Home / Resources / News and Trends / Newsletters / COBIT Focus / 2017 / Portfolio, Program and Project Management Using COBIT 5


Portfolio, Program and Project Management Using COBIT 5

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Date Published: 6, September 2017

Many organizations attribute their success to being able to execute their strategic goals and objectives. Execution will be successful if it is measured and if corrective actions are taken at appropriate times when there are deviations. Thus, there has to be a plan that should enable measurement, help track progress and enable corrective action to be taken at the right time to keep the execution on track. One such tool that enables the organization to track its execution is a portfolio/program/project management tool.

A program is group of projects that are working toward achieving one goal. Among the skills that every organization requires, program and project management skills are important and find pride of place. Successful project management requires adoption of a structured approach to deal with projects, programs and portfolios. Hence, it is important for the organization to establish the practice of portfolio/program/project management and provide it with top management support. Establishment of a portfolio/program/project practice will enable the organization to reduce, if not eliminate, unsuccessful projects that cost organizations dearly in terms of time, expense and quality of deliverables meeting stakeholders’ expectations.

Organizations can learn from the experiences of other organizations in different industries, so it would be useful for organizations to adopt globally accepted best practices in the form of a defined organizational framework for program and project management. An ideal framework would be one based on the Project Management Institute’s (PMI) A Guide to the Project Management Body of Knowledge ( PMBOK Guide ) or Projects in Controlled Environments ( PRINCE2) version 2.

As technology pervades every sphere of activity in life, businesses, too, are heavily dependent on leveraging technology to capture their customers’ attention. Increasing dependency on information and related technology requires an organization to initiate and execute various programs for adopting and leveraging technology-based solutions. The portfolio of IT-related programs and projects is becoming larger. Considering the investment in IT solutions, it is appropriate for organizations to adopt IT governance practices based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 38500 Information technology—Governance of IT for the organization standard, using COBIT 5 as a framework.

This article has mentioned 2 standards already, and a couple of questions come to mind: Should organizations need to adopt many standards? Can COBIT 5 help program and project management frameworks? Since the PMBOK Guide is a widely accepted knowledge base that is used by organizations, mapping its structure with COBIT 5 provides an answer to these questions. This article provides direction on how to map COBIT 5 with the PMBOK Guide knowledge base by describing PMI’s PMBOK Guide and COBIT 5, then comparing both.

PMI’s Knowledge Base

PMI has done research in the practices of program and project management and PMBOK Guide has become a de facto industry standard. Typically, organizations use standards published by PMI to define a portfolio, program and project management framework ( figure 1).

Figure 1—PMI Publications

Name of Publication

A Guide to the Project Management Body of Knowledge 5 th Edition

The Standard for Program Management 3 rd Edition

The Standard for Portfolio Management 3 rd Edition

Organizational Project Management Maturity Model (OPM3) 3 rd Edition

Each of these publications focuses on providing knowledge and guidance on specific aspects of the project management framework and helps the reader to understand the intricacies of portfolio, program and project management. PMBOK Guide describes 47 processes for project management, grouped in 5 process groups, illustrated in figure 2.

Figure 2— PMBOK Guide Process Groups

Process Group



Processes for initiating a project


Processes for planning a project


Processes for executing project

Controlling and Monitoring

Processes for controlling and monitoring progress of project. Typically works iteratively with the executing process group.


Processes for closing and documenting lessons learned

Source: Excerpted from PMI, A Guide to the Project Management Body of Knowledge 5 th Edition, p. 49

The relationship of these process groups with the project management life cycle is depicted in figure 3.

Figure 3—Project Management Life Cycle (From PMBOK Guide)

Source: Adapted from from PMI, A Guide to the Project Management Body of Knowledge 5 th Edition, p. 50

The list of processes in each process group is shown in figure 4.

Figure 4—Process Groups and Processes

Process Groups






1. Develop Project Charter
2. Identify Stakeholders

1. Develop Project Management Plan
2. Plan Scope Management
3. Collect requirements
4. Define Scope
5. Create Work Breakdown Structure (WBS)
6. Plan Schedule Management
7. Define Activities Definition
8. Sequence Activities
9. Estimate Activity Resources
10. Estimate Activity Durations
11. Develop Schedule
12. Plan Cost Management
13. Estimate Cost
14. Determine Budget
15. Plan Quality Management
16. Plan Human Resources Management
17. Plan Communications Management
18. Plan Risk Management
19. Identify Risk
20. Perform Qualitative Risk Analysis
21. Perform Quantitative Risk Analysis
22. Plan Risk Responses
23. Plan Procurements Management
24. Plan Stakeholder Management

1. Direct and Manage Project Execution
2. Perform Quality Assurance
3. Acquire Project Team
4. Development Project Team
5. Manage Project Team
6. Manage Communications
7. Conduct Procurements
8. Manage Stakeholder Engagement

1. Monitor and Control Project Work
2. Perform Integration Change Control
4. Verify Scope
5. Control Scope
6. Control Schedule
7. Control Cost
8. Control Quality
9. Control Communications
10. Control Risk
11. Control Procurements
12. Control Stakeholder Engagement

1. Close Project or Phase
2. Close Procurements

The processes are also grouped into 10 knowledge areas as described in figure 5.

Figure 5—Knowledge Areas and Associated Processes

Knowledge Areas


Develop Project Charter

Develop Project Management Plan

Direct and Manage Project Execution

Monitor and Control Project Work

Perform Integration Change Control

Close Project or Phase


Plan Scope Management

Collect Requirements

Create Work Breakdown Structure

Define Scope

Verify Scope

Control Scope


Plan Schedule Management

Define Activities Definition and Sequence Activities

Estimate Activity Resources

Estimate Activity Durations

Develop Schedule

Control Schedule


Plan Cost Management

Estimate Cost and Determine Budget

Control Cost


Plan Quality Management

Perform Quality Assurance

Control Quality

Human Resources

Plan Human Resources Management

Acquire Project Team

Development Project Team

Manage Project Team


Plan Communications Management

Manage Communications

Control Communications


Plan Risk Management

Identify Risk

Perform Qualitative Risk Analysis

Perform Quantitative Risk Analysis

Plan Risk Responses

Control Risk


Plan Procurements Management

Conduct Procurements

Control Procurements

Close Procurements

Figure 6 describes the relationship of project, program and portfolio management required at the organization level.

Figure 6—Project Management at the Organization Level





Projects have defined objectives. Scope is progressively elaborated throughout the project life cycle.

Programs have a larger scope and provide more significant benefits.

Portfolios have an organizational scope that changes with the strategic objectives of the organization.


Project managers expect change and implement processes to keep change managed and controlled.

Program managers expect change from both inside and outside the program and are prepared to manage it.

Portfolio managers continuously monitor changes in the broader internal and external environment.


Project managers progressively elaborate high-level information into detailed plans throughout the project life cycle.

Program managers develop the overall program plan and create high-level plans to guide detailed planning at the component level.

Portfolio managers create and maintain necessary processes and communication relative to the aggregate portfolio.


Project managers manage the project team to meet the objectives.

Program managers manage the program staff and project managers. They provide vision and leadership.

Portfolio managers manage or coordinate portfolio staff (or program/project staff) responsible for the aggregate portfolio.


Success is measured by product and project quality, timeliness, budget compliance and degree of customer satisfaction.

Success is measured by the degree to which the program satisfies the needs and benefits for which it was undertaken.

Success is measured in terms of the aggregate investment performance and benefit realization of the portfolio.


Project managers monitor and control the deliverables of the project as per objectives.

Program managers monitor the progress of program components to ensure that the overall goals, schedule, budget and benefits shall be met.

Portfolio managers monitor strategic changes and aggregate resource allocation, performance results and risk of the portfolio.

Source: Adapted from from PMI, A Guide to the Project Management Body of Knowledge 5 th Edition, p. 50

The PMI standards and body of knowledge describe the processes and activities in detail in the publications mentioned earlier.

Mapping With COBIT 5

COBIT 5 is a comprehensive IT governance framework. Project management is a subset of overall IT governance. Figure 7 shows the overall framework of IT governance.

Figure 7—ISO/IEC 38500:2008 IT Governance Model

Source: Adapted from International Organization for Standardization ISO 38500

COBIT 5 can be used as a benchmark for reviewing and implementing governance and management of enterprise IT. It has a set of 5 principles and 7 enablers that are the building blocks of the framework. These principles and enablers make COBIT 5 an effective tool for implementing governance of enterprise IT (GEIT) and help enterprises in various ways, such as simplifying complex issues, delivering trust and value, managing risk, reducing potential public embarrassment, protecting intellectual property, and maximizing opportunities.

The 5 principles of COBIT 5 ( figure 8) are applicable to program and project management:

  1. Meeting stakeholder needs—The programs and projects are part of enterprise ecosystems and are initiated considering stakeholder needs from the enterprise.
  2. Covering enterprise end-to-end—The program and project management framework is common for the entire enterprise, including IT. COBIT 5 is also a framework that covers enterprise IT.
  3. Applying a single integrated framework—COBIT 5 addresses program and project management.
  4. Enabling a holistic approach—This principle covers 7 enablers, including governance resources and management resources, which are also part of the program and project management framework.
  5. Separating governance from management—This helps in differentiating portfolio management, which is more a governance function, from program and project management, which are more operational.

Figure 8—Five Principles of COBIT 5

Source: ISACA, COBIT 5, USA, 2012

The 7 enablers of COBIT 5 are also associated with the program and project management ( figure 9):

  • Principles, policies and frameworks—Organizations need to define policies, procedures and guidelines for program and project management based on the organizations’ principles.
  • Processes—COBIT 5 defines 37 generic processes. Although process BAI01 Manage programs and projects is directly associated with program and project management, there are other processes also required for establishing a framework.
  • Organizational structures—This refers to the key decision-making entities in an enterprise, including portfolio, program and project management.
  • Culture, ethics and behavior—The culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
  • Information—It is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, including portfolio, program and project management.
  • Services, infrastructure and applications—These include the infrastructure, technology and applications that are required for executing projects, and often projects’ outcomes generate services and applications that shall be hosted for the benefit of organizations.
  • People, skills and competencies—These are linked to people and are required for the successful completion of programs and projects.

Figure 9—Seven Enablers of Governance

Source: ISACA, COBIT 5, USA, 2012

COBIT 5 Process Reference Model

COBIT 5 contains a process reference model ( figure 10) consisting of 37 generic processes required for the governance and management of enterprise IT. These processes are organized in 5 groups:

  1. Evaluate Direct and Monitor (EDM)
  2. Align, Plan and Organize (APO)
  3. Build, Acquire and Implement (BAI)
  4. Deliver, Service and Support (DSS)
  5. Monitor, Evaluate and Assess (MEA)

Figure 10—COBIT 5 Process Reference Model
View Large Graphic
Source: ISACA, COBIT 5, USA, 2012; View Large Graphic

These processes are described in detail in COBIT 5: Enabling Processes . The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into 2 main areas—governance and management—with management further divided into domains of processes:

  • The governance domain contains 5 governance processes. Within each process, Evaluate, Direct and Monitor (EDM) practices are defined.
  • The management domains are in line with the responsibility areas of Plan, Build, Run and Monitor (PBRM).

COBIT 5: Enabling Processes consists of:

  • A process description, which describes the process function
  • A process purpose statement, which describes the objectives of the process
  • IT-related goals, which are applicable for the process and are derived from business goals. Each IT-related goal is associated with a set of generic measurement metrics for measuring performance.
  • Process goals, which are derived from process goals cascaded from IT and business goals. Each process goal is associated with or related to a set of generic metrics.
  • Each process contains a set of management practices that may be considered as subprocesses. These are associated with a generic responsible, accountable, consulted and informed (RACI) chart. The RACI charts of COBIT 5 use functional descriptions to define generic positions. Organizations should customize these to reflect the positions preidentified in their own organization chart.
  • Each management practice contains a set of inputs and outputs required for the process and associated with a set of activities.

Governance processes are common across the organization and are applicable for portfolio, program and project management areas. From other process groups (excluding BAI01), other processes are partially applicable for program and project management.

Mapping COBIT 5 and PMI Standards

Although it may not be possible to cover an entire mapping in the scope of this article, the following approach has been adopted to carry out mapping. The steps to be followed for mapping are:

  1. Identify the processes from the COBIT 5 process reference model that are required for portfolio, program and project management. This can be done by looking into the activities defined by the different processes.
  2. Identify the matching activities from the PMI standards ( figure 1) for portfolio, program and project management.
  3. Map these activities with the activities of the identified COBIT processes.
  4. Identify work products (input and output).
  5. Prepare a RACI chart for each.
  6. Identify gaps, i.e., activities of PMI that do not match with COBIT 5 and COBIT 5 activities that do not have a matching activity in the PMI standards.

This approach will help ensure that all activities defined by PMI standards are getting mapped within COBIT 5. A word of caution: These frameworks need to be adapted to the organization’s ways of working, which are dictated by its customers’ needs. Care must be taken to not let the framework jeopardize business.


Mapping of COBIT 5 with PMI standards is useful in providing assurance that the COBIT 5 framework can be used as an “single integrated framework” across organizations. This is an initial article; more will follow as different processes are mapped.


Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant and visiting faculty member at the National Institute of Bank Management, India.