown in figure 1. Step 1: Evaluate Current IT Processes COBIT’s maturity models define six process maturity levels against which the maturity (or sophistication) of IT processes may be gauged. There are six maturity levels, ranging from “nonexistent” to “optimized.” COBIT Management Guidelines defines these six maturity levels as follows: • 0 Nonexistent: Management processes are not applied at all. • 1 Initial: Processes are ad hoc and disorganized. • 2 Repeatable: Processes follow a regular pattern. • 3 Defined: Processes are documented and communicated. • 4 Managed: Processes are monitored and measured. • 5 Optimized: Best practices are followed and automated. COBIT’s maturity models also define six IT management practice groupings against which the six maturity levels from Management Guidelines are applied at increasing levels. The six IT management practice groupings consist of: 1. Understanding and awareness of risks and control issues 2. Training and communication applied on the issues 3. Process and practices that are implemented 4. Techniques and automation to make processes more effective and efficient 5. Degree of compliance to internal policy, laws and regulations 6. Type and extent of expertise employed While it is certainly possible to benchmark all of an organization’s IT processes (COBIT Framework defines 34 such processes), one might want to select a smaller, more manageable number of processes to benchmark. By objectively assessing each of the selected IT processes against the six IT management practice groupings, the organization can quickly see where the IT process strengths and weaknesses lie.
IT process refinement follows a life cycle approach (figure 1).1, 2 As seen in figure 1, step 3 feeds back into step 1. The results of each IT process refinement evaluation are fed back into step 1, and the process starts all over again. Figure 1—IT Process Refinement Cycle
Step 1: Evaluate current IT processes. Step 2: Identify process improvement goals.
Step 3: Evaluate improvement efforts.
Figure 2—Assessing Business Risks
IT Management Domain: IT Process: Manage changes Manage service levels Legend: 0-1 Maturity level: low Understanding and Awareness Training and Communication Implementation of Processes and Practices 3 5 4-5 Maturity level: high Techniques and Automation Compliance Expertise
2 1 2-3 Maturity level: medium
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005
Figure 2 contains an example of how one might graphically depict the findings. As can be seen from figure 2, it is easy to determine the strengths and weaknesses of each IT processes. Considerations for Benchmarking To kick off the benchmarking activities, the right people must be involved, including user representative(s), the IT process owner, members of the IT department and an auditor. The primary advantage of including auditors in an organization’s benchmarking exercise is that they have a broad, cross-organizational perspective of IT processes. Step 2: Identify IT Process Improvement Goals The results of step 1 can be used to identify IT process improvement goals. Essentially, anything that falls between maturity levels of 0 and 3 requires some level of improvement. Users who are most impacted by each of the IT processes chosen for review should be consulted to determine which IT processes (and IT process refinement opportunities) are most important to the organization. How Much Improvement? According to COBIT, The right maturity level will be influenced by the enterprise’s business objectives and operating environment. Specifically, the level of control maturity will depend on the enterprise’s dependence on IT, the technology sophistication and, most important, the value of its information. Organizations should not try to move too far up the maturity ladder at once (e.g., from a 1 to a 4). As indicated earlier, IT process refinement should be viewed as an iterative process. Improving IT processes gradually has the additional benefit of giving organizations an opportunity to gauge progress and learn from experience. Another major benefit of improving gradually is that it may reduce the initial resistance that comes whenever change is introduced. Step 3: Evaluate Improvement Efforts In addition to maturity models, COBIT Management Guidelines defines key goal indicators (KGIs) and key performance indicators (KPIs) that can be used to measure IT process refinements: • KGIs tell management—after the fact—whether an IT process has achieved its business requirements.
• KPIs define measures to determine how well the IT process is performing in enabling the goal to be reached. KGIs and KPIs can be used to evaluate the result of process refinement efforts. KPIs are best suited to measuring improvements in efficiency, since they are process-oriented, and KGIs are best suited to evaluating improvements in effectiveness, since they are business goal-oriented. A manageable number of KGIs and KPIs (between three and five) for which information is readily available should be selected. For the three to five KGIs and KPIs selected for each IT process refinement effort, how the selected IT processes stack up against each of the KGIs and KPIs should be determined before undertaking the refinement of those processes.
IT process refinement is not only beneficial for improving process efficiency and effectiveness, but also for changing the way IT and business managers view IT services. The three-step model presented demonstrates how an organization can refine its IT processes, not once, but continually. COBIT’s maturity models may be used to facilitate an organization’s IT process refinement efforts.
META Group; “IT Process Refinement and Performance Measurement: Leveraging Best Practices Executive Briefing,” 2004 2 ITGI; Control Objectives for Information and related Technology (COBIT) 3rd Edition, Management Guidelines, 2000
Stephen Reingold, CISA has been working for the internal audit division of the government of Ontario, Canada, for more than five years. In addition to auditing data security and Internet application security, Reingold has performed extensive SDLC and security consultations with clients.
The opinions expressed by the author are personal and do not necessarily represent the views of either the Management Board Secretariat or the Ontario, Canada, government.