The final entry in CA’s series on project management best practices is an overview of the Control Objectives for Information and Related Technology (COBIT) methodology. Where both PMBOK and PRINCE2 are more project-intensive, COBIT takes a top-down approach for managers and auditors to ensure governance over key issues such as Sarbanes-Oxley compliance.
The newest of the key project-related methodologies, COBIT, was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996 for IT governance and control. Four editions have been published since November 2005. The most recent incremental release, 4.1, includes streamlined control objectives and application controls, improved process controls and an enhanced explanation of performance management.
As a pivotal set of methodologies for ensuring Sarbanes-Oxley Act compliance, COBIT has been rapidly adopted by managers and auditors across major organizations. While adoption of COBIT is global, the principal marketplaces have been the
COBIT outlines 34 high-level objectives that cover multiple sub-objectives across four domains:
Planning and Organization – Defining the strategic IT plan and information architecture; determining the technology direction; defining the processes, organization and relationships; managing the investment; communicating the direction; managing human resources; and managing risk issues and projects.
Acquisition and Implementation – Identifying and acquiring solutions, software and technology; enabling operation and use; procuring resources; managing changes and accrediting the solutions and changes to them.
Delivery and Support – Defining and managing service levels, third-party services, and performance and capacity; ensuring continuous service and security; identifying and allocating costs; managing the service desk and incidents; managing problems, data, configurations, and the physical environment and operations.
Monitoring and Evaluation – Monitoring and evaluating performance and internal control; ensuring regulatory compliance; and providing IT governance.
The framework focuses on what needs to be done, rather than providing prescriptive guidelines on how to achieve objectives. For example, as part of planning and organization, COBIT recommends the implementation of a project management framework and supporting structures. Typically, this leads to the set-up of a PMO and the adoption of a project management methodology such as PMBOK or PRINCE2.
COBIT provides a framework that maps directly to the core IT governance focus areas of strategic alignment, value delivery, resource management, risk management and performance measurement.
By following a business-driven implementation approach, effective IT governance becomes part of the organization’s DNA.
While the need for good IT governance is generally acknowledged, the implementation of frameworks such as COBIT is frequently seen as “something we feel we ought to do,” with no real perspective on the value delivered to the organization. The keys to a successful implementation are focusing on the business drivers and results the organization is seeking, and recognizing that “zero to hero” may be a journey of many small steps rather than a single leap of faith. Changes to processes will potentially drive organizational and cultural change, so the implementation needs to be managed holistically.
A pragmatic approach to delivery involves two main groups of activity: the first is an assessment, and the second is the actual implementation.
A good assessment approach involves the following:
· Establishment/review of business drivers
· Mapping of business drivers against process areas to identify relative importance to the business
· Capability assessment of the process areas to establish current position
· Comparison with relative importance to set priorities and establish gaps
· Formulation of a high-level solution (this will involve the definition of activity goals, control objectives and audit guidelines)
· Assessment of the impact on the business, which addresses the expected level of cultural change and resistance that is likely to be encountered
· Creation of the roadmap that balances priorities against the ROI (financial and other benefits) that would be expected to accrue (this is likely to be defined as a program involving multiple work streams)