CoBIT


description

COBIT by ISACA

Transcript of CoBIT

  • INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2005

    Linking Business Goals to IT Goals and COBIT Processes

    By Wim Van Grembergen, Steven De Haes and Jan Moons

    Information technology has become pervasive in today’s dynamic and often turbulent business environments. While, in the past, business executives could delegate, ignore or avoid IT decisions, this is now impossible in most sectors and industries. In this context, many organizations have started with the implementation of IT governance to achieve the fusion between business and IT and to obtain the needed IT involvement of senior management.¹ IT governance can be defined as the leadership and organizational structures and processes that ensure that IT sustains and extends the organization’s strategy and objectives.² As described in this definition, a crucial element of IT governance is achieving a better link between business and IT, also referred to as strategic alignment. However, this relationship is complex and addresses aligning business goals to IT goals and processes.

    To gain a more thorough and pragmatic understanding of how business goals drive IT goals in different industries and how the IT goals are supported by IT processes, the IT Governance Institute® (ITGI) assigned a research project to the ITAG Research Institute of the University of Antwerp Management School (www.uams.be/itag).

    This article summarizes results and conclusions of the first phase of this research. The material will be refined in further research initiatives during 2005. It appears that defining the link between business goals and IT goals was not always an easy exercise for interviewees and that many of the identified goals were very high-level and generic.

    Pilot Study Methodology

    To achieve more insight into the complex relationship among business goals, IT goals and IT processes, eight different industries were analyzed: financial, health, government, retail, pharmaceutical, utilities, IT services and consulting, and transportation. Within each industry, interviews were conducted with an IT manager, a business manager and a senior consultant/expert of the sector. During these interviews, questionnaires were used to identify the most important business goals and the IT goals contributing to those goals. In addition, COBIT processes were identified that support the achievement of the reported IT goals. These relationships were summarized for each industry in two matrices and supplemented with background information on the major characteristics, value drivers and risk drivers of the industry under review.

    The reported results regarding the characteristics and the value and risk drivers are a synthesis of the answers of the interviewees and, consequently, their perception. The IT goals/business goals matrices are based on the information collected during the interviews. Whenever IT and/or business goals were similar, they are labelled by one unique term. The IT goals/COBIT matrices are based on the input of the interviewed consultants and, when necessary, are complemented by the researchers. For reasons of conciseness and manageability, the list of COBIT processes is reduced to the 15 most important COBIT processes as selected in 2001 by the Information Systems Audit and Control Association.

    Specific Research Results

    As an example, this section will summarize the results of two sectors from which well-balanced results were obtained: the financial and the pharmaceutical sectors. For each sector, the most important characteristics and value and risk drivers are described. Next, two matrices are shown, one presenting the links between business goals and IT goals (figures 1 and 3) and one between COBIT processes and IT goals (figures 2 and 4). Reading these matrices in combination enables a better understanding of how IT processes support IT goals, which in turn support business goals. In the matrices, a distinction is made between primary (P) and secondary (S) relationships.

    The Financial Sector

    Characteristics of the financial sector include:
    • Very high transaction volumes with little hard-copy evidence
    • Complex data processing for each transaction
    • Stringent security measures for each transaction dictated by law and the nature of the data
    • Criticality of availability of systems and data: most IT systems have to be available 24/7. This had been a discriminating feature between financial institutions but now is a basic requirement.
    • Increasing emphasis on timely processing or straight-through processing: the immediate and automated processing of an entire transaction
    • High reliance on IT, perhaps more so than in any other sector/industry
    • High IT budgets often accounting for approximately 15 percent of the entire annual company budget
    • Not a first mover in IT but an early follower. Adopting technologies that have not yet matured might backfire in this highly visible sector.
    • Highly regulated by national and international laws and standards, such as Basel II

    Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.


    Value and Risk Drivers of the Financial Sector

    • Value drivers:
      - Diminishing transaction costs: Because of higher transaction volumes, even small improvements may lead to substantial cost reductions.
      - Introduction of new and innovative services, such as e-banking
      - Increasing emphasis on customer orientation instead of product orientation
    • Risk drivers:
      - Security breaches: Because high-visibility security breaches, whether small or large, are widely noticed, they inevitably have important implications.
      - High-liability factor: The huge amounts of money being processed by the financial institutions lead to high liability, and even apparently insignificant mistakes can lead to considerable losses.
      - Many changes in a short span of time: Pressured by ever-tightening legislation (e.g., Basel II and Sarbanes-Oxley) and competition (e.g., the introduction of Internet banking applications), the financial sector has been forced to make many changes to its IT architecture in a relatively short period of time.

    Figure 1: IT Goals, Business Goals Matrix (financial sector). Cells mark each relationship as P = Primary or S = Secondary.
    • Business goals (rows): Achieving compliance with Basel II regulations; Improving competitiveness through IT; Improving customer orientation and service; Postmerger integration and consolidation; Reducing operational cost; Reducing transaction cost; Risk management; Shortening service development life cycle; Tailoring solutions for different target groups
    • IT goals (columns): Integration and consolidation of different IT departments; Developing innovative IT services with a focus on information security; Fulfilling SLAs with business departments; Increasing IT department efficiency; IT disaster recovery and business continuity; IT governance/IT strategic alignment; IT measures to satisfy Basel II requirements; Lowering cost of transaction processing; Making IT measurable; Optimizing the IT infrastructure; Rapid development of new IT services; Reducing external staff; Standardizing IT systems

    Figure 2: IT Goals, COBIT Processes Matrix (financial sector). Cells mark each relationship as P = Primary or S = Secondary.
    • COBIT processes (rows):
      - Plan and Organize: 1 Define a strategic IT plan; 3 Determine technological direction; 5 Manage the IT investment; 9 Assess risks; 10 Manage projects
      - Acquire and Implement: 1 Identify automated solutions; 2 Acquire and maintain application software; 5 Install and accredit systems; 6 Manage changes
      - Deliver and Support: 1 Define and manage service levels; 4 Ensure continuous service; 5 Ensure systems security; 10 Manage problems and incidents; 11 Manage data
      - Monitor and Evaluate: 1 Monitor the processes
    • IT goals (columns): Integration and consolidation of different IT departments; Developing innovative IT services with a focus on information security; Fulfilling SLAs with business departments; Increasing IT department efficiency; IT disaster recovery and business continuity; IT governance/IT strategic alignment; IT measures to satisfy Basel II requirements; Lowering cost of transaction processing; Making IT measurable; Optimizing the IT infrastructure; Rapid development of new IT services; Reducing external staff; Standardizing IT systems


    The Pharmaceutical Sector

    Characteristics of the pharmaceutical sector include:
    • Large market capitalization
    • Considerable growth rate: Five years ago, the sector had a yearly growth rate of 23 percent and currently has a yearly growth of about 9 percent.
    • Importance of research and development (R&D)
    • High reliance of R&D on IT: Most pharmaceutical companies have a large investment in IT. A respondent mentioned that approximately 19 percent of the organization’s sales revenue is invested in IT. In these companies, IT is not considered an overhead but a crucial enabler of business activities.
    • Importance of engineering new molecules
    • Highly regulated: The US Food and Drug Administration (FDA), for example, has an enormous set of rules with which pharmaceutical companies have to comply, impacting both R&D and sales.

    Value and risk drivers of the pharmaceutical sector include:
    • Value drivers:
      - Improved development programs: Because the core business of most pharmaceutical companies is creating and marketing new molecules, one of the most important value drivers is creating a more efficient molecule development program.
      - Outsourcing: Many pharmaceutical companies are outsourcing the design of new molecules to smaller bioengineering entities.
      - Patent creation: Patents are necessary to protect R&D investments.
      - Protection of information: With only a few molecules discovered per year, confidentiality and protection of the information regarding these molecules is paramount.
    • Risk drivers:
      - Regulatory control: In an attempt by government agencies to guarantee the quality of the molecules, rules and regulations are imposed for every aspect of the development process. This often inhibits creativity. Regulations also have an impact on IT systems. For example, all scientific data regarding pharmaceutical products have to be preserved for at least 30 years, which may hinder the upgrade to more modern systems.
      - Increased R&D budget
      - Diminished yields on R&D: It becomes more and more difficult to engineer successful molecules. While R&D provides a multitude of molecules, only very few make it to the manufacturing stage. Even the most successful companies produce only around three to four new molecules per year. The risk that the huge R&D investment does not deliver the expected results is very real.
      - Leakage of information to competitors
      - International price differences of drugs

    General Research Results

    After analysis of all sectors, it was found that 46 percent of all business goals and 37 percent of all IT goals provided by the interviewees could be considered specific to their sector, i.e., they are not equally important for all other sectors. Examples are achieving compliance with Basel II regulations as a specific business goal for the financial sector and taking IT measures to satisfy FDA requirements as a specific IT goal for the pharmaceutical sector. On the other hand, more than 50 percent of all goals are generic, such as improving customer orientation and service, IT disaster recovery and business continuity and standardizing IT systems.

    The business goals and IT goals that were mentioned most frequently are summarized in figure 5. The links between those business and IT goals are set by the researchers as an example; they are not based on the input of the interviewees. It appears that the most frequently mentioned business goals are rather high-level and generic. The IT goals are at a lower level but still generic.

    The matrix in figure 6 maps the five most frequently mentioned IT goals to the 15 most important COBIT processes. These links are again filled out by the development team as an example.

    Conclusions

    This eight-sector research project provides a view of the links between business and IT goals, and the relationships between COBIT processes and IT goals. It appears that defining the link among business goals, IT goals and IT processes was a difficult exercise for the interviewees, and that many of the mentioned business and IT goals were generic. The given examples of linking IT processes to IT goals and business goals can provide guidance for in-house COBIT implementations, more specifically in defining those IT processes on which to focus.

    Conclusions are tentative because they are based on a limited set of arbitrarily chosen interviewees per sector. To accredit more value to the results, a more detailed study is needed based on in-depth case studies and a larger number of respondents. Detailed research could provide more insight in the cascade starting from high-level strategic business goals to lower-level operational IT goals and processes. This cascade would more closely represent a real-life business scenario.

    Figure 3: IT Goals, Business Goals Matrix (pharmaceutical sector). Cells mark each relationship as P = Primary or S = Secondary.
    • Business goals (rows): Achieving compliance with FDA regulations; Defending patents; Developing new molecules; Future-proofing the organization; Improving operational excellence; Improving organizational structure; Improving R&D processes; Increasing revenue; Networking and strategic alliances; Protecting of information
    • IT goals (columns): Centralization of control over IT systems; Developing and implementing new and innovative applications; Educating personnel to work efficiently with new applications; Improving IT cost efficiency; Investigating IT offshoring possibilities; IT disaster recovery and business continuity; Protecting data and systems; Standardizing IT systems; Taking IT measures to satisfy FDA requirements

    Figure 4: IT Goals, COBIT Processes Matrix (pharmaceutical sector). Cells mark each relationship as P = Primary or S = Secondary.
    • COBIT processes (rows):
      - Plan and Organize: 1 Define a strategic IT plan; 3 Determine technological direction; 5 Manage the IT investment; 9 Assess risks; 10 Manage projects
      - Acquire and Implement: 1 Identify automated solutions; 2 Acquire and maintain application software; 5 Install and accredit systems; 6 Manage changes
      - Deliver and Support: 1 Define and manage service levels; 4 Ensure continuous service; 5 Ensure systems security; 10 Manage problems and incidents; 11 Manage data
      - Monitor and Evaluate: 1 Monitor the processes
    • IT goals (columns): Centralization of control over IT systems; Developing and implementing new and innovative applications; Educating personnel to work efficiently with new applications; Improving IT cost efficiency; Investigating IT offshoring possibilities; IT disaster recovery and business continuity; Protecting data and systems; Standardizing IT systems; Taking IT measures to satisfy FDA requirements

    Endnotes

    1 Van Grembergen, W.; Strategies for Information Technology Governance, Idea Group Publishing, 2003. Van Grembergen, W.; S. De Haes; IT Governance and Its Mechanisms, Information Systems Control Journal, volume 1, 2004. Weill, P.; J.W. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004.
    2 IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, 2003

    Related Reading

    Broadbent, M.; P. Weill; Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology, 1998

    Benson, J. R.; From Business Strategy to IT Action: Right Decisions for a Better Bottom Line, 2004

    Van Grembergen, W.; Strategies for Information Technology Governance, 2004

    IT Governance Institute, IT Governance Global Status Report, 2004

    Authors’ Note:

    Thanks to Erik Guldentops for sharing his ideas on the ITAG Research Institute project and placing it in the context of the further COBIT developments. The results of the research are owned by ITGI and will be leveraged to improve the COBIT framework, more specifically in linking COBIT processes to IT goals and the IT goals to the business objectives and governance processes that drive them.

    Wim Van Grembergen is professor and chair of the Information Systems Management Department at the Economics and Management Faculty of the University of Antwerp (Belgium) and executive professor at the University of Antwerp Management School (UAMS) (Belgium). Van Grembergen is engaged in the continuous development of the COBIT framework. He is also a member of the Academic Relations Task Force of ISACA and is currently conducting research projects for ISACA on IT governance. Van Grembergen is a frequent speaker at academic and professional meetings and conferences and has served in a consulting capacity to a number of firms. He is a member of the board of directors of IT companies, including an IT consultancy firm and an IT firm servicing a Belgian financial group. Recently he established at UAMS the ITAG Research Institute, which aims to contribute to the understanding of IT alignment and governance through research and dissemination of the knowledge via publications, conferences and seminars (www.uams.be/itag). He can be contacted at [email protected].

    Steven De Haes is responsible for the Information Systems Management executive programs at UAMS. He is engaged in research in the domain of IT governance and conducts research in this capacity for ISACA. Currently, he is preparing a Ph.D. on the practices and mechanisms of IT governance. He has published several articles on IT governance, most recently in the Information Systems Control Journal, the Journal for Information Technology Case Studies and Applications (JITCA), and the proceedings of the Hawaiian International Conference on System Sciences (HICSS). He can be contacted at [email protected].

    Jan Moons is research assistant at the Management Information Systems Department of the University of Antwerp. He has several teaching assignments and is working on a Ph.D. in this domain. He is engaged in specific research assignments of the ITAG Research Institute of the University of Antwerp Management School.

    Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

    Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

    Copyright © 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

    Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

    www.isaca.org

    Figure 5: matrix of the most frequently mentioned business goals and IT goals. Cells mark each relationship as P = Primary or S = Secondary.
    • Business goals (rows): Being a caring organization for employees; Improving customer orientation and service; Improving operational excellence; Increasing profitability; Reducing operational cost
    • IT goals (columns): Improving IT cost delivery; IT disaster recovery and business continuity; IT governance/IT strategic alignment; Protecting data and systems; Standardizing IT systems

    Figure 6: Most Frequently Mentioned IT Goals and COBIT Processes. Cells mark each relationship as P = Primary or S = Secondary.
    • COBIT processes (rows):
      - Plan and Organize: 1 Define a strategic IT plan; 3 Determine technological direction; 5 Manage the IT investment; 9 Assess risks; 10 Manage projects
      - Acquire and Implement: 1 Identify automated solutions; 2 Acquire and maintain application software; 5 Install and accredit systems; 6 Manage changes
      - Deliver and Support: 1 Define and manage service levels; 4 Ensure continuous service; 5 Ensure systems security; 10 Manage problems and incidents; 11 Manage data
      - Monitor and Evaluate: 1 Monitor the processes
    • IT goals (columns): Improving IT cost delivery; IT disaster recovery and business continuity; IT governance/IT strategic alignment; Protecting data and systems; Standardizing IT systems