ISACA – Round Table: Marriage counselling using COBIT

Published on Wednesday 9 September 2015 in News

ISACA in the Netherlands devoted one of its regular Roundtable meetings to COBIT. More than 80 auditors, controllers and quality managers attended the session.

The session had 3 main objectives.

  • To create awareness for COBIT as an instrument for the target audience.
  • To use a simulation game to allow delegates to experiment with using COBIT to both assess and scope improvement suggestions.
  • To capture commonly recognized IT governance-related issues for which COBIT helps provide a solution.

Eppo Luppes from KPN Consulting introduced the session and revealed the top 3 ABC (Attitude, Behavior, Culture) Business and IT alignment worst practices. These top 3 are the results of global workshops with thousands of organizations using the ABC cards as an awareness and assessment instrument. These top cards were discussed in relation to the Value creation proposition within COBIT, a simple and straightforward proposition based on three main elements: Benefits Realisation, Risk Optimisation and Resource Optimisation (see figure below).













These ABC practices and the business & IT alignment problem have been issues for more than 10 years. ‘Alignment’ is still a TOP concern, as InformationWeek reported in an article covering the latest ‘Society of Information managers (SIM)’ survey. A recent ISACA study (Benchmarking and Business value assessment of COBIT 5) also reveals that ‘More business involvement in the Governance of Enterprise IT (GEIT) is required’ and highlights a low maturity score on benefits realization.

So who needs to break through these issues and how? That is what this Round Table would explore.

The Grab@Pizza simulation

Grab@Pizza is an interactive business simulation experience in which delegates can use COBIT guidance to transform the business use of, and value from, IT within the simulated game environment. It is a form of ‘experiential learning’. Combining this with formal learning makes a perfect match, ensuring that theory and practice “stick” in the delegates’ minds.

Grab@Pizza is a very successful company selling millions of pizzas every year. But after 6 months in the current year, the sales figures are far below expectations. IT is posing a significant business risk due to downtime and the inability of IT to respond to changing business needs (Risk optimization). The CEO urged the Business Manager to make a challenging recovery plan. This plan is based on a 6-month strategy to bring the sales and profit back on target (Benefits realization). Existing IT capabilities are poor; resources are tied up in ‘Keeping the lights on’ rather than supporting and enabling new innovations. The IT department must ensure the appropriate capabilities are in place to execute the strategic plan, and that sufficient, appropriate and effective resources are provided to ensure both benefits realization and risk mitigation (Resource optimization).


Two teams played the Grab@Pizza organization. Each team had 4 groups of observers who would act as COBIT assessors (and advisors). During the game round the observers would assess the teams’ capabilities and observe the impact on benefits realization. During the de-brief of the game the observers would give advice on how the team can improve their capabilities.

The observer groups focused on the following 4 areas, representing governance, strategic, tactical and operational aspects. These 4 areas were chosen because of time constraints and because we wanted the delegates to get a taste of the breadth and depth of COBIT:

COBIT process area | Level | Primary value area
EDM01: Ensure governance framework setting and maintenance | Governance | Stakeholder needs
APO02: Manage Strategy | Strategic | Benefits realization
BAI06: Manage Changes | Tactical | Resource optimization
DSS02: Manage Service Requests and Incidents; DSS03: Manage Problems | Operational | Risk Optimization


Observations and discoveries

APO02 Manage strategy:

  1. Level of stakeholder satisfaction with scope of the planned portfolio of programs and services
  2. Number of business disruptions due to IT service incidents
  3. Percent of business stakeholders satisfied that IT service delivery meets agreed service levels

The Business managers in the simulation threw demands ‘over the wall’ – The Business told IT what they wanted and told them to get on with it! IT said they would do it. There was no agreement on the business strategy and planning, no agreements on reporting, nor checks or controls to manage the strategy realization. The business adopted an attitude of managing by HOPING.

The business was not engaged or involved in decision making or prioritization of investments and resources and blamed IT. IT blamed the business for not getting involved and not sharing information.

The business demanded everything, now, giving all project demands to IT (no overall portfolio or program). Some of the demands were longer term with low benefits, but this strategic planning was not communicated; if it had been, it would have prevented wasting scarce change resources.





The business knew the impact of outages and disruptions in terms of lost revenue but did not share this with IT, nor did they request a strategy for reducing business disruptions, or ask for service level reports to demonstrate this. The IT Service Level Management (SLM) function was using the Service Level Agreement (SLA) as an instrument of defense, rather than exploring the business impact of outages (e.g. lost revenue) and aligning the SLA to this.








“The team had created a ‘them and us’ culture and attitude of ‘blame and mistrust’ within 10 minutes!”

BAI06 Manage Changes:

  1. Categorise all requested changes (e.g., business process, infrastructure, operating systems, networks, application systems, purchased/packaged application software) and relate affected configuration items.
  2. Prioritise all requested changes based on the business and technical requirements, resources required, and the legal, regulatory and contractual reasons for the requested change.

There was a pile of changes at the change management desk, with little insight as to where they all came from and how they would contribute to benefits realization or risk reduction.

The business was not represented in a CAB (Change Advisory Board); in one team there was no CAB at all. Decision making seemed to come down to who shouts the loudest!

IT took its responsibility for ‘managing risks’ seriously and the change priority mechanism was driven by IT.








“Governance is more than just telling people what you want and HOPING things will happen, and then when they don’t – pointing the finger of blame!”

As game leader I played the CEO. The business team promised me I would have my 20 million revenue growth as the changes WOULD be made. In the end the changes were not made. I failed to get my value or benefits!

In the other team, where Eppo was the acting CEO, the marketing director got directly involved with deciding which changes should be prioritized, bypassing the service level managers and creating an inefficient use of resources. Nobody in this team was aware of the urgency of a possible bankruptcy if the all-important year-end was not met.

DSS02 Manage Service Requests and Incidents

  1. Prioritise service requests and incidents based on SLA service definition of business impact and urgency

DSS03 Manage Problems

  1. Identify problems through the correlation of incident reports, error logs and other problem identification resources. Determine priority levels and categorisation to address problems in a timely manner based on business risk and service definition.

IT support did not know the business impact and priority of various incidents, so they made assumptions as to what should be solved first. IT support did not use the Service Level Management or Business Relationship Management functions to discover and share this information. As a result, in one team loss of revenue was high.














Problem management was unable to prioritize and decide on resource allocation for problems as they did not know the impact of outages. They were also unable to make a business case for problem-related RfCs (Requests for Change) based upon impact on business benefits or risk. Problem management also had no insight into the business strategy, so could not match the potential impact of existing problems to the changing business use of IT services.

RfCs were requested from the incident and problem team, however operations had already submitted the same RfC: duplication of effort resulting in wasted resources. This was caused by poor communication and teamwork and a lack of process integration.

EDM01: Ensure governance framework setting and maintenance

  1. Understand the enterprise’s decision-making culture and determine the optimal decision-making model for IT.
  2. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information.

There were no effective, formally agreed decision-making mechanisms at a strategic, tactical or operational level (no strategic steering committee, no business representation in the CAB or formal mechanism to decide resource allocation to changes, no business input to the prioritization of incidents and of resources for resolution processes).

There were no formal agreements made on reporting mechanisms nor on the content of the reports to ENABLE effective decision making.

The result of all this identified non-compliance with COBIT practices: neither team realized ‘business benefits’ and one team lost revenue due to downtime of critical systems. Both business & IT were frustrated; there was little trust and a culture of blame.








The groups of observers gave feedback to the teams using COBIT. The COBIT framework helped the observers and the teams to both ‘identify non-compliance’ and ‘scope recommendations’ for both business and IT.

The observers (auditors/controllers) used COBIT to help foster a dialogue between Business and IT, helping align decision making and provide the ability to steer on benefits, effectively allocate scarce resources and manage risks in line with agreed business needs.

At the end of the session delegates were informed of the ISACA global survey results into the maturity of COBIT processes and capabilities, and were invited to participate in a Dutch survey.
Finally the delegates were reminded of the Cartoon:













Many of the attendees recognized in their own organizations the issues that arose in the game and the ‘them and us’ culture between business and IT.

The question is: would delegates take up the challenge to fulfill the marriage guidance counsellor role in THEIR organization, using instruments such as COBIT? Or will Business & IT be staring at each other across the breakfast table, grumbling and moaning about each other, whilst the research organizations make more money doing business & IT alignment research and surveys?
