Marrying COBIT and ITIL for Effective Governance

April 2008
Harpreet Virdee
Partner, The Manta Group
harpreet.virdee@mantagroup.com

Welcome! Objective:

• Provide an appreciation of why and how Governance (COBIT 4.1) initiatives and ITSM (ITIL v2/v3, ISO20000) can make a happy marriage.

Agenda

• Context: How do COBIT 4.1 and ITSM (ITIL v2 and ITIL v3) frameworks align?
• Why: Why align Governance and ITSM initiatives?
• How: A practical approach in using COBIT and ITIL together.

Context: How do the frameworks align?

Governance: COBIT 4.1, Val IT

Service Management: ITIL v2, ITIL v3, ISO20000

Evolution of Governance Practices

[Figure: evolution of the IT function over time, in three stages]

• COBIT 3.0 Focus: Control Environment
• COBIT 4.0 Focus: Governance
• COBIT 4.1 and Val IT Focus: IT as a partner: Enable Value and Compliance

Val IT Approach: Enterprise Value, Governance of IT Investments

Val IT = Investment Strategy & Value

• Strategic Investment: Are we doing the right things? (Affordable Cost, Acceptable Risk, Returns)
• Value Realization: Are we getting the benefits? (Accountability, Processes, Track Record)
• Enterprise Architecture: Are we doing them the right way? (Integration, Performance, Change, Risk)
• Delivery Capabilities: Are we getting them done well? (Processes, People, Technology)

COBIT = Supports Execution

CobiT 4.1 Overview

Planning & Organization
• Are Business and IT strategy aligned?
• Is business achieving optimum use of its IT resources?
• Does everyone in business understand IT objectives?
• Are IT risks understood and being properly managed?
• Is the quality of IT systems and services appropriate for business needs?

Acquire & Implement
• Are projects likely to deliver solutions that meet business needs?
• Are projects likely to deliver on time and within budget?
• Will the new or revised systems work when implemented?
• Will changes be made without upsetting current business operations?

Delivery & Support
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the work force able to use IT systems productively?
• Are adequate performance requirements such as security, integrity and availability in place?

Monitor
• Can IT performance be measured?
• Can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?

CobiT 4.1 Overview

Plan & Organize
• PO 1 Define Strategic IT Plan
• PO 2 Define Information Architecture
• PO 3 Determine Technological Direction
• PO 4 Define IT Processes, Organisation, Relationships
• PO 5 Manage IT Investment
• PO 6 Communicate Aims and Direction
• PO 7 Manage IT Human Resource
• PO 8 Manage Quality
• PO 9 Assess & Manage IT Risks
• PO 10 Manage Projects

Acquire & Implement
• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Infrastructure
• AI 4 Enable Operation & Use
• AI 5 Procure IT Resources
• AI 6 Manage Change
• AI 7 Install and Accredit Solutions & Changes

Deliver & Support
• DS 1 Define and Manage Service Levels
• DS 2 Manage Third-party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure System Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
• DS 8 Manage Service Desk & Incident
• DS 9 Manage Configuration
• DS 10 Manage Problems
• DS 11 Manage Data
• DS 12 Manage Physical Environment
• DS 13 Manage Operations

Monitor & Evaluate
• ME 1 Monitor & Evaluate IT Performance
• ME 2 Monitor & Evaluate Internal Control
• ME 3 Ensure Regulatory Compliance
• ME 4 Provide IT Governance

Evolution of Service Management Practices

[Figure: evolution of the IT function over time, in three stages]

ITIL V1 Focus: Common Approach (Technology Provider; IT Infrastructure Management)
• Common Language and Approach
• Align disparate work practices
• Define a standard approach
• Continuous Work in Progress (40+ Books)

ITIL V2 Focus: Optimization (Service Partner; IT Service Management)
• Process Centric
• Production Oriented
• Optimal Levels of Service at Justifiable Costs
• Basis for ISO20000

ITIL V3 Focus: IT alignment & integration (Strategic Partner; Service Management)
• Value Chain
• Complete lifecycle for solutions
• Integrate with the business

ITIL V2 Overview

ITIL Processes:
• Change Management
• Release Management
• Availability Management
• IT Financial Management
• IT Service Continuity Management
• Configuration Management
• Capacity Management
• Service Level Management
• Security Management
• Incident Management
• Problem Management
• Application Management
• Infrastructure Management
• Service Desk

ITIL V3 Overview

Service Strategy
• SS1 Strategy Generation
• SS2 Financial Management
• SS3 Demand Management
• SS4 Service Portfolio Management

Service Design
• SD1 Service Catalogue Management
• SD2 Service Level Management
• SD3 Capacity Management
• SD4 Availability Management
• SD5 IT Service Continuity Management
• SD6 Information Security Management
• SD7 Supplier Management

Service Transition
• ST1 Transition & Planning Support
• ST2 Change Management
• ST3 Service Asset & Configuration Management
• ST4 Release & Deployment Management
• ST5 Service Validation & Testing
• ST6 Evaluation
• ST7 Knowledge Management

Service Operations
• SO1 Event Management
• SO2 Incident Management
• SO3 Request Fulfilment
• SO4 Problem Management
• SO5 Asset Management

Continual Service Improvement
• CSI1 7-Step Improvement Process
• CSI2 Service Measurement
• CSI3 Service Reporting

Governance – Big Picture

COBIT 4.1 Governance: Value, Risk & Compliance

All ITIL v2 Processes are addressed by CobiT 4.1

[Figure: the ITIL v2 processes surrounded by the CobiT 4.1 processes that address them]

ITIL processes shown: Change Management, Release Management, Availability Management, IT Service Continuity Management, IT Financial Management, Configuration Management, Capacity Management, Service Level Management, Security Management, Service Desk, Incident Management, Problem Management, Application Management, Infrastructure Management.

CobiT 4.1 processes shown:
• PO 5 Manage IT Investment
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Infrastructure
• AI 6 Manage Change
• AI 7 Install and Accredit Solutions & Changes
• DS 1 Define and Manage Service Levels
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure System Security
• DS 6 Identify and Allocate Costs
• DS 8 Manage Service Desk & Incident
• DS 9 Manage Configuration
• DS 10 Manage Problems

75% of ITIL V3 processes map to CobiT 4.1

[Figure: CobiT processes mapped to ITIL V3 Service Operations processes]

CobiT:
• DS 7 Educate and Train Users
• DS 8 Manage Service Desk & Incident
• DS 10 Manage Problems
• DS 11 Manage Data
• DS 12 Manage Physical Environment
• DS 13 Manage Operations

ITIL V3 – Service Operations:
• SO1 Event Management
• SO2 Incident Management
• SO3 Request Fulfilment
• SO4 Problem Management
• SO5 Asset Management

ITIL & CobiT Inter-Operability

CobiT (Process & Metrics Oriented):
• Business – IT – Process Goals/Metrics
• Governance Processes
• Process Controls
• Functions, Roles & RACI

ITIL v3 (Service Oriented, broader scope):
• High-level Work Flows
• Role descriptions

ITIL v2 (Process Oriented):
• Process Metrics
• Process Work Flows
• Detail Role Descriptions
• Toolsets

Detailed Procedures, Work Instructions, Templates

COBIT: Business Goals for IT

Financial Perspective
1. Expand Market Share
2. Increase Revenue
3. Increase Profit
4. Increase Return on Investment
5. Optimize Asset Utilization
6. Manage Business Risk

Customer Perspective
7. Improve Customer Orientation and Service
8. Offer Competitive Products and Services
9. Assure Service Availability
10. Agility in Responding to Changing Business Environment

Internal Perspective
11. Compliance with Laws and Regulations
12. Compliance with Internal Policies
13. Transparency for Better Decisions
14. Automate and Integrate the Enterprise value chain
15. Optimize Costs
16. Improve and Maintain Business Processes Functionalities
17. Improve and Maintain Workforce productivity

Learning and Growth Perspective
18. Enable Innovations
19. Enable Expansion outside of Core Strategy
20. Acquire Talent to Support Innovation and Expansion

ITIL & CobiT Inter-Operability @ Process Level – Service Level Management

CobiT (Process Controls):
• SLM Framework (DS1.1)
• Definition of Services (DS1.2)
• Service Level Agreements (DS1.3)
• Operating Level Agreements (DS1.4)
• Monitoring and Reporting (DS1.5)
• SLAs & Contracts Reviews (DS1.6)

ITIL (Process Workflow & Activities):
• Create SC and SLAs
• Identify Service Metrics
• Monitor service metrics
• Review SLAs, OLAs and UCs

ITIL & CobiT Inter-Operability @ Metrics Level - Service Level Management

CobiT (Metrics aligned to IT & Business Goals):
• % of Services not in the catalogue
• % of service levels reported
• % of service levels reported in automated way
• # of formal SLA annual review meetings with business
• % of service levels review meetings
• # of business stakeholders satisfied that service delivery meets agreed levels
• % of users satisfied that service delivery meets agreed levels.

ITIL Process metrics:
• % of services covered by SLAs
• % of SLAs with OLAs & underpinning contracts?
• # or % of Service targets met and # or % severity breaches?
• Are SLAs, OLAs and underpinning Contracts current? % that need review or update?
• Are review meetings held on time and correctly minuted?
• Documentary evidence that issues raised at review are followed-up and resolved?
• Are SLAs monitored and regular reports produced?
• Are service levels improving?

ITIL & CobiT Inter-Operability @ Roles & Responsibility Level

CobiT (Function, Roles & RACI):
• Business Executive (CI)
• Business Process Owner (CI)
• CFO (I)
• CIO (ACI)
• Head IT Admin (RCI)
• Head Operations (RC)
• Head Development (RCI)
• Chief Architect (I)
• PMO (CI)
• Service Manager (RA)
• Compliance, Security, Audit (CI)

ITIL (Detail on Role Descriptions):
• Service Level Manager

Why should we align?

Why align Governance and ITSM initiatives?

Current State versus Desired State

Current State
• IT has too many 'standard terminologies'
• Multiple initiatives with common goals are not aligned:
• Project silos
• Inefficient use of resources
• Governance initiatives are 'compliance' focused versus value oriented.
• ITSM initiatives – lack of governance and value focus

Desired State and Benefits
• A common language
• Program (Governance and ITSM) vision and goals are aligned, use common approach, share knowledge.
• Governance is about value & compliance. ITSM supports governance goals.

Ideal Future State

[Figure: The Manta Group Service Architecture]

www.mantagroup.com

Why align Governance and Service Management?

• We don't know if our IT enabled investments are delivering value.
• Perception: 40% of all IT spending bought no return to the organization. 2004 IBM research - 1000 CIOs (Gartner 2006 & ITGI research on 1600 projects).
• Service Management is a critical component of overall Governance.
• Bridges the gap between business & IT goals (COBIT) and fulfilling these goals via effective service management (ITIL).
• The goals are the same: Business Alignment, Value, and Compliance.
• The frameworks are complementary (ITIL: more process details; COBIT: Measurement, Goals and Controls).

Why have separate efforts?

How can we use them together?

A practical approach in using COBIT and ITIL together

RAPID Approach

1. Need to have a common Governance Vision and Scope.

Example: Governance Visioning Workshop

The Manta Group CobiT Governance Visioning Approach

Adopt and Adapt CobiT Governance Framework for Customer Environments

• Demand Drivers Analysis ("Who Cares?", Value): What Business needs, imperatives, priorities, goals and strategies are dependent on the IT governance framework?
• Consequence Drivers Analysis ("So What?", Risk): What will/can go wrong in the absence of a standardized IT governance framework?
• Mitigation Drivers Analysis ("Now What?", Control): What level of mitigation maturity is required to establish a standardized IT governance framework?

1. Employ high insight to effort ratio.
2. Produce comprehensive & detailed assessment.
3. Results in meaningful priorities for Customer IT Governance Framework.

PO: Domain Summary example: Maturity versus Consequence

[Figure: Plan and Organize processes PO1 to PO10 plotted by Maturity (Now What), scale 0 to 5, against Consequences (So What), scale 0 to 18]

Legend:
• PO1 - IT Strategy
• PO2 - Information Architecture
• PO3 - Technology Direction
• PO4 - Process & Organization
• PO5 - Manage Investment
• PO6 - Communication Strategy
• PO7 - Manage HR
• PO8 - Manage Quality
• PO9 - Manage Risk
• PO10 - Manage Projects

PO4 Define the IT Processes, Organization & Relationships

[Figure: PO4 control objectives plotted by Maturity of Controls against Severity of Concern, with regions labelled Monitor, Under Controlled, Over Controlled and Monitor Closely]

Legend:
• PO4.1 IT Process Framework
• PO4.2 IT Strategy Committee
• PO4.3 IT Steering Committee
• PO4.4 Organizational Placement of the IT Function
• PO4.5 IT Organizational Structure
• PO4.6 Roles and Responsibilities
• PO4.7 Responsibility for IT Quality Assurance
• PO4.8 Responsibility for Risk, Security and Compliance
• PO4.9 Data and System Ownership
• PO4.10 Supervision
• PO4.11 Segregation of Duties
• PO4.12 IT Staffing
• PO4.13 Key IT Personnel
• PO4.14 Contracted Staff
• Policies and Procedures

Example: Deliver & Support Gap Assessment

[Figure: the DS 1 to DS 13 process grid repeated under four assessment views: High Risk and Low Maturity; High Business Demand; Gap in Responsibility and Accountability; High Relevance]

Gap Areas of Focus:
• DS4 – Ensure Continuous Services
• DS5 – Ensure System Security
• DS7 – Enable & Train Users
• DS10 – Manage Problems

Step 2: Need to have a plan on what you will implement and how.

Manage this as a Portfolio of Projects

Governance Planning

Scope:
• Use COBIT to prioritize what governance areas to focus on strategically.
• Decide from scope which are also under the ITIL framework.
• Prioritize focus areas
• Look to create portfolio of projects to cover each focus area – and look to adopt additional frameworks for further detail.
• Embody – people, process and automation as factors.

Deliverables:
• Portfolio of prioritized governance projects
• Implementation plan

Step 3: Implementation & Review

Use COBIT and ITIL content together for process implementation

How to use COBIT & ITIL together

Metrics
• Use COBIT for performance dashboard strategy
• Use COBIT to align business to IT to process goals and metrics
• Validate process metrics with ITIL process KPIs

Process
• Use ITIL to define process activities and workflow
• Use COBIT to validate process controls are in place

Roles
• Use COBIT for Functional Role and RACI role mapping
• Use ITIL to provide a role description

Conclusion
Top 10 Reasons
1. IT becomes the growth engine of the organization

2. Levels the playing field for IT to have a voice at the executive table

3. Moves IT from cost-centre mentality to value-centre mentality

4. Brings risk into the forefront enabling IT to convey concerns constructively

5. Enables regulatory compliance

6. Provides business oriented measures to monitor IT performance

7. Promotes IT and Business joint responsibility and accountability

8. Aligns IT goals with business goals

9. Links IT processes to business process

10. Clarifies IT activities, output and contributions

Thank You
Question & Answer