Student Handbook for COBIT5 Implementation Training...
COBIT5: Implementation
A Business Framework for the Governance and Management of Enterprise IT
COBIT5® is a registered trademark of ISACA. No part of this document may be reproduced in any form without the explicit written permission of both the 4P Advisory Services and ISACA®. Trademarks, acknowledged.
Corporate Training, Consulting, Examinations, Process Improvements, Assessments
Module 0: Introduction
Module 0: Agenda
• Administration
• Copyright and Acknowledgement
• “Do”s and “Don’t”s
• Administration
• Course Information
• Participant Introduction
• Learning Objectives
• Course Topics
• Examination Information, Procedures and Tips
Copyright & Acknowledgements
• COBIT5® is a registered trademark of AXELOS® Limited
• This document is exclusively created for and by 4P Advisory Services, an ISACA Partner through Peoplecert. No part of this document can be directly/indirectly copied in any form.
• Anyone doing so is legally liable for financial damages to be paid to and the Author of this document.
• Anyone informing the breach may suitably be rewarded.
• Feedback & Inquiries: [email protected]
Do’s and Don’ts
DO:
• Get involved
• Ask questions
• Share experiences
• Keep an open mind
• Take calls outside the room
• Agree to disagree!
DON’T:
• Use Laptops, Tablets, Smart phones, Smart Watches
• Talk to the colleagues in the class
• Lead to irrelevant out of scope discussions
• Be disruptive
• Not do homework
Administration
• Fire safety
• Planned fire alarm tests
• Evacuation procedures and fire exits
• Toilets/Washrooms
• Security of belongings
• Course timings and breaks
• Mobiles/blackberries
• Photo ID and pencils for examinations
• Lots of questions/discussion please!
Course Information
Course Structure and Approach:
• Presentation sessions
• Group exercises
• Case Studies
• Exam preparation
Course Materials @ www.isaca.org:
– COBIT5® Kit can be downloaded.
– COBIT5® Implementation Guide can be downloaded.
Course Syllabus Information
The syllabus is presented by syllabus areas. A syllabus area is the unit of learning, which may relate to a chapter from the manual/guidance or to several concepts commonly grouped together in a training course module. The following syllabus areas are identified:
• IP Initiate the program (What are the drivers? ‐ Phase 1)
• DP Define Problems & Opportunities (Where are we now and where do we want to be? ‐ Phases 2 & 3)
• PE Plan & Execute the program (What needs to be done & how do we get there? ‐ Phases 4 & 5)
• RB Realize Benefits and Review effectiveness (Did we get there and how do we keep the momentum going? ‐ Phases 6 & 7)
Course Reference Information
Reference Material:
• COBIT 5 Implementation Guide
• COBIT 5 Enabling Processes Guide
• The COBIT 5 Toolkit (contains tools that will be referenced and used in the training)
COBIT5 Publications
COBIT 5 Publications:
• COBIT 5*
• COBIT 5 Implementation
• COBIT 5: Enabling Processes
• COBIT 5: Enabling Information
COBIT 5 Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
COBIT5 Assessment Programme Publications:
• Process Assessment Model
• Self‐Assessment Guide
• Assessor Guide
*The COBIT5 Framework
Exam Information
COBIT 5 Implementation:
• Delivery: Computer (web) or Paper based
• Type: Multiple choice, 4 question types (20 items each)
  – Single response, one of four possible answers
  – Multiple response, X of Y possible answers
  – Matching response
  – Assertion response
• Each question is awarded one (1) mark
• Duration: 150 minutes
• Pass Mark: 50% (40 or more marks)
• Open Book: ‘COBIT 5 Implementation’ book only
• Prerequisites: COBIT 5 Foundation Certificate
Participant Introductions
• Trainer’s Introduction
• Participant’s Introduction
  – Name
  – Role & experience in the IT Governance domain
  – Professional experience
  – Current role & corresponding responsibilities
  – What do you know about the topics under coverage?
  – What do you expect from the session?
Learning Objectives
• Analyse the enterprise drivers
• Apply the implementation challenges, their root causes and success factors
• Assess current process capability
• Determine target process capability
• Scope and plan improvements
• Consider practical implementation factors
• Identify and avoid potential pitfalls
• Leverage the latest good practices
Course Modules: 1 of 2
Module 1 Introduction to COBIT
Module 2 Introduction to COBIT5 and Implementation Practices
• IC Introduction to COBIT ‐ Principles, Enablers, Processes and PRM (Process Reference Model)
• CS Case Study and Discussions
• PM CSI Model and Program Management for COBIT Implementation
Module 3 IP Initiate the program (What are the drivers? ‐ Phase 1)
Module 4 DP: Define Problems & Opportunities
• Module 3.1 DP Define Problems & Opportunities (Where are we now? ‐ Phase 2)
• Module 3.2 DP Define Problems & Opportunities (Where do we want to be? ‐ Phase 3)
Course Modules: 2 of 2
Module 5 PE: Plan & Execute the program
• 4.1 PE Plan & Execute the program (What needs to be done? – Phase 4) – Change Enablement
• 4.2 PE Plan & Execute the program (How do we get there? – Phase 5)
Module 6 RB: Realize Benefits and Review effectiveness
• 5.1 RB Realize Benefits and Review effectiveness (Did we get there? ‐ Phase 6)
• 5.2 RB Realize Benefits and Review effectiveness (How do we keep the momentum going? – Phase 7)
Module 7 CE&CI Change Enablement and Continuous Improvement
Module 8 COBIT 5 Assessment Steps
About ISACA
ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT‐related risk and compliance. Founded in 1969, the non‐profit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems.
It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Module 1: Introduction to Governance and COBIT5
Corporate Governance vs. IT Governance Corporate governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organise them to meet the goals of the organisation in the most effective and efficient manner possible. An effective corporate governance strategy allows an organisation to manage all aspects of its business in order to meet its objectives. Information technology governance, however, is a subset discipline of Corporate Governance. Although it is sometimes mistaken as a field of study on its own, IT Governance is actually a part of the overall Corporate Governance Strategy of an organisation.
Learning Outcomes
Understand the concepts relating to the structure and format of the framework, and the drivers and business benefits of using the COBIT 5 framework; specifically, to identify:
o The drivers for the development of COBIT 5, specifically the need for the next generation of ISACA’s guidance on the enterprise governance and management of IT.
o The benefits to enterprise stakeholders of using the COBIT 5 framework.
Defining Governance
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives.
Governance is about negotiating and deciding amongst different stakeholders’ value interests.
Wikipedia: Governance refers to "all processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through laws, norms, power or language."
ISACA: Governance—Exercise of authority; control; government; arrangement.
Defining Management
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
Purpose of Governance & Management
Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT5 process reference model allows us to focus easily on the relevant enterprise activities.
Purpose of a Governance Framework like COBIT5: To help enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels.
Key Activities of Governance:
• Set principles and policies.
• Set direction; the governance body is responsible to the owners and stakeholders.
Key component of a Governance System: Setting up the Governance Framework.
Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Why was COBIT 5 developed?
COBIT 5: ISACA Board of Directors directive: “Tie together and reinforce all ISACA knowledge assets with COBIT.”
• Provide a renewed and authoritative governance and management framework for enterprise information and related technology
• Integrate all other major ISACA frameworks and guidance
• Align with other major frameworks and standards
The Evolution of COBIT 5 (timeline figure)
• COBIT1 (1996) ‐ Audit
• COBIT2 (1998) ‐ Control
• COBIT3 (2000) ‐ Management
• COBIT4.0/4.1 (2005/7) ‐ IT Governance
• COBIT 5 (2012) ‐ Governance of Enterprise IT
Integrated along the way: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010).
COBIT 5 Scope
Not simply IT; not only for big business!
• COBIT 5 is about governing and managing information, whatever medium is used, end to end throughout the enterprise.
• Information is equally important to:
  – Global, multinational business
  – National and local government
  – Charities and not for profit enterprises
  – Small to medium enterprises
  – Clubs and associations
Benefits
• Information is the business currency of the 21st Century.
• Information has a life cycle: it is created, used, retained, disclosed and destroyed. Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.
• Every form of enterprise needs to be able to rely on quality information to support quality executive decisions!
Enterprise Benefits
Enterprises and their executives strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT‐enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT‐related risk at an acceptable level.
• Optimise the cost of IT services and technology.
How can these benefits be realised to create enterprise stakeholder value?
Stakeholder Value Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
Benefits . . .
COBIT 5:
• Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent and provides an end‐to‐end view on all IT‐related matters
• Creates a common language between IT and business for the enterprise governance and management of IT
• Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements
Examples: Factors which may indicate a need for improved governance of enterprise IT:
• Significant incidents related to IT risk, such as data loss or project failure, have been experienced.
• Lack of confidence in IT management.
• IT investments and risks are being managed by various IT departments in isolation, resulting in duplicated efforts in some areas and gaps in others.
• Lack of information consistency and accountability across all IT groups.
• IT goals and perspectives not clearly aligned to the organizational goals.
The COBIT 5 Format Simplified
• COBIT 5 directly addresses the needs of the viewer from different perspectives.
• Development continues with specific practitioner guides.
• COBIT 5 is initially in 3 volumes:
  1. The Framework
  2. Process Reference Guide
  3. Implementation Guide
• COBIT 5 is based on 5 principles and 7 enablers.
COBIT5: Principles
Principle 1: Meeting Stakeholder Needs
The COBIT 5 goals cascade allows the definition of priorities for:
• Implementation
• Improvement
• Assurance
of enterprise governance of IT.
In practice, the goals cascade:
• Defines relevant and tangible goals and objectives at various levels of responsibility
• Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
• Clearly identifies and communicates how enablers are used to achieve enterprise goals
Principle 2: Covering the Enterprise End–to–End
Principle 3: Single Integrated Framework
• One Simple Architecture
• Completeness in Enterprise Coverage
• Alignment with other relevant frameworks & Standards
• Integration of Knowledge across domains
• ISO/IEC 15504 for Assessment
Principle 4: Enabling a Holistic Approach
Principle 5 ‐ Governance and Management Defined
COBIT 5 Product Family
The COBIT5 Integrator Model links COBIT 5 to existing ISACA guidance publications.
COBIT and Other IT Governance Frameworks (figure, source: ISACA)
Frameworks positioned by scope of coverage against a WHAT‐to‐HOW axis: COSO, COBIT, ISO 27002, ISO 9000, ITIL 2011.
COBIT 5 Mapping Specifics ..1
ISO/IEC 38500
o ISO’s 6 principles map to COBIT 5
The following areas and domains are covered by ITIL 2011:
o A subset of processes in the DSS domain
o A subset of processes in the BAI domain
o Some processes in the APO domain
ISO/IEC 27000 (currently 27001:2013)
o Security and IT‐related processes in domains EDM, APO and DSS
o Some security monitoring activities in MEA
ISO/IEC 31000
o Risk management related activities in EDM and APO
COBIT 5 Mapping Specifics ..2
TOGAF (The Open Group Architecture Framework)
o Resource‐related processes in EDM
o TOGAF components of the architecture board and governance areas
o Enterprise architecture processes of APO
PRINCE2
o Programme and project management processes in the BAI domain
o Portfolio related processes in the APO domain
CMMI
o Some organizational and quality‐related processes in the APO domain
o Application‐building and acquisition related processes in BAI
Module 2: An Introduction to COBIT5 Implementation
COBIT 5 Implementation
ISACA has developed the COBIT5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT5. However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully. The COBIT 5 Implementation Guide provides the guidance on how to do this.
COBIT5‐Ver2‐Implementation.pdf
COBIT 5 Implementation cont.
• The COBIT 5 Implementation Guide was released at the same time as the COBIT 5 Framework and COBIT 5 Enabling Processes.
• Information and information technology are increasingly part of every aspect of business.
• The need to drive more value from IT investments and manage an increasing array of IT‐related risk has never been greater.
• Increasing regulation and legislation is also raising awareness of the importance of good governance.
Challenges to Success
• What are the drivers?
• Where are we now and where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there and how do we keep the momentum going?
© 2012 ISACA. All Rights Reserved.
Roles in Creating an Appropriate Environment
RACI chart for Creating an Appropriate Environment
Components of the Lifecycle
Program Management:
1. Initiate program
2. Define problems and opportunities
3. Define roadmap
4. Develop program plan
5. Execute plan
6. Realize benefits
7. Review program effectiveness
8. Sustain
COBIT 5 Implementation
Enterprise Internal and External Factors
Understanding the enterprise internal and external factors as they apply to change management, such as:
o Ethics and culture
o Applicable laws, regulations and policies
o Mission, vision and values
o Governance policies and practices
o Business plans and strategic intentions
o Operating model
o Management style
o Risk appetite
o Capabilities and available resources
o Industry practices
Key Success Factors
• Top management providing the direction and mandate for the initiative, as well as on‐going commitment
• All parties supporting the governance and management processes understanding the business and IT objectives
• Ensuring effective communication and enablement of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise
• Focusing on quick wins and prioritising the most beneficial improvements that are easiest to implement
Continuous Improvement through 7 enablers
Case Study Scenario: IT Governance Initiative
A major financial services organization has recently been purchased by a large overseas competitor and is now subject to new overseas compliance regulations. Following the takeover, the local organization is now known as the ‘local office’ and the purchaser is known as the ‘Overseas Head Office’.
Case Study Scenario: Background and Current Issues
The organization is currently experiencing issues with change management. As a result of the takeover, further changes are being introduced which the existing processes cannot handle. The problems are being exacerbated by the size and volume of the required changes. Although the takeover by the overseas company is recent, the Overseas Regulators are already seeking visibility of compliance.
Prior to being taken over, the current Board had ongoing concerns about IT security. These concerns are expected to increase given the demands of passing information overseas to the new Overseas Head Office.
Also prior to the takeover, relationships between IT and the Enterprise were poor due to previous IT project failures and a lack of visibility of project benefits. Staff morale has been very low, with above-average staff turnover. Due to the recent takeover, there have been senior management changes and a further increase in staff turnover due to job uncertainty. The organization has a new and inexperienced team in IT Governance.
Case Study Scenario: Current Projects in Place
There are two existing projects underway:
• HR Project - There is currently an HR project in progress to address the high level of staff turnover. Its objective is to reduce the current turnover levels.
• IT Security - The local office has recently engaged a team of external security specialists to review the current level of IT security and to recommend appropriate solutions.
Case Study Scenario: Roles and Responsibilities
An extract of the organizational structure of the Financial Services Organisation (not including the Overseas Head Office) is given below.
• IT Management consists of the CIO and his direct reports.
• The Audit Manager is from the Overseas Head Office and is responsible for the local Audit team.
• The IT Governance, Risk and Compliance (IT GRC) Manager is newly appointed and has recently attended a COBIT 5 course.
• The Technical Support Manager has been with the enterprise for over 20 years and takes a very ‘hands on’ approach. This role is responsible for ensuring the ongoing availability of the network infrastructure.
Case Study Scenario: IT Governance Initiative Start-up
As a result of the overseas compliance regulations, the IT Governance, Risk and Compliance (IT GRC) Manager has decided to launch a major IT Governance Initiative. The initiative will incorporate the compliance requirements mandated by the Overseas Head Office in addition to improvements in governance and change management. The existing projects will be included within the scope. The Overseas Head Office will sponsor the programme, and the IT GRC Manager has been appointed as the Programme Manager.
However, some problems have already been experienced:
• Although the IT GRC Manager has launched an initiative, it is not clear who is supporting the initiative and which processes are required to be targeted.
• Current attempts by the IT GRC Manager to get the initiative off the ground have been unsuccessful.
Case Study Scenario: Mapping of Processes to Issues
The IT GRC Manager completed a small assessment of the issues facing the new organisation, including the two existing projects on HR and Security and a report summarising their security issues. He discovered more issues related to the existing change management, HR and Security problems. He has mapped these to risks and recommended the following COBIT processes to be included in the improvement programme, in order to assist and leverage best practice for the following issues and problem areas (columns: Problems & Issues / Risks / COBIT Processes):

1. HR Issues
Problem / Issue: High turnover.
Risk: Departure or unavailability of key IT staff.
COBIT process: APO07

Problem / Issue: Skills & competences not matched to business requirements.
Risks: Lack of business understanding by IT staff; lack of or mismatch of IT-related skills.
COBIT process: APO07

Problem / Issue: No process for contract staff.
Risk: Contractual obligations by contractors not met.
COBIT process: APO07
Case Study Scenario: Mapping of Processes to Issues (continued)
2. Security Issues
Problem / Issue: Access by external contractors poorly controlled.
Risks: Users circumventing logical access rights; users obtaining access to unauthorized information.
COBIT processes: DSS05; DSS04

Problem / Issue: No policy and process for end point security, including mobile devices.
Risks: Loss/disclosure of portable media, laptops, mobile devices etc.; accidental disclosure of sensitive information.
COBIT process: DSS05
Case Study Scenario: Mapping of Processes to Issues (continued)
3. Change Management Issues
Problem / Issue: New organisation cannot cope with change requests for processes.
Risk: Business managers not involved in important IT investment decision making regarding new applications, prioritisations or new technology opportunities.
COBIT process: BAI05

4. Project Delivery Issues (BAI01 / BAI02)
Problem / Issue: Poor project delivery in terms of on time and to budget.
Risks: Projects failing due to cost delays, scope creep or changed business priorities; insufficient quality of project deliverables due to software, documentation or compliance with functional requirements.
COBIT process: BAI01

Problem / Issue: Failure to understand business requirements.
Risk: Business not assuming accountability over IT areas such as functional requirements.
COBIT process: BAI02
Case Study Scenario: Plan and Execute the Program
Awareness of the business’ frustration about the lack of visibility of the compliance program has reached the Overseas Head Office. As a result, the Overseas Head Office has instructed the Financial Services Organization to quickly solve the issue of the poor relationships between IT and the business. The instruction has come down for IT to solve this as part of the Governance Initiative.
The IT GRC Manager is already overloaded with work and has therefore asked one of the junior members of his team to take ownership of the task. He has told the junior member that the solution to this issue will be to include information relating to the compliance program on the Financial Services Organization’s existing Intranet. Access to this Intranet is already available to the business. Due to budget constraints, there will be a limit on the amount of information that can be added to the Intranet. This work must be done in-house.
Module 3: IP Initiate the program
IP: Initiate the program (What are the drivers? ‐ Phase 1)
Continual Improvement Life Cycle Phase 1
Ref. Figure 15
Roles in Phase 1
Ref. Figure 16
Phase 1 Description (1/4)
Ref. Figure 17
Phase 1 Description (2/4)
Ref. Figure 17
Phase 1 Description (3/4)
Ref. Figure 17
Phase 1 Description (4/4)
Ref. Figure 17
Phase 1 RACI Chart
Ref. Figure 18
Phase 1 – What Are the Drivers? The Basics
• Initiate the programme
• Establish desire to change
• Recognise need to act
Phase 1 – What Are the Drivers?
The need for a new or improved IT governance organization is usually recognized through pain points and/or trigger events.
Board and executive management should:
• Analyze pain points to identify root causes
• Look for opportunities during trigger events
The goals of this phase of the lifecycle include:
• Outlining the business case
• Identification of stakeholders and roles & responsibilities
• IT governance program “wake-up call” and kick-off communications
Phase 1 – SWOT?
Phase 1 - Typical Pain Points
• Failed IT initiatives
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Hidden and/or rogue IT spending
• Resource waste through duplication or overlap in IT initiatives
• Insufficient IT resources
• IT staff burnout / dissatisfaction
• IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Multiple and complex IT assurance efforts
• Board members or senior managers who are reluctant to engage with IT
© 2012 ISACA. All Rights Reserved.
Phase 1 - Relevant Trigger Events
• Merger, acquisition or divestiture
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy or priority
By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues actually being experienced, which will improve buy-in to the business case.
Case Study Scenario: Additional Phase 1 Information
In trying to understand where the Financial Services Organization currently stands in respect of Governance, the IT GRC Manager has identified a number of issues:
• The local office management is confused about what the Initiative is trying to achieve and does not appear to be fully engaged.
• Concerns have also been expressed as to the potential cost of the proposed Initiative for what appears to be very little benefit. Suggestions have even been made that if the Overseas Head Office wants the work completed then it should pay for it.
• Additionally, the long-standing relationship issue between IT and Business Management caused by previous project failures is still very much in existence.
Exercise 001
1. Which reason is a root cause for a lack of Senior Management buy-in to an improvement initiative, according to the COBIT 5 Implementation Guide?
A. Lack of dedicated resources.
B. Poor perception of the credibility of the IT function.
C. Best practices are copied and are NOT adopted.
D. Continual improvement is NOT part of the culture.

2. Which reason is a root cause of why IT could have difficulty in getting the required business participation, according to the COBIT 5 Implementation Guide?
A. Barriers between IT and the business inhibit participation.
B. IT budget committed to infrastructure.
C. Priorities incorrectly allocated.
D. Fear of revealing inadequate practices.

3. Which reason is a root cause for the lack of current enterprise policy and direction within an organization, according to the COBIT 5 Implementation Guide?
A. IT budget committed to infrastructure.
B. Best practices are copied and are NOT adopted.
C. Overly optimistic goals.
D. Weak enterprise risk management.
Exercise 001 (continued)
4. Which 2 documents are Inputs to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. Reports showing the volume of changes since the takeover.
C. A report from HR on staff turnover.
D. A list of stakeholders at the local office and Overseas Head Office.
E. Documented approval from the CEO to proceed.

5. Which 2 documents are Outputs from Phase 1?
A. A process for engaging local Management about the Governance Initiative.
B. A report showing the local office’s capability to cope with the required amount of process change as a result of the Governance Initiative.
C. An agreed list of the local office’s Roles and Responsibilities for the Governance Initiative.
D. Reports showing the volume of changes since the takeover.
E. Report on the Security issues.

6. Which 2 activities are Programme Management tasks performed during Phase 1?
A. Understand full impact of the Governance Initiative.
B. Raise awareness of compliance issues with the local office.
C. Obtain buy-in and approval from the CEO to proceed.
D. Produce outline Governance Initiative business case.
E. Identify other project dependencies such as the Security and HR projects.
Exercise 001 (continued)
7. Which 2 activities are Change Enablement tasks performed during Phase 1?
A. Obtain approval from the CEO to proceed.
B. Produce outline Governance Initiative business case.
C. Understand full impact of the Governance Initiative.
D. Raise awareness of compliance issues with the local office.
E. Issue the change plan based on the overseas compliance requirements.

8. Which 2 activities are Continual Improvement tasks performed during Phase 1?
A. Ensure the understanding of the Overseas Head Office’s compliance requirements for the local office is correct.
B. Understand full impact of the Governance Initiative.
C. Raise awareness of compliance issues with the local office.
D. Identify other project dependencies such as the Security and HR projects.
E. Raise local Management’s awareness of the importance of the Initiative.
Module 4: DP Define Problems & Opportunities
Module 4.1: Phase 2 Where are we now?
DP Define Problems & Opportunities (Where are we now Phase 2)
Continual Improvement Life Cycle Phase 2
Ref. Figure 19
Roles in Phase 2
Ref. Figure 20
Phase 2 Description (1/5)
Ref. Figure 21
Phase 2 Description (2/5)
Ref. Figure 21
Phase 2 Description (3/5)
Ref. Figure 21
Phase 2 Description (4/5)
Ref. Figure 21
Phase 2 Description (5/5)
Ref. Figure 21
Phase 2 RACI Chart
Ref. Figure 22
Phase 2 – Where Are We Now?
Define the problems and opportunities [Programme Management]
o Understand the pain points that have been identified as governance problems
o Take advantage of trigger events that provide opportunity for improvement
Form a powerful guiding team [Change Enablement]
o Knowledge of the business environment
o Insight into influencing factors
Assess the current state [Continual Improvement Life Cycle attribute]
o Identify the IT goals in respect of enterprise goals
o Identify the most important processes
o Understand management risk appetite
o Understand the maturity of existing governance and related processes
© 2012 ISACA. All Rights Reserved.
Module 4.2: Phase 3 Where do we want to be?
DP Define Problems & Opportunities (Where do we want to be? ‐ Phase 3)
Continual Improvement Life Cycle Phase 3
Ref. Figure 23
Roles in Phase 3
Ref. Figure 24
Phase 3 Description (1/5)
Ref. Figure 25
Phase 3 Description (2/5)
Ref. Figure 25
Phase 3 Description (3/5)
Ref. Figure 25
Phase 3 Description (4/5)
Ref. Figure 25
Phase 3 Description (5/5)
Ref. Figure 25
Phase 3 RACI Chart
Ref. Figure 26
Phase 3 – Where Do We Want to Be?
Define the roadmap
o Describe the high-level change enablement plan and objectives
Communicate desired vision
o Develop a communication strategy
o Communicate the vision
o Articulate the rationale and benefits of the change
o Set the tone at the top
Define target state and perform gap analysis
o Define the target for improvement
o Analyze the gaps
o Identify potential improvements
© 2012 ISACA. All Rights Reserved.
Case Study Scenario: Additional Phase 2 & 3 Information
The CIO has approached the IT GRC Manager and is not convinced that he has captured all of the COBIT processes needed to mitigate the risks associated with their issues.
Exercise 002
1. Which 2 reasons are root causes of the inability to gain the backing of local business management, according to the COBIT 5 Implementation Guide?
A. The recent takeover has left uncertainty and the threat of further changes.
B. The priorities of the Initiative are NOT in line with the objectives of the local office.
C. There is poor communication about the expected successes of the Initiative.
D. More change is being enforced and the current processes are unable to cope with the existing amount of change.
E. The implementation solution appears to have too many manual workarounds.

2. Which 2 reasons are root causes of why the cost of the IT Governance Initiative appears to exceed any benefit at the local office, according to the COBIT 5 Implementation Guide?
A. There is a perception that there is a lack of required compliance skills at the local office.
B. Structure of the IT Governance Initiative does NOT demonstrate what the benefits will be at this stage of the programme.
C. The recent takeover has left uncertainty and the threat of further changes.
D. Budget funds have already been spent on the takeover and this is seen as a further drain on resources.
E. There is poor communication about the expected successes of the Initiative.
Exercise 002 (continued)
3. Which 2 actions are success factors that should help resolve the current lack of trust between the local office IT function and Business Management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Educate the business by running a COBIT 5 training course.
C. Produce a plan of expected changes for the year ahead which take account of the compliance requirements.
D. Only implement improvements that add value to the local office.
E. Ensure all resources are full time and dedicated to the Governance Initiative.

4. Which 2 actions are success factors that should help resolve the inability to gain support from the local office’s business management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Only implement improvements that add value to the local office.
C. Express the Governance Initiative in terms that are relevant to business management.
D. Set up a regular Compliance forum which includes members of both local and Overseas Business Management and local IT Management.
E. Ensure all resources are full time and dedicated to the Governance Initiative.
Exercise 002

5. Which 2 actions are success factors which should help resolve the concerns that the local office has regarding the cost of improvements outweighing any potential benefits, according to the COBIT 5 Implementation Guide?
   A. Liaise with Business Management to identify initiatives that can be resolved quickly.
   B. Secure secondments* of compliance staff from the overseas office.
   C. Ensure all resources are full time and dedicated to the Governance Initiative.
   D. Only implement improvements that add value to the local office.
   E. Focus on the change process as an area to be tackled by the Initiative.

6. There is a current lack of ownership for both the business and IT in respect of who has a role to play in this Governance Initiative. Which CE task is executed to address the concern of lack of ownership for the Governance Initiative at the local office during Phase 2?
   A. Engage with HR about producing a communications plan about the future benefits of the Initiative.
   B. Develop an escalation process.
   C. Elect key representatives from the local office and the Overseas Head Office.
   D. Create steering committees for relevant parts of the Initiative.
*Secondment: A temporary transfer of an official or worker to another position or employment.
Module 5: PE Plan & Execute the program
Module 5.1: Phase 4 What needs to be done?
5.1
PE Plan & Execute the program (What needs to be done? – Phase 4)
Continual Improvement Life Cycle Phase 4
Ref. Figure 27
Roles In Phase 4
Ref. Figure 28
Phase 4 Description (1/5)
Ref. Figure 29
Phase 4 Description (2/5)
Ref. Figure 29
Phase 4 Description (3/5)
Ref. Figure 29
Phase 4 Description (4/5)
Ref. Figure 29
Phase 4 Description (5/5)
Ref. Figure 29
Phase 4 RACI Chart
Ref. Figure 30
Phase 4 – What Needs to Be Done?
Develop program plan
  o Prioritize potential initiatives
  o Develop formal and justifiable projects
  o Use plans that include contribution and program objectives
Empower role players and identify quick wins
  o High benefit, easy implementations should come first
  o Obtain buy-in by key stakeholders affected by the change
  o Identify strengths in existing processes and leverage accordingly
Design and build improvements
  o Plot improvements onto a grid to assist with prioritization
  o Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks
© 2012 ISACA. All Rights Reserved.
Module 5.2: Phase 5 How do we get there?
5.2
PE Plan & Execute the program (How do we get there? – Phase 5)
Continual Improvement Life Cycle Phase 5
Ref. Figure 31
Roles in Phase 5
Ref. Figure 32
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 Description
Ref. Figure 33
Phase 5 RACI Chart
Ref. Figure 34
Phase 5 – How Do We Get There?
Execute the plan
  o Execute projects according to an integrated program plan
  o Provide regular update reports to stakeholders
  o Document and monitor the contribution of projects while managing risks identified
Enable operation and use
  o Build on the momentum and credibility of quick wins
  o Plan cultural and behavioral aspects of the broader transition
  o Define measures of success
Implement improvements
  o Adopt and adapt best practices to suit the enterprise’s approach to policies and process changes
© 2012 ISACA. All Rights Reserved.
PE Plan & Execute the program
Case Study Scenario: Additional Phase 4 & 5 Information
The CIO approached the IT GRC manager and is not convinced that he has captured all of the COBIT processes needed to mitigate the risks associated with their issues.
Exercise 003

1. Which 2 additional processes should be selected to help mitigate all of the risks associated with the security issues (issue 2)?
   A. APO07
   B. DSS01
   C. BAI06
   D. APO01
   E. APO08

2. Which 2 additional processes should be selected to help mitigate the risks of projects failing due to cost, delays, scope creep or changed business priorities associated with the project delivery issues (issue 4)?
   A. BAI03
   B. APO03
   C. EDM04
   D. MEA01
   E. APO06
Case Study Scenario: Additional Phase 4 & 5 Information
Using the Scenario, answer the following questions about change enablement tasks. The project is now at Phase 4, ‘What needs to be done?’. The IT GRC Manager called a Project planning meeting and decided on some Change Enablement objectives in order to ‘get things moving’. Decide whether the action taken by the IT GRC Manager to address each objective is an appropriate Phase 4 Change Enablement (CE) task and select the response that supports your decision.
Exercise 003

3. Objective 1: Obtain buy-in from the local office.
   Action: The IT GRC Manager has held a workshop with key members of business and IT to review and confirm the proposed change management process.
   Is this action an appropriate Phase 4 CE task for Objective No 1?
   A. No, because any required changes will be enforced through local management or the Overseas Head Office.
   B. No, because the commitment to make the change should have been obtained in Phase 3.
   C. Yes, because consulting affected stakeholders will help make them responsible to accept results.
   D. Yes, because this will ensure the change management process is implemented as a quick win.
4. Objective 2: Speed up the implementation for a new Change process which will apply to both the business and IT.
   Action: The IT GRC Manager has decided to implement an IT version of the change response plans.
   Is this action an appropriate Phase 4 CE task to address Objective No 2?
   A. No, because engagement should have been made with all affected areas prior to the implementation, e.g. the business management.
   B. No, because the implementation of the change response plan should have been performed at Phase 3.
   C. Yes, because a Phase 4 CE task is about understanding what IT solutions will be needed to support the Overseas Head Office compliance requirements.
   D. Yes, because a Phase 4 CE task is to prioritize and select improvements.
Exercise 003

5. Objective 3: Build on Phase 2 ‘Where are we now’ and identify tasks that don’t take long to implement.
   Action: The IT GRC Manager has decided to go ahead and implement quick wins in as short a time as possible without immediate consultation with the business.
   Is this action an appropriate Phase 4 CE task to address Objective No 3?
   A. No, because changes to existing processes at the local office should be designed during Phase 1.
   B. No, because visibility of the changes by methods such as a workshop is needed.
   C. Yes, because providing the concept of the change has been proven.
   D. Yes, because a Phase 4 activity is to perform a gap analysis to identify the improvements needed to the change management process.

6. Objective 4: Leverage existing processes (from the Overseas Head Office).
   Action: The IT GRC Manager has obtained details of a number of compliance related processes from the Overseas Head Office which are used successfully to manage Compliance. The plan is to adapt these processes for use at the local office.
   Is this action an appropriate Phase 4 CE task to address Objective No 4?
   A. No, because changes to existing processes at the local office should have been designed during Phase 1.
   B. No, because the processes should be implemented ‘as is’ if they have been used successfully at the Overseas Head Office.
   C. Yes, because a Phase 4 CE task is to identify existing strengths.
   D. Yes, because identifying work already performed in the organisation prevents duplication of effort and encourages re-use.
Module 6: RB: Realize benefits and review effectiveness
Module 6.1: Phase 6 Did we get there?
6.1
RB: Realize Benefits and Review effectiveness (Did we get there? ‐ Phase 6)
Continual Improvement Life Cycle Phase 6
Ref. Figure 35
Roles in Phase 6
Ref. Figure 36
Phase 6 Description (1/3)
Ref. Figure 37
Phase 6 Description (2/3)
Ref. Figure 37
Phase 6 Description (3/3)
Ref. Figure 37
Phase 6 RACI Chart
Ref. Figure 38
Phase 6 – Did We Get There?
Realize benefits
  o Monitor the overall performance of the program against business case objectives
  o Monitor and measure the investment performance
Embed new approaches
  o Provide transition from project mode to business as usual mode
  o Monitor whether new roles and responsibilities have been taken on
  o Track and assess objectives of the change response plans
  o Maintain communication and ensure communication between appropriate stakeholders continues
Operate and measure
  o Set targets for each metric
  o Measure metrics against targets
  o Communicate results and adjust targets as necessary
© 2012 ISACA. All Rights Reserved.
Module 6.2: Phase 7 How do we keep the momentum going?
6.2
RB: Realize Benefits and Review effectiveness (How do we keep the momentum going? – Phase 7)
Continual Improvement Life Cycle Phase 7
Ref. Figure 39
Roles in Phase 7
Ref. Figure 40
Phase 7 Description (1/3)
Ref. Figure 41
Phase 7 Description (2/3)
Ref. Figure 41
Phase 7 Description (3/3)
Ref. Figure 41
Phase 7 RACI Chart
Ref. Figure 42
Phase 7 – How Do We Keep Momentum?
Continual improvements – keeping the momentum is critical to sustainment of the lifecycle
Review the program benefits
  o Review program effectiveness through a program review gate
Sustain
  o Conscious reinforcement (reward achievers)
  o Ongoing communication campaign (feedback on performance)
  o Continuous top management commitment
Monitor and evaluate
  o Identify new governance objectives based on program experience
  o Communicate lessons learned and further improvement requirements for the next iteration of the cycle
© 2012 ISACA. All Rights Reserved.
RB: Realize Benefits and Review effectiveness
Case Study Scenario: Additional Phase 6 & 7 Information
The following questions concern the root causes of the challenges encountered when identifying whether the implementation has met its objectives. The IT GRC Manager decided to speak to a number of key members of the local office Management to gauge feedback on the Governance Initiative. The following issues were obtained from various members of local office staff:
• The change management process is seen as too hard to understand and has resulted in low usage of the process within the local office. Additionally, there was feedback that the solution looked like it was a direct copy of the Overseas Head Office process without consideration of local factors.
• The IT staff working on the Initiative are de-motivated as they felt they had been left to manage the project with little or no assistance from the Business Management.
• A lot of feedback asked the question ‘what have we achieved?’, as there was a belief that very little had changed, and concerns were raised as to the overall value of the Initiative.
Exercise 004

1. Which 2 actions are success factors that should help to resolve the lack of take up of the change management process?
   A. Obtain compliance input from the Overseas Head Office auditors.
   B. Involve the business process owners in the future refinement of the change process.
   C. Ensure all resources are full time and dedicated to the Governance Initiative.
   D. Arrange a training course for users of the change process.
   E. Produce a RACI matrix for Governance related roles for the local office.

2. Which 2 actions are success factors that should help to resolve the de-motivation of the IT staff working on the Governance Initiative?
   A. Produce a RACI matrix for Governance related roles for the local office.
   B. Seek to second* a Compliance resource from the Overseas Head Office.
   C. Organise a road show with the Business Management - Revisiting stakeholders.
   D. Ensure all resources are full time and dedicated to the Governance Initiative.
   E. Arrange a training course for users of the change process.
*Secondment: A temporary transfer of an official or worker to another position or employment.
Exercise 004

3. Which 2 actions are success factors that should help to resolve the concern raised over the overall value of the Governance Initiative?
   A. Issue a Compliance health check showing progress made.
   B. Arrange a training course for users of the change process.
   C. Seek to second* a compliance resource from the Overseas Head Office.
   D. Issue a compliance article on the Intranet site in business terms.
   E. Produce a RACI matrix for Governance related roles for the local office.

4. Which 2 documents are Inputs to the Phase 6 review of the Change Management process?
   A. Revised process documentation.
   B. A signed-off copy of the Change Management Procedure.
   C. IT and business measures added into the ongoing monitoring of the change process (post-project).
   D. A copy of the Change Management process before the implementation.
   E. A copy of the Benefits of the Change Process.
*Secondment: A temporary transfer of an official or worker to another position or employment.
Exercise 004

5. Which 2 documents are Outputs of the Phase 6 review of the Change Management process?
   A. A signed off copy of the Business Case.
   B. Revised process documentation.
   C. Business and IT agreed measures to monitor the change process.
   D. A signed off copy of the Change Management Procedure.
   E. Identification of the appropriate Change agents within the local office.

6. Which 2 activities are Programme Manager tasks to be performed during the Phase 6 review of the Change Management process?
   A. Review if the Change Management process is meeting its original intentions.
   B. Understand what went well and what didn’t.
   C. Develop an escalation procedure to Management.
   D. Communicate the results of the Change Management procedure to relevant Business and IT parties.
   E. Produce a report of the success factors required to be met for a successful implementation of the Change Management process.
Module 7: The Inner Layers: Change Enablement and Continuous Improvement
CE&CI Change Enablement and Continuous Improvement
The Relationship: IMPL‐ Prg M‐ CE ‐ CI
Change enablement relationships to Programme management Steps
The seven phases are shown with the program management steps they relate to. The table below outlines the seven change enablers (the second, or red, circle) and their relationship to the seven program management steps (the outer, dark blue, ring):

PHASE & PROGRAMME STEP           | CHANGE ENABLER RELATED TO THAT STEP | CONTINUAL IMPROVEMENT LIFE CYCLE
Initiate Program                 | Establish Desire to change          | Recognise need to act
Define Problems & Opportunities  | Form Implementation Team            | Assess current state
Define Road Map                  | Communicate Outcome                 | Define target state
Plan Programme                   | Identify role players               | Build improvement
Execute Plan                     | Operate and use                     | Implement Improvements
Realise Benefits                 | Embed new approaches                | Operate and Measure
Review Effectiveness             | Sustain                             | Monitor and Evaluate
Making the Business Case, i.e. Justification to the Board
The characteristics of a good business case:
o The importance of a business case cannot be overstated. An appropriate level of urgency needs to be instilled, and the key stakeholders should be aware of the risk of not taking action. An initiative should be owned by a (senior) sponsor, involve all key stakeholders, and be based on a business case.
o Initially this can be a high-level business case dealing with the strategic benefits and costs, and then progress to a more detailed business case. It is a valuable tool available to management in guiding the creation of business value.
Characteristics of a Good Business Case
At a minimum a Business case should include:
o The business benefits that will be realized
o The business changes required
o The investments needed
o The on-going IT operating costs
o Constraints and dependencies derived from the risk assessment
o Roles, responsibilities and accountabilities relative to other initiatives
o How the investment and value creation will be monitored throughout the economic life cycle
Exercise 005

Make a project plan for the COBIT5 Implementation with typical timelines.
Allocate teams the relevant roles.
Decide and highlight the “Target State” metrics, compared to the current ones.
Module 8: Process Assessment / Verification
Overview
COBIT 5 Process Reference Model
Components of ISO/IEC 15504 Process Assessment
Assessment Process Activities
1 – Initiation
2 – Planning the Assessment
3 – Briefing
4 – Data Collection
5 – Data Validation
6 – Process Attribute Rating
7 – Reporting the Results
1. Initiation
• Identify the sponsor and define the purpose of the assessment (why it is being carried out)
• Define the scope of the assessment: which processes are being assessed, and what constraints, if any, apply to the assessment
• Identify any additional information that needs to be gathered
• Select the assessment participants and the assessment team, and define the roles of team members
• Define the assessment inputs and outputs, and have them approved by the sponsor
2. Planning the Assessment
• An assessment plan describing all activities performed in conducting the assessment is developed and documented, together with an assessment schedule
• Identify the project scope
• Secure the necessary resources to perform the assessment
• Determine the method of collating, reviewing, validating and documenting the information required for the assessment
• Coordinate assessment activities with the Organizational Unit being assessed
3. Briefing
• The Assessment Team Leader ensures that the assessment team understands the assessment input, process and output
• Brief the Organizational Unit on the performance of the assessment: the PAM (Process Assessment Model), assessment scope, scheduling, constraints, roles and responsibilities, resource requirements, etc.
4. Data Collection
• The assessor obtains (and documents) an understanding of the process(es), including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment
• Data required for evaluating the processes within the scope of the assessment is collected in a systematic manner
• The strategy and techniques for the selection, collection and analysis of data, and for the justification of the ratings, are explicitly identified and demonstrable
• Each process identified in the assessment scope is assessed on the basis of objective evidence
• The objective evidence gathered for each attribute of each process assessed must be sufficient to meet the assessment purpose and scope
• Objective evidence that supports the assessors’ judgement of process attribute ratings is recorded and maintained in the Assessment Record. This Record provides evidence to substantiate the ratings and to verify compliance with the requirements.
5. Data Validation
• Actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope, including: seeking information from first-hand, independent sources; using past assessment results; and holding feedback sessions to validate the information collected
• Some data validation may occur as the data is being collected
6. Process Attribute Rating
• For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope
• The rating is based on data validated in the previous activity
• Traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned
• For each process attribute rated, the relationship between the indicators and the objective evidence is recorded
7. Reporting the Results
• The results of the assessment are analysed and presented in a report
• The report also covers any key issues raised during the assessment, such as:
  • observed areas of strength and weakness
  • findings of high risk, i.e. the magnitude of the gap between assessed capability and desired/required capability
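Activities 4 to 7 above (collect evidence into the Assessment Record, validate it, rate each attribute with traceability to that evidence, report the gap) as an added worked example. This is the editor's illustration, not part of the ISACA or 4P Advisory Services course material: a small Python assessment record that keeps the evidence-to-rating traceability required in activity 6, applies the ISO/IEC 15504-2 rating scale (N/P/L/F) and the capability-level rule from that standard, and produces the activity 7 gap finding. The process names are COBIT 5 processes; the evidence entries, achievement percentages, target levels, the "no validated evidence means the attribute cannot be rated above N" policy and the "gap of 2 or more levels is high risk" threshold are constructed assumptions for the example.

```python
"""Added example (not course material): an ISO/IEC 15504-style assessment record
that ties process-attribute ratings to validated evidence and reports the gap
to the target capability level. Sample data below is constructed."""
from dataclasses import dataclass, field

# Process attributes grouped by capability level (ISO/IEC 15504-2, as used by the COBIT 5 PAM).
ATTRIBUTES_BY_LEVEL = {
    1: ("PA 1.1",),
    2: ("PA 2.1", "PA 2.2"),
    3: ("PA 3.1", "PA 3.2"),
    4: ("PA 4.1", "PA 4.2"),
    5: ("PA 5.1", "PA 5.2"),
}


def rate_attribute(percent_achieved: float) -> str:
    """Map percentage achievement to the ISO/IEC 15504-2 rating scale (N/P/L/F)."""
    if not 0.0 <= percent_achieved <= 100.0:
        raise ValueError(f"achievement out of range: {percent_achieved}")
    if percent_achieved <= 15.0:
        return "N"  # Not achieved: 0 to 15%
    if percent_achieved <= 50.0:
        return "P"  # Partially achieved: >15% to 50%
    if percent_achieved <= 85.0:
        return "L"  # Largely achieved: >50% to 85%
    return "F"      # Fully achieved: >85% to 100%


@dataclass(frozen=True)
class Evidence:
    """One entry in the Assessment Record (activity 4), linked to the indicator it satisfies."""
    ref: str         # record reference, e.g. "EV-01"
    attribute: str   # process attribute the evidence supports
    indicator: str   # indicator matched (practice or work product); free text here
    validated: bool  # survived data validation (activity 5)


@dataclass
class ProcessAssessment:
    process: str
    scope_level: int   # highest capability level in the assessment scope
    target_level: int  # desired/required capability
    achievement: dict  # attribute -> % achievement judged from validated data (constructed)
    evidence: list = field(default_factory=list)

    def validated_evidence(self, attribute: str) -> list:
        return [e for e in self.evidence if e.attribute == attribute and e.validated]

    def ratings(self) -> dict:
        """Activity 6: rate every attribute up to scope_level. Example policy (an assumption,
        not a rule of the standard): with no validated evidence an attribute stays at N."""
        result = {}
        for level in range(1, self.scope_level + 1):
            for attr in ATTRIBUTES_BY_LEVEL[level]:
                if not self.validated_evidence(attr):
                    result[attr] = "N"
                else:
                    result[attr] = rate_attribute(self.achievement.get(attr, 0.0))
        return result

    def capability_level(self) -> int:
        """ISO/IEC 15504-2 rule: level n is achieved when every attribute below n is F and
        every attribute of level n is L or F; the first level that fails ends the climb."""
        ratings = self.ratings()
        achieved = 0
        for level in range(1, self.scope_level + 1):
            lower_full = all(ratings[a] == "F"
                             for lvl in range(1, level) for a in ATTRIBUTES_BY_LEVEL[lvl])
            own_ok = all(ratings[a] in ("L", "F") for a in ATTRIBUTES_BY_LEVEL[level])
            if lower_full and own_ok:
                achieved = level
            else:
                break
        return achieved

    def traceability(self) -> dict:
        """Attribute -> validated evidence references that substantiate its rating."""
        return {attr: [e.ref for e in self.validated_evidence(attr)] for attr in self.ratings()}

    def report(self, high_risk_gap: int = 2) -> dict:
        """Activity 7: ratings, achieved level, gap to target; gap >= high_risk_gap is flagged
        (the threshold is an assumption for this example)."""
        level = self.capability_level()
        gap = max(self.target_level - level, 0)
        return {"process": self.process, "ratings": self.ratings(), "capability_level": level,
                "target_level": self.target_level, "gap": gap, "high_risk": gap >= high_risk_gap,
                "traceability": self.traceability()}


def assess_all(assessments: list) -> list:
    return [a.report() for a in assessments]


def high_risk_findings(reports: list) -> list:
    return [r["process"] for r in reports if r["high_risk"]]


# Constructed sample data: three COBIT 5 processes with invented evidence and percentages.
SAMPLE = [
    ProcessAssessment("DSS05 Manage security services", scope_level=3, target_level=3,
                      achievement={"PA 1.1": 95, "PA 2.1": 90, "PA 2.2": 70, "PA 3.1": 40, "PA 3.2": 20},
                      evidence=[Evidence("EV-01", "PA 1.1", "approved information security policy", True),
                                Evidence("EV-02", "PA 2.1", "process objectives and schedule", True),
                                Evidence("EV-03", "PA 2.2", "work product review records", True),
                                Evidence("EV-04", "PA 3.1", "standard process definition", False),  # rejected in validation
                                Evidence("EV-05", "PA 3.2", "deployment records", True)]),
    ProcessAssessment("APO13 Manage security", scope_level=3, target_level=3,
                      achievement={"PA 1.1": 60, "PA 2.1": 30},
                      evidence=[Evidence("EV-06", "PA 1.1", "ISMS scope statement", True),
                                Evidence("EV-07", "PA 2.1", "security plan with owners", True)]),
    ProcessAssessment("BAI06 Manage changes", scope_level=1, target_level=1,
                      achievement={"PA 1.1": 90},  # assessor impression with no validated evidence
                      evidence=[Evidence("EV-08", "PA 1.1", "change tickets", False)]),
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE):
        print(r["process"], r["ratings"], "level", r["capability_level"],
              "gap", r["gap"], "high risk" if r["high_risk"] else "")
```

The point the code makes that the slides only state: a rating that cannot be traced to validated evidence is not a rating (BAI06 drops to N and level 0 despite a 90% impression), and a single attribute stuck at L blocks the next level (DSS05 stays at level 2 because PA 2.2 is not F), which is what the activity 7 gap finding has to explain.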