IT Governance Failures
High Cost, Low Impact
Mature but Not Useful
Policies That Are Not Concrete
Forgetting the Purpose of "Governance"
Ambitious but Not Measurable
Governance Only as a Formality
Failing to Understand Needs
COBIT 2019 Improvements
Flexibility and openness
Currency and relevance
Performance management of IT
What Is COBIT and What Is It Not?
COBIT IS
• A framework for the governance and management of enterprise I&T
• COBIT defines the components to build and sustain a governance system
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system
• COBIT is flexible and allows guidance on new topics to be added
COBIT IS NOT
• A full description of the whole IT environment of an enterprise
• A framework to organize business processes
• An (IT-) technical framework to manage all technology
• COBIT does not make or prescribe any IT-related decisions
COBIT Principles
Principles for a governance system:
• Provide Stakeholder Value
• Dynamic Governance System
• Governance Distinct From Management
• Tailored to Enterprise Needs
• End-to-End Governance System
Principles for a governance framework:
• Based on Conceptual Model
• Open and Flexible
• Aligned to Major Standards
Governance and Management Objectives
• A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective
• A governance objective relates to a governance process while a management objective relates to a management process.
Domains of Governance and Management Objectives
Evaluate, Direct and Monitor
Align, Plan and Organize
Build, Acquire and Implement
Deliver, Service and Support
Monitor, Evaluate and Assess
Components of the Governance System
Principles, Policies and Frameworks
Culture, Ethics and Behavior
People, Skills and Competencies
Services, Infrastructure and Applications
Types of Components
• Generic components are described in the COBIT core model and apply in principle to any situation.
• Variants are based on generic components but are tailored for a specific purpose or context within a focus area (e.g., for information security, DevOps, a particular regulation).
The goals cascade further supports translation of enterprise goals into priorities for alignment goals.
• Enterprise goals have been consolidated, reduced, updated and clarified
• Alignment goals emphasize the alignment of all IT efforts with business objectives.
COBIT Performance Management (CPM) Principles
The CPM should be simple to understand and use
The CPM should be consistent with, and support, the COBIT conceptual model
The CPM should provide reliable, repeatable and relevant results
The CPM must be flexible, so it can support the requirements of different organizations with different priorities and needs
The CPM should support different types of assessment, from self-assessments to formal appraisals or audits
COBIT Performance Management (CPM) Overview
Process activities are associated with capability levels.
Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance
Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved
Capability Levels for Processes
Governance System Design Workflow
Impact of Design Factors
Management Objective Priority and Target Capability Levels
Specific Focus Areas
Maturity Levels for Focus Areas
Incomplete—Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved.
Managed—Planning and performance measurement take place, although not yet in a standardized way.
Defined—Enterprisewide standards provide guidance across the enterprise.
Quantitative—The enterprise is data driven, with quantitative performance improvement.
Optimizing—The enterprise is focused on continuous improvement.
Implementation Road Map
COBIT Implementation Approach
What are the drivers?
Where are we now?
Where do we want to be?
What needs to be done?
How do we get there?
Did we get there?
How do we keep the momentum going?
Roles and Organizational Structures
Board
Group of the most senior executives and/or nonexecutive directors accountable for governance and overall control of enterprise resources
Executive Committee
Group of senior executives appointed by the board to ensure that the board is involved in, and kept informed of, major decisions
Chief Executive Officer
Highest-ranking officer charged with the total management of the enterprise
Chief Information Officer
Most senior official responsible for aligning IT and business strategies and accountable for planning, resourcing and managing delivery of I&T services and solutions
Chief Technology Officer
Most senior official tasked with technical aspects of I&T, including managing and monitoring decisions related to I&T services, solutions and infrastructures
EDM01 - Ensured Governance Framework Setting and Maintenance
Provide a consistent approach integrated and aligned with the enterprise governance approach. I&T-related decisions are made in line with the enterprise’s strategies and objectives and desired value is realized. To that end, ensure that I&T-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met.
EDM02 - Ensured Benefits Delivery
Secure optimal value from I&T-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.
EDM03 - Ensured Risk Optimization
Ensure that I&T-related enterprise risk does not exceed the enterprise’s risk appetite and risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
EDM04 - Ensured Resource Optimization
Ensure that the resource needs of the enterprise are met in the optimal manner, I&T costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.
EDM05 - Ensured Stakeholder Engagement
Ensure that stakeholders are supportive of the I&T strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that I&T-related objectives and strategies are in line with the enterprise’s strategy.
APO01 - Managed I&T Management Framework
Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications.
APO02 - Managed Strategy
Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives.
APO03 - Managed Enterprise Architecture
Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.
APO04 - Managed Innovation
Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.
APO05 - Managed Portfolio
Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.
APO06 - Managed Budget and Costs
Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.
APO07 - Managed Human Resources
Optimize human resources capabilities to meet enterprise objectives.
APO08 - Managed Relationships
Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.
APO09 - Managed Service Agreements
Ensure that I&T products, services and service levels meet current and future enterprise needs.
APO10 - Managed Vendors
Optimize available I&T capabilities to support the I&T strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.
APO11 - Managed Quality
Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.
APO12 - Managed Risk
Integrate the management of I&T-related enterprise risk with overall enterprise risk management (ERM) and balance the costs and benefits of managing I&T-related enterprise risk.
APO13 - Managed Security
Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.
APO14 - Managed Data
Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.
BAI01 - Managed Programs
Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.
BAI02 - Managed Requirements Definition
Create optimal solutions that meet enterprise needs while minimizing risk.
BAI03 - Managed Solutions Identification and Build
Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.
BAI04 - Managed Availability and Capacity
Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.
BAI05 - Managed Organizational Change
Prepare and commit stakeholders for business change and reduce the risk of failure.
BAI06 - Managed IT Changes
Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.
BAI07 - Managed IT Change Acceptance and Transitioning
Implement solutions safely and in line with the agreed expectations and outcomes.
BAI08 - Managed Knowledge
Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.
BAI09 - Managed Assets
Account for all I&T assets and optimize the value provided by their use.
BAI10 - Managed Configuration
Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.
BAI11 - Managed Projects
Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.
BAI06 - Change Types
- Standard changes
- Normal Changes
- Emergency Changes
BAI06 - The Purpose of the Change Control
• Change is the addition, modification, or removal of anything that could have a direct or indirect effect on services
• The purpose of the change control practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule
• The scope of change control is defined by each organization. It will typically include all IT infrastructure, applications, documentation, processes, supplier relationships, and anything else that might directly or indirectly impact a product or service
• The person or group who authorizes a change is known as a change authority
• The change schedule is used to help plan changes, assist in communication, avoid conflicts and assign resources
DSS01 - Managed Operations
Deliver I&T operational product and service outcomes as planned.
DSS02 - Managed Service Requests and Incidents
Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents.
DSS03 - Managed Problems
Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.
DSS04 - Managed Continuity
Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).
DSS05 - Managed Security Services
Minimize the business impact of operational information security vulnerabilities and incidents.
DSS06 - Managed Business Process Controls
Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.
MEA01 - Managed Performance and Conformance Monitoring
Provide transparency of performance and conformance and drive achievement of goals.
MEA02 - Managed System of Internal Control
Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
MEA03 - Managed Compliance With External Requirements
Ensure that the enterprise is compliant with all applicable external requirements.
MEA04 - Managed Assurance
Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.
Design factors are factors that can influence the design of an enterprise's governance system and position it for success in the use of I&T.
Enterprise Strategy
Organizations typically have a primary strategy and, at most, one secondary strategy.
Enterprise Goals
Enterprise goals support the enterprise strategy: the enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the Balanced Scorecard (BSC) dimensions.
Risk Profile
The risk profile of the enterprise and its current issues in relation to I&T. The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.
I&T-Related Issues
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized.
Threat Landscape
The threat landscape under which the enterprise operates can be classified.
Compliance Requirements
The compliance requirements to which the enterprise is subject can be classified into categories.
Role of IT
The role of IT for the enterprise can be classified.
Sourcing Model for IT
The sourcing model the enterprise adopts can be classified.
IT Implementation Methods
The methods the enterprise adopts can be classified.
Technology Adoption Strategy
The technology adoption strategy can be classified.
Enterprise Size
Two categories are identified for the design of an enterprise's governance system.
DF - Enterprise Strategy
The enterprise has a focus on growing (revenues).
The enterprise has a focus on offering different and/or innovative products and services to their clients.
The enterprise has a focus on short-term cost minimization.
The enterprise has a focus on providing stable and client-oriented service.
DF - Enterprise Goals
Balanced Scorecard (BSC) Dimension
Portfolio of competitive products and services
Managed business risk
Compliance with external laws and regulations
Quality of financial information
Customer-oriented service culture
Business-service continuity and availability
Quality of management information
Optimization of internal business process functionality
Optimization of business process costs
Staff skills, motivation and productivity
Compliance with internal policies
Managed digital transformation programs
Product and business innovation
DF - Threat Landscape
The enterprise is operating under what are considered normal threat levels.
Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
DF - Role of IT
Running and continuity
Driver for innovating
Critical for both running and innovating
DF - Sourcing Model for IT
DF - IT Implementation Methods
DF - Technology Adoption Strategy