Upload
greet-volders
View
224
Download
0
Embed Size (px)
Citation preview
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
1/14
1 | P a g e
Implementing COBIT 5 at ENTSO-EBy Greet Volders, CGEIT and COBIT Certified Assessor.
And Kees de Jong, CISSP, SIPP/E and CIPM.
COBIT Focus | 28 March 2016 English
The IT director of the European Network of Transmission System Operators for Electricity (ENTSO-E) undertook apragmatic approach toward implementing COBIT® 5 at the organisation beginning in 2014. Now, 2 years later, it is timeto share this successful collaboration between the internal IT department, the business organisation and the external
consultant(s), and to share how the results were achieved.
Taking a practical approach towards implementing a programme for governance of enterprise IT (GEIT) based on COBIT5, ENTSO-E focused on prioritising the processes, the development of these processes and —most importantly —thepractical issues to overcome during the implementation of a new way of working.
About ENTSO-EENTSO-E represents 42 electricity transmission system operators (TSOs) from 35 countries across Europe(figure 1). ENTSO-E was established and given legal mandates by the EU’s Third Legislative Package for the InternalEnergy Market in 2009, which aims at further liberalising gas and electricity markets in the EU.
ENTSO-E promotes closer cooperation across Europe’s TSOs to support the implementation of EU energy policy and
achieve Europe’s energy and climate policy objectives, which are changing the very nature of the power system.
Through its deliverables, ENTSO-E is helping to build the world’s largest electricity market, the benefits of which will befelt by all those in the energy sector as well as by Europe’s overall economy, today and into the future.
IT Strategy Background at ENTSO-EENTSO-E requires the following to be in place to meet its objectives: Infrastructures to enable the passage of huge electricity flows through Europe A 10-year network development plan Publication of summer and winter outlook reports for electricity generation A legal framework for handling energy in Europe An information platform that provides free and equal access to fundamental data and information on pan-
European wholesale energy generation, transmission and consumption Technical cooperation between TSOs who are responsible for the bulk transmission of electric power on the main
high-voltage electric networks and provide grid access to the electricity market players
Figure 1 —ENTSO-E Customers and Energy Sources
DISCUSS THIS ARTICLE
http://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/member-companies/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/member-companies/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/member-companies/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/official-mandates/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/official-mandates/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/official-mandates/Pages/default.aspxhttps://www.entsoe.eu/major-projects/ten-year-network-development-plan/Pages/index.htmlhttps://www.entsoe.eu/major-projects/ten-year-network-development-plan/Pages/index.htmlhttps://www.entsoe.eu/major-projects/ten-year-network-development-plan/Pages/index.htmlhttps://www.entsoe.eu/publications/system-development-reports/outlook-reports/Pages/default.aspxhttps://www.entsoe.eu/publications/system-development-reports/outlook-reports/Pages/default.aspxhttps://www.entsoe.eu/publications/system-development-reports/outlook-reports/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/legal-and-regulatory/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/legal-and-regulatory/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/legal-and-regulatory/Pages/default.aspxhttps://www.entsoe.eu/news-events/announcements/announcements-archive/Pages/News/Transparency-Towards-Open-Competitive-Internal-Energy-Market.aspxhttps://www.entsoe.eu/news-events/announcements/announcements-archive/Pages/News/Transparency-Towards-Open-Competitive-Internal-Energy-Market.aspxhttps://www.entsoe.eu/news-events/announcements/announcements-archive/Pages/News/Transparency-Towards-Open-Competitive-Internal-Energy-Market.aspxhttps://www.entsoe.eu/news-events/announcements/announcements-archive/Pages/News/Transparency-Towards-Open-Competitive-Internal-Energy-Market.aspxhttps://www.entsoe.eu/about-entso-e/legal-and-regulatory/Pages/default.aspxhttps://www.entsoe.eu/publications/system-development-reports/outlook-reports/Pages/default.aspxhttps://www.entsoe.eu/major-projects/ten-year-network-development-plan/Pages/index.htmlhttps://www.entsoe.eu/about-entso-e/inside-entso-e/official-mandates/Pages/default.aspxhttps://www.entsoe.eu/about-entso-e/inside-entso-e/member-companies/Pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspx
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
2/14
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
3/14
3 | P a g e
Source: ENTSO-E. Reprinted with permission.
The IT manager reports to the 3 governance levels in the organisation (figure 2): The assembly is made up of representatives from the 41 member TSOs from 34 European countries at the chief
executive officer (CEO) level. The board consists of 12 elected members. The ENTSO-E secretary general is the highest executive responsible for the daily operation of the secretariat.
As the IT director began to develop the IT strategy, issues to overcome included: The current IT manager started in September 2013, and he was the third in a relatively short period. The board had insisted 1 year earlier on a new IT strategy. As a result, a concept IT strategy had been defined with the help of 6 TSO IT managers
At the beginning of 2014, the perception at the ENTSO-E Management Team was that the IT strategy was 99% ready,but the new IT manager wanted to change it and make it more specific. This required some delicate manoeuvring.
IT Strategy DevelopmentThe revised IT strategy was based on a governance structure with 3 focus areas, which were presented to and approvedby the assembly. Figure 3 shows the governance structure.
Figure 3 —ENTSO-E Governance Structure
Source: ENTSO-E. Reprinted with permission.
More detailed targets were then defined in the IT strategy, including: Pragmatic selection and implementation of best practices and standards Reviewing all major IT suppliers
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
4/14
4 | P a g e
Moving all data centre activities to 1 permanent supplier Moving all application operations to 2 or more permanent suppliers Focusing on size of IT department (number of staff, ratio of internal/external personnel, refocused data management
development activities)
The overall objective was to develop an IT organisation ready to support the TSO members in the best possible way.
The selection of best practices and standards was one of the detailed targets defined by the IT strategy. The selectionresults included:
ITIL as the guiding framework for IT Service Management (ITSM). All IT staff would participate in the foundationtraining and obtain their certification, so that a solid knowledge base will be present within the IT staff. Project management based on PRINCE2, in order to introduce a more structured project management approach,
which will result in more clearly documented relation between the business benefits and the IT deliverables at thebeginning of each project. This decreases the risk of not delivering on time and within budget.
ISO 27002:2013 as guide for information security, in order to comply with external requirements regarding securitymanagement at ENTSO-E. Data Management Body of Knowledge (DMBOK) for data management to support the move from a Network Code
delivery organisation towards a data management support organisation. COBIT 5 for having an overarching governance and management framework and to enable ENTSO-E to identify
the major IT processes that need to be in place to fulfil the enterprise goals. (Notably, COBIT was not selected inJanuary 2014; the decision was made to start working with COBIT 5 in June 2014.)
Progress Management A structure was set up to manage the progress of this IT strategy (figure 4).
Figure 4 —Progress Management Structure
Source: ENTSO-E. Reprinted with permission.
The project steering group consisted of 2 internal managers, the IT manager and the IT strategy programme manager,who reported to this steering committee.
The working group, responsible for data strategy, consisted of representatives from several TSOs, managed by theinternal data management team.
The peer reviews from chief information officers (CIOs) of 6 TSOs were important to validate the IT strategy and followthe progress and outcome of this IT strategy programme.
The IT manager implemented monthly meetings with his peers to understand what was required from a businessperspective and also keep them in the loop. This was (and still is) done through monthly face-to-face meetings.
After a few months, the need to develop a dashboard to plan and monitor the progress of this program became clear,
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
5/14
5 | P a g e
and resulted in the development of the dashboard tool described in the next section.
Prioritisation of the Processes by Goals CascadeFor the prioritisation of the IT processes, the COBIT 5 Goals Cascade was applied and the team developed its own tool tomanage the different steps in this cascading process.
Most often, the Goals Cascade is used to select those COBIT processes with the highest priority, to develop andimplement, or to perform a process assessment, starting with the goals at the enterprise level. In this case, it was used todefine the prioritisation of the COBIT 5 processes in order to prepare a plan and ensure focus on the right processes.
This was a 6-step selection process: Step 1 —Identify relevant business drivers for the IT processes. Step 2 —Prioritise the enterprise’s IT processes. Step 3 —Perform a preliminary selection of target processes based on the above prioritisation. Step 4 —Confirm the preliminary selection of target processes with the project sponsor and key stakeholders. Step 5 —Finalize the list of processes. Step 6 —Document the scoping methodology in the IT strategy document.
Step 1: Identify Relevant Business DriversTo identify the business drivers, the IT manager had several discussions with different business partners and
stakeholders, explaining that it is not about IT change, but enabling the business to work better. While doing this, he hadto change the language from IT language to business language, in order to “speak their language”, and also to highlightthat this is not about technology, but about information —their information.
To define the enterprise goals, the IT manager organised meetings with the 6 TSO IT managers to identify the externalpriorities and with the IT strategy steering committee to identify the internal priorities and then to come to a consensuswithin the ENTSO-E management team, based on the internal and external priorities.
This resulted in the following selection of enterprise goals: External priorities, defined by the 6 TSO IT managers:
1. Financial transparency2.
Customer-oriented service culture3.
Business service continuity and availability4.
Operational and staff productivity5.
Skilled and motivated people
Internal priorities, defined by the IT strategy steering committee:1. Stakeholder value of business investments2. Optimisation of service delivery costs3.
Optimisation of business process functionality4. Optimisation of business process costs5.
Managed business change programmes
Balanced, and final, priorities as approved by the ENTSO-E management team:1.
Stakeholder value of business investments2. Financial transparency
3.
Business service continuity and availability4.
Optimization of service delivery costs5. Optimization of business process functionality6.
Operational and staff productivity
These priorities were selected from the list of generic enterprise goals, as listed in the COBIT 5 framework.1
Step 2: Prioritize the Enterprise’s IT ProcessesThe final list of enterprise goals was used to start the Goals Cascade. Based on the 2 mapping tables2 found in the COBIT
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
6/14
6 | P a g e
5 framework, a tool through which the cascade was run automatically after having indicated the 6 selected goals wasdeveloped.3
Step 3: Perform a Preliminary Selection of Target ProcessesThe first selection resulted in the following priority range using different colours to indicate the priority of each process(figure 5).
Figure 5 —Preliminary Priority Range of Target Processes
Source: ENTSO-E. Reprinted with permission.
Steps 4 and 5: Confirm the Preliminary Selection With the ProjectSponsor and Key Stakeholders and Finalize the List of ProcessesThe preliminary priority range of target processes was not found by the management team to be very clear, so anotherway of presenting the priorities, with 3 priority levels, was developed. In addition to the presentation format, some of thehigh-priority processes seemed illogical places to start.
For example, problem management had a high priority, compared to e.g. service request and incident management,configuration management and change management. Without a proper incident management, it is very difficult (if notimpossible) to develop and implement problem management, since the analysis of the incidents is used as a possiblesource to identify problems. And in order to solve problems, changes can be initiated, so proper change management is
needed to solve the problems identified.
So, with the IT manager, we re-evaluated the importance and priorities. The outcome was the figure with the revisedprioritisation overview (figure 7)
Figure 7 —Revised Process Prioritisation Overview
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
7/14
7 | P a g e
Source: Greet Volders. Reprinted with permission.
Step 6: Document the Scoping Methodology in the IT StrategyDocumentThe developed and applied approach was documented in the IT strategy document, which was used to further detail theactions needed to implement the IT strategy. In addition to developing the IT processes, priority focus was put on data
management. Based on the priorities and other regulations ENTSO-E needed to comply with, a road map was developed.
The first step in defining the road map was to define the roles and responsibilities for the major data managementstakeholders. Figure 8 shows that ENTSO-E will lead IT in directions and priorities of the data management road map,the work groups will inform IT on what to do, and the IT manager will ask for advice and reviews from the TSO ITmanagers and the governance boards to ensure that all data management initiatives are well aligned with other initiativewithin the TSO member community.
Figure 8 —Roles and Responsibilities for Major Data Stakeholders
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
8/14
8 | P a g e
Source: ENTSO-E. Reprinted with permission.
The data management strategy will be based on the following principles: ENTSO-E management will approve projects. Decisions within the projects will be made by the project steering
committee. Work groups will define requirements to support stakeholders needs and to create benefits realisation:
o The project manager will present the work groups to ENTSO-E management.o Work groups will be supported in the beginning of a project through a high-level impact analysis from data
management perspective.o Work groups will be supported by IT to define business requirements, if needed.o Work groups will inform IT on related regional and local initiatives.o Work groups will be involved in the design of the solution and will be informed on the proposed solution to
support the requirements of IT. TSO IT managers will review the solution from an integration perspective and TSO collaboration perspective:
o TSO IT manager will review the data management reference architecture, identify integration risk and qualityrisk, and review whether proposed solutions could be supported by TSOs.
o
The IT manager will advise ENTSO-E on risk identified by the TSO IT managers.o TSO IT managers will inform their board on advice and risk factors as well.
The governance board (composed of committees, expert groups and TSO managers) will perform quality reviews andcontrol the delivery process. The results of their analysis will be forwarded to the project steering committee or theENTSO-E board, depending of their findings. On request, IT will present their data management initiatives and/orsolutions to these boards.
How to Visualize the Plan and the ProgressIn the beginning of the program, an overview of all 37 COBIT processes was developed, which was available on theextranet and managed on the intranet, to show the progress in a simple, visual way —through links to the processdescriptions and other supporting documents.
In addition to this overview, detailed plans for each process were developed. As working from the detailed plans becamecumbersome, one dashboard for the 37 processes was developed.
The starting point for the dashboard was the COBIT 5 Process Reference Model. The dashboard is completely managed ina single Excel-file (figure 9).
ENTSO-E
management
Direct, Evaluate
and Monitor
TSO IT
managers
SolutionReview
Work Groups
Stakeholder
Needs
Benefits
RealisationGovernance
Board
Control
Processes
Quality Review
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
9/14
9 | P a g e
Figure 9 —Process Progress Dashboard
Source: Greet Volders. Reprinted with permission.
For each COBIT 5 process, a specific action plan was developed with targets for five specific questions. These questionswere related to the five levels of the COBIT Process Assessment Model (PAM) (figure 10).
Figure 10 —Example status for 1 process
Source: Greet Volders. Reprinted with permission.
The action list (figure 11) of all processes was consolidated into one sheet to make it easy for all people involved tocheck the status and follow up on their own actions.
Figure 11 — Action List
IT Management Framework
Score in % Absoluut
score
Question Level 2 Level 3 Level 4Level 5 Due date
100% 3 Documentation exists? 3 3 0 0 17/09/2015
100% 2 Are KPI's defined? 0 2 2 0 15/11/2015
0% 0 Is there reporting? 0 0 0 0 15/12/2015
100% 1 Is an owner assigned? 1 0 0 0 17/09/2015
100% 1 Are users trained? 0 1 0 0 31/10/2015
80% 2,4 Is the job being done? 0 2,4 0 0 30/11/2015
100% 1 Is a supporting tool required and if yes available; if not requi 0 1 0 0
0% 0 Are there regular veri fi cations of the correct appl ication? 0 0 0 0
0% 0 Cause analysis on deviating results, with corrective actions? 0 0 0 0
0% 0 Improvement actions are identi fied? 0 0 0 0
Total score per level 4 9,4 2 0
10,4 Total percentage per level 80% 85% 50% 0%
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
10/14
10 | P a g e
Source: Greet Volders. Reprinted with permission.
The planning and follow-up for each achievement is also reported on a single sheet (figure 12), which is based on thedetails of each process.
Figure 12 —Process Planning and Follow-up
Source: Greet Volders. Reprinted with permission.
The end result is the monitoring of the status of each process in the process progress sheet (figure 13).
Figure 13 —Process Progress Sheet
Link Action nr Nr Date actio What Due date Who
APO01 APO01-01 1 17/08/15 Validate findings and score 31/08/15 GVO
APO01 APO01-02 2 07/08/15 Complete process description 11/09/15 GVO
APO01 APO01-03 3 22/08/15 Validate process description 17/09/15 KDJ
APO01 APO01-04 4 22/08/15 Define stakeholders & ownership 17/09/15 KDJ
MEA01 MEA01-02 2 07/08/15 Complete process description 31/08/15 GVO
DSS05 DSS05-03 3 22/08/15 Define implementation steps 15/09/15 KBU
MEA01 MEA01-03 3 06/09/15 Validate process description 15/09/15 KDJ
BAI10 BAI10-02 2 07/08/15 Complete process description 31/08/15 GVO
Process name Actual Due date sep/15 okt/15 nov/15 dec/15 jan/16 feb/16 mrt/16 apr/16
Documentation 100% 17/09/2015 groen groen groen groen groen groen groen groen
KPI's 100% 15/11/2015 groen groen groen groen groen groen groen groen
Reporting 0% 15/12/2015 andere kl andere kl andere kl andere kl rood rood rood rood
Owner 100% 17/09/2015 groen groen groen groen groen groen groen groen
Users trained 100% 31/10/2015 groen groen groen groen groen groen groen groen
Job being done 80% 30/11/2015 andere kl andere kl andere kl rood rood rood rood roodDocumentation 100% 31/08/2015 groen groen groen groen groen groen groen groen
KPI's 100% 15/11/2015 groen groen groen groen groen groen groen groen
Reporting 0% 15/12/2015 andere kl andere kl andere kl andere kl rood rood rood rood
Owner 100% 31/08/2015 groen groen groen groen groen groen groen groen
Users trained 100% 31/10/2015 groen groen groen groen groen groen groen groen
Job being done 100% 30/11/2015 groen groen groen groen groen groen groen groen
Documentation 100% 15/10/2015 groen groen groen groen groen groen groen groen
KPI's 80% 15/12/2015 andere kl andere kl andere kl andere kl rood rood rood rood
Reporting 60% 15/01/2016 andere kl andere kl andere kl andere kl andere kl rood rood rood
Owner 100% 31/08/2015 groen groen groen groen groen groen groen groen
Users trained 0% 30/11/2015 andere kl andere kl andere kl rood rood rood rood rood
Job being done 50% 31/12/2015 andere kl andere kl andere kl andere kl rood rood rood rood
APO03
APO02
APO01
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
11/14
11 | P a g e
Source: Greet Volders. Reprinted with permission.
Increasing Knowledge and Awareness A last, but important element in this program was to increase knowledge about COBIT 5 and to map this to the daily worwithin the IT department.
This was accomplished by giving periodic presentations in staff-meetings, providing presentations on COBIT and sendingthe COBIT 5 Framework to the TSO IT managers.
For the internal IT department, a tool was developed that included the following elements: A service catalogue summarising all services provided by the IT department, and divided by services for the members
and services for the internal secretariat organisation A service level agreement (SLA) matrix listing all the services and indicating responsibilities and estimated effort The related service definitions linked from the service catalogue Key performance indicators (KPIs) for each service definition An operational task list where all recurring tasks were added with notifications to the persons assigned “N” days
before the target date and on the target date
Figure 14 shows the interaction among all of these elements.
Figure 14 — Overview of the tools and their interaction
Process Total score Owne r Proces s Titl e Level1 Level2 Level3 Level4 Level5
EDM01 15% KDJ Governance Framework Setting & Maintenance 26% 12% 0% 0% 15% 0%
EDM02 15% KDJ Benefits delivery 26% 12% 0% 0% 15% 0%
EDM03 26% NFR Risk optimisati on 58% 31% 0% 0% 26% 0%
EDM04 15% KDJ Resource optimisation 26% 12% 0% 0% 15% 0%
EDM05 9% KDJ Stakeholder Transparency 26% 3% 0% 0% 9% 0%
APO01 69% KDJ I T Manage me nt Frame work 80% 85% 50% 0% 69% 0%
APO02 73% KDJ Strategy 80% 91% 50% 0% 73% 0%
APO03 51% PVI Ente rpri se Archi te cture 80% 61% 55% 0% 51% 0%
APO04 7% KDJ Innovation 20% 0% 0% 0% 7% 0%APO05 7% KDJ Portfolio 20% 0% 0% 0% 7% 0%
APO06 73% KDJ Budget & Costs 80% 91% 50% 0% 73% 0%
APO07 13% KDJ Human Resources 20% 9% 0% 0% 13% 0%
APO08 7% KDJ Relationships 20% 0% 0% 0% 7% 0%
APO09 76% GVO S ervice Agreements 80% 95% 75% 0% 75% 1%
APO10 57% KDJ Suppliers 80% 68% 63% 0% 57% 0%
APO11 17% GVO Quality 50% 14% 0% 0% 17% 0%
APO12 29% KBU Risk 68% 31% 0% 0% 29% 0%
APO13 47% KBU Security 80% 55% 50% 0% 47% 0%
BAI01 33% BMA Programmes & Projects 80% 36% 0% 0% 33% 0%
BAI02 13% KDJ Requirements Definition 20% 9% 0% 0% 13% 0%
BAI03 3% PVI Solutions Identification & Build 10% 0% 0% 0% 3% 0%
BAI04 59% MKU Avai labi li ty & Capaci ty 80% 72% 55% 0% 59% 0%
BAI05 10% MKU Organisational Change Enablement 10% 9% 0% 0% 10% 0%
BAI06 73% MKU Changes 80% 91% 50% 0% 73% 0%
BAI07 7% MKU Change Acceptance & Transitioning 20% 0% 0% 0% 7% 0%
BAI08 7% JFZ Knowledge 20% 0% 0% 0% 7% 0%BAI09 60% JFZ Assets 80% 73% 0% 0% 43% 17%
BAI10 41% JFZ Configuration 80% 47% 0% 0% 41% 0%
DSS01 85% JFZ Operations 96% 100% 75% 0% 81% 4%
DSS02 83% JFZ Serv ice Reques ts & Inci de nts 90% 100% 75% 0% 83% 0%
DSS03 76% JFZ Problems 94% 88% 65% 0% 67% 9%
DSS04 10% KBU Continuity 10% 9% 0% 0% 10% 0%
DSS05 66% KBU S ecurity Services 80% 81% 50% 0% 66% 0%
DSS06 14% KBU Business Process Controls 22% 15% 0% 0% 14% 0%
MEA01 55% KDJ Performance & Conformance 80% 66% 55% 0% 55% 0%
MEA02 10% KBU The System of Internal Control 10% 9% 0% 0% 10% 0%
MEA03 3% KBU Compliance with External Requirements 10% 0% 0% 0% 3% 0%
Total score
on 28 Oct.
2015
Difference
27 Nov. vs.
28 Oct
PAM level achieved
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
12/14
12 | P a g e
Source: Greet Volders. Reprinted with permission.
All of these tools and elements are available on ENTSO-E’s SharePoint-based intranet; some are Excel files and others arelists or libraries in SharePoint.
Current Status Two Years Later After 1.5 year, we made an evaluation of our achievements. This was done, by going back to the original Governancestructure we wanted to put in place.
On a high level, the project is on track.
We developed policies and standards of highest priority, and these are also applied through the processes.
Moving from project mode to operational resulted in unexpected cost and staffing issues, which need to bemanaged and solved. So there is still some work to do.
The single hosting supplier program is ongoing, but no decision is taken yet.
figure 15 provides this high-level overview of the current state.
Figure 15 — IT Strategy, current status
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
13/14
13 | P a g e
Source: ENTSO-E. Reprinted with permission.
More in detail, we completed a review of all major IT suppliers resulting in: Move all data centre activities to one permanent supplier (ongoing) Move all application operations to two or more permanent suppliers (ongoing) Focus on size of IT department: number of staff, ratio of internal versus external staff and a renewed focus on data
management development activities An IT organisation ready to support the TSO members in the best possible way A final exercise was performed to verify how well the originally defined enterprise goals were being achieved.
Essentially, it was a reverse goals cascade. It started from the percentages achieved for the COBIT 5 processes and an upward calculation was performed to
arrive at the achievement of all 17 generic enterprise goals.
In order to quantify the achievements, we developed a “reversed goals cascade”. This starts from the percentagesachieved for each of the 37 COBIT processes, what we “mapped back” via the IT related goals, to the Enterprise Goals.
The results of this reversed goals cascade, as of October 2015, are shown in figure 16.
Figure 16— Reversed Goals Cascade
Source: Greet Volders. Reprinted with permission.
This exercise shows where progress has been made with the business goals. In this case, the business is quite pleasedwith the overall result, especially as the amount of change for the organisation was astounding.
8/16/2019 Practical Case Implementing COBIT Processes_2016-04
14/14
14 | P a g e
Author’s Note If you would like more information on the tools that were developed, or to get more detailed information, please contactGreet Volders at [email protected].
Greet Volders, Managing Consultant and C.E.O. of Voquals N.V., CGEIT and COBIT Certified Assessor
Greet’s main activity is providing advice for our customers, and regularly she gives trainings & seminars related to ITGovernance, Process Improvement and IT/Business alignment.
Since 2002, Greet is an active member in several development teams for COBIT and the development of COBIT PAM(Process Assessment Model). Next to that she is also specialised in the optimisation of internal processes conform toSOX and CMMI.
In this context, she executed a lot of assessments and audits to check the conformance to COBIT and CMMI in severalcompanies. Preparing companies for a compliancy-audit conforming ISO-standards is another field of expertise.
For more than 15 years, Greet has been giving trainings and presentations about Quality Systems, the development andassessment of IT and Business processes, and the use of standards and frameworks.
Greet is accredited trainer for the COBIT 5 foundationand Assessors’ training.
She is a regular speaker at ISACA events, such as seminars and trainings for ISACA Belgium, presentations at EuroCACS
in 2011, 2012 and 2013, and the COBIT Conference in 2015, where she presented this practical, together with Kees deJong.
Endnotes
1 ISACA, COBIT 5, USA, 2012, p. 192 Ibid ., Appendix B and C
3 If you are interested in obtaining this tool, please contact author Greet Volders at [email protected].
mailto:[email protected]:[email protected]:[email protected]://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxhttp://www.isaca.org/cobit/pages/default.aspxmailto:[email protected]:[email protected]:[email protected]:[email protected]://www.isaca.org/cobit/pages/default.aspxmailto:[email protected]