1. Management Guidelines IT Governance Institute
COBIT:
Management Guidelines
released by the
IT Governance Institute
July 2000

2. Maturity Models
Critical Success Factors
Key Performance Indicators
IT Generic Process and
IT Governance Guidelines
Management Guidelines - Conclusion

3. Management Guidelines QUESTION : « What is the right level of control for my IT such that it supports my enterprise objectives? » ANSWER : “You will need CSFs which are the most important things you need to do based on the choices made in a Maturity Model, while monitoring through KPIs whether you will likely reach the goals set by the KGIs.”
In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. Management is looking for the answer to:
What is the right level of control in IT?
What are the right decisions that lead to a balance between managing risks and realising benefits?
The Management Guidelines, representing a major investment in the COBIT 3rd Edition, provide some answers to these questions and they are expressed in terms that management can use:
Maturity Models
CSFs
KPIs
KGIs

4. Indicators? Measures? Scales?
Management has traditionally asked these basic questions:
How do I keep the ship on course?
How do I achieve results that are satisfactory to all my
stakeholders, shareholders, customers and partners?
How can I adapt my organization in a timely manner?
Current management toolsets talk about dashboards, scorecards and benchmarks. The elements that are missing are that for dashboards one needs indicators, for scorecards one needs measures and for benchmarks one needs scales.
This is the basic premise used in the development of the Management Guidelines.
Scales?

5. Management Guidelines
Generic and action oriented
For the purpose of
IT Control profiling – what is important?
Awareness – where is the risk?
Benchmarking - what do others do?
Supporting decision making and follow-up
Key performance indicators of IT Processes
Critical success factors of controls
Control implementation choices
The basic intent of the Management Guidelines is to provide generic and action oriented guidelines for the purpose of:
defining what is important for management
increasing awareness about risk and risk management
creating the tool to answer the question: What are the others
doing?
This toolset was built to help management’s decision support process through defining KPIs of IT processes (What are the right indicators that tell me that the process is working?), critical success factors (What is the most important thing to do?), benchmarks (Where am I, where do I want to be and what are others doing?) and then a tool set to help make the right choices.
The Management Guidelines assist enterprise and IT management in determining the appropriate level of control over IT so that it supports enterprise objectives. They support self-assessment of strategic organisational status, identification of actions to improve IT processes and monitoring the performance of these IT processes.

6. Maturity Models

7. Maturity Models for Self-Assessment
The development was guided by the Software Engineering Institute’s efforts in the late 80’s in building maturity models for software development. The Management Guidelines expand this basic concept by applying it to the management of IT processes. The principles were used to define a set of levels that allow an organisation to assess where it is relative to the control and governance over IT. These levels are presented on a scale that moves from non-existent, on the left, to optimized, on the right.
By using such a scale, an organisation can determine where it is, define where it wants to go and, if it identifies a gap, it can do an analysis to translate the findings into projects. Reference points can be added to the scale. Comparisons can be performed with what others are doing, if that data is available, and the organisation can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.

8. Generic Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
The basis for definition is a very generic and simple maturity model:
indicated as a zero level, is the stage where the organisation has no recognisable processes
the first level is an initial stage where the organisation only starts recognising that it has an issue relative to poorly defined IT management processes and that it needs to do something about control
at the second level, some processes begin to be repeatable. IT staff are performing the same processes, not necessarily documented, and dependent on key people to make them repeatable
at the third level, the organisation starts documenting its practices, so that others besides key people can start performing similar activities
then there is a managed level, where the policies and procedures are more sophisticated and the performance measurement has become formalised
finally, at the optimised level, best practices are utilised, there is continuous improvement and IT is considered an enabler of the entrprise’s goals
This is the very simple and generic maturity model that was used as a basis
for developing the specific maturity models for each of the 34 COBIT
processes.

9. Understanding and awareness Training and communications
Generic Maturity Model - Dimensions
Understanding and awareness
Training and communications
Processes and practices
Techniques and automation
Compliance
Expertise
The basic maturity model presented was expanded by adding key new dimensions, such as the ones presented here.

10. Generic Maturity Model - Dimensions
UNDERSTANDING AND AWARENESS
TRAINING AND COMMUNICATION
PROCESSES AND PRACTICES
TECHNIQUES AND AUTOMATION
COMPLIANCE
EXPERTISE 1
recognition
sporadic communication on the issues
ad hoc approaches to process and practices 2
awareness
communication on the overall issue and need
similar/common processes emerge; largely intuitive
common tools are emerging
inconsistent monitoring in isolated areas 3
understand need to act
informal training supports individual initiative
existing practices defined, standardised and documented; sharing of the better practices
currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
involvement of IT specialists 4
understand full requirements
formal training supports a managed program
process ownership and responsibilities assigned; process is sound and complete; internal best practices applied;
mature techniques applied; standard tools enforced; limited, tactical use of technology
IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
involvement of all internal domain experts 5
advanced forward-looking understanding
training and communications supports external best practices and use of leading edge concepts/techniques
best external practices applied
sophisticated techniques are deployed; extensive, optimised use of technology
global application of IT Balance Scorecard and exceptions are globally and consistently noted by management; root cause analysis consistently applied
use of external experts and industry leaders for guidance
This table illustrates how the dimensions identified earlier can be introduced into the maturity model. Additional and better practices are then integrated at certain levels of maturity. Of course, new dimensions can be added by each organisation as it implements these management guidelines, depending on what management considers to be strategic in accomplishing its goals.
By defining the resulting maturity model, the organisation can then assess where it is along the desired dimensions and processes and then decide where it wants to be. Comparisons with external benchmarks and industry best practices can provide additional capabilities to identify the most effective use of the organisation’s resources.

11. How to use Benchmark Results
The analysis of the current and desired stage of maturity will identify gaps and provide a basis for deciding on corrective actions. Individual or related groups of gaps can then be addressed with specific and well defined projects that will close these gaps. Impact analysis can then be performed to prioritise these projects according to benefit, cost and risk.
…gap and impact analysis

12. In summary Maturity Models
Refer to business requirements and the enabling aspects at the different levels
Are scales that lend themselves to pragmatic comparison
Are scales where the difference can be made measurable in an easy manner
Are recognisable as a “profile” of the enterprise in relation to IT governance and control
Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level
SUMMARY
Maturity models refer to the business requirements and the enabling aspects at the different levels of organisational capability. They use scales that lend themselves to pragmatic comparisons by providing clear differentiation. They are measurable and recognisable. They support gap analysis and help define “as-is” and “to-be” positions.
The maturity models are generic and do not have industry specific characteristics. Using the concepts presented in this section, each organisation can customise the definition of each level by adding new dimensions that reflect its culture and competitive environment.
The models do not imply that the optimised level is necessarily the ideal level to be at. The chosen level has to reflect the available resources and the desired alignment of the IT strategy with the overall organisational strategy.
The selection of the appropriate level in the maturity model is supported by identifying CSFs, which are defined in the next section of the presentation.

13. Critical Success Factors

14. Critical Success Factors
Management oriented IT control implementation guidance
Most important things that contribute to the IT process achieving its goal
Strategically
Technically
Organisationally
Process or Procedure
Control Statement and Considerations of the ‘Waterfall’
Visible and measurable signs of success
Short, focussed and action oriented
Leveraging the resources of primary importance in this process
The CSFs are defined as the most important things for management to do, conditions to be met or statuses to be reached, so that success in controlling IT processes is achieved. They can be strategic or policy related, a technical implementation of a control feature, an organizational change or a newly developed process or procedure. They are expressed as a function of the enabling statement and are related to the considerations of the high-level COBIT objectives.

15. Critical Success Factors
Guidance from Control Model
Responsibility
Strict standard
Documented control process
Control information
Evidence and accountability
Some guidance in defining CSFs comes from the standard control model, where management sets objectives for activities and the activities provide control information, which is then compared against defined norms and action is taken when a deviation occurs.
This simple model defines a number of requirements for control over processes, including responsibility for the activity and reporting, good standards of operation, documented control process and clear accountability.

16. Critical Success Factors
Strategic
Tactical
Administrative
CSFs apply at multiple layers: strategic, tactical and administrative. The typical management sequence of plan, do, check and correct occurs at many organisational layers. Doing at the strategic level becomes planning at the tactical level and doing at the tactical level becomes planning at the administrative level. Control happens at different layers in different forms.

17. Critical Success FactorsPO AI DS MO
Important CSFs for getting IT under control can be identified by considering the IT governance model. Based on this model, in order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing.
The CSFs were defined to support the objectives of the IT governance model. The KGIs and KPIs presented in the next sections are defined to support monitoring the performance of the organisation relative to these objectives.

18. The concept of cascading, as explained earlier with the standard control model, also applies to the governance model, where inside each activity is another governance model. Governance occurs at the board of directors level, at the executive and middle management layer, as well as at the day-to-day supervisory level. To be successful, control needs to be considered and integrated at all levels of the organisation.

19. In summary Critical Success Factors
Represent the most important things to do to increase the probability of success of the process
Are observable - usually measurable - characteristics of the organisation and process
Are either strategic, technological, organisational or procedural in nature
Focus on obtaining, maintaining and leveraging capability and skills
Are expressed in terms of the process, not necessarily the business
SUMMARY
CSFs are the most important things to do, conditions to be met or statuses to be reached in order to increase the probability of success of the process. They are of different kinds: strategic, technological, organisational or procedural. Their selection is influenced by the desired maturity model level that the organisation wants to reach. They focus on obtaining, maintaining and leveraging the capability and skills of the organisation.
The Management Guidelines include a set of generic CSFs that apply to all IT processes in general and a set that applies specifically to IT governance. These two sets provide strategic direction and also ensure that the CSFs defined for the specific 34 IT processes of COBIT are process specific and not redundant.

20. Key Performance Indicators

21. Key Performance Indicators
Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspective are set and monitored
In defining how to measure the performance of IT processes and their alignment with the overall organisation goals, the basic concepts of the balanced business scorecard provide insights. The balanced business scorecard, first defined by Robert Kaplan and David Norton, includes the following perspectives: Customer, Financial, Internal Process, and Learn and Innovate.
The customer and financial perspectives emphasise the organisations’ response to external factors, while the internal processes, and the learn and innovate perspectives address how the organisation is managing its resources to achieve overall objectives and goals.

22. Key Performance Indicators
In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal
This diagram illustrates the balanced business scorecard relationship between goals and their enablers. In this example, IT enables a business goal by providing the information needed to support business processes and organisational objectives. Goals are measured based on their outcomes, while enablers are measured based on their performance in support of the goal. The difference between the two measures is that a goal is measured after the fact and its measure is thus a lag indicator.
The first measure expresses delivery against a goal and is also called a ‘LAG indicator’, as it is typically measurable after the fact. The second expresses how well one delivers and is also called a ‘LEAD indicator’, as it predicts the probability of success

23. ? Key Performance Indicators
IT is one of the enablers of the business and will have its own scorecard
...but how are they linked?
Financial
Customer
Process
Learning ?
Business Objectives
and Measures
IT Objectives
Expanding on the basic principles of the balanced business scorecard, IT can be considered as a major enabler of the business and will have its own scorecard. Thus, the scorecards for IT and business relate to each other. The approach taken by the Management Guidelines, within the COBIT Framework, is to consider that IT delivers to the business the information that the business needs to achieve its objectives. The requirements for delivery of this information are defined in terms of the information criteria identified for all the COBIT high-level control objectives.
The COBIT model provides for that link through the definition
of the information criteria

24. Key Performance Indicators
The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in
COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile
This profile also expresses the enterprise’s position on risk
The information criteria vary according to the business. For example, in the banking environment, integrity and confidentiality requirements are extremely high. In another environment, efficiency may be more important. By ranking the information criteria, the enterprise can also quantify its position on the risk associated with the level to which the information criteria are met.

25. Key Performance Indicators
The goal for IT can then be expressed as
The relationship between the IT enabler and the business goals can then be expressed in terms of the specific information criteria that need to be delivered. The key information criteria are defined for each IT process in the COBIT Framework.
The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process

26. Cascaded Performance Indicators
A further extension of the concept is to show that these scorecards can be cascaded. The business has a scorecard, where IT is the enabler and IT’s measures are performance measures. In the IT strategic scorecard, these measures become IT’s goals. Planning and organization, as an example of a COBIT domain, are enablers for IT and become goals for the process below it.

27. X Goal Key Performance Indicators KGI for goal; measurable indicators
of the process achieving
its goal
f(Business Requirement of the ‘Waterfall’)
Influenced by the primary and secondary information
criteria
A potential source can be found in COBIT’s
‘Substantiating Risk’ section in the Audit Guidelines
The balanced business scorecard provides for two types of measures, one which looks at the performance of the enablers, henceforth called a KPI, and another, which looks at the goals (measures of outcome), called a KGI. KGIs need to be defined to support measuring the outcome in satisfying the business requirement of the COBIT high-level control objective. The ‘Substantiating Risk’ section in the COBIT Audit Guidelines also provides direction on how to express to management the absence or inefficiency of control; it provides goal measurements, usually in negative terms, because this is used if there are problems in the control environment found by an auditor.

28. Key Goal Indicators
Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as:
Availability of systems and services
Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness and compliance
KGIs in the IT environment are usually expressed using the information criteria defined in the high-level control objectives of COBIT, as the availability of systems and services, absence of integrity and confidentiality risks, cost-efficiency of processes and operations and confirmation of reliability, effectiveness and compliance.

29. In summary Key Goal Indicators
Describe the outcome of the process and are therefore ‘lag’ indicators, i.e., measurable after the fact
Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
Focus on the customer and financial dimensions of the balanced business scorecard
Represent the process goal, i.e., a measure of “what”, a target to achieve
May describe a measure of the impact of not reaching the process goal
Are IT oriented, but business driven
Are expressed in precise measurable terms, wherever possible
Focus on those information criteria that have been identified to be of most importance for this process
SUMMARY
The KGIs are a measure of the outcome of the process and they are lag indicators, as they indicate that the process has been successful after the fact. They are expressed in terms of the business contribution of the process. Recalling the four perspectives of the balanced business scorecard, KGIs focus primarily on the customer and the financial perspectives of the scorecard. The process and learning perspectives of the balanced business scorecard are primarily enablers, as they allow the organisation to be successful in the future. KGIs are IT oriented, but business driven.

30. Key Performance Indicators
KPI for performance;
measurable indicators of performance
of the enabling factors
f(Control Statement and Considerations in ‘Waterfall’)
How well they leverage/manage the resources needed
KPIs are needed to monitor the enablers of the processes and they measure how well resources are managed. They are defined to reflect the control statement and considerations of the COBIT control objective.

31. In summary Key Performance Indicators
Are a measure of “how well” the process is performing
Predict the probability of success or failure in the future, i.e., are ‘LEAD’ indicators
Are process oriented, but IT driven
Focus on the process and learning dimensions of the balanced scorecard
Are expressed in precise, measurable terms
Help in improving the IT process
SUMMARY.
KPIs measure how well a process is performing. A reference to them may be found in the COBIT control statements and control considerations, the same place where ideas can be found for many of the CSFs. They measure how well the organisation leverages the resources needed in the process. They predict the probability of success, so they are lead indicators. They are process oriented, but IT driven as opposed to KGIs, which are IT oriented but business driven. They focus on the process and learning dimensions of the balanced scorecard.

32. Management Guidelines Presentation
All the concepts discussed earlier can be linked as presented in this diagram. Goals support business objectives and are measured by KGIs. The enabler provides information with the criteria needed to support the business goal, considers CSFs that leverage specific IT resources and is measured by KPIs.

33. Management Guidelines Presentation
This is another way to express the relationships presented in the previous slide. The business goal has to address the required information criteria and has an outcome that is measured by KGIs. The goal is enabled by the control statement which considers CSFs to leverage specific IT resources. The performance of the enabler is measured by KPIs.
This updated “waterfall” model is used in the Management Guidelines to integrate the newly defined measures of performance with the current high-level control objectives.

34. MO AI PO DS REQUIREMENTS INFORMATION Business Balanced Scorecard
Financial
Customer
Process
Learning
IT Development Balanced Scorecard
REQUIREMENTS PO
Business Balanced Scorecard
IT Strategic Balanced Scorecard
Financial
Customer
Financial
Customer DS
Process
Financial
Customer
Process
Learning
IT Operational Balanced Scorecard
Process
Learning
How can the concepts presented earlier be further expanded and integrated? What is the relationship between the goals and enablers of the balanced business scorecard and COBIT’s domains and IT processes? This diagram presents an extension of the balanced business scorecard. IT is an enabler of the business and consists of development and operational components, which have their own IT scorecards. The business has specific requirements and IT responds to those requirements by providing the required information, according to the information criteria specified in COBIT.
The IT strategic balanced scorecard, where we define how we respond to the business requirements maps into COBIT’s Planning and Organisation (PO) domain. The IT development component is an enabler of the PO domain and has its own IT balanced scorecard that maps into the Acquire and Implement (AI) domain. The IT operational component is also an enabler for the processes in the PO domain, has its own IT balanced scorecard and maps into the Delivery and Support (DS) domain. Across all of these is the Monitoring (MO) domain.
Learning
INFORMATION

35. IT Generic Process and IT Governance Guidelines

36. • Performance Management • IT Governance
The COBIT Framework has been enhanced with a number of improvements driven by:
• Management Control
• Performance Management
• IT Governance
Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies. They need to reach a balance between managing risks and realising benefits. Management needs new concepts and tools to provide strategic direction and monitor performance.
The COBIT Management Guidelines provide the tools that allow management to self-assess and make choices for control implementation and improvements over its information and related technology. These guidelines assist in aligning the IT organisation with the goals of the enterprise and provide performance measurements to ensure that these goals are achieved.

37. IT Generic Process and IT Governance Guidelines
Generic guidelines were developed, applying to all processes
Subsequently these were expanded with CSFs, KGIs and KPIs applicable to IT in general
This was converged to IT Governance guidelines by adding generally applicable IT Governance practices and measures
The type and amount of information dictated two guidelines
IT Generic Process
IT Governance
The Management Guidelines include CSFs, KGIs, KPIs and Maturity Models for all of COBIT’s 34 high-level control objectives. In addition, guidelines were developed for the overall, IT generic processes and for IT governance. These guidelines support the broader goals of the organisation.

38. IT Governance Model
In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. The guidelines shown in the following slides present the CSFs, KGIs, KPIs and Maturity Models developed to support this management need.

39. Generic Process Guideline
Control over an IT process and its activities with specific business goals
is determined by the delivery of information to the business that addresses the required information criteria and is measured by KGIs
is enabled by creating and maintaining a system of process and control excellence appropriate for the business
To support the overall organisation, IT needs to address business goals, support them with the required information and perform its activities effectively by leveraging IT resources. Performance measures are defined for managing progress towards the goal.
considers CSFs that leverage specific IT resources and is measured by KPIs

40. Generic Process Guideline
Critical Success Factors
IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
Goals and objectives are communicated across all disciplines and are understood
It is known how to implement and monitor process objectives and who is accountable for process performance
A continuous process quality improvement effort is applied
There is clarity on who the customers of the process are
The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist
See slide.

41. Generic Process Guideline
Key Goal Indicators
Increased level of service delivery
Number of customers and cost per customer served
Availability of systems and services
Absence of integrity and confidentiality risks
Cost efficiency of processes and operations
Confirmation of reliability and effectiveness
Adherence to development cost and schedule
Cost efficiency of the process
Staff productivity and morale
Number of timely changes to processes and systems
Improved productivity (e.g., delivery of value per employee)
See slide.

42. Generic Process Guideline
Key Performance Indicators
System downtime
Throughput and response times
Amount of errors and rework
Number of staff trained in new technology and customer service skills
Benchmark comparisons
Number of non-compliance reportings
Reduction in development and processing time
See slide

43. IT Generic Process Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. There is global awareness of the issues and processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Goals and objectives are being communicated and understood. IT processes are aligned with the IT strategy. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. IT processes are aligned and integrated with the IT strategy and the business goals. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Achievement of objective measures is rewarded. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
The basis for definition is a very generic and simple maturity model:
indicated as a zero level, is the stage where the organisation has no recognisable processes
the first level is an initial stage where the organisation only starts recognising that it has an issue relative to poorly defined IT management processes and that it needs to do something about control
at the second level, some processes begin to be repeatable. IT staff are performing the same processes, not necessarily documented, and dependent on key people to make them repeatable
at the third level, the organisation starts documenting its practices, so that others besides key people can start performing similar activities
then there is a managed level, where the policies and procedures are more sophisticated and the performance measurement has become formalised
finally, at the optimised level, best practices are utilised, there is continuous improvement and IT is considered an enabler of the entrprise’s goals
This is the very simple and generic maturity model that was used as a basis for developing the specific maturity models for each of the 34 COBIT processes.

44. IT Governance Guideline
Governance over IT and its processes with goal of adding value to the business, while balancing risk versus return
ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs
is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
While the generic process guideline is process management and effectiveness oriented, the IT governance guideline also addresses the need to reach a balance between managing risks and realising benefits. It indicates CSFs and performance measures oriented towards directing and monitoring IT processes.
considers CSFs that leverage all IT resources and is measured by KPIs

45. IT Governance Guideline
Critical Success Factors
IT governance activities are integrated into the enterprise governance process and leadership behaviours
IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands
IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities
Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes
Organisational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow up of control deficiencies and risks
Control practices are defined to avoid breakdowns in internal control and oversight
There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management
An audit committee is established to appoints and oversee an independent auditor, focusing on IT when driving audit plans, and review the results of audits and third-party reviews.
See slide.

46. IT Governance Guideline
Key Goal Indicators
Enhanced performance and cost management
Improved return on major IT investments
Improved time to market
Increased quality, innovation and risk management
Appropriately integrated and standardised business processes
Reaching new and satisfying existing customers
Availability of appropriate bandwidth, computing power and IT delivery mechanisms
Meeting requirements and expectations of the customer of the process on budget and on time
Adherence to laws, regulations, industry standards and contractual commitments
Transparency on risk taking and adherence to the agreed organisational risk profile
Benchmarking comparisons of IT governance maturity
Creation of new service delivery channels
See slide.

47. IT Governance Guideline
Key Performance Indicators
Improved cost-efficiency of IT processes (costs vs. deliverables)
Increased number of IT action plans for process improvement initiatives
Increased utilisation of IT infrastructure
Increased satisfaction of stakeholders (survey and number of complaints)
Improved staff productivity (number of deliverables) and morale (survey)
Increased availability of knowledge and information for managing the enterprise
Increased linkage between IT and enterprise governance
Improved performance as measured by IT balanced scorecards
See slide.

48. IT Governance Maturity Model
0 Non-Existent. There is a complete lack of any recognisable IT government processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised IT governance processes, but there are instead ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. IT governance processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual.
3 Defined. IT governance procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where IT governance processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. IT governance processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
See slide.

49. Management Guidelines – Conclusion
Value Proposition
Development Process
Components
Presentation

50. Management Guidelines Value Proposition
Open Standard
Framework
Control Objectives
Implementation Tool Set
Management Guidelines
Value added products
Audit Guidelines
How will it look?
What is its value?
The Management Guidelines have been added as an open standard component of COBIT. Integrated with the Framework, they provide additional capabilities to support self-assessment, alignment with overall organisational goals and measurement of performance. They provide management with a toolset that, in addition to control, also addresses manageability.
They represent a significant investment in COBIT. They will evolve and the experience of business end users, IT management, and security, audit and control practitioners will be reflected in future editions of COBIT. The Management Guidelines will support an increasingly pro-active role for all these professionals, providing a more strategic and benefit realisation perspective in controlling and managing the IT organisation.

51. Management Guidelines Development Process
Chicago Workshop
4 days
40 people
Gartner and PwC
Top Experts
IT governance
Performance management
Information security and control
Development, QA and Exposure
Good Tools
Workgroup tools
Web based exposure
pdf based document distribution
Extensive review
The Management Guidelines were developed, in an interactive workshop, by a worldwide group of 40 IT management, security, audit and control professionals. They represented industry, government, academic and professional services organisations. Gartner and PricewaterhouseCoopers provided conceptual input, workshop facilitation and review. The COBIT Steering Committee provided development guidelines and conducted the quality assurance process.

52. Management Guidelines Components
IT governance guideline
Generic IT process guideline
For each of the 34 IT processes
one maturity model
5 to 7 KGIs
8 to 10 CSFs
6 to 8 KPIs
As described earlier, two generic guidelines were developed. For each of COBIT’s high-level control objectives, a number of KGIs, CSFs and KPIs were defined, as indicated. The resulting guidelines are generic, not industry specific and organisations need to consider their application and extension based on their strategic needs, resource availability and cultural factors. The basic concepts presented in the framework of the Management Guidelines provide a basis for adapting them to the needs of individual organisations.

53. Management Guidelines Presentation
In closing, this illustrates one more time how the Management Guidelines integrate and present the new and existing concepts and functionality of COBIT, at the high-level control objective level. Goals support business objectives and are measured by KGIs. The IT enabler provides information with the criteria needed to support the business goal, considers CSFs that leverage specific IT resources and is measured by KPIs. Together with the Maturity Models, the KGIs, CSFs and KPIs result in a toolset that will provide management with new options in directing, controlling and managing IT.