There is often confusion about the scope and role of “governance” within IT. On the one hand, there is recognition that IT as a function needs to be aligned with all corporate governance elements, e.g. values, policies, compliance requirements. On the other hand, IT itself talks about applying its own governance over all aspects of its services, processes and functions.
To be clear about the meaning and scope of governance in theory: there is no such thing as a separate or dedicated governance system for IT outside of, or in parallel to, enterprise governance. Since the goal of enterprise governance is value creation by realizing benefits while optimizing risks and resources, IT has to contribute to exactly this goal of enterprise governance.
What is the objective of IT Governance?
With IT becoming increasingly critical to the success of enterprises, implementing IT governance has become imperative. IT must deliver value against business and governance requirements.
This cannot be achieved without adopting and implementing a governance and control framework that can:
- Link IT to business requirements.
- Make IT performance against business requirements measurable and transparent.
- Organize IT activities into a generally understood and accepted process model.
- Identify major resources that can be leveraged.
- Define the management control objectives that need to be considered.
IT Governance and Service Management
Defining and delivering services (value, outcome, risk and resource optimization) to the business or to customers is the ultimate mission of any IT organization. Contrary to common belief and practice, project delivery is not the ultimate goal. Projects are for new or updated services only, and project management governance is an IT activity according to a defined process (methodology).
IT Governance ensures business requirements are linked to IT services. IT is measured based on service performance, including performance measures for setting up new or changed services via projects. Services are organized by defined and accepted processes and functions (organizations, people and technology). All of those are leveraged resources or, in COBIT terms, enablers. Services, processes, organization, people and technology are managed by a set of control objectives, usually structured as an “IT balanced scorecard”. IT Service Management is usually implemented by making use of the ITIL® V3 framework.
COBIT and the ITIL® V3 Framework
COBIT is an IT governance and control framework that focuses on what should be covered in processes and procedures.
ITIL® provides detailed guidance on how the processes or procedures should be designed and focuses on how to plan, design and implement effective service management processes.
The scope of COBIT is broader than the scope of ITIL® V3 Service Management:
The COBIT Process Reference Model spans both sides, Governance (Evaluate, Direct and Monitor) and Management (Align, Plan and Organize) of IT, whereas the ITIL® V3 framework covers the management areas of IT only.
Governance and Management
There is a clear distinction between governance and management, suggesting that governance enables the creation of a setting in which others can manage their tasks effectively. So IT governance and IT management are two separate entities. IT service management can be considered part of the IT management domain, which leaves IT governance in the business or information management. In theory, and according to ISO/IEC 38500, the ISO standard for corporate governance of information technology, IT Governance is a discipline the CEO is accountable for. That means all processes in the governance area of the COBIT model are within the accountability of the CEO and his board.
Further, COBIT guidance focuses on four aspects of governance that need to be addressed for effective IT governance:
- Direct and control
The two key concepts of IT governance are direct and control:
- Direct: Management provides direction. To provide effective direction, management needs to communicate the intended objectives. In addition, management directs people to implement the objectives.
- Control: Control ensures that the objective is achieved as intended, and no undesired incidents occur.
Direct and control principles are part of the processes in the Governance areas of COBIT’s Process Reference Model:
- EDM01 Set and Maintain the Governance Framework
- EDM02 Ensure Value Optimisation
- EDM03 Ensure Risk Optimisation
- EDM04 Ensure Resource Optimisation
- EDM05 Ensure Stakeholder Transparency
As already stated, “direct and control” and the respective processes belong to the enterprise board under the accountability of the CEO.
Setting objectives and measurement belong to IT Management. The respective processes can be found at the Align, Plan and Organize management level of COBIT’s Process Reference Model.
COBIT: What’s in it for the Governance of Service management processes?
1. By leveraging COBIT® guidance, an enterprise can ensure that its service management effort is aligned with its overall business, governance and internal control requirements. COBIT provides a framework for cascading enterprise goals down to IT goals and further to process goals. Make use of this mechanism to:
- Identify the processes you need to run IT according to business and service needs.
- Set the right goals and objectives for the identified processes.
The processes identified can be defined and implemented either way: by making use of the COBIT process model or the ITIL® V3 framework.
2. Have a look at the Align, Plan and Organize management level of COBIT’s Process Reference Model. Either some of the process elements are already defined, or you can make use of the process practices, goals and matrices suggested by COBIT. Process candidates for ensuring governance over IT processes are APO01 Define the Management Framework for IT and MEA01 Monitor and Evaluate Performance and Conformance.
3. COBIT supports the definition of IT‐related goal metrics (Balanced Scorecard, BSC). Process-related KPIs are part of these goal metrics (picture below).
4. COBIT provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes. Process assessments enable an organization to review its maturity baseline and to define improvement steps according to enterprise and IT goals.
To sum up: COBIT 5.0 provides an excellent opportunity for IT service process governance, regardless of which best-practice framework has been used to define the processes.