Performing a CobiT Assessment

Manta Group | www.mantagroup.com

More than maturity

Analysis of process maturity must be augmented by analyzing business demand drivers, degree of concern about consequences in the absence of controls and possibly even the extent to which processes resonate with IT and business personnel. These need to be part and parcel of the assessment.

More and more companies are turning to IT governance to provide clear direction in ensuring that information and technology investments support the business imperatives. CobiT (Control Objectives for Information and Related Technologies) is a powerful, comprehensive framework for IT governance that has gained international recognition and usage precisely because it deals with every aspect of IT.

But its very power and comprehensiveness make it a very large elephant to digest. So, it is tempting to focus on the part of CobiT that is quantifiable: the Capability Maturity Models.

Yes, you can determine that your organization’s processes for “DS4 Ensure Continuous Service” are at a maturity level of “Repeatable”.

But that doesn’t answer a fundamental question: So what?

Aligning IT to Business

The intent of IT governance and the overriding aim behind CobiT is to align IT to business needs to ensure that IT supports and extends the organization’s objectives and strategies.

So, it only makes sense to ensure that a CobiT assessment is performed in the same spirit. To focus solely on maturity is to fall victim to the same IT-centric thinking that IT governance is intended to correct.

The IT Governance Institute’s VAL IT Framework (www.isaca.org/valit/) portrays the ends and the means of IT contributing to the value creation in the enterprise in terms of four questions: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?

Figure 1
‘Four Ares’ from VAL IT Framework, IT Governance Institute

A CobiT assessment provides answers to these questions as they relate to the organization’s IT processes and controls. Looking at maturity will answer whether you are doing things well and doing them the right way. However, doing the right things and getting the benefits depend on which consequences need to be addressed and on the business demands.

Ultimately, the goal of an assessment is to determine where and how to commit scarce resources, valuable time and limited money to improving IT processes and aligning them with business.

The Manta Group CobiT Assessment Framework

The Manta Group CobiT Assessment Framework is an example of an approach that integrates analysis of the three drivers of demand, consequence and mitigation for each of the 34 CobiT processes.

As one of the first management consulting firms in Canada to adopt CobiT as the governing framework to align IT with business, the Manta Group devised the assessment approach as a powerful and efficient way to facilitate a cost-effective assessment of an organization’s IT governance to identify specific mitigation strategies for translation into an action plan.

Figure 2
The Manta Group CobiT Assessment Framework

The result is a comprehensive, reliable approach that provides a high insight-to-effort ratio when examining each of the 34 CobiT 4.0 Control Objectives and its 215 Detailed Control Objectives.

Drivers Analysis

Analysis of Demand, Consequences and Mitigation drivers provides three different perspectives. This ensures that IT and Business jointly prioritize which of the 34 CobiT processes to address. The three-way analysis also provides perspectives from different time frames, as Consequences tend to reflect past experience, Mitigation drivers focus on current maturity and Demand Drivers express future needs.

Demand Drivers

Demand Driver Analysis focuses on determining which processes deliver key support to the ongoing and future business strategy. CobiT 4.0 has provided a powerful tool with its mapping of 20 Business Goals via IT goals to individual processes. Analysis requires identifying and translating the organization’s strategic issues and imperatives into CobiT Business Goals to determine which supporting processes are key.

Demand Driver Analysis provides a platform for IT and business to jointly agree on the contribution of CobiT processes and control objectives in addressing business needs for compliance, operational efficiency, outsourcing options, audit mandate, strategic transformation and other key decisions pertinent to information and related technology.

Consequence Drivers

How much does it matter if the processes or controls are absent? In other words, what can go wrong and to what degree is that a concern?

This is a key consideration in determining which processes are important to your organization and how mature those processes need to be. (Also, asking “who will die” tends to rivet people’s attention on the concrete importance of a process or detailed control objective.)

Consequence drivers are analyzed based on risk by balancing the likelihood that what could go wrong will, against the impact on the organization. This reveals the level of concern specific to factors and considerations unique to the organization.

Through facilitated workshops, Consequence Driver Analysis is performed for all 215 detailed control objectives to provide a realistic assessment of each of the 34 high level processes. What is important is that the risk-based assessment enables the IT and business stakeholders to collectively assess risk using a consistent set of metrics.

Mitigation Drivers

Mitigation Driver Analysis examines the maturity of controls – the part most usually associated with the idea of a CobiT assessment.

CobiT provides capability maturity models tailored to each of the 34 high level objectives. But that does not prevent an assessment from looking at the maturity of the 215 detailed control objectives. There is significant value in going to that level of detail since it builds an accurate portrait of process maturity.

Analysis Reports

Clear, concise reports for both IT and Business management are an important consideration and can take various forms.

One example is the quadrant report format, which the Manta Group uses to combine the assessment results into a powerful disclosure tool to determine:

  • Controls that require investment (i.e. are Under Controlled) because the current maturity level does not match the consequences and so poses risk.
  • Controls eligible for scaling back (i.e. are Over Controlled) because the current maturity level exceeds requirements posed by the consequences.
  • Controls to monitor (i.e. Monitor Quadrant) as the current maturity level seems to suffice considering the risk posed by the severity of concern.
  • Controls to monitor closely (i.e. Closely Monitor Quadrant) as the high risk posed by the severity of concern warrants ongoing scrutiny to ensure that the control maturity is sustained.

In the case of the Manta Group quadrant reports, the bubble size is used to indicate the degree to which a particular process supports business demands as determined by the Business Demand Driver Analysis. Figures 3 and 4 depict a comprehensive view of CobiT objectives for PO Domain and for DS8.

Figure 3
Plan and Organize Domain Quadrant Report

Figure 4
DS8 Quadrant Report
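The quadrant placement described above can be sketched in a few lines. This is an added example, not the Manta Group's own tooling: the 0-5 maturity and 1-5 likelihood/impact scales, both cut-offs, the roll-up rules and all scores are assumptions constructed for illustration.

```python
from statistics import mean

# Assumed scales and cut-offs (not from the article): maturity 0-5 as in the
# CobiT maturity models, likelihood and impact 1-5, concern = likelihood * impact.
MATURITY_CUTOFF = 3.0   # at or above counts as "high" maturity (assumption)
CONCERN_CUTOFF = 10     # at or above counts as "high" concern (assumption)

# Constructed workshop scores: process -> (demand, [(maturity, likelihood, impact), ...])
# One tuple per detailed control objective; demand is the number of the
# organization's business goals the process supports (drives bubble size).
SCORES = {
    "DS4": (5, [(2, 4, 5), (1, 3, 4), (2, 2, 5)]),
    "DS8": (2, [(4, 1, 2), (4, 2, 2), (3, 1, 3)]),
    "PO1": (6, [(4, 4, 4), (3, 3, 5)]),
    "PO6": (1, [(2, 1, 2), (1, 2, 2)]),
}

def quadrant(maturity, concern):
    """Place one process in the quadrant report."""
    high_maturity = maturity >= MATURITY_CUTOFF
    high_concern = concern >= CONCERN_CUTOFF
    if high_concern:
        return "Closely Monitor" if high_maturity else "Under Controlled"
    return "Over Controlled" if high_maturity else "Monitor"

def assess(scores):
    """Roll detailed control objectives up to one row per process."""
    rows = []
    for process, (demand, objectives) in scores.items():
        maturity = mean(m for m, _, _ in objectives)
        # Worst-case roll-up (assumption): one high-concern objective is enough
        # to make the whole process high concern.
        concern = max(l * i for _, l, i in objectives)
        rows.append({"process": process, "maturity": round(maturity, 2),
                     "concern": concern, "demand": demand,
                     "quadrant": quadrant(maturity, concern)})
    # Investment candidates first, then by business demand.
    order = ["Under Controlled", "Closely Monitor", "Over Controlled", "Monitor"]
    return sorted(rows, key=lambda r: (order.index(r["quadrant"]), -r["demand"]))

if __name__ == "__main__":
    for row in assess(SCORES):
        print(row)
```

Averaging maturity while taking the maximum concern keeps a single high-risk detailed objective from being hidden by its better-scoring neighbours.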

Resonance

Evaluating resonance provides an additional and effective filter to refine an assessment by identifying which processes staff and personnel view as most relevant to day to day work. The processes that resonate most with staff will be the ones where efforts to improve maturity will generate enthusiasm and cooperation rather than apathy and resistance.

Assessment Scope

The scope of a CobiT assessment can be comprehensive (looking at all 34 processes and 215 detailed control objectives), thematic (looking only at those processes specific to SOX/C-198 or outsourcing), by domain or even zero in on a single process itself.

As CobiT gains in recognition, many organizations decide to perform a broad assessment either as the first step in adopting CobiT or to explore the value of CobiT. A comprehensive assessment is an excellent method of leveraging the benefits of an assessment by using it as an introductory, case-driven course to build a foundation-level understanding of CobiT and IT governance while exposing business representatives to the full dimension of IT responsibilities.

Likewise, an assessment can take many different forms: interviews, workshops, questionnaires or a combination of all three.

The Manta Group has found that workshop-oriented sessions are a valuable and efficient method to derive the benefits from an assessment process by promoting understanding of and identification with IT challenges. When business people come away from the workshops admitting that they had no idea of how much IT must deal with – allies have been won.

Regardless of the scope and format, the assessment incorporates a number of considerations to obtain maximum value and ensure success:

  • Validation of the applicability of each process to the organization’s Business and IT environment through full use of the 215 CobiT detailed objectives as a system of cross-reference.
  • Leveraging CobiT benchmark information available through www.itgi.org as a source of input for what is considered a best practice for a comparable organization.
  • Opportunity for staff with or without substantial knowledge of CobiT to participate and contribute meaningfully in the assessment.
  • Facilitation and generation of consensus and understanding among IT and Business personnel engaged in the assessment.
  • Fully transparent methodology understandable to all involved.
  • Measurable milestones by dealing with CobiT domain-by-domain and process-by-process.
  • Provision of clear, concise reports for management utilizing spreadsheets or charts.
  • Assessment results that can be used to build an action plan by leveraging industry best practices.

Summary

Through the process of Demand-Consequences-Mitigation Drivers Analysis, both IT and Business effectively map the attributes of 34 CobiT control objectives and supporting 215 CobiT detailed objectives into the specific characteristics of their Business and IT environments through common metrics and repeatable processes.

Demand-Consequences-Mitigation Drivers Analysis enables both IT and Business to gain an in-depth understanding of CobiT relevance and value, positioning them to effectively assess those processes whose improvement offers the highest potential returns and the most likelihood of success.

This approach delivers far more value than an assessment restricted to maturity and is much more in line with the purpose of CobiT and IT governance. Not only will the assessment results be more rigorous but they will be more meaningful to a greater array of business and IT personnel.

For more information please go to:

www.mantagroup.com
COBIT and IT Governance Case Study: Ontario Pension Board
COBIT and IT Governance Case Study: Region of Peel
COBIT and IT Governance Case Study: The Manta Group
