Assessment of IT Operations Leveraging Industry Standard Frameworks*: An Overview

*COBIT 5, ITIL, CMM, other

Upload: nguyentruc

Post on 11-Mar-2018


Speaker Biography

Sameer Gupta is a director in KPMG's Management Consulting Practice and has over 25 years of IT strategy, sourcing, transformation, reengineering, and operations improvement experience. He has worked closely with CXOs of multiple Fortune 1000 companies to help align their sourcing, organization and governance strategy with their corporate goals. He has worked on a number of initiatives to help lower the TCO while improving customer focus. His experience includes assessment, definition, implementation, management and optimization of these strategies.

Agenda

• Overview – 45 minutes
  – Defining IT Enterprise
  – Defining Stakeholder Value
  – Exercise: Current Challenges
  – Aspects of Mature IT
  – Value of Mature IT
  – IT Maturity Assessment Model Frameworks
  – Steps in a Maturity Assessment
  – Maturity Levels
  – When to do a Maturity Assessment?
  – What do you need to conduct an assessment?

• Application Exercise – 15 minutes
  – Identify top 4 challenges in your IT organization
  – Align Maturity Gaps with Challenges

• Exercise Discussion – 15 minutes
  – Sample Outputs

• Additional Considerations – 15 minutes
  – Capability Importance
  – Typical Next Steps
  – Wrap Up

Defining the IT Enterprise

• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Enterprises maintain quality information to drive business decisions
• Generate business value from IT-enabled investments
• Maintain IT-related risk at an acceptable level
• Optimize the cost of IT services and technology

[Figure: Stakeholder Drivers and Enterprise Goals. Stakeholder Drivers (Environment, Technology Evolution…) influence Stakeholder Needs: Value (Benefits Realization, Risk Optimization, Resource Optimization), which cascade to Enterprise Goals, IT-related Goals and Enabler Goals. Source: COBIT 5 Introduction]

[Figure: IT Enablement Services. Central IT Services, Personal Computing Services, Back-Office Applications Services and Business Applications Services, shown with IT Customers and IT Suppliers.]

Source: COBIT® 5, © 2012 ISACA®

Delivering Stakeholder Value

Business Direction, Structure and Corporate Governance

[Figure: Owners and Stakeholders, Governing Body, Management, and Operations and Execution, linked by Delegate / Accountable, Set Direction / Monitor, and Instruct/Align / Report. Service activities shown: Govern Services, Manage Services, Develop Services, Deliver Services, with IT Customers and IT Suppliers.]

COBIT 5 Principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End to End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

Source: COBIT® 5, © 2012 ISACA®; COBIT 5 Introduction

Exercise: IT Organization Challenges

1. Customer not satisfied
2. IT not cost efficient
3. Unfilled improvement opportunities
4. Systems not stable
5. Inadequate controls
6. Projects not delivered on-time
7. Technology not up-to-date
8. Lot of open positions
9. Redundant applications
10. Risk concerns from outsourcing
11. Lack in application functionality
12. Data centers not secure
13. Business not proactive
14. Projects quality is bad

Aspects of Mature IT

What organization capabilities to consider?

COBIT 5 Enablers

1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics & Behavior

Resources:

5. Information
6. Services – Infrastructure & Applications
7. People, Skills & Competencies

Key aspects of capability for 'getting the job done'

Source: COBIT® 5, © 2012 ISACA®

Lack of Maturity results in loss of IT Value…

[Figure (illustrative): 25-45% potential value decline, built up from contributions of 5-10% or 10-15% each from:]

• Loss in vendor governance
• Poor demand management
• Loss in executive focus
• Loss in process adherence
• Poor capacity management

…IT Value can be gained by improving Maturity

By improving maturity, IT organizations may realize additional significant value gain, as they move up the value chain and focus beyond efficiency and deliver an effective service delivery organization.

[Figure (illustrative): 30-50% potential value gain, built up from contributions of 5-10% or 10-15% each from:]

• Gain through faster access to innovation
• Gain through increased agility and faster time to market
• Gain through strategic vendor relationships
• Gain through better change management
• Gain through business aligned change initiatives

IT Assessment Frameworks: ITIL and CMMi

• ITIL – a framework for IT Service Management. It contains a set of guidelines that an IT Organization is recommended to follow based on industry best practice.

• CMMi – a framework for managing process and integrating activities across an organization.

| ITIL | CMMi |
|---|---|
| Focus on Service Management/ Operations | Focus on Software Development, Integration, Deployment & Maintenance |
| IT Operations and Services | Application Development, Infrastructure Projects |
| Address IT Operation processes like Security, Change Management, Capacity Planning and Service Desk | Primarily focused on Software Development Organizations |
| Framework for the operations and infrastructure taking a Services view | Quality standard for software development processes |

[Figure: IT Life Cycle with stages Strategy, Requirement, Design & Select, Build, Deploy, Operate, Optimize and Evolve, showing where ITIL and CMMi apply.]

COBIT 5: Enabling Processes

Added/ Updated from COBIT 4:

• APO03 Manage enterprise architecture.
• APO04 Manage innovation.
• APO05 Manage portfolio.
• APO06 Manage budget and costs.
• APO08 Manage relationships.
• APO13 Manage security.
• BAI05 Manage organisational change enablement.
• BAI08 Manage knowledge.
• BAI09 Manage assets.
• DSS05 Manage security service.
• DSS06 Manage business process controls.

Source: COBIT® 5, © 2012 ISACA®

IT Maturity Assessment: Understand Business Expectations from IT

Before undertaking an assessment, gain understanding of the overall business, objectives, strategies, plan, and business model and the role that technology has in supporting the business in order for the assessment to be meaningful and useful.

[Figure: business expectations supported by IT Services.]

• Business expectations: Product Innovation, Business Intelligence, Business Agility, Cost Containment, Capacity Management, Quality Improvement, Process Transformation, New Market Entry, Process Efficiency, Stable Operations
• IT Services: Back-Office Applications Services, Business Applications Services, Personal Computing Services, Central IT Services

Select an Assessment Framework

[Figure: Sample Framework. Labels shown, row by row:]

• Business Direction, Structure and Corporate Governance
• Information & Systems Strategy; Portfolio Management; Governance Management; Business/ IT Alignment; Enterprise Architecture; Benefits Management
• IT Service Management; Information Security Management; Resource Management; IT Performance Management; IT Financial Management; IT Management
• Program Management; Opportunity Development; Solutions Development; Systems Development; Applications Management
• Configuration Change; System Availability; IT Service Support; Service Delivery; Infrastructure Management
• At the sides: IT Customers; IT Suppliers; Relationship Management; Vendor Management

Step One – Select a Process Breakdown

• The first step in the process involves deciding how to break the big problem into a smaller set of activities. This usually involves selecting an "IT process framework" as the starting point.

[Figure: Sample Framework under "Business Direction, Structure and Corporate Governance", with a Partial Mapping to COBIT 5:]

• Information & Systems Strategy (APO01, APO02)
• Portfolio Management (APO05)
• Governance Management (MEA01, MEA02, MEA03)
• Enterprise Architecture (APO03)
• Benefits Management (EDM02)
• IT Service Management (APO09)
• Information Security Management (APO13, DSS05)
• Resource Management (APO07)
• IT Performance Management (APO11)
• IT Financial Management (APO06)
• Relationship Management (EDM05, APO08)
• Vendor Management (APO10)
• Program Management (BAI01)
• Opportunity Development (BAI02)
• Solutions Development (BAI03)
• Applications Management (BAI06)
• Configuration Change (BAI10)
• System Availability (BAI04, DSS04)
• IT Service Support (DSS02, DSS03)
• Infrastructure Management (DSS01, DSS02)

Other labels shown without a mapping: Business/ IT Alignment, IT Management, Systems Development, Service Delivery, IT Customers, IT Suppliers.

Step Two – Schedule Discussions with Key Stakeholders

• The next step is to select who to involve in the assessment data gathering, specifically to understand current performance levels in context of the standards for performance.

[Table (SAMPLE): interviewees marked with an "x" against the process areas they cover. The column position of each "x" is not recoverable; the number of areas marked per interviewee is given in parentheses.]

Process areas (columns): Systems Strategy; Enterprise Architecture; Governance Management; Portfolio Management; Benefits Realization; Relationship Management; People & Capability; Financial Management; Performance Management; Service Management; Security Management; Vendor Management; Opportunity Development; Program Management; Solutions Development; Applications Management; Infrastructure Management; System Availability; Configuration Change; Service Support

Interviewees (rows):

IT Leadership
• Chief Information Officer (CIO) (9)
• Chief Technology Officer (CTO) (9)
• Application Manager (15)
• Operations Manager (9)

Business Leadership
• Chief Executive (CEO) (7)
• Chief Financial Officer (CFO) (7)
• Enterprise Risk Officer (4)
• Key Business Stakeholders (11)

Step Three – Compare Performance to Standards

• Once the right stakeholders are involved, a facilitated process occurs. This can be done by using surveys, interviews or facilitated workshops to compare current activities to standards for the IT process.

Understand IT Role
- External Forces
- Internal Business Considerations
- Current IT Strategy

Assess IT Capabilities
- IT controls
- IT process guidelines
- Integrated approach

Develop Recommendations
- Prioritize Improvement Areas
- Recommendations
- Roadmap

Defining Maturity Levels – Typical Levels

| COBIT 4.1 MM Levels | Capability Levels Based on ISO/IEC 15504 | Meaning of the Capability Levels Based on ISO/IEC 15504 | Context |
|---|---|---|---|
| 5 – Optimizing | 5 – Optimized | Continuously improved to meet relevant current and projected enterprise goals | Enterprise view/corporate knowledge |
| 4 – Managed and measurable | 4 – Predictable | Operates within defined limits to achieve its process outcomes | Enterprise view/corporate knowledge |
| 3 – Defined | 3 – Established | Implemented using a defined process that is capable of achieving its process outcomes | Enterprise view/corporate knowledge |
| N/A | 2 – Managed | Implemented in a managed fashion (planned, monitored and adjusted) with appropriately established, controlled and maintained work products | Instance view/individual knowledge |
| N/A | 1 – Performed | Achieves its process purpose | Instance view/individual knowledge |
| 2 – Repeatable; 1 – Ad hoc; 0 – Non-existent | 0 – Incomplete | Not implemented or little/no evidence of any systematic achievement of the process purpose | |

Exercise: Assessment Drivers

When to conduct a Maturity Assessment?

• New Leadership

• Major Business/ IT Transformation

• Audit Recommendation

• Major Outsourcing Transformation

• Cost Optimization

• Risk Assessment

• Ongoing

What do you need to conduct an assessment?

• Value of Portfolio Management
• Key Process Components/ KPIs
• Questionnaire/ Evidence
• Maturity Framework

Application Exercise

Identify top 4 challenges in your IT organization

1. Customer not satisfied
2. IT not cost efficient
3. Unfilled improvement opportunities
4. Systems not stable
5. Inadequate controls
6. Projects not delivered on-time
7. Technology not up-to-date
8. Lot of open positions
9. Redundant applications
10. Risk concerns from outsourcing
11. Lack in application functionality
12. Data centers not secure
13. Business not proactive
14. Projects quality is bad

Review IT Maturity Model: Align with Challenges

[Figure: the sample IT maturity framework under "Business Direction, Structure and Corporate Governance", showing the Business/ IT Alignment, IT Management, Systems Development and Service Delivery capabilities, with Relationship Management, Vendor Management, IT Customers and IT Suppliers at the sides.]

Staying Pragmatic about the "Real" Pain Points

• The best IT Governance diagnostics will consider the pragmatic realities of daily IT operations. Most management practices that appear unusual will have rational reasons for existing. The table below illustrates some real-life examples.

| Symptom | Naïve Interpretation | Real Situation / Pain Point |
|---|---|---|
| Software license maintenance agreements are lapsed | • Software Purchasing not functional • Purchase upgrades; new methods to monitor maintenance | • CIO under directive from CFO to cut costs; lapses intentional to fund critical projects • Need to improve financial management and business alignment processes |
| Company paying unusually low price for infrastructure management | • IT supplier management is highly effective; no changes are necessary | • Vendor was asked to cut costs; backup and disaster recovery process was scoped out • Need to improve supplier management and value management processes |
| IT budget is significantly below industry benchmarks | • IT cost management is highly effective. • "Is this really a problem?" | • Outstanding demand, business is dissatisfied • Immature portfolio management and business alignment • "Is it really good?" |

Sample Outputs

The final report is typically an executive summary and a detailed report on the current and target states, gaps and corresponding recommendations. A high level roadmap is usually included to prioritize next steps.

Example: Summary Maturity Level Graphic

Example: Summary Roadmap

Additional Considerations

Capability Importance

• "Maturity": Degree of process and attitudinal effectiveness against the KPMG Maturity Model
• "Importance": Degree to which influences in the business demand mean that the capability will have an impact on IT's ability to deliver

[Figure: Maturity (1 to 5) plotted against Importance (1 to 5), with one region labelled "Capability too high to support the business" and another labelled "Capability insufficient to support the business".]

Typical Next Steps

[Figure: four phases, Assess, Design, Enable and Manage, with the following activities. The assignment of each activity to a phase is not recoverable from the extracted text.]

• IT Maturity Assessment
• Gap Analysis
• Future State Model Design
• Implementation Roadmap
• Service Delivery Framework
• Service Management Framework
• Transition
• Services Portfolio Management
• Detailed Operating Procedures
• Process & Tool Definition
• Change Management

COBIT 5 Implementation

Source: COBIT® 5, © 2012 ISACA®

THANKS

Sameer Gupta

Collaborate – Contribute – Connect

• www.isaca.org/knowledge-center
• The Knowledge Center is a collection of resources and online communities that connect ISACA members – globally, across industries and by professional focus – under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!