1 | Page Implementing COBIT 5 at ENTSO-E By Greet Volders, CGEIT, COBIT Certified Assessor and Kees de Jong, CIPM, CISSP, SIPP/E COBIT Focus | 11 April 2016 The IT director of the European Network of Transmission System Operators for Electricity (ENTSO-E) undertook a pragmatic approach toward implementing COBIT ® 5 at the organisation beginning in 2014. Now, 2 years later, it is time to share this successful collaboration between the internal IT department, the business organisation and the external consultants and to share how the results were achieved. Taking a practical approach towards implementing a programme for governance of enterprise IT (GEIT) based on COBIT 5, ENTSO-E focused on prioritising the processes, the development of these processes and—most important—the practical issues to overcome during the implementation of a new way of working. About ENTSO-E ENTSO-E represents 42 electricity transmission system operators (TSOs) from 35 countries across Europe (figure 1). ENTSO-E was established and given legal mandates by the EU’s Third Legislative Package for the Internal Energy Market in 2009, which aims at further liberalising gas and electricity markets in the EU. ENTSO-E promotes closer cooperation across Europe’s TSOs to support the implementation of EU energy policy and achieve Europe’s energy and climate policy objectives, which are changing the very nature of the power system. Through its deliverables, ENTSO-E is helping to build the world’s largest electricity market, the benefits of which will be felt by all those in the energy sector as well as by Europe’s overall economy, today and into the future. 1 IT Strategy Background at ENTSO-E ENTSO-E requires the following to be in place to meet its objectives: Infrastructures to enable the passage of huge electricity flows through Europe A 10-year network development plan Publication of summer and winter outlook reports for electricity generation A legal framework for handling energy in Europe An information platform that provides free and equal access to fundamental data and information on pan- European wholesale energy generation, transmission and consumption Technical cooperation between TSOs who are responsible for the bulk transmission of electric power on the main high-voltage electric networks and provide grid access to the electricity market players 2 Figure 1—ENTSO-E Customers and Energy Sources DISCUSS THIS ARTICLE
14
Embed
Implementing COBIT 5 at ENTSO-E - ISACAm.isaca.org/Knowledge-Center/Research/Documents/COBIT-Focus...Implementing COBIT 5 at ENTSO-E By Greet Volders, CGEIT, COBIT Certified Assessor
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1 | P a g e
Implementing COBIT 5 at ENTSO-E By Greet Volders, CGEIT, COBIT Certified Assessor and Kees de Jong, CIPM, CISSP, SIPP/E
COBIT Focus | 11 April 2016
The IT director of the European Network of Transmission System Operators for Electricity (ENTSO-E) undertook a
pragmatic approach toward implementing COBIT®
5 at the organisation beginning in 2014. Now, 2 years later, it is
time to share this successful collaboration between the internal IT department, the business organisation and the
external consultants and to share how the results were achieved.
Taking a practical approach towards implementing a programme for governance of enterprise IT (GEIT) based on
COBIT 5, ENTSO-E focused on prioritising the processes, the development of these processes and—most
important—the practical issues to overcome during the implementation of a new way of working.
About ENTSO-E ENTSO-E represents 42 electricity transmission system operators (TSOs) from 35 countries across Europe
(figure 1). ENTSO-E was established and given legal mandates by the EU’s Third Legislative Package for the
Internal Energy Market in 2009, which aims at further liberalising gas and electricity markets in the EU.
ENTSO-E promotes closer cooperation across Europe’s TSOs to support the implementation of EU energy policy and
achieve Europe’s energy and climate policy objectives, which are changing the very nature of the power system.
Through its deliverables, ENTSO-E is helping to build the world’s largest electricity market, the benefits of which will
be felt by all those in the energy sector as well as by Europe’s overall economy, today and into the future. 1
IT Strategy Background at ENTSO-E ENTSO-E requires the following to be in place to meet its objectives:
Infrastructures to enable the passage of huge electricity flows through Europe
A 10-year network development plan
Publication of summer and winter outlook reports for electricity generation
A legal framework for handling energy in Europe
An information platform that provides free and equal access to fundamental data and information on pan-
European wholesale energy generation, transmission and consumption
Technical cooperation between TSOs who are responsible for the bulk transmission of electric power on the
main high-voltage electric networks and provide grid access to the electricity market players2
Some of the most notable and relevant characteristics of ENTSO-E include:
Multi-national staff representing 20 different nationalities
Highly professional, motivated, educated and knowledgeable staff
Open to and able to cope with change
Political components to organisation
Facilitate more than 100 working groups cover topics from legal issues to IT architecture design with members
from across Europe meeting between 3 and 8 times per year3
Figure 2 shows the organisational structure with particular emphasis on the IT function.
Figure 2—ENTSO-E IT Function Structure
3 | P a g e
Source: ENTSO-E. Reprinted with permission.
The IT manager reports to the 3 governance levels in the organisation (figure 2):
The assembly is made up of representatives from the 41 member TSOs from 34 European countries at the chief
executive officer (CEO) level.
The board consists of 12 elected members.
The ENTSO-E secretary general is the highest executive responsible for the daily operation of the secretariat.
As the IT director began to develop the IT strategy, issues to overcome included:
The current IT manager started in September 2013, and he was the third in a relatively short period.
The board had insisted 1 year earlier on a new IT strategy.
As a result, a concept IT strategy had been defined with the help of 6 TSO IT managers
At the beginning of 2014, the perception at the ENTSO-E Management Team was that the IT strategy was 99%
ready, but the new IT manager wanted to change it and make it more specific. This required some delicate
manoeuvring.
IT Strategy Development The revised IT strategy was based on a governance structure with 3 focus areas, which were presented to and
approved by the assembly. Figure 3 shows the governance structure.
Figure 3—ENTSO-E Governance Structure
Source: ENTSO-E. Reprinted with permission.
4 | P a g e
More detailed targets were then defined in the IT strategy, including:
Pragmatic selection and implementation of best practices and standards
Reviewing all major IT suppliers
Moving all data centre activities to 1 permanent supplier
Moving all application operations to 2 or more permanent suppliers
Focusing on size of IT department (number of staff, ratio of internal/external personnel, refocused data
management development activities)
The overall objective was to develop an IT organisation ready to support the TSO members in the best possible way.
The selection of best practices and standards was one of the detailed targets defined by the IT strategy. The
selection results included:
ITIL as the guiding framework for IT Service Management (ITSM). All IT staff would participate in the foundation
training and obtain their certification, so that a solid knowledge base will be present within the IT staff.
Project management based on PRINCE2, in order to introduce a more structured project management
approach, which will result in more clearly documented relation between the business benefits and the IT
deliverables at the beginning of each project. This decreases the risk of not delivering on time and within
budget.
ISO 27002:2013 as guide for information security, in order to comply with external requirements regarding
security management at ENTSO-E.
Data Management Body of Knowledge (DMBOK) for data management to support the move from a Network
Code delivery organisation towards a data management support organisation.
COBIT 5 for having an overarching governance and management framework and to enable ENTSO-E to
identify the major IT processes that need to be in place to fulfil the enterprise goals. (Notably, COBIT was not
selected in January 2014; the decision was made to start working with COBIT 5 in June 2014.)
Progress Management A structure was set up to manage the progress of this IT strategy (figure 4).
Figure 4—Progress Management Structure
Source: ENTSO-E. Reprinted with permission.
The project steering group consisted of 2 internal managers, the IT manager and the IT strategy programme
manager, who reported to this steering committee.
5 | P a g e
The working group, responsible for data strategy, consisted of representatives from several TSOs, managed by the
internal data management team.
The peer reviews from chief information officers (CIOs) of 6 TSOs were important to validate the IT strategy and
follow the progress and outcome of this IT strategy programme.
The IT manager implemented monthly meetings with his peers to understand what was required from a business
perspective and also keep them in the loop. This was (and still is) done through monthly face-to-face meetings.
After a few months, the need to develop a dashboard to plan and monitor the progress of this program became
clear, and resulted in the development of the dashboard tool described in the next section.
Prioritisation of the Processes by Goals Cascade For the prioritisation of the IT processes, the COBIT 5 Goals Cascade was applied and the team developed its own
tool to manage the different steps in this cascading process.
Most often, the Goals Cascade is used to select those COBIT processes with the highest priority, to develop and
implement, or to perform a process assessment, starting with the goals at the enterprise level. In this case, it was
used to define the prioritisation of the COBIT 5 processes in order to prepare a plan and ensure focus on the right
processes.
This was a 6-step selection process:
Step 1—Identify relevant business drivers for the IT processes.
Step 2—Prioritise the enterprise’s IT processes.
Step 3—Perform a preliminary selection of target processes based on the above prioritisation.
Step 4—Confirm the preliminary selection of target processes with the project sponsor and key stakeholders.
Step 5—Finalize the list of processes.
Step 6—Document the scoping methodology in the IT strategy document.
Step 1: Identify Relevant Business Drivers To identify the business drivers, the IT manager had several discussions with different business partners and
stakeholders, explaining that it is not about IT change, but enabling the business to work better. While doing this, he
had to change the language from IT language to business language, in order to “speak their language”, and also to
highlight that this is not about technology, but about information—their information.
To define the enterprise goals, the IT manager organised meetings with the 6 TSO IT managers to identify the
external priorities and with the IT strategy steering committee to identify the internal priorities and then to come to
a consensus within the ENTSO-E management team, based on the internal and external priorities.
This resulted in the following selection of enterprise goals:
External priorities, defined by the 6 TSO IT managers:
1. Financial transparency
2. Customer-oriented service culture
3. Business service continuity and availability
4. Operational and staff productivity
5. Skilled and motivated people
Internal priorities, defined by the IT strategy steering committee:
1. Stakeholder value of business investments
2. Optimisation of service delivery costs
3. Optimisation of business process functionality
6 | P a g e
4. Optimisation of business process costs
5. Managed business change programmes
Balanced, and final, priorities as approved by the ENTSO-E management team:
1. Stakeholder value of business investments
2. Financial transparency
3. Business service continuity and availability
4. Optimization of service delivery costs
5. Optimization of business process functionality
6. Operational and staff productivity
These priorities were selected from the list of generic enterprise goals, as listed in the COBIT 5 framework.4
Step 2: Prioritize the Enterprise’s IT Processes The final list of enterprise goals was used to start the Goals Cascade. Based on the 2 mapping tables
5 found in the
COBIT 5 framework, a tool through which the cascade was run automatically after having indicated the 6 selected
goals was developed.6
Step 3: Perform a Preliminary Selection of Target Processes The first selection resulted in the following priority range using different colours to indicate the priority of each
process (figure 5).
Figure 5—Preliminary Priority Range of Target Processes
Source: ENTSO-E. Reprinted with permission.
Steps 4 and 5: Confirm the Preliminary Selection With the Project
7 | P a g e
Sponsor and Key Stakeholders and Finalize the List of Processes The preliminary priority range of target processes was not found by the management team to be very clear, so
another way of presenting the priorities, with 3 priority levels, was developed. In addition to the presentation
format, some of the high-priority processes seemed illogical places to start.
For example, problem management had a high priority, compared to e.g., service request and incident
management, configuration management and change management. Without a proper incident management, it is
very difficult (if not impossible) to develop and implement problem management, since the analysis of the incidents
is used as a possible source to identify problems. And in order to solve problems, changes can be initiated, so
proper change management is needed to solve the problems identified.
So, with the IT manager, we re-evaluated the importance and priorities. The outcome was the figure with the
revised prioritisation overview (figure 6)
Figure 6—Revised Process Prioritisation Overview
Source: Greet Volders. Reprinted with permission.
Step 6: Document the Scoping Methodology in the IT Strategy
Document The developed and applied approach was documented in the IT strategy document, which was used to further
detail the actions needed to implement the IT strategy. In addition to developing the IT processes, priority focus was
put on data management. Based on the priorities and other regulations ENTSO-E needed to comply with, a road
map was developed.
8 | P a g e
The first step in defining the road map was to define the roles and responsibilities for the major data management
stakeholders. Figure 7 shows that ENTSO-E will lead IT in directions and priorities of the data management road
map, the work groups will inform IT on what to do, and the IT manager will ask for advice and reviews from the TSO
IT managers and the governance boards to ensure that all data management initiatives are well aligned with other
initiatives within the TSO member community.
Figure 7—Roles and Responsibilities for Major Data Stakeholders
Source: ENTSO-E. Reprinted with permission.
The data management strategy will be based on the following principles:
ENTSO-E management will approve projects. Decisions within the projects will be made by the project steering
committee.
Work groups will define requirements to support stakeholders needs and to create benefits realisation:
o The project manager will present the work groups to ENTSO-E management.
o Work groups will be supported in the beginning of a project through a high-level impact analysis from data
management perspective.
o Work groups will be supported by IT to define business requirements, if needed.
o Work groups will inform IT on related regional and local initiatives.
o Work groups will be involved in the design of the solution and will be informed on the proposed solution to
support the requirements of IT.
TSO IT managers will review the solution from an integration perspective and TSO collaboration perspective:
o TSO IT manager will review the data management reference architecture, identify integration risk and
quality risk, and review whether proposed solutions could be supported by TSOs.
o The IT manager will advise ENTSO-E on risk identified by the TSO IT managers.
o TSO IT managers will inform their board on advice and risk factors as well.
The governance board (composed of committees, expert groups and TSO managers) will perform quality
reviews and control the delivery process. The results of their analysis will be forwarded to the project steering
committee or the ENTSO-E board, depending of their findings. On request, IT will present their data
management initiatives and/or solutions to these boards.
ENTSO-E management
Direct, Evaluate and Monitor
TSO IT managers
Solution Review
Work Groups
Stakeholder Needs
Benefits Realisation
Governance Board
Control Processes
Quality Review
9 | P a g e
How to Visualize the Plan and the Progress In the beginning of the program, an overview of all 37 COBIT processes was developed, which was available on the
extranet and managed on the intranet, to show the progress in a simple, visual way—through links to the process
descriptions and other supporting documents.
In addition to this overview, detailed plans for each process were developed. As working from the detailed plans
became cumbersome, one dashboard for the 37 processes was developed.
The starting point for the dashboard was the COBIT 5 Process Reference Model. The dashboard is completely
managed in a single Excel-file (figure 8).
Figure 8—Process Progress Dashboard
Source: Greet Volders. Reprinted with permission.
For each COBIT 5 process, a specific action plan was developed with targets for five specific questions. These
questions were related to the five levels of the COBIT Process Assessment Model (PAM) (figure 9).
Figure 9—Example status for 1 process
Source: Greet Volders. Reprinted with permission.
IT Management Framework
Score in % Absoluut
score
Question Level 2 Level 3 Level 4Level 5 Due date
100% 3 Documentation exists? 3 3 0 0 17/09/2015
100% 2 Are KPI's defined? 0 2 2 0 15/11/2015
0% 0 Is there reporting? 0 0 0 0 15/12/2015
100% 1 Is an owner assigned? 1 0 0 0 17/09/2015
100% 1 Are users trained? 0 1 0 0 31/10/2015
80% 2,4 Is the job being done? 0 2,4 0 0 30/11/2015
100% 1 Is a supporting tool required and if yes available; if not required 100%0 1 0 0
0% 0 Are there regular verifications of the correct application? 0 0 0 0
0% 0 Cause analysis on deviating results, with corrective actions? 0 0 0 0
0% 0 Improvement actions are identified? 0 0 0 0
Total score per level 4 9,4 2 0
Total score 10,4 Total percentage per level 80% 85% 50% 0%
10 | P a g e
The action list (figure 10) of all processes was consolidated into one sheet to make it easy for all people involved to
check the status and follow up on their own actions.
Figure 10—Action List
Source: Greet Volders. Reprinted with permission.
The planning and follow-up for each achievement is also reported on a single sheet (figure 11), which is based on
the details of each process.
Figure 11—Process Planning and Follow-up
Source: Greet Volders. Reprinted with permission.
The end result is the monitoring of the status of each process in the process progress sheet (figure 12).
Figure 12—Process Progress Sheet
Link Action nr Nr Date actionWhat Due date Who
APO01 APO01-01 1 17/08/15 Validate findings and score 31/08/15 GVO
APO01 APO01-02 2 07/08/15 Complete process description 11/09/15 GVO
APO01 APO01-03 3 22/08/15 Validate process description 17/09/15 KDJ
Greet Volders, CGEIT, COBIT Certified Assessor Is managing consultant and chief executive officer of Voquals N.V., where she advises customers and regularly
conducts training and seminars related to IT governance, process improvement and IT/business alignment, quality
systems, the development and assessment of IT and business processes, and the use of standards and frameworks.
She has been an active member of several development teams for COBIT, including the COBIT Process Assessment
Model. She also specialises in the optimisation of internal processes conforming to Sarbanes-Oxley and CMMI.
Volders is a regular speaker at ISACA®
events such as seminars and trainings for the ISACA Belgium Chapter,
presentations at EuroCACS in 2011, 2012 and 2013, and the COBIT Conference in 2015, where she co-presented this
case study with Kees de Jong.
Kees de Jong, CIPM, CISSP, SIPP/E Is a senior IT director with more than 20 years of experience. Since 2013, he has been with the European Network of
Transmission System Operators since 2013, where he is responsible for implementing the IT strategy. de Jong has a
passion for developing professional, service-oriented, business-focused departments and is an experienced change
manager able to drive culture change. He has handled many difficult and complex projects, programs and contracts
whilst working for many multinational organisations such as Shell, Philips, Hagemeyer, Unilever and other
organisations on 6 continents with many multicultural teams. He has a thorough understanding (often certified) of
many frameworks, including COBIT 5 (including audit) amongst others.
Endnotes 1 European Network of Transmission System Operators for Electricity
2 Ibid. 3 Ibid.
4 ISACA, COBIT 5, USA, 2012, p. 19
5 Ibid., Appendix B and C
6 If you are interested in obtaining this tool, please contact author Greet Volders at [email protected].