COBIT and project management
How to align your project management practices with the leading IT governance framework
PMO and Change Manager at BC Ferries
As some companies and organizations continue to struggle to find the value of IT investments in their long-term strategic plans, aligning project management practices with the leading IT frameworks is long overdue. A lack of resources to address all of the possible options deters companies from pursuing the adoption of some of these models. One of the leading IT governance frameworks is COBIT (Control Objectives for Information and Related Technology). Finding common links between COBIT and project management best practices is not a simple exercise, given their different scopes and objectives. However, with some careful consideration and some specific areas of focus, the value of good project management practices can be quickly realized, and IT governance will incorporate project management as a key component of the framework. This paper describes the most common elements of integration between COBIT and A Guide to the Project Management Body of Knowledge (PMBOK® Guide) and concludes by showing how those elements support different aspects of the IT strategic planning process.
IT Governance Principles: Why are They Needed and How are They Achieved?
This paper assumes that the reader is familiar with project management, but not necessarily with the concept of IT governance or with existing frameworks such as COBIT; therefore, some basic elements are provided to establish a common understanding of these components.
Governance is defined as “the act or process of governing; specifically, authoritative direction or control” (Merriam-Webster Online). The IT Governance Institute states that “while many organizations recognize the potential benefits that technology can yield, the successful ones also understand and manage the risks associated with implementing new technologies.” Some of the challenges faced at the executive level, as described by the Institute, are:
- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
- Insisting that an IT control framework be adopted and implemented
- Measuring IT's performance
Other research organizations, such as Forrester and Gartner, point out that IT governance is a key component of any enterprise strategy. Forrester defines IT governance as “the act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently” (Forrester, 2007).
The Project Management Institute (PMI) has long recognized the importance of strategic project management. In its Portfolio Management Standard, PMI states that “A portfolio is a collection of projects or programs and other work that are grouped together to facilitate effective management of that work to meet strategic business objectives” (PMI, 2008, p. 4). Furthermore, PMI recognizes that “Organizations have governance frameworks in place to guide the execution of organizational activities. Organizational Governance establishes the limits of power, rules of conduct, and protocols that organizations use to manage progress towards the achievement of their strategic goals” (PMI, 2008, p. 7).
It is clear that any effort by an organization to align specific strategies with business objectives requires some level of governance. Without governance, and specifically IT governance, it will be hard to realize benefits and to properly align scarce resources to achieve measurable business goals.
IT governance may take many forms. Some organizations opt for “light governance,” where some basic rules are stated, formally or informally, and compliance is self-monitored. For example, there may be rules around how a project is approved or an operational activity is performed, but it is up to each member of the IT team to decide whether they are applicable and how the evidence will be gathered and provided as required. This is typically ranked in a Capability Maturity Model (CMM) as level 1, where processes are described as “ad hoc.”
More mature organizations will have resources, processes, and tools in place to ensure that strict rules are followed and that evidence is always gathered and can be retrieved if required. For example, a project approval process is in place, with specific templates and rules around the level of authority needed to approve certain projects. No one can deviate from the established process, and the process is audited and controlled, sometimes by external parties. This indicates CMM level 3 (or higher), where a process is defined, documented, and communicated across the organization.
As project management matures, best practices and standards help close the gap between a common understanding of what may be done to achieve maturity and proven ways to realize value. IT governance is no exception, and there are models that help any organization move from the early stages of IT governance adoption to goal-driven activities and actions that provide a clear framework to follow.
The most prevalent IT governance framework today is COBIT. COBIT stands for “Control Objectives for Information and related Technology.” COBIT was created in 1996 and evolved from an audit framework into a governance framework around 2000. The latest version, COBIT 5, was released in early 2012.
Many organizations started adopting COBIT as an IT governance framework on version 4, but the new version 5 brings additional components that strengthen the value of governance and explicitly differentiate between governance and management. This differentiation adds value to both an IT governance model and project management practices, as described in detail later in the paper. Thus, this paper focuses on the alignment between COBIT 5 and project management practices.
COBIT “helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework addresses both business and IT functional areas across an enterprise and considers the IT-related interests of internal and external stakeholders” (ISACA website). Upon analysis, many components of the IT governance framework are closely linked to portfolio, program, and project management as described by PMI.
COBIT 5 is based on five key principles for governance and management of enterprise IT (ISACA, 2012):
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance From Management
Model Enablers (formerly known as Governance Areas)
The COBIT 5 framework describes seven categories of enablers (ISACA, 2012):
- Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
- Organizational structures are the key decision-making entities in an enterprise.
- Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
- Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
- Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services.
- People, skills, and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions.
Model Key Areas (formerly Domains)
One of the guiding principles in COBIT is the distinction made between governance and management. In line with this principle, every enterprise would be expected to implement a number of governance processes and a number of management processes to provide comprehensive governance and management of enterprise IT (ISACA, 2012).
When considering processes for governance and management in the context of the enterprise, the difference between the two types of processes lies in their objectives, split into two key areas:
- Governance processes—Governance processes deal with the stakeholder governance objectives—value delivery, risk optimization, and resource optimization—and include practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcome (EDM, or Evaluate, Direct, and Monitor).
- Management processes—In line with the definition of management, practices and activities in management processes cover the responsibility areas of PBRM (Plan, Build, Run, Monitor) enterprise IT, and they have to provide end-to-end coverage of IT.
The governance domain or key area contains 5 processes and the management domain contains 32 processes. A detailed view of the domains and their processes can be seen in Exhibit 1 (ISACA, 2012).
Exhibit 1 – COBIT 5 Process Reference Model © ISACA.
Areas of Influence on Project Management
How do project management practices, such as those proposed by PMI, affect the way COBIT is deployed and implemented in an organization? COBIT has a long tradition of linking its different components back to existing standards, methodologies, and frameworks. Among the more recognizable influences on COBIT are ISO (9000, 20000, 27000), TQM, Six Sigma, ITIL, TOGAF, IT-CMM, COSO, OCTAVE, PRINCE2, and the PMBOK® Guide.
As a practice, project management is probably the most widespread influence in the COBIT model. Value creation, strategic objectives, stakeholder management, and risk management, among others, are project management concepts used across enablers and key areas.
However, some of the processes where a clear influence can be seen are:
- Ensure Benefits Delivery: Portfolio, program, and project metrics are a key input in the process. In addition, benefits coming from governance help to define if portfolios, programs, and projects are on the right track.
- Manage Strategy: Program and project achievements allow managers to make informed decisions. These results can be monitored through quality reviews, lessons learned, or earned value.
- Manage Enterprise Architecture: Program and project requirements drive and receive feedback from enterprise architectural models and practices as well as implementation decisions.
- Manage Portfolio: Complete alignment with standard portfolio management practices (via business cases and resource and capacity planning, for example).
- Manage Budget and Costs: Total alignment with program management practices (via realization metrics, budget tracking, and monitoring).
- Manage Human Resources: This process is very well aligned with best practices for skills management, resource management, and resource allocation.
- Manage Suppliers: Elements well-known to project and program managers are referenced in this COBIT process; for example, vendor risk and contract management.
- Manage Quality: Project practices like quality management plans and requirements are inputs to this process.
- Manage Risk: Elements like risk analysis and risk quantification are common to project management, program management, and this COBIT process.
- Manage Programs and Projects: This process is totally aligned with PMI's standards and best practices for project and program management. The next section will cover the details of this alignment.
- Manage Requirements: Most of the best practices brought into the PMBOK® Guide — Fourth Edition have a one-to-one correspondence with the elements of this process. COBIT's focus here is on quality.
- Manage Organizational Change Enablement: Communications are considered key in this process, much as they are in program and project management best practices.
- Manage Changes: The control activities of programs and projects are mirrored by most of the components of this process. Special emphasis is put on reporting and change control.
- Manage Change Acceptance and Transitioning: There is a direct link between the concepts of quality management in project management and the concepts presented in this COBIT process.
- Monitor, Evaluate, and Assess: Portfolio, program, and project metrics are required to allow proper execution of these processes.
This list shows a clear pattern of alignment between COBIT and project management practices. The depth and breadth of this alignment in a particular COBIT implementation depend on the maturity level of the organization, as well as on its ability to have proper control objectives in place to ensure that the objectives of COBIT and the objectives of a sound project management practice do not collide.
COBIT and Project Management Alignment
Areas of Knowledge
Project management practitioners are well aware of the areas of knowledge used to create a common understanding of how project management, program management, and portfolio management activities are performed.
Sound project management practices look at scope, time, cost, and quality as pillars for achieving success. These areas are referenced throughout COBIT either as inputs or as outputs of its processes. In particular, quality management has become a popular choice for intersecting IT governance and project management. Quality, seen as a knowledge area, is a common theme in most of the Build, Acquire, and Implement processes in COBIT. Reaching a high maturity in these processes is a strong indicator that IT governance is working inside an IT group.
Two other areas that provide valuable input to COBIT are Risk Management and Communications Management. Risk management has to be seen as a foundational component of a mature model, and simple practices like a consistent risk log and corporate-wide risk mitigation criteria go a long way toward ensuring that projects support mature IT governance practices. Communications are key to strategic planning and governance processes, and the two have to be properly aligned. Project and program managers need to work with their counterparts in the organizational environment to ensure that project-related communications are supported by, and provide support to, strategic initiatives. A good idea is to involve resources from the organizational communications or change management teams in any project.
It is impossible to map the 42 project management processes, 47 program management processes, and 14 portfolio management processes directly onto the 37 COBIT processes in the reference model. They have different scopes and objectives; however, there are important overlaps that any organization deploying an IT governance model needs to be aware of.
First, all processes in the portfolio management standard provide inputs to the COBIT governance processes. It can be argued that they should map to (or even be identical to) the “Manage Portfolio” process in COBIT 5, but that is not the case, and that is probably for the best. It is much better to define key elements from the portfolio standard to ensure that common policies and procedures are followed. For example, the process to identify portfolio risks must be based on the same principles as, and arguably be managed by the same people in charge of, the risk optimization process. Why should an IT group have its own risk management practice when knowledge and synergies can be leveraged from a corporate risk management team?
Program and project processes are brought into COBIT via the BAI01 (Manage Programs and Projects) process. The best way to ensure consistency is to either involve, or even delegate the implementation of this piece of IT governance to, a project management office (PMO) or a similar project/program management entity. There are established models in the PMO environment in which the PMO doubles as a compliance entity. The most sensible approach is to formally assign a role inside the PMO to track the implementation of the COBIT process.
More often than not, the organization in charge of implementing COBIT and the organization running projects are not the same. This is the first challenge organizations have to overcome to ensure proper alignment between the two frameworks. There are a couple of options for achieving success.
One option is to create an equal-representation team with participation from the IT governance group and the PMO, and to set two objectives: one around implementation and the other around constant monitoring and improvement. This arrangement helps all parties understand where and how the key aspects of the framework support business planning. It is an ideal setting for flat or projectized organizations. The additional benefit is that exchanging ideas becomes a tool for developing a common understanding of governance and project management concepts.
The second option is to use PMO resources (or project management subject matter experts) as members of the IT governance team, either temporarily or as assigned members. This approach provides expertise, but gives the IT governance team more power to make decisions on behalf of the project management practice. It is more effective in hierarchical and function-based organizations; however, it requires additional training and education so that members of the PMO or subject matter experts are brought to a level playing field as it relates to governance concepts.
After analyzing knowledge, processes, and organizational components, how do IT governance and project management support IT strategic planning? The very definition of IT governance clearly hints that it is in place to support business objectives and strategic goals. Both project management practices and IT governance frameworks, such as COBIT, recognize the importance of business stakeholders and how they see the IT environment.
Both project management and the IT governance framework attempt to provide value by recognizing the needs of stakeholders, by providing a common understanding of the processes, people, and organizational components needed to support business decisions, and, probably most importantly, by establishing measurable goals and cascading objectives that fulfill the needs of business areas. Proper alignment between project management and IT governance provides a solid foundation to support strategic IT initiatives and a measurable reference that allows business areas to make informed decisions.
Forrester Research (2007). Defining IT GRC. First document in the “Fundamentals of IT GRC” series.
Information Systems Audit and Control Association (2012). COBIT 5: Enabling Processes. Rolling Meadows, IL: ISACA.
ISACA website. Retrieved July 2012.
Merriam-Webster Dictionary [Electronic version]. Retrieved from www.merriam-webster.com
Project Management Institute (2008). The Standard for Portfolio Management — Second Edition. Newtown Square, PA: Author.
© 2012, Ivan Rincon, B. Eng., MBA, PMP
Originally published as a part of the 2012 PMI Global Congress Proceedings – Vancouver, BC, Canada