IT Governance—Practical Case Using COBIT ® QuickStartTM
By Greet Volders
n this project, the COBIT model was used in combination with COBIT QuickStart and the Gartner approach for defining priorities for IT projects based on the company strategy. The following phases have been performed inthis project: • COBIT QuickStart assessment • Presentation to the board and decision of priorities • Setup of an IT business steering committee • Development of the handover procedure from the project team to operations • Business process modelling This project started as an initiative taken by IT management and the company chief executive officer (CEO) with the objective to optimise theprocesses within the IT department and clarify these processes to the business units. As a result of the work performed within the IT department, the organisation realised the need for identifying and developing its own business processes (last phase described in this article). This initiative was fully supported by the president
of the board and the CEO; their support had a positive influence onthe involvement of the business units at all levels (from director to the employee) and improved relations between IT and the user departments. The following sections describe the different steps executed in the project. The last step, development of the business processes, is ongoing.
COBIT QuickStart Assessment
The project started in February 2004 with an assessment of the suitability ofCOBIT QuickStart for this company. As recommended in the QuickStart guide, this suitability assessment was executed by means of a discussion with the chief information officer (CIO), who gave the answers to the questions in figure 1. The outcome of the first assessment, ‘Watch the Heat’, is shown in figure 1.
Figure 1—Suitability Assessment, ‘Watch the Heat’
ee gr isa yD ee tel rD no Ag reeisa tA me wh a Fu gr lly Ag ree So ee
The IT infrastructure is an open, as opposed to closed, system (interconnections with customers, suppliers, etc.) There are IT-related regulations or contractual requirements applying to the enterprise. There is a need to provide outside assurance about IT. Enterprise management is awareof IT issues and wonders whether a minimum baseline is sufficient. Enterprise management has identified the need for significant formal training relative to IT. Some IT practices and procedures have been defined, standardised and documented in a sustainable manner. Enterprise management knows that common tools would make some IT processes more effective and efficient. The IT expert(s) of theenterprise is needed for developing/improving business processes.
The second step of the suitability assessment is the ‘Stay in the Blue Zone’ assessment. The results obtained from asking the related questions are shown in figure 2. For the ‘Stay in the Blue Zone’ assessment, this company definitely did not stay in the blue zone for four out ofseven Figure 2—Results of ‘Stay in the Blue Zone’ Assessment
SCS 4 3 2 1 0 ITE SOC
SCS: Simple command structure SCP: Short communications path SOC: Span of control ITL: IT leadership ITS: IT strategic importance ITE: IT expenditure SEG: Segregation
criteria, and the result of the ‘Watch the Heat’ assessment indicated four red indicators. The immediate consequencewas that COBIT QuickStart is not entirely applicable in this environment, since the assessment highlighted the strategic importance of information and communications technology (ICT) within the company. Despite this result, IT management decided to continue with the QuickStart approach. This limited the scope of the first assessment, which was executed immediately after the suitability...