Using ITIL and COBIT 2019 for an integrated I&T framework
White Paper
- White Paper
- IT Services
- Problem management
- Service management
- ITIL
July 17, 2021
Organizations adopting frameworks to create value for their stakeholders often believe that they need to select just one to implement.
This white paper from Axelos and ISACA, Using ITIL® 4 and COBIT® 2019 to Create an Integrated I&T Framework Environment, upends this misperception, outlining how each framework has evolved and illustrating the synergies that exist between the two.
1. The framework environment
For many people, frameworks are effective tools for building structures, organizing thoughts, planning events, and architecting businesses. They do have limitations, but they can provide valuable information, support, and guidance for compiling many small moving parts into something that can be used to create value.
This paper discusses two frameworks: ITIL® 4 and COBIT® 2019.¹ It explores the recent evolution of both frameworks and discusses how they can be used holistically in organizations to balance the performance and conformance of information and technology (I&T) resources and services.
ITIL and COBIT have both undergone significant updates to support the growing trends of the Fourth Industrial Revolution. These updates were in part due to the rapid evolution of information and technology and the drive for digital transformation as strategic enablers to enterprises.
Many enterprises have successfully adopted these frameworks in a single environment to create value for their stakeholders. However, many still believe that the framework users should pick one or the other. This could not be further from the truth.
ITIL and COBIT have different purposes and roles. ITIL 4 focuses on value co-creation through service management. COBIT focuses on governing and managing enterprise I&T to create value for stakeholders, as well as mitigating risks and optimizing resources.
For example, from a service management perspective, service consumers experience value when there is a seamless ability to utilize IT services without being constrained by I&T. From a governance and management perspective, an enterprise should be confident that the IT processes and practices are designed and controlled in a manner that enables service performance while ensuring that risks are addressed, legal and regulatory requirements are met, and the cost/benefit ratio is reasonable.
Figure 1.1 ITIL and COBIT synergies
ITIL and COBIT complement each other but have unique starting points. Although there is no perfect way to illustrate their relationship, Figure 1.1 shows that the convergence between ITIL and COBIT comes from the governance versus value perspectives.
However, their utility in these areas is different. ITIL enables service management; COBIT assists with balancing performance and conformance.
Although these frameworks are excellent tools that assist organizations in achieving their goals and creating value, there can be some misconceptions on exactly what they are and what they are not. Table 1.1 outlines their purposes.
ITIL and COBIT are: | ITIL and COBIT are not: |
---|---|
Principled frameworks that are flexible | Technical frameworks designed to manage all technologies |
Intended to be modified to meet the needs of the enterprise stakeholders | Descriptions of business processes and services |
Based on multiple relevant industry frameworks, standards, and bodies of knowledge | Prescriptive guidance |
Continuous improvement and implementation models that provide a phased, iterative approach to adoption | Dictations of how or by whom decisions should be made |
Table 1.1 What the ITIL and COBIT frameworks are and are not
1 COBIT 2019 is the latest iteration of the COBIT Framework.
2. ITIL 4
ITIL 4 reshapes much of the established IT and service management (IT&SM) practices in the wider context of customer experience, value streams, and digital transformation. It also embraces new ways of working, such as Lean, Agile, and DevOps. ITIL 4 provides the guidance organizations need to address service management challenges and utilize the potential of modern technology. It is designed to ensure a flexible, coordinated, and integrated system for the effective governance and management of IT-enabled services, always maintaining a focus on value co-creation.
Frameworks are often designed around a high-level concept. In ITIL, this is the service value system (SVS).² The SVS, shown in Figure 2.1, represents how organizational components and activities facilitate value creation through IT-enabled services.
Figure 2.1 The ITIL 4 service value system
2 A model representing how all the components and activities of an organization work together to facilitate value creation.
3. COBIT 2019
COBIT is a widely adopted governance and management framework for enterprise I&T with roots in IT audit and controls. Recent changes to COBIT include:
- information about tailoring governance systems based on organizational context by using ‘design factors’
- references to industry frameworks and standards
- new governance and management objectives
- governance components, which replace governance enablers in the former version of COBIT.
COBIT’s target audience is internal stakeholders, such as boards, executive management, business managers, IT managers, risk management, and assurance providers. External stakeholders include regulators, business partners, and IT vendors.
Where ITIL 4 has the SVS, COBIT 2019 has the COBIT Core, which relates to generic governance and management objectives organized in a reference model of five key domains. There are other key aspects of COBIT, such as principles, governance components, design factors, focus areas, and implementation guidance. Figure 3.1 shows the COBIT 2019 framework, which includes all of these aspects.
Figure 3.1 The COBIT 2019 framework
4. Comparing the ITIL SVS components and COBIT 2019 core
4.1 SERVICE VALUE CHAIN
The central focus of the ITIL SVS is the service value chain, shown in Figure 4.1. The service value chain is a flexible operating model for the creation, delivery, and continual improvement of services. There are six service value chain activities that have multiple applications and support value streams.³
As a value stream progresses, it is further enhanced by the ITIL practices. The ITIL practices each support multiple value chain activities. Additionally, the ITIL guiding principles, which include ‘focus on value’, ‘think and work holistically’, and ‘collaborate and promote visibility’, help with decision-making and enable a common approach to service management.
Because COBIT focuses more on the what versus the how of I&T governance and management, COBIT does not have a model comparable to the ITIL service value chain. Where each activity in the service value chain transforms information artifacts (inputs into outputs), COBIT can help identify useful process controls. As is described in later sections, COBIT processes are analogous to ITIL practices.
Additionally, the COBIT components provide guidance on ensuring the proper governance of the value streams. This guidance might include example policies, suggested roles via RACI charts, cultural and behavioural suggestions, inputs and outputs, and suggested skills and competencies.
4.2 PRACTICES
ITIL definition: Practice
A set of organizational resources designed to perform work or accomplish an objective
When service providers reorganize their structure around processes, silos are created and resources can be used inefficiently. This is because of a lack of focus on the activities required to create valuable outcomes. This is why ITIL 4 focuses on practices, which include processes within them but are much more focused on the activities required to create desired outcomes.
ITIL has three types of practices: general management practices, service management practices, and technical management practices. There are 34 ITIL practices, and these can be mapped to the COBIT 2019 governance and management objectives, as shown in Table 4.1. Each of these objectives relates to a process of the same name.
ITIL 4 practice type | ITIL 4 practice | COBIT 2019 objectives |
---|---|---|
General management | Architecture management | Managed Enterprise Architecture (APO03) |
General management | Continual improvement | Managed Quality (APO11); Managed Performance and Conformance Monitoring (MEA01) |
General management | Information security management | Managed Security (APO13); Managed Security Services (DSS05) |
General management | Knowledge management | Managed Knowledge (BAI08) |
General management | Measurement and reporting | Ensured Stakeholder Engagement (EDM05) |
General management | Organizational change management | Managed Organizational Change (BAI05) |
General management | Portfolio management | Managed Portfolio (APO05) |
General management | Relationship management | Managed Relationships (APO08) |
General management | Risk management | Ensured Risk Optimization (EDM03); Managed Risk (APO12) |
General management | Service financial management | Managed Budget and Cost (APO06) |
General management | Strategy management | Managed Strategy (APO02) |
General management | Supplier management | Managed Vendors (APO10) |
General management | Workforce and talent management | Managed Human Resources (APO07) |
Service management | Availability management | Managed Availability and Capacity (BAI04) |
Service management | Business analysis | Managed Requirements Definition (BAI02) |
Service management | Capacity and performance management | Managed Availability and Capacity (BAI04) |
Service management | Change enablement | Managed IT Changes (BAI06) |
Service management | Incident management | Managed Service Requests and Incidents (DSS02) |
Service management | IT asset management | Managed Assets (BAI09) |
Service management | Monitoring and event management | Managed Operations (DSS01) |
Service management | Problem management | Managed Problems (DSS03) |
Service management | Release management | Managed IT Change Acceptance and Transitioning (BAI07) |
Service management | Service catalogue management | Managed Service Agreements (APO09) |
Service management | Service configuration management | Managed Configuration (BAI10) |
Service management | Service continuity management | Managed Continuity (DSS04) |
Service management | Service design | Managed Solutions Identification and Build (BAI03) |
Service management | Service desk | Managed Service Requests and Incidents (DSS02) |
Service management | Service level management | Managed Service Agreements (APO09) |
Service management | Service request management | Managed Service Requests and Incidents (DSS02) |
Service management | Service validation and testing | Managed IT Change Acceptance and Transitioning (BAI07) |
Technical management | Deployment management | Managed IT Change Acceptance and Transitioning (BAI07) |
Technical management | Infrastructure and platform management | Managed Solutions Identification and Build (BAI03) |
Technical management | Service validation and testing | Managed Solutions Identification and Build (BAI03) |
4.2.1 COBIT processes versus ITIL practices
In COBIT, there are 40 governance and management objectives organized into five domains, as illustrated in Table 4.2. Each of these objectives is related to one process component. These objectives are described in the following ways:
- high-level information, including the domain name, objective/process name, description, and purpose statement
- goals cascade information (see below for more information), including supported alignment goals, enterprise goals, and example metrics
- related components, specifically the process component
- related industry guidance for each of the components (frameworks, standards, and bodies of knowledge).
COBIT processes are similar to ITIL practices. Furthermore, each COBIT process is broken down into key management practices: guidance that can be used to realize the aims of the process. Each practice is supported by activities, which essentially provide more detailed guidance on that aspect of the practice.
COBIT 2019 governance and management objectives

Type | Domain | Objectives |
---|---|---|
Governance | EDM: Evaluate, Direct and Monitor | Ensured Governance Framework Setting and Maintenance; Ensured Benefits Delivery; Ensured Risk Optimization; Ensured Resource Optimization; Ensured Stakeholder Engagement |
Management | APO: Align, Plan and Organize | Managed I&T Framework; Managed Strategy; Managed Enterprise Architecture; Managed Innovation; Managed Portfolio; Managed Budget and Costs; Managed Human Resources; Managed Relationships; Managed Service Agreements; Managed Vendors; Managed Quality; Managed Risk; Managed Security; Managed Data |
Management | BAI: Build, Acquire and Implement | Managed Programs; Managed Requirements Definition; Managed Solutions Identification and Build; Managed Availability and Capacity; Managed Organizational Change; Managed IT Change Acceptance and Transitioning; Managed Knowledge; Managed Assets; Managed Configuration; Managed Projects |
Management | DSS: Deliver, Service and Support | Managed Operations; Managed Service Requests and Incidents; Managed Problems; Managed Continuity; Managed Security Services; Managed Business Process Controls |
Management | MEA: Monitor, Evaluate and Assess | Managed Performance and Conformance Monitoring; Managed System of Internal Control; Managed Compliance with External Requirements; Managed Assurance |
Table 4.2 COBIT 2019 governance management domains, objectives and processes
The COBIT processes are generally equivalent to the ITIL practices, although the COBIT perspective on a process has a slightly different goal. Each COBIT process is further broken down into practices. These used to be called control objectives in earlier versions of COBIT, but today are defined guidance for achieving process goals. Each COBIT practice is supported by activities. Activities are the guidance for achieving practice goals. Figure 4.2 illustrates a general alignment between the ITIL practices and COBIT processes.
Figure 4.2 Alignment of ITIL 4 practices and COBIT 2019 processes
4.3 GUIDING PRINCIPLES
ITIL 4 and COBIT are both based on principles: overarching tenets that guide organizations and individuals in their pursuit of delivering value.
The ITIL 4 guiding principles are universal, enduring recommendations that guide decision-making at all levels of the organization. Organizations should consider all of the guiding principles, not just one or two.
The ITIL guiding principles are:
- Focus on value: Everything that the organization does must map, directly or indirectly, to value for the stakeholders.
- Start where you are: Understand the current state and do not build something new without considering what is currently available.
- Progress iteratively with feedback: Organize work into smaller, manageable sections that can be completed in a timely manner and use feedback to ensure ongoing actions are focused and appropriate.
- Collaborate and promote visibility: Work and consequences should be made visible, hidden agendas avoided, and information shared to the greatest degree possible.
- Think and work holistically: Consider the whole and not just the parts. Results are delivered through the integration of information, technology, organization, people, practices, partners, and agreements.
- Keep it simple and practical: If a process, service, action, or metric fails to provide value, eliminate it.
COBIT adopted the use of principles in the COBIT 5 release and has since expanded on those principles to ensure a proper focus on the governance and management of enterprise I&T. COBIT 2019 was developed based on two sets of principles: governance system principles, which describe the core requirements of a governance system; and governance framework principles, which are for a framework that can be used to build a governance system.
As they do in ITIL, the COBIT principles embody the core messages of the framework and individually or collectively act as guides for the adoption of service management or governance of enterprise I&T. The principles interact with each other and they should be considered holistically, although some will be more relevant than others in certain situations.
The COBIT governance system principles are:
- Provide stakeholder value: Satisfy stakeholder needs to generate value from the use of I&T. Value reflects a balance among benefits, risks, and resources. Enterprises need an actionable strategy and governance system to realize this value.
- Holistic approach: A governance system is built from a number of components that can be of different types and that work together in a holistic way.
- Dynamic governance system: When design factors change (such as a change in strategy or technology), the impact of these changes on the system must be considered.
- Governance is distinct from management: A governance system should clearly distinguish between governance and management activities and structures.
- Tailored to enterprise needs: Customized to the enterprise’s needs using a set of design factors as parameters to customize and prioritize the governance system components.
- End-to-end governance system: Focus not only on the IT function but also on all technology and information processing the enterprise uses to achieve its goals, regardless of its location in the enterprise.
The governance framework principles are:
- Based on a conceptual model: Identify the key components and relationships among components to maximize consistency and allow automation.
- Open and flexible: Allow for the addition of new content and the ability to address new issues flexibly while maintaining integrity and consistency.
- Aligned to major standards: These include relevant major related standards, frameworks, and regulations.
There is no way to directly map the ITIL and COBIT principles on a one-to-one basis. This means that they can all be used collectively to offer powerful guidance to any effort. However, two ITIL principles have a very close connection to COBIT and are key to the success of any framework adoption. These are the principles of ‘focus on value’ and ‘think and work holistically’.
4.4 GOVERNANCE
In ITIL, governance is an important part of the SVS (see Figure 2.1) and is defined as the means by which an organization is directed and controlled. This definition aligns with the COBIT view of governance, which is encapsulated in the governance system principle ‘governance is distinct from management’. This important message is repeated in the COBIT Core, which separates the governance and management domains (see Table 4.2). The COBIT governance domain is EDM (evaluate, direct, and monitor), which is where the governing body evaluates strategic options, directs management, and monitors progress towards organizational goals.
The four COBIT management domains are:
- APO (align, plan, and organize), which addresses the organization’s overall strategy and supporting activities for I&T
- BAI (build, acquire, and implement), which addresses the definition, acquisition, implementation, and integration of I&T solutions
- DSS (deliver, service, and support), which addresses the operational delivery and support of I&T services, including security
- MEA (monitor, evaluate, and assess), which addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives, and external requirements.
Across these five domains there are 40 governance and management objectives. These divide logically into 5 governance objectives and 35 management objectives.
4.5 CONTINUAL IMPROVEMENT
Continual improvement, like governance, is a key part of the ITIL SVS; its importance is stressed throughout the entire ITIL 4 framework. Continual improvement is crucial for adopting and adapting best practices, and organizations that continually improve services, value streams, practices, or any other business area are generally more successful. Continual improvement is so important that there is an ITIL practice guide dedicated to it.⁴
In COBIT, the management domain MEA is comparable. Being a governance and management framework, COBIT certainly emphasizes continual improvement, but it is slightly more controlled than ITIL. This is because the COBIT framework is rooted in the auditing and control disciplines. It was originally developed as a tool for auditors, so it focused on the practices and activities required to ensure a proper balance between performance and conformance.
The MEA domain includes the managed performance and conformance monitoring, managed system of internal control, managed compliance with external requirements, and managed assurance objectives, which all have elements of continual improvement. Another relevant objective is the managed quality objective from the APO domain. COBIT embeds continual improvement into the governance and management objectives in all five domains, just as ITIL embeds continual improvement throughout the entire SVS. There is an inherent focus on improvement within each of COBIT’s processes, descriptions, purpose statements, suggested metrics, and practices.
For example, the references to improvements in COBIT’s DSS03 Managed Problems process are shown in italics below:
- Description: Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
- Purpose: Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.
- Example metric: Percent of products and services that meet or exceed customer satisfaction targets.
- Example practice: DSS03.05 Perform proactive problem management. Collect and analyse operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.
ITIL 4’s continual improvement model, shown in Figure 4.3, can be used as a high-level guide to support improvement initiatives.
Figure 4.3 The ITIL continual improvement model
COBIT has a comparable model: the implementation model (see Figure 6.2). The implementation model provides an iterative approach framework that can be used to assist in governance system implementations and adoptions.
These two models have slightly different purposes, but they can be used together to ensure effective continual improvement during any type of adoption or implementation. An important note is that the COBIT implementation method has a specific perspective called ‘Continual Improvement’ which aligns well with both frameworks’ focus on continual improvement. (For more, see section 6.1.)
3 A series of steps an organization undertakes to create and deliver products and services to consumers.
4 Continual Improvement: ITIL 4 Practice Guide, www.axelos.com/professional-development-member/my-axelos-dashboard/my-axelos-content-hub-items/itil-4-practices/continual-improvement-itil-4-practice
5. Dimensions and components
ITIL 4 and COBIT 2019 have underlying dimensions (ITIL) and components (COBIT) to their models. These enable a holistic approach to framework adoption and provide critical support to value-creating activities. Each of these should be considered a complete list; organizations should consider the entire list, not just one or two items.
ITIL identifies four dimensions that support the adoption of service management best practice. These dimensions should be considered throughout the entire SVS. They are:
- organizations and people
- information and technology
- partners and suppliers
- value streams and processes.
COBIT governance system components contribute to the good operations of the enterprise’s governance system over I&T and help to satisfy governance and management objectives. The components are shown in Figure 5.1.
Figure 5.1 COBIT Components of a Governance System
Each of these components individually and collectively contributes to the successful deployment of the framework. Each of the governance and management objectives in the COBIT Framework is described and illustrated using the governance components. These components interact with each other, which results in a holistic governance system for I&T. Table 5.1 identifies the ITIL dimensions and COBIT components and shows how they map to each other.
The four dimensions of service management | COBIT 2019 components |
---|---|
Organizations and people | Organizational structures: Decision-making entities in an enterprise. Culture, ethics, and behaviour: Communication of desired behaviours, awareness of desired behaviours, incentives, and rules and norms. People, skills, and competencies: Knowledge, skills, and abilities for various roles required to support governance and management objectives. |
Information and technology: Information, knowledge, and technology necessary for the management of services. | Services, infrastructure, and applications: Infrastructure, technology, and applications that provide the enterprise with the governance system for I&T processing. Information flows and items: Information produced and used by the enterprise that is required for the effective functioning of its governance system. |
Partners and suppliers: Relationships with other organizations involved in the design, development, deployment, delivery, support, and/or continual improvement of services. It also incorporates contracts and other agreements. | Services, infrastructure, and applications: Infrastructure, technology, and applications that provide the enterprise with the governance system for I&T processing. |
Value streams and processes: The integrated and coordinated value chain activities that enable value creation through products and services. Processes include activities that transform inputs to outputs and describe what is done to accomplish an objective. | Process: Collection of practices and activities that achieve objectives and produce a set of outputs that support the achievement of IT-related goals. Principles, policies, and procedures: The translation of desired behaviour into practical guidance. |
Table 5.1 ITIL dimensions and COBIT components
The ITIL dimensions and COBIT components have a lot in common. Considering the definitions above, as well as a practical application of the dimensions, each dimension has links with the COBIT components.
5.1.1 ORGANIZATIONS AND PEOPLE
ITIL’s organizations and people dimension aligns with three COBIT components: organizational structures; people, skills, and competencies; and culture, ethics, and behaviour. The central link between these is people. People, whether they are customers, employees, suppliers, or other stakeholders, are a key part of organizations.
Other links between this dimension and these components include:
- skills and competencies
- management/leadership styles
- communication/collaboration
- roles and responsibilities
- formal organizational structures
- culture
- staff required to create, deliver, support, and improve a service.
Within the organizational structures component, the process practices are further explained using a RACI chart. COBIT suggests which roles should be accountable and responsible, but it does not give prescriptive guidance; every organization is different and requires different structures and systems of authority to accomplish work.
5.1.2 INFORMATION AND TECHNOLOGY
The information and technology dimension primarily aligns with two COBIT components: information flows and items; and services, infrastructure, and applications.
Both ITIL 4 and COBIT recognize the difference between IT and I&T: IT generally refers to an IT department or organization, and I&T describes the various resources that support service delivery and business operations. COBIT uses information as a way to understand all information flows and items that interact with process practices.
It is important to highlight the services, infrastructure, and applications component in COBIT. Because COBIT does not have a focus similar to the SVS, it uses this component to identify all services and systems to support IT&SM.
5.1.3 PARTNERS AND SUPPLIERS
The partners and suppliers dimension does not directly align with a COBIT component, but it has an indirect relationship to the Services, Infrastructure and Applications component. In COBIT this refers to internal and external providers of the tools, products, and services that an enterprise needs to meet governance and management objectives. In ITIL 4, this dimension encompasses the organization’s relationships and agreements with other organizations. COBIT also addresses this in two of the management objectives: ‘managed vendors’ and ‘managed service agreements’.
5.1.4 VALUE STREAMS AND PROCESSES
The value streams and processes dimension links primarily with two COBIT components: processes; and principles, policies, and procedures.
In ITIL, value streams include all of the coordinated and integrated activities undertaken to deliver services. In comparison, the COBIT component process includes practices, activities, example metrics and related industry guidance (standards, frameworks, and compliance requirements) specific to each process.
6. Designing and implementing the frameworks
6.1 COBIT DESIGN AND IMPLEMENTATION
COBIT provides content that is useful when implementing an enterprise governance system. It can also be used to adopt a service management framework.
The COBIT 2019 Design Guide identifies a series of design factors that can be used to design and create a tailored governance system for any enterprise. As shown in Figure 6.1, these factors are wide ranging and can help practitioners to identify which governance and management objectives should be prioritized.
Figure 6.1 COBIT design factors
Once an organization identifies all of the unique aspects of each design factor, the application of the COBIT design factors identifies which governance and management objectives are most relevant and valuable to an enterprise based on its unique context. As enterprise strategy and context change, the design factors identify the areas of focus that will bring the most benefit to the enterprise.
For example, if an enterprise defines a new strategic direction (design factor 1), identifies new significant risks (design factor 3), or decides to move key services to the cloud (design factor 8), there may be a completely different set of governance or management objectives that support value delivery and alignment. This is a very important aspect, since it can identify areas that should be considered based on the organization’s unique attributes. Because each governance and management objective is related to a process in COBIT, this can assist the organization by determining which of the ITIL 4 practices require different levels of control in order to support the SVS.
For example, if an organization is creating a value stream and identifies that the ITIL 4 practice ‘information security management’ is required, they can also use complementary guidance from the COBIT objective ‘managed information security’.
Additionally, COBIT includes an implementation model, shown in Figure 6.2. This model includes seven steps for implementing an enterprise governance over an IT initiative. It is very similar to and aligns with the ITIL 4 continual improvement model (see Figure 4.3). In addition to the seven phases, the model identifies three different perspectives, which are shown as rings in Figure 6.2.
The innermost perspective of the COBIT implementation model is called the continual improvement lifecycle. This perspective synchronizes key continual improvement efforts in each phase of the lifecycle. For example, in Phase 7 of the model, the inner perspective indicates ‘monitor and evaluate’. This is expanded upon in the COBIT Implementation Guide publication.
6.2 THE COBIT GOALS CASCADE
A key model in the COBIT framework is the goals cascade, shown in Figure 6.3. This tool supports the design factor ‘enterprise goals’; it helps IT service providers support the enterprise strategy. Organizations can use a series of goals and their relationships to ensure proper alignment of governance and management objectives, as well as the components that support them.
In this model, stakeholder needs can be mapped directly into enterprise goals. There are 13 enterprise goals, which are organized into the balanced scorecard dimensions: financial, customer, internal, and growth. These enterprise goals are mapped using primary and secondary relationships to alignment goals. Alignment goals are a critical link to the governance and management objectives. As with enterprise goals, there are 13 alignment goals, which are also organized into the balanced scorecard dimensions.
The ITIL planning and evaluation model, shown in Figure 6.4, is relevant here and also identifies cascading goals as a key enabler. Once an organization understands its mission and vision statements, it can cascade its objectives in a similar fashion to the COBIT goals cascade. Those objectives can then influence the strategy of the organization or another level of that organization.
These are extremely useful tools for adopting frameworks and aligning strategies. For example, an organization can conduct a goals cascade by mapping their stakeholder needs into the COBIT goals cascade. After conducting an analysis of the goals relationships, a set of governance and management objectives will be identified.
Because each of these objectives will be described using the seven governance components, the organization can determine:
- which processes and practices will facilitate the goals’ achievement
- which new or changed policies are required
- who or what the key decision authorities and organizational structures are
- what cultural and behavioural aspects are relevant
- which information requirements and flows are critical
- which services, structures, and applications are significant.
This goals cascade can fully support the ITIL guiding principle ‘focus on value’. Key stakeholders’ and service consumers’ needs can be inserted into a goals cascade, which can then be used to identify the most significant, valuable areas.
This can also be used to identify in which areas the service provider must be at a higher state of capability or maturity than others.
6.3 PERFORMANCE MANAGEMENT
Performance management is an essential part of a governance and management system because it is important to know how well the system and all the components of the enterprise are working, as well as how they can be improved. Performance management includes concepts and methods such as capability levels and maturity levels. COBIT uses the term ‘COBIT performance management (CPM)’ to describe these activities. CPM is an integral part of COBIT that largely aligns to and extends CMMI® Development 2.0 concepts.
Process activities and components can be associated with capability levels. Maturity levels can be associated with focus areas (a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved. Each of these assessment types is measured with a 0-5 scale and can be used as a measurement in current and future gap analyses.
This has an important connection to the ITIL guiding principle of ‘start where you are’, which can be supported by creating performance measurements to determine what can be re-used and how the desired state can drive improvements.
7. Conclusion
No single framework can do everything the organization needs. Fortunately, ITIL 4 and COBIT 2019 can be used together to support value creation.
For an organization to create value for its stakeholders, it must first understand the proper balance of performance and conformance. Where performance refers to the ability to successfully co-create value with service consumers, organizations must ensure that they provide the proper control mechanisms and assurance measures to enable service delivery in an environment that meets internal control and external and legal/regulatory obligations. You can deliver excellent services, but if you do not implement the proper controls and protections required by your industry, you have failed.
This is where both frameworks are suitable models. If an organization is overly conformant to every single requirement, then they will fail at service performance. Likewise, if they are very low in their conformance posture, they may find themselves facing massive fines and negative press. As mentioned earlier, COBIT has a unique view of the governance and management of enterprise I&T, while ITIL 4 focuses on the delivery of services. Where COBIT’s governance perspective can assist in controls and protections, ITIL can assist in the performance of services. Therefore, you cannot simply pick one or the other, nor can you adopt them independently.
Use these frameworks as a part of your overall governance framework structure and leverage the synergies between them to ensure a proper balance of performance and conformance.
8. About the author
Mark Thomas, CGEIT, CRISC, CDPSE, COBIT Assessor, IT GRC expert
Mark is an internationally known Governance, Risk and Compliance expert specializing in information assurance, IT risk, IT strategy, privacy, and digital transformation. Mark has a wide array of international industry experience including government, health care, finance/banking, manufacturing, and technology services. He has held roles spanning from CIO to IT consulting and is considered a thought leader in frameworks such as COBIT, NIST, ITIL and multiple ISO standards.