Sunday, October 13, 2013

IT Governance - COBIT 5 version - S1E8 - Implementation Guide

Introduction:

Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each enterprise’s unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior.

ISACA provides practical and extensive implementation guidance in its publication COBIT 5 Implementation, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation tool kit containing a variety of resources that will be continually enhanced. Its content includes:
• Self-assessment, measurement and diagnostic tools
• Presentations aimed at various audiences
• Related articles and further explanations

The purpose of this chapter is to introduce the implementation and continual improvement life cycle at a high level and to highlight a number of important topics from COBIT 5 Implementation such as:
• Making a business case for the implementation and improvement of the governance and management of IT
• Recognising typical pain points and trigger events
• Creating the appropriate environment for implementation
• Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, organisational structures, and roles and responsibilities



Considering the Enterprise Context:

The governance and management of enterprise IT do not occur in a vacuum. Every enterprise needs to design its own implementation plan or road map, depending on factors in the enterprise’s specific internal and external environment such as the enterprise’s:
• Ethics and culture
• Applicable laws, regulations and policies
• Mission, vision and values
• Governance policies and practices
• Business plan and strategic intentions
• Operating model and level of maturity
• Management style
• Risk appetite
• Capabilities and available resources
• Industry practices

It is equally important to leverage and build on existing enterprise governance enablers.

The optimal approach for the governance and management of enterprise IT will be different for every enterprise, and the context needs to be understood and considered to adopt and adapt COBIT effectively in the implementation of governance and management of enterprise IT enablers. COBIT is often underpinned with other frameworks, good practices and standards, and these, too, need to be adapted to suit specific requirements.

Key success factors for successful implementation include:
• Top management providing the direction and mandate for the initiative, as well as visible ongoing commitment and support
• All parties supporting the governance and management processes to understand the business and IT objectives
• Ensuring effective communication and enabling of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise
• Focusing on quick wins and prioritizing the most beneficial improvements that are easiest to implement


Creating the Appropriate Environment:


It is important for implementation initiatives leveraging COBIT to be properly governed and adequately managed. Major IT-related initiatives often fail due to inadequate direction, support and oversight by the various required stakeholders, and the implementation of governance or management of IT enablers leveraging COBIT is no different. Support and direction from key stakeholders are critical so that improvements are adopted and sustained. In a weak enterprise environment (such as an unclear overall business operating model or lack of enterprise-level governance enablers), this support and participation are even more important.

Enablers leveraging COBIT should provide a solution addressing real business needs and issues rather than serving as ends in themselves. Requirements based on current pain points and drivers should be identified and accepted by management as areas that need to be addressed. High-level health checks, diagnostics or capability assessments based on COBIT are excellent tools to raise awareness, create consensus and generate a commitment to act. The commitment and buy-in of the relevant stakeholders need to be solicited from the beginning. To achieve this, implementation objectives and benefits need to be clearly expressed in business terms and summarized in a business case outline.


Once commitment has been obtained, adequate resources need to be provided to support the programme. Key programme roles and responsibilities should be defined and assigned. Care should be taken on an ongoing basis to maintain commitment from all affected stakeholders.

Appropriate structures and processes for oversight and direction should be established and maintained. These structures and processes should also ensure ongoing alignment with enterprise-wide governance and risk management approaches.

Visible support and commitment should be provided by key stakeholders such as the board and executives to set the ‘tone at the top’ and ensure commitment for the programme at all levels.


Recognizing Pain Points and Trigger Events:



There are a number of factors that may indicate a need for improved governance and management of enterprise IT. 

By using pain points or trigger events as the launching point for implementation initiatives, the business case for governance or management of enterprise IT improvement can be related to practical, everyday issues being experienced. This will improve buy-in and create the sense of urgency within the enterprise that is necessary to kick off the implementation. In addition, quick wins can be identified and value-add can be demonstrated in those areas that are the most visible or recognizable in the enterprise. This provides a platform for introducing further changes and can assist in gaining widespread senior management commitment and support for more pervasive changes.

Examples of some of the typical pain points for which new or revised governance or management of IT enablers can be a solution (or part of a solution), as identified in COBIT 5 Implementation, are:
• Business frustration with failed initiatives, rising IT costs and a perception of low business value
• Significant incidents related to IT risk, such as data loss or project failure
• Outsourcing service delivery problems, such as consistent failure to meet agreed-on service levels
• Failure to meet regulatory or contractual requirements
• IT limiting the enterprise’s innovation capabilities and business agility
• Regular audit findings about poor IT performance or reported IT quality of service problems
• Hidden and rogue IT spending
• Duplication or overlap between initiatives or wasting resources, such as premature project termination
• Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
• IT-enabled changes failing to meet business needs and delivered late or over budget
• Board members, executives or senior managers who are reluctant to engage with IT, or a lack of committed and satisfied business sponsors for IT
• Complex IT operating models



In addition to these pain points, other events in the enterprise’s internal and external environment can signal or trigger a focus on the governance and management of IT. Examples are:
• Merger, acquisition or divestiture
• A shift in the market, economy or competitive position
• A change in the business operating model or sourcing arrangements
• New regulatory or compliance requirements
• A significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CEO, CFO, CIO, etc.
• External audit or consultant assessments
• A new business strategy or priority


Enabling Change:

Successful implementation depends on implementing the appropriate change (the appropriate governance or management enablers) in the appropriate way. In many enterprises, there is a significant focus on the first aspect—core governance or management of IT—but not enough emphasis on managing the human, behavioral and cultural aspects of the change and motivating stakeholders to buy into the change.

It should not be assumed that the various stakeholders involved in, or impacted by, new or revised enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance to change needs to be addressed through a structured and proactive approach. Also, optimal awareness of the implementation programme should be achieved through a communication plan that defines what will be communicated, in what way and by whom, throughout the various phases of the programme.

Sustainable improvement can be achieved either by gaining the commitment of the stakeholders (investment in winning hearts and minds, the leaders’ time, and in communicating and responding to the workforce) or, where still required, by enforcing compliance (investment in processes to administer, monitor and enforce). In other words, human, behavioral and cultural barriers need to be overcome so that there is a common interest to properly adopt change, instill a will to adopt change, and to ensure the ability to adopt change.



A Life Cycle Approach:

The implementation life cycle provides a way for enterprises to use COBIT to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are the:
1. Core continual improvement life cycle—This is not a one-off project.
2. Enabling of change—Addressing the behavioral and cultural aspects
3. Management of the programme

As discussed previously, the appropriate environment needs to be created to ensure the success of the implementation or improvement initiative.


























Phase 1 starts with recognizing and agreeing to the need for an implementation or improvement initiative. It identifies the current pain points and triggers and creates a desire to change at executive management levels.

Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment. Large-scale initiatives should be structured as multiple iterations of the life cycle—for any implementation initiative exceeding six months there is a risk of losing momentum, focus and buy-in from stakeholders.

During phase 3, an improvement target is set, followed by a more detailed analysis leveraging COBIT’s guidance to identify gaps and potential solutions. Some solutions may be quick wins and others more challenging and longer-term activities. Priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.

Phase 4 plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed. A well-developed business case helps to ensure that the project’s benefits are identified and monitored.

The proposed solutions are implemented into day-to-day practices in phase 5. Measures can be defined and monitoring established, using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured. Success requires the engagement and demonstrated commitment of top management as well as ownership by the affected business and IT stakeholders.


Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.

During phase 7, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise IT are identified, and the need for continual improvement is reinforced.

Over time, the life cycle should be followed in an iterative way while building a sustainable approach to the governance and management of enterprise IT.


Getting Started: Making The Business Case:

To ensure the success of implementation initiatives leveraging COBIT, the need to act should be widely recognized and communicated within the enterprise. This can be in the form of a ‘wake-up call’ (where specific pain points are being experienced, as discussed previously) or an expression of the improvement opportunity to be pursued and, very important, the benefits that will be realized. An appropriate level of urgency needs to be instilled and the key stakeholders should be aware of the risk of not taking action as well as the benefits of undertaking the programme.

The initiative should be owned by a sponsor, involve all key stakeholders and be based on a business case. Initially, this can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities. The business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:
• The business benefits targeted, their alignment with business strategy and the associated benefit owners (who in the business will be responsible for securing them). This could be based on pain points and trigger events.
• The business changes needed to create the envisioned value. This could be based on health checks and capability gap analysis and should clearly state both what is in scope and what is out of scope.
• The investments needed to make the governance and management of enterprise IT changes (based on estimates of projects required)
• The ongoing IT and business costs
• The expected benefits of operating in the changed way
• The risk inherent in the previous bullets, including any constraints or dependencies (based on challenges and success factors)
• Roles, responsibilities and accountability related to the initiative
• How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and metrics)

The business case is not a one-time static document, but a dynamic operational tool that must be continually updated to reflect the current view of the future so that a view of the viability of the programme can be maintained.

It can be difficult to quantify the benefits of implementation or improvement initiatives, and care should be taken to commit only to benefits that are realistic and achievable. Studies conducted across a number of enterprises could provide useful information on benefits that have been achieved.

