Governing ITIL with CobiT

ITIL is clear that it does not stand alone, and in fact, you cannot "do ITIL" without some form of governance. But what does "governance" mean? ITIL requires a framework of policy, process, procedures and metrics that can give direction to IT operations (and ITIL activities.) Control Objectives for IT (CobiT) does just this.

We’ve all heard the saying that, “…if you can’t measure it you can’t control it, and if you can’t control it you can’t manage it.” This has never been truer than when “it” refers to IT. As IT professionals we’ve probably all had an opportunity to work in really well-managed IT shops, as well as those that would even make Dilbert cringe. When you compare the two, the well-managed IT organizations knew where they were going (destination), they knew how they were going to get there (roadmap), and they all knew where they were (current location).

The poorly managed IT shops? For the most part, they didn’t know where they were headed (no communicated objective), so any road would get them there (wandering aimlessly). Essentially they were lost.

Unfortunately many IT organizations turn to the ITIL and the potential of IT Service Management as if it alone will lead them to some “promised land.” They go off and get trained, and go back to work and try to “do ITIL.” The result is often just a marginally “less lost” IT shop. Why is that? How does an IT organization ensure its destination is the right one? How does it know it’s on the right path? How does it determine where it is on that path? Following I introduce the idea of governing ITIL with CobiT.

IT Governance

The IT Infrastructure Library was never intended to be a stand-alone set of good practices. Its primary focus is to bring a process-oriented approach to the delivery of the IT infrastructure as a set of services, and the direct support of those services. Issues of managing process deployment resources, quality, and security all require the integration of other frameworks and methods to enable the ITIL’s IT Service Management processes to achieve their purpose. Still it’s not enough. This is where IT Governance comes in. One possible answer is to use Control Objectives for IT (CobiT) to establish the governance framework for IT Service Management using ITIL.

IT Governance ties IT goals to those of the enterprise. It ensures that IT delivers valuable services through the optimal use of its resources, while understanding the risks involved and the establishment of goals and metrics to track organizational performance.

IT Governance Focus Areas

• Strategic Alignment – Link IT & Business Goals
• Value Delivery – Optimize the Cost & Value of IT Services
• Resource Management – Optimize Resource Investment
• Risk Management – Understand the Enterprise’s Appetite for Risk
• Performance Management – Track & Monitor Achievements

CobiT’s Role in IT Governance

Control Objectives for IT (CobiT) was developed by the IT Governance Institute (www.ITGI.org) to advance international thinking and standards in directing and controlling enterprise information technology. CobiT supports IT Governance through its framework of 34 IT processes. This framework ensures business and IT alignment, maximizes IT enablement of business processes, optimizes IT resources and manages risk.

CobiT Ensures:

IT & Business Alignment

IT Enabled Business Processes

IT Resource Optimization

IT Management of Risks

CobiT’s framework accomplishes this by focusing on the business’ requirement for information, and the structured (process) utilization of IT resources. It groups its 34 processes into four domains; plan & organize, acquire & implement, deliver & support and monitor & evaluate. Each process has a high-level control objective (the desired outcome) and one or more detailed control objectives that address the requirements of the actual activities that it performs. The framework utilizes a structured approach in describing each; it details the process, what business requirement it is intended to fulfill, its focus area, how it is to be achieved, and how it will be measured. It also details how to assess each process’ maturity (capability, control & coverage).

In effect, CobiT’s framework establishes what needs to be done to provide the information the enterprise needs to achieve its goals. It does this by the establishing control objectives that link the business goals in a cascading set of IT goals and metrics. These extend from the strategic alignment of business’ IT capability requirements all the way down to the tactical management of those processes involved in achieving those goals.

ITIL or CobiT? Yes

By now you’ve probably asked yourself, “Why do we need yet another framework?”

It’s a good question, but it must be put into perspective. CobiT addresses the need for an IT organization to unambiguously understand the need for technology-enabled business change. It does this by tying the business’ use of information to the processes and resources used by IT to deliver that information. The IT Infrastructure Library addresses a subset of the 34 CobiT processes that relate to the delivery (defining services, quality of service and plan for its delivery) and support (direct support for the restoration of service and changes to the infrastructure) of IT services. While there is an overlap in some process areas, that overlap enables the integration of the CobiT and ITIL frameworks.

Probably the best way to look at it is that CobiT addresses what needs to be controlled and how that is to be measured, and ITIL addresses how IT services are to be delivered and supported. Even then we still don’t have a complete picture because both CobiT and the ITIL frameworks require the integration of program/project, quality and security management methods, but that is the subject of yet another DITY Newsletter.

So, the question is not about choosing between CobiT and ITIL, but one of “How does an IT organization go about the adoption and integration of CobiT and ITIL?” Simply put, “some assembly is required.” CobiT’s control objectives are implemented via control practices. These practices are realized through the establishment of a cascading set of policies and guidelines, development and documentation of the processes and detailed procedures and the establishment of a set of cascading performance metrics.

SUMMARY:

When implemented properly, both CobiT and ITIL provide the necessary framework of good practices that enable and IT organization to clearly align itself with the goals of the business, manage its resources to enable those goals through the optimized delivery of information needed by the business, and the deliver IT services and provide for their direct support.