Portfolio, Program and Project Management Using COBIT 5, Part 3
By Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA,
PMP, and Eswar Muthukrishnan, CISA, CPISI, MCA, PGDM
COBIT Focus | 29 January 2018

This is the continuation of a series of articles published in COBIT Focus beginning in September 2017. The first article¹
discussed the approach for mapping COBIT® 5 with the Project Management Institute’s (PMI’s) standards and publication
A Guide to the Project Management Body of Knowledge (PMBOK Guide). The second article discussed the differences
between PMI standards and COBIT 5 at a high level.²

PMI published the standards shown in figure 1 that have been adopted by many organizations. Each of these
publications has identified and defined processes for implementing these standards. Each standard has a different
number of processes, as shown in the second column of figure 1.

Figure 1—PMI Publications


| Name of Publication | Process Groups | Number of Processes |
|---|---|---|
| A Guide to the Project Management Body of Knowledge 5th Edition | 3 | 15 |
| The Standard for Program Management 3rd Edition | 5 | 36 |
| The Standard for Portfolio Management 3rd Edition | 5 | 47 |

This article provides a mapping of the portfolio management standards with the COBIT 5 processes. The approach shown
in figure 2 was developed to map the PMI standards with COBIT 5 processes.

PMI has revised the publications noted with a fourth edition, updating portfolio³ and program management.⁴ A sixth
edition of PMBOK⁵ was published in September 2017. However, since this mapping was undertaken prior to these
publications, the standards listed in figure 1 are described herein. The changes in new editions shall be discussed
subsequently.

Figure 2—Approach for Mapping PMI Standards With COBIT 5 Processes

Since PMI standards are in depth, there are few gaps in activities. COBIT 5 has not specifically identified these activities,
but references them.

Portfolio Management
Portfolio management is the highest level of the organization that is responsible for defining, authorizing and supervising
programs and projects. Considering it is the highest level in the organizational structure, it should align programs and
projects with the organization’s objectives and strategies. Therefore, the portfolio management processes should include
governance processes (Evaluate, Direct and Monitor).
The PMI portfolio management standard identifies 5 different knowledge areas for defining processes:
1. Strategic management
2. Governance management
3. Performance management
4. Communication management
5. Risk management

Portfolio management standards emphasize that organizations need to ensure that their portfolio management processes
are defined in alignment with organizational strategy. The standard recommends that organizations categorize processes
into 3 groups:
1. Defining processes
2. Aligning processes
3. Controlling and managing processes

PMI’s portfolio management standard⁶ identifies 16 generic processes for portfolio management in 3 process groups
(figure 3). These processes are interlinked and need to be implemented by considering their interdependencies with the
3 process groups based on the knowledge areas. For example, the knowledge area Governance Management has
processes in all 3 process groups since COBIT 5 is a framework for governance of enterprise IT (GEIT). When mapping
processes related to governance, one needs to consider knowledge areas. Process groups help establish
interdependencies.

Figure 3—Portfolio Management Processes


| Process Group | Knowledge Area | Process | Description |
|---|---|---|---|
| Defining | Strategic Management | Develop Portfolio Strategic Plan | Align portfolio objectives with enterprise strategic objectives and goals. |
| Defining | Strategic Management | Develop Portfolio Charter | Define objectives, scope, deliverables, success criteria and time lines, and identify stakeholders. |
| Defining | Strategic Management | Define Portfolio Roadmap | Identify portfolio components, dependencies, milestones and deliverables. |
| Defining | Governance Management | Develop Portfolio Management Plan | Develop a plan for governing and managing portfolio activities, change management, performance monitoring and reporting, processes for procurement, and compliance. |
| Defining | Governance Management | Define Portfolio | Identify and list components including programs, projects, resources, cost and time lines. |
| Defining | Performance Management | Define Portfolio Performance Management Plan | Develop a plan to manage the performance of the portfolio and its components to ensure that the organization’s objectives are achieved. |
| Defining | Communication Management | Define Portfolio Communication Management Plan | Identify stakeholders, determine communication requirements and develop a communication plan. |
| Defining | Risk Management | Define Portfolio Risk Management Plan | Develop a portfolio risk management plan. |
| Aligning | Strategic Management | Manage Strategic Change | Evaluate strategic changes within the organization and their impact on portfolio objectives and deliverables, and update the portfolio management plan as needed. |
| Aligning | Governance Management | Optimize Portfolio | Continuously analyze the components to ensure that resources are effectively performing to achieve the organization’s objectives. |
| Aligning | Performance Management | Manage Supply and Demand | Manage the availability of resources for each component of the portfolio. |
| Aligning | Performance Management | Manage Portfolio Value | Capture, measure and report value creation by the portfolio. |
| Aligning | Communication Management | Manage Portfolio Information | Execute the communication plan. |
| Aligning | Risk Management | Manage Portfolio Risks | Execute the portfolio risk management plan. |
| Authorizing and Controlling | Governance Management | Authorize Portfolio | Authorize portfolio components and resources (a necessary process for governance). |
| Authorizing and Controlling | Governance Management | Provide Portfolio Oversight | Monitor the performance of the portfolio relative to its alignment with defined objectives and provide directions in cases where deviation is observed. |

The portfolio management standard of PMI is for organizations that have multiple portfolios, whereas the primary focus of
COBIT 5 is the IT portfolio. Considering this, an effort has been made to map PMI’s processes with those of COBIT 5.
Since direct mapping is not possible, the management practices of the process reference model of COBIT 5 were
considered. The ISACA® publication COBIT® 5: Enabling Processes provides a detailed description of processes at
the activity level; hence, it was used while mapping. The mapping is shown in figure 4.

The sequence of processes is based on relevance to the PMI process to which the COBIT 5 process is
mapped. For example, since Defining Strategic Plan directly relates to APO02 Manage Strategy and indirectly relates to
EDM02 Ensure Benefits Delivery, the sequence is not as it appears in the process reference model (PRM) of COBIT 5.

Figure 4—Portfolio Management Standard and COBIT 5 Process Mapping


| PMI's Portfolio Standard Processes | Process Group | COBIT 5 Process | COBIT 5 Management Practices |
|---|---|---|---|
| Develop Portfolio Strategic Plan | Defining | APO02 Manage Strategy | APO02.05 Define the strategic plan and road map. |
| Develop Portfolio Strategic Plan | Defining | EDM02 Ensure Benefits Delivery | EDM02.01 Evaluate value optimization; EDM02.02 Direct value optimization; EDM02.03 Monitor value optimization. |
| Develop Portfolio Charter | Defining | APO02 Manage Strategy | APO02.05 (Indirect) Define the strategic plan and road map. |
| Develop Portfolio Charter | Defining | APO05 Manage Portfolio | APO05.05 Maintain portfolios. |
| Define Portfolio Roadmap | Defining | APO02 Manage Strategy | APO02.05 Define the strategic plan and road map. |
| Define Portfolio Roadmap | Defining | APO05 Manage Portfolio | APO05.01 Establish the target investment mix; APO05.02 Determine the availability and sources of funds; APO05.03 Evaluate and select programs to fund. |
| Develop Portfolio Management Plan | Defining | APO02 Manage Strategy | APO02.05 Define the strategic plan and road map. |
| Develop Portfolio Management Plan | Defining | APO05 Manage Portfolio | APO05.03 Evaluate and select programs to fund; APO05.05 Maintain portfolios. |
| Define Portfolio | Defining | APO02 Manage Strategy | APO02.05 Define the strategic plan and road map. |
| Define Portfolio Performance Management Plan | Defining | APO02 Manage Strategy | APO02.05 Define the strategic plan and road map. |
| Define Portfolio Performance Management Plan | Defining | APO05 Manage Portfolio | APO05.01 Establish the target investment mix; APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.06 Manage benefits achievement. |
| Define Portfolio Communication Management Plan | Defining | APO05 Manage Portfolio | APO05.01 Establish the target investment mix; APO05.02 Determine the availability and sources of funds; APO05.03 Evaluate and select programs to fund; APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.05 Maintain portfolios; APO05.06 Manage benefits achievement. |
| Define Portfolio Communication Management Plan | Defining | APO02 Manage Strategy | APO02.06 Communicate the IT strategy and direction. |
| Define Portfolio Risk Management Plan | Defining | APO05 Manage Portfolio | APO05.01 Establish the target investment mix. |
| Define Portfolio Risk Management Plan | Defining | APO12 Manage Risk | APO12.01 Collect data; APO12.02 Analyze risk; APO12.03 Maintain a risk profile; APO12.04 Articulate risk; APO12.05 Define a risk management action portfolio; APO12.06 Respond to risk. |
| Manage Strategic Change | Aligning | APO02 Manage Strategy | APO02.01 Understand enterprise direction. |
| Manage Strategic Change | Aligning | APO05 Manage Portfolio | APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.05 Maintain portfolios. |
| Optimize Portfolio | Aligning | APO05 Manage Portfolio | APO05.01 Establish the target investment mix; APO05.02 Determine the availability and sources of funds; APO05.03 Evaluate and select programs to fund; APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.05 Maintain portfolios; APO05.06 Manage benefits achievement. |
| Manage Supply and Demand | Aligning | APO05 Manage Portfolio | APO05.01 Establish the target investment mix; APO05.02 Determine the availability and sources of funds; APO05.03 Evaluate and select programs to fund; APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.05 Maintain portfolios; APO05.06 Manage benefits achievement. |
| Manage Portfolio Value | Aligning | APO05 Manage Portfolio | APO05.06 Manage benefits achievement. |
| Manage Portfolio Value | Aligning | EDM02 Ensure Benefits Delivery | EDM02.01 Evaluate value optimization; EDM02.02 Direct value optimization; EDM02.03 Monitor value optimization. |
| Manage Portfolio Information | Aligning | APO05 Manage Portfolio | APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.05 Maintain portfolios. |
| Manage Portfolio Risks | Aligning | APO05 Manage Portfolio | APO05.01 Establish the target investment mix. |
| Manage Portfolio Risks | Aligning | APO12 Manage Risk | APO12.01 Collect data; APO12.02 Analyze risk; APO12.03 Maintain a risk profile; APO12.04 Articulate risk; APO12.05 Define a risk management action portfolio; APO12.06 Respond to risk. |
| Authorize Portfolio | Authorizing and Controlling | APO02 Manage Strategy | APO02.04 Conduct a gap analysis. |
| Provide Portfolio Oversight | Authorizing and Controlling | APO02 Manage Strategy | APO02.01 Understand enterprise direction. |
| Provide Portfolio Oversight | Authorizing and Controlling | APO05 Manage Portfolio | APO05.04 Monitor, optimize and report on investment portfolio performance; APO05.06 Manage benefits achievement. |
| Provide Portfolio Oversight | Authorizing and Controlling | MEA01 Monitor, Evaluate and Assess Performance and Conformance | MEA01.01 Establish a monitoring approach; MEA01.02 Set performance and conformance targets; MEA01.03 Collect and process performance and conformance data; MEA01.04 Analyze and report performance; MEA01.05 Ensure the implementation of corrective actions. |

Conclusion
Mapping of COBIT 5 with PMI standards is useful in providing assurance that the COBIT 5 framework can be used as a
“single integrated framework” across organizations. This is the third article covering a high-level mapping of the portfolio
management standard. Future articles will discuss mapping of PMI’s program management standard and project
management standard (PMBOK) processes with the COBIT 5 process reference model.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Is a freelance consultant and visiting faculty member at the National Institute of Bank Management, India. He has worked
in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various
positions in different industries.

Eswar Muthukrishnan, CISA, CPISI, MCA, PGDM
Is a freelance consultant with more than 24 years of experience in IT and IT services in the telecommunications industry.
He has held roles such as chief information officer and vice president of service delivery of IT and ITES, program
management, transition management.

Endnotes
1 Bakshi, S.; “Portfolio, Program and Project Management Using COBIT 5,” COBIT Focus, 11 September 2017
2 Bakshi, S.; E. Muthukrishnan; “Portfolio, Program and Project Management Using COBIT 5, Part 2,” COBIT Focus, 2 January 2018
3 Project Management Institute, The Standard for Portfolio Management 4th Edition, USA, 2017
4 Project Management Institute, The Standard for Program Management 4th Edition, USA, 2017
5 Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide) 6th Edition, USA, 2017
6 Project Management Institute, The Standard for Portfolio Management, 3rd Edition, USA, 2013