The purpose of COBIT performance management (CPM) is to evaluate how well the governance and management system and all the components of an enterprise work, and how they can be improved to achieve target levels of process and practice capability and maturity. CPM concepts and methods align to and extend CMMI V2.0 capability and maturity levels.1 The results of a CPM assessment not only indicate current process and focus area capability and maturity; CPM can also be used to improve relevant governance and management components over time, deliver increased value to the business, measure the achievement of current vs. projected business goals, enhance benchmarking and consistent reporting, and adhere to the required organizational compliance. Applying the CPM properly can seem like a very daunting prospect at first; however, practitioners will find that it becomes much more intuitive and manageable when the process is broken down into several high-level activities.
1. Conduct COBIT 2019 Awareness Sessions With Identified Stakeholders
Conducting awareness and training sessions2 helps to ensure an adequate level of participation during the assessment from all identified stakeholders whose participation is critical for successful completion of all assessment activities and for making sound decisions and taking corrective actions.
Understanding both the business and IT contexts is important to scope the assessment properly. These contexts will help to surface current priorities and pain points from the perspective of relevant teams, as the success of any enterprise depends on its people.
2. Design a Tailored Governance System to Determine Applicable COBIT 2019 Governance and Management Objectives
The different stages and steps in the design process, as shown in figure 1, will result in recommendations for prioritizing governance and management objectives (and/or related governance system components), and will set the stage for assigning and achieving target capability levels.
Figure 1—Governance System Design Workflow
Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018
The conclusion of the design phase must result in 1 design for the governance system for enterprise information and technology (I&T). This design will include:
- Prioritized governance and management objectives
- Target capability levels for processes
- Recognition of any governance component requiring specific attention due to a particular issue or circumstance (e.g., if privacy is of utmost concern to an enterprise, privacy policies and procedures may need extra attention)
3. Identify Respective Process Owners and Conduct Briefing Sessions
Prepare process assessment templates for all agreed-on processes.
The process owners, participants in the processes and users of process outputs are principal sources of knowledge and experience about the processes;3 they are in a good position to identify potential process capability weaknesses. To motivate participants to be open and constructive, management should indicate clear support for the assessment. It should be clearly stated that process assessments focus on the processes, not on the performance of enterprise staff involved with them. The intent is to make the processes perform more effectively in support of defined business goals, not to allocate blame to individuals for poor performance.
4. Obtain Required Evidence Using Agreed-On Methodologies, Validate and Gather Additional Evidence Using Direct and Indirect Approaches
Evidence should be collected in a systematic manner using an explicitly identified strategy and technique that is easily demonstrable. All evidence collected should be easily associated to the appropriate governance and management objectives involved in the assessment and sufficient to meet the purpose and scope of the assessment.
For each objective, relate the evidence to relevant process practices and activities, and ensure that the data collected are correct and objective.
Evidence can be provided either in the form of direct evidence such as a document or an outcome, or indirect evidence, including (for example) plans to produce particular outcomes. In general, the primary source of evidence will be interviews, whose results will be confirmed through examination of work products and outputs from the practices whose objectives are being assessed. In some cases, gathering and evaluating evidence could involve working through the relevant processes to understand them in sufficient detail.4
5. Perform the Process Activity Rating
For each objective assessed, a rating is assigned for each process activity up to and including the highest capability level defined in the assessment scope. The rating is based on validated data, and traceability must be maintained between the objective evidence collected and the process activity ratings assigned.
The rating scale to be used is:
Fully—The capability level is achieved for more than 85%. (This remains a judgment call, but it can be substantiated by the examination or assessment of the components of the enabler such as process activities, process goals or organizational structure good practices.)
Largely—The capability level is achieved between 50% and 85%.
Partially—The capability level is achieved between 15% and 50%.
Not—The capability level is achieved less than 15%.5
6. Report the Identified Strengths and Opportunities
The results of the assessment must be reported in an output document and provided to the assessment sponsor. The results of the assessment are analyzed and presented in the report, which should cover observed strengths and weaknesses in process capability and identify any opportunities for process improvement. The end result of an assessment is a report containing a determination of the current capability level.6
Following these steps sequentially helps professionals perform an effective capability assessment of the governance and management system and all the components of an enterprise. CPM refers to how well the governance and management system and all the components of an enterprise work, and how they can be improved to meet the required level.
Process activities are associated with capability levels managing the performance of processes, while maturity levels are associated with focus and will be achieved if all required capability levels are achieved.
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 2019 and COBIT 5 Trainer, IAITAM Accredited Trainer, Certified IT Asset Manager, PMP, TOGAF 9
Is a senior IT advisory professional with more than 20 years of experience directing enterprise IT operations to maximize performance, profitability and productivity. He excels at formulating IT governance, risk management, business continuity, asset management and information security policies and procedures; defining IT strategy and road maps; implementing enterprise governance of information and technology (EGIT) and cybersecurity frameworks; designing security controls; and leading top-performing teams. Dhulipalla has extensive experience managing multimillion-dollar projects, transforming and standardizing organizational practices, leveraging IT as a strategic tool, conducting risk assessments, and directing audits. He has a consistent history of improving business-IT alignment. He can be reached at LeelaRaviShankar.D@gmail.com or https://www.linkedin.com/in/leelaravishankard/.
1 CMMI Institute, CMMI V2.0
2 ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018
3 ISACA, COBIT Assessor Guide: Using COBIT 5, USA, 2013
5 Op cit COBIT 2019 Framework: Introduction and Methodology
6 Op cit COBIT Assessor Guide: Using COBIT 5