using cobit to integrate build and run

Governing BUILD and RUN (slide header date 11/17/2010). Harold Petersen, NUS ISS & Lucid IT Pte Ltd. Governing BUILD and RUN, 12 November 2010. www.iss.nus.edu.sg, www.lucidit.com.sg

Upload: paul-donald

Post on 22-Jan-2015


DESCRIPTION

Lucid IT Presentation (www.lucidit.com.au): Governing BUILD and RUN with COBIT

TRANSCRIPT

  • 1. Governing BUILD and RUN (11/17/2010). Harold Petersen, NUS ISS & Lucid IT Pte Ltd. Governing BUILD and RUN, 12 November 2010. www.iss.nus.edu.sg, www.lucidit.com.sg

  • 2. OUR MISSION: Develop Infocomm Leaders, drive Innovation. OUR VISION: Provide Thought-Leadership in Innovation. 2009 NUS. All Rights Reserved.
    COBIT in Action. Harold Petersen, Director, Lucid IT. November [email protected]

  • 3. Agenda
    - IT Governance
    - RUN, BUILD
    - Integrating governance of RUN and BUILD
    - Case studies: good, bad, ugly
    - Conclusion: Now let's get real

  • 4. IT Governance
    IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
    IT Governance specifies the decision rights and creates an accountability framework that encourages desirable use of IT - Weill and Ross (IT Governance, 2004)
    Control Framework
    - Corporate Objectives: setting the tone at the top
    - Legislation, etc. (e.g. SOX, Privacy, Fin. Mgt)
    - Enterprise Governance Framework (e.g. COSO, AS8000)
    - IT Governance Framework (e.g. COBIT, ISO/IEC 38500)
    - IT Best Practice Frameworks (e.g. ITIL, CMMi, P3O, PRINCE2, ISO27002)
    - The Organisation's Management System

  • 5. Value
    "...the enterprise's IT sustains and extends the organisation's strategies and objectives"
    So what comprises good IT? And how to achieve and enforce it?
    ISO 38500: Extend, Sustain. Build the IT services, Run the IT services.

  • 6. Governance: the old-fashioned way
    [Figure labels: CobiT]

  • 7. CobiT
    Control Objectives for Information and related Technology (CobiT) provides an IT governance and control framework to ensure alignment of IT to organisational objectives.
    - Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)
    - Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
    - Deliver and Support (DS): Receives the solutions and makes them usable for end users
    - Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed
    The CobiT v4 framework (adapted from: IT Governance Institute)
    Diagram labels: BUSINESS OBJECTIVES; GOVERNANCE OBJECTIVES; INFORMATION (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); IT RESOURCES (Applications, Information, Infrastructure, People); Domains; Processes.
    Plan and Organise
    - PO1 Define a strategic IT plan.
    - PO2 Define the information architecture.
    - PO3 Determine technological direction.
    - PO4 Define the IT processes, organisation and relationships.
    - PO5 Manage the IT investment.
    - PO6 Communicate management aims and direction.
    - PO7 Manage IT human resources.
    - PO8 Manage quality.
    - PO9 Assess and manage IT risks.
    - PO10 Manage projects.
    Acquire and Implement
    - AI1 Identify automated solutions.
    - AI2 Acquire and maintain application software.
    - AI3 Acquire and maintain technology infrastructure.
    - AI4 Enable operation and use.
    - AI5 Procure IT resources.
    - AI6 Manage changes.
    - AI7 Install and accredit solutions and changes.
    Deliver and Support
    - DS1 Define and manage service levels.
    - DS2 Manage third-party services.
    - DS3 Manage performance and capacity.
    - DS4 Ensure continuous service.
    - DS5 Ensure systems security.
    - DS6 Identify and allocate costs.
    - DS7 Educate and train users.
    - DS8 Manage service desk and incidents.
    - DS9 Manage the configuration.
    - DS10 Manage problems.
    - DS11 Manage data.
    - DS12 Manage the physical environment.
    - DS13 Manage operations.
    Monitor and Evaluate
    - ME1 Monitor and evaluate IT performance.
    - ME2 Monitor and evaluate internal control.
    - ME3 Ensure regulatory compliance.
    - ME4 Provide IT governance.

  • 8. Agenda: IT Governance; RUN, BUILD; Integrating governance of RUN and BUILD; Case studies: good, bad, ugly; Conclusion: Now let's get real
    PLAN, (part of) BUILD, RUN and IMPROVE: The ITIL Service Lifecycle

  • 9. [Figure labels: CobiT, ITIL, COSO]
    Detailed CobiT - ITIL Mapping 1/2 (CobiT Process - ITIL Lifecycle and/or Process)
    PLAN AND ORGANISE
    - PO1 Define a Strategic Plan - Service Strategy
    - PO2 Define the Information Architecture - Service Design
    - PO3 Determine Technological Direction - Service Strategy
    - PO4 Define the IT Processes, Org & relations - All lifecycle phases
    - PO5 Manage the IT Investment - Service Portfolio Management
    - PO9 Assess and manage IT risks - IT Service Continuity Management
    ACQUIRE AND IMPLEMENT
    - AI4 Enable Operation and Use - Release Management
    - AI5 Procure IT Resources - Supplier Management
    - AI6 Manage Changes - Change Management
    - AI7 Install and Accredit Solutions and Changes - Change and Release Management

  • 10. Detailed CobiT - ITIL Mapping (CobiT Process - ITIL Process)
    DELIVER AND SUPPORT
    - DS1 Define and Manage Service Levels - Service Level Management
    - DS2 Manage Third-party Services - Supplier Management
    - DS3 Manage Performance and Capacity - Capacity and Availability Management
    - DS4 Ensure Continuous Service - IT Service Continuity and Availability Management
    - DS6 Identify and Allocate Costs - Financial Management of IT Service
    - DS7 Educate & Train Users - Continual Service Improvement, Service Desk
    - DS8 Manage Service Desk and Incidents - Service Desk and Incident Management
    - DS9 Manage the Configuration - Configuration Management
    - DS10 Manage Problems - Problem Management
    - DS13 Manage Operations - Service Operations
    MONITOR AND EVALUATE
    - ME1 Monitor & evaluate - Continual Service Improvement
    PLAN & BUILD: P3O
    P3: Portfolio Management, Programme Management, Project Management. O: Office.
    P3O is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. The P3O Swirl logo is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. This is a Value Added product which is outside the scope of HMSO Core Licence. Sections of the P3O Reference Manual have been reproduced under licence from OGC. Lucid IT Pty Ltd, 2010 - All rights reserved.

  • 11. Example portfolio (SPMI Regional Symposium 2010)
    Example Prioritisation: Project Prioritisation Matrix
    [Bubble chart: y-axis Alignment with Strategy (0 to 2), x-axis Complexity (0 to 30); region labels: Low Hanging Fruit, Hard-earned Value, Join the Queue, Dogs, No Go zone]
    Size of bubble in this model indicates the size of the Investment. This could be tailored to NPV, IRR, etc.

  • 12. Example: ITIL/ITSM Implementation Programme
    [Diagram over a Time axis. Labels: Programme Management; Structural Organisational/Cultural Change Alignment; Tools Implementation & Alignment; Operations, Strategy, Transition, Design; Event Management, Problem Management, SD/Incident Management, Request Fulfillment, Release and Deployment Management, Change Management, Service Asset and Configuration Management, Knowledge Management, Service Catalogue Management, Service Level Management, Availability Management, Capacity Management]
    PRINCE2: Introduction, Principles, Themes, Processes, Tailoring, Appendices, Glossary, Index. Crown copyright 2009. Reproduced under licence from OGC.

  • 13. The PRINCE2 Journey
    [Diagram. Stages: Pre-project, Initiation stage, Subsequent delivery stage(s), Final delivery stage. Levels: Directing (Directing a Project), Managing (SU, IP, SB, CP, Controlling a Stage), Delivering (Managing Product Delivery). Input: Mandate]
    Key: SU = Starting up a Project; IP = Initiating a Project; SB = Managing a Stage Boundary; CP = Closing a Project.
    Based on OGC PRINCE2 material. Reproduced under licence from OGC.
    CobiT and PRINCE2: High Level Mapping of Prince2 with CobiT
    COBIT 4.0 Processes and Domains (process numbers 1 to 13; marks listed in order)
    - Plan and Organise: - - - + + - - + + +
    - Acquire and Implement: + + - - - - -
    - Deliver and Support: - - - - - - - - - - - - -
    - Monitor and Evaluate: + - - -
    Index: (+) Frequently addresses; (-) Not or rarely addressed; ( ) A COBIT IT process does not exist

  • 14. Example High Level P3O Model
    [Organisation diagram: Organisation Portfolio Office (permanent); Centre of Excellence (Standards, Skills/training, Assurance, Knowledge Mgmt); Hub Portfolio / Programme Office (permanent), shown twice; Programme Office (temporary); Project Office (temporary)]
    Crown copyright 2008. Reproduced under licence from OGC.
    [Figure labels: BSC, CobiT, ITIL, COSO, MSP, Prince2, PMO, pmBOK]

  • 15. Agenda: IT Governance; RUN, BUILD; Integrating governance of RUN and BUILD; Case studies: good, bad, ugly; Conclusion: Now let's get real
    Methodology Map
    - Customers
    - Plan IT Services, Build IT Services, Operate IT Services
    - Guiding Principles: ISO38500 Framework of Principles (Evaluate, Direct, Monitor)
    - WHAT: COBIT (Plan and Organise, Acquire And Implement, Deliver And Support, Monitor and Evaluate)
    - HOW: ITIL (Service Strategy, Service Design, Service Transition, Service Operation, Continuous Service Improvement)
    - DETAILED HOW: Specific Best Practices (Val IT, BSC, PMBoK, ISO27001, TOGAF, PRINCE2, ISO20000, MSP, SDLC, SAM, P3O, SPICE, ISO15504)

  • 16. Integration Dashboard
    Mappings Summary: COBIT process against ITIL, ISO 17799, CMM, PRINCE2, PMBOK and COSO (six +/- marks per process, in the order given in the transcript)
    PO1   + + - - - +
    PO2 PO3   --++++ - --- - +
    PO4   + + + + - +
    PO5   - + - + - +
    PO6   + - + - - +
    PO7   + - + - - -
    PO8   + - - + - +
    PO9   + + + + + +
    PO10  - - - + + +
    AI1   - - + + - +
    AI2   + - + + + +
    AI3   + - + - - +
    AI4   + + - - - +
    AI5   + + - - + -
    AI6   + + + - - +
    AI7   + + + - + +
    DS1   + + - - - -
    DS2   + + + - - +
    DS3   - + - - - -
    DS4   - + + - - -
    DS5   + + + - - -
    DS6   - + - - - +
    DS7   + + - - - +
    DS8   + + + - - -
    DS9   + + + - - +
    DS10  + + - - - +
    DS11  + - + - - +
    DS12  + - + - - -
    DS13  + + + - - -
    ME1   + + - + + +
    ME2   + - + - - -
    ME3   + - + - - -
    ME4   + - - - - +

  • 17. Agenda: IT Governance; RUN, BUILD; Integrating governance of RUN and BUILD; Case studies: good, bad, ugly; Conclusion: Now let's get real
    ITIL and IT Service Management - Dimensions to consider when implementing it -
    Effective implementation of IT Service Management involves a combination of:
    - Organisational Alignment
    - Effective IT Leadership & Governance
    - People (skills, motivation, training, culture)
    - Processes: ITIL and PMO best practices
    - Technology (Applications, infrastructure, tools)
    - Quality framework for continuous improvement

  • 18. Case 1 (Good)
    [Bar chart: Maturity Assessment, score 0.0 to 5.0 per CobiT process, grouped by CobiT Domain: PLAN AND ORGANISE (PO1 to PO10), ACQUIRE AND IMPLEMENT (AI1 to AI7), DELIVER AND SUPPORT (DS1 to DS13), MONITOR AND EVALUATE (ME1 to ME4); Maturity Target]
    [Diagram: Holistic Implementation framework. Labels: Business Drivers, Vision, Objectives (Roadmap), Assessment, Business Case, Go/No Go, Plan, Implementation Planning, Process Design, Functional Specification, Tool Evaluation & Selection, Governance, Build, Transition, Organisational Alignment, Communication and Training, Go Live, Implement, Maintain, Service Improvement, Optimise]

  • 19. Real improvement: an alive process
    [Change management workflow diagram. Roles: Change Originator; Stakeholders (Operations, Applications, Security, SLA); Change Manager; CAB; Change Builders & Implementers. Steps: Report Intention; Submit RFC form; Stakeholder Review & Sign off; Approve RFC (Minor); Approve RFC (Major & Significant); Authorise & schedule Implementation; Build & Test Change; Implement Change; Review & accept closure; Close RFC]
    From a change mgt tool workflow like this

  • 20. To something like:
    Example KPIs: costs/benefits
    [Charts: Costs SGD]

  • 21. [Bar chart: Post Implementation Maturity, score 0.0 to 5.0 per CobiT process, grouped by domain: PLAN AND ORGANISE (PO1 to PO10), ACQUIRE AND IMPLEMENT (AI1 to AI7), DELIVER AND SUPPORT (DS1 to DS13), MONITOR AND EVALUATE (ME1 to ME4); Importance: Low, Medium, High; Quality Management System]
    The journey: Stages of Acceptance (Source: Kubler-Ross)
    [Curve of Mood/Energy over Time: Denial, Anger, Negotiation, Acceptance of the Inevitable, Exploration of Possibilities, Integration]

  • 22. Case 2 (Bad): A vision, but no sense of reality
    - Current state assessment: alarming current state!
    - Months of business case development for a large ITIL programme (zero subsequent BC progress control)
    - Decision to develop their own tool
    - Managers, back-office staff and consultants prepare ITIL processes, but no involvement of the ones who are supposed to execute them
    - Once business case approved, management focuses on other things, programme abandoned
    Impact: Huge cost, Zero results, Resentment
    Conclusion: Lack of true senior management steering & commitment beyond initial initiative, No understanding of the people aspects
    GamingWorks. Reproduced with kind permission of GamingWorks.

  • 23. Case 3 (Ugly): Academic processes & tools
    - Academic ITIL champions, not seasoned implementers that understand organisational change
    - Academic current state assessment, full of motherhood statements
    - Very detailed process documents that no-one reads
    - Trying to automate each and every step in a tool workflow and over focus on all tool bells and whistles
    Impact: People get lost in the tool, No understanding of processes, Resentment, People pretend to comply, KPI reports irrelevant and a waste of time
    Conclusion: Academic approach, Focus on cheap solution, hiring certified people who however do not have the management and organisational change skills, tool vendor staff just follow academic functional specifications and build the solution, senior management doesn't realise what they would need to control and improve

  • 24. Tool workflow design for Change Management
    This cover to be removed in presentation mode, but not included in handouts as it potentially contains confidential info

  • 25. Case 4: P3O assessment - Will they have the Will?
    P3M3 is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. The P3M3 Swirl logo is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.
    Some quotes:
    - Some really good Project Managers
    - We tried portfolio prioritisation and tossed it
    - Poor planning is at the core of the issues
    - I exceeded budget: no questions were asked
    - There's a difference between what we thought we were buying and what we actually got
    - Real issues are usually not put on the table until late
    - Operations are under the hammer
    - There is no reliable data to feed portfolio controls
    - Projects appear on our doorstep
    - The PMO is important to us
    - Reluctance to manage expectations and challenge the boss
    - Over ambitious or under resourced

  • 26. PMO mapping onto P3O model
    [P3O organisation diagram as on slide 14, with overlay labels: PMO 1; N/A (Informal); (Operations) BU Portfolios; PMO 2; (Operations); PMO 2. Crown copyright 2008. Reproduced under licence from OGC.]
    Portfolio Management
    [Radar chart, scale 0 to 5, Target and Maturity series. Axes: Management Control, Benefits Management, Financial Management, Risk Management, Stakeholder Management, Organisational Governance, Resource Management]

  • 27. Project Management: PRINCE2 Themes
    [Radar chart, scale 0 to 5, Target and Maturity series. Axes: Business Case, Project Organisation, Plans, Quality, Change, Risk Management, Progress]
    Project Management: PRINCE2 Processes
    [Radar chart, scale 0 to 5, Target and Maturity series. Axes: Starting Up a Project, Initiating a Project, Controlling a Stage, Managing Stage, Managing Product, Closing a Project, Directing a Project]

  • 28. P3O - Target Model
    [Organisation diagram: Organisation Portfolio Office (permanent): Strategic PMO; Centre of Excellence: COE (Standards, Skills/training, Assurance, Knowledge Mgmt); Hub Portfolio / Programme Office (permanent): Operations BU Portfolios, PMO; Programme Office / Project Office (temporary): Operations, PMO, Project Boards. Crown copyright 2008. Reproduced under licence from OGC.]
    PMO implementation framework (Project Management 2010 and BEYOND.., PMI Singapore Chapter; SPMI Regional Symposium 2010)
    [Diagram labels: Business Drivers, Vision, Objectives (Roadmap), Assessment, Business Case, Go/No Go, Plan, Implementation Planning, Process Design, Functional Specification, Tool Evaluation & Selection, Governance, Build, Transition, Organisational Alignment, Communication and Training, Go Live, Implement, Maintain, Service Improvement, Optimise]
    Horizons over Time:
    - HORIZON 3 (H3: Create Viable Value Options): 1. Etc 2. Etc 3. Etc
    - HORIZON 2 (H2: Develop new Opportunities): 1. Etc 2. Etc 3. Etc
    - HORIZON 1 (H1: Extend the Core): 1. From current templates, pick a few key ones to institutionalise immediately (e.g. project plans, status reports, project closure reports) 2. Etc 3. Etc

  • 29. Pivotal Questions 1
    - A sense of running to standstill
    - P3O issues recognised
    - Ambition, workload and resource challenges get priority
    - Will we break that cycle?
    Business Integrated IT Management & Governance (SPMI Regional Symposium 2010)
    Business Requirements Drive the Service Lifecycle, Through IT Processes, Executed by IT Functions, Governed by Controls.
    [Diagram: Integrated IT Management Process Framework. Lifecycle: Strategy, Design, Build, Transition, Operate, Improve. Labels include: IT Service Strategy, IT Service Portfolio Management, Enterprise Strategy, Investment Portfolio & Governance, Architecture & Security, Programme/Project Lifecycle, Project Pipeline, IT Service Review, Business Change Management, Business Processes, Business Managed Services, IT Service Operations, Operations Management; IT Steering Committee, Strategy Committee, CIO, IT Managers, Programmes & Projects, Architects, Managers, Project Boards, Developers, System Integrators, CAB, Business Process Owners, Process Owners, Support Teams]
    ITIL V3, PRINCE2, MSP: Driving the Service Lifecycle HOW & COBIT 4.1 Governance Framework: Driving the WHAT & WHY. Lucid IT: Working with you to drive the VALUE.

  • 30. In Conclusion
    - COBIT clearly describes WHAT of the lifecycle and is ideal as the IT Governance framework for an IT organisation
    - It cannot be used by itself, but needs support from multiple selective other frameworks that deliver the HOW of the lifecycle
    - COBIT can glue the other frameworks together in an integrated approach
    - Thus ensuring business integrated IT Management & Governance delivers business value, but only if
    - There is REAL, PEOPLE focused implementation following AUDIT and GOVERNANCE direction

  • 31. Governing BUILD and RUN