ITIL 4 and COBIT White Paper
- White Paper
- Service management
May 30, 2019
In many areas of work there can be a conflict between doing the right thing and doing things right. In an IT environment, doing the right thing can be summarized as what the IT team decides to focus on to achieve the business aims. This is IT governance. When this has been decided, the IT team will focus on doing things right. In practical terms, this translates to how the IT team will carry out this task. This is IT service management.
Putting it in perspective: IT governance and IT management
There is a certain amount of confusion regarding the term IT governance. Some IT professionals mistakenly believe that IT governance is related to adhering to rules and regulations, as well as general bureaucratic tasks, that can act as an impediment to normal operations. This view of IT governance is unfair and inaccurate. The truth is that IT governance works together with IT management. IT governance ensures that IT activities and processes are aligned with the overall objective, such as enterprise priorities. IT management comprises the methods used by IT teams to meet these objectives. IT governance aims to achieve balance between IT performance and IT conformance. IT performance ensures that IT continually delivers value and meets consumers' expectations in terms of cost, functionality and so on. IT conformance ensures that all of the rules and regulations are adhered to and that all risks are appropriately managed. IT performance and IT conformance can conflict with one another. For example, an excessive focus on IT conformance would be where the IT security department enforces a stringent password policy, where all passwords must be 32 characters long, include numbers, and be changed daily. This would result in difficulties for the user. On the other hand, an excessive focus on IT performance would enforce a lax password policy where passwords never expire, require four characters, and only include numbers, which would compromise IT security. IT governance would create systems to evaluate the various options available and then select the appropriate option. Thus, IT governance is the balance between IT performance and IT conformance.
ITIL® 4 and COBIT® 2019: focusing on similar problems from different directions
IT today is a much more complex and continuously evolving entity than it was just 20 years ago. Initially, the enormous efficiency improvements brought by IT to business processes were the key driver for the increasing use of IT in many areas. The increase in the number and quality of technology led to the use of IT in more complex and critical business processes. After a short amount of time, the industry was facing increasingly complex IT, which had become ubiquitous in industry segments, business domains, and processes.
This complexity had been created due to the volume of material and the interdependencies of technologies on one another. Furthermore, there was an overabundance of stakeholders working simultaneously on the various aspects of IT design, creation, delivery, and consumption. There have been clear attempts by IT stakeholders to manage this complexity. ITIL is an example of this. Business stakeholders have also attempted to utilize IT to suit business objectives. This has been attempted through governance and control frameworks such as COBIT.
The focus of ITIL has steadily evolved over the years. Currently, its objective is to deliver value to the customer in the form of services. The key objective is to understand the parameters and needs involved in good service delivery. This is viewed from the service provider’s perspective, looking at the client or business.
The focus of COBIT has also evolved. Its key objective is to ensure services are delivering stakeholder value from a business perspective, looking at a service delivery engine.
Essentially, COBIT and ITIL are two different methods of achieving the same objective. At a certain point these two frameworks will complement each other.
Governance is normally considered the study of 'What' an organization needs to achieve, whereas management is usually about 'How' to achieve it. In other words, COBIT is the governance framework and ITIL is the execution framework.
ITIL 4 acknowledges that there are various methods of managing and implementing IT. Hence, it does not prescribe definite processes and architectures, as this may be counterproductive to the specific service delivery environment. Instead, ITIL 4 builds upon the immense pool of existing knowledge of IT service management practices present in various organizations. At the same time, it is flexible enough for organizations to use when and how they need it.
ITIL 4 advocates that any service delivery and value creation effort should consider the four dimensions of service management:
- organizations and people
- information and technology
- partners and suppliers
- value streams and processes.
The ITIL service value system consists of:
- Guiding principles: recommendations that can guide an organization in all circumstances, regardless of changes in its goals, strategies, type of work, or management structure.
- Governance: the means by which an organization is directed and controlled.
- Service value chain: a set of interconnected activities that an organization performs to deliver a valuable product or service to its consumers and to facilitate value realization.
- Practices: sets of organizational resources designed for performing work or accomplishing an objective.
- Continual improvement: a recurring organizational activity performed at all levels to ensure that an organization’s performance continually meets stakeholders’ expectations.
Figure 4.1 Service value system
The service value chain consists of six activities: plan, improve, engage, design and transition, obtain/build, and deliver and support.
COBIT has been one of the most popular options for anyone attempting to establish governance over IT service creation and delivery. COBIT also established creation through IT-enabled investments. There have been other attempts such as ISO 38500, OECD® principles, and the Cadbury report. However, these have not been as popular as COBIT, nor have they developed as large a repository of knowledge as COBIT has.
COBIT 2019 has been updated with new guidance, facilitating an easier and more intuitive implementation. This will strengthen COBIT’s continuing role as an important driver of innovation and business transformation.
COBIT 2019 prescribes six governance system principles:
- provide stakeholder value
- holistic approach
- dynamic governance system
- governance distinct from management
- tailored to enterprise needs
- end-to-end governance system.
COBIT 2019 product architecture consists of major components.
For information and technology to contribute to enterprise goals, several governance and management objectives should be achieved. These 40 governance and management objectives are grouped into five domains:
- EDM: evaluate, direct, and monitor
- APO: align, plan, and organize
- BAI: build, acquire, and implement
- DSS: deliver, service, and support
- MEA: monitor, evaluate, and assess.
To satisfy governance objectives, each enterprise needs to establish and sustain a system built from some of the below components:
- organizational structures
- principles, policies, and frameworks
- culture, ethics, and behaviour
- people, skills, and competencies
- services, infrastructure, and applications.
A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance objectives and their components. For example:
- small and medium enterprises
- information security
Organizations will need to adapt the following design factors to meet their requirements:
- enterprise strategy
- enterprise goals
- risk profile
- I&T-related issues
- threat landscape
- compliance requirements
- role of IT
- sourcing model for IT
- IT implementation methods
- technology adoption strategy
- enterprise size.
ITIL 4 and COBIT 2019: similarities in framework architecture
6.1 GOVERNANCE IN COBIT 2019 AND ITIL SVS
The ITIL 4 service value system is an example of how various components in a service provider's organization can come together to create value. One of the important components of the ITIL SVS is governance. The principles of governance as discussed in COBIT are similar to some of the concepts discussed in ITIL 4. Evaluate, direct and monitor are the basic governance components accepted by both ITIL 4 and COBIT 2019.
6.2 GUIDING PRINCIPLES
Figure 6.1 Guiding principles
The 7 guiding principles of ITIL 4 should be considered in all areas of an organization. Some of the guiding principles in ITIL 4 have a close relationship with the governance system principles described in COBIT 2019 such as:
Focus on value: the ITIL 4 guiding principle of focus on value is compatible with the COBIT 2019 governance principle of delivering stakeholder value. Both principles focus on value creation for the relevant stakeholders.
Think and work holistically: the ITIL 4 guiding principle of think and work holistically is compatible with the COBIT 2019 governance principle of end-to-end governance system. Both principles state that value cannot be delivered by working in isolation but can only be created by focusing on all of the components that the enterprise puts in place to achieve its goals.
Progress iteratively with feedback: the ITIL 4 guiding principle of progress iteratively with feedback has some similarity with the COBIT 2019 governance principle of dynamic governance system. Both principles acknowledge that the management framework will be revised during its lifetime in response to a changing business environment.
Synergy in components of the governance system and dimensions of service management
ITIL 4 reinforces the principle that value cannot be created by independently implementing either processes or technology. The value creation must be brought about holistically to include the four dimensions of service management. These dimensions complement some of the COBIT 2019 components of the governance system. Interestingly, COBIT does identify partners/suppliers as one of the components of a governance system.
Figure 7.1 Interaction between governance system and service management
Organizations and people: this dimension is closely associated with the COBIT 2019 components of organizational structures and people, skills, and competencies.
Information and technology: this dimension is closely related to the COBIT 2019 components of information and services, infrastructure, and applications.
Value streams and processes: this dimension is closely related to the COBIT 2019 components of processes and principles, policies, and procedures.
Synergies between ITIL service value chain and COBIT goals cascade
To create value, the six activities of the ITIL service value chain draw upon other organizational components. These activities are non-linear, and do not have a definite sequence or definite start and end points. The value creation journey will be different for every value creation instance. A similar concept can be observed in the COBIT 2019 governance and management objectives.
The localization and customization of service value chain is a key point emphasized in ITIL 4. The requirements that need to be met must be determined before embarking on a service value chain for value creation. This will determine the sequence of activities.
A similar process ensures the localization and customization of the application of COBIT through a goals cascade methodology. The organization must understand what the enterprise goals and priorities are before embarking on the application of governance controls and processes. There are 13 such enterprise goals identified in COBIT 2019. Once selected, they can be mapped on to the alignment goals, of which there are 13, that IT is expected to achieve to contribute to value creation. These alignment goals, of which there are 40, can then be used to decide which governance objectives need to be worked on to improve the governance systems within the organization.
The similarities between the two frameworks can be observed at a very high level. Both frameworks consider business objectives and focus on value creation as a starting point. Yet, they are both trying to achieve a different purpose.
Synergies between ITIL service value chain activities and COBIT domains
ITIL 4 service value chain activities will use different combinations of ITIL practices to create value. This is fairly similar to the governance and management objectives in the five domains in COBIT.
COBIT align, plan, and organize and ITIL service value chain plan activity: these two frameworks complement each other as the grouped processes/practices focus on all of the planning activities within an organization, such as projects, services, enterprise architecture, and so on.
COBIT build, acquire, and implement (BAI) and ITIL service value chain design/transition build/obtain activity: COBIT domain BAI complements ITIL SVC activities of design/transition in areas such as requirement definition, availability, capacity, and so on.
COBIT domain BAI also complements ITIL SVC activities of build/acquire in areas such as managed IT assets, configuration, solution acceptance, and so on.
COBIT deliver, service, and support (DSS) and ITIL service value chain deliver and support activity: these two are perhaps the most complementary activities in COBIT and ITIL 4. Both focus on areas such as service requests, problems, incidents, and so on.
Synergies in ITIL practices and governance management objectives
Both ITIL 4 and COBIT are frameworks that have similar objectives yet attain them through different perspectives. One-to-one mapping of processes is neither possible nor advisable. However, there are certain similarities that can be used to complement one another.
COBIT has taken an open approach in articulating the scope of its influence. When necessary, it also does not shy away from guiding users to other appropriate frameworks, standards, and processes. COBIT 4.1 and COBIT 5 have a related guidance outline. COBIT 2019 takes a step further in this direction. In the description of governance and management objectives, each objective points to a ‘related guidance’ and ‘detailed reference’. Hence, it has become easier for practitioners to combine the governance directions from COBIT with the activities in ITIL to create a comprehensive solution. Nonetheless, in the current version of COBIT 2019 each objective is mapped to ITIL v3 processes.
The below table is a high-level overview of how COBIT 2019 governance and management objectives are mapped to ITIL 4 practices. It should be noted that this is a very high-level chart showing similarities and should not be considered as an exact cross-reference of all of the content/activities within both of the frameworks. Its intention is to show how the implementation of ITIL practices in an organization will support governance implementation efforts.
| COBIT 2019 Governance and Management Objective | ITIL 4 Practices |
|---|---|
| Ensured risk optimization | |
| APO02 Managed strategy | Strategy management |
| Managed enterprise architecture | |
| Managed budget and costs | Service financial management |
| Managed human resources | Workforce and talent management |
| Managed service agreements | Service level management |
| | Information security management (partial), Risk management |
| Managed requirements definition | Business analysis, software development, and management |
| Managed solutions identification and build | |
| Managed availability and capacity | Availability management, capacity, and performance management |
| Managed organizational change | Organizational change management |
| Managed IT changes | |
| Managed IT change, acceptance, and transitioning | Release management, deployment management |
| | IT asset management |
| | Service configuration management |
| | Infrastructure and platform management (partial) |
| Managed service requests and incidents | Incident management, service desk, service request management |
| | Service continuity management |
| Managed security services | Information security management |
| Managed performance and conformance monitoring | Continued improvement, measurement and reporting |
| Managed system of internal control | Information security management (partial) |
| | Measurement and reporting (partial) |
ITIL 4 and COBIT 2019: how they are different
COBIT 2019 focuses on the overall enterprise when creating and managing the governance system. On the other hand, ITIL 4 focuses on even the smallest opportunities of value creation between service providers and service consumers. Thus, COBIT 2019 is concerned with the system, whereas ITIL 4 is concerned with every process within the system regardless of its size.
ITIL 4 has continuously developed by applying an active and modular approach towards IT service management.
Consequently, ITIL 4 can be used by any organization to manage and improve its IT services at all levels and at any size.
COBIT 2019 is equally comprehensive in its coverage of IT governance. However, unlike ITIL 4 it would be difficult to scale down COBIT 2019 for use in a smaller organization. Yet, ITIL 4 and COBIT 2019 have been created for different purposes, so it would be unrealistic to expect them to apply to the same situation.
Organizations need to take a comprehensive view of IT services and govern them with the assistance of a robust governance framework. Moreover, the framework will need strong support from the top of the organization to achieve its aims.
I once worked on an interesting project in a large government organization using multiple frameworks: ITIL Service Delivery, CMMI for Application development, PMBoK for Project Management, TOGAF for enterprise architecture, and so on. Each department was satisfied with their own management framework. However, senior management was finding it difficult to create an enterprise-wide performance picture for enabling strategic decisions. We successfully used COBIT as an integrator framework to correlate and map the other frameworks and projects to the enterprise-level performance dashboard without disturbing the other frameworks already in use.
Further details can be found at http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.aspx
[Accessed on 23 May 2019]
It is evident that COBIT 2019 can work in harmony with ITIL 4 in any complex IT environment. In particular, the implementation of a COBIT governance system will be greatly supported by the existence of ITIL 4 practices in that IT environment.
Whereas COBIT 2019 focuses on governance of enterprise IT, ITIL 4 focuses on management and execution of IT in the enterprise for value creation. Enterprises should use COBIT 2019 for deciding the ‘what’ part of the IT service value equation and should depend on ITIL 4 for seeking answers to the ‘how,’ ‘when,’ and ‘where’ questions.
Both frameworks can be applied in a specific environment to work together. The presence of one in a certain environment will benefit the implementation of the other.
AXELOS (2019). ITIL® Foundation, ITIL 4 edition. London: The Stationery Office
ISACA (2018). COBIT® 2019 Design Guide. Schaumburg: ISACA
ISACA (2019). COBIT® 2019 Framework: Introduction and Methodology. Schaumburg: ISACA
ISACA (2018). COBIT® 2019 Implementation Guide. Schaumburg: ISACA
Vyas, V, GEIT. Al Ghaith, J. Al Yaqoobi, A, PMP. Hasan, SJ. (18 January 2016) Dubai Customs COBIT 5 Implementation. COBIT Focus, [online]. Available at: http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.aspx [Accessed 20 May. 2019]
About the author
Vishal is Chief Solutions Officer at Knowlathon, heading global consulting and coaching practice on IT Governance and IT Service management. He has delivered sessions and projects in over 24 countries over 15 years. He is passionate about coaching teams and organizations on ITSM, IT governance, and risk management to co-create unique solutions for complex and challenging environments. Vishal is especially adept at mentoring consultants and instructors to deliver high impact sessions and consulting assignments. He also actively participates in industry forums to create knowledge resources for advancement of public knowledge and understanding of best practice frameworks.