IT Governance Frameworks

COBIT ( Control Objectives for Information and Related Technologies )and ITIL (Information Technology Infrastructure Library) are popular frameworks used for governance in IT Service Management (ITSM). Individually, they look at the Information Technology (IT) enterprise through a slightly different lens. When utilized together, they offer guidance for the effective management of IT services.

Given their respective similarities, let’s talk about the differences. ITIL is a framework that enables IT services to be managed across a lifecycle or service value chain. Conversely, COBIT supports enterprise IT governance to derive the business’s maximum value through IT investments while optimizing resources and mitigating risks.

COBIT

COBIT is a methodology that connects business strategic outcomes to IT strategic outcomes, incorporating feedback and tasks to IT and the business stakeholders. COBIT provides the resources (Frameworks, Process Descriptions, Control Objectives, Management Guidelines, and Maturity Models) to build, monitor, and improve its implementation while reducing costs, establishing and maintaining standards, and providing structure and oversight to IT processes.

5 guiding principles of the COBIT framework

The COBIT framework is based on these five guiding principles:

• Meeting stakeholder needs – Creating value for all stakeholders. The outputs are Benefits Realization, Risk Optimization, and Resource Optimization
• Covering the enterprise end to end – Covering all corporate processes and functions relating to data/ information flow and technologies. Ensuring the value creation and the corresponding governance encompasses the entire organization.
• Applying a single integrated framework – One set of standards to be utilized by all parties throughout the enterprise, IT, and the business.
• Enabling a holistic approach – COBIT 5 lists seven types of enablers (Principles, policies, and frameworks; Processes; Organizational structures; Culture, ethics and behavior; Information; Services, infrastructure, and applications; and People and skills and competencies all working together to provide one all-inclusive approach.
• Separating Governance from Management – Many organizations struggle with this aspect. There is no segregation of duty and no support – from executive leadership – for a holistic approach to governance.

ITIL4

With COBIT focused on governance, ITIL sees things through a different lens, which incorporates management. In ITIL4, governance is on full display as one of the four elements (along with Guiding Principles, Practices (Processes), and Continual Improvement) of the Service Value System, which transform the Service Value Chain into a value created for the customer. The Service Value Chain weaves through the traditional ITIL Service Lifecycle to knit pieces of every Service Lifecycle phase to create value for the business customer in the form of products and services. These four elements – which include Governance – enable the Service Value System to be consumable in a collaborative manner. This example of a Service Value Chain should help. An organization wishes to deploy a new code enhancement using DevOps. The ability to define strategy, design the solution, test the new functionality, deploy, record Incidents, fix the code, test the fix, deploy, measure, and record Incidents outstanding is a gamechanger for ITIL. Notice how this Service Value Chain weaves through the traditional Service Lifecycle. To gain total value from this Service Value Chain, the Service Value System’s four elements must be present. We need the Guiding Principles, Governance, Practices (Processes), and Continual Improvement to create a standardized output for the business customers in the form of value.

ITIL vs. Cobit

While COBIT tries to govern all the processes throughout an organization, ITIL uses governance to provide value to all stakeholders. When examining each framework, they appear similar, with similar aspects of the ITIL v3 Service Lifecycle. But we must understand that the expected outcomes are different. As stated above, COBIT wants end-to-end governance while ITIL V4 is seeking business value creation. They can co-exist, however.

An organization may use these frameworks in concert to govern the environment. Only very mature organizations with mature processes (practices) should entertain the thought as there may be confusion from users and stakeholders. Since each framework has a unique list of processes – with a significant overlap – an organization may use a “best of breed” to gain maximum results. For example, COBIT is much more robust in Supplier Management, Continuity, and Security, among others. At the same time, ITIL4 (and ITIL v3, for that matter) are better in the areas of what ITIL4 calls “General Management Practices” like Strategy Management, Architecture Management, Service Financial Management, Workforce, and Talent Management, Continual Improvement, Organizational Change Management, and Relationship Management. The two frameworks are robust in traditional control areas (Change Management, Configuration Management, and Asset Management). At the same time, COBIT is more vital in areas needing more control where ITIL4 lacks, and ITIL4 is more robust in the areas needing collaboration with stakeholders, especially from the business.

Neither framework, ITIL4, nor COBIT should be prescribed for a given organization. There should be requirements documented with goals and outcomes defined, then mapped to the application framework.