In COBIT 5, we are taught that enterprises exist to create value for their stakeholders. A truism if ever there was one. Consequently, every enterprise has value creation as an objective. The COBIT 5 framework helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. So value is defined by the benefits to the stakeholders. Many organizations and individuals confuse value with price. When someone buys your product or service, they do so because the product or service has a certain value to them; the customer decides whether or not the price is right. But how does the customer get value?
What is not obvious from the definition is that value is defined by the customer: not the stakeholders at large, not the service provider, not IT. The customer! We call this the “voice of the customer” (VOC). It is imperative that we understand the VOC, and we can capture it through focus groups, surveys, contextual inquiry or direct interaction. Here is where the magic happens. There are critical questions to ask:
- Who is my customer? It might be the ultimate user or the next person in the value chain. Do not confuse customer, user and stakeholder: the customer is the person or entity that pays.
- What does my customer want? Some wants are requirements and some are wishes. We need to determine and select the most important requirements and wishes (using, for example, Must have, Should have, Could have, Would like but won’t get (MoSCoW) prioritization [1]) that most affect the customer’s value experience. We could also use the Kano Model [2] to classify the various quality criteria as delighters/exciters, satisfiers and dissatisfiers.
- What activities add value for my customer? Not everything is valued. Some activities are gold plating [3] or the result of featherbedding [4]. A suppliers, inputs, process, outputs, customers (SIPOC) diagram [5] or a value stream map [6] will help you suss out the value-adding activities.
- Which activities are my customers willing to pay for? Usually these are the attributes of your deliverable that satisfy the critical requirements and wishes. Ultimately, somebody has to pay; your service requires funding somehow. Either your customer thinks it has value and will pay, or your customer thinks it has no value and you will pay.
The customer must provide requirements for the requested information. This is the hard part. The customer may define any number of characteristics for the information. Fortunately, COBIT 5 provides a comprehensive list of information quality criteria, grouped as intrinsic quality (the information conforms to reality), contextual and representational quality (it is applicable to the task at hand) and security/accessibility quality (it is available when needed). Note that the last group also covers restricted access: information that anyone can read is no more fit for purpose than information that no one can retrieve. The criteria breakdown is impressive and includes, for example:
- Accuracy—Who wants inaccurate information? It is not much use for decision making.
- Completeness—Who wants information that is incomplete or does not cover the task for which you intend to use it?
- Availability—How do you use information that is not there when you need it, or that is irretrievable?
So we need to figure out what is critical to quality (CTQ). Quality is not what you put into the business; it is what your customer gets out of the business. No more, no less. So what are the criteria of quality? When our product is information, we must identify which variables most affect performance against the CTQ elements or, to put it another way, the internal performance measures we can actually control and track. The customer cannot say, “I will know it when I see it.” Typically, we cannot meet all the requirements or wishes of our stakeholders, so we must make choices where they conflict or where we are constrained. You should develop a CTQ tree to prioritize customer requirements and wishes: start from the general need the customer expresses, break it into the drivers of that need, and finish with specific, measurable requirements for each driver. The CTQ tree connects the VOC with the IT outcomes which, in turn, translate into performance targets. This is the linkage that demonstrates value to the customer.
Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005 Lead Risk Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SFC, SSGB, RESILIA FC
He is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor/Implementing NIST Cybersecurity Framework using COBIT 5, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager, ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.
[1] Daily Scrum, MoSCoW Prioritization
[2] Kano Model, What Is the Kano Model?
[3] Stellman, A.; “Why ‘Gold Plating’ Is a Lousy Name,” Stellman-greene.com, 9 June 2007
[4] Featherbedding: “the requiring of an employer usually under a union rule or safety statute to hire more employees than are needed or to limit production,” Merriam-Webster
[5] iSixSigma, SIPOC Diagram
[6] iSixSigma, Value Stream Mapping