The COBIT 5 framework is built on five basic principles, which are covered in detail, and includes extensive guidance on enablers for governance and management of enterprise IT.
The COBIT 5 product family includes the following products:
• COBIT 5 (the framework)
• COBIT 5 enabler guides, in which governance and management enablers are discussed in detail. These include:
– COBIT 5: Enabling Processes
– COBIT 5: Enabling Information (in development)
– Other enabler guides (check www.isaca.org/cobit)
• COBIT 5 professional guides, which include:
– COBIT 5 Implementation
– COBIT 5 for Information Security (in development)
– COBIT 5 for Assurance (in development)
– COBIT 5 for Risk (in development)
– Other professional guides (check www.isaca.org/cobit)
• A collaborative online environment, which will be available to support the use of COBIT 5
Executive summary
Information is a key resource for all enterprises, and from the time that information is created to the moment that it is destroyed, technology plays a significant role. Information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.
As a result, today, more than ever, enterprises and their executives strive to:
• Maintain high-quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through the reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.
• Comply with ever-increasing relevant laws, regulations, contractual agreements and policies.
Over the past decade, the term ‘governance’ has moved to the forefront of business thinking in response to examples demonstrating the importance of good governance and, on the other end of the scale, global business mishaps.
Successful enterprises have recognised that the board and executives need to embrace IT like any other significant part of doing business. Boards and management—both in the business and IT functions—must collaborate and work together, so that IT is included within the governance and management approach. In addition, legislation is increasingly being passed and regulations implemented to address this need.
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 is based on five key principles (shown in figure 2) for governance and management of enterprise IT:
• Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
• Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of enterprise IT into enterprise governance:
– It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
– It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT.
• Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
• Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
– Principles, Policies and Frameworks
– Processes
– Organisational Structures
– Culture, Ethics and Behaviour
– Information
– Services, Infrastructure and Applications
– People, Skills and Competencies
• Principle 5: Separating Governance From Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. COBIT 5’s view on this key distinction between governance and management is:
– Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organisational structures at an appropriate level, particularly in larger, complex enterprises.
– Management
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
Together, these five principles enable the enterprise to build an effective governance and management framework that optimises information and technology investment and use for the benefit of stakeholders.
COBIT 5 provides the next generation of ISACA’s guidance on the enterprise governance and management of IT. It builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from business, IT, risk, security and assurance communities. The major drivers for the development of COBIT 5 include the need to:
• Provide more stakeholders a say in determining what they expect from information and related technology (what benefits at what acceptable level of risk and at what costs) and what their priorities are in ensuring that expected value is actually being delivered. Some will want short-term returns and others long-term sustainability. Some will be ready to take a high risk that others will not. These divergent and sometimes conflicting expectations need to be dealt with effectively.
Furthermore, not only do these stakeholders want to be more involved, but they want more transparency regarding how this will happen and the actual results achieved.
• Address the increasing dependency of enterprise success on external business and IT parties such as outsourcers, suppliers, consultants, clients, cloud and other service providers, and on a diverse set of internal means and mechanisms to deliver the expected value
• Deal with the amount of information, which has increased significantly. How do enterprises select the relevant and credible information that will lead to effective and efficient business decisions? Information also needs to be managed effectively and an effective information model can assist.
• Deal with much more pervasive IT; it is more and more an integral part of the business. Often, it is no longer satisfactory to have IT separate even if it is aligned to the business. It needs to be an integral part of the business projects, organisational structures, risk management, policies, skills, processes, etc. The roles of the chief information officer (CIO) and the IT function are evolving. More and more people within the business functions have IT skills and are, or will be, involved in IT decisions and IT operations. IT and business will need to be better integrated.
• Provide further guidance in the area of innovation and emerging technologies; this is about creativity, inventiveness, developing new products, making the existing products more compelling to customers and reaching new types of customers. Innovation also implies streamlining product development, manufacturing and supply chain processes to deliver products to market with increasing levels of efficiency, speed and quality.
• Cover the full end-to-end business and IT functional responsibilities, and cover all aspects that lead to effective governance and management of enterprise IT, such as organisational structures, policies and culture, over and above processes
• Get better control over increasing user-initiated and user-controlled IT solutions
• Achieve enterprise:
– Value creation through effective and innovative use of enterprise IT
– Business user satisfaction with IT engagement and services
– Compliance with relevant laws, regulations, contractual agreements and internal policies
– Improved relations between business needs and IT objectives
• Connect to, and, where relevant, align with, other major frameworks and standards in the marketplace, such as Information Technology Infrastructure Library (ITIL®), The Open Group Architecture Forum (TOGAF®), Project Management Body of Knowledge (PMBOK®), PRojects IN Controlled Environments 2 (PRINCE2®), Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO) standards. This will help stakeholders understand how various frameworks, good practices and standards are positioned relative to each other and how they can be used together.
• Integrate all major ISACA frameworks and guidance, with a primary focus on COBIT, Val IT and Risk IT, but also considering the Business Model for Information Security (BMIS), the IT Assurance Framework (ITAF), the publication titled Board Briefing on IT Governance, and the Taking Governance Forward (TGF) resource, such that COBIT 5 covers the complete enterprise and provides a basis to integrate other frameworks, standards and practices as one single framework
Different products and other guidance covering the diverse needs of various stakeholders will be built from the main COBIT 5 knowledge base. This will happen over time, making the COBIT 5 product architecture a living document. The latest COBIT 5 product architecture can be found on the COBIT pages of the ISACA web site (www.isaca.org/cobit).
The COBIT 5 framework contains seven more chapters:
• Chapter 2 elaborates on Principle 1, Meeting Stakeholder Needs. It introduces the COBIT 5 goals cascade. The enterprise goals for IT are used to formalise and structure the stakeholder needs. Enterprise goals can be linked to IT-related goals, and these IT-related goals can be achieved through the optimal use and execution of all enablers, including processes. This set of connecting goals is called the COBIT 5 goals cascade. The chapter also provides examples of typical governance and management questions that stakeholders may have about enterprise IT.
• Chapter 3 elaborates on Principle 2, Covering the Enterprise End-to-end. It explains how COBIT 5 integrates governance of enterprise IT into enterprise governance by covering all functions and processes within the enterprise.
• Chapter 4 elaborates on Principle 3, Applying a Single Integrated Framework, and describes briefly the COBIT 5 architecture that achieves the integration.
• Chapter 5 elaborates on Principle 4, Enabling a Holistic Approach. Governance of enterprise IT is systemic and supported by a set of enablers. In this chapter, enablers are introduced and a common way of looking at enablers is presented: the generic enabler model.
• Chapter 6 elaborates on Principle 5, Separating Governance From Management, and discusses the difference between management and governance, and how they interrelate. The high-level COBIT 5 process reference model is included as an example.
• Chapter 7 contains an introduction to Implementation Guidance. It describes how the appropriate environment can be created, the enablers required, typical pain points and trigger events for implementation, and the implementation and continual improvement life cycle. This chapter is based on the publication titled COBIT® 5 Implementation, where full details on how to implement governance of enterprise IT based on COBIT 5 can be found.
• Chapter 8 elaborates on the COBIT 5 process capability model used in the COBIT Assessment Programme (www.isaca.org/cobit-assessment-programme), how it differs from COBIT 4.1 process maturity assessments, and how users can migrate to the new approach.
The appendices contain reference information, mappings and more detailed information on specific subjects:
• Appendix A. References used during COBIT 5 development are listed.
• Appendix B. Detailed Mapping Enterprise Goals—IT-related Goals describes how enterprise goals typically are supported by one or more IT-related goals.
• Appendix C. Detailed Mapping IT-related Goals—IT-related Processes describes how COBIT processes support the achievement of IT-related goals.
• Appendix D. Stakeholder Needs and Enterprise Goals describes how typical stakeholder needs relate to COBIT 5 enterprise goals.
• Appendix E. Mapping of COBIT 5 With the Most Relevant Related Standards and Frameworks
• Appendix F. Comparison Between the COBIT 5 Information Model and the COBIT 4.1 Information Criteria
• Appendix G. Detailed Description of the COBIT 5 Enablers builds on chapter 5 and includes more details on the different enablers, including a detailed enabler model describing specific components, and is illustrated with a number of examples.
• Appendix H. Glossary
Enterprises exist to create value for their stakeholders. Consequently, any enterprise—commercial or not—will have value creation as a governance objective. Value creation means realising benefits at an optimal resource cost while optimising risk. (See figure 3.) Benefits can take many forms, e.g., financial for commercial enterprises or public service for government entities.
Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests. By consequence, the governance system should consider all stakeholders when making benefit, risk and resource assessment decisions. For each decision, the following questions can and should be asked: For whom are the benefits? Who bears the risk? What resources are required?
Every enterprise operates in a different context; this context is determined by external factors (the market, the industry, geopolitics, etc.) and internal factors (the culture, organisation, risk appetite, etc.), and requires a customised governance and management system.
Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.
The COBIT 5 goals cascade is shown in figure 4.
Step 1. Stakeholder Drivers Influence Stakeholder Needs
Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and new technologies.
Step 2. Stakeholder Needs Cascade to Enterprise Goals
Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC) dimensions, and they represent a list of commonly used goals that an enterprise may define for itself. Although this list is not exhaustive, most enterprise-specific goals can be mapped easily onto one or more of the generic enterprise goals. A table of stakeholder needs and enterprise goals is presented in appendix D.
COBIT 5 defines 17 generic goals, as shown in figure 5, which includes the following information:
• The BSC dimension under which the enterprise goal fits
• Enterprise goals
• The relationship to the three main governance objectives—benefits realisation, risk optimisation and resource optimisation. (‘P’ stands for primary relationship and ‘S’ for secondary relationship, i.e., a less strong relationship.)
Step 3. Enterprise Goals Cascade to IT-related Goals
Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC). COBIT 5 defines 17 IT-related goals, listed in figure 6.
The mapping table between IT-related goals and enterprise goals is included in appendix B, and it shows how each enterprise goal is supported by a number of IT-related goals.
Step 4. IT-related Goals Cascade to Enabler Goals
Achieving IT-related goals requires the successful application and use of a number of enablers. The enabler concept is explained in detail in chapter 5. Enablers include processes, organisational structures and information, and for each enabler a set of specific relevant goals can be defined in support of the IT-related goals.
Processes are one of the enablers, and appendix C contains a mapping between IT-related goals and the relevant COBIT 5 processes, which then contain related process goals.
Using the COBIT 5 Goals Cascade
Benefits of the COBIT 5 Goals Cascade
The goals cascade is important because it allows the definition of priorities for implementation, improvement and assurance of governance of enterprise IT based on (strategic) objectives of the enterprise and the related risk. In practice, the goals cascade:
• Defines relevant and tangible goals and objectives at various levels of responsibility
• Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
• Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals
Using the COBIT 5 Goals Cascade Carefully
The goals cascade—with its mapping tables between enterprise goals and IT-related goals and between IT-related goals and COBIT 5 enablers (including processes)—does not contain the universal truth, and users should not attempt to use it in a purely mechanistic way, but rather as a guideline. There are various reasons for this, including:
• Every enterprise has different priorities in its goals, and priorities may change over time.
• The mapping tables do not distinguish between size and/or industry of the enterprise. They represent a sort of common denominator of how, in general, the different levels of goals are interrelated.
• The indicators used in the mapping use two levels of importance or relevance, suggesting that there are ‘discrete’ levels of relevance, whereas, in reality, the mapping will be close to a continuum of various degrees of correspondence.
Using the COBIT 5 Goals Cascade in Practice
From the previous disclaimer, it is obvious that the first step an enterprise should always apply when using the goals cascade is to customise the mapping, taking into account its specific situation. In other words, each enterprise should build its own goals cascade, compare it with COBIT and then refine it.
For example, the enterprise may wish to:
• Translate the strategic priorities into a specific ‘weight’ or importance for each of the enterprise goals.
• Validate the mappings of the goals cascade, taking into account its specific environment, industry, etc.
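As an added worked example (not ISACA's code; the goal identifiers and the mapping table are constructed placeholders standing in for the appendix B table), the two customisation steps above, weighting the enterprise goals and validating the generic ‘P’/‘S’ mapping against the enterprise's own situation, carried through a small cascade:

```python
"""Weighted pass through the COBIT 5 goals cascade: enterprise goals -> IT-related goals.

Added illustration, not ISACA's code. Goal ids and the mapping table below are
CONSTRUCTED placeholders; the real 17x17 table with its 'P'/'S' indicators is in
appendix B of COBIT 5.
"""
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

# enterprise goal -> {IT-related goal: 'P' (primary) or 'S' (secondary)}
Mapping = Dict[str, Dict[str, str]]

# Constructed stand-in for a slice of the appendix B table (placeholder ids, not COBIT's).
SAMPLE_MAPPING: Mapping = {
    "EG1": {"ITG1": "P", "ITG2": "S", "ITG4": "S"},
    "EG2": {"ITG2": "P", "ITG3": "P"},
    "EG3": {"ITG1": "S", "ITG3": "S", "ITG4": "P"},
}

# The two discrete relevance levels translated to scores. An enterprise may tune these,
# since real relevance is closer to a continuum than to two levels.
DEFAULT_SCORES: Dict[str, float] = {"P": 1.0, "S": 0.5}


def validate_mapping(mapping: Mapping, scores: Dict[str, float] = DEFAULT_SCORES) -> List[str]:
    """Return the problems found in a mapping table; an empty list means it is usable."""
    problems: List[str] = []
    for eg, links in mapping.items():
        if not links:
            problems.append(f"{eg}: not supported by any IT-related goal")
        for itg, level in links.items():
            if level not in scores:
                problems.append(f"{eg}->{itg}: unknown relevance indicator {level!r}")
    return problems


def cascade(
    weights: Dict[str, float],
    mapping: Mapping = SAMPLE_MAPPING,
    scores: Dict[str, float] = DEFAULT_SCORES,
    overrides: Optional[Dict[Tuple[str, str], str]] = None,
) -> List[Tuple[str, float]]:
    """Rank IT-related goals for one enterprise.

    weights   -- the enterprise's own importance ('weight') of each enterprise goal
    overrides -- (enterprise goal, IT-related goal) -> indicator, i.e. the enterprise's
                 validation of the generic mapping against its own environment
    Returns (IT-related goal, score) pairs, highest score first, ties broken by name.
    """
    table = deepcopy(mapping)
    for (eg, itg), level in (overrides or {}).items():
        table.setdefault(eg, {})[itg] = level
    problems = validate_mapping(table, scores)
    if problems:
        raise ValueError("; ".join(problems))
    unknown = set(weights) - set(table)
    if unknown:
        raise ValueError(f"weights given for unmapped enterprise goals: {sorted(unknown)}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")

    totals: Dict[str, float] = {}
    for eg, weight in weights.items():
        for itg, level in table[eg].items():
            totals[itg] = totals.get(itg, 0.0) + weight * scores[level]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed strategic priorities: EG1 matters most, EG3 least.
    priorities = {"EG1": 3.0, "EG2": 2.0, "EG3": 1.0}
    for itg, score in cascade(priorities):
        print(f"{itg}: {score:.1f}")
    # The same enterprise after judging EG3->ITG3 to be a primary link in its own context.
    for itg, score in cascade(priorities, overrides={("EG3", "ITG3"): "P"}):
        print(f"{itg}: {score:.1f}")
```

Changing one indicator or one weight reorders the ranking, which is the point of the caveats above: the generic table is a starting point, not a mechanical answer.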
Governance and Management Questions on IT
The fulfilment of stakeholder needs in any enterprise will—given the high dependency on IT—raise a number of questions on the governance and management of enterprise IT (figure 7).
How to Find an Answer to These Questions
All questions mentioned in figure 7 can be related to the enterprise goals, and serve as input to the goals cascade, upon which they can be addressed effectively. Appendix D contains an example mapping between the internal stakeholder questions mentioned in figure 7 and enterprise goals.
COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective. This means that COBIT 5:
• Integrates governance of enterprise IT into enterprise governance. That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system. COBIT 5 aligns with the latest views on governance.
• Covers all functions and processes required to govern and manage enterprise information and related technologies wherever that information may be processed. Given this extended enterprise scope, COBIT 5 addresses all the relevant internal and external IT services, as well as internal and external business processes.
COBIT 5 provides a holistic and systemic view on governance and management of enterprise IT (see principle 4), based on a number of enablers. The enablers are enterprisewide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that are relevant to governance and management of enterprise information and related IT, including the activities and responsibilities of both the IT functions and non-IT business functions.
Information is one of the COBIT enabler categories. The model by which COBIT 5 defines enablers allows every stakeholder to define extensive and complete requirements for information and the information processing life cycle, thus connecting the business and its need for adequate information and the IT function, and supporting the business and context focus.
Governance Approach
The end-to-end governance approach that is at the foundation of COBIT 5 is depicted in figure 8, showing the key components of a governance system.
In addition to the governance objective, the other main elements of the governance approach include enablers; scope; and roles, activities, and relationships.
Governance Enablers
Governance enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, through or towards which action is directed and objectives can be attained. Enablers also include the enterprise’s resources—e.g., service capabilities (IT infrastructure, applications, etc.), people and information. A lack of resources or enablers may affect the ability of the enterprise to create value.
Given the importance of governance enablers, COBIT 5 includes a single way of looking at and dealing with enablers (see chapter 5).
Governance Scope
Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well. The scope of COBIT 5 is the enterprise—but in essence COBIT 5 can deal with any of the different views.
Roles, Activities and Relationships
A last element is governance roles, activities and relationships. It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system. In COBIT 5, clear differentiation is made between governance and management activities in the governance and management domains, as well as the interfacing between them and the role players that are involved. Figure 9 details the lower part of figure 8, listing the interactions between the different roles.
Chapter 4 Principle 3: Applying a Single, Integrated Framework
COBIT 5 is a single and integrated framework because:
• It aligns with the latest relevant standards and frameworks, and thus allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• It is complete in enterprise coverage, providing a basis to effectively integrate other frameworks, standards and practices used. A single overarching framework serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language.
• It provides a simple architecture for structuring guidance materials and producing a consistent product set.
• It integrates all knowledge previously dispersed over different ISACA frameworks. ISACA has researched the key area of enterprise governance for many years and has developed frameworks such as COBIT, Val IT, Risk IT, BMIS, the publication Board Briefing on IT Governance, and ITAF to provide guidance and assistance to enterprises.
COBIT 5 integrates all of this knowledge.
COBIT 5 Framework Integrator
Figure 10 provides a graphical description of how COBIT 5 achieves its role of an aligned and integrated framework.
The COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance (see figure 11) on governance and management of enterprise IT by:
• Researching and using a set of sources that have driven the new content development, including:
– Bringing together the existing ISACA guidance (COBIT 4.1, Val IT 2.0, Risk IT, BMIS) into this single framework
– Complementing this content with areas needing further elaboration and updates
– Aligning to other relevant standards and frameworks, such as ITIL, TOGAF and ISO standards. A full list of references can be found in appendix A.
• Defining a set of governance and management enablers, which provide a structure for all guidance materials
• Populating a COBIT 5 knowledge base that contains all guidance and content produced now and will provide a structure for additional future content
• Providing a sound and comprehensive reference base of good practices
Chapter 5 Principle 4: Enabling a Holistic Approach
COBIT 5 Enablers
Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
The COBIT 5 framework describes seven categories of enablers (figure 12):
• Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
• Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
• Organisational structures are the key decision-making entities in an enterprise.
• Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
• Information is pervasive throughout any organisation and includes all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
• People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Figure 12—COBIT 5 En
Some of the enablers defined previously are also enterprise resources that need to be managed and governed as well. This applies to:
• Information, which needs to be managed as a resource. Some information, such as management reports and business intelligence information, is an important enabler for the governance and management of the enterprise.
• Services, infrastructure and applications
• People, skills and competencies
Systemic Governance and Management Through Interconnected Enablers
Figure 12 also conveys the mindset that should be adopted for enterprise governance, including governance of IT, which is to achieve the main objectives of the enterprise. Any enterprise must always consider an interconnected set of enablers. That is, each enabler:
• Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour.
• Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient.
So when dealing with governance and management of enterprise IT, good decisions can be taken only when this systemic nature of governance and management arrangements is taken into account. This means that to deal with any stakeholder need, all interrelated enablers have to be analysed for relevance and addressed if required. This mindset has to be driven by the top of the enterprise, as illustrated by the following examples.
EXAMPLE 3—GOVERNANCE AND MANAGEMENT OF ENTERPRISE IT
Providing operational IT services to all users requires service capabilities (infrastructure, application), for which people with the appropriate skill set and behaviour are required. A number of service delivery processes need to be implemented as well, supported by the appropriate organisational structures, showing how all enablers are required for successful service delivery.
EXAMPLE 4—GOVERNANCE AND MANAGEMENT OF ENTERPRISE IT
The need for information security requires a number of policies and procedures to be created and put in place. These policies, in turn, require a number of security-related practices to be implemented. However, if the enterprise’s and personnel’s culture and ethics are not appropriate, information security processes and procedures will not be effective.
COBIT 5 Enabler Dimensions
All enablers have a set of common dimensions. This set of common dimensions (figure 13):
• Provides a common, simple and structured way to deal with enablers
• Allows an entity to manage its complex interactions
• Facilitates successful outcomes of the enablers
Enabler Dimensions
The four common dimensions for enablers are:
• Stakeholders—Each enabler has stakeholders (parties who play an active role and/or have an interest in the enabler). For example, processes have different parties who execute process activities and/or who have an interest in the process outcomes; organisational structures have stakeholders, each with his/her own roles and interests, that are part of the structures. Stakeholders can be internal or external to the enterprise, all having their own, sometimes conflicting, interests and needs. Stakeholders’ needs translate to enterprise goals, which in turn translate to IT-related goals for the enterprise. A list of stakeholders is shown in figure 7.
• Goals—Each enabler has a number of goals, and enablers provide value by the achievement of these goals. Goals can be defined in terms of:
– Expected outcomes of the enabler
– Application or operation of the enabler itself
The enabler goals are the final step in the COBIT 5 goals cascade. Goals can be further split up in different categories:
– Intrinsic quality—The extent to which enablers work accurately, objectively and provide accurate, objective and reputable results
– Contextual quality—The extent to which enablers and their outcomes are fit for purpose given the context in which they operate. For example, outcomes should be relevant, complete, current, appropriate, consistent, understandable and easy to use.
– Access and security—The extent to which enablers and their outcomes are accessible and secured, such as:
• Enablers are available when, and if, needed.
• Outcomes are secured, i.e., access is restricted to those entitled and needing it.
• Life cycle—Each enabler has a life cycle, from inception through an operational/useful life until disposal. This applies to information, structures, processes, policies, etc. The phases of the life cycle consist of:
– Plan (includes concepts development and concepts selection)
– Design
– Build/acquire/create/implement
– Use/operate
– Evaluate/monitor
– Update/dispose
• Good practices—For each of the enablers, good practices can be defined. Good practices support the achievement of the enabler goals and provide examples or suggestions on how best to implement the enabler, and what work products or inputs and outputs are required. COBIT 5 itself provides examples of good practices for some enablers (e.g., processes); for other enablers, guidance from other standards, frameworks, etc., can be used.
Enabler Performance Management
Enterprises expect positive outcomes from the application and use of enablers. To manage the performance of the enablers, the following questions have to be monitored and answered, based on metrics, on a regular basis:
• Are stakeholder needs addressed?
• Are enabler goals achieved?
• Is the enabler life cycle managed?
• Are good practices applied?
The first two bullets deal with the actual outcome of the enabler. The metrics used to measure to what extent the goals are achieved can be called ‘lag indicators’.
The last two bullets deal with the actual functioning of the enabler itself, and metrics for this can be called ‘lead indicators’.
In appendix G, the seven categories of enablers are discussed in more detail. Reading this appendix is recommended for better understanding the enablers and how powerful they can be in organising governance and management of enterprise IT.
Chapter 6
Principle 5: Separating Governance From Management
Governance and Management
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
The COBIT 5 view on this key distinction between governance and management is:
• Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Interactions Between Governance and Management
From the definitions of governance and management, it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance—to evaluate, direct and monitor—a set of interactions is required between governance and management to result in an efficient and effective governance system. These interactions, using the enabler structure, are shown at a high level in figure 14.
COBIT 5 Process Reference Model
COBIT 5 is not prescriptive, but it advocates that enterprises implement governance and management processes such that the key areas are covered, as shown in figure 15.
Figure 15—COBIT 5
An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
COBIT 5 includes a process reference model, which defines and describes in detail a number of governance and management processes. It represents all of the processes normally found in an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account its specific situation.
Incorporating an operational model and a common language for all parts of the enterprise involved in IT activities is one of the most important and critical steps towards good governance. It also provides a framework for measuring and monitoring IT performance, providing IT assurance, communicating with service providers, and integrating best management practices.
The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:
• Governance—Contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• Management—Contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), and provides end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure. The names of the domains are chosen in line with these main area designations, but contain more verbs to describe them:
– Align, Plan and Organise (APO)
– Build, Acquire and Implement (BAI)
– Deliver, Service and Support (DSS)
– Monitor, Evaluate and Assess (MEA)
Chapter 7
Implementation Guidance
Introduction
Optimal value can be realised from leveraging COBIT only if it is effectively adopted and adapted to suit each enterprise’s unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behaviour.
ISACA provides practical and extensive implementation guidance in its publication COBIT 5 Implementation, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation tool kit containing a variety of resources that will be continually enhanced. Its content includes:
• Self-assessment, measurement and diagnostic tools
• Presentations aimed at various audiences
• Related articles and further explanations
The purpose of this chapter is to introduce the implementation and continual improvement life cycle at a high level and to highlight a number of important topics from COBIT 5 Implementation such as:
• Making a business case for the implementation and improvement of the governance and management of IT
• Recognising typical pain points and trigger events
• Creating the appropriate environment for implementation
• Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, organisational structures, and roles and responsibilities
Considering the Enterprise Context
The governance and management of enterprise IT do not occur in a vacuum. Every enterprise needs to design its own implementation plan or road map, depending on factors in the enterprise’s specific internal and external environment such as the enterprise’s:
• Ethics and culture
• Applicable laws, regulations and policies
• Mission, vision and values
• Governance policies and practices
• Business plan and strategic intentions
• Operating model and level of maturity
• Management style
• Risk appetite
• Capabilities and available resources
• Industry practices
It is equally important to leverage and build on existing enterprise governance enablers.
The optimal approach for the governance and management of enterprise IT will be different for every enterprise, and the context needs to be understood and considered to adopt and adapt COBIT effectively in the implementation of governance and management of enterprise IT enablers. COBIT is often underpinned with other frameworks, good practices and standards, and these, too, need to be adapted to suit specific requirements.
Key success factors for successful implementation include:
• Top management providing the direction and mandate for the initiative, as well as visible ongoing commitment and support
• All parties supporting the governance and management processes to understand the business and IT objectives
• Ensuring effective communication and enablement of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise
• Focussing on quick wins and prioritising the most beneficial improvements that are easiest to implement
Creating the Appropriate Environment
It is important for implementation initiatives leveraging COBIT to be properly governed and adequately managed. Major IT-related initiatives often fail due to inadequate direction, support and oversight by the various required stakeholders, and the implementation of governance or management of IT enablers leveraging COBIT is no different. Support and direction from key stakeholders are critical so that improvements are adopted and sustained. In a weak enterprise environment (such as an unclear overall business operating model or lack of enterprise-level governance enablers), this support and participation are even more important.
Enablers leveraging COBIT should provide a solution addressing real business needs and issues rather than serving as ends in themselves. Requirements based on current pain points and drivers should be identified and accepted by management as areas that need to be addressed. High-level health checks, diagnostics or capability assessments based on COBIT are excellent tools to raise awareness, create consensus and generate a commitment to act. The commitment and buy-in of the relevant stakeholders need to be solicited from the beginning. To achieve this, implementation objectives and benefits need to be clearly expressed in business terms and summarised in a business case outline.
Once commitment has been obtained, adequate resources need to be provided to support the programme. Key programme roles and responsibilities should be defined and assigned. Care should be taken on an ongoing basis to maintain commitment from all affected stakeholders.
Appropriate structures and processes for oversight and direction should be established and maintained. These structures and processes should also ensure ongoing alignment with enterprisewide governance and risk management approaches.
Visible support and commitment should be provided by key stakeholders such as the board and executives to set the ‘tone at the top’ and ensure commitment for the programme at all levels.
Recognising Pain Points and Trigger Events
There are a number of factors that may indicate a need for improved governance and management of enterprise IT.
By using pain points or trigger events as the launching point for implementation initiatives, the business case for governance or management of enterprise IT improvement can be related to practical, everyday issues being experienced.
This will improve buy-in and create the sense of urgency within the enterprise that is necessary to kick off the implementation. In addition, quick wins can be identified and value-add can be demonstrated in those areas that are the most visible or recognisable in the enterprise. This provides a platform for introducing further changes and can assist in gaining widespread senior management commitment and support for more pervasive changes.
Examples of some of the typical pain points for which new or revised governance or management of IT enablers can be a solution (or part of a solution), as identified in COBIT 5 Implementation, are:
• Business frustration with failed initiatives, rising IT costs and a perception of low business value
• Significant incidents related to IT risk, such as data loss or project failure
• Outsourcing service delivery problems, such as consistent failure to meet agreed-on service levels
• Failure to meet regulatory or contractual requirements
• IT limiting the enterprise’s innovation capabilities and business agility
• Regular audit findings about poor IT performance or reported IT quality of service problems
• Hidden and rogue IT spending
• Duplication or overlap between initiatives or wasting resources, such as premature project termination
• Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
• IT-enabled changes failing to meet business needs and delivered late or over budget
• Board members, executives or senior managers who are reluctant to engage with IT, or a lack of committed and satisfied business sponsors for IT
• Complex IT operating models
In addition to these pain points, other events in the enterprise’s internal and external environment can signal or trigger a focus on the governance and management of IT. Examples from chapter 3 in the COBIT 5 Implementation publication are:
• Merger, acquisition or divestiture
• A shift in the market, economy or competitive position
• A change in the business operating model or sourcing arrangements
• New regulatory or compliance requirements
• A significant technology change or paradigm shift
• An enterprisewide governance focus or project
• A new CEO, CFO, CIO, etc.
• External audit or consultant assessments
• A new business strategy or priority
Enabling Change
Successful implementation depends on implementing the appropriate change (the appropriate governance or management enablers) in the appropriate way. In many enterprises, there is a significant focus on the first aspect—core governance or management of IT—but not enough emphasis on managing the human, behavioural and cultural aspects of the change and motivating stakeholders to buy into the change.
It should not be assumed that the various stakeholders involved in, or impacted by, new or revised enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance to change needs to be addressed through a structured and proactive approach. Also, optimal awareness of the implementation programme should be achieved through a communication plan that defines what will be communicated, in what way and by whom, throughout the various phases of the programme.
Sustainable improvement can be achieved either by gaining the commitment of the stakeholders (investment in winning hearts and minds, the leaders’ time, and in communicating and responding to the workforce) or, where still required, by enforcing compliance (investment in processes to administer, monitor and enforce). In other words, human, behavioural and cultural barriers need to be overcome so that there is a common interest to properly adopt change, instil a will to adopt change, and to ensure the ability to adopt change.
A Life Cycle Approach
The implementation life cycle provides a way for enterprises to use COBIT to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are the:
1. Core continual improvement life cycle—This is not a one-off project.
2. Enablement of change—Addressing the behavioural and cultural aspects
3. Management of the programme
As discussed previously, the appropriate environment needs to be created to ensure the success of the implementation or improvement initiative. The life cycle and its seven phases are illustrated in figure 17.
Phase 1 starts with recognising and agreeing to the need for an implementation or improvement initiative. It identifies the current pain points and triggers and creates a desire to change at executive management levels.
Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment. Large-scale initiatives should be structured as multiple iterations of the life cycle—for any implementation initiative exceeding six months there is a risk of losing momentum, focus and buy-in from stakeholders.
During phase 3, an improvement target is set, followed by a more detailed analysis leveraging COBIT’s guidance to identify gaps and potential solutions. Some solutions may be quick wins and others more challenging and longer-term activities. Priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.
Phase 4 plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed. A well-developed business case helps to ensure that the project’s benefits are identified and monitored.
The proposed solutions are implemented into day-to-day practices in phase 5. Measures can be defined and monitoring established, using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured. Success requires the engagement and demonstrated commitment of top management as well as ownership by the affected business and IT stakeholders.
Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.
During phase 7, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise IT are identified, and the need for continual improvement is reinforced.
Over time, the life cycle should be followed iteratively while building a sustainable approach to the governance and management of enterprise IT.
Getting Started: Making the Business Case
To ensure the success of implementation initiatives leveraging COBIT, the need to act should be widely recognised and communicated within the enterprise. This can be in the form of a ‘wake-up call’ (where specific pain points are being experienced, as discussed previously) or an expression of the improvement opportunity to be pursued and, very important, the benefits that will be realised. An appropriate level of urgency needs to be instilled and the key stakeholders should be aware of the risk of not taking action as well as the benefits of undertaking the programme.
The initiative should be owned by a sponsor, involve all key stakeholders and be based on a business case. Initially, this can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities. The business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:
• The business benefits targeted, their alignment with business strategy and the associated benefit owners (who in the business will be responsible for securing them). This could be based on pain points and trigger events.
• The business changes needed to create the envisioned value. This could be based on health checks and capability gap analyses and should clearly state both what is in scope and what is out of scope.
• The investments needed to make the governance and management of enterprise IT changes (based on estimates of projects required)
• The ongoing IT and business costs
• The expected benefits of operating in the changed way
• The risk inherent in the previous bullets, including any constraints or dependencies (based on challenges and success factors)
• Roles, responsibilities and accountabilities related to the initiative
• How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and metrics)
The business case is not a one-time static document, but a dynamic operational tool that must be continually updated to reflect the current view of the future so that a view of the viability of the programme can be maintained.
It can be difficult to quantify the benefits of implementation or improvement initiatives, and care should be taken to commit only to benefits that are realistic and achievable. Studies conducted across a number of enterprises could provide useful information on benefits that have been achieved.
Chapter 8
The COBIT 5 Process Capability Model
Introduction
Users of COBIT 4.1, Risk IT and Val IT are familiar with the process maturity models included in those frameworks. These models are used to measure the current or ‘as-is’ maturity of an enterprise’s IT-related processes, to define a required ‘to-be’ state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level.
The COBIT 5 product set includes a process capability model, based on the internationally recognised ISO/IEC 15504 Software Engineering—Process Assessment standard. This model will achieve the same overall objectives of process assessment and process improvement support, i.e., it will provide a means to measure the performance of any of the governance (EDM-based) processes or management (PBRM-based) processes, and will allow areas for improvement to be identified.
However, the new model is different from the COBIT 4.1 maturity model in its design and use, and for that reason, the following topics are discussed:
• Differences between the COBIT 5 and the COBIT 4.1 models
• Benefits of the COBIT 5 model
• Summary of the differences that COBIT 5 users will encounter in practice
• Performing a COBIT 5 capability assessment
Details of the COBIT 5 capability assessment approach are contained in the ISACA publication COBIT Process Assessment Model (PAM): Using COBIT 4.1.
Although this approach provides valuable information about the state of processes, processes are just one of the seven governance and management enablers. Consequently, process assessments will not provide the full picture of the state of governance of an enterprise; for that, the other enablers need to be assessed as well.
Differences Between the COBIT 4.1 Maturity Model and the COBIT 5 Process Capability Model
The elements of the COBIT 4.1 maturity model approach are shown in figure 18.
Using the COBIT 4.1 maturity model for process improvement purposes—assessing a process maturity, defining a target maturity level and identifying the gaps—required using the following COBIT 4.1 components:
• First, an assessment needed to be made whether control objectives for the process were met.
• Next, the maturity model included in the management guideline for each process could be used to obtain a maturity profile of the process.
• In addition, the generic maturity model in COBIT 4.1 provided six distinct attributes that were applicable for each process and that assisted in obtaining a more detailed view on the processes’ maturity level.
• Process controls are generic control objectives—they also needed to be reviewed when a process assessment was made. Process controls partially overlap with the generic maturity model attributes.
The COBIT 5 process capability approach can be summarised as shown in figure 19.
There are six levels of capability that a process can achieve, including an ‘incomplete process’ designation if the practices in it do not achieve the intended purpose of the process:
• 0 Incomplete process—The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
• 1 Performed process (one attribute)—The implemented process achieves its process purpose.
• 2 Managed process (two attributes)—The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
• 3 Established process (two attributes)—The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
• 4 Predictable process (two attributes)—The previously described established process now operates within defined limits to achieve its process outcomes.
• 5 Optimising process (two attributes)—The previously described predictable process is continuously improved to meet relevant current and projected business goals.
Each capability level can be achieved only when the level below has been fully achieved. For example, a process capability level 3 (established process) requires the process definition and process deployment attributes to be largely achieved, on top of full achievement of the attributes for a process capability level 2 (managed process).
There is a significant distinction between process capability level 1 and the higher capability levels. Process capability level 1 achievement requires the process performance attribute to be largely achieved, which means that the process is being successfully performed and the required outcomes are obtained by the enterprise. The higher capability levels then add further attributes on top of this. In this assessment scheme, achieving capability level 1, even on a scale to 5, is already an important achievement for an enterprise. Note that each enterprise shall choose its own target or desired level, based on cost-benefit and feasibility considerations, and that target will very seldom be one of the highest levels.
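The level rule stated in the two paragraphs above (the attributes of the target level must be at least largely achieved, and the attributes of every level below it fully achieved) is mechanical enough to encode, and doing so makes the "scores will be lower" effect discussed later in this chapter concrete. The following Python is an added example, not part of the COBIT 5 text or of any ISACA assessment tool; it assumes the nine ISO/IEC 15504-2 process attributes (PA1.1 to PA5.2) and that standard's N/P/L/F percentage bands, and the sample percentages are constructed for illustration.

```python
"""Derive an ISO/IEC 15504-style process capability level from attribute ratings.

Added example (not ISACA code). Assumes the nine ISO/IEC 15504-2 process
attributes and the standard's N/P/L/F rating bands.
"""
from __future__ import annotations

# The nine process attributes, grouped by the capability level they belong to:
# one attribute at level 1 and two at each of levels 2 to 5.
ATTRIBUTES_BY_LEVEL: dict[int, tuple[str, ...]] = {
    1: ("PA1.1",),           # process performance
    2: ("PA2.1", "PA2.2"),   # performance management, work product management
    3: ("PA3.1", "PA3.2"),   # process definition, process deployment
    4: ("PA4.1", "PA4.2"),   # process measurement, process control
    5: ("PA5.1", "PA5.2"),   # process innovation, process optimisation
}

# ISO/IEC 15504-2 achievement bands (upper bound inclusive, in percent).
RATING_BANDS: tuple[tuple[str, int], ...] = (
    ("N", 15),    # Not achieved:       0 to 15%
    ("P", 50),    # Partially achieved: >15 to 50%
    ("L", 85),    # Largely achieved:   >50 to 85%
    ("F", 100),   # Fully achieved:     >85 to 100%
)
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(percent: float) -> str:
    """Map an achievement percentage onto the N/P/L/F scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    for label, upper in RATING_BANDS:
        if percent <= upper:
            return label
    raise AssertionError("unreachable")


def capability_level(ratings: dict[str, str]) -> int:
    """Highest level n such that all attributes below n are F and all at n are L or F.

    Missing attributes count as not achieved. Level 0 is returned when the
    process performance attribute (PA1.1) is not at least largely achieved,
    whatever the higher-level attributes say.
    """
    achieved = 0
    for level in range(1, 6):
        own = ATTRIBUTES_BY_LEVEL[level]
        if not all(ratings.get(a, "N") in ("L", "F") for a in own):
            break
        achieved = level
        # To climb past this level, its own attributes must be fully achieved.
        if not all(ratings.get(a) == "F" for a in own):
            break
    return achieved


def gap_to(ratings: dict[str, str], target: int) -> dict[str, tuple[str, str]]:
    """Attributes that fall short of a target level, as {attribute: (current, required)}."""
    if not 0 <= target <= 5:
        raise ValueError(f"target level must be 0..5, got {target}")
    gaps: dict[str, tuple[str, str]] = {}
    for level in range(1, target + 1):
        required = "F" if level < target else "L"
        for attr in ATTRIBUTES_BY_LEVEL[level]:
            current = ratings.get(attr, "N")
            if RANK[current] < RANK[required]:
                gaps[attr] = (current, required)
    return gaps


def assess(percentages: dict[str, float]) -> tuple[int, dict[str, str]]:
    """Rate each attribute from its achievement percentage and derive the level."""
    ratings = {attr: rate(pct) for attr, pct in percentages.items()}
    return capability_level(ratings), ratings


# Constructed sample: one process whose outcomes are nearly all delivered
# (PA1.1), that is managed only partly (PA2.x), and that has no defined process.
SAMPLE_PERCENTAGES = {"PA1.1": 92, "PA2.1": 70, "PA2.2": 60, "PA3.1": 40, "PA3.2": 10}

if __name__ == "__main__":
    level, ratings = assess(SAMPLE_PERCENTAGES)
    print("ratings:", ratings)
    print("capability level:", level)
    print("gap to level 3:", gap_to(ratings, 3))
```

Note how a process that is planned and monitored but only partially achieves its purpose (PA1.1 rated P) comes out at level 0: the higher-level attributes are never consulted until the performance attribute is at least largely achieved. That is the design point behind the lower scores users see when moving from the COBIT 4.1 maturity model to this scheme.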
The most important differences between an ISO/IEC 15504-based process capability assessment and the current COBIT 4.1 maturity model (and the similar Val IT and Risk IT domain-based maturity models) can be summarised as follows:
• The naming and meaning of the ISO/IEC 15504-defined capability levels are quite different from the current COBIT 4.1 maturity levels for processes.
• In ISO/IEC 15504, capability levels are defined by a set of nine process attributes. These attributes cover some ground covered by the current COBIT 4.1 maturity attributes and/or process controls, but only to a certain extent and in a different way.
Requirements for an ISO/IEC 15504-2-compliant process reference model prescribe that in the description of any process that will be assessed, i.e., any COBIT 5 governance and/or management process:
• The process is described in terms of its purpose and outcomes.
• The process description shall not contain any aspects of the measurement framework beyond level 1, which means that any characteristic of a process attribute beyond level 1 cannot appear inside a process description. Whether a process is measured and monitored, or whether it is formally described, etc., cannot be part of a process description or any of the management practices/activities underneath. This means that the process descriptions—as included in COBIT 5: Enabling Processes—contain only the necessary steps to achieve the actual process purpose and goals.
• Following from the previous bullets, the common attributes applicable to all enterprise processes, which produced duplicative control objectives in the COBIT 3rd Edition publication and were grouped into the process control (PC) objectives in COBIT 4.1, are now defined in levels 2 to 5 of the assessment model.
Differences in Practice
From the previous descriptions, it is clear that there are some practical differences associated with the change in process assessment models. Users need to be aware of these changes and be prepared to take them into account in their action plans.
The main changes to be considered include:
• Although it is tempting to compare assessment results between COBIT 4.1 and COBIT 5 because of apparent similarities to the number scales and words used to describe them, such a comparison is difficult because of the differences in scope, focus and intent, as illustrated in figure 20.
• In general, scores will be lower with the COBIT 5 process capability model, as shown in figure 20. In the COBIT 4.1 maturity model, a process could achieve a level 1 or 2 without fully achieving all the process's objectives; in the COBIT 5 process capability model, this will result in a lower score of 0 or 1.
The COBIT 4.1 and COBIT 5 capability scales can be considered to ‘map’ approximately as shown in figure 20.
• There is no longer a specific maturity model per process included with the detailed process contents in COBIT 5 because the ISO/IEC 15504 process capability assessment approach does not require this and even prohibits this approach. Instead, the approach defines the information required in the 'process reference model' (the process model to be used for the assessment):
– Process description, with the purpose statements
– Base practices, which are the equivalent of process governance or management practices in COBIT 5 terms
– Work products, which are the equivalent of the inputs and outputs in COBIT 5 terms
• The COBIT 4.1 maturity model produced a maturity profile of an enterprise. The main purpose of this profile was to identify in which dimensions or for which attributes there were specific weaknesses that needed improvement. This approach was used by enterprises when there was an improvement focus rather than a need to obtain one maturity number for reporting purposes. In COBIT 5 the assessment model provides a measurement scale for each capability attribute and guidance on how to apply it, so for each process an assessment can be made for each of the nine capability attributes.
• The maturity attributes in COBIT 4.1 and the COBIT 5 process capability attributes are not identical. They overlap/map to a certain extent, as shown in figure 21. Enterprises having used the maturity model attributes approach in COBIT 4.1 can reuse their existing assessment data and reclassify them under the COBIT 5 attribute assessments based on figure 21.
Benefits of the Changes
The benefits of the COBIT 5 process capability model, compared to the COBIT 4.1 maturity models, include:
• Improved focus on the process being performed, to confirm that it is actually achieving its purpose and delivering its required outcomes as expected.
• Simplified content through elimination of duplication, because the COBIT 4.1 maturity model assessment required the use of a number of specific components, including the generic maturity model, process maturity models, control objectives and process controls to support process assessment.
• Improved reliability and repeatability of process capability assessment activities and evaluations, reducing debates and disagreements between stakeholders on assessment results.
• Increased usability of process capability assessment results, because the new model establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes.
• Compliance with a generally accepted process assessment standard and therefore strong support for the process assessment approach in the market.
Performing Process Capability Assessments in COBIT 5
The ISO/IEC 15504 standard specifies that process capability assessments can be performed for various purposes and with varying degrees of rigour. Purposes can be internal, with a focus on comparisons between enterprise areas and/or process improvement for internal benefit, or they can be external, with a focus on formal assessment, reporting and certification.
The COBIT 5 ISO/IEC 15504-based assessment approach continues to serve the following objectives, which have been a key part of the COBIT approach since 2000:
• Enable the governance body and management to benchmark process capability.
• Enable high-level ‘as-is’ and ‘to-be’ health checks to support the governance body and management investment decision making with regard to process improvement.
• Provide gap analysis and improvement planning information to support definition of justifiable improvement projects.
• Provide the governance body and management with assessment ratings to measure and monitor current capabilities.
This section describes how a high-level assessment can be performed with the COBIT 5 process capability model to achieve these objectives.
The assessment distinguishes between assessing capability level 1 and the higher levels. Indeed, as described previously, process capability level 1 describes whether a process achieves its intended purpose, and is therefore a very important level to achieve—as well as foundational in enabling higher capability levels to be reached.
Assessing whether the process achieves its goals—or, in other words, achieves capability level 1—can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what degree each objective is achieved. This scale consists of the following ratings:
• N (Not achieved)—There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
• P (Partially achieved)—There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
• L (Largely achieved)—There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
• F (Fully achieved)—There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products also may be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.
Although defining target capability levels is up to each enterprise to decide, many enterprises will have the ambition to have all their processes achieve capability level 1. (Otherwise, what would be the point of having these processes?) If this level is not achieved, the reasons for not achieving this level are immediately obvious from the approach explained above, and an improvement plan can be defined:
1. If a required process outcome is not consistently achieved, the process does not meet its objective and needs to be improved.
2. The assessment of the process practices will reveal which practices are lacking or failing, enabling implementation and/or improvement of those practices to take place and allowing all process outcomes to be achieved.
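The level 1 assessment and gap analysis described above, as an added example that is not part of the COBIT 5 text: a small helper that applies the N/P/L/F rating scale to constructed outcome and practice evidence and derives the two improvement-plan items. The process id, outcome and practice names are hypothetical, and the rule that an outcome counts as consistently achieved when it rates L or F is an assumption.

```python
# Added example, not COBIT 5 or ISACA code. Applies the ISO/IEC 15504 rating
# scale quoted in the text to a capability level 1 assessment.
from dataclasses import dataclass

# Percentage bands from the text. Assumption: each band is closed at its upper
# bound, so exactly 15% rates N and 15.1% rates P.
RATING_BANDS = (("N", 15), ("P", 50), ("L", 85), ("F", 100))


def rate(percent: float) -> str:
    """Map an achievement percentage (0-100) to the rating N, P, L or F."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0-100, got {percent}")
    return next(r for r, upper in RATING_BANDS if percent <= upper)


@dataclass
class Level1Assessment:
    process: str                 # hypothetical process identifier
    outcomes: dict              # outcome -> % achievement evidence (step 1)
    practices: dict             # practice -> % to which it is applied (step 2)

    def outcome_ratings(self) -> dict:
        return {name: rate(p) for name, p in self.outcomes.items()}

    def practice_ratings(self) -> dict:
        return {name: rate(p) for name, p in self.practices.items()}

    def achieves_level_1(self) -> bool:
        # Assumption: an outcome is consistently achieved when it rates L or F;
        # level 1 requires every process outcome to reach that.
        return all(r in ("L", "F") for r in self.outcome_ratings().values())

    def improvement_plan(self) -> list:
        """Gap analysis: the two improvement steps from the text."""
        plan = []
        for outcome, r in self.outcome_ratings().items():
            if r not in ("L", "F"):
                plan.append(f"outcome '{outcome}' rated {r}: not consistently "
                            "achieved, the process needs improvement")
        for practice, r in self.practice_ratings().items():
            if r not in ("L", "F"):
                plan.append(f"practice '{practice}' rated {r}: lacking or "
                            "failing, implement or improve it")
        return plan


# Constructed sample evidence; not taken from any COBIT 5 process description.
SAMPLE = Level1Assessment(
    process="EXAMPLE-01",
    outcomes={"O1 policy defined": 90.0, "O2 incidents tracked": 40.0},
    practices={"P1 define policy": 95.0, "P2 log incidents": 15.0},
)
```

Running `SAMPLE.improvement_plan()` lists the one outcome (rated P) and the one practice (rated N) that keep the sample process below capability level 1.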
For higher process capability levels, the generic practices are used, taken from ISO/IEC 15504-2. They provide generic descriptions for each of the capability levels.