ASSESSMENT OF IT GOVERNANCE

Academic year: 2021

Pablo Daniel Avila

Student number: s1713841

MSc Business Administration specialization Business & ICT

Faculty of Economics and Business

Rijksuniversiteit Groningen

Supervisors

Prof.Dr. E.W. Berghout

Dr. C.W. Tan

ABSTRACT

In this master thesis, a literature study on IT governance has been conducted in order to create an integrative IT governance definition. This research contains valuable information about why IT governance is important and how it can be defined. Afterwards, IT governance frameworks applied in practice are presented. Particular attention is paid to the full lifecycle framework by Berghout et al. (2002) and to CobiT 5 (2012), which has become ISACA's integrative framework by incorporating, for example, Val IT and ISO 38500.

After the review part, a mapping analysis is conducted to compare the full lifecycle framework with CobiT 5. This mapping gives insights into the similarities and differences of both frameworks. To investigate the potential benefits of applying the full lifecycle framework, an empirical investigation is conducted across 49 organizations by means of an IT governance quick scan. The data was collected during the years 2009-2012 from different medium- and large-sized organizations in the Netherlands. The IT governance quick scan from the full lifecycle framework creates a complete overview of the current state of IT costs and benefits within the organization. This distinct feature represents an improvement for the assessment of IT governance.

Additionally, this research briefly introduces and applies a method for clustering benchmarking. A successful application of clustering methods might produce relevant insights for the assessment of IT governance at a cluster level. Another major promise of clustering algorithms is their potential to aggregate different types of metrics related to IT governance.

TABLE OF CONTENTS

Introduction and Background

Chapter 1: IT governance
  1.1 In search of an IT governance definition
    1.1.1 The importance of IT governance
    1.1.2 IT governance defined
  1.2 IT governance, corporate governance and IT management

Chapter 2: IT governance in practice
  2.1 IT governance frameworks
  2.2 ISACA frameworks
    2.2.1 CobiT 4.1
    2.2.2 Val IT in CobiT 4.1
    2.2.3 CobiT 5
    2.2.4 Val IT in CobiT 5
    2.2.5 Comparison of CobiT 4.1 and CobiT 5
  2.3 The full lifecycle framework

Chapter 3: Analysis
  3.1 Mapping the full lifecycle framework and CobiT 5
    3.1.1 Comparing the full lifecycle stages with CobiT 5 at a conceptual level
    3.1.2 Comparing the full lifecycle stages with CobiT 5 at a practical level
    3.1.3 Conclusion of this comparison
  3.2 Application of the full lifecycle framework
    3.2.1 Descriptive statistics
    3.2.2 Benchmarking organizations with an IT governance scan

Chapter 4: Discussion and Conclusion
  4.1 Discussion
  4.2 Improvements and future research
  4.3 Conclusion
  4.4 Practical limitations

References

Appendix
  Appendix 1: EBSCO
  Appendix 2: More sources for definitions
  Appendix 3a: CobiT Processes
  Appendix 3b: Val IT Practices covered in CobiT 5
  Appendix 4: Quick Scan
  Appendix 5: HA
  Appendix 6: Radar Charts
  Appendix 7: Negenvlaksmodel
  Appendix 8: Similar propositions
  Appendix 9: Quick scan arguments
  Appendix 10: Quick scan percentages

INTRODUCTION AND BACKGROUND

Information technologies (IT) have an increasing impact on society as well as on organizations across all possible sectors and branches (De Haes & Van Grembergen 2008). Information technologies are crucial; therefore, organizations need to implement IT governance approaches/frameworks to be successful (Weill 2004). One of the available IT governance frameworks that merits attention is the full lifecycle framework by Berghout & Nijland (2002), which is capable of helping organizations assess their IT costs and benefits throughout the entire lifecycle.

IT governance has emerged as an important discipline for researchers and practitioners (Webb 2006; De Haes & Van Grembergen 2008). Two main reasons underline its importance. Firstly, from a business performance perspective, it has been shown that top-performing organizations generate higher returns than their competitors when introducing IT governance (Ross & Weill 2004). Implementing IT governance can help reduce the number of failed IT projects (De Haes & Van Grembergen 2008 in ISACA). Very often, these failed IT projects represent an important waste of financial resources or they fail to bring benefits to the organizations (Krigsman 2012; Cook 2007). The second reason underlining the importance of IT governance is the emergence of fiscal regulations supporting the implementation of IT governance practices and frameworks. For instance, the Sarbanes-Oxley Act in the United States requires that organizations analyse their IT corporate governance practices to guarantee proper fiscal accountability (Bloem et al. 2005).

The importance of IT governance points out the need for creating and implementing IT governance frameworks capable of ensuring that IT investments will generate value within the compliance requirements imposed by the legal environment (Bloem et al. 2005). The most well-known framework for IT governance is the Control Objectives for Information and related Technology (CobiT) elaborated by the Information Systems Audit and Control Association (ISACA). The new CobiT version, named CobiT 5, shows some serious signs of commitment to solving IT governance/management issues related to IT investment, for example, by completely integrating the Val IT framework and the ISO 38500. The Val IT framework focuses on the business value creation of IT and it offers a set of guidelines, processes and best practices related to IT governance, Portfolio Management and Investment Management (Val IT 2008). Above all, Val IT recognizes the importance of managing investments through their full economic lifecycle (ibid.). The ISO 38500 (2008) represents an improvement because of its imperative of evaluating the different stages of the IT governance process.

Beyond CobiT 5, there are additional tools available for generating value in the organization through a full lifecycle approach. One available framework is the full lifecycle approach by Berghout et al. (2002). This framework is able to evaluate the state of costs/benefits throughout the entire lifecycle of IT. Such a framework might represent a valuable contribution both for researchers interested in formal methods for the IT evaluation discipline and for practitioners willing to obtain benefits from their IT investments.

Motivation of this thesis:

Good IT governance is important for organizations and for society itself. From a business perspective, improving IT governance assessment is worthwhile because it can help organizations to tackle two main challenges. First, IT governance practices can help organizations to generate value from IT investments (Berghout et al. 2002; CobiT 5 2012). Second, IT governance can help organizations avoid financial scandals and, consequently, reduce the rate of IT failures (Bloem et al. 2005; Krigsman 2012; Cook 2007). Finally, from a long-run societal perspective, it is important to state that a significant part of the living standard in a country depends on IT innovation (Brynjolfsson 2011); consequently, the discussion on IT governance is not only a concern for organizations but also for policymakers dedicated to increasing value in society.

Objectives and methods:

This master thesis aims to demonstrate the application of an IT governance quick scan across 49 organizations as proposed by Berghout et al. (2002). The results of the IT governance quick scan are analysed through bivariate methods and an interpretative analysis. The available data is also used for a hierarchical cluster analysis. These different analyses are conducted in order to evaluate the variation of the performance across the different organizations and to discover relevant taxonomies. Additionally, this paper investigates whether an IT governance quick scan represents an improvement in the IT governance field. To find that out, it is examined whether CobiT 5 represents a shift to a full lifecycle paradigm and whether this new ISACA framework might be complemented with an IT governance quick scan and with a cluster analysis approach.

A conceptual mapping will show that the full lifecycle framework and the new CobiT 5 (2012) have many common aspects and that both frameworks are able to study relevant aspects of the lifecycle of IT investments. The mapping will also show that differences exist: using CobiT 5 in combination with the full lifecycle framework could produce complementary and useful insights on the assessment of the economic feasibility of information systems. The conceptual mapping involves a practical approach consisting of similarities and differences between both frameworks. Because of the distinctive nature of the object of analysis, only a comparative practical approach is used here.

An empirical analysis based on 49 organizations will reinforce the validity of the applicability of the IT governance quick scan by Berghout et al. (2002). A further validation of this method might be perceived as an advance in the IT costs and benefits management field. Taxonomies on the state of cost/benefit management within the studied organizations are created with the help of a cluster analysis by Hair et al. (2009) and by means of the results obtained with the IT governance quick scan.

Research questions:

After defining IT governance and presenting different IT governance frameworks, three central questions will be treated. The initial central question is: to what extent is the full lifecycle framework by Berghout et al. (2002) similar to CobiT 5? Answering this central question involves explaining to what degree the different key governance and management areas in CobiT 5 are comparable to the lifecycle stages proposed by Berghout et al. (2002). The next central question is: to what extent is the full lifecycle framework able to assess IT costs/benefits? Answering this central question consists of applying the full lifecycle framework, assessing its applicability and comparing its results with CobiT 5 assessment methods and with the results from a hierarchical cluster analysis. The final central question is: to what extent can an IT governance quick scan improve the assessment of IT governance? Answering this question demands exploring to what degree an IT governance quick scan as suggested by the full lifecycle framework represents a contribution for scholars and practitioners interested in an integrative method for the assessment of IT governance. Concretely, the following (sub)questions, divided into preliminary and central questions, are treated in this thesis:

Preliminary questions:

1) What are the attributes of IT governance? (Chapter 1)

2) What are the most relevant existing IT frameworks? (Chapter 2)

Central research questions:

4) To what extent is the full lifecycle framework able to assess IT costs/benefits? (Chapter 3 and 4)

4a) What are the results of its application? (Chapter 3.2)

4b) To what extent is it possible to identify categories in the results of its application? (Chapter 3.2)

4c) Would CobiT 5 assessments have resulted in similar conclusion? (Chapter 3 and 4)

5) To what extent can an IT governance quick scan improve the assessment of IT governance? (Chapter 4)

Structure of the thesis:

Figure A: Structure of this master thesis. [Diagram: Literature review, covering IT governance concepts (ch. 1) and IT governance frameworks (ch. 2): IT governance quick scan (Berghout et al. 2002) and ISACA frameworks (CobiT 5 2012); Analysis, covering Mapping analysis (ch. 3.1) and Quick scan application (ch. 3.2); Improvement?; Discussion and Conclusion (Chapter 4).]

1. IT GOVERNANCE

In this section, IT governance will be defined by conducting a short literature survey and by studying relevant literature (1.1). The “IT governance” concept will be compared with the concepts of “corporate governance” and “IT management” in order to obtain a better picture of the context of IT governance (1.2).

1.1 In search of an IT governance definition

Before defining IT governance, its importance will be presented.

1.1.1 The importance of IT governance

Governing and managing information technology is a crucial activity in organizations to generate business value. According to Ross & Weill (2004), firms that were successful in their IT governance had more than 20% higher Return On Assets (ROA) than comparable organizations with similar strategies but with inadequate IT governance.

Information technologies embrace a high potential business value (Brynjolfsson 2011); however, generating value from IT is still a challenge for many organizations (Berghout et al. 2011). Poor benefits from IT were a major problem in the past. Some scholars even imply that IT was not able to increase productivity. For example, Solow (1987) stated “you can see the computer age everywhere but in the productivity statistics.” Furthermore, at the beginning of this millennium, many investment banks and accountants inflated market values to create illusionary realities in stock markets. Enron, WorldCom and Arthur Andersen represent some of the IT falls during the internet bubble (Bloem et al. 2005). Regrettably, poor IT benefits still represent a major concern for organizations. Krigsman (in ZDnet 2012) asked some experts to undertake the challenge of quantifying the costs of worldwide IT failure. It has been calculated that the global cost of IT failure is around $3 trillion per year. Another study shows that only 35% of all IT projects succeeded while the rest (65%) were either challenged or failed (Cook 2007). Beyond the figures presented above, it is clear that many organizations are still not obtaining enough value from IT.

From a business perspective, IT governance frameworks should be applied to exploit the potential of information technologies. Information technologies need to be properly evaluated because they represent a strategic resource and they can play a very important role in generating business opportunities (De Haes & Van Grembergen 2008). Moreover, proper evaluation is important because many organizations spend an important part of their financial resources on IT investments (Berghout & Powell 2009), and many companies are highly dependent on IT (Haes & Grembergen 2008). Unfortunately, IT value creation will not happen automatically when a new technology is introduced, since different organizational arrangements are needed to be successful. Good IT governance will be required to establish proper IT decision making, to link IT to the business strategy and to facilitate IT value creation strategies (Ross & Weill 2004). Additionally, IT needs to be actively managed after its implementation in order to generate maximum value (Swinkels 1997). The post-implementation stage has major importance because benefits are only obtainable when IT is in use (Berghout et al. 2002). Since IT is a complex sociotechnical phenomenon (Boland & Hirschheim 1987; Orlikowski 1992; Walsham 1993; Hu et al. 2007), it is necessary to evaluate IT with techniques that include informal assessments and that do not underestimate IT complexity (Berghout et al. 2009). As a result, the application of rational methods to IT, for example traditional cost/benefit analysis, delivers an incomplete analysis (Berghout et al. 2009). This master thesis claims that IT governance frameworks should include a set of organizational arrangements that allow a more complete and realistic assessment of the sociotechnical process of IT.

1.1.2 IT governance defined

In this section, a short literature survey will be conducted. The results will be presented in a final comparative table. Before starting to define IT governance, it is necessary to make some remarks:

• IT governance is not just a trendy word. As explained before: IT governance matters.

• IT governance is not (only) a regulatory compliance.

• IT governance is not IT management.

• IT governance is not only for IT people.

• IT governance does not have one universally accepted meaning or definition.

Different scholars investigated the concept of IT governance and they created a rich literature in this field; however, a common definition is missing. The goal of this section is to review the most important definitions and to present a short overview to the reader (see table 2). To create this overview, literature with the keyword “IT governance” was searched in the database EBSCO (available at the University of Groningen), which was used to extract IT governance definitions from peer-reviewed journals during the years 2006-2011. By considering that period, possible new definitions of IT governance that have been published after the popular book of Ross & Weill (2004) might be included in this survey. In total, 40 publications were found and 16 relevant academic articles were identified and surveyed from the available articles. These 16 publications were selected because they deal explicitly with IT governance topics (see Appendix 1a to reproduce these findings). For comparative purposes, the ISACA website and Google Scholar were consulted in the search for different concepts or definitions (see Appendix 2 to read all the definitions in detail).

Table 1: Definitions of IT governance

| Author and sources | IT governance definition |
|---|---|
| Ross & Weill (2004). It appears in: Google Scholar, EBSCO | “specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT” |
| Van Grembergen (2004). It appears in: Google Scholar, EBSCO | “IT governance is the organisational capacity exercised by the board, executive management and IT Management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT” |
| Webb (2006). It appears in: Google Scholar, EBSCO | “IT governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.” |
| Board Briefing on IT governance 2nd Edition. It appears in: ISACA | “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organization’s IT sustains and extends the organisation’s strategies and objectives.” |
| ISO 38500 (2008). It appears in: EBSCO | “The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation.” |
| Luftman (2003). It appears in: Google Scholar | |

Table 2: Frequencies across the 16 papers from EBSCO

| Definition | Frequency | Definition found in |
|---|---|---|
| Board Briefing 2nd Edition (2003) | 7 | Edephonce & Nfuka (2011); Bart & Turel (2010); Simon, Poston, Kettinger (2009); Merhout & Havelka (2008); Syaiful Ali (2006); Posthumus, Solms, King (2010) |
| Grembergen et al. (2004) | 6 | Simonsson, Johnson, Ekstedt (2010); Butler & Butler (2010); Posthumus, Solms, King (2010); De Haes & Grembergen (2010); De Haes & Van Grembergen (2008); Merhout & Havelka (2008) |
| ISO 38500 (2008) | 1 | Turel & Bart (2010) |
| Ross & Weill (2004) | 2 | Xue, Liang, Boulton (2006); Heart, Maoz, Pliskin (2010) |
| Webb et al. (2006) | 1 | Heart, Maoz, Pliskin (2010) |
| Definition is not specified. | 2 | Wilkin & Chenhall (2010); Tanriverdi (2006) |

In table 3, definitions are explored and compared in an agnostic way. Three comparative categories are added: the “what”, “who” and “how” of IT governance. The “what” refers to the question: what is the goal of IT governance? The “who” deals with roles and responsibilities and it is connected with the question of who is responsible or accountable for IT governance. The “how” deals with the elements which make IT governance possible. The “how” category is associated with the question: what are the elements that ensure IT governance? (Elements of the “who” category are excluded from the “how” category.)

Table 3: General aspects of the definitions

| Author and source | What | Who | How | Special elements of the definition |
|---|---|---|---|---|
| Ross & Weill (2004) | X | X** | X | “Desirable behaviour” |
| Van Grembergen (2004) | X | X | X** | IT governance as “an organizational capacity”; IT management is also responsible for IT governance; control the formulation and implementation of IT strategy |
| Webb (2006) | X | - | X | Performance management, risk management, control |
| Board Briefing on IT governance 2nd Edition | X | X | X | Leadership |
| ISO 38500 (2008) | X** | - | - | IT governance as a system |

** Not explicit in the definition, but information is implied in the author’s paper or book.

All six definitions have as their goal the alignment of IT with the business. However, some relevant differences exist between them. With respect to roles and responsibilities, Luftman (2003), Board Briefing 2nd Edition (2003) and Ross & Weill (2004) do not mention in their definition, at least explicitly, the multiple stakeholder nature of IT governance. For instance, the Board Briefing 2nd Edition (2003) delegates the official responsibility to board members and executive management. In the case of Luftman (2003), some stakeholders are explicitly included, such as business partners, IT Management, and service providers; however, other relevant players such as executive managers are not mentioned. Beyond the explicit content, it should be stated that all definitions implicitly include different roles or stakeholders in their related literature. Additional elements come to light among the definitions. The Board Briefing 2nd Edition (2003) advocates for “leadership” and “processes” to ensure IT governance. Luftman (2003), ISO 38500 (2002) and Van Grembergen (2004) include the word “control” or “monitor”.

In order to formalize this comparison, definitions will be evaluated with formal and specific academic concepts such as “business/IT alignment”, “structures”, “processes”, “relations”, and “control”. Business/IT alignment means that IT is in harmony with the business. Business/IT alignment is not an easy task and organizations need formal methods or frameworks to be successful. Many models and tools for Business/IT alignment exist, for example, the enhanced SAM model by Maes (1999), which is an extension of the popular SAM by Henderson & Venkatraman (1993). A brief description of these models is available in appendix 7.

Table 4: Elements of IT governance

| Important elements of IT governance | Ross & Weill (2004) | Van Grembergen (2004) | Webb (2006) | Board Briefing 2nd Edition (2003) | ISO 38500 (2008) | Luftman (2003) |
|---|---|---|---|---|---|---|
| Business/IT alignment | yes | yes | yes | yes | yes | yes |
| Structures | yes | yes | partially | yes | - | partially |
| Processes & relations | - | yes | - | yes | partially | yes |
| Control | - | yes | yes | yes | yes | - |

* “yes” means covered and “partially” refers to partially covered.

Elements from Table 4 and other foundations from the IT evaluation field will be combined to create an integrative IT governance definition:

An IT governance system embraces the introduction and oversight of structures, processes and relations in order to create business value.

This definition is supported by the following comments:

• “An IT governance system” refers to the systems theory idea that any system can be defined as “a collection of elements connected in such a way that no elements are isolated from other elements” (De Leeuw 1990).

• “Structures”, “processes” and “relations” refer to the concepts already defined in this section.

• “Oversight” refers to the control mechanism of the system.

• “Business value” is determined by all financial and non-financial consequences, thus not only benefits (Renkema & Berghout 1997). See the composition of the term “value” in table 5 below.

Table 5: Financial and non-financial consequences (Renkema & Berghout 1997)

| Consequences | Positive | Negative | Summation |
|---|---|---|---|
| Financial | Returns | Costs | Profitability |
| | Cash inflow | Cash outflow | Cash result |
| Non-financial | Positive contribution | Negative contribution | Non-financial contribution |
| Financial and non-financial combined | | | |

1.2 IT governance, corporate governance and IT management

IT governance is linked with “corporate governance” and “IT management”. In the following text, this link will be elaborated by taking a system theoretical perspective (De Leeuw 1990). According to the OECD principles (2004), corporate governance provides the structure for determining the organizational objectives and for monitoring its performance in order to guarantee that business objectives are achieved. In corporate governance, the board of directors elected by shareholders controls C-level managers in order to assure the interest of shareholders (OECD 2004). The rationale of corporate governance is applied to the governance of key assets, such as human assets or financial assets (Ross & Weill 2004). For example, a CFO controls managers responsible for the enterprise’s portfolio of investments in order to assure that their activities are aligned with the financial objectives of the organization. The same rationale can be applied to IT governance (Ibid.). In the context of IT governance, top management (for example a CIO) controls that IT managers’ activities are in harmony with organizational objectives. For example, top management will control whether middle management (for example IT management) prioritizes IT projects which are in accordance with the organizational objectives. Figure 1 applies the corporate governance principles in the area of IT governance.

Figure 1: A system theoretical view on controls

Governance has many layers, from strategic to operational areas, and it involves different stakeholders. The ISO 38500 (2008) focuses especially on corporate governance and, consequently, the main stakeholder is the board of directors. In the case of Ross & Weill (2004), governance is situated especially at CxO level, so the main stakeholder is the senior management personnel. This difference in focus does not mean that corporate governance and IT governance are not interrelated. Ross & Weill (2004) show the link between corporate governance and IT governance in figure 2.

context of IT governance. However, it is essential to mention that this formal system representation is vulnerable to structural contingencies and other contextual factors. In regard to structural contingencies, it has to be mentioned that organizations might have different IT governance archetypes, such as monarchy, federalism, IT duopoly, feudal or even anarchy (Ross & Weill 2004). In regard to other contextual factors, it is imperative to mention that a diversity of corporate governance systems exists because of historical and institutional differences (Clarke 2007). Those differences and contingencies might have an impact on how IT governance is established in the organization. A further development of those topics is beyond the scope of this master thesis.

Figure 3: corporate governance, IT governance and stakeholders. [Diagram labels: Board of Directors; C-Level Managers; IT Management & Line Managers; Corporate Governance.]

In this chapter, the importance of IT governance has been demonstrated. Academic literature has been studied and different aspects of IT governance have been combined. Finally, IT governance is defined as a system which embraces the introduction and oversight of structures, processes and relations in order to create business value. Furthermore, IT governance is not an isolated system because it interacts with corporate governance and IT management.

2. IT GOVERNANCE IN PRACTICE

In this chapter, different frameworks will be explained. First some recognized IT governance frameworks will be introduced. Many of them are now part of CobiT 5. Afterwards, ISACA frameworks CobiT 4.1 and CobiT 5 will be presented. Special attention is given to CobiT 5 in order to discover all its governance/management practices for IT costs and benefits. Finally, the full lifecycle framework will be explained.

2.1 IT governance frameworks

In response to regulative compliance and to the need for increasing IT performance, different IT governance frameworks have been developed. In the text below, a short description of some recognized frameworks is provided.

Ross & Weill (2004) present a framework based on some questions that can be used to allocate responsibilities for high level IT decision making. This framework is quite simple but not comprehensive enough to fully use all the potential of IT governance. It is probably one of the most famous frameworks, and its guidelines and definitions are well known in the IT governance discipline.

Another framework is Val IT, which was created by ISACA. Val IT focuses on the business value creation of IT investment and it offers a set of valuable guidelines, processes and best practices that complement CobiT guidelines. According to ISACA, Val IT is designed to help executives at all management levels directly involved with the selection, procurement, development, implementation, deployment and benefits realisation. Regarding its content, Val IT comprises 22 processes which are part of three domains: Value Governance (VG), Portfolio Management (PM) and Investment Management (IM) (Val IT 2008). This framework is integrated in CobiT 5.

The framework Risk IT is about business risk. Different aspects of information technologies, such as their use and adoption, can represent a risk of different magnitudes comparable to a certain market risk, credit risk or even compliance risk. In this context, Risk IT offers different processes for reducing diverse risks: IT benefit/value enablement risk (3 processes), IT programme and project delivery risk (3 processes related to investment Portfolio Management) and IT operations and service delivery risk (3 processes) (Risk IT 2009). This framework is integrated in CobiT 5.

(OGC). Technical management is accountable for the maintenance and exploitation of the information technology infrastructure (Looijen 2000). This framework provides a focus on the continual measurement and improvement of the quality of IT service from a business and customer perspective. This approach considers IT quality as the level of alignment between IT services and the business needs. To achieve alignment, ITIL v3 contains 29 processes and five domains, which are: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement (ITIL 2007). ITIL is integrated in CobiT 5; however, the demand/supply model for IT as proposed by Looijen (2000) is not part of the ISACA frameworks catalogues.

ASL (Application Service Library) is a framework for application management that bases its best practices on the experience of professionals (Van de Pols 2009). Application management is about the maintaining and exploiting all application software and their associated databases (Looijen 2000). According to ASL 2, an application is part of a business process and therefore applications are direct related with the quality of IT support. ASL focusses, at the operational level on service organization, development and maintenance and connecting processes, at the tactical level on management processes, and the strategic level on application cycle management and organisation cycle management (Van de Pols 2009). A similar framework is the ISO/IEC 2000 which offers a broad guidance for IT service management (ISO/IEC 2000 in Wikipedia). According to ASL foundation (2011), this framework seems not to focus much on the strategic value of applications. BiSL (Business Information Service Libray) is about functional management (Looijen 2000) and information management4 (ASL BiSL Foundation 2012). This framework connects the functional and information management with the business processes. Functional management deals with the maintenance and exploitation of the information technology functionally and therefore is very important for the user organization (Looijen 2000). BiSL has seven clusters of processes5: Usage Management, Functionality Management, Connecting Processes, Management Processes, Determine the Information Strategy, Determine the information provision organization strategy and Connecting processes at the guiding level (ASL BiSL Foundation 2012).

The ISO/IEC 38500 Corporate governance of information technology standard offers a framework for governance of IT for high-level management in order to satisfy their legal compliance and to achieve good governance. The model for governance of IT provided in ISO/IEC 38500 defines three fundamental governance tasks – Evaluate, Direct and Monitor – that guide organizational behaviour and support the governing decision makers in checking that management is doing the job of managing IT correctly (Toomey 2009). This framework is integrated in CobiT 5.

The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which offers an approach for designing, planning, implementation, and governance of information architecture. TOGAF is a registered trademark of The Open Group in the United States and other countries. TOGAF recognizes four levels: Business, Application, Data, and Technology (opengroup 2012). This framework is integrated in CobiT 5.

Projects in Controlled Environments 2 (PRINCE2 2011) is a project management method from the UK government. The methodology encompasses the management, control and organisation of a project with regard to traditional topics such as time management, cost and quality. PMBOK, an American framework, complements PRINCE2 with a knowledge-based approach (PMI 2012). Both frameworks are integrated in CobiT 5.

CobiT 4.1 is a well-known framework for IT governance. CobiT stands for Control Objectives for Information and related Technology. It is an IT governance framework based on best practice from around the world. CobiT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. Concretely, CobiT 4.1 gives directives on how to structure and lead the IT activities in order to achieve good IT governance. CobiT 4.1 offers a large number of performance indicators, responsibility assignment guidelines, actions and goals that can be monitored in order to reach good IT governance. Moreover, CobiT 4.1 features a maturity model for IT governance. In total, CobiT 4.1 contains 34 processes and four domains. These domains include Planning and Organisation, Acquisition and Implementation, Delivery and Support and Monitoring (CobiT 4.1, 2007). Many aspects of CobiT 4.1 are integrated in CobiT 5.


(ITAF) into one framework (CobiT 5 2012). The inclusion of Val IT represents an important improvement for the management of costs and benefits.

Table 6: governance frameworks

| Framework/Approach | Focus | Audience |
|---|---|---|
| Ross & Weill | Decision making issues | Board Members, Executives, e.g., CIO, CEO, CFO |
| CobiT 4.1.1 (part of CobiT 5) | IT control objectives, infrastructure, architecture, project management | Board of directors, Management, users, and auditors |
| BISL | Quality of functional management and information management | Functional manager, Service Management, CIO and related stakeholders, Audit |
| ASL | IT support for business processes | Application manager, Service Management, CIO and related stakeholders, Audit |
| ITIL (part of CobiT 5) | Improvement of the quality of IT service from a business and customer perspective | Technical manager, Service Management, CIO and related stakeholders, Audit |
| CobiT 5 | Business value creation of IT (Val IT), IT control objectives, infrastructure, architecture, project management, etc. | Board of directors, Management, users, and auditors |
| Val IT (part of CobiT 5) | Business value creation of IT investment/ Initial stages | Board of directors, Management and auditors |
| ISO 38500 (part of CobiT 5) | Effective governance of IT through proper organizational behaviour | Board of directors, Management and auditors |
| TOGAF (part of CobiT 5) | IT infrastructure | Main stakeholders are IT architects |
| PRINCE2/PMBOK (part of CobiT 5) | Time management, cost, quality, project knowledge | Project managers |
| RISK IT (part of CobiT 5) | Reducing business risks related to IT | Board of directors, |

A complete portfolio of frameworks and definitions on IT governance is too large to be presented in this master thesis. This can be easily shown by searching in Google, where more than 160 million hits for the keyword “IT governance” were found. Parallel to that, in EBSCO more than 3300 hits for the keyword “Governance” and more than 5070 hits for the keyword “IT frameworks” appeared in the results. In the next section, ISACA frameworks will be presented in more detail.

2.2 ISACA frameworks

In this chapter, CobiT 4.1 (section 2.2.1-2) and CobiT 5 (Section 2.2.3-4) with their respective practices for management of costs and benefits will be introduced. Describing and comparing these two frameworks will help the reader to understand the real nature of the new framework CobiT 5 (Section 2.2.4).

2.2.1 CobiT 4.1

CobiT 4.1 is a very popular framework whose mission is: “To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by organizations and day-to-day use by business managers, IT professionals and assurance professionals” (CobiT 4.1 2007). CobiT 4.1 does not intend to offer a recipe to solve a particular problem; instead, it intends to offer an internationally accepted framework for IT governance control (Ibid.).

CobiT 4.1 framework:


Figure 4: CobiT 4.1 Framework (CobiT 4.1 2007)

Next, the focus areas for IT governance will be presented. ISACA promises to guarantee that IT is aligned with the business, that IT delivers business benefits, that IT resources are used correctly and in a disciplined way, and that IT risks are managed properly (Ibid.).

• “Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT proposition; and aligning IT operations with organization operations” (CobiT 4.1 2007).

• “Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT” (Ibid.).

• “Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues related to the optimization of knowledge and infrastructure” (Ibid.).

• “Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting” (Ibid.).

CobiT 4.1 is able to address different IT governance focus areas with individual CobiT processes (in total 34 generic processes). By putting all the focuses together, it is possible to obtain a holistic view of the IT governance processes and to embody a visual framework for maximizing benefits from information technology. For instance, each process addresses a certain focus of the IT governance which, in turn, is divided in primary and secondary perspectives. The five focus areas are graphically represented in the CobiT 4.1’s diamond.

Figure 5: CobiT Diamond in the process AI5 Procure IT Resources

CobiT 4.1 defines IT activities in 34 processes within four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME). The typical questions corresponding to the four domains, extracted from the CobiT 4.1 Executive Summary, are shown below (CobiT 4.1 2007). The four domains are:

Plan and Organise

• Are IT and the business strategy aligned?

• Is the organization achieving optimum use of its resources?

• Does everyone in the organisation understand the IT objectives?

• Are IT risks understood and being managed?

Acquire and Implement

• Are new projects likely to deliver solutions that meet business needs?

• Are new projects likely to be delivered on time and within budget?

• Will the new systems work properly when implemented?

• Will changes be made without upsetting current business operations?

Deliver and Support

• Are IT services being delivered in line with business priorities?

• Are IT costs optimised?

• Is the workforce able to use the IT systems productively and safely?

• Are adequate confidentiality, integrity and availability in place for information security?

Monitor and Evaluate

• Is IT’s performance measured to detect problems before it is too late?

• Does management ensure that internal controls are effective and efficient?

• Can IT performance be linked back to business goals?

• Are adequate confidentiality, integrity and availability controls in place for information security?

For illustrative purposes, all the processes with the corresponding IT governance focus areas are presented in appendix 3a (Ibid.).

Maturity model:

For CobiT 4.1, ISACA developed a maturity model based on the Capability Maturity Model (CMM) Scale from the Software Engineering Institute. While many concepts of the CMM model were used, the CobiT implementation differs from the original CMM, which is oriented toward software product engineering principles. According to ISACA, the Capability Maturity Model in CobiT 4.1 focuses on strategic issues and high level IT Management processes (FAQ ISACA).

2.2.2. Val IT in CobiT 4.1


financial and non-financial value for IT-enabled investments. In the following figure, the so called ‘Four Ares’ from Val IT are shown.

Figure 6: The ‘Four Ares’ adapted from Val IT ISACA (2008)

2.2.3 CobiT 5

CobiT 5 expands the topics related to governance over IT to obtain more value from IT. An important step in CobiT 5 is the integration of Val IT guidelines for benefits realization.


Figure 7: CobiT 5 Governance and Management Processes (CobiT 5 2012)

One of CobiT 5’s new features is the addition of new management practices for information systems: “For each CobiT process, the management practices provide a complete set of high level requirements for effective and practical management (governance) of organization IT”. Moreover, CobiT 5 states that more detailed guidance for practices and activities will be developed in the future (CobiT 5 2012). This signals that more profound guidance for the management of costs and benefits could be introduced in the future.

Goals in CobiT 5:

CobiT 5 recognizes different goals that are represented in a more detailed and dynamic way compared to its predecessor. Firstly, common business goals (the so-called Enterprise Goals) can be related to governance objectives with primary (strong) and secondary (less strong) relationships. Secondly, IT-related goals, which deal with IT-related outcomes for the realization of organization goals, can be combined with a certain number of CobiT 5 enablers to achieve the desired outcome (CobiT 5 2012).


It is important to underline that the framework has been considerably reorganized from being an IT process model into a framework with more governance practices for IT, management and a process model. Many components such as the balanced scorecard, maturity models, goals and metrics, and roles and responsibilities (RACI) charts are present in CobiT 5. However, many changes have been made and some elements have even been removed, such as the CobiT 4.1 Diamond (governance focus areas) and some processes and control objectives. For example, CobiT 4.1’s control objective PO 4.8 “Responsibility for Risk, Security and Compliance” has been deleted. However, risk, security and compliance control aspects are found in other elements of the new framework.

CobiT 5 distinguishes five principles. The first principle is “Integrator framework”, which means that CobiT 5 integrates existing ISACA guidelines on governance and management of organization IT. Moreover, it incorporates other standards and frameworks such as Val IT in one architecture for structuring guidance (CobiT 5 2012). According to CobiT 5, the new architecture is a “simple” one. However, the author of this thesis disagrees with that and considers CobiT 5 an integrative framework of high complexity, with topics and focus areas that in practice interact with each other. Obtaining an overview of the whole state of governance in CobiT requires the application of a large number of processes and metrics, which in some cases overlap with each other.

Figure 8: CobiT 5 Principles (CobiT 5 2012)


environment, and (use of) technology evolutions”. RACI charts show the expected involvement of stakeholders in each process (Ibid.).

Figure 9: RACI Charts (CobiT 5 2012)

The third principle is “Business and Context Focussed” and is closely associated with the principle “Stakeholder Value Driven”. To start with, stakeholder needs can be connected to different governance objectives. Afterwards, those governance objectives can be translated into organization goals and into IT-related goals. Finally, processes, organizational structures and information can be defined in support of the IT-related goals. For example, an important goal could be to “align IT with the business strategy” in order to cultivate a more business-focused IT unit. In an organization in which customer satisfaction is an important part of the business strategy, the goal could be to create a more customer-oriented IT function (Ibid.).

The fourth principle is “Enabler Based” and refers to the assistance of enablers that is necessary to implement robust governance and management systems. The word “enablers” refers to governance and management processes, principles and policies, organizational structures, skills and competences, culture and behaviour, as well as services capabilities and information (Ibid.).


Similar to its predecessor, CobiT 5 is not a dogmatic book of instructions; it represents a reference for the convenience of organizations and auditors. The process reference model in CobiT 5 is divided into governance and management domains. The governance domain deals with governance processes (evaluate, direct, monitor) and the management domain deals with the areas of plan, build, run and monitor (four domains similar to CobiT 4.1.1) (CobiT 5 2012). CobiT 5 separates the processes into governance and management; however, it is important to remark that both areas are highly interconnected.

CobiT 5 expands the number of governance-related processes. In CobiT 4.1.1, there is only one process covering IT governance topics, ME4 Provide IT governance, which states: “ME4 covers the process of governance oversight over IT, in keeping with COBIT’s purpose as an IT governance framework.” (CobiT 4.1 2007).


Figure 10: Governance and Management Processes (CobiT 5 2012)

Maturity model in CobiT 5:

The CobiT 5 maturity model is based on ISO/IEC 15504. This new model presents some differences (CobiT 5 2012). However, an important similarity between the CobiT 4.1 and CobiT 5 maturity models is that both are inspired by models which were first created for the assessment of software development maturity levels. In the following figure, an overview of both maturity models is presented.


Figure 11: Maturity Models in CobiT 4.1 and CobiT 5 (CobiT 5 2012)

2.2.4 Val IT in CobiT 5

Different approaches have been proposed for the management of IT benefits (e.g. Active Benefits Realization by Remenyi & Sherwood-Smith (1997), The Benefits Management Approach by Ward and Daniel (2006) and Val IT (2008)). ISACA underlines the importance of benefits management and management best practices by integrating Val IT into CobiT 5. The integration of Val IT in CobiT 5 represents a step toward recognizing the importance of costs/benefits management.


Portfolio Management aims to ensure the alignment of IT-enabled investments in the portfolio and the strategic objectives of the organization. For instance, topics on PM are associated with the CobiT 5 process AP005 Manage Portfolio (CobiT 5 2012).

Investment Management aims to ensure that IT-enabled investments contribute to optimal value. For instance, topics on IM are associated with processes in CobiT 5 such as AP005 Manage Portfolio and BAI 1 Manage Programmes and Projects (CobiT 5 2012).

These three domains are represented differently in CobiT 5 and they involve different stakeholders, metrics, goals and processes (see appendix 3). Across all the processes in CobiT 5, the model based on ISO/IEC 15504 can be applied to assess maturity (CobiT, 2012). Curiously, CobiT 5 does not include the results chains method used by Thorp (1998) and in VAL IT (2008), which is useful to create transparency in the investment programmes. Figures 12 and 13 give an overview of the integration of Val IT into CobiT 5.

Figure 12: CobiT 4.1.1, Val IT and Risk IT covered in CobiT 5 (CobiT 5 2012)

Figure 13: Val IT Practices covered in CobiT 5 (See more in Appendix 3)


2.2.5 Comparison of CobiT 4.1 and CobiT 5

This review of CobiT 4.1 and CobiT 5 does not include all possible elements of these two complex frameworks. Still, this review is exhaustive enough to obtain a good impression of CobiT.

To sum up, the following improvements have been made to the CobiT 5 framework: first, the framework and processes have been reformulated in order to convert CobiT into a more comprehensive framework. Moreover, stakeholder needs at different levels are better incorporated. Besides, management best practices are added and will be further developed (CobiT 5 2012). Also, different standards have been incorporated into CobiT 5, making it an integrative governance framework.

It can now be concluded that CobiT 5 could be seen as an IT management and IT governance framework and not only as an IT governance framework. The reason is that CobiT 5 covers topics on IT management as well as on IT governance. Moreover, CobiT 5 has been expanded with VAL IT and Risk IT. VAL IT represents the first major step in improving the state of costs/benefits management in ISACA because it recognizes a full lifecycle approach. In the context of IT governance, CobiT 5 introduces new guidelines and processes for a full lifecycle evaluation. These guidelines are, for example, “Maintain the Governance Framework”, “Ensure Value Optimisation”, “Ensure Risk Optimisation” and “Ensure Stakeholder Transparency” (EDM1-4 in CobiT 5 2012; ISO 38500). The focus of EDM1-4 is, above all, oriented toward corporate governance at the board of directors level.

2.3 The full lifecycle framework

The objective of this section is to introduce the full lifecycle approach proposed by Berghout et al. (2002). This framework deals in an effective manner with project dynamics and management learning issues throughout the full lifecycle, representing a chance for organizations willing to improve their state of IT costs and benefits management. This framework is one of the available methods that include informal assessments and that do not underestimate IT complexity. Next, the full lifecycle framework will be presented for introductory purposes.

IT projects are complex, since managing the costs and benefits of IT projects involves risks and uncertainty. Risks and uncertainty decrease during the project. However, at the same time, possibilities to change the information systems also decrease. This phenomenon is called the “IT management paradox” (Berghout et al. 2002). For example, when IT is already in use, risks are lower, yet the possibilities to adapt operational systems to new requirements are also lower (Ibid.). Moreover, from a cost/benefit view, the activity of exploiting IT represents 60%-80% of the overall lifecycle costs while the possibility to limit these costs or increase benefits is very small (Ibid.). Consequently, not only the development costs but the complete lifetime of IT costs should be evaluated in order to avoid building information systems that will not deliver enough benefits during their exploitation (Ibid.).

Figure 14: Incomplete benefit analysis (Berghout & Nijland 2002)

A lifecycle approach could help organizations with the assessment of “project dynamics” and the introduction of “management learning” in order to improve the state of cost/benefit management in organizations. “Project dynamics” means that an organization might evaluate a project at any of several stages during its development and implementation: evaluation becomes a continuous and dynamic process. Thus, a project should not only be evaluated at the initial stage but also throughout the stages of its lifetime (Farbey et al. 1999). “Management learning” means that an organization learns lessons from prior projects. As a result, relevant experiences can be reused for developing realistic and more accurate expectations for the approval of new IT investments (Ibid.).


The traditional full lifecycle comprises three major lifecycle activities: planning stage, development stage and exploitation stage. In the planning stage the relevance of IT is examined in comparison to other possible business investments, new IT investments are identified and their individual importance among all potential IT investments is established. In the development stage, the prioritized investment proposals are designed, built, tested and implemented. Finally, in the exploitation stage, the information systems are operated, controlled and maintained (Berghout & Nijland 2002).

Berghout & Nijland (2002) expand the traditional full lifecycle by including new stages within the lifecycle activities (see figure 19 below). The planning stage includes the prioritization of IT against non-IT and the prioritization between IT investments. The development stage focuses on designing, building, testing and implementing information systems investments. The exploitation stage involves operating, maintaining and discarding operational information systems. The abandon phase indicates that IT does not live forever. The different lifecycle stages have diverse costs and benefits, and their calculation at each stage requires a profound understanding of the performance of the other lifecycle phases.

Figure 15: Three major lifecycle activities (Berghout & Nijland 2002)


information about the state of cost/benefit management of present IT projects and because it allows organizations to create valuable knowledge for future IT projects (appendix 4 shows all Quick Scan activities from Berghout et al. (2002)).

Figure 16: The Full Lifecycle Management in practice (Berghout et al. 2002)


3. ANALYSIS

This chapter starts by investigating the relation of the full lifecycle framework with CobiT 5 by means of a mapping analysis (3.1). Their similarities and differences will be presented after conducting a formal comparison across relevant elements of both frameworks. Such a comparison helps to create an understanding of the extent to which the different economic lifecycles and their evaluations are related to CobiT 5. Additionally, it might help to understand whether it would be wise to apply an IT governance quick scan. An application of an IT governance quick scan could help many organizations to obtain relevant insights in assessing IT cost/benefits (3.2).

3.1 Mapping the full lifecycle framework and CobiT 5

In chapter 3, it has been argued that the full lifecycle framework distinguishes different stages of the IT lifecycle costs and benefits and that the full lifecycle framework could help CobiT 5 in achieving goals such as “realise benefits from IT enabled investments and services portfolio” (CobiT 5 2012). The relation between both frameworks will be formalized through a comparison which might identify relevant guidelines for the application of an IT governance quick scan. The mapping is divided into two parts. The first comparison (3.1.1) consists of mapping general aspects at a conceptual level, which represents a good starting point for further analysis. The second comparison (3.1.2) studies in more detail the actual similarities between the full lifecycle framework and CobiT 5. Finally, a conclusion of this mapping will be presented (3.1.3).

3.1.1 Comparing the full lifecycle stages with CobiT 5 at a conceptual level


that, the nomenclature of the domain Build, Acquire and Implement (BAI) reveals similar developing activities and implementing technologies comparable to the realisation stage in the full lifecycle framework. Moreover, a quite obvious relationship exists between the domain Deliver, Service and Support (DSS), dealing with post-implementation activities, and the exploitation stage of the full lifecycle framework. Finally, the key management practices from the domain Monitor, Evaluate and Assess (MEA) control compliance and the performance of information technologies, similarly to the evaluation stage in the full lifecycle framework.

Val IT:

As explained in the literature review, CobiT 5 incorporates processes from Val IT to manage the costs/benefits of Information systems. These benefits, according to Val IT, should be realized “by actively managing investments across their full economic life cycle—from proposal to profit or improved service performance” (Val IT 2008). In the same vein, the full lifecycle framework is a governance tool which aims to assure more value from IT investments and which recognizes the importance of managing the cost/benefits across the full lifecycle.

Val IT can be mapped onto the full lifecycle framework. The Portfolio Management Domain in Val IT deals, for example, with IT project selection and its justification, which are also represented in the full lifecycle framework by the stages identification, justification and evaluation. Furthermore, the Investment Management Domain in VAL IT is related to the stages realisation, exploitation and evaluation from the full lifecycle framework.


Table 8: Interrelation between CobiT 5 Processes, Val IT and the full lifecycle framework

| Full lifecycle framework (Stages) | VAL IT (Domains) | CobiT 5 (Example of processes) |
|---|---|---|
| Identification | PM | AP005 |
| Justification | PM | AP005 |
| Realisation | IM | AP005, BAI 1 |
| Exploitation | IM | AP005, BAI 1 |
| Evaluation | PM, IM | AP005, BAI 1 |

CobiT 5 domains and the ISO 38500

CobiT 5 processes can be mapped onto the full lifecycle framework by taking a practical approach: firstly, CobiT 5 processes will be explored and; secondly, CobiT domains will be contextualised with the full lifecycle framework. For a complete overview, table 9 and figure 17 show the mapping between CobiT 5 and the full lifecycle framework.

Firstly, the five stages from the full lifecycle framework will be linked with general process descriptions provided by CobiT 5. For instance, the identification stage recommends that organisations pay attention to external IT opportunities “with respect to competition, customers, changes in society.” (Berghout & Nijland 2002). Similar guidelines and topics can be found in the CobiT 5 process description APO4 (CobiT 5 2012), which advises to: “Maintain an awareness of information technology and related service trends… identify innovation opportunities” and “Analyse what opportunities for business innovation ...can be created by emerging technologies….”. This example shows that the frameworks can be compared and it illustrates the rationale used for this first step of the mapping with CobiT 5.


investments and services portfolio” and both processes aim to create value: EDM02 by means of the sub process “Evaluate value optimization” and BAI01 by means of the activity “Measure project performance against key project performance criteria” (see processes in ITGI – CobiT 5 Ref 2011). All in all, they are different processes but they might be dealing with very similar topics. This last example also illustrates the rationale used for the mapping in table 10.


Table 9: CobiT 5 processes and the full lifecycle framework- Step 1

Process*9 Identification Justification Realisation Exploitation Evaluation

AP01-4 X AP05 X X X AP06 X X x X AP07 X X AP08 X AP09 X X X X AP10 X X X X AP11 X AP12 X BAI1 X X X X BAI2 X BAI3 X X X BAI4 X X X BAI5 X X BAI6 X X BAI7 X BAI8 X DSS1 X DSS2 X X X DSS3 X DSS4 X DSS5 X DSS6 X DSS7 X X DSS8 X MEA1 X MEA2 X MEA3 X EDM1 X X EDM2 X X X X X EDM3-5 X EDM4 X X X X X EDM5 X


This section has shown that CobiT 5 processes and domains can be mapped onto the full lifecycle framework. As mentioned before, this mapping provides only a general impression of their relation; however, it represents a useful starting point for a more practical investigation.

3.1.2 Comparing the full lifecycle stages with CobiT 5 at a practical level

In this second part of the comparison, the full lifecycle framework in CobiT 5 will be studied taking a more practical view, beyond the conceptual linking between processes and stages. From the literature review and the previous section, it can be concluded that both frameworks deal with IT cost/benefit management, that they take a multi-stakeholder perspective and that they take a full lifecycle approach (see figure 17). As explained before, the stages from the full lifecycle framework are similar to CobiT 5 at a conceptual level. In practice, various similarities and differences (or less similar elements) come to light.

The ISACA framework includes different guidelines; for example, for a top-down, bottom-up and inside-out analysis similar to the identification stage. On the other hand, CobiT 5 does not clearly advise the introduction of general norms which have to be met by all proposals. As a result, good proposals might not be considered by decision makers because they are not comparable with other initiatives. Comparable to the justification stage, CobiT 5 advises prioritizing IT investments. However, there is no clear guideline for including the exploitation costs in the investment appraisal process. In principle, many elements of the realisation stage are similar to CobiT 5: costs and benefits should be controlled and the time schedule of projects should be properly managed. Nonetheless, in CobiT 5 it is more difficult to connect the realisation stage with the justification stage and with the exploitation stage; namely, there are no explicit guidelines promoting exchange of information between the stages. This is because CobiT 5 focuses more on interconnecting processes and sub-processes than on interconnecting stages. For example, the reference guide of CobiT 5 contains more than 200 pages related to the description of the processes and their interconnections (see ITGI – CobiT 5 Ref. 2011). In other words, the interconnection between the different stages in the CobiT 5 lifecycle is implicit, based on the 37 processes and their corresponding sub-processes and activities.


guidelines about a “user” organization. Finally, although CobiT 5 recognizes the importance of the full economic lifecycle, the ISACA framework does not explicitly evaluate all aspects of each stage. For instance, guidelines for comparing exploitation costs with other stages are not explicitly mentioned and there are no written procedures for the five stages. Figure 18 shows the level of similarity of the lifecycle stages with CobiT 5. The more similar areas in CobiT 5 are the identification, justification and realisation stages, which are represented in the radar chart in black. On the other hand, the less similar areas are the evaluation and exploitation stages. In order to avoid redundancy, details on the construction of figure 18 can be found only in appendices 9 and 10. Next, the main results are presented.

Figure 18: Similar and less similar elements between the full lifecycle and CobiT 5
