Practical Case Implementing COBIT Processes - 2016-04
The IT director of the European Network of Transmission System Operators for Electricity (ENTSO-E) undertook a
pragmatic approach toward implementing COBIT 5 at the organisation beginning in 2014. Now, 2 years later, it is time
to share this successful collaboration between the internal IT department, the business organisation and the external
consultant(s), and to share how the results were achieved.
Taking a practical approach towards implementing a programme for governance of enterprise IT (GEIT) based on COBIT
5, ENTSO-E focused on prioritising the processes, the development of these processes and, most importantly, the
practical issues to overcome during the implementation of a new way of working.
About ENTSO-E
ENTSO-E represents 42 electricity transmission system operators (TSOs) from 35 countries across Europe
(figure 1). ENTSO-E was established and given legal mandates by the EU's Third Legislative Package for the Internal
Energy Market in 2009, which aims at further liberalising gas and electricity markets in the EU.
ENTSO-E promotes closer cooperation across Europe's TSOs to support the implementation of EU energy policy and
achieve Europe's energy and climate policy objectives, which are changing the very nature of the power system.
Through its deliverables, ENTSO-E is helping to build the world's largest electricity market, the benefits of which will be
felt by all those in the energy sector as well as by Europe's overall economy, today and into the future.
The IT manager reports to the 3 governance levels in the organisation (figure 2):
The assembly is made up of representatives from the 41 member TSOs from 34 European countries at the chief
executive officer (CEO) level.
The board consists of 12 elected members.
The ENTSO-E secretary general is the highest executive responsible for the daily operation of the secretariat.
As
At the beginning of 2014, the perception at the ENTSO-E Management Team was that the IT strategy was 99% ready,
but the new IT manager wanted to change it and make it more specific. This required some delicate manoeuvring.
IT Strategy Development
The revised IT strategy was based on a governance structure with 3 focus areas, which were presented to and approved
by the assembly. Figure 3 shows the governance structure.
The overall objective was to develop an IT organisation ready to support the TSO members in the best possible way.
The selection of best practices and standards was one of the detailed targets defined by the IT strategy. The selection
results included:
ITIL as the guiding framework for IT Service Management (ITSM). All IT staff would participate in the foundation
training and obtain their certification, so that a solid knowledge base will be present within the IT staff.
Project management based on PRINCE2, in order to introduce a more structured project management approach,
which will result in a more clearly documented relation between the business benefits and the IT deliverables at the
beginning of each project. This decreases the risk of not delivering on time and within budget.
ISO 27002:2013 as a guide for information security, in order to comply with external requirements regarding security
management at ENTSO-E.
Data Management Body of Knowledge (DMBOK) for data management to support the move from a Network Code
delivery organisation towards a data management support organisation.
COBIT 5 for having an overarching governance and management framework and to enable ENTSO-E to identify
the major IT processes that need to be in place to fulfil the enterprise goals. (Notably, COBIT was not selected in
January 2014; the decision was made to start working with COBIT 5 in June 2014.)
Progress Management
A structure was set up to manage the progress of this IT strategy (figure 4).
The project steering group consisted of 2 internal managers, the IT manager and the IT strategy programme manager,
who reported to this steering committee.
The working group, responsible for data strategy, consisted of representatives from several TSOs, managed by the
internal data management team.
The peer reviews from chief information officers (CIOs) of 6 TSOs were important to validate the IT strategy and follow
the progress and outcome of this IT strategy programme.
The IT manager implemented monthly meetings with his peers to understand what was required from a business
perspective and also keep them in the loop. This was (and still is) done through monthly face-to-face meetings.
After a few months, the need to develop a dashboard to plan and monitor the progress of this program became clear,
and resulted in the development of the dashboard tool described in the next section.
For the prioritisation of the IT processes, the COBIT 5 Goals Cascade was applied and the team developed its own tool to
manage the different steps in this cascading process.
Most often, the Goals Cascade is used to select those COBIT processes with the highest priority, to develop and
implement, or to perform a process assessment, starting with the goals at the enterprise level. In this case, it was used to
define the prioritisation of the COBIT 5 processes in order to prepare a plan and ensure focus on the right processes.
This was a 6-step selection process:
Step 1: Identify relevant business drivers for the IT processes.
Step 2: Prioritise the enterprise's IT processes.
Step 3: Perform a preliminary selection of target processes based on the above prioritisation.
Step 4: Confirm the preliminary selection of target processes with the project sponsor and key stakeholders.
Step 5: Finalize the list of processes.
Step 6: Document the scoping methodology in the IT strategy document.
To identify the business drivers, the IT manager had several discussions with different business partners and
stakeholders, explaining that it is not about IT change, but enabling the business to work better. While doing this, he had
to change the language from IT language to business language, in order to speak their language, and also to highlight
that this is not about technology, but about information: their information.
To define the enterprise goals, the IT manager organised meetings with the 6 TSO IT managers to identify the external
priorities and with the IT strategy steering committee to identify the internal priorities and then to come to a consensus
within the ENTSO-E management team, based on the internal and external priorities.
This resulted in the following selection of enterprise goals:
External priorities, defined by the 6 TSO IT managers:
1. Financial transparency
2. Customer-oriented service culture
3. Business service continuity and availability
4. Operational and staff productivity
5. Skilled and motivated people
These priorities were selected from the list of generic enterprise goals, as listed in the COBIT 5 framework.1
The final list of enterprise goals was used to start the Goals Cascade. Based on the 2 mapping tables2 found in the COBIT
5 framework, a tool was developed that ran the cascade automatically once the 6 selected goals had been
indicated.3
The first selection resulted in the following priority range using different colours to indicate the priority of each process
(figure 5).
The preliminary priority range of target processes was not found by the management team to be very clear, so another
way of presenting the priorities, with 3 priority levels, was developed. In addition to the presentation format, some of the
high-priority processes seemed illogical places to start.
For example, problem management had a high priority compared to, e.g., service request and incident management,
configuration management and change management. Without proper incident management, it is very difficult (if not
impossible) to develop and implement problem management, since the analysis of the incidents is used as a possible
source to identify problems. And in order to solve problems, changes can be initiated, so proper change management is
needed to solve the problems identified.
So, with the IT manager, we re-evaluated the importance and priorities. The outcome was the figure with the revised
prioritisation overview (figure 7).
The developed and applied approach was documented in the IT strategy document, which was used to further detail the
actions needed to implement the IT strategy. In addition to developing the IT processes, priority focus was put on data
management. Based on the priorities and other regulations ENTSO-E needed to comply with, a road map was developed.
The first step in defining the road map was to define the roles and responsibilities for the major data management
stakeholders. Figure 8 shows that ENTSO-E will lead IT in directions and priorities of the data management road map,
the work groups will inform IT on what to do, and the IT manager will ask for advice and reviews from the TSO IT
managers and the governance boards to ensure that all data management initiatives are well aligned with other initiatives
within the TSO member community.
[Figure labels: ENTSO-E management; Direct, Evaluate and Monitor; Work Groups; Stakeholder Needs; TSO IT managers; Solution Review; Benefits Realisation; Governance Board; Control Processes; Quality Review]
For each COBIT 5 process, a specific action plan was developed with targets for five specific questions. These questions
were related to the five levels of the COBIT Process Assessment Model (PAM) (figure 10).
The action list (figure 11) of all processes was consolidated into one sheet to make it easy for all people involved to
check the status and follow up on their own actions.
[Figure 11: action list with the columns Link, Action nr, Nr, Date action, What, Due date and Who; the sample rows cover processes APO01, MEA01, DSS05 and BAI10]
The planning and follow-up for each achievement is also reported on a single sheet (figure 12), which is based on the
details of each process.
[Figure 12: planning and follow-up sheet per process (APO02, APO03), tracking Documentation, KPI's, Reporting, Owner, Users trained and Job being done, each with an Actual percentage, a Due date and a colour-coded monthly status from Sep 2015 to Apr 2016]
The end result is the monitoring of the status of each process in the process progress sheet (figure 13).
Figure 13: process progress sheet. The Level scores column holds the four percentages recorded per process under the sheet's Level1 to Level5 headings.

Process Title | Owner | Level scores | Total score | Total score on 28 Oct. 2015 | Difference 27 Nov. vs. 28 Oct.
Governance Framework Setting & Maintenance | KDJ | 26% / 12% / 0% / 0% | 15% | 15% | 0%
Benefits delivery | KDJ | 26% / 12% / 0% / 0% | 15% | 15% | 0%
Risk optimisation | NFR | 58% / 31% / 0% / 0% | 26% | 26% | 0%
Resource optimisation | KDJ | 26% / 12% / 0% / 0% | 15% | 15% | 0%
Stakeholder Transparency | KDJ | 26% / 3% / 0% / 0% | 9% | 9% | 0%
IT Management Framework | KDJ | 80% / 85% / 50% / 0% | 69% | 69% | 0%
Strategy | KDJ | 80% / 91% / 50% / 0% | 73% | 73% | 0%
Enterprise Architecture | PVI | 80% / 61% / 55% / 0% | 51% | 51% | 0%
Innovation | KDJ | 20% / 0% / 0% / 0% | 7% | 7% | 0%
Portfolio | KDJ | 20% / 0% / 0% / 0% | 7% | 7% | 0%
Budget & Costs | KDJ | 80% / 91% / 50% / 0% | 73% | 73% | 0%
Human Resources | KDJ | 20% / 9% / 0% / 0% | 13% | 13% | 0%
Relationships | KDJ | 20% / 0% / 0% / 0% | 7% | 7% | 0%
Service Agreements | GVO | 80% / 95% / 75% / 0% | 76% | 75% | 1%
Suppliers | KDJ | 80% / 68% / 63% / 0% | 57% | 57% | 0%
Quality | GVO | 50% / 14% / 0% / 0% | 17% | 17% | 0%
Risk | KBU | 68% / 31% / 0% / 0% | 29% | 29% | 0%
Security | KBU | 80% / 55% / 50% / 0% | 47% | 47% | 0%
Programmes & Projects | BMA | 80% / 36% / 0% / 0% | 33% | 33% | 0%
Requirements Definition | KDJ | 20% / 9% / 0% / 0% | 13% | 13% | 0%
Solutions Identification & Build | PVI | 10% / 0% / 0% / 0% | 3% | 3% | 0%
Availability & Capacity | MKU | 80% / 72% / 55% / 0% | 59% | 59% | 0%
Organisational Change Enablement | MKU | 10% / 9% / 0% / 0% | 10% | 10% | 0%
Changes | MKU | 80% / 91% / 50% / 0% | 73% | 73% | 0%
Change Acceptance & Transitioning | MKU | 20% / 0% / 0% / 0% | 7% | 7% | 0%
Knowledge | JFZ | 20% / 0% / 0% / 0% | 7% | 7% | 0%
Assets | JFZ | 80% / 73% / 0% / 0% | 60% | 43% | 17%
Configuration | JFZ | 80% / 47% / 0% / 0% | 41% | 41% | 0%
Operations | JFZ | 96% / 100% / 75% / 0% | 85% | 81% | 4%
Service Requests & Incidents | JFZ | 90% / 100% / 75% / 0% | 83% | 83% | 0%
Problems | JFZ | 94% / 88% / 65% / 0% | 76% | 67% | 9%
Continuity | KBU | 10% / 9% / 0% / 0% | 10% | 10% | 0%
Security Services | KBU | 80% / 81% / 50% / 0% | 66% | 66% | 0%
Business Process Controls | KBU | 22% / 15% / 0% / 0% | 14% | 14% | 0%
Performance & Conformance | KDJ | 80% / 66% / 55% / 0% | 55% | 55% | 0%
The System of Internal Control | KBU | 10% / 9% / 0% / 0% | 10% | 10% | 0%
Compliance with External Requirements | KBU | 10% / 0% / 0% / 0% | 3% | 3% | 0%
A last, but important element in this program was to increase knowledge about COBIT 5 and to map this to the daily work
within the IT department.
This was accomplished by giving periodic presentations in staff-meetings, providing presentations on COBIT and sending
the COBIT 5 Framework to the TSO IT managers.
For the internal IT department, a tool was developed that included the following elements:
A service catalogue summarising all services provided by the IT department, and divided by services for the members
and services for the internal secretariat organisation
A service level agreement (SLA) matrix listing all the services and indicating responsibilities and estimated effort
The related service definitions linked from the service catalogue
Key performance indicators (KPIs) for each service definition
An operational task list where all recurring tasks were added with notifications to the persons assigned N days
before the target date and on the target date
Figure 14 shows the interaction among all of these elements.
All of these tools and elements are available on ENTSO-E's SharePoint-based intranet; some are Excel files and others are
lists or libraries in SharePoint.
After 1.5 years, we evaluated our achievements by going back to the original governance
structure we wanted to put in place.
On a high level, the project is on track.
We developed policies and standards of highest priority, and these are also applied through the processes.
Moving from project mode to operational resulted in unexpected cost and staffing issues, which need to be
managed and solved. So there is still some work to do.
The single hosting supplier program is ongoing, but no decision has been taken yet.
This exercise shows where progress has been made with the business goals. In this case, the business is quite pleased
with the overall result, especially as the amount of change for the organisation was astounding.
Author's Note
If you would like more information on the tools that were developed, or to get more detailed information, please contact
Greet Volders at [email protected].
Greet Volders, Managing Consultant and C.E.O. of Voquals N.V., CGEIT and COBIT Certified Assessor
Greet's main activity is providing advice to customers, and she regularly gives trainings and seminars related to IT
Governance, Process Improvement and IT/Business alignment.
Since 2002, Greet has been an active member of several development teams for COBIT and the development of COBIT PAM
(Process Assessment Model). She also specialises in the optimisation of internal processes to conform to
SOX and CMMI.
In this context, she has executed many assessments and audits to check conformance to COBIT and CMMI in several
companies. Preparing companies for compliance audits against ISO standards is another field of expertise.
For more than 15 years, Greet has been giving trainings and presentations about Quality Systems, the development and
assessment of IT and Business processes, and the use of standards and frameworks.
Greet is an accredited trainer for the COBIT 5 foundation and Assessors training.
She is a regular speaker at ISACA events, such as seminars and trainings for ISACA Belgium, presentations at EuroCACS
in 2011, 2012 and 2013, and the COBIT Conference in 2015, where she presented this practical case, together with Kees de
Jong.
Endnotes
COBIT 5, USA, 2012, p. 19
ISACA,
If you are interested in obtaining this tool, please contact author Greet Volders at