Several years ago, the IT department of the largest bakery factory in the world, with a presence in the United States, Mexico, Central America, South America, Asia, Europe, Canada and the United Kingdom, conducted a COBIT 4 assessment and implementation of a enterprise governance. Recently, it was determined that the assessment and governance process needed to be updated to determine the next steps required to align it with the new business vision.
The initiative was suggested by the company’s architecture and standards (A&S) team and was needed to update processes and practices to align with the new business objectives. Strong IT governance was also necessary to support a soon-to-be-started initiative relating to enterprise architecture.
Since the team responsible for governance was planning to start the upgrade of the COBIT 4 assessment aligned to the new business strategy later in the year, it was decided that the COBIT 5 self-assessment could be segmented and started right away by the A&S team covering only the processes of A&S and in global support areas.
The objectives for this undertaking included:
- Determining the current maturity level of the company’s processes related to A&S and global support, based on the COBIT 5 framework
- Defining the target maturity level based on a 3-year plan
- Defining an implementation plan to achieve the target maturity levels
Scope
The diagnosis of the A&S and global support functions covered 3 of the 5 COBIT domains (12 of 37 processes defined in the COBIT 5 framework). The domains and whether they were required in this case are (figure 1):
- Evaluate, Direct and Monitor (EDM)—Governance direction. Not included.
- Align, Plan and Organize (APO)—Use of information and technology. Included.
- Build, Acquire and Implement (BAI)—IT requirements, acquisition of technology. Included.
- Deliver, Service and Support (DSS)—Delivery of value from IT. Included.
- Monitor, Evaluate and Assess (MEA)—Assessing the needs of the company and the regulatory requirements. Not included.
Figure 1—Included Domains
Source: Victor Antonio Jimenez. Reprinted with permission.
The assessment was performed using the COBIT Self - Assessment Guide: Using COBIT 5 and tool kit. The working sessions with team members included an introduction to the COBIT 5 framework for team members who had not participated in the previous COBIT 4 work and had no previous experience using COBIT.
The results were reviewed with management. The results were presented with the current maturity level and the 3-year goal, as shown in figure 2.
Figure 2—Current and Goal Maturity Levels
Source: Victor Antonio Jimenez. Reprinted with permission.
The detail and suggestions for improving processes were presented as shown in figure 3.
Figure 3—Result Detail and Suggestions for Improving Processes
Source: Victor Antonio Jimenez. Reprinted with permission.
A benchmark was set using baseline data provided by Benchmarking and Business Value Assessment of COBIT 5. For comparative purposes, the following benchmarks were set:
- Industry—Food
- Revenue—US $13789 million
- Company Size—124,290 employees
- Continent—North America
The goal of achieving a maturity level 3 in a period of 3 years was set, as noted in figure 4 based on the capability levels in ISO/IEC 15504-2 Information technology—Process assessment—Part 2: Performing an assessment.
Figure 4—Goal Levels
Source: Victor Antonio Jimenez. Reprinted with permission.
The benchmarking results were presented to senior management using graphics as much as possible (figure 5 ).
Figure 5—Benchmarking Results Example Presented to Senior Management
Source: Victor Antonio Jimenez. Reprinted with permission.
Then the actions aligned with business objectives were defined, taking into consideration the vision, key capabilities and IT objectives. Next, the findings were prioritized and the road map to the goal was set.
It was important to clarify to senior management the objectives, benefits, dependencies and assumptions of every domain to enforce the message that a complete assessment should be performed to have a complete view of the effort.
Once this was done, a set of smaller projects was presented—each of them with the objective, expected benefits and the COBIT process it covered so those responsible for a project could understand its scope and benefits. These initiatives were:
- A&S and global support strategic plan
- Management framework and services
- Management of innovation
- Management of knowledge
- Management of service requests, incidents and problems
- Management of operations, continuity and business process controls
These projects were presented using the template shown in figure 6.
Figure 6—Project Presentation Template
Source: Victor Antonio Jimenez. Reprinted with permission.
The coexistence of COBIT 5 with other standards and frameworks (see figure 7) gave a comprehensive solution to the ongoing effort of the group during the implementation of strategic controls.
Figure 7—COBIT 5 Coverage of Other Standards and Frameworks
Source: ISACA, COBIT 5, USA, 2012
Conclusion
The self-assessment provided the view for a complete scope of the initiatives that are soon to begin to provide the company a balanced approach to IT governance. Although this project was a partial effort on the part of 2 IT areas, it was of great value to set the maturity level goal and devise specific strategies to reach it and show upper management of all IT departments the value of updating the processes and enablers using COBIT 5.
The enterprise continues work to implement the initiatives identified to update them to align with the business strategy as well as all new efforts to increase the maturity processes of IT. COBIT 5 helps in defining the path toward unified, complementary initiatives, all targeted toward a consistent goal.
Victor Antonio Jimenez
Is an IT professional with more than 19 years of experience in application development, project management, new technologies, enterprise architecture, service-oriented architecture (SOA) governance, and IT governance definition and implementation. He has been using COBIT in IT governance implementations since 2012 in both private and public enterprises.