IT Governance Failures
High Cost, Low Impact |
Mature but Not Useful |
Policies That Are Not Concrete |
Forgetting the Purpose of "Governance" |
Ambitious but Not Measurable |
Governance Only as a Formality |
Failing to Understand Needs |
COBIT 2019 Improvements
Flexibility and openness |
Currency and relevance |
Prescriptive application |
Performance management of IT |
What Is COBIT and What Is It Not?
COBIT IS | COBIT IS NOT |
A framework for the governance and management of enterprise I&T | A full description of the whole IT environment of an enterprise |
COBIT defines the components to build and sustain a governance system | A framework to organize business processes |
COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system | An (IT-)technical framework to manage all technology |
COBIT is flexible and allows guidance on new topics to be added | COBIT does not make or prescribe any IT-related decisions |
COBIT Principles
Governance System | Governance Framework |
Provide Stakeholder Value | Based on Conceptual Model |
Holistic Approach | Open and Flexible |
Dynamic Governance System | Aligned to Major Standards |
Governance Distinct From Management | |
Tailored to Enterprise Needs | |
End-to-End Governance System | |
Governance and Management Objectives
• A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective
• A governance objective relates to a governance process while a management objective relates to a management process. |
Governance and Management Objective Domains
Governance Objectives | Management Objectives |
EDM Evaluate, Direct and Monitor | APO Align, Plan and Organize |
| BAI Build, Acquire and Implement |
| DSS Deliver, Service and Support |
| MEA Monitor, Evaluate and Assess |
Components of the Governance System
Processes |
Organizational Structures |
Principles, Policies and Frameworks |
Information |
Culture, Ethics and Behavior |
People, Skills and Competencies |
Services, Infrastructure and Applications |
Types of Components
• Generic components are described in the COBIT core model and apply in principle to any situation.
• Variants are based on generic components but are tailored for a specific purpose or context within a focus area (e.g., for information security, DevOps, a particular regulation) |
Goals Cascade
The goals cascade further supports translation of enterprise goals into priorities for alignment goals.
• Enterprise goals have been consolidated, reduced, updated and clarified
• Alignment goals emphasize the alignment of all IT efforts with business objectives. |
COBIT Performance Management (CPM) Principles
The CPM should be simple to understand and use |
The CPM should be consistent with, and support, the COBIT conceptual model |
The CPM should provide reliable, repeatable and relevant results |
The CPM must be flexible, so it can support the requirements of different organizations with different priorities and needs |
The CPM should support different types of assessment, from self-assessments to formal appraisals or audits |
COBIT Performance Management (CPM) Overview
Process activities are associated to capability levels |
Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance |
Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved |
Capability Levels for Processes
0 |
Incomplete—The process is not performed, or does not achieve its purpose. |
1 |
Performed—The process achieves its purpose, but in an ad hoc, unstructured way. |
2 |
Managed—The process is planned and monitored, with a basic but complete set of activities. |
3 |
Defined—Enterprise-wide standards exist (defined process, templates) and are followed. |
4 |
Quantitative—The process is measured and analyzed quantitatively. |
5 |
Optimizing—Continuous improvement of the process. |
Governance System Design Workflow
Impact of Design Factors
1 |
Management Objective Priority and Target Capability Levels |
2 |
Component Variations |
3 |
Specific Focus Areas |
Maturity Levels for Focus Areas
0 |
Incomplete—Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area. |
1 |
Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved. |
2 |
Managed—Planning and performance measurement take place, although not yet in a standardized way. |
3 |
Defined—Enterprisewide standards provide guidance across the enterprise. |
4 |
Quantitative—The enterprise is data driven, with quantitative performance improvement. |
5 |
Optimizing—The enterprise is focused on continuous improvement. |
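The CPM overview above states the roll-up rule (a focus area reaches a maturity level only when all required capability levels are achieved), and the design workflow and implementation road map produce, respectively, target capability levels per objective and the "where are we now / where do we want to be / what needs to be done" questions. The following is an added example, not code from the cheat sheet or from ISACA, that puts those pieces together for one focus area. It assumes the simplifying rule that maturity level N requires capability level N from every objective in scope (COBIT allows per-objective targets to differ; here the lowest capability among the objectives caps the focus-area maturity), and the objective IDs, targets and assessed levels in `SAMPLE` are constructed data, not a real assessment.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Level names for processes (capability) and focus areas (maturity), 0..5
CAPABILITY_LEVELS = {0: "Incomplete", 1: "Performed", 2: "Managed",
                     3: "Defined", 4: "Quantitative", 5: "Optimizing"}
MATURITY_LEVELS = {0: "Incomplete", 1: "Initial", 2: "Managed",
                   3: "Defined", 4: "Quantitative", 5: "Optimizing"}


def check_level(level: int) -> int:
    """Reject anything outside the 0..5 scale before it reaches a roll-up."""
    if not isinstance(level, int) or level not in CAPABILITY_LEVELS:
        raise ValueError(f"capability level must be an integer 0..5, got {level!r}")
    return level


@dataclass
class Objective:
    """One governance or management objective inside a focus area."""
    id: str          # e.g. "DSS05"
    target: int      # target capability level (design workflow step 1)
    assessed: int    # capability level found when answering "Where are we now?"

    def __post_init__(self) -> None:
        check_level(self.target)
        check_level(self.assessed)


@dataclass
class FocusArea:
    name: str
    objectives: list[Objective] = field(default_factory=list)


def maturity_level(area: FocusArea, use_target: bool = False) -> int:
    """Assumed roll-up rule: maturity level N needs capability >= N from every
    objective, so the focus area sits at the lowest level among its objectives."""
    if not area.objectives:
        return 0
    levels = [o.target if use_target else o.assessed for o in area.objectives]
    return min(levels)


def blocking_objectives(area: FocusArea, level: int) -> list[str]:
    """Objectives that stop the focus area from reaching maturity `level`
    (the input to "What needs to be done?")."""
    check_level(level)
    return [o.id for o in area.objectives if o.assessed < level]


def capability_gaps(area: FocusArea) -> dict[str, int]:
    """Per-objective shortfall against the design-factor target
    ("Where do we want to be?" minus "Where are we now?")."""
    return {o.id: o.target - o.assessed for o in area.objectives if o.assessed < o.target}


def gap_report(area: FocusArea) -> dict:
    """Summary a practitioner would hand to the steering committee."""
    achieved = maturity_level(area)
    wanted = maturity_level(area, use_target=True)
    return {
        "focus_area": area.name,
        "achieved": f"{achieved} {MATURITY_LEVELS[achieved]}",
        "target": f"{wanted} {MATURITY_LEVELS[wanted]}",
        "gaps": capability_gaps(area),
        "blocking_next_level": blocking_objectives(area, min(achieved + 1, 5)),
    }


# Constructed sample: an information-security focus area with hypothetical
# targets and assessment results (not a real enterprise's data).
SAMPLE = FocusArea("Information security", [
    Objective("EDM03", target=3, assessed=3),
    Objective("APO12", target=3, assessed=2),
    Objective("APO13", target=3, assessed=3),
    Objective("DSS05", target=3, assessed=2),
    Objective("DSS06", target=3, assessed=2),
])

if __name__ == "__main__":
    for key, value in gap_report(SAMPLE).items():
        print(f"{key}: {value}")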
Implementation Road Map
COBIT Implementation Approach
1 |
What are the drivers? |
2 |
Where are we now? |
3 |
Where do we want to be? |
4 |
What needs to be done? |
5 |
How do we get there? |
6 |
Did we get there? |
7 |
How do we keep the momentum going? |
Roles and Organizational Structures
Board |
Group of the most senior executives and/or nonexecutive directors accountable for governance and overall control of enterprise resources |
Executive Committee |
Group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major decisions |
Chief Executive Officer |
Highest-ranking officer charged with the total management of the enterprise |
Chief Information Officer |
Most senior official responsible for aligning IT and business strategies and accountable for planning, resourcing and managing delivery of I&T services and solutions |
Chief Technology Officer |
Most senior official tasked with technical aspects of I&T, including managing and monitoring decisions related to I&T services, solutions and infrastructures |
|
|
EDM
EDM01 - Ensured Governance Framework Setting and Maintenance |
Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise’s strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met. |
EDM02 - Ensured Benefits Delivery |
Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently. |
EDM03 - Ensured Risk Optimization |
Ensure that I&T-related enterprise risk does not exceed the enterprise’s risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized. |
EDM04 - Ensured Resource Optimization |
Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change. |
EDM05 - Ensured Stakeholder Engagement |
Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise’s strategy. |
APO
APO01 - Managed I&T Management Framework |
Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behaviour; and services, infrastructure and applications. |
APO02 - Managed Strategy |
Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives. |
APO03 - Managed Enterprise Architecture |
Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives. |
APO04 - Managed Innovation |
Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies. |
APO05 - Managed Portfolio |
Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand. |
APO06 - Managed Budget and Costs |
Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services. |
APO07 - Managed Human Resources |
Optimize human resources capabilities to meet enterprise objectives. |
APO08 - Managed Relationships |
Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders. |
APO09 - Managed Service Agreements |
Ensure that I&T products, services and service levels meet current and future enterprise needs. |
APO10 - Managed Vendors |
Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing. |
APO11 - Managed Quality |
Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs. |
APO12 - Managed Risk |
Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk. |
APO13 - Managed Security |
Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels. |
APO14 - Managed Data |
Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives. |
BAI
BAI01 - Managed Programs |
Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio. |
BAI02 - Managed Requirements Definition |
Create optimal solutions that meet enterprise needs while minimizing risk. |
BAI03 - Managed Solutions Identification and Build |
Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives. |
BAI04 - Managed Availability and Capacity |
Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements. |
BAI05 - Managed Organizational Change |
Prepare and commit stakeholders for business change and reduce the risk of failure. |
BAI06 - Managed IT Changes |
Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment. |
BAI07 - Managed IT Change Acceptance and Transitioning |
Implement solutions safely and in line with the agreed expectations and outcomes. |
BAI08 - Managed Knowledge |
Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making. |
BAI09 - Managed Assets |
Account for all I&T assets and optimize the value provided by their use. |
BAI10 - Managed Configuration |
Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents. |
BAI11 - Managed Projects |
Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio. |
BAI06 - Change Types
- Standard changes
- Normal Changes
- Emergency Changes |
BAI06 - The Purpose of the Change Control
• Change is the addition, modification, or removal of anything that could have a direct or indirect effect on services
• The purpose of the change control practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule
• The scope of change control is defined by each organization. It will typically include all IT infrastructure, applications, documentation, processes, supplier relationships, and anything else that might directly or indirectly impact a product or service
• The person or group who authorizes a change is known as a change authority
• The change schedule is used to help plan changes, assist in communication, avoid conflicts and assign resources |
DSS
DSS01 - Managed Operations |
Deliver I&T operational product and service outcomes as planned. |
DSS02 - Managed Service Requests and Incidents |
Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents. |
DSS03 - Managed Problems |
Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution. |
DSS04 - Managed Continuity |
Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands). |
DSS05 - Managed Security Services |
Minimize the business impact of operational information security vulnerabilities and incidents. |
DSS06 - Managed Business Process Controls |
Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation. |
MEA
MEA01 - Managed Performance and Conformance Monitoring |
Provide transparency of performance and conformance and drive achievement of goals. |
MEA02 - Managed System of Internal Control |
Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
MEA03 - Managed Compliance With External Requirements |
Ensure that the enterprise is compliant with all applicable external requirements. |
MEA04 - Managed Assurance |
Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches. |
|
|
Design factors
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T |
Design Factors
Enterprise Strategy |
Organizations typically have a primary strategy and, at most, one secondary strategy |
Enterprise Goals |
Supporting the enterprise strategy—Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the Balanced Scorecard (BSC) dimensions. |
Risk Profile |
Of the enterprise and current issues in relation to I&T—The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite. |
I&T-Related Issues |
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized. |
Threat Landscape |
The threat landscape under which the enterprise operates is classified as Normal or High (see DF - Threat Landscape). |
Compliance Requirements |
The compliance requirements to which the enterprise is subject are classified by category (low, normal or high compliance burden). |
Role of IT |
The role of IT for the enterprise is classified as Support, Factory, Turnaround or Strategic (see DF - Role of IT). |
Source Model for IT |
The sourcing model the enterprise adopts is classified as Outsourcing, Cloud, Insourced or Hybrid (see DF - Sourcing Model for IT). |
IT Implementation Methods |
The implementation methods the enterprise adopts are classified as Agile, DevOps, Traditional or Hybrid (see DF - IT Implementation Methods). |
Technology Adoption Strategy |
The technology adoption strategy is classified as First mover, Follower or Slow adopter (see DF - Technology Adoption Strategy). |
Enterprise Size |
Two size categories are distinguished for the design of an enterprise's governance system: large enterprises (more than 250 FTEs, the default) and small and medium enterprises (50 to 250 FTEs). |
DF - Enterprise Strategy
Strategy Archetype |
Explanation |
Growth/Acquisition |
The enterprise has a focus on growing (revenues). |
Innovation/Differentiation |
The enterprise has a focus on offering different and/or innovative products and services to their clients. |
Cost Leadership |
The enterprise has a focus on short-term cost minimization. |
Client Service/Stability |
The enterprise has a focus on providing stable and client-oriented service. |
DF - Enterprise Goals
Reference | Balanced Scorecard (BSC) Dimension | Enterprise Goal |
EG01 | Financial | Portfolio of competitive products and services |
EG02 | Financial | Managed business risk |
EG03 | Financial | Compliance with external laws and regulations |
EG04 | Financial | Quality of financial information |
EG05 | Customer | Customer-oriented service culture |
EG06 | Customer | Business-service continuity and availability |
EG07 | Customer | Quality of management information |
EG08 | Internal | Optimization of internal business process functionality |
EG09 | Internal | Optimization of business process costs |
EG10 | Internal | Staff skills, motivation and productivity |
EG11 | Internal | Compliance with internal policies |
EG12 | Growth | Managed digital transformation programs |
EG13 | Growth | Product and business innovation |
DF - Threat Landscape
Normal |
The enterprise is operating under what are considered normal threat levels. |
High |
Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment. |
DF - Role of IT
Support |
Not crucial |
Factory |
Running and continuity |
Turnaround |
Driver for innovating |
Strategic |
Critical for both running and innovating |
DF - Sourcing Model for IT
Outsourcing |
Cloud |
Insourced |
Hybrid |
DF - IT Implementation Methods
Agile |
DevOps |
Traditional |
Hybrid |
DF - Technology Adoption Strategy
First mover |
Follower |
Slow adopter |