Sunday, May 16, 2010

IT GOVERNANCE: Battle of Giants


Yeah, it’s time for yet another article. I’ve just consumed my daily doses of caffeine and somewhere in the background the wonderful harp music of Andreas Vollenweider is doing its magic. Magic, a curious thing – I wonder how that applies to something like service management (and “yes” I’m still dropping the IT). Can magic be found in frameworks, standards and methods? I believe the answer to be positive; it all depends on how one observes the world. I ‘recently’ stumbled upon (which is also a fantastic tool: StumbleUpon) the world of IT governance (feel free to drop the IT again), and jeepers creepers I felt like walking into Ali Baba’s cave filled with unspeakable treasures. Join me; enter the cave and who knows, we might even find some magic lamps.

The reason this article is called “Battle of Giants” is twofold. Firstly, it sounds pretty groovy and hopefully visualises battles like the ones you find in “Return of the King”, where the good guys are fighting the bad guys with enormous battle-axes, lances, and catapults. Secondly, because I’m thinking of a bloody battle between the following giants: OGC and ISACA/PMI. Yeah, call me weird and join the crowd. For those that still don’t have a clue: OGC owns ITIL and Prince2, ISACA owns CobiT and Val IT, and PMI owns PMBOK. OGC is based in the UK, and both ISACA and PMI are based in the US. Did I just see you raise your eyebrows, or at least one, like Mr. Spock?

  • OGC, ITIL and Prince2
  • ISACA, CobiT and Val IT

Yes, Father, I have sinned, as I no longer believe ITIL and Prince2 are the only truth, and feel tempted to join these other religions called ISACA and PMI, as they have more structure and seem to make a hell of a lot more sense as frameworks. Please guide me, for I have lost my way and need your advice.

Well, in this article we won’t be assessing all these frameworks, but will be focusing on ISACA’s cave of treasures. Surely, I need to give myself some space for sequels, prequels, and those that fall somewhere in between (the sneaquels, as they seem to sneak in between episodes).

ISACA’s Cave of Credits
I used to be a member of the itSMF for many years, but recently decided to swap my membership to some other organisations including ISACA and PMI. Sure, the itSMF can claim until the end of time that they’re not fully ITIL and OGC aligned, but “hey presto” they’re doing a lot of ITIL, seem to back up a lot of OGC and aren’t really doing so much of the other stuff, and hence I felt it was necessary to step into the dark side’s territory and explore some new forces firsthand. To be honest I’m glad I did, and not a moment too soon!

Admittedly, both ISACA’s and PMI’s websites are pretty crappy, although ISACA is about to launch their revamped website. They’re both ugly ducklings from the outside, but it’s funny because once you’re on the inside you get immediate access to all the prizes, and the ugly duckling turns into a beautiful swan (like the Lake Geneva (CH) swans). It’s like looking at a Citroën 2CV (deux chevaux) with a Ferrari engine under the bonnet. Everything you can’t find with (or would expect to come from) the itSMF or OGC you can find with ISACA and PMI, and most importantly at a reasonable and affordable price, meaning you don’t have to pay ridiculous amounts like £5,000 per annum for something that’s basically all based on using your common sense and a teaspoon of yin-yang and logic. ISACA and PMI are not offering crappy 2-page newsletters (sorry itSMF) that are filled with advertisements of overpriced consultancy agencies and delivering-no-quality-whatsoever training organisations, but are offering real journals (magazines) with articles that provide sincere value and are actually interesting reading material too. I’m sure the itSMF will become aware of this article at some time and maybe it will open their eyes, and maybe, just maybe, they will follow ISACA/PMI’s example and start publishing a real IT Service Management Journal without all those crappy advertisements. Ah well, it’s just a lone ranger’s thought! It’s funny as it’s all about providing value to customers – or isn’t it?

So, should you become a member of ISACA (IT Governance) and PMI (Project Management Institute)? I believe you should, and rather sooner than later, and hey, I don’t have anything to gain by saying this; I am merely trying to share my experience with you, my loyal readers out there.

Entering the Cave
ISACA offers a number of accessibility options to their materials. The easiest one is to hop on their website, register for absolutely zilch, nada, nothing and immediately get access to a number of their most important publications, being CobiT v4.1 and Val IT 2nd edition – this is known as “basic subscriber” membership. The CobiT v4.1 and Val IT 2nd edition documents become available as downloadable PDFs, and it feels like downloading ITIL v3 for free. If you don’t like ITIL’s somewhat unorganised structure, then you’ll be most happily surprised with ISACA’s documents. I can safely and confidently say that CobiT v4.1 has exactly 34 processes that allow you to put more control and governance in place in those areas of IT where it is most needed. If you ask me how many processes ITIL v3 has, then honestly I can’t give you a clear answer, and that doesn’t make any sense as I’m allowed to call myself an ITIL v3 Expert, which at that moment seems to lose a lot of its intrinsic value. So, to make a long story short, there are heaps of ISACA resources available to those who take a couple of minutes filling out a form with their name and address, and Bob will be your uncle in no time at all.

ISACA also offers a “baseline” access model, which means you don’t even have to fill out a form and still get access to some documents, including CobiT v4.1. I guess for those taking the effort of typing in ISACA’s full URL in a browser, filling out a simple form to become a “basic subscriber” is probably valuable considering all the extras you get access to. For me, personally, I wouldn’t even consider the “baseline” access model, unless you don’t want your full name in their database, but in that case you probably shouldn’t be working in IT at all. Surely you’re aware that Big Brother is watching your every step.

So, at the lowest level we’ve got “baseline” access (casual website visitor), the next level up is known as “basic subscriber” access (filling out a form with your name), and the most complete type of access is granted when you become a “full subscriber” (paying an annual subscription fee). As a full subscriber you’ll get access to the full ISACA cave, except one small crevice that’s labelled “CobiT Online”, but by the time you decide to become a full member you’ll most likely also tick this box.

Here’s a small list of what you get access to when you become a “full subscriber”:

  • invitations to local seminars, conferences, and chapters
  • ISACA Journal (magazine both mailed to you, but also available electronically)
  • benchmarking capability
  • browse CobiT, including Control Practices and Quickstart entries
  • download all PDFs
    • CobiT Quickstart
    • CobiT v4.1
    • CobiT toolset (slides, maturity assessments, the works!)
    • CobiT Mappings
    • Search and create MyCobiT
    • Val IT 2nd edition
    • Board Briefing on IT Governance
    • IT Governance Implementation Guide
    • IT Assurance Guide
  • access the discussion area

The list of files that can be downloaded just goes on, and on, and on. I can’t tell you how surprised I was when I compared this to “all” the resources made available by organisations like the itSMF and OGC, which is literally close to nothing – even if you’re a paying member. Ah well, one lesson learned for me: don’t judge an organisation by its appearance (website) only.

Exploring the Cave
Funny isn’t it – you walk into a cave, holding your flickering torch high in front of you, expecting to find nothing, as this is what happened to me on countless explorations before, and all of a sudden you start to see the shimmering reflections of rubies, emeralds, sapphires, and diamonds. Where do I start, and how much weight (treasures) can I carry, or am I allowed to carry with me?

Well, we’ll start by mentioning that ISACA and ITGI (IT Governance Institute) have a lot in common (and that’s a grand understatement) as they’re both about IT governance which is defined by them as:

“IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.”

You start wondering why all these organisations come up with these wonderfully artificially constructed sentences that in all reality no-one uses. They probably have a secret, well-hidden room where people (nope, I don’t want to go into stereotypes right now) spend most of their lives creating cryptic definitions, so we have something to decipher. I guess what I’m reading between the lines is this:

“IT Governance means that people need to be held accountable and responsible for their actions, need to understand why they are doing (IT) things the way they are doing them, and foremost keep doing the right (IT) things (now and in the future).”

Did that help? Probably not! Yeah, I’m laughing out loud! So, it’s roughly about ensuring that the right people are doing the right things for the right reasons (typically creating some type of value to the business) and, whilst doing so, managing risks adequately. No, it’s not always about minimising risks, because not all risks are negative, and some residual risk may well be accepted by the business. Some risks represent opportunities and can be extremely positive. Come on, those Google guys took some risk leaving university a bit too early, but no one is blaming or pointing the finger at them now!

Okay, I think we’re going a bit off track here, and that’s something you don’t want to do when you’re wandering through the “IT governance” cave, as this cave is all about putting control in place, so you know exactly where you are and where you’re heading at every single moment in time. IT governance is the set of “minimum” internal and external rules, standards, policies, and guidelines you apply to the management of your IT (yeah, that too). IT is getting incredibly significant and business critical to an ever increasing number of organisations around this tiny blue planet, and without the right set of controls in place it will be virtually impossible to reap the full benefits of IT and its supporting infrastructure. Worse, without proper controls in place, IT may actually damage the business beyond repair, which reminds me of a list of credit-card numbers that was publicly published on the Internet not so long ago.

The Val IT Crevasse
It’s funny, as many of ISACA’s resources seem to be in orbit (at least in my opinion) around CobiT, whereas maybe, just maybe, they should actually be in orbit around Val IT. I guess orbit and CobiT seem more related, in characters only, than orbit and Val IT. Nope, that can’t be right, and it isn’t, hence some things are about to get changed big time (see Area 51).

Val IT is all about creating, monitoring and optimising value from IT investments with an acceptable level of risk. Val IT sets good practices for the ends: “This is what we need to achieve as a business – if we don’t then we’re in deep sh#@”! Well, please tell me, are we doing the right things and are we reaping the needed and expected benefits? Again, this is Val IT space! Its whole focus is aimed at strategic management levels so strategic value can be harvested.

Val IT covers three key domains:

  1. Value Governance [VG] (embeds the governance framework into the organisation)
  2. Portfolio Management [PM] (ensures the right programmes are selected to be added to the portfolio of products and services)
  3. Investment Management [IM] (ensures that selected programmes are funded, implemented and able to provide bang-for-the-buck)

Val IT is also about ensuring that any governance as applied to IT (wherever, whenever, whoever) is properly aligned with the broader enterprise governance of IT (wherever, whenever, whoever). Val IT’s focus is on selecting and driving the right programmes that create value for the business. It provides three domains (see above), 22 processes and a whopping 69 management practices to help management get on their way and hit the ground running. Personally I absolutely adore this framework, as it tells me exactly what needs to be done in order to be able to answer the following two key questions:

  1. Are we doing the right things?
  2. Are we getting the benefits?

This framework doesn’t leave any ambiguity as to where and how to start, unlike the ITIL framework. Yeah, this needs to be said: ISACA answers the “what needs to be done!” question, whereas frameworks like ITIL, MOF and their brethren are more about filling in some of the “how to do” things. As such, ISACA’s Val IT framework needs to be visualised as sitting on top of these other frameworks (and driving them), and I believe it makes sense to look at Val IT and CobiT before looking at frameworks like ITIL and MOF. We need to understand what needs to be controlled and protected before we start to run around like headless chickens controlling and protecting the wrong stuff!

Figure 1 - Val IT and CobiT

The CobiT Crevasse
So, yeah, most of ISACA’s documents and resources seem to be in orbit around CobiT (I somehow seem to like using these two words close together: “CobiT Orbit”). So, what’s this CobiT thing all about? It’s probably easiest when you compare CobiT to Val IT. Whereas Val IT revolves around “strategy” and “value”, CobiT revolves around “architecture” and “delivery”. So basically CobiT sits one level below Val IT, and frameworks like ITIL and MOF are positioned below CobiT. I know, ITIL is trying to raise the bar into strategic spheres, but it’s not there as yet, and the current ITIL v3 volume “Service Strategy” needs a major rewrite before it even comes close to Val IT’s potential.

CobiT is basically about putting programme results (as selected by Val IT) into the live environment so they (read: the individual projects) start to deliver value and keep delivering value.

CobiT covers four key domains:

  1. Plan and Organise [PO] (ensuring IT contributes to the achievement of business objectives by planning and organising the right solutions/projects)
  2. Acquire and Implement [AI] (identifying, implementing and integrating solutions/projects)
  3. Deliver and Support [DS] (delivering and supporting IT services)
  4. Monitor and Evaluate [ME] (managing and monitoring performance, compliance and governance)

CobiT’s focus is twofold, but can be summarised as providing a business focus (linking business goals to IT goals) and process focus (being able to plan, build, run and monitor IT). CobiT fulfils the business need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information. Please realise that value, risk and control constitute the very core of IT governance.

CobiT provides four domains (see above), 34 processes and a whopping 210 control objectives. Please notice the subtle difference in terminology used here: Val IT refers to management practices, whereas CobiT refers to control objectives. In all reality both tell you what needs to be done, or reading between the lines: “get your lazy bum off the chair and start to take some action!”

CobiT rocks, as it tells me exactly what needs to be done in order to be able to answer the following two key questions:

  1. Are we doing them (the right things) the right way?
  2. Are we getting them (the right things) done well?

It’s not easy, not easy at all, to write a final paragraph on this section that covers CobiT, as it merely provides you with a glimpse of its enormous potential.

Ask yourself the following questions:

  1. Do I really understand where I can gain optimal value from IT?
  2. Do I understand the financial impact and the risks that are inherently associated with IT changes?
  3. Am I able to deliver and support IT to a level that satisfies the business?
  4. Am I able to measure how, where and when IT adds value to the business and business strategy?
  5. Do I know how our business performs compared to similar organisations in my industry, and is that performance good enough?

After studying CobiT and Val IT for some time now, I’ve come to the conclusion that CobiT can actively assist you in answering the above-mentioned questions, and that’s just scraping the tip of the iceberg!

Area 51
Anyone that knows me a little bit knows I’m a huge fan of anything science fiction, and hence my interest in Area 51. Come on, who wouldn’t want to meet some three-headed green aliens, or an alien like Alf (I’m sure Alf’s producer didn’t like cats very much)? ISACA is a bit like Area 51, and those caves of Ali Baba, with all its treasures about to be unearthed. Oh, and yes, there’s another reason why I’ve called this section Area 51. At this moment of writing ISACA has announced that it will start working on the next release of CobiT – my guess is that it’s going to be called CobiT v5.0 (or ValCobiT v5.0). As CobiT v4.0 quickly got an update to CobiT v4.1, I assume the same will happen to CobiT v5.0, and voilà, we’ve landed in Area 5.1. It’s my understanding that the merger of CobiT and Val IT into one integrated framework will be a key feature of this new release. Maybe it’s time to apply some SOA (Service Oriented Architecture) principles to frameworks, and make them more flexible, modular and extensible. I recommend anyone to keep a close eye on the movements of this update, as with some of the “hows” answered, this framework has all the potential to make the gap with its competing brethren a lot wider, and you’d better make sure you’re on the right side!

The positive effects of my daily doses of caffeine are slowly but surely diminishing, so now is as good a time as ever to leave Area 51 and Ali Baba’s caves behind us. I hope some of my passion for CobiT and Val IT has come across to you. I believe these two frameworks have an enormous potential as yet undiscovered by many boards and senior executives who, not unlike most other lemmings, follow the ITIL scent. Make sure you understand and use the full potential of all these available frameworks. To those senior executives who may be reading this article, I recommend having a look at the “CobiT Related Publications - Board Briefing on IT Governance, 2nd Edition” document, available as a downloadable PDF from ISACA’s website. May the force be with you, and CobiT guard you on your path to extreme success and happiness.

Glossary of Terms

  • OGC: Office of Government Commerce
  • PMI: Project Management Institute
  • PMBOK: Project Management Body Of Knowledge
  • PRINCE2: PRojects IN Controlled Environments 2
  • ITIL: Information Technology Infrastructure Library
  • Val IT: Enterprise Value Governance of IT Investments
  • MOF: Microsoft Operations Framework
  • ITGI: Information Technology Governance Institute
  • CobiT: Control Objectives for Information and related Technology


Live long and prosper

Nanoo... Nanoo...



  2. So does this mean all the crap I've been spoon fed from your videos is pointless? Should I be focusing on Cobit and IT Val instead of ITIL?