by Peter B. Nichol

A process model for measuring relationships with COBIT

Jan 25, 2018
CIOIT LeadershipIT Strategy

Expanding your relationships requires first measuring them to determine how effectively you’re building credibility.

managing business process cycle rotate phases
Credit: Thinkstock

How do you measure the business-partner relationship with your provider organization? Apply COBIT 5.

CIOs have recently reinvigorated the dull IT liaison role by coining it “the business-relationship manager.” This role is accountable for the relationship between information technology and the business partners.

Before business-relationship managers skip off to schedule strategic road-mapping discussions, relationships need to be measured. Asking questions about perceived value realization won’t do it. Inquiring about the benefits received isn’t going to get us there either. This discussion requires metrics—hard, quantifiable metrics that can be measured and monitored over time.

Evolution to COBIT 5

Several frameworks provide insight into robust high-level practices including COSO, ITIL, BiSL, ISO 9000 (quality), ISO 27000 (information security), ISO 31000 (risk management), ISO 38500 (IT governance, CMMI, TOGAF, and PMBOK. However, one framework exceeds all these in providing standardization: COBIT 5.

The Information Systems Audit and Control Association (ISACA) launched the Control Objectives for Information and Related Technologies (COBIT) framework in 1996. ISACA published COBIT 5 in April of 2012. The framework is commonly called Control Objectives for Information and Related Technology (CobiT). The framework concepts—not surprisingly—are extremely relevant to understanding and measuring information technology. COBIT 5 defines best practices for information-technology management.

COBIT is a mature, best-practice framework that has evolved over the last twenty-two years.

  • 1996 Audit: first edition of the framework released, focusing on Audit
  • 1998 Control: second edition of the framework released, adding Control
  • 2000 COBIT3: third edition of the framework released, revising Management Guidelines
  • 2005 COBIT 4.0: fourth edition of the framework released, revising prior editions
  • 2007 COBIT 4.1: minor release, including overall upgrades
  • 2012 COBIT 5: fifth edition and a major overhaul, adding in Val IT 2.0 framework, Risk IT frameworks, concepts from ISACA’s IT Assurance Framework (ITAF), and the Business Model for Information Security (BMIS).

In addition, COBIT 5 is coordinated to major frameworks and standards including ITIL, ISO, PMBOK, PRINCE2, and TOGAF. The COBIT 5 framework is a highly integrated and recognized standard of best practices for information technology management. By using COBIT 5, your organization has already started the journey toward value realization.

COBIT 5 areas and domains

COBIT 5 separates governance from management of the enterprise.

Governance area

  • Evaluate, Direct and Monitor (EDM): ensures governance framework setting and maintenance, benefits delivery, risk optimization, resource optimization, and stakeholder transparency

Management of information technology area

  • Align, Plan and Organize (APO): manages the IT management framework; strategy; enterprise architecture; innovation; portfolio; budget and costs; human resources; relationship; service agreements; suppliers; quality; risk; and security
  • Build, Acquire and Implement (BAI): manages programs and projects; requirements definition; solutions identification and build; availability and capacity; organizational change enablement; change, change acceptance, and transitioning; knowledge; assets; and configuration
  • Deliver, Service and Support (DSS): manages operations, service requests and incidents, problems, continuity, security services, and business-process controls
  • Monitor, Evaluate and Assess (MEA):  monitors, evaluates, and assesses performance and conformance, the system of internal controls, and compliance with external requirements

ISACA defines COBIT 5 as “a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.” The COBIT 5 organizational enablers span seven categories:

  1. Principles, policies and frameworks: shifting behavior into action
  2. Processes: for consistent practices to achieve consistent results
  3. Organizational structures: enterprise decision design
  4. Culture, ethics and behavior: connecting beliefs to conduct
  5. Information: moving from raw data to actionable knowledge
  6. Services, infrastructures and applications: to improve stability, control, and transparency
  7. People, skills and competencies: translates knowledge into results

Managing relationships with COBIT 5

There are several areas applicable to business-relationship management within COBIT 5. However, Align, Plan, and Organize (APO) is the most applicable and, specifically, within the APO domain, the function labeled Manage Relationships.

The process officially called APO08 Manage Relationships is defined as a way to “manage the relationship between business and IT in a formalized and transparent way that ensures a focus on achieving a common and shared goal of successful enterprise outcomes in support of strategic goals within the constraints of budgets and risk tolerance.”

The process purpose statement, to “create improved outcomes, increased confidence, trust in IT, and effective use of resources” sounds strangely similar to the objective and responsibility of the business-relationship manager (BRM).

Within the Align, Plan, and Organize domain and the APO08 Manage Relationships process, there are five key management practices:

  1. Understand business expectations (APO08.01)
  2. Identify opportunities, risk, and constraints for IT to enhance the business (APO08.02)
  3. Manage the business relationship (APO08.03)
  4. Coordinate and communicate (APO08.04)
  5. Provide input to the continual improvement of services (APO08.05)

Measuring relationships with COBIT 5

The Manage Relationships process is designed to achieve four main objectives with supporting measures:

Alignment of IT and business strategy

  • Percent of enterprise strategic goals and requirements supported by IT strategic goals
  • Level of stakeholder satisfaction with the scope of planned portfolio of programs and services
  • Percent of IT value drivers mapped to business value drivers

Delivery of IT services in line with business requirements

  • Number of business disruptions due to IT service incidents
  • Percent of business stakeholders satisfied that IT service delivery meets agreed-on service levels
  • Percent of users satisfied with the quality of IT service delivery

Enablement and support through integrating applications and technology into business processes

  • Number of business-processing incidents caused by technology integration errors
  • Number of business-process changes that need to be delayed or reworked because of technology integration issues
  • Number of IT-enabled business programs delayed or incurring additional cost due to technology-integration issues
  • Number of applications or critical infrastructures operating in silos and not integrated

Knowledge, expertise, and initiatives for business innovation

  • Level of business executive awareness and understanding of IT innovation possibilities
  • Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
  • Number of approved initiatives resulting from innovative IT ideas

The future of organizational design

Leveraging COBIT 5 enhances the provider organization’s ability to measure the business partner’s relationship adequately. The additional benefit is a best-practices framework that can only improve provider credibility. Adding value begins by measuring value.