Several years ago, the IT department of the largest bakery factory in the world conducted a COBIT® 5 assessment and implementation of enterprise governance as presented in the article, “A Partial Transition to COBIT 5 Demonstrates Value to IT.”
Months later, the factory started implementing The Open Group Architecture Framework (TOGAF)¹ in conjunction with resource-related processes in the COBIT® governance domain Evaluate, Direct and Monitor (EDM). Because the internal processes were divided, the decision was made to have an explicit group for implementing TOGAF and another working with COBIT-related (and previously defined) processes, converging at a certain point in IT governance.
Scope
The target was to cover the EDM domain including EDM04 Ensured Resource Optimization (figure 1), which contains 3 practices:
- Evaluate resource management
- Direct resource management
- Monitor resource management
Figure 1—Included Domain Processes
Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.
This target would be managed considering the scope of architecture governance as outlined in TOGAF to support the IT governance that was to be managed using COBIT.
This was designed with the implementation of an architecture review board (ARB). Applying the principle of separating governance from management, the board was added to oversee the implementation of the strategy.
Figure 2—Tailored COBIT 5 Governance and Management Key Areas
Source: Adapted from ISACA, COBIT®5: Enabling Processes, USA, 2012, p. 23. Reprinted with permission.
The responsibilities of the ARB were to:
- Provide the basis for all decision-making regarding architectures
- Ensure the flexibility of the enterprise architecture:
  - To meet changing business needs
  - To leverage new technologies
- Enforce architecture compliance
- Ensure adoption of the discipline of architecture-based development
- Meet on a regular basis
- Resolve ambiguities, issues or conflicts that have been escalated
- Provide advice, guidance and information
- Validate reported service levels and cost savings
- Produce usable governance material and activities
- Provide a mechanism for the formal acceptance and approval of architecture through consensus and authorized publication
- Provide a fundamental control mechanism for ensuring the effective implementation of the architecture
These responsibilities were mapped against select EDM governance processes in COBIT® 2019 (figure 3). Not all COBIT activities are included in figure 3, as some were carried out by the IT governance team implementing COBIT rather than the ARB.
Figure 3—Mapping ARB Responsibilities to EDM Practices
| Practice ID | Practice Name | Activity |
|---|---|---|
| EDM04.01 | Evaluate resource management | 1. Starting with current and future strategies, examine the potential options for providing information and technology (I&T)-related resources (i.e., technological, financial and human resources), and develop capabilities to meet current and future needs (including sourcing options). |
| | | 2. Define the key principles for resource allocation and the management of resources and capabilities so I&T can meet the needs of the enterprise according to the agreed priorities and budgetary constraints. For example, define preferred sourcing options for certain services and financial boundaries per sourcing option. |
| | | 3. Review and approve the resource plan and enterprise architecture strategies for delivering value and mitigating risk with the allocated resources. |
| | | 5. Define principles for the management and control of the enterprise architecture. |
| EDM04.02 | Direct resource management | 2. Establish principles related to safeguarding resources. |
| | | 3. Communicate and drive the adoption of resource management strategies, principles and agreed resource plan and enterprise architecture strategies. |
| | | 5. Define key goals, measures and metrics for resource management. |
| EDM04.03 | Monitor resource management | 1. Monitor the allocation and optimization of resources in accordance with enterprise objectives and priorities using agreed goals and metrics. |
| | | 2. Monitor I&T-related sourcing strategies, enterprise architecture strategies and business- and IT-related capabilities and resources to ensure that current and future needs and objectives of the enterprise can be met. |
| | | 3. Monitor resource performance against targets, analyze the cause of deviations and initiate remedial action to address the underlying causes. |
The process for architecture governance was tailored from TOGAF; the ARB has global scope.
The review life cycle includes the initial and full design review, where the projects are approved (ARB 1 in figure 4), and the final approval before the projects are deployed (ARB 2 in figure 4). The second review refers to the architecture compliance review process, in which the compliance of a specific project against established architectural criteria, spirit and business objectives is scrutinized.
With these reviews, the ARB assesses compliance with enterprise road maps, reference architecture, standards and subject matter expert best practices (figure 4).
Figure 4—Tailored Architecture Governance
Source: Adapted from The Open Group, The TOGAF Standard, Version 9.2, 44. Architecture Governance, Netherlands, 2018
Conclusion
Mapping COBIT’s governance process EDM04 Ensured Resource Optimization to TOGAF’s architecture framework gave the factory the advantage of using a defined process for the ARB, tailored to the company’s needs and describing activities at higher-level detail, which provided the capability to include the business perspective on the reviews.
COBIT provided the IT-related goals and accompanying metrics and enabled forging relationships with the rest of the IT processes involved in the project’s deployment. The ARB helped with the traceability of those goals.
It was also helpful to show how COBIT and TOGAF interact and have touchpoints that can be very useful to achieve and monitor the development of IT goals that are aligned with enterprise goals.
Victor Antonio Jimenez
Is an IT professional with more than 23 years of experience in application development, project management, new technologies, enterprise architecture, service-oriented architecture (SOA) governance, cloud governance, and IT governance definition and implementation. He has been using COBIT in IT governance implementations since 2012 in both private and public enterprises.
Endnotes
1 The Open Group, “The TOGAF Standard, Version 9.2,” Van Haren Publishing, The Netherlands, 2018