ITIL and COBIT in combination: Assessing Process Maturity

Ken, we've seen a number of theoretical articles written on mixing ITIL and COBIT, but you've actually had practical experience in combining these standards. What did you want to achieve?

My previous experience as Executive Audit Manager, IT & T at Commonwealth Bank had demonstrated that using both of these de facto standards separately for auditing purposes left gaps in our analysis of the processes and the controls over them. When we used COBIT (at that time Version 3) with a traditional audit approach, we found that the COBIT processes were very much silo-focused, and this resulted in a large amount of duplication of effort by the audit team. Further, we did not get an end-to-end view of the processes under audit review, and the group audited did not like the final outcome.

So you needed an end-to-end view, and ITIL provides this more effectively than COBIT?

Yes, we decided to use ITIL the next time we conducted this audit. However, to reduce the amount of effort and to get better engagement from the auditee, we decided to use Control Self Assessment (CSA) through facilitated workshops. To enable this to occur, we developed a series of ITIL CSA statements. Whilst the outcome was positive from the auditee's point of view and the amount of audit effort required was significantly reduced, we found that the approach, whilst it gave us an end-to-end view, lacked sufficient exposure to the controls/governance environment.

I guess that sent you back to the drawing board, to get greater Governance information?

We then decided to use a combination of ITIL and COBIT with CSA and facilitated workshops the next time the audit was undertaken. The combination, approximately 75% ITIL and 25% COBIT, gave us a view that spanned end-to-end across the IT processes and the governance over them. The outcome of the audits using this combination significantly improved the quality of the deliverables, which were appreciated by the auditee, the executive management of the organisation and the IT outsourcer. Further, with the outcomes from the CSA workshops we were also able to identify where the IT service provider was in terms of their process maturity, using COBIT's generic maturity model.

How were you able to apply this learning immediately when you went to TAB as CIO?

The lessons that I learnt from this experience were then transitioned into a new role as CIO of Tab Limited (Tab). At Tab we made a strategic decision to implement ITIL to move the organisation's IT service management from a reactive to a proactive environment, whilst at the same time driving down our IT costs. In parallel with the ITIL implementation we implemented the COBIT governance model. Again the 75% ITIL and 25% COBIT combination was used with great success, as measured by:
- Significant improvement in availability from 97% to 99.8% across the IT infrastructure (over 8000 operating systems)
- Increased customer satisfaction rating from 2.75 to 4.25 out of 5
- Over 14% reduction in operating expenditure ($6 million), with 50% reduction in capital expenditure ($7.7 million)
- Increased business service levels
(See Note)

What was the main contribution of each standard to your work?

As in my reply to your earlier question, we used approximately 75% ITIL and 25% COBIT. The rationale behind this is that both standards have strengths; however, if you implement both, it comes at a significant cost to the enterprise, and we wanted outcomes that were cost-effective for the organisation. Therefore, we identified that, when used in combination, ITIL was around 75% and COBIT 25%. If we increased ITIL to, say, 85% and reduced COBIT to 15%, we found that the level of IT governance was not strong enough to minimise the level of operational risk that the business would accept. I know there are those out there who will disagree with me. However, when you are running IT like a business you need to consider the bottom line. When we increased the level of COBIT to 35% and reduced ITIL to 65%, we lost efficiency of operations, and our customers were not happy with the reduction in the level of service and the increase in costs that additional IT governance imposed. Therefore, experience had shown us that the 75:25 ratio between ITIL and COBIT was a good fit for our business model.

Did you use consultants, or was there sufficient in-house expertise?

We initially engaged an ITIL consultant for a 6-week period to assist us in developing the ITIL CSA statements covering 10 ITIL processes, which map across to 10 COBIT processes. However, after using the ITIL CSA statements in the audit, we decided to expand the 10 processes to 14 with the addition of 4 COBIT-specific processes. Given that there was no ITIL documentation covering these processes, for example Strategic IT Planning, we developed our own ITIL equivalent.

How long did it take to develop these new assessment sets?

We spent several weeks extracting information from COBIT to develop CSA statements to complement the ITIL CSA statements. Testing the effectiveness of the combined ITIL and COBIT CSA statements was undertaken using a facilitated workshop. The outcome was a significant improvement. However, we had to reduce the number of CSA statements that we could cover during a 2-hour workshop and fine-tune the wording to get the desired outcome.

Most assessments use questions. How did those assessing the process capability respond to statements rather than the more familiar ITIL questions?

The value of using CSA statements rather than questions is that, if you use ITIL questions, you just get a choice of a YES or NO answer. What we were looking for was a more granular response using a 5-point scale, i.e. Agree, Slightly Agree, Neither Agree nor Disagree, Slightly Disagree and Disagree. From this we could then query the CSA workshop attendees on their responses, gathering further information to improve the quality of the answers. The 5-point rating was later used as input in determining their process maturity level.

What methodology did you use for assessing the maturity level, and would you alter this if you had to do this again?

We initially used the COBIT Generic Maturity Model. However, we found that the audience of our audit reports was more familiar with the CMM capability model. Therefore, we adapted our input criteria for determining the process maturity rating to take into account the difference between COBIT's Generic Maturity Model (6-point scale) and CMM (5-point scale).

You did this with COBIT V3. Does COBIT V4 remove the need to combine, or is there still value in the combination?

With the release of COBIT V4 we have reviewed the changes, and whilst there has been an improvement, we believe that the combination of ITIL and COBIT is the best option. We have made some changes to the CSA statements to take into account the COBIT V4 changes. However, with the planned release of ITIL V3 we believe that the two de facto standards are getting closer together, and hopefully the combination will no longer be required.

What were the most significant problems you had to overcome?

The most significant problem was developing the CSA statements and getting the right balance between ITIL and COBIT that was effective and delivered the outcomes that we were seeking, namely:
- Reduce the amount of audit effort required;
- Engage the auditee from the outset;
- Deliver an outcome that the auditee valued.

What would you recommend to others?

I would recommend that they utilise both ITIL and COBIT in combination to deliver the best of both worlds, i.e. ITIL for IT Service Management and COBIT for IT Governance. As stated in my earlier responses, my experience in having used both standards as an IT Auditor and as a former CIO is that value is delivered by the use of both!