I N F O R M A T I O N S Y S T E M S C O N T R O L J O U R N A L , V O L U M E 4 , 2 0 0 5
Linking Business Goals to IT Goals and COBIT Processes
By Wim Van Grembergen, Steven De Haes and Jan Moons
Information technology has become pervasive in today's dynamic and often turbulent business environments. While, in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries. In this context, many organizations have started with the implementation of IT governance to achieve the fusion between business and IT and to obtain the needed IT involvement of senior management.[1] IT governance can be defined as the leadership and organizational structures and processes that ensure that IT sustains and extends the organization's strategy and objectives.[2] As described in this definition, a crucial element of IT governance is achieving a better link between business and IT, also referred to as strategic alignment. However, this relationship is complex and addresses aligning business goals to IT goals and processes.
To gain a more thorough and pragmatic understanding of how business goals drive IT goals in different industries and how the IT goals are supported by IT processes, the IT Governance Institute (ITGI) assigned a research project to the ITAG Research Institute of the University of Antwerp Management School (www.uams.be/itag).
This article summarizes results and conclusions of the first phase of this research. The material will be refined in further research initiatives during 2005. It appears that defining the link between business goals and IT goals was not always an easy exercise for interviewees and that many of the identified goals were very high-level and generic.
Pilot Study Methodology
To achieve more insight into the complex relationship among business goals, IT goals and IT processes, eight different industries were analyzed: financial, health, government, retail, pharmaceutical, utilities, IT services and consulting, and transportation. Within each industry, interviews were conducted with an IT manager, a business manager and a senior consultant/expert of the sector. During these interviews, questionnaires were used to identify the most important business goals and the IT goals contributing to those goals. In addition, COBIT processes were identified that support the achievement of the reported IT goals. These relationships were summarized for each industry in two matrices and supplemented with background information on the major characteristics, value drivers and risk drivers of the industry under review.
The reported results regarding the characteristics and the value and risk drivers are a synthesis of the answers of the interviewees and, consequently, their perception. The IT goals/business goals matrices are based on the information collected during the interviews. Whenever IT and/or business goals were similar, they are labelled by one unique term. The IT goals/COBIT matrices are based on the input of the interviewed consultants and, when necessary, are complemented by the researchers. For reasons of conciseness and manageability, the list of COBIT processes is reduced to the 15 most important COBIT processes as selected in 2001 by the Information Systems Audit and Control Association.
Specific Research Results
As an example, this section will summarize the results of two sectors from which well-balanced results were obtained: the financial and the pharmaceutical sectors. For each sector, the most important characteristics and value and risk drivers are described. Next, two matrices are shown, one presenting the links between business goals and IT goals (figures 1 and 3) and one between COBIT processes and IT goals (figures 2 and 4). Reading these matrices in combination enables a better understanding of how IT processes support IT goals, which in turn support business goals. In the matrices, a distinction is made between primary (P) and secondary (S) relationships.
The Financial Sector
Characteristics of the financial sector include:
- Very high transaction volumes with little hard-copy evidence
- Complex data processing for each transaction
- Stringent security measures for each transaction dictated by law and the nature of the data
- Criticality of availability of systems and data: most IT systems have to be available 24/7. This had been a discriminating feature between financial institutions but now is a basic requirement.
- Increasing emphasis on timely processing or straight-through processing: the immediate and automated processing of an entire transaction
- High reliance on IT, perhaps more so than in any other sector/industry
- High IT budgets, often accounting for approximately 15 percent of the entire annual company budget
- Not a first mover in IT but an early follower. Adopting technologies that have not yet matured might backfire in this highly visible sector.
- Highly regulated by national and international laws and standards, such as Basel II
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Value and Risk Drivers of the Financial Sector
Value drivers:
- Diminishing transaction costs: because of higher transaction volumes, even small improvements may lead to substantial cost reductions.
- Introduction of new and innovative services, such as e-banking
- Increasing emphasis on customer orientation instead of product orientation
Risk drivers:
- Security breaches: because high-visibility security breaches, whether small or large, are widely noticed, they inevitably have important implications.
- High-liability factor: the huge amounts of money being processed by the financial institutions lead to high liability, and even apparently insignificant mistakes can lead to considerable losses.
- Many changes in a short span of time: pressured by ever-tightening legislation (e.g., Basel II and Sarbanes-Oxley) and competition (e.g., the introduction of Internet banking applications), the financial sector has been forced to make many changes to its IT architecture in a relatively short period of time.
Figure 1 IT Goals, Business Goals Matrix
IT goals (matrix columns): Integration and consolidation of different IT departments; Developing innovative IT services with a focus on information security; Fulfilling SLAs with business departments; Increasing IT department efficiency; IT disaster recovery and business continuity; IT governance/IT strategic alignment; IT measures to satisfy Basel II requirements; Lowering cost of transaction processing; Making IT measurable; Optimizing the IT infrastructure; Rapid development of new IT services; Reducing external staff; Standardizing IT systems
Business goals (matrix rows), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Achieving compliance with Basel II regulations: S S P
Improving competitiveness through IT: P P S P
Improving customer orientation and service: P S P S S P S
Postmerger integration and consolidation: P S S S S
Reducing operational cost: P P S S P P P P P
Reducing transaction cost: P S S P P S S
Risk management: S P S S P P S P S
Shortening service development life cycle: S S P
Tailoring solutions for different target groups: P S
P = Primary, S = Secondary

Figure 2 IT Goals, COBIT Processes Matrix
IT goals (matrix columns): Integration and consolidation of different IT departments; Developing innovative IT services with a focus on information security; Fulfilling SLAs with business departments; Increasing IT department efficiency; IT disaster recovery and business continuity; IT governance/IT strategic alignment; IT measures to satisfy Basel II requirements; Lowering cost of transaction processing; Making IT measurable; Optimizing the IT infrastructure; Rapid development of new IT services; Reducing external staff; Standardizing IT systems
COBIT processes (matrix rows, grouped by domain), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Plan and Organize
1 Define a strategic IT plan: P S S P S P S P P P P
3 Determine technological direction: P S P P S P P
5 Manage the IT investment: S S S P P S S S P
9 Assess risks: P P S P S S S S
10 Manage projects: S S P S S S
Acquire and Implement
1 Identify automated solutions: S S S S S S S
2 Acquire and maintain application software: S P P S P S S S
5 Install and accredit systems: P P S S S S S
6 Manage changes: P P S S S S
Deliver and Support
1 Define and manage service levels: S P S S P
4 Ensure continuous service: P P S
5 Ensure systems security: P S P S
10 Manage problems and incidents: S S S S
11 Manage data: S S P
Monitor and Evaluate
1 Monitor the processes: S P P P P P
P = Primary, S = Secondary
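Reading figures 1 and 2 in combination amounts to chaining the two matrices: a business goal is served by the COBIT processes that support its IT goals. The following Python script is an added illustration, not part of the original article; it uses goal and process names from figures 1 and 2 (with the customary PO/AI/DS/ME domain prefixes) but the P/S cells in its sample data are assumed, as are the 2/1 weighting and the coverage-gap check, which are the example's own choices rather than the authors' method.

```python
"""Chain the two P/S matrices: business goal -> IT goals -> COBIT processes."""
from collections import defaultdict

# Constructed sample cells. Goal and process names are taken from figures 1 and 2;
# which cells hold P or S here is assumed for illustration, not the article's data.
BUSINESS_TO_IT = {
    "Achieving compliance with Basel II regulations": {
        "IT measures to satisfy Basel II requirements": "P",
        "IT disaster recovery and business continuity": "S",
        "Making IT measurable": "S",
    },
    "Reducing transaction cost": {
        "Lowering cost of transaction processing": "P",
        "Optimizing the IT infrastructure": "P",
        "Standardizing IT systems": "S",
    },
}
IT_TO_COBIT = {
    "IT measures to satisfy Basel II requirements": {
        "PO9 Assess risks": "P",
        "DS5 Ensure systems security": "P",
        "ME1 Monitor the processes": "S",
    },
    "IT disaster recovery and business continuity": {
        "DS4 Ensure continuous service": "P",
        "PO9 Assess risks": "S",
    },
    "Making IT measurable": {"ME1 Monitor the processes": "P"},
    "Lowering cost of transaction processing": {
        "PO5 Manage the IT investment": "P",
        "AI2 Acquire and maintain application software": "S",
    },
    "Optimizing the IT infrastructure": {
        "PO3 Determine technological direction": "P",
        "AI5 Install and accredit systems": "S",
    },
    "Standardizing IT systems": {},  # no supporting process recorded: a coverage gap
}

# Weighting assumed for the example: a primary link counts twice a secondary one,
# and a two-step chain is scored by the product of its link weights.
WEIGHT = {"P": 2, "S": 1}


def cascade(business_goal):
    """Return [(process, score), ...] for every COBIT process reachable from the
    business goal through at least one IT goal, highest score first."""
    scores = defaultdict(int)
    for it_goal, link in BUSINESS_TO_IT[business_goal].items():
        for process, plink in IT_TO_COBIT.get(it_goal, {}).items():
            scores[process] += WEIGHT[link] * WEIGHT[plink]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def unsupported_it_goals():
    """IT goals some business goal relies on but no COBIT process supports."""
    needed = {g for links in BUSINESS_TO_IT.values() for g in links}
    return sorted(g for g in needed if not IT_TO_COBIT.get(g))


if __name__ == "__main__":
    for goal in BUSINESS_TO_IT:
        print(goal, cascade(goal))
    print("unsupported:", unsupported_it_goals())
```

Ranking the processes per business goal gives the short list of processes on which an in-house COBIT implementation would focus, and the gap check surfaces IT goals the matrices leave without any supporting process.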
The Pharmaceutical Sector
Characteristics of the pharmaceutical sector include:
- Large market capitalization
- Considerable growth rate: five years ago, the sector had a yearly growth rate of 23 percent and currently has a yearly growth of about 9 percent.
- Importance of research and development (R&D)
- High reliance of R&D on IT: most pharmaceutical companies have a large investment in IT. A respondent mentioned that approximately 19 percent of the organization's sales revenue is invested in IT. In these companies, IT is not considered an overhead but a crucial enabler of business activities.
- Importance of engineering new molecules
- Highly regulated: the US Food and Drug Administration (FDA), for example, has an enormous set of rules with which pharmaceutical companies have to comply, impacting both R&D and sales.
Value and risk drivers of the pharmaceutical sector include:
Value drivers:
- Improved development programs: because the core business of most pharmaceutical companies is creating and marketing new molecules, one of the most important value drivers is creating a more efficient molecule development program.
- Outsourcing: many pharmaceutical companies are outsourcing the design of new molecules to smaller bioengineering entities.
- Patent creation: patents are necessary to protect R&D investments.
- Protection of information: with only a few molecules discovered per year, confidentiality and protection of the information regarding these molecules is paramount.
Risk drivers:
- Regulatory control: in an attempt by government agencies to guarantee the quality of the molecules, rules and regulations are imposed for every aspect of the development process. This often inhibits creativity. Regulations also have an impact on IT systems. For example, all scientific data regarding pharmaceutical products have to be preserved for at least 30 years, which may hinder the upgrade to more modern systems.
- Increased R&D budget
- Diminished yields on R&D: it becomes more and more difficult to engineer successful molecules. While R&D provides a multitude of molecules, only very few make it to the manufacturing stage. Even the most successful companies produce only around three to four new molecules per year. The risk that the huge R&D investment does not deliver the expected results is very real.
- Leakage of information to competitors
- International price differences of drugs
Figure 3 IT Goals, Business Goals Matrix
IT goals (matrix columns): Centralization of control over IT systems; Developing and implementing new and innovative applications; Educating personnel to work efficiently with new applications; Improving IT cost efficiency; Investigating IT offshoring possibilities; IT disaster recovery and business continuity; Protecting data and systems; Standardizing IT systems; Taking IT measures to satisfy FDA requirements
Business goals (matrix rows), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Achieving compliance with FDA regulations: S P P
Defending patents: S
Developing new molecules: P S P S
Future-proofing the organization: S P S S S S S S
Improving operational excellence: P S P P P
Improving organizational structure: S S S S
Improving R&D processes: P S
Increasing revenue: S
Networking and strategic alliances: S S
Protection of information: S S P P
P = Primary, S = Secondary

Figure 4 IT Goals, COBIT Processes Matrix
IT goals (matrix columns): Centralization of control over IT systems; Developing and implementing new and innovative applications; Educating personnel to work efficiently with new applications; Improving IT cost efficiency; Investigating IT offshoring possibilities; IT disaster recovery and business continuity; Protecting data and systems; Standardizing IT systems; Taking IT measures to satisfy FDA requirements
COBIT processes (matrix rows, grouped by domain), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Plan and Organize
1 Define a strategic IT plan: P P S
3 Determine technological direction: S P
5 Manage the IT investment: S P P S
9 Assess risks: S S S S S
10 Manage projects: S
Acquire and Implement
1 Identify automated solutions: P S S
2 Acquire and maintain application software: P S S
5 Install and accredit systems: P S S
6 Manage changes: S P S S S S
Deliver and Support
1 Define and manage service levels: S P S
4 Ensure continuous service: S S P S
5 Ensure systems security: S S S P S
10 Manage problems and incidents: S S S S S
11 Manage data: S S S S
Monitor and Evaluate
1 Monitor the processes: S
P = Primary, S = Secondary

General Research Results
After analysis of all sectors, it was found that 46 percent of all business goals and 37 percent of all IT goals provided by the interviewees could be considered specific to their sector, i.e., they are not equally important for all other sectors. Examples are achieving compliance with Basel II regulations as a specific business goal for the financial sector and taking IT measures to satisfy FDA requirements as a specific IT goal for the pharmaceutical sector. On the other hand, more than 50 percent of all goals are generic, such as improving customer orientation and service, IT disaster recovery and business continuity and standardizing IT systems.
The business goals and IT goals that were mentioned most frequently are summarized in figure 5. The links between those business and IT goals are set by the researchers as an example; they are not based on the input of the interviewees. It appears that the most frequently mentioned business goals are rather high-level and generic. The IT goals are at a lower level but still generic.
The matrix in figure 6 maps the five most frequently mentioned IT goals to the 15 most important COBIT processes. These links are again filled out by the development team as an example.

Figure 5 Most Frequently Mentioned Business Goals and IT Goals
IT goals (matrix columns): Improving IT cost delivery; IT disaster recovery and business continuity; IT governance/IT strategic alignment; Protecting data and systems; Standardizing IT systems
Business goals (matrix rows), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Being a caring organization for employees: S
Improving customer orientation and service: P P
Improving operational excellence: S S P S S
Increasing profitability: S S S
Reducing operational cost: P S P
P = Primary, S = Secondary

Figure 6 Most Frequently Mentioned IT Goals and COBIT Processes
IT goals (matrix columns): Improving IT cost delivery; IT disaster recovery and business continuity; IT governance/IT strategic alignment; Protecting data and systems; Standardizing IT systems
COBIT processes (matrix rows, grouped by domain), with their primary (P) and secondary (S) links to IT goals in the order they appear in the row (empty cells are not shown):
Plan and Organize
1 Define a strategic IT plan: P S P P
3 Determine technological direction: S P S P
5 Manage the IT investment: P P S
9 Assess risks: P P P
10 Manage projects: P P
Acquire and Implement
1 Identify automated solutions: S S P
2 Acquire and maintain application software: S P
5 Install and accredit systems: S S S
6 Manage changes: S S S
Deliver and Support
1 Define and manage service levels: P S S
4 Ensure continuous service: P S
5 Ensure systems security: P S
10 Manage problems and incidents: S P P
11 Manage data: P S
Monitor and Evaluate
1 Monitor the processes: S S S S S
P = Primary, S = Secondary

Conclusions
This eight-sector research project provides a view of the links between business and IT goals, and the relationships between COBIT processes and IT goals. It appears that defining the link among business goals, IT goals and IT processes was a difficult exercise for the interviewees, and that many of the mentioned business and IT goals were generic. The given examples of linking IT processes to IT goals and business goals can provide guidance for in-house COBIT implementations, more specifically in defining those IT processes on which to focus.
Conclusions are tentative because they are based on a limited set of arbitrarily chosen interviewees per sector. To accredit more value to the results, a more detailed study is needed based on in-depth case studies and a larger number of respondents. Detailed research could provide more insight in the cascade starting from high-level strategic business goals to lower-level operational IT goals and processes. This cascade would more closely represent a real-life business scenario.

Endnotes
[1] Van Grembergen, W.; Strategies for Information Technology Governance, Idea Group Publishing, 2003. Van Grembergen, W.; S. De Haes; IT Governance and Its Mechanisms, Information Systems Control Journal, volume 1, 2004. Weill, P.; J.W. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004.
[2] IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, 2003

Author's Note:
Thanks to Erik Guldentops for sharing his ideas on the ITAG Research Institute project and placing it in the context of the further COBIT developments. The results of the research are owned by ITGI and will be leveraged to improve the COBIT framework, more specifically in linking COBIT processes to IT goals and the IT goals to the business objectives and governance processes that drive them.

Wim Van Grembergen is professor and chair of the Information Systems Management Department at the Economics and Management Faculty of the University of Antwerp (Belgium) and executive professor at the University of Antwerp Management School (UAMS) (Belgium). Van Grembergen is engaged in the continuous development of the COBIT framework. He is also a member of the Academic Relations Task Force of ISACA and is currently conducting research projects for ISACA on IT governance. Van Grembergen is a frequent speaker at academic and professional meetings and conferences and has served in a consulting capacity to a number of firms. He is a member of the board of directors of IT companies, including an IT consultancy firm and an IT firm servicing a Belgian financial group. Recently he established at UAMS the ITAG Research Institute, which aims to contribute to the understanding of IT alignment and governance through research and dissemination of the knowledge via publications, conferences and seminars (www.uams.be/itag). He can be contacted at [email protected].

Steven De Haes is responsible for the Information Systems Management executive programs at UAMS. He is engaged in research in the domain of IT governance and conducts research in this capacity for ISACA. Currently, he is preparing a Ph.D. on the practices and mechanisms of IT governance. He has published several articles on IT governance, most recently in the Information Systems Control Journal, the Journal for Information Technology Case Studies and Applications (JITCA), and the proceedings of the Hawaiian International Conference on System Sciences (HICSS). He can be contacted at [email protected].

Jan Moons is research assistant at the Management Information Systems Department of the University of Antwerp. He has several teaching assignments and is working on a Ph.D. in this domain. He is engaged in specific research assignments of the ITAG Research Institute of the University of Antwerp Management School.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISACA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org