In the summer of 2014, the chief information officer (CIO) of a shared service center (SSC) owned by 3 different, culturally diverse types of companies asked the author to perform an assessment based on COBIT 5. The most pressing question the CIO needed to answer for his organization’s board of directors (BoD) was, “Are we in control of IT?” One year later, the consultant’s goal is to evaluate whether the CIO and the managers of the SSC are making progress in answering the board’s question with, “Yes, we are in control of IT because of ….” This article describes the work that had to be done (using combined knowledge of ISO/IEC 38500, COBIT 4.1 and COBIT 5) to make COBIT 5 more applicable and support the one-year-later assessment at the SSC.
Approach
The approach followed the COBIT Assessor Guide: Using COBIT 5 to create a plan and discuss it with the CIO and his management team. The first survey was conducted in 2014. In 2015, a second survey on the improvements made was completed. The things that make this custom-made approach successful are specific products such as:
- The adapted specific goals cascade for SSCs
- The COBIT 5: Enabling Processes guide
- Graphical, coherent process schemes in Visio depicting the processes within the scope of the project (figure 1)
- The COBIT 4.1 controls translated to the COBIT 5 processes
- A list of possible risk areas matching all process steps of COBIT 5
Figure 1—Detailed BAI06 Manage Changes Process
Source: Jörg Schorning. Reprinted with permission.
All previously mentioned tailor-made tools were built upon the standard ISACA documentations, e.g., the assessor guide and its approach (figure 2).
Figure 2—Standard Approach Assessment With COBIT 5
Source: Jörg Schorning. Reprinted with permission.
Assessment Outcome
The assessment outcome has an impact on several different levels of responsibility including within the single process, in relation to other processes, and regarding accountability toward the owner and stakeholders:
- Detailed level—First, the outcomes were presented in a detailed manner describing how to improve the individual processes to close the gap toward the target capability. These outcomes were discussed with the process owners. The main goal was to make the process owners aware of the growth and benefits of the process capability. For example, the process BAI02 Manage requirements definition can help bridge the gap toward capability by making the process owner accountable for the decisions on the requirements, driven by the needs of the business. Because the process owner was not comfortable with the requirements definition, he let the SSC decide what was good for his business. Making the process owners accountable and supporting their collaboration within the committes responsible agreeing on the requirements and the requirements definition process enable better decision making on the needed requirements for business applications, addressing the advisable level of detail, availability, security, etc.
- Overall level—Next, the outcomes were aggregated (based on causes) from a challenge point of view and presented and discussed with the SSC CIO and management team. The outcomes focused on points of improvement that would make the most impact. For the SSC, this meant maintaining the processes that were identified as most impactful and improving those that could be most effective in closing the gap by addressing specific challenges and irregularities.
- Creating accountability—Two of the most common themes that emerged in the survey were poor governance and the lack of an accountability framework. The goal of the SSC sessions was to improve the expectations the BoD has of the SSC by developing an agreed-upon charter to deliver the appropriate services. Figure 3 shows an example detail of an accountability framework, showing roles combined with COBIT 5 processes and process steps.
Figure 3—Detail of a COBIT 5 Accountability Framework
Source: Jörg Schorning. Reprinted with permission.
- Improvements—The improvements the SSC management team need to make to be more successful include:
- Increasing transparency to the business by delivering key performance indicators (KPIs) concerning the business needs relative to the performance of the IT processes
- Involving the business side in making decisions even if the business side does not take accountability or responsibility
- Showing and recording more benefits of being in control of IT
- Being more clear about risk, but letting the business decide what risk appetite it feels comfortable with and suits the enterprise
- Making sure the team creates enough alignment between IT and business at each domain of COBIT 5
Are There Benefits of a COBIT 5 Self-assessment for a Shared Service Center?
The answer is yes. The COBIT 5 guidance is comprehensive, but performing a quick self-assessment is not easy. The consultant had to develop several tailor-made products based on COBIT 5 and COBIT 4.1 to do the assessment within a short time frame and make it repeatable.
The COBIT 5 approach was reviewed by the SSC accountant and found to be solid based on the accountant’s experience and knowledge of other frameworks. Today, the SSC is functioning quite well, but some improvements are still required to reach the target levels.
The most important conclusion reached in this case was that the business must take more accountability and responsibility. Employees and managers of the SSC have the responsibility to address this with the business functions they support.
As of this writing, the SSC has made progress in closing the gap, but it needs the absolute cooperation of the business and the BoD. A discussion based on COBIT 5 and ISO/IEC 38500 has been started. The role and the tasks of the CIO must be more clearly defined and formalized in an agreed-upon charter. The members of the BoD and IT steering committee must take responsibility for governance and develop a solid and transparent accountability framework.
We now know from experience that changing 3 different types of business views (members of the SSC) of IT takes commitment and creates tension, but is worthwhile.
In 2016, a new self-assessment is planned to measure whether the changes have become part of the daily business in the processes and, hopefully, the business will be a solid, accountable partner and not only a sponsor of the self-assessment. Due to this understanding, COBIT 5’s Evaluate, Direct and Monitor (EDM) domain can be part of the future assessment. For the moment, the business is in control of IT, but there are important improvements still to be made. In the process assessment in figure 4, there are no EDM processes found (though the goals cascade pointed them out), because the BoD was not ready to take part in this survey. In 2016, the BoD will be accountable for the self-assessment.
Figure 4—The Target and Gap Process Capability in Scope
Source: ISACA, COBIT Assessor Guide: Using COBIT 5, USA, 2013.
Conclusion
It is important for stakeholders to understand that they do not need to rely only on the knowledge of the good practices found in the COBIT publications, but rather can begin by skipping the unnecessary parts and focus on those parts that make substantial contributions to the business. To obtain and remain in control means, “Less is more.” Create or find the information that specifically fits your organization’s needs and purpose. This only works in consultation with the business starting with the appropriate goals cascade. As an SSC, this means working and balancing in different dimensions for more than 1 company with different strategic goals that can be made transparent and understandable.
Author’s Note
The author wishes to thank Evert Obdeijn and Johan Zonneveld for giving feedback during the writing process.
Jörg Schorning, COBIT Assessor, COBIT Foundation, COBIT Implementation
Is a trained COBIT 5 specialist and enterprise architect at NOVIUS Consulting Group in The Netherlands. He is especially interested in governance issues between business and IT. Schorning has been using COBIT 5 in his daily work as an architect, interim IT manager and consultant since 2012. He has a strong focus on making COBIT 5 practical and useful to his clients.