COBIT® 5 Implementation Phases Tutorial

COBIT® 5 Implementation Phases

Welcome to lesson 4.1 ‘COBIT® 5 Implementation Phases’ which is a part of COBIT® 5 Foundation Certification Course. This lesson focuses on the COBIT® 5 implementation phases.

Let us explore the objectives of this lesson in the next section.

Objectives

By the end of this lesson, you will be able to:

• Explain the phases of the COBIT® 5 implementation lifecycle

• Identify the importance of a business case and list the information it includes

In the next section, we will focus on Phase 1 of the COBIT® 5 implementation lifecycle.

Phase 1 - What Are the Drivers?

The image below shows the activities for Phase 1 in each of the three lifecycle components.

The activities consist of:

• Programme management : Initiate programme

• Change enablement : Establish desire to change

• Continual improvement lifecycle : recognize the need to act

In the next section, we will focus on the step, ‘recognize the need to act’.

Recognize Need to Act

The need for new or improved IT governance is usually recognized by pain points or trigger events.

The Board and executive management should:

• analyze pain points to identify their root cause; and

• look for opportunities during trigger events.

By using pain points or trigger events as the launching points for IT governance initiatives, the business case for GEIT (Governance of Enterprise IT) improvement can be related to issues being experienced, which will improve buy-in to the business case.

In the next section, we will focus on the typical pain points.

Typical Pain Points

The common IT pain points are as follows:

• Failed IT initiatives

• Rising costs

• Perception of low business value for IT investments    

• Significant incidents related to IT risk, for example, data loss

• Service delivery problems    

• Failure to meet regulatory or contractual requirements    

• Audit findings for poor IT performance or low service levels

• Hidden or rogue IT spending

• Resource waste through duplication or overlap in IT initiatives

• Insufficient IT resources    

• IT staff burnout or dissatisfaction    

• IT-enabled changes frequently failing to meet business needs, for example, late deliveries and budget overruns    

• Multiple and complex IT assurance efforts    

• Board members or senior managers who are reluctant to engage with IT

In the next section, we will focus on the trigger events.

Trigger Events

The relevant trigger events for better IT governance are as follows:

• Merger, acquisition or divestiture

• Shift in the market, economy or competitive position

• Change in business operating model or sourcing arrangements

• New regulatory or compliance requirements

• Significant technology change or paradigm shift

• An enterprise-wide governance focus or project

• A new CIO, CFO, COO or CEO

• External audit or consultant assessments

• A new business strategy or priority

In the next section, we will focus on the purpose of Phase 1.

Purpose of Phase 1

The purpose of Phase 1 of the COBIT® 5 implementation lifecycle is to complete the following tasks:

• Outline the business case:
  - To accomplish this task, the implementation objectives and benefits need to be clearly expressed in business terms and summarised in a business case outline.
  - The purpose is to gain the commitment and buy-in of the relevant stakeholders from the beginning.

• Identify the stakeholders:
  - In this task, internal and external stakeholders related to the specific implementation have to be identified.
  - This is to ensure that appropriate and timely communication reaches them, keeping them informed and interested. It also helps in sustaining their commitment for successful implementation as mentioned earlier.

• Identify the roles and responsibilities:
  - The initiative should be owned by a sponsor and involve all key stakeholders. It should be based on a business case.
  - Initially, this can be done at a high level from a strategic perspective—from the top-down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks, milestones and key roles and responsibilities.

• Wake-up call for IT governance programme:
  - To ensure the success of implementation initiatives leveraging COBIT®, the need to act should be widely recognized and communicated within the enterprise.
  - This can be done in the form of a ‘wake-up call’ where specific pain points are being experienced. It can also be done in the form of an expression of the improvement opportunity to be pursued and, most importantly, the benefits that will be realized.
  - An appropriate level of urgency needs to be instilled and the key stakeholders should be aware of the risk of not taking action as well as the benefits of undertaking the programme.

In the next section, we will focus on Phase 2 of the implementation lifecycle.

Phase 2—Where Are We Now?

The activities for Phase 2 in each of the three lifecycle components are mentioned in the image below:

These are as follows:

• Programme management : Define problems and opportunities

• Change enablement : Form implementation team

• Continual improvement lifecycle : Assess current state

In the next section, we will discuss the purpose of Phase 2.

Purpose of Phase 2

The purpose of Phase 2 is to complete the tasks mentioned under each of the following steps:

• Define problems and opportunities:

- pain points identified as governance problems need to be understood.

- trigger points that provide the opportunity for improvement should be taken advantage of.

• Form implementation team:

- A powerful guiding team should be formed.

- The team should have knowledge of the business environment and insight into influencing factors.

• Assess the current state:

- IT goals should be identified with respect to enterprise goals

- The most important processes must also be identified.
- Management risk appetite, maturity of existing governance and processes related to identifying the dependencies and managing them properly must also be understood.

In the next section, we will focus on an example based on Phase 2.

Implementation Phase 2—Problem Statement

A network and data center services organization engaged a third-party service provider to identify areas that needed change and give recommendations.
The service provider carried out the following tasks:

• He suggested that the organization take advantage of its position as an industry leader to achieve high reliability and availability in its network.

• He identified areas requiring change, and provided recommendations in a charter.

• He conducted an Operational Risk Management Analysis or ORMA to assess and remediate the people, processes, and tools needed to mitigate operational risk and reduce network complexity.

• He outlined a roadmap for operational excellence and availability using a best-practice approach to network design, tools, process, and expertise.    

• He suggested the setting up of an implementation team.

In the next section, let us focus on the key actions performed by the service provider and how they fit into the lifecycle approach.

Implementation Phase 2—Solution

The key actions performed by the service provider, categorized by the lifecycle components, are as follows:

• Identifying areas requiring change and providing recommendations in a charter, which comes under the ‘Define problems and opportunities’ step of programme management

• Suggesting the setting up of an implementation team, which comes under the ‘Form implementation team’ step of change enablement

• Conducting an Operational Risk Management Analysis or ORMA to assess and remediate the people, processes, and tools needed to mitigate operational risk and reduce network complexity, which comes under the ‘Assess current state’ of continual improvement lifecycle

In the next section, we will focus on Phase 3 of the COBIT® 5 implementation lifecycle.

Phase 3—Where Do We Want to Be?

The activities for Phase 3 in each of the three lifecycle components are mentioned in the image below.

These activities are as follows:

• Programme management : Define roadmap

• Change enablement : Communicate outcome

• Continual improvement lifecycle : Define target state

In the next section, we will discuss the purpose of Phase 3.

Purpose of Phase 3

The purpose of Phase 3 is to complete the tasks mentioned under each of the following steps:

• Define the roadmap:
  - In this step, the high-level change enablement plan and objectives must be described.

• Communicate outcome: In this step, the following activities are performed:    
  - Develop a communication strategy    
  - Communicate the vision    
  - Articulate the rationale and benefits of the change    
  - Set the tone at the top management level

• Define target state: In this step, the activities performed are as follows:

- Define the target for improvement    

- Analyze the gaps    

- Identify potential improvements

In the next section, we will focus on an example based on Phase 3.

Implementation Phase 3—Problem Statement

An IT organization engages in continual improvement of best practices based on current experiences, industry guidelines, and accepted network design principles. The critical areas evaluated are service support, change management, service performance management, service resiliency and people and skills. An improvement programme is arrived at by performing the following:

1. Interviewing business leaders, IT leaders and senior engineers

2. Gathering technical, organizational, process-related and tools related documents and templates

3. Carrying out a current-state assessment

4. Outlining a detailed plan to achieve business and availability goals

5. Preparing an attainable vision and roadmap

6. Communicating the outcomes of assessments and new targets to all key stakeholders

What are the key actions performed by the organization and how do they fit into the lifecycle approach?

In the next section, we will find out how the key actions performed by the organization fit into the lifecycle approach.

Implementation Phase 3—Solution

The key actions performed by the organization, categorized by the lifecycle components, are as follows:

• Preparing an attainable vision and roadmap, which comes under the step, ‘Define the roadmap’, of programme management

• Communicating the outcomes of assessments and new targets, changes, or solutions to key stakeholders, which comes under the step, ‘Communicate outcome’ of change enablement

• Interviewing business leaders, IT leaders, and senior engineers in addition to gathering technical, process, tools and organizational documents and templates, which comes under the step, ‘Define target state’ of continual improvement lifecycle

In the next section, we will discuss Phase 4 of the COBIT® 5 implementation lifecycle.

Phase 4—What Needs to Be Done?

The image below shows the activities for Phase 4 in each of the three lifecycle components.

The activities are as follows:

• Programme management : Plan programme

• Change enablement : Identify role players

• Continual improvement lifecycle : Build improvements

In the next section, we will discuss the purpose of Phase 4.

Purpose of Phase 4

The purpose of step 4 is to complete the tasks mentioned under each of the following steps:

• Plan programme: The activities performed to develop the programme plan are:

- prioritizing potential initiatives;

- developing formal and justifiable projects;    

- using plans that include contributions and programme objectives

• Identify role players: The activities performed to empower role players and identify quick wins are:

- prioritizing high benefits and easy implementation

- obtaining buy-in from key stakeholders affected by the change, and

- identifying strengths in existing processes and leveraging them accordingly

• Build improvements: The activities performed in this step are:

- plotting improvements on a grid for better prioritization, and    

- considering approaches, deliverables, resources needed, costs, estimated time scales, project dependencies and risks

In the next section, we will discuss Phase 5 of the COBIT® 5 implementation lifecycle.

Phase 5—How Do We Get There?

The activities for Phase 5 in each of the three lifecycle components are mentioned in the image below.

 The activities are:

• Programme management : Execute plan

• Change enablement : Operate and use

• ​Continual improvement lifecycle : Implement improvement

​In the next section, we will discuss the purpose of Phase 5.

Purpose of Phase 5

The purpose of Phase 5 is to complete the tasks as part of the following steps:

• Execute plan: The activities included in this step are as follows:

- Execute projects according to an integrated programme plan

- Provide regularly updated reports to stakeholders    

- Document and monitor the contribution of projects while managing the risks identified

• Operate and use: The activities included in this step are as follows:

- Build on the momentum and credibility of quick wins

- Plan cultural and behavioural aspects of the broader transition    

- Define measures of success

• Implement improvements: In this step, best practices are adopted and adapted to suit the enterprise’s approach to policies and process changes.

In the next section, we will focus on Phase 6 of the COBIT® 5 implementation lifecycle.

Phase 6—Did We Get There?

The image below shows the activities for Phase 6 in each of the three lifecycle components.

The activities are as follows:

• Programme management : realize benefits

• Change enablement : Embed new approaches

• Continual improvement lifecycle : Operate and measure

In the next section, we will discuss the purpose of Phase 6.

Purpose Of Phase 6

The purpose of Phase 6 is to complete the tasks mentioned under the following steps:

• realize benefits: The following activities are performed in this step:

- Monitor the overall performance of the programme against the business case objectives

- Monitor and measure the investment performance

• Embed new approaches: The following tasks are performed in this step:

- Provide transition from project mode to business-as-usual mode

- Monitor whether new roles and responsibilities have been taken on

- Track and assess objectives of the change response plans

- Maintain communication and ensure communication between appropriate stakeholders continues

• Operate and measure: The following activities are performed in this step:

- Set targets for each metric

- Measure metrics against targets    

- Communicate results and adjust targets as necessary

In the next section, we will focus on Phase 7 of the COBIT® 5 implementation lifecycle.

Phase 7 - How Do We Keep the Momentum Going?

The image shows the activities for Phase 7 in each of the three lifecycle components.

The activities are as follows:

• Programme management : Review effectiveness

• Change enablement : Sustain

• Continual improvement lifecycle : Monitor and evaluate

In the next section, we will discuss the purpose of Phase 7.

Purpose of Phase 7

The purpose of Phase 7 is to complete the tasks mentioned under the following steps:

• Review effectiveness:

- In this step, the programme effectiveness is reviewed through a programme review gate.

• Sustain:

- Ensure conscious reinforcement and reward achievers

- Maintain an ongoing communication campaign, that is, ensuring regular feedback on performance is provided to the people involved

- Provide continuous top-management commitment

• Monitor and evaluate:

- Identify new governance objectives based on programme experience

- Communicate lessons learned and further improvement requirements for the next iteration of the cycle

With this, we come to the end of the implementation phases. In the next section, we will focus on the business case.

Importance of the Business Case

A business case is a valuable tool available to the management for guiding the creation of business value. Following are some key facts on the business case:

• An initiative should be owned by a sponsor and involve all key stakeholders. It must be based on the business case.

• The business case is used to instill the appropriate level of urgency by informing key stakeholders of the risk of not taking action.

• The business case starts as a high-level document in the beginning, which discusses strategic benefits and costs, and progresses to a detailed plan on creating value.

In the next section, we will focus on the information available in a good business case.

Information Available in a Good Business Case

A good business case must include information on:

• the business benefits that will be realized;

• the business changes that are required;

• the investments that are needed;

• the ongoing IT operating costs;

• the constraints and dependencies derived from the risk assessment;

• the roles, responsibilities, and accountabilities relative to other initiatives, and

• the ways to monitor the investment.

Summary

Let us summarise what we have learned in this lesson:

• Some of the purposes of Phase 1 of the COBIT® 5 Implementation lifecycle are outlining the business case and identifying the stakeholders.

• The activities involved in Phase 4 of the lifecycle are the ‘Plan programme’ step as a part of programme management, the ‘Identify role players’ step as a part of change enablement and the ‘Build improvements’ step as a part of continual improvement lifecycle component.

• One of the key tasks performed in Phase 6 of the lifecycle is providing transition from project mode to business-as-usual mode.

• A business case is a valuable tool available to the management for guiding the creation of business value.

Some of the information available in the business case is the business benefits that will be realized and constraints and dependencies derived from risk assessment.
The next tutorial focuses on COBIT® 5 Process Capability Assessment Model.