COBIT 5 Only As Good As the People Who Use It

Author: Earl Payne
“COBIT® 5 Only As Good As the People Who Use It.”
Date: March 2014
Prepared by: Gary Hardy, COBIT Lead Author and Owner of IT Winners

Content

Seven TIPS for COBIT 5 Implementation:
Tip #1 – Get Business Buy-In
Tip #2 – Change Mindsets and Attitudes
Tip #3 – Initiate a Transformation Program
Tip #4 – No Big Bang — Continual Improvement in Steps
Tip #5 – Focus on Business Benefits
Tip #6 – Deliver Outcomes Instead of Outputs
Tip #7 – Learn from Best Practices


Learn from the Expert

Gary Hardy is the architect of the ITpreneurs IT governance training portfolio and one of the originators of the COBIT framework. He’s been a lead developer of all the COBIT versions, including COBIT 5. He also has the distinction of being the lead author of all the versions of the COBIT Implementation Guide. His core business activities include consulting, training, and running his own company, IT Winners in South Africa. Recognized globally as a thought leader and implementation expert with over 30 years’ experience, Gary has guided numerous public and private enterprises in implementing IT performance improvements and governance and management practices. He’s also an expert advisor to one of the world’s largest and most significant COBIT-based IT governance improvement programs.


Seven TIPS for COBIT 5 Implementation

Over the past decade, the term “governance” has moved to the forefront of business thinking. The pressing need to deliver more value from IT, and a growing number of risk and compliance challenges, are the primary factors for this evolution. COBIT 5 is a business-driven framework, which guides good IT-related practices for all stakeholders of an enterprise, with a focus on delivering value from IT. The COBIT 5 Implementation guide provides the latest thinking and best practices for improving IT governance. Building on the principles and concepts learned in the COBIT 5 Foundation Course, the COBIT 5 Implementation Course uses a combination of practical, hands-on exercises and presentations to enable participants to apply these methods in practice.

IT governance and COBIT expert, Gary Hardy, shares his implementation tips below. These are based on his many years of real-world experience and those of others in his network around the world. Learn how to apply these tips by attending the COBIT 5 Implementation Course.

Tip #1 Get Business Buy-In

The increased focus on IT by executive management has highlighted the need for better governance and management of IT. The concept—and actual practice of IT governance—have gained significant momentum and acceptance in recent years. This is driving the need for IT best practices to be aligned to business and governance requirements. It has shifted management’s attention away from just technology solutions towards defining the beneficial outcomes desired from the use of IT.

Executive management is increasingly paying special attention to the use of IT, given that IT is now so intrinsic to the execution of business strategy and operations. IT accounts for a very significant proportion of an enterprise's costs, yet many fail to optimize these costs and obtain a good return from their IT-related investments. Enterprises are also dealing with an increasing amount of regulation, especially those operating globally.

Getting executive management involved and buying in to IT governance implementation is critical. Analysts have often reported that as many as three out of four IT projects fail. This is usually because they are not initiated with a sound business case, sponsored by senior management, and then managed properly as programs, to ensure that benefits are realized. Implementing IT governance is no different and, in fact, it is even more important to drive it properly from a business-benefit perspective, as such initiatives are not typical “IT projects”. COBIT-based implementation and improvement initiatives, therefore, need to be sponsored by executive management and be based on agreed business benefits. The practice of using a business case, defining measurable business outcomes and benefits, makes sure that the improvements are based on real business needs and that good governance disciplines are followed to monitor the return on investment to ensure successful delivery of the improvement objectives.

This is one of the most significant areas where the use of COBIT will add value. Why? Because COBIT tends to involve business and senior management and encourages adoption of good governance practices, structures and activities that drive benefits from IT-related activities.


The objective is to provide sufficient commitment, direction and control of activities so that there is alignment with enterprise objectives and appropriate implementation support from the board, executive management and key management committees.

COBIT 5 Implementation training will help you learn how to connect with executives and develop business cases.

Tip #2 Change Mindsets and Attitudes

Many executives and business users regard anything related to IT as mysterious, technical and risky. As a result, they have not been sufficiently involved in the application of proven techniques to ensure that the use of IT is governed and managed effectively as an integral part of doing business and governing the enterprise. IT is a topic that can no longer be avoided, as using IT has become a part of everyone’s working environment.

From a business perspective, the financial consequences of poorly managed IT services can be very significant, either failing to enable real business benefits, or because of costly losses due to failed projects or unreliable service delivery. IT is often the largest category of expenditure after staffing costs; and it can be a difficult task to acquire a clear and complete picture of exactly how much is being spent, on what types of technology assets and processes, and where in the enterprise. In far too many cases, IT costs are not understood and budgets are spread across business units and functions with no overall oversight resulting in unnecessarily high IT costs.

The most common indicators of poor oversight of IT are:
• Board members or senior managers reluctant to engage with IT.
• Potential senior-level sponsors failing to take ownership for the IT aspects of business initiatives.
• Business executives and IT executives not communicating amongst themselves, nor trusting one another.
• IT leaders and experts not understanding the business requirements.
• Business leaders not understanding the potential for IT-enabled innovation.
• IT service providers slow to respond to add value.
• IT services not aligned or prioritized based on business needs.
• IT risks are not understood or managed effectively in conjunction with business risks.
• Metrics to measure IT service performance not relevant to the business users.

Experience has shown that changing mindsets is probably the biggest challenge when implementing IT Governance using COBIT. The Implementation approach focuses on the needs of stakeholders and the enablement of change. Implementing change works best when the affected role-players are empowered to drive and develop the improved practices themselves. Use of consultants and advisors is most effective when they act as enabling facilitators transferring skills, experiences and proven approaches to the affected role-players and stakeholders, rather than taking over the task.

COBIT 5 Implementation training will help you learn how to deal with stakeholders, role-players, and enable change with COBIT 5.


Tip #3 Initiate a Transformation Program

While the goal is to make continual improvement an on-going natural “business as usual” way of working, it will require a change of attitude and mindset and become a transformation program. Improvement initiatives will generate improvement actions that should then be managed as a program based on a business case with defined business objectives. For these reasons, the implementation approach is based on empowering business and IT stakeholders and role-players, to take ownership of IT governance-related initiatives. The implementation program will be closed when the initiative is generating a measurable benefit and the new way of working has become embedded in on-going business activity.

The COBIT 5 implementation approach emphasizes the importance of program management when driving value from continual improvement. Executive management should allocate clear roles and responsibilities for directing the improvement program. One of the best ways to formalize oversight and direction of the IT governance program and all IT-related activities is to establish an IT executive committee. This committee acts on behalf of the board (to which it is accountable) and is responsible for how IT is used within the enterprise and for making key IT-related decisions affecting the enterprise. It should have a clearly defined mandate, and is best chaired by a business executive (ideally a board member) and staffed by senior business executives representing the major business units, as well as the chief information officer (CIO), and, if required, other senior IT managers. Internal audit and risk functions should provide an advisory role.

Information systems have now become pervasive in the sense that they are built into the strategy of the business. IT is strategic because:
• Success with IT demands a change in culture and mindset.
• IT is enterprise-wide. Not just for the “IT function”.
• Information is a strategic asset.
• No such thing as an “IT project”. Let’s consider these “IT-enabled business initiatives”.

Delivering IT solutions and services and IT governance is not just about technology; it’s about business processes and organizational changes enabled by IT.

COBIT 5 Implementation training will help you learn how to apply program management.

Tip #4 No Big Bang — Continual Improvements in Steps

Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit the unique environment of an enterprise. Each implementation approach will need to address specific challenges, including managing changes to culture and behaviour. COBIT 5 Implementation is based on a continual improvement lifecycle similar to the ITIL approach, but with a much greater emphasis on business drivers. The COBIT approach is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage best practices, and assist in the creation of successful business outcomes and deliver business benefits to enterprises.

Improvement happens progressively, a step at a time, to avoid approaches that are complex. The big bang approach definitely will not work. COBIT 5 Implementation helps leverage the COBIT components and other best practices and standards, when analyzing gaps and designing solutions and prioritizing improvements to deliver quick wins and benefits progressively. COBIT 5 Implementation also guides change enablement so that there is a clear vision of the improvement target, supported by stakeholders with the willingness and involvement of the affected role players. The vision usually has to be implemented progressively in manageable steps. An Improvement Register is a good vehicle for recording and maintaining the status of improvements.

Improvement will only occur if there is a management commitment to invest in continual improvement. Management should also encourage and reward process owners to make improvements, and then provide the necessary resources to sustain the new way of working.

COBIT 5 Implementation training will help you learn how to apply the COBIT 5 Continual Improvement Lifecycle.

Tip #5 Focus on Business Benefits

Proven practices in realizing value from IT, reducing risk and delivering reliable and secure IT services are embodied in COBIT 5—and adopting them does not have to be complex or expensive. Opportunity, cost and risk make IT operationally critical and strategic to enterprise success, so implementing good professional management practices should be an enterprise initiative driven by business need and by executive management, rather than a lower level activity that can easily suffer from lack of commitment or misalignment with strategic objectives.

IT governance-related activities across the enterprise should be managed just like the rest of the business. The best way to achieve this is to focus on:
• Executive and business engagement.
• Clear vision, policies and objectives.
• The basics—applying good management practices.
• Transparency—plain language communications and metrics.
• Collaborative positive team work—“all on the same page”.

Every enterprise needs to tailor the use of COBIT to suit its individual requirements, and experience has shown that adoption of these potentially helpful best practices can be costly and unfocused, if they are not driven by business priorities and requirements. Applying the COBIT 5 value management processes—and use of a value management office for the program—will drive and monitor delivery of benefits from the continual improvement. It will also demonstrate how these practices can be adopted for all IT-related investments.

COBIT 5 Implementation training will help you learn how to connect with the business and identify business benefits.

Tip #6 Deliver Outcomes Instead of Outputs

By using pain points or trigger events to initiate IT governance initiatives, the business case for improvement will be related to issues being experienced, and will clarify the desired business outcomes (such as reduction in incidents, improved service reliability, lower costs, etc.) from the investment in improvement of governance and management practices guided by COBIT. This is an essential step to make sure the requirement for IT governance is properly understood as desired outcomes. The initiative then focuses on delivery of these outcomes, rather than a COBIT implementation approach that is driven by COBIT as the solution. This is a classic weakness in IT-related activities and a trap many enthusiastically fall into. Too often, IT governance implementation projects focus on outputs and gravitate too quickly towards delivery of policies and process documents, which have no value unless they are adopted and work effectively to deliver value-adding outcomes, such as faster and more reliable changes.

Focusing on business outcomes also enhances the likelihood of business involvement, business alignment and, thus, delivery of real business benefits. Executives are faced with risky and challenging IT decisions that are key to delivering successful outcomes, for example:
• Business and IT alignment—who is accountable for defining business needs?
• Agility—can we react in time to new opportunities?
• Service levels—acceptable quality, reliability and availability?
• Outsourcing, off-shoring, cloud—beneficial or risky?
• Network security—are we protected?
• Portable data devices—are we losing data?
• Regulations—do we comply?
• Budgets—why are IT costs so high?
• Investments—do we have a business case and ROI?

Poor IT governance can result in damaging consequences affecting performance and reputation, such as:
• Failed IT initiatives
• Rising costs
• Late project deliveries
• Low business benefit from IT
• Significant IT incidents
• Poor service delivery
• Ineffective IT HR practices
• Regulatory or contractual issues
• Audit findings

COBIT 5 Implementation training will help you learn how to recognize pain points, trigger events and desired improvement outcomes.

Tip #7 Learn from Best Practices

The adoption of proven best practices helps guide professional behaviour, increase effectiveness and efficiency, and result in reliable and trusted activities. They avoid “re-inventing wheels” and disagreements between business, IT, risk and assurance stakeholders and save time in developing approaches. However, every enterprise is different and there is no “one-size-fits-all”. COBIT 5 and other best practices will help to realize value from IT investments and IT services by identifying benefits, such as:
• Improving the achievability, predictability and repeatability of successful business outcomes.
• Aligning the allocation of resources with business and stakeholders’ needs.
• Gaining the confidence and increased involvement of business sponsors and users.
• Improving the quality, responsiveness and reliability of IT solutions and services.
• Reducing risks, incidents and project failures.
• Improving the business’s ability to manage and monitor IT benefit realization.

The enterprise will also benefit from increased efficiencies and reduced costs by:
• Avoiding the reinvention of proven practices.
• Reducing dependency on technology experts.
• Increasing the potential to utilize less experienced, but properly trained, staff.
• Overcoming IT experts working in isolation and not following agreed processes.
• Increasing standardization leading to cost reduction.
• Making it easier to leverage external assistance through the use of industry-standard processes.

In a climate of increasing regulation and concern about IT-related risks, adopting best practices will help to minimize compliance issues by:
• Making compliance and the application of internal controls “normal business practice”.
• Demonstrating processes aligned with proven industry best practices.
• Improving trust and confidence from management and partners.
• Creating respect from organizations and individuals outside of the business.

Adherence to best practices also helps strengthen supplier/customer relations, make contractual obligations easier to monitor and enforce, and harmonize multi-supplier outsourcing contracts. They can also help to improve the market position of those service providers seen to be compliant with accepted global standards such as ISO/IEC 20000, ISO/IEC 27002 and ISAE 3402.

While implementation should be guided by COBIT 5 and other standards and best practices, specific solutions must be developed that are suitable for adoption and use within the enterprise. Where tools are used, it is best to choose proven tools aligned with best practices and then adapt working practices to align with the tools. Modifying toolsets will create future maintenance headaches, increase costs and diminish the benefits of the tool design.

Best practices exist to save time, avoid re-inventing wheels and to learn from successful experience and expert guidance. From these experiences, they have been shown to deliver superior results. COBIT is one of the most popular frameworks for helping enterprises deliver superior results from the use of IT. COBIT and other best practices such as ITIL, however, need to be understood to be applied effectively, and are only as good as the people who use them. Business and IT professionals need to understand how to use COBIT to deliver value to the enterprises they serve. Only then is the value of their personal contribution recognized and the value of COBIT demonstrated, when measurable business benefits have resulted from the contribution of role-players and their use of COBIT.

Education is therefore essential. A lack of skills or a culture that doesn’t understand the value of best practices can be the biggest obstacles to COBIT adoption. The comprehensive ITpreneurs training schemes that support the understanding and application of COBIT and other relevant best practices such as ITIL are critical to support implementation activity. Mixing business and IT professionals in COBIT classes, especially when run in-house, has been proven to greatly increase the mutual understanding of issues and potential solutions, break down cultural barriers, and encourage a holistic team approach to implementing improvements.

COBIT 5 Implementation training will help you learn how to avoid reinventing the wheel and personally improve your performance.


Acknowledgements

ITpreneurs is pleased to share with you a deeper knowledge of various frameworks and domains—connecting their usage and application for the betterment of the IT profession. Our appreciation goes to the industry experts who generously share their invaluable knowledge and experience with us. Our special thanks go to Gary Hardy for his work on this white paper.

Contacts

Gary Hardy
Lead Author of COBIT and Owner of IT Winners
Tel: +27 (0) 21 794 4324 | +27 (0) 82 857 0727
www.itwinners.com
7 Fern Close - Constantia 7806 Cape Town RSA

May Sau
Marketing Manager, ITpreneurs
Tel: +31 (0) 10 71 10 260
www.itpreneurs.com
Weena 324-326 3012 NJ Rotterdam The Netherlands

Copyright and Trademark Information

Copyright © 2014 ITpreneurs. All rights reserved. COBIT® is a trademark of ISACA® registered in the United States and other countries.
