Introduction:
Users of COBIT 4.1, Risk IT and Val IT are familiar with the process maturity models included in those frameworks. These models are used to measure the current or ‘as-is’ maturity of an enterprise’s IT-related processes, to define a required ‘to-be’ state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level.
The COBIT 5 product set includes a process capability model, based on the internationally recognized ISO/IEC 15504 Software Engineering—Process Assessment standard. This model will achieve the same overall objectives of process assessment and process improvement support, i.e., it will provide a means to measure the performance of any of the governance (EDM-based) processes or management (PBRM-based) processes, and will allow areas for improvement to be identified.
However, the new model is different from the COBIT 4.1 maturity model in its design and use, and for that reason, the following topics are discussed:
• Differences between the COBIT 5 and the COBIT 4.1 models
• Benefits of the COBIT 5 model
• Summary of the differences that COBIT 5 users will encounter in practice
• Performing a COBIT 5 capability assessment
Although this approach will provide valuable information about the state of processes, processes are just one of the seven governance and management enablers. As a consequence, process assessments will not provide the full picture of the state of governance of an enterprise. For that, the other enablers need to be assessed as well.
Differences Between the COBIT 4.1 Maturity Model and the COBIT 5 Process Capability Model:
Using the COBIT 4.1 maturity model for process improvement purposes—assessing a process maturity, defining a target maturity level and identifying the gaps—required using the following COBIT 4.1 components:
• First, an assessment needed to be made whether control objectives for the process were met.
• Next, the maturity model included in the management guideline for each process could be used to obtain a maturity profile of the process.
• In addition, the generic maturity model in COBIT 4.1 provided six distinct attributes that were applicable for each process and that assisted in obtaining a more detailed view on the processes’ maturity level.
• Process controls are generic control objectives—they also needed to be reviewed when a process assessment was made. Process controls partially overlap with the generic maturity model attributes.
In the COBIT 5 process capability model, there are six levels of capability that a process can achieve, including an ‘incomplete process’ designation if the practices in it do not achieve the intended purpose of the process:
• 0 Incomplete process—The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
• 1 Performed process (one attribute)—The implemented process achieves its process purpose.
• 2 Managed process (two attributes)—The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
• 3 Established process (two attributes)—The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
• 4 Predictable process (two attributes)—The previously described established process now operates within defined limits to achieve its process outcomes.
• 5 Optimizing process (two attributes)—The previously described predictable process is continuously improved to meet relevant current and projected business goals.
Each capability level can be achieved only when the level below has been fully achieved. For example, a process capability level 3 (established process) requires the process definition and process deployment attributes to be largely achieved, on top of full achievement of the attributes for a process capability level 2 (managed process).
There is a significant distinction between process capability level 1 and the higher capability levels. Process capability level 1 achievement requires the process performance attribute to be largely achieved, which actually means that the process is being successfully performed and the required outcomes obtained by the enterprise. The higher capability levels then add different attributes to it. In this assessment scheme, achieving a capability level 1, even on a scale to 5, is already an important achievement for an enterprise. Note that each individual enterprise shall choose (based on cost-benefit and feasibility reasons) its target or desired level, which very seldom will happen to be one of the highest.
The most important differences between an ISO/IEC 15504-based process capability assessment and the current COBIT 4.1 maturity model (and the similar Val IT and Risk IT domain-based maturity models) can be summarized as follows:
• The naming and meaning of the ISO/IEC 15504-defined capability levels are quite different from the current COBIT 4.1 maturity levels for processes.
• In ISO/IEC 15504, capability levels are defined by a set of nine process attributes. These attributes cover some ground covered by the current COBIT 4.1 maturity attributes and/or process controls, but only to a certain extent and in a different way.
Requirements for an ISO/IEC 15504:2-compliant process reference model prescribe that in the description of any process that will be assessed, i.e., any COBIT 5 governance and/or management process:
• The process is described in terms of its purpose and outcomes.
• The process description shall not contain any aspects of the measurement framework beyond level 1, which means that any characteristic of a process attribute beyond level 1 cannot appear inside a process description. Whether a process is measured and monitored, or whether it is formally described, etc., cannot be part of a process description or any of the management practices/activities underneath. This means that the process descriptions—as included in COBIT 5: Enabling Processes—contain only the necessary steps to achieve the actual process purpose and goals.
• Following from the previous bullets, the common attributes applicable to all enterprise processes, which produced duplicate control objectives in the COBIT® 3rd Edition publication and were grouped into the process control (PC) objectives in COBIT 4.1, are now defined in levels 2 to 5 of the assessment model.
Differences in Practice:
From the previous descriptions, it is clear that there are some practical differences associated with the change in process assessment models. Users need to be aware of these changes and be prepared to take them into account in their action plans.
The main changes to be considered include:
• Although it is tempting to compare assessment results between COBIT 4.1 and COBIT 5 because of apparent similarities to the number scales and words used to describe them, such a comparison is difficult because of the differences in scope, focus and intent.
• In general, scores will be lower with the COBIT 5 process capability model. In the COBIT 4.1 maturity model, a process could achieve a level 1 or 2 without fully achieving all the process’s objectives; in the COBIT 5 process capability level, this will result in a lower score of 0 or 1.
The COBIT 4.1 and COBIT 5 capability scales can be considered to ‘map’ approximately:
• There is no longer a specific maturity model per process included with the detailed process contents in COBIT 5 because the ISO/IEC 15504 process capability assessment approach does not require this and even prohibits this approach. Instead, the approach defines the information required in the ‘process reference model’ (the process model to be used for the assessment):
– Process description, with the purpose statements
– Base practices, which are the equivalent of process governance or management practices in COBIT 5 terms
– Work products, which are the equivalent of the inputs and outputs in COBIT 5 terms
• The COBIT 4.1 maturity model produced a maturity profile of an enterprise. The main purpose of this profile was to identify in which dimensions or for which attributes there were specific weaknesses that needed improvement. This approach was used by enterprises when there was an improvement focus rather than a need to obtain one maturity number for reporting purposes. In COBIT 5 the assessment model provides a measurement scale for each capability attribute and guidance on how to apply it, so for each process an assessment can be made for each of the nine capability attributes.
• The maturity attributes in COBIT 4.1 and the COBIT 5 process capability attributes are not identical. They overlap/map to a certain extent, as shown in figure 21. Enterprises having used the maturity model attributes approach in COBIT 4.1 can reuse their existing assessment data and reclassify them under the COBIT 5 attribute assessments.
Benefits of the Changes:
The benefits of the COBIT 5 process capability model, compared to the COBIT 4.1 maturity models, include:
• Improved focus on the process being performed, to confirm that it is actually achieving its purpose and delivering its required outcomes as expected.
• Simplified content through elimination of duplication, because the COBIT 4.1 maturity model assessment required the use of a number of specific components, including the generic maturity model, process maturity models, control objectives and process controls to support process assessment.
• Improved reliability and repeatability of process capability assessment activities and evaluations, reducing debates and disagreements between stakeholders on assessment results.
• Increased usability of process capability assessment results, because the new model establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes.
• Compliance with a generally accepted process assessment standard and therefore strong support for the process assessment approach in the market.
Performing Process Capability Assessments in COBIT 5:
The ISO/IEC 15504 standard specifies that process capability assessments can be performed for various purposes and with varying degrees of rigor. Purposes can be internal, with a focus on comparisons between enterprise areas and/or process improvement for internal benefit, or they can be external, with a focus on formal assessment, reporting and certification.
The COBIT 5 ISO/IEC 15504-based assessment approach continues to facilitate the following objectives, which have been a key COBIT approach since 2000:
• Enable the governance body and management to benchmark process capability.
• Enable high-level ‘as-is’ and ‘to-be’ health checks to support the governance body and management investment decision making with regard to process improvement.
• Provide gap analysis and improvement planning information to support definition of justifiable improvement projects.
• Provide the governance body and management with assessment ratings to measure and monitor current capabilities.
This section describes how a high-level assessment can be performed with the COBIT 5 process capability model to achieve these objectives.
The assessment distinguishes between assessing capability level 1 and the higher levels. Indeed, as described previously, process capability level 1 describes whether a process achieves its intended purpose, and is therefore a very important level to achieve—as well as foundational in enabling higher capability levels to be reached.
Assessing whether the process achieves its goals—or, in other words, achieves capability level 1—can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to rate the degree to which each objective is achieved. This scale consists of the following ratings:
• N (Not achieved)—There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
• P (Partially achieved)—There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
• L (Largely achieved)—There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
• F (Fully achieved)—There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products also may be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.
Although defining target capability levels is up to each enterprise to decide, many enterprises will have the ambition to have all their processes achieve capability level 1. (Otherwise, what would be the point of having these processes?) If this level is not achieved, the reasons for not achieving this level are immediately obvious from the approach explained above, and an improvement plan can be defined:
1. If a required process outcome is not consistently achieved, the process does not meet its objective and needs to be improved.
2. The assessment of the process practices will reveal which practices are lacking or failing, enabling implementation and/or improvement of those practices to take place and allowing all process outcomes to be achieved. For higher process capability levels, the generic practices are used, taken from ISO/IEC 15504:2. They provide generic descriptions for each of the capability levels.
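The rating scale and the level rule described above (a level is reached when its own attributes are at least largely achieved and every lower level's attributes are fully achieved) can be expressed as a small calculation. This is an added example, not part of the COBIT 5 material; the function names, the sample ratings and the handling of boundary percentages and unassessed levels are assumptions made for illustration.

```python
from bisect import bisect_left

# Upper bounds (percent) of the N, P and L bands; anything above 85 is F.
# Assumption: a value exactly on a boundary (15, 50, 85) takes the lower
# rating, because the page gives the bands with shared end points.
_BOUNDS = (15, 50, 85)
_RATINGS = "NPLF"

# Number of process attributes per capability level, as listed on the page
# (one at level 1, two at each of levels 2 to 5: nine in total).
ATTRIBUTES_PER_LEVEL = {1: 1, 2: 2, 3: 2, 4: 2, 5: 2}


def rating_for(percent):
    """Map a percentage of achievement to N, P, L or F."""
    if not 0 <= percent <= 100:
        raise ValueError("achievement must be between 0 and 100 percent")
    return _RATINGS[bisect_left(_BOUNDS, percent)]


def _check(level, ratings):
    """Reject a rating list that does not fit the level it is filed under."""
    if len(ratings) != ATTRIBUTES_PER_LEVEL[level]:
        raise ValueError(f"level {level} has {ATTRIBUTES_PER_LEVEL[level]} attribute(s)")
    if any(r not in _RATINGS for r in ratings):
        raise ValueError(f"unknown rating at level {level}: {ratings}")


def capability_level(ratings_by_level):
    """Return the highest capability level (0 to 5) the ratings support.

    ratings_by_level maps a level to the list of ratings of its attributes.
    """
    achieved = 0
    for level in range(1, 6):
        ratings = ratings_by_level.get(level)
        if ratings is None:
            break  # level not assessed, so it cannot be claimed
        _check(level, ratings)
        if not all(r in "LF" for r in ratings):
            break  # an attribute is only N or P: level not reached
        achieved = level
        if not all(r == "F" for r in ratings):
            break  # reached, but not fully: the next level is out of reach
    return achieved


def gaps_to_target(ratings_by_level, target):
    """List (level, attribute number, current, required) for each shortfall."""
    rank = {r: i for i, r in enumerate(_RATINGS)}
    gaps = []
    for level in range(1, target + 1):
        required = "L" if level == target else "F"
        # Assumption: an unassessed level is treated as not achieved (N).
        ratings = ratings_by_level.get(level) or ["N"] * ATTRIBUTES_PER_LEVEL[level]
        _check(level, ratings)
        for number, current in enumerate(ratings, start=1):
            if rank[current] < rank[required]:
                gaps.append((level, number, current, required))
    return gaps


# Constructed sample assessment of a single process (not real data).
SAMPLE = {1: ["F"], 2: ["F", "L"], 3: ["L", "L"]}

if __name__ == "__main__":
    print("as-is level:", capability_level(SAMPLE))
    for gap in gaps_to_target(SAMPLE, target=3):
        print("level %d attribute %d: rated %s, needs %s" % gap)
```

In the sample, the level 3 attributes are already largely achieved, yet the process is rated at level 2 because one level 2 attribute is not fully achieved; the gap list points at that attribute as the item to improve.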