Integrating ITIL and COBIT 5 to optimize IT Process and service delivery Johan Muliadi Kerta


“Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” ― H. James Harrington

Bina Nusantara

IT Governance

Domains:
•  Value Delivery
•  Risk Management
•  Resource Management
•  Performance Measurement
•  Strategic Alignment

Source : ISACA

IT Governance and Business Alignment

Business Domain

Business Strategy
•  Business Scope
•  Competencies
•  Business governance

Organizational Infrastructure
•  Administrative infrastructure
•  Processes
•  Capabilities

IT Domain

IT Strategy
•  Technology scope
•  System competencies
•  IT Governance

IT Infrastructure
•  Architecture
•  Processes
•  Capabilities

Diagram axes: Strategic Fit, Functional Integration

Source: Henderson, J.; N. Venkatraman: “Strategic Alignment: Leveraging Information Technology for Transforming Organizations”, IBM Journal, Vol. 32, No. 1, 1993

IT Governance in Business

Although there are several methodologies and frameworks competing for the attention of IT leadership, the following are some of the most popular and applicable today.
•  Service Management: ITIL, MOF, USMBOK
•  IT Governance: COBIT
•  Enterprise Architecture: TOGAF
•  Project/Portfolio Management: PMBOK, PRINCE2, P3O, BABOK
•  International Standards: ISO38500, ISO20000, ISO27000
•  Application/Software Development: SWEBOK, SDLC, Agile
•  Process & Quality Management: BPM-CBOK, Six Sigma, CMMI

Control Objectives for Information and Related Technology (COBIT)

•  COBIT helps enterprises:
    –  Maintain high-quality information to support business decisions
    –  Achieve strategic goals and realize business benefits through the effective and innovative use of IT
    –  Achieve operational excellence through reliable, efficient application of technology
    –  Maintain IT-related risk at an acceptable level
    –  Optimize the cost of IT services and technology
    –  Support compliance with relevant laws, regulations, contractual agreements and policies

COBIT Ensures:
•  IT & Business Alignment
•  IT Enabled Business Processes
•  IT Resource Optimization
•  IT Management of Risks

•  COBIT’s framework accomplishes this by focusing on the business’ requirement for information, and the structured (process) utilization of IT resources.

•  Each process has a high-level control objective (the desired outcome) and one or more detailed control objectives that address the requirements of the actual activities that it performs.

•  The framework utilizes a structured approach in describing each; it details the process, what business requirement it is intended to fulfill, its focus area, how it is to be achieved, and how it will be measured.

•  It also details how to assess each process’ maturity (capability, control & coverage).


•  In effect, COBIT’s framework establishes what needs to be done to provide the information the enterprise needs to achieve its goals.

•  It does this by establishing control objectives that link the business goals in a cascading set of IT goals and metrics.

•  These extend from the strategic alignment of business’ IT capability requirements all the way down to the tactical management of those processes involved in achieving those goals.

The COBIT 5 processes are split into governance and management “areas”. These 2 areas contain a total of 5 domains and 37 processes:
•  Governance of Enterprise IT
    –  Evaluate, Direct and Monitor (EDM) – 5 processes
•  Management of Enterprise IT
    –  Align, Plan and Organise (APO) – 13 processes
    –  Build, Acquire and Implement (BAI) – 10 processes
    –  Deliver, Service and Support (DSS) – 6 processes
    –  Monitor, Evaluate and Assess (MEA) – 3 processes

COBIT 4.1 Process – as Comparison
•  34 Information Technology control objectives:
    –  11 planning and organization
    –  6 acquisition and implementation
    –  13 delivery and support
    –  4 monitoring
•  318 detailed control objectives & audit guidelines:
    –  3-30 detailed control objectives per process
•  Each IT process is supported by:
    –  8-10 Critical Success Factors
    –  5-7 Key Goal Indicators
    –  6-8 Key Performance Indicators

ISACA completed the rollout from COBIT 4.1 to COBIT 5. COBIT 5 provides an end-to-end business view of the governance of enterprise IT that reflects the central role of both information and technology in creating value for enterprises.


Enterprises already engaged in implementation activities can transition to COBIT 5 and incorporate this into future iterations of their improvement cycles

•  COBIT 5 builds on previous versions of COBIT (including Val IT and Risk IT).

•  Some new changes include:
    –  Increased focus on enablers
    –  New process reference model
    –  New and modified processes
    –  Management practices (formerly control objectives)
    –  New maturity model

•  COBIT 5 has clarified management level processes and integrated COBIT 4.1, Val IT and Risk IT content into one process reference model

COBIT 5 Product Family

Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Process Reference Model


Source: COBIT® 5, © 2012 ISACA® All rights reserved.


Maturity Level and Condition

•  Level 5 Optimized
    –  Processes refined to level of best practice
    –  Automation integrates workflow
•  Level 4 Managed
    –  Process compliance monitored & measured
    –  Constant improvement, some automation
•  Level 3 Defined
    –  Standard, documented procedures based on existing practice with no process assurance
•  Level 2 Repeatable
    –  Similar procedures followed by people performing the same task, but no training
•  Level 1 Initial
    –  Ad hoc processes developed case by case
    –  Recognition of issues to be addressed
•  Level 0 Non-existent
    –  Complete lack of recognizable processes
    –  No recognition of issues to be addressed

Control Maturity (People, Process, Technology, Maturity Model)

•  Level 1 – Non Reliable
    –  People: No Responsibility
    –  Process: No Policy; No Procedures; Missing Control Design
    –  Maturity Model: Non Existent
•  Level 2 – Informal
    –  People: Informal Responsibility; New Personnel; Non-Routine
    –  Process: Informal/Ineffective Policy; Informal/Ineffective Procedures; Informal/Ineffective Control Design; Informal/Ineffective Control Activity
    –  Technology: Manual
    –  Maturity Model: Initial / Ad-Hoc
•  Level 3 – Standardized
    –  People: Formal Responsibility; Adequate Personnel; Routine
    –  Process: Formal/Effective Policy; Formal/Effective Procedures; Formal/Effective Control Design; Formal/Effective Control Activity
    –  Technology: Manual
    –  Maturity Model: Repeatable But Intuitive
•  Level 4 – Monitored
    –  People: Limited Automation; Periodic Compliance Testing; Periodic Reporting
    –  Process: Limited Automation; Periodic Compliance Testing; Periodic Reporting; Periodic Update/Change Improvement
    –  Technology: Automated
    –  Maturity Model: Defined Processes
•  Level 5 – Optimized
    –  People: Automation; Real-Time Monitoring; Daily Reporting
    –  Process: Automation; Real-Time Monitoring; Daily Reporting; As Required Update/Change Improvement
    –  Technology: Automated
    –  Maturity Model: Managed And Measurable


Capability Maturity Model

Level 1: Ad Hoc
•  Problems come from outside
•  Change is the enemy

Level 2: Repeatable
•  Solve problems based on experience
•  Heroic efforts

Level 3: Definable
•  Focus on defined processes
•  Problems viewed as unforeseen circumstances

Level 4: Manageable
•  Metrics and monitoring
•  Integrity of processes is audited

Level 5: Optimal
•  Processes are self-tuning
•  Training replacements is critical

What is ITIL and ITSM?
•  ITIL = Information Technology Infrastructure Library
•  Systematic approach to high quality IT service delivery
•  Documented best practice for IT Service Management
•  Provides common language with well-defined terms
•  Developed in 1980s by what is now The Office of Government Commerce
•  IT Service Management (ITSM): The implementation and management of IT Services processes aligned to meet the needs of the business with an appropriate mix of people, processes and technology
•  itSMF also involved in maintaining best practice documentation in ITIL
    –  itSMF is global, independent, not-for-profit

*Infrastructure: People, Process, Technology

Why ITIL?
•  Mature, best practice framework
•  A "de facto standard" (almost)
•  Integrated, holistic set of processes
•  Well-established training programs
•  Corporate certification (BS15000)
•  Support infrastructure in itSMF and consulting

ITIL

•  ITIL is a well established, easily accessible, affordable process model for IT service management that is built around a set of best practices. A well-established service and consulting industry has been built around ITIL, especially in Europe. ITIL is better known for its back-office operational process definitions than for its application management processes.

•  ITIL is based on defining best-practice processes for IT service delivery and support, rather than defining a broad-based control framework. ITIL is more-prescriptive about the tasks involved in those processes and, as such, its primary target audience is IT and service management. ITIL's structure enables incremental adoption, which facilitates continuous improvement.

•  ITIL has a much narrower scope than CobiT (Control Objectives for Information and Related Technology), but CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management.

Source: Gartner Research

ITIL® V3 – The Service Lifecycle
•  Business and IT integration
•  Measuring IT in business value outcomes
•  Global sourcing
•  Changing architectures - SOA, service virtualisation
•  Convergence of strategy, governance and management
•  Compliance and control
•  Complexity of services and systems
•  Balancing stability v. responsiveness
•  Predictive as well as proactive

ITIL® Service Management (Old Version)

•  IT Service Support: Service Desk, Incident, Problem, Change, Release, Configuration
•  IT Service Delivery: Service Level Management, Availability, Capacity, IT Continuity, IT Finance

Diagram labels: Users, Customers

ITIL Maturity

Timeline: 1980’s, 2001, 2007 and 2011

What about v3?
•  ITIL started in 80s.
    –  40 publications!
•  v2 came along in 2000-2002
    –  Still large and complex
    –  8 Books
    –  Talks about what you should do
•  v3 in 2007 and 2011
    –  Much simplified and rationalised to 5 books
    –  Much clearer guidance on how to provide service
    –  Easier, more modular accreditation paths
    –  Keeps tactical and operational guidance
    –  Gives more prominence to strategic ITIL guidance relevant to senior staff
    –  Aligned with ISO20000 standard for service management

Combining COBIT and ITIL for Powerful IT Governance

•  Control Objectives for Information and Related Technology (COBIT) was originally an IS audit tool oriented to risk mitigation.

•  CobiT establishes what formal IS processes, practices and controls should be in place, and the minimum results they should predictably deliver.

•  ITIL and COBIT can combine well together. ITIL maps reasonably neatly into the COBIT high-level governance and audit framework, but although they are trying to achieve different things, they are not contradictory and have few interface problems.

•  COBIT is a complementary framework to ITIL.

•  CobiT's processes and control objectives are segmented into four domains:
    –  Planning and Organization
    –  Acquisition and Implementation
    –  Delivery and Support
    –  Monitoring

•  COBIT is based on established frameworks, such as the Software Engineering Institute's Capability Maturity Model, ISO 9000 and the Information Technology Infrastructure Library (ITIL).

•  Unlike ITIL, COBIT does not include process steps and tasks because it is a control framework rather than a process framework. COBIT focuses on what an enterprise needs to do, not how it needs to do it.

•  ITIL is based on defining best-practice processes for IT service delivery and support, rather than defining a broad-based control framework. ITIL is more-prescriptive about the tasks involved in those processes and, as such, its primary target audience is IT and service management.

•  Many of the COBIT processes — particularly those in the delivery and support domain — map well onto one or more ITIL processes, such as service level, configuration, problem, incident, or financial management.

•  The development processes of the two frameworks are not linked and both would benefit from closer collaboration. However, they are unlikely to contradict each other in any substantive way.


ITIL and COBIT are actually highly complementary and can help organizations achieve the following key integration objectives.

•  Implement and manage IT Service Management processes to achieve business goals while meeting governance requirements.

•  Enable clear process goals which are driven by business goals coupled with a meaningful measurement scheme.

•  Ensure IT governance and control by providing benefits realization, risk optimization, and resource optimization.


Because of its high-level approach, its broad coverage, and its basis in many existing practices, COBIT can easily be used as the integrator that brings multiple practices under one framework and links those to business objectives.

Organizations wanting to adopt ITIL need effective GEIT for a successful implementation. COBIT provides this broad based framework.

COBIT - “What to do”
•  Assists in goal alignment by cascading.
•  Defines processes based on business requirements.
•  Separates governance from management.
•  Intended to support GEIT and is applicable to most organizations.

ITIL - “How to do it”
•  Defines best practice processes for Service Management and includes process activities.
•  Processes are more comprehensive and described with activities and flowcharts to assist in implementation.
•  Processes can be easily mapped to the COBIT Framework to create effective guidance.

IT Service Management Tools
•  Manage Engine – ServiceDesk Plus
•  http://www.manageengine.com/products/service-desk/

Recommendations
•  IT service management will be a prerequisite for demonstrating business value. Success requires commitment and perseverance.
•  IT service management requires fundamental cultural and behavioral change. Pay careful attention to organizational change management issues.
•  Success in IT service management is based on repeatable processes. Use ITIL as the basis for IT operational processes and then focus on continually improving them.
•  Seek opportunities to learn from and copy best-practice processes.
•  Measure ICT costs and relate results to process analysis to find saving and improvement opportunities for optimization.

Thank You

Q&A and Discussion
