ISACA Journal
Volume 2, 2,014 

Features 

COBIT 5 Processes From a Systems Management Perspective 

Myles Suer, Chane Cullens and Don Brancato 

COBIT 5 establishes a governance layer and does a good job of capturing stakeholder needs, driving enterprise, IT and enabler goals. COBIT 5 fosters the use of balanced scorecards and goal cascades to help IT leaders show that IT is managing its ship for the good of the enterprise. This includes its metric recommendations for enterprise and IT goals.

COBIT relates process to a life cycle of plan, design, build, operate, monitor and update. How do COBIT’s 13 Align, Plan and Organize (APO) processes; 10 Build, Acquire and Implement (BAI) processes; six Deliver, Service and Support (DSS) processes; and three Monitor, Evaluate and Assess (MEA) processes relate to one another? IT’s primary goal is business services delivery; as important as it is to define each of these processes, it is also important to understand how these processes relate to one another to optimize IT’s ability to deliver the right service at the right time for the right price. For example, the management of service requests and incidents, and the management of change and change transition and acceptance are intimately interrelated. Poor change management dramatically impacts the quality of the service request and incident processes.1

Systems thinking offers an answer to many of these issues:

In systems thinking, we must consciously recognize that everything we do has affected and does affect everything else we have done or will do. Systems thinking involves us moving away from seeing single or isolated elements, structures, functions and events to seeing the processes by which they interrelate to one another…. It is this process of diagnosis and discovery that will ultimately give us a practical guide to finding systems solutions to our systems’ problems. As leaders, we really do not deal with problems today—we deal with messes of problems which require more holistic or systems solutions.2

This quote represents IT today. IT managers do not deal with isolated problems. They deal with messes of problems. IT leaders need to recognize that the quality of solutions definition processes determines the quality of requirements created, the issues that are discovered in the build, the bugs that are found in quality testing and the number of incidents that are in service delivery. All of these are related.

The quality at each stage is determined by the confluence of people, process and technology (figure 1). Together, these make answering most of the aforementioned issues difficult at best. For this reason, a systems viewpoint is a valuable way to view the COBIT processes as interrelating and providing data for successful process layers. Further, IT management is a system of systems or, at the very least, a system of processes.

Figure 1
Figure 2

All COBIT components can be viewed as a single system or as interconnected value streams.3

Viewing IT as a Corporate Value Chain

Viewing IT as a corporate value chain requires that everything IT does be synthesized into a set of core value-added functions. Figure 2 is a view of this value chain.

The primary activities that IT performs—the places where it adds value—can be summarized into three activities:

  1. Automation of business capabilities
  2. Management of those capabilities once they have gone into production
  3. Servicing of end-user requests and issues relating to subscribing to business capabilities, dispatching people to fix client issues and instantiating business capabilities—services and applications

HP has identified four value streams (figure 3) that cover the core process of the COBIT 5 process reference model and, even more important, how these value streams relate to the organization and to each other to create an end-to-end IT management system.

Figure 3

A key element of this is the notion of a conceptual model feeding a logical model, which, in turn, feeds a physical service model. Once strategic demand enters the planned portfolio, a conceptual service model needs to be developed against which requirements can be constructed and built. This includes drafting a proposed solution that reflects enterprise needs/expectations and the laying out of service warranty expectations. Next, a logical service model that describes what the components of the service are and, in turn, relates the model to existing capabilities needs to be developed. This should then be followed by an actual service model. By starting the service modeling early, it can drive up reuse of capabilities, technology and knowledge. In the end, agility increases while cost and risk are reduced.

Strategy to Portfolio Linkages

Figure 4Strategy to portfolio (figure 4) defines how well the IT portfolio of services matches the enterprise’s business strategy. IT leaders must recognize that they are not in the IT business, but rather the business of their firm—e.g., banking, insurance, manufacturing. The strategy-to-portfolio value stream is concerned with the quality of management of the portfolio, the innovation that is being produced for the portfolio, the quality of new solutions being identified, the management of instantiation within programs and projects, and the effectiveness and efficiency of spend for services and innovation.

Strategy to portfolio includes COBIT 5 processes/activities for APO02 (strategy), APO03 (enterprise architecture), APO04 (innovation) and APO05 (portfolio). In this value stream, enterprise architecture drives the current state of the portfolio and all proposed additions to the portfolio. Additions are captured as innovation proposals/contracts representing demand and then integrated as demand management. These are then added as development (to be procured) items to the proposed portfolio. While not explicitly called out, goals are captured here in the form of proposals—a separate process manages the capture, reconciliation and realization of benefits. The enterprise architect’s role involves applying standards and governance; using COBIT, the enterprise architect is able to measure the variance between the anticipated future state and the ongoing processes to get there.

In this integrated form, the key elements identified by COBIT 5 are viewed as one system and include:

  • Defining the strategic plan and road map where initiatives are prioritized by enterprise need
  • Selecting opportunities and solutions that are aligned to business strategy
  • Ensuring that the established budgets are transparent to monitor implementation and use of innovation
  • Identifying opportunities, risk and constraints for IT to enhance the business
  • Collecting data to enable effective IT-related risk identification, analysis and reporting

The key COBIT processes directly linked to strategy to portfolio are:

  • APO02 Manage strategy
  • APO03 Manage enterprise architecture
  • APO04 Manage innovation
  • APO08 Manage relationships
  • APO12 Manage risk
  • APO13 Manage security

Requirements to Deployment

The requirements-to-deploy value stream (figure 5) describes how well IT manages development and delivery—the delivery of strategic demand. This value chain is concerned with the quality of the requirements process, the predictability of programs and projects, the end-to-end quality delivered, the change process, and the use and measurement of performance against service agreements. Here, service designers create/negotiate service level agreements (SLAs)/operational level agreements (OLAs) that evolve as the client and application mature over time.

Figure 5

The requirements-to-deploy value stream includes the COBIT 5 processes of BAI01 (programs and project), BAI02 (requirements), APO09 (service agreements), APO11 (quality), BAI07 (change acceptance and transitioning), and BAI06 (changes). Here, requirements are captured at the same time as a project is initiated. Part of assuming that a quality level is part of the project is the establishment of a planned service agreement in what the IT Infrastructure Library (ITIL) calls the service design phase. When this phase is completed, a deployment package is created and change acceptance and transitioning begins; this results in a change being created (i.e., a ticket).

Again, in this integrated form, the key elements identified by COBIT 5 are viewed as one system and include:

  • Integrating quality management into solutions for development and service delivery
  • Collecting and analyzing risk data
  • Developing and maintaining a project plan
  • Defining and maintaining business and technical requirements
  • Designing, building and testing solution components
  • Documenting, tracking, performing and reporting on change

The key COBIT processes directly linked to a requirement to deploy are:

  • APO11 Manage quality
  • APO12 Manage risk
  • APO13 Manage security
  • BAI01 Manage programs and projects
  • BAI02 Manage requirements definition
  • BAI03 Manage solutions identification and build
  • BAI04 Manage availability and capacity
  • BAI06 Manage changes
  • BAI07 Manage change acceptance and transitioning

Request to Fulfill

Figure 6The request-to-fulfill value stream (figure 6) focuses on how well IT manages its overarching request and fulfillment activities. This is clearly operational demand. The request-to-fulfill value stream aims to “increase user productivity and minimize disruptions through quick resolution of user queries.”4 As a process, it touches multiple IT disciplines including, but not limited to:

  • Service requests
  • Change management
  • Asset management
  • Configuration management
  • Supplier management (including cloud supplier management)

Request to fulfill is built upon service requests and change processes, but adds functions to complete the end-to-end processes. As indicated in figure 6, request to fulfill establishes the notion of a catalog and the notion of financial consumption in the form of subscription management, billing/chargeback and usage management. This is a choice IT organizations need to make; the current best practice is for it to be included. At this phase, the notion of service leasing should be envisioned, and its complement and elasticity allowed to evolve: As services are requested, they either fall into disuse or are abandoned altogether as business/mission capability changes (i.e., business agility). IT must ensure efficiency by keeping systems highly utilized.

There are also items that have been added here that are not explicit in COBIT 5. These include catalog management, subscription management and usage management. These support the rights aspects of asset management/software compliance and the implications of request, budgeting and actual usage. In this integrated form, the key elements are already identified by COBIT 5, but here it is viewed as one system and includes:

  • Monitoring supplier performance and compliance
  • Organizing, identifying, classifying and using knowledge
  • Managing data for the asset life cycle
  • Managing user identity and logical access

The key COBIT processes directly linked to request to fulfill are:

  • APO10 Manage suppliers
  • APO12 Manage risk
  • APO13 Manage security
  • BAI06 Manage changes
  • BAI08 Manage knowledge
  • BAI09 Manage assets
  • DSS05 Manage security services

Detect to Correct

Figure 7The detect-to-correct value stream (figure 7) concerns how well the IT organization prevents services and the supporting infrastructure from breaking down or degrading and how well it manages issues or events when the inevitable happens—something breaks. Simply put, this value chain aims to, as COBIT 5 suggests, increase user productivity and minimize disruptions. The detect-to-correct value stream touches many IT activity categories, including:

  • Capacity
  • Availability
  • Operations
  • Incident
  • Knowledge
  • Problem
  • Quality (CSI)
  • Security

The goal is clearly process optimization. Instead of viewing each area as discrete processes, they are viewed as part of one system that aims to ensure that services perform as agreed and that issues are routinely and holistically resolved. This process considers asset management and configuration management as a single process.

In this integrated form, the key elements identified by COBIT 5 are viewed as one system and include:

  • Documenting, tracking, performing and reporting on change
  • Monitoring internal and external IT services
  • Identifying, investigating, resolving and closing events, incidents and problems
  • Monitoring for security-related issues
  • Monitoring, collecting and analyzing performance and conformance data

The key COBIT processes directly linked to detect to correct are:

  • APO12 Manage risk
  • APO13 Manage security
  • BAI06 Manage changes
  • DSS01 Manage operations
  • DSS02 Manage service requests and incidents
  • DSS03 Manage problems
  • DSS05 Manage security services
  • MEA01 Monitor, evaluate and assess performance and conformance

Overarching View

The previously described streams have been put together into one flow that shows all the linkages among the processes and how the processes touch one another (figure 8).

Figure 8
Click to view large image.

Conclusion

Every IT approach has a unique viewpoint on helping IT be more agile and efficient at meeting the needs of the business. The IT value chain viewpoint, which focuses on the data linkages across the service life cycle, complements the COBIT viewpoint of governance and management. This article has described a systems approach to COBIT 5, using COBIT 5 as the overarching system. Conscious recognition is given to the concept that everything done in IT management has affected and does affect everything else in IT management. The goal is to provide an understanding of the challenges in IT management and the importance of how everything touches and affects one another. Clearly, the people, process and technology elements of the IT management system cannot be viewed in isolation. The value streams of strategy to portfolio, requirement to deploy, request to fulfill and detect to correct align to support a singular value chain that supports business capability. The system has to improve to improve any one part.

Endnotes

1 Based on a private case study of a major US financial institution. Multiple additional sources.
2 Haines, Stephen G.; Strategic and Systems Thinking, 2007
3 Michael Porter pioneered the value chain strategy several years ago as a mechanism to evaluate business competitive advantage. According to Porter, a value chain is the interlinking activities that a firm performs to deliver a valuable product or service to the marketplace.
4 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit

Myles Suer is a senior manager for IT performance management at HP. Suer has 20 years of experience leading new product initiatives at startups and large companies. He is also adjunct faculty at the John Sperling School of Business at the University of Phoenix.

Chane Cullens is a director of strategy in HP’s software group. Cullens has been involved with IT management software and practices for 15 years. He was inducted into the Oregon State University’s Academy of Distinguished Engineers.

Don Brancato is the chief enterprise architect with HP Software for its federal business. Brancato has more than 20 years of experience and expertise as an enterprise architect, software engineer, quality assurance engineer and software manager/director.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.