Last week in “Making COBIT 5 part of your IT strategy,” I wrote about why the latest release of the COBIT standard should be on your radar. This week I begin a detailed review of COBIT 5, starting with how your IT organization can use this version to show how IT is contributing to your business’s financial performance, and in particular, helping to mitigate risk and ease the compliance burden.
As I mentioned, a major innovation in COBIT 5 is the inclusion of scorecards that give IT a roadmap for demonstrating that it is running efficiently and effectively. And, by embracing this approach, IT can show how it’s helping the business run more efficiently and effectively.
COBIT 5 measures dovetail into a four-quadrant Norton Kaplan balanced scorecard, something that is used throughout the business world. The beauty of this is that by using a scorecard as a measurement and management tool, you’re mapping what you’re measuring to how the business measures itself. If you’re concerned about demonstrating IT value to the business, you want to examine COBIT scorecards and see what you can glean from them as well as how you measure up.
Today, I’m going to look one quadrant – the financial quadrant – and call out the metrics as well as the business questions that the COBIT IT scorecard raises. If you can’t answer these questions, it’s a sign you need to look more closely at your IT performance system.
Financial, risk and compliance goals for the enterprise
The COBIT 5 IT scorecard is based upon a generalized business scorecard. In this post, I’ll look at linkages between them, but focus my attention on the IT scorecard. For the business, COBIT 5’s financial quadrant has five areas that a business should use to score itself for financial performance, risk and compliance. They are:
1) Value of Business Investments
2) Portfolio of Products and Services
3) Managed Business Risk
4) Compliance with External Laws and Regulations
5) Financial Transparency
Why should IT look at these business goals? IT has a significant impact on several of them and the IT-related scorecard ties directly back to the business-related scorecard.
Financial, risk and compliance goals for IT
How should IT score itself in terms of financial performance, risk and compliance? COBIT 5 comes up with six goal areas, and if you compare these goals to the outline for the business-related scorecard above, you see pretty close linkages. This means it’s possible to map IT goals (and related metrics) to business goals and metrics. Let’s look at each goal area and its respective metrics individually:
1. Alignment of IT and business strategy: COBIT 5 recommends IT look at three metrics here: alignment of enterprise and IT strategies, satisfaction with the portfolio of programs and services, and IT value drivers that are mapped to business drivers. These metrics tie nicely to the enterprise goal of the value of business investments.
2. Commitment of executive for making IT-related decisions: This is an enabler of the previous goal. An important metric here is executives who have clearly defined accountabilities for IT decisions. (This does not mean IT executives.) Also important is the frequency that IT is on the board agenda in a proactive versus reactive manner. We know, for example, that this was the case at United Airlines during its merger with Continental, but what about the normal operating period? On the IT management side of this goal are metrics regarding the frequency of IT strategy committee meetings and the rate of executive IT-related decisions.
3. Realized benefits for IT enabled investments and service portfolio: This is about proving that IT investments achieved their expected benefits for the business. Things that matter are percent of IT investments where benefit realization is monitored through the (product) life cycle, the percent of IT services where expected benefits are realized, and the percent of IT-enabled investments where claimed benefits are met or exceeded. Wouldn’t it be nice if this happened frequently? Many companies do not try to do anything here.
4. Managed IT-related business risks: Clearly, many business risks are tied directly to IT performance. This is one reason why COBIT gained teeth as a standard after Sarbanes-Oxley. IT measurements recommended by COBIT include: 1) Percent of critical business processes, IT services, and IT enabled risk assessments; 2) the number of significant IT-related incidents that were not identified by a risk assessment; 3) the number of enterprise risk assessments including IT-related risk, and 4) the frequency of updates to risk profile. Put simply, this is all about the use and learning from risk assessments.
5. IT compliance and support for business compliance with external laws and regulations: These metrics deal with the compliance as well as the impact of compliance, specifically the following: the cost and impact of IT non-compliance, IT-related non-compliance issues reported to the board or causing public embarrassment, non-compliance issues relating to service providers, and the coverage of compliance assessments. Clearly, you want things that are reported to board or cause public embarrassment to be few and far between. People get fired over these things. I know personally of one company where this happened. Core systems failed during a public disaster and this created grea embarrassment.
6, Transparency of IT costs, benefits, and risks: Here, things that matter are investment business cases that are defined and have approved costs and benefits, percent of IT services with clearly defined and approved operating costs and benefits, and the satisfaction survey around transparency and the understanding and accuracy of IT financial information. For many, this goal area represents a stretch because their costs are still locked up in cost-center financials. I am covering in a separate blog series the importance of getting costs to the level of services. COBIT effectively endorses service costing. This is so important because you cannot have a business discussion until cost is presented at the level that the business can understand. Transparency is not just about having cost data—it is about making this data understandable so a prioritization discussion can happen.
Where to start?
The remaining question is where to begin? My suggestion t is to start where you can drive the most value within IT and for the business. Or to put it differently, start with where you can quickly drive improvement. Next post, I will turn my attention to the customer quadrant. In the meantime, feel free to ask questions or comment below.
Blog post: Making COBIT 5 part of your IT strategy
Solution page: IT Performance Management