ISACA Journal
Volume 2, 2018


HelpSource Q&A 


Q  Traditionally, our organization has a policy to adopt established technology solutions. However, new innovative technology-based products are now available that could enhance our business operations, so we are considering adopting these products. What precautions should we keep in mind?

A  Until a few years ago, many organizations did not adopt new technologies unless they were proven, stabilized and in use. The primary reason for this stance was to avoid the possible risk of new technology failing to deliver expected results. However, the past two decades have witnessed an evolution and, therefore, revolution in information technology and its use. This has resulted in many new products becoming available to users in rapid succession. Organizations that traditionally adopted a wait-and-watch approach are now forced to adopt new technology-based solutions to stay relevant in the current environment.

Reluctance to adopt new technologies may be because organizational leaders are not willing to invest in new and innovative projects based on traditional return on investment (ROI) measurements rather than looking at enhancements in overall business value.1 Building a business case using the existing framework of IT strategy aligned to business strategy typically lacks the vision to see the disruption in technology innovations. To overcome this challenge, it is necessary for business leaders to view, as part of business strategy, the technological advances that could disrupt their current view of the marketplace. A case in point is how financial sector organizations have embraced innovations to stay relevant in the marketplace. Some examples of this are mobile banking, automatic payments using near-field communication (NFC) technology and distributed journals using blockchain technology.

Innovations based on technology can be broadly classified into two categories: technology-enabled and technology-centric. The technology-enabled innovations help organizations to become more efficient in delivering services. Technology-centric innovations bring in entirely different approaches that change existing or create new business models. The technology-enabled type is where organizations seem to show more interest.2 An excellent example of this is the new technology for transaction-oriented payment systems that has been adopted by the banking industry.

The ramifications of the second type of innovations—technology-centric—are typically challenging for businesses to understand. Some of the actions a business could take to better understand such innovations include:

  • Setting up a small team whose key responsibilities are to scan the marketplace, look at various innovations taking place and understand their ramifications for the business
  • Setting up a small team to try to adopt innovative solutions on a pilot scale to see the impact they would have on the business and IT strategy. This team will require a budget, both for human resources as well as infrastructure, for experimenting with the innovations.
  • Conducting a risk assessment to ensure that the risk associated with working with any new technology is within the risk appetite and risk tolerance limits of the organization
  • Considering enterprise architecture and whether a new solution can be implemented within the boundaries of the existing enterprise architecture or whether the architecture needs to evolve to a better one
  • Defining a governance framework to measure benefits from new technologies

ISACA provides guidance for adopting innovations in various ways.3, 4, 5, 6, 7 The COBIT 5 framework recognizes the importance of innovations and includes guidance on the topic, such as:

  • “Product and business innovation culture” under the enterprise goals section Learning and Growth
  • “Knowledge, expertise and initiatives for business innovation” under IT goals

In the process reference model, APO04 Manage Innovation addresses the need and process to manage innovations within enterprise IT. The six management practices in this process provide appropriate guidance in adopting new technologies in a methodical way.

COBIT 5 also provides guidance on developing metrics for measuring benefits from adopting new and innovative technologies.

Q As a part of the performance measurement process for IT, we wish to revisit current performance metrics that were implemented a few years back. Which is the best approach to adopt while reviewing existing metrics and developing new metrics?

A Performance measurement is a requirement for any organization to ensure that the organization’s objectives are achieved. This is also applicable to IT-related metrics. The majority of global standards and frameworks, such as ITIL, COBIT 5 and International Organization for Standardization (ISO) standards, prescribe using metrics. COBIT 5 provides a list of generic metrics for each IT-related process defined in its process reference model. ITIL defines three types of metrics: service metrics, process metrics and technology metrics.

When developing these metrics, the sequence of development must be considered since IT is used within organizations for delivering service to the organization’s stakeholders (customers).

Service metrics provide an end-to-end measurement of service performance. Some examples of service-level metrics include:

  • Results of a customer satisfaction survey that indicate the customers’ level of satisfaction with services provided by the organization.
  • Cost of executing a transaction or delivering service from the time a customer logs in.
  • Average time to complete a specific service, not just a process. A service may consist of multiple processes.

Service-level metrics can be used to develop process-level metrics, since a service may consist of multiple processes. Process-level metrics must take input from service-level metrics.

Process metrics measure specific aspects of a process, such as:

  • Average time required to complete activities of the process
  • Average wait time for a customer to complete a transaction
  • Percentage of employees attended on time
  • Percentage of services completed within and out of expected time lines

Process metrics provide information about the functioning of processes. Metrics related to critical processes that directly impact customer service levels or achievement of business objectives may be considered for management reporting.

Technology metrics take inputs from service metrics and process metrics to measure specific aspects of the IT infrastructure and equipment such as:

  • Response time required for user authentication
  • Central Processing Unit (CPU)/bandwidth/storage utilization
  • Network status—speed, integrity of information, receipt or acknowledgment
  • Average uptime (availability of technology)

COBIT 5: Enabling Processes8 provides suggestions for metrics for enterprise and IT goals. It also provides metrics for process goals that can be used to develop metrics for the organization.


1 Horne, A.; B. Foster; “IT Governance Is Killing Innovation,” Harvard Business Review, 22 August 2013
2 Raval, V.; “Information Ethics: Information Technology and Innovation Ethics,” ISACA Journal, vol. 2, 2015
3 ISACA, “Innovation Insights,” July 2015
4 Op cit Raval
5 ISACA, Business Innovation Scoring Calculations, USA, 2015
6 Delmar, Y.; “Leveraging Metrics for Business Innovation: Where Measurement Meets Transformation in IT Governance,” ISACA Journal, vol. 4, 2014
7 ISACA, “What Is COBIT 5?”
8 ISACA, COBIT 5: Enabling Processes, USA, 2012

Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant and visiting faculty member at the National Institute of Bank Management, India.



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.