• Bookmark

Drive Transparent and Measurable Value With COBIT 5 Process Metrics

By Okanlawon Zachy Olorunojowon, CISA, CGEIT, COBIT Assessor, COBIT Foundation, COBIT Implementation, COBIT Trainer, CSX Foundation, PMP, Prosci Change Management

COBIT Focus | 18 December 2017

Okanlawon Zachy Olorunojowon “If you cannot measure it, you cannot manage it” is a saying that applies to governance of enterprise IT (GEIT) just as much as it does to the entire organization. Not only would one fail the test of effective governance and management without metrics, but improvement would lag and proof of value would be, at best, unfounded. The Corporate Executive Board indicated that 2 of the attributes of a world-class IT organization include measuring IT strategic impact and creating a business value framework.1 Proactive and business-driven metrics are critical to delivering transparent IT value in any organization. The metrics in COBIT 5 can be adapted by an organization of any size in any industry to manage, improve and deliver transparent measurable business impact.

The COBIT 5 goals cascade, which translates stakeholder (including internal and external customers) needs into specific actionable goals at various levels within the enterprise, facilitates alignment and integration of business and IT strategy. COBIT 5 combines the goals cascade and the balanced scorecard (BSC)2 perspectives (financial, customer, internal, and learning and growth) to ensure that metrics at all levels (enterprise and IT-related) track the achievement of overall objectives and priorities of the organization. Since goals can only be achieved through effective practices and processes, COBIT 5 further provides enabling processes and activities required for goal attainment. Because they are the critical underpinning, processes also must have associated metrics to support the enterprise and IT-related metrics developed. Examples of the goals and their related metrics included in ISACA’s COBIT 5: Enabling Processes publication3 are shown in figures 1, 2 and 3.

Figure 1—Sample Enterprise Goals and Metrics
Figure 1
Source: ISACA COBIT 5: Enabling Processes, USA, 2012.

Figure 2—Sample IT-Related Goals and Metrics
Figure 2
Source: ISACA COBIT 5: Enabling Processes, USA, 2012.

Figure 3—Sample Process Goals and Metrics for Evaluate, Direct and Monitor (EDM) 01 and EDM 02
Figure 3
Source: ISACA COBIT 5: Enabling Processes, USA, 2012.

Where Is the Real Value of IT?

If the chief financial officer (CFO) is questioning whether the organization is getting real value from IT or if staff conversations around the office water cooler indicate concern about the quality of IT service received, it might be that the business value of IT is not transparent enough. Agreed-to metrics, supported by real data from credible sources, would communicate process effectiveness, show the contribution of IT to the strategic priorities of the organization and get stakeholders on IT’s side.

Where to Begin?

Stakeholders expressing concerns and asking questions could present to IT leadership an initial option of developing process metrics to prove the value of IT. However, formulating process metrics is not the place to start. The creators of the BSC suggest that framing the financial and customer perspectives (from the COBIT standpoint: stakeholder needs and enterprise and IT-related goals) should come first.4 Next, organizations need to identify processes critical to achieving their strategy and then design relevant measures. This sequence enables internal process metrics to focus on the most value for customers and other stakeholders. When process metrics are out of order, they might fail to measure the right objective, cascade through the organization appropriately, gain broad acceptance and/or strengthen the culture of performance measurement.

Metrics Criteria

The first principle of COBIT 5—meeting stakeholder needs—has to be front and center when designing process metrics. According to the UK National Computing Centre, the metrics, among other enterprise-specific considerations, should be:

  • Defined using a common language appropriate for and understandable by the stakeholders
  • Approved by the stakeholders
  • Aligned with the culture and style of the organization
  • Based on targets derived from strategic IT objectives
  • Contain a mix of objective and subjective measures
  • Flexible and responsive to changing priorities and requirements
  • Maintain specific, measurable, actionable, relevant and timely (SMART) concepts5

Adapting the COBIT 5 Metrics for the Organization

As an example, this article assumes that practitioners have elected to address stakeholders’ needs (see first column in figure 4) regarding IT value delivery. They may do so by adapting COBIT 5 metrics in the following steps:

  • Step 1: Interview a broad selection of stakeholders and review organizational documents for the organization’s vision, mission, strategic plans, priorities and key performance indicators (KPIs). Map the value delivery needs to the enterprise goals as shown in figure 4. There are 7 COBIT 5 generic enterprise goals that help address the need to get value from IT and increase user satisfaction with quality of IT services. This article focuses on enterprise goals 1 and 6. See figure 1 for the metrics relating to these enterprise goals, and adapt them to suit the organization’s needs.

Figure 4—Stakeholder Need Mapped to Enterprise Goal
Figure 4
Source: ISACA COBIT 5: Enabling Processes, USA, 2012. View Large Graphic.

  • Step 2: The enterprise goals and metrics need to drive the IT-related goals and metrics. The relationship between the enterprise and IT-related goals mapping is shown in figure 5. IT goals 1 (Alignment of IT and business strategy) and 7 (Delivery of IT services in line with business requirement) both have primary relationships with the selected enterprise goals in step 1.

Figure 5—Enterprise Goals and IT-Related Goals Mapping
Figure 5
Source: ISACA COBIT 5: Enabling Processes, USA, 2012. View Large Graphic.

  • Step 3 : The rubber meets the road as the focus shifts to the critical processes that would deliver on the strategic goals. Many processes have primary relationships with both or either of the selected IT-related goals and need to be considered. Figure 6 illustrates process considerations to achieve IT-related goals.

Figure 6—IT-Related Goals and Relevant Process Mapping
Figure 6
Source: ISACA COBIT 5: Enabling Processes, USA, 2012. View Large Graphic.

For purposes of this article, the focus is on EDM02: Ensure Benefit Delivery, which has 3 goals and 7 related metrics (figure 7).

Figure 7—EDM Process Goals and Metrics
Figure 7

Source Data for the Metric

It is important to decide up-front how the data for the selected measures will be collected, who will collect and report them, when and to whom they will be reported, and what corrective action will be taken if the measured results do not meet the target. Getting the metrics data from the right sources is a key step for ensuring credibility and broad acceptance of the output. The second principle of COBIT 5—covering the enterprise end to end—should guide the metrics data collection effort. It is critical to engage and consult relevant stakeholders across the enterprise (not just IT) in designing or selecting the appropriate metrics. A responsible, accountable, consulted, informed (RACI) chart (figure 8) can be helpful at this stage.

Figure 8—EDM 02 Process RACI Chart
Figure 8
Source: ISACA COBIT 5: Enabling Processes, USA, 2012. View Large Graphic.


A member of a client’s staff once asked, “Have you come across any documents that talk about implementing the metrics from COBIT 5?” He was pointed to the COBIT 5: Enabling Processes metrics and the KPI Library developed by ServiceNow, which has COBIT 4.1 metrics. He came back asking how people have approached the gathering of the metrics and identifying the sources of the data. In response, he was reminded of the COBIT 5 principles, particularly Principle 1—Meeting Stakeholders Needs and Principle 2—Covering the Enterprise End to End. In other words, it is important to talk to stakeholders regarding the metrics that are meaningful to them and the business. Metrics data may come from stakeholders via many sources, including surveys and interviews. The critical element is to be sure to include all parts of the organization while collecting and communicating the metrics data and results.

The metrics in COBIT 5 lend support to performance measurement and transparency to stakeholders regarding whether IT delivers value or not. It is a show-and-tell world. Seeing the value IT delivers in concrete terms through effective performance measurement is one of the benefits of adopting and adapting COBIT 5 metrics.

Okanlawon Zachy Olorunojowon, CISA, CGEIT, COBIT Assessor, COBIT Foundation, COBIT Implementation, COBIT Trainer, CSX Foundation, PMP, Prosci Change Management

Is an international consultant on governance of enterprise IT, an executive advisor and trainer, and a project delivery and change management leader with more than 18 years of IT experience spanning systems development, enterprise information systems implementation, IT operations, strategic project delivery, and governance and management of enterprise IT. Previously a chief information officer and head of IT with financial institutions in Nigeria, he is currently a project director with the government of British Columbia, Canada, overseeing provincial systems implementations. A past president of the ISACA Victoria Chapter (British Columbia, Canada), Olorunojowon speaks often at ISACA Training Weeks across the United States and has trained and/or advised C-level executives within the governments of Brunei and British Columbia.


1 Enterprise Guide, The Anatomy of a World-Class IT Organization, September 2013
2 Norton, D. P.; Kaplan, R. S.; The Balanced Scorecard: Translating Strategy Into Action, Harvard Business Review Press, 1996
3 ISACA, COBIT 5: Enabling Processes, USA, 2012
4 Op cit Norton and Kaplan
5 National Computing Centre, IT Governance: Developing a Successful Governance Strategy, United Kingdom, 2005