Jan 15, 2015
How to marry ITIL and COBIT to drive strong Governance and Continual Service Improvement
SMART - 2008
Harpreet Virdee
Director – Western Region, The Manta Group
[email protected]
Welcome! Objective:
• Provide an appreciation of how aligning Governance (COBIT 4.1 and Val IT) and CSI (ITIL v3) can make a happy marriage.
Agenda
• How do COBIT 4.1 and Val IT and ITIL v3 frameworks align?
• Why: Why align Governance and ITSM initiatives?
• How: A practical approach in using COBIT 4.1 and the 7 step CSI process together.
Context: How do the frameworks align?
• Governance: COBIT 4.1, Val IT
• Service Management: ITIL v2, ITIL v3, ISO20000
Evolution of Governance Practices
• COBIT 3.0 Focus: Control Environment
• COBIT 4.0 Focus: Governance
• COBIT 4.1 and Val IT Focus: IT as a partner: Enable Value and Compliance
[Figure: evolution of governance practices. Labels: Time; IT Function; Governance; Audit – Controls based; Auditors tool: Controls; Risk Oriented Goals; Control Framework; Risk Management; Controls & Risk; Process Oriented; Business Goals; Controls and Processes; Business & IT Alignment; Value; Governance; Value Governance]
What is CobiT?
IT represents one of the most valuable assets of an enterprise and needs to be governed based on:
• Value
• Risk
• Control
IT Governance Institute created CobiT framework with the following characteristics:
• Business-focused
• Process-oriented
• Controls-based
• Measurement-driven
CobiT framework is designed to enable IT management to align its activities and output with business requirements by:
• Making a link to the business requirement
• Organizing IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
What is Val IT?
Val IT = Investment Strategy & Value
• Are we doing the right things? Strategic Investment: Affordable Cost, Acceptable Risk, Returns Value
• Are we getting the benefits? Value Realization: Accountability, Processes, Track Record
• Are we doing them the right way? Enterprise Architecture: Integration, Performance, Change, Risk
• Are we getting them done well? Delivery Capabilities: Processes, People, Technology
COBIT = Supports Execution
Governance – Big Picture
COBIT 4.1 Governance: Value, Risk & Compliance
CobiT 4.1 Overview
Plan & Organize
• PO 1 Define Strategic IT Plan
• PO 2 Define Information Architecture
• PO 3 Determine Technological Direction
• PO 4 Define IT Processes, Organisation, Relationships
• PO 5 Manage IT Investment
• PO 6 Communicate Aims and Direction
• PO 7 Manage IT Human Resource
• PO 8 Manage Quality
• PO 9 Assess & Manage IT Risks
• PO 10 Manage Projects
Acquire & Implement
• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Infrastructure
• AI 4 Enable Operation & Use
• AI 5 Procure IT Resources
• AI 6 Manage Change
• AI 7 Install and Accredit Solutions & Changes
Deliver & Support
• DS 1 Define and Manage Service Levels
• DS 2 Manage Third-party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure System Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
• DS 8 Manage Service Desk & Incident
• DS 9 Manage Configuration
• DS 10 Manage Problems
• DS 11 Manage Data
• DS 12 Manage Physical Environment
• DS 13 Manage Operations
Monitor & Evaluate
• ME 1 Monitor & Evaluate IT Performance
• ME 2 Monitor & Evaluate Internal Control
• ME 3 Ensure Regulatory Compliance
• ME 4 Provide IT Governance
ITIL V3 Overview
Service Strategy
• SS1 Strategy Generation
• SS2 Financial Management
• SS3 Demand Management
• SS4 Service Portfolio Management
Service Design
• SD1 Service Catalogue Management
• SD2 Service Level Management
• SD3 Capacity Management
• SD4 Availability Management
• SD5 IT Service Continuity Management
• SD6 Information Security Management
• SD7 Supplier Management
Service Transition
• ST1 Transition & Planning Support
• ST2 Change Management
• ST3 Service Asset & Configuration Management
• ST4 Release & Deployment Management
• ST5 Service Validation & Testing
• ST6 Evaluation
• ST7 Knowledge Management
Service Operations
• SO1 Event Management
• SO2 Incident Management
• SO3 Request Fulfilment
• SO4 Problem Management
• SO5 Asset Management
Continual Service Improvement
• CSI1 7-Step Improvement Process
• CSI2 Service Measurement
• CSI3 Service Reporting
CobiT Processes Addressed by ITIL
[Figure: CobiT 4.1 process map, covering Plan & Organize (PO 1 to PO 10), Acquire & Implement (AI 1 to AI 7), Deliver & Support (DS 1 to DS 13) and Monitor & Evaluate (ME 1 to ME 4)]
COBIT ME1 and ITIL 7 step improvement process alignment
7 step Improvement process: What is it?
• The goal of the Seven Step Improvement process is to continually define what should and can be measured and to transform the raw data collected into a meaningful set of corrective action by using various methods and tools throughout the service lifecycle
7 step Improvement process: Why do I care?
• Are we providing business value? To ensure that IT is providing value through measuring and taking corrective action.
ME1: What is it?
• Monitoring is needed to make sure that IT works on the right things in accordance with business demands and priorities.
• This process includes defining relevant performance indicators, a systematic and timely reporting of performance results, and prompt actions upon deviations.
ME1: Why do I care?
• It is not clear if IT and its service providers are doing the right things for the organization.
Why should we align?
Why align Governance and ITSM initiatives?
Current State versus Desired State
Current State
• IT has too many `standard terminologies`
• Multiple initiatives with common goals are not aligned:
  • Project silos
  • Inefficient use of resources
• Audit and ITSM don't speak.
Desired State and Benefits
• Same goals: Enabling business, CSI
• A common language
• Program (Governance and ITSM) vision and goals are aligned, use common approach, share knowledge.
The Manta Group Service Architecture
About The Manta Group
Ideal Future State
www.mantagroup.com
How to effectively use CSI – 7 step improvement process and COBIT together
• ITIL's Deming Cycle – Align to Business Strategy
• CSI - 7 Step Improvement Process & Metric Types
• COBIT's Business Balanced Score Card
• COBIT's Goals & Metrics
Outputs: Dashboard Example
ITIL: Continual Service Improvement Model
• What is the Vision? Business: COBIT Balanced Scorecard
• Where are we now? Baseline: COBIT ME1 MM Model
• Where do we want to be? Measurable Targets. COBIT: Goals & Metrics
• How do we get there? ITIL 7 Step Imp Process
• Did we get there? Compliance. COBIT ME1 Controls.
• How do we keep the momentum going?
Business Demand Analysis: Who Cares?
Business Demands
Balanced Score Card
1. Financial
2. Customer
3. Internal
4. Learning and Growth
CobiT 34 Governance Objectives
• Plan & Organize
• Acquire & Implement
• Deliver & Support
• Monitor & Evaluate
Demand Drivers Analysis (Who Cares)
Financial Perspective (FP)
1. Provide a Good ROI of IT Enabled business investments
2. Manage IT Related Business Risk
3. Improve Corporate Governance and Transparency
Customer Perspective (CP)
4. Improve Customer Orientation and Service
5. Offer Competitive Products and Services
6. Establish Service Continuity and Availability
7. Create Agility in Responding to Changing Business Environment
8. Achieve Cost Optimization of Service Delivery
9. Obtain Reliable & Useful Information for Strategic Decision Making
Internal Perspective (IP)
10. Improve and Maintain Business Processes Functionalities
11. Lower Process Costs
12. Provide Compliance with External Laws, Regulations & Contracts
13. Provide Compliance with Internal Policies
14. Manage Business Change
15. Improve and Maintain Operational and Staff Productivity
Learning and Growth Perspective (LGP)
16. Manage Product & Business Innovation
17. Acquire & Maintain Skilled and Motivated People
Best Practices Tool: Where are we now
The Green dots indicate the Target Maturity score.
Processes with high severity need to be more mature, processes with low severity may be over-controlled.
What Target Metrics – ITIL principles
• CSFs: Value, Quality, Performance, Compliance
• KPIs: Quantitative, Qualitative
• Metric Types: Process, Service, Technology
What Target Metrics – COBIT approach
Business Goals for IT
• Improve Customer Orientation and Services (4)
IT Goals Mapped to Process
• Ensure Service Availability as required (23)
• Manage Performance and Capacity (DS3)
Process Goal and Metric
• Goal: Meet response time SLAs
• Metric: % Not Met
Activity Goal and Metric
• Goal: Provide and manage system capacity
• Metric: % asset under capacity review
Example: Process Milestone Tracking Dashboard
Step 1. Translate Program Objectives to Process Goals and Metrics
Columns: Overall Project Objectives | Cascaded Process-Level Objectives (Complete by; Achieved / Measured by)
General
Service Improvement Objectives
• Ensure there is a greater focus on the quality of IT in terms of reliability, availability and capacity. | Implement availability and capacity monitoring for the Advantage and Clipper services. Implement strong links between the SLM, Change, Release and Applications Development processes to the Availability and Capacity processes.
• Ensure Service Management processes are implemented using the ITIL framework. These processes must be controlled, repeatable and producing quality management information. | Measured by the Process Maturity objectives (see section below).
• Ensure the better management of Major Incidents. | Develop and implement a major incident process that ensures controlled identification, management, recovery and assessment. Measure and show an improved MTBF of Major Incidents.
• Reduce the impact of Major Incidents. | Show improvement by measuring and demonstrating a reduced MTTR of Major Incidents.
Example: Sample Performance Dashboard
Process | Category | Weighted Average | Target: Red | Target: Green | Key Performance Indicator
Incident Management | Performance | 10% | <75% | 75-100% | % of Incidents with Service Restored within 1 day
Incident Management | Quality | 30% | <80% | 80-100% | % Tickets Complete and Accurate (tickets rated on priority, categorization, and resolution)
Incident Management | Value | 50% | <75% | 75-100% | % Tickets Resolved within SLA targets
Incident Management | Compliance | 10% | <80% | 80-100% | % Tickets Submitted by Service/Support Desk
Problem Management | Performance | 25% | <90% | 90-100% | % Root cause with permanent fix identified
Problem Management | Quality | 20% | <80% | 80-100% | % Root Cause Known within Target times
Problem Management | Value | 30% | >1% | <=1% | % Repeated Problems after known error fix has been successfully implemented
Problem Management | Compliance | 25% | >10% | 10% | % Problem Records raised based on Critical and High priority
Change Management* | Performance | 30% | <95% | 95-100% | % RFCs Successfully Implemented
Change Management* | Quality | 10% | <90% | 90-100% | % RFC not sent back to draft or rejected due to updates required by Change Management
Change Management* | Value | 30% | >2% | 2% | % RFC Emergencies due to production failure
Change Management* | Compliance | 30% | >1% | 1% | % Infrastructure Incident records from Changes that bypassed the process
Configuration Management* | Quality | ? | <80% | 90-100% | % of time that CI Attributes and/or CI Additions are completed for All Risk Level 1&2 Changes
Configuration Management* | Value | ? | <80% | 90-100% | % of Incident, Problem or Change for which the CI is associated to Service Records (Infrastructure Related)
ITIL: Continual Service Improvement Model
• What is the Vision? Business: COBIT Balanced Scorecard
• Where are we now? Baseline: COBIT ME1 MM Model
• Where do we want to be? Measurable Targets. COBIT: Goals & Metrics
• How do we get there? ITIL 7 Step Imp Process, ME1 Control Objectives
• Did we get there? Compliance. COBIT ME1 Controls.
• How do we keep the momentum going?
CSI – 7 step improvement process
1. Define what you should measure
2. Define what you can measure
3. Gather Data
4. Process Data (process)
5. Analyze Data (trends)
6. Present Data
7. Implement Corrective Actions
ME 1 Control Objectives
• ME1.1 Monitoring Approach
• ME1.2 Definition and Collection of Monitoring Data
• ME1.3 Monitoring Method
• ME1.4 Performance Assessment
• ME1.5 Board and Executive Reporting
• ME1.6 Remedial Actions
Process Milestone Tracking Dashboard
Step 2. Identify in red the key process milestones (per process) to achieve a 'foundational level'. IM and CfM/SACM example below.
Implementation Milestones (key milestones shown in red) | Complete by | Measure by
Incident Management
The process is formally documented | 1 |
A process manager has been appointed | 1 |
A process owner has been identified | 1 |
A clear definition exists (aligned to ITIL) of what an Incident is | 1 |
The Incident Management process focuses on restoring service to the user | 1 |
A Service Desk exists and has been established as the SPoC for IT queries | 1 |
Incidents are detected and reported by end users and back office functions | 1 |
All reported Incidents are registered in the CMDB | 1 |
Procedures exist for the registration of Incidents | 1 |
Configuration Management
The process is formally documented | 1 | Process Signed-off
The process documentation has been formally communicated to all required staff | |
The CMDB is part of an integrated SM toolset | |
A Configuration Manager has been appointed | 1 |
A process owner has been identified | 1 |
The scope of Configuration Mgt includes the entire IT Infrastructure | |
All supported hardware items are registered in the CMDB | |
Process Milestone Tracking Dashboard
Step 3. Review and Track progress against milestones periodically
Process | Target | Today | Baseline
IM | 3.00 | 2.86 | 2.50
PM | 3.00 | 1.51 | 1.00
CHM | 3.00 | 3.13 | 2.00
CFM | 3.00 | 1.87 | 0.50
RM | 3.00 | 2.20 | 0.50
SLM | 3.00 | 2.13 | 1.00
AVM | 3.00 | 2.28 | 0.50
CPM | 3.00 | 1.56 | 0.50
ITSCM | 3.00 | 2.84 | 1.50
[Chart: COBIT Maturity Level (0 to 5) by process (IM, PM, CHM, CFM, RM, SLM, AVM, CPM, ITSCM); series: Target, Today, Baseline]
BPe Roadmap – Phased Approach
Keep Momentum Going?
• Behavioural Change
• Reward
• Compliance
Key Take-Aways
• COBIT provides business alignment to IT processes and Goals
• ITIL 7 step improvement provides an operational process
• COBIT provides controls to assess compliance of the processes
• Both highly complementary
• Make a happy marriage..
Thank You
Question & Answer
Harpreet Virdee
Director – Western Region, The Manta Group