IT Governance Blog

CobiT definition:

Assess the current capability and performance of solution and service delivery to establish a baseline against which future
requirements can be compared. Define performance in terms of IT’s contribution to business objectives, functionality, stability,
complexity, costs, strengths and weaknesses.

Bill says,

Baselines are always important. In IT it is particularly important to measure the baseline from the perspective of what it takes to “keep the lights on.” That is the operational aspect of your business, without any of the projects that are driving to push the business forward.

When I measured our baseline we looked at it from three perspectives - the basic “keep the lights on”, the continuous improvement and the new business drivers. It’s important to properly budget for keeping the lights on and continuous improvement - in my mind that is the price of admission. Then you work with the business to get funding for those special projects that help drive the business in some way, either by saving money or increasing revenue.

So the third step in building the Strategic IT Plan is to assess current capability in whatever breakdown makes sense to you and to establish baselines for how you are performing in those areas.

CobiT definition:

Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT
alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

Bill says,

Business-IT alignment is a tough nut to crack. It is very easy to allow yourself to fall into the trap of just being there to service whatever the business wants. It’s critical to get them involved in the planning, if for no other reason that they understand better the impact when the ask for things out of cycle.

Within IT Value Management it was said that we must ensure that each project in our portfolio has a solid business case backed by the business. This control objective is about establishing the processes that ensure that is done correctly.

What is key to remember is that while for IT the concept business-IT alignment is a hot topic that is well understand by senior managers and even line managers and staff, it is not even on the radar screen for the business units. IT is a service organization to them just like HR, for example, and unless you make a continued focus on being viewed as an asset you will never be thought of as more than a service organization.

Ensuring that the processes defined in this control objective are put in place will go a long way to helping you achieve the goal of being a strategic partner to your business.

So the second step in building the Strategic IT Plan is to establish processes that ensure the business understands the importance of alignment and that they are involved, and benefit directly from, the strategic planning process.

CobiT definition:

Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid
business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of
freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and
early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the
programmes. IT services should be executed against equitable and enforceable service level agreements (SLAs). Accountability for
achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and
comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not
realising the expected benefits.

Bill says:

Pretty common sense - they are starting with an assumption that you may want to prove the worth of IT.  So within CobiT IT Governance Framework, IT Value Management is all about establishing that the things IT is working on are important and aligned with the goals of the business.  There are some words I have taken the liberty to bold above (not bold in the original text):

Portfolio - Does Senior management understand what you are working on?  Probably not.  It is critical to maintain a portfolio to keep them aware.

Solid Business Cases - How many of you say “yes” to everything the business asks for?  And regrets it?  Start saying “not yet” and help them craft a business case.

Accountability - Is this the project manager or the appropriate IT manager?  Is it the CIO?  Here, I would say it is the IT Manager.

Monitored - We are not good at monitoring.  We need a strong project portfolio dashboard.  Without it we depend a lot on email and it isn’t working.  Figure out how to properly monitor progress to goals.

So the first step in building the Strategic IT Plan is to properly account for the value IT is bringing to the business.

CobiT definition:

IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT
function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios.
The strategic plan improves key stakeholders’ understanding of IT opportunities and limitations, assesses current performance,
identifies capacity and human resource requirements, and clarifies the level of investment required. The business strategy and
priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which specifies concise objectives, action plans and
tasks that are understood and accepted by both business and IT.

Control over the IT process of
Define a strategic IT plan

that satisfies the business requirement for IT of
sustaining or extending the business strategy and governance requirements whilst being transparent
about benefits, costs and risks

by focusing on
incorporating IT and business management in the translation of business requirements into
service offerings, and the development of strategies to deliver these services in a transparent
and effective manner

is achieved by
• Engaging with business and senior management in aligning IT strategic planning
with current and future business needs
• Understanding current IT capabilities
• Providing for a prioritisation scheme for the business objectives that quantifies
the business requirements

and is measured by
• Percent of IT objectives in the IT strategic plan that support the
strategic business plan
• Percent of IT projects in the IT project portfolio that can be directly
traced back to the IT tactical plans
• Delay between updates of IT strategic plan and updates of IT
tactical plans

Control Objectives:

PO1 Define a Strategic IT Plan

PO1.1 IT Value Management
PO1.2 Business-IT Alignment
PO1.3 Assessment of Current Capability and Performance
PO1.4 IT Strategic Plan
PO1.5 IT Tactical Plans
PO1.6 IT Portfolio Management

Check out the links for details on the control objectives.

The first domain in CobiT is Plan and Organize(PO).  It is made up of 10 processes and 74 control objectives.  This article will serve as the main table of contents to each of the 10 processes that make up this CobiT domain.  Each will link to the primary article describing the control objectives for that process, and finally that page will include links to the details of each control objective.  If you don’t see links it is because I haven’t written those articles yet.

I have been lax in writing about CobiT and in implementing it. There is always something else taking precedent; but it’s that time of year again and this time I am confident that we are going to move forward with much improved IT Governance. I find I learn about something much more when I write about it and not just read it and so I am going to spend the next few months going through each of the processes that make up CobiT and provide my own commentary on each. We’ll see if anything interesting comes up.

CobiT is organized into 4 domains: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME). Across these 4 domains are 34 processes and within each of those are control objectives.

I plan to write on each of the control objectives. It should be an exhaustive but interesting exercise.