COBIT – Government Case Studies

COBIT and IT Governance Case Study: Region of Peel

Using COBIT as a Powerful Tool for Enhancing IT Governance and Service Orientation

ABSTRACT

Information and technology represent two of the most valuable assets of the Region of Peel (Ontario, Canada), and leaders recognized the need for information technology (IT) to be governed based on value, risk and control. Because of the financial significance of IT investment and other factors, the Region’s Chief Information Officer (CIO) and the Director of Internal Audit agreed that an overall assessment should be conducted using version 4.0 of the Control Objectives for Information and related Technology (COBIT) framework from the IT Governance Institute (ITGI). Internal Audit hired the Manta Group, through a competitive request for proposal process, to conduct an assessment of the Region of Peel Information & Technology Services (I&TS) division. COBIT was selected because it is an international governance framework that provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts from around the world and are strongly focused on control, and less on execution. Peel Region’s experience with COBIT exceeded the organization’s expectation.

BACKGROUND

Situated in the heart of southern Ontario’s (Canada) major urban centres, the Region of Peel is the second largest municipality in Ontario, with a population of more than one million. Peel has undergone a major transition during the past few decades. Rapid population growth and commercial development have transformed what was primarily a rural area of farms and villages into a dynamic blend of urban, industrial and residential areas.

In 1974, the Regional Municipality of Peel was incorporated based on the principle that certain community and infrastructure services, such as public health, paramedic services, police, roads, water and sanitary sewers and waste collection, are more cost-effectively administered over a larger geographic area. Peel Region is governed by the Regional Chair and a 24 member Council, representing its member municipalities: the cities of Mississauga and Brampton and the town of Caledon. Responsible management, innovative programs and responsiveness to the needs of the people have been key factors in the economic growth and development of the Region of Peel.

The Region of Peel has more than 5,000 employees and is comprised of six departments plus Peel Regional Police that work together to deliver programs and day-to-day services to Peel residents, including police and paramedic services, health care, long-term care, child care, solid waste collection and recycling, water and waste water treatment, road construction and maintenance, and social housing.

Information and technology represent two of the most valuable assets of the Region of Peel, and leaders recognized the need for IT to be governed based on value, risk and control. Peel Region’s Internal Audit Work Plan for 2006 included a review of its Information and Technology Services (I&TS) division. Due to the financial significance of IT investment, length of time since the last review and the rate of change in IT, the Region’s Chief Information Officer (CIO) and the Director of Internal Audit agreed that an overall assessment should be conducted using version 4.0 of the Control Objectives for Information and related Technology (COBIT) framework from the IT Governance Institute (ITGI).

To ensure independence was maintained, it was agreed that a COBIT assessment would be conducted by a consultant with COBIT expertise and the project would be sponsored by Internal Audit. Internal Audit hired the Manta Group, through a competitive request for proposal process, to conduct an assessment of the Region of Peel I&TS division. The firm has expertise in IT governance and has found it to be a strong differentiating factor for its clients. The current global, networked business environment now demands that IT improve organizational processes via well-defined controls and measurements.

The Manta Group, which was founded in 2003 with the goal to unleash the power of IT investment through governance, uses COBIT widely in its service offerings wherever IT governance is involved. In fact, the Manta Group organizes its service-offering structure around the four COBIT domains. Very early in its formation, the Manta Group founders decided to use COBIT as the governance framework. As such, the company has three years of solid experience using COBIT within government, retail, media and finance sectors in Canada.

The Manta Group offers four sets of main consulting services: governance, portfolio management, service management, and risk and compliance. As a boutique management consulting firm, the Manta Group uses publicly available best practices and standards such as COBIT, ITIL, PMBoK, NIST and ISO. The Manta Group is a privately owned corporation and is owned by its three founding partners: Will O’Brien, Ash Allagh and Fariba Anderson. The Manta Group has annual revenue of CAN $4.5 million.

PROCESS

Peel Region has used COBIT as the basis of an assessment project to:

  • Assist Internal Audit in developing the work plan for future IT audit projects
  • Provide the executive management team with an overall assessment of the current maturity level of information technology at the Region of Peel
  • Identify areas that require attention enabling I&TS to focus its efforts

All departments were exposed to COBIT during the assessment, which provided a valuable introduction to IT governance and the breadth of IT responsibilities.

To obtain support of senior management for COBIT-related initiatives, the Peel Region Internal Audit division, in conjunction with Peel Region I&TS division, jointly decided that COBIT would provide a comprehensive framework for the assessment of IT functions and services. The Manta Group’s COBIT assessment framework is designed to assist senior management teams in organizations to leverage the power of the COBIT governance framework for activities such as audit and assessment.

COBIT was selected because it is an international governance framework that provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts from around the world and are strongly focused on control, and less on execution.  An assessment against these practices assists management in identifying strategies to close the gaps, optimize IT investments, ensure effective service delivery and also provide a measure against which to judge when things go right as well as ensuring a consistent approach to auditing control processes end to end across the IT organization.

COBIT is such an effective governance framework because of its coverage footprint and its result-/outcome-oriented approach where every task and action is measured by a specific contribution to a goal. The Manta Group has not been able to identify any other governance framework that provides a complete and concise model for governing investment in IT.

DEVELOPMENT OF A COBIT ASSESSMENT FRAMEWORK

The Manta Group developed its COBIT Assessment Framework in response to the needs of organizations to accelerate assessment and reduce the costs of adopting COBIT. The framework uses a high insight-to-effort methodology tailored to each organization. It facilitates rapid assessment and consensus on undercontrolled targets for quick-win results by analyzing customer demand for technology against risks and capabilities to determine which areas of COBIT will deliver the most value.

Business demand drivers (which detail “who cares?”) are evaluated for each of the 34 COBIT processes. Consequence drivers (which address “so what?”) and mitigation drivers (focusing on “now what?”) are considered for each of the 34 high-level control objectives and all 215 detailed control objectives. Finally, each of the 34 processes is evaluated for responsibility and relevance. The approach is aimed at not just assessing existing maturity but determining what level of maturity is desirable and, more important, why.

This approach provides the following benefits:

  • Structured access to COBIT through a provided base of illustrative concerns keyed to each of COBIT’s 34 control objectives and 215 detailed control objectives
  • Evaluation of the severity of the risks, concerns and problems mitigated by COBIT high level and detailed control objectives
  • Efficient assessment of current practices against COBIT maturity level definitions
  • Full use of detailed control objectives as a system of cross-reference reality checks and validation
  • Ability for personnel without substantial knowledge of COBIT or IT to participate and contribute meaningfully in the assessment
  • Facilitation and generation of consensus and understanding among IT and business personnel involved in the assessment
  • Fully transparent methodology that facilitates knowledge transfer and continued use of the model
  • Provision of clear, concise reports for management utilizing the graphics and quadrant reports

COBIT ASSESSMENT PROJECT

The assessment project was sponsored by Peel Region’s Internal Audit department and included a steering committee and a project team. Representation from across the Region was included in both groups. The project team was comprised of 17 participants who were predominantly managers from all departments. The steering committee included seven directors representing all departments.

The steering committee participated in workshops to assess business demands and to review and validate the findings of the project team. The workshop assessment results for the maturity levels of information and technology services at the Region were compared to ISACA benchmarking for public sector organizations.

The assessment was conducted in a workshop environment where there was a balanced perspective provided by a team of stakeholders and I&TS management. The framework of the assessment required the project team to partake in a series of interactive self-evaluation sessions that analyzed the potential consequences and risk mitigation factors.  Assessment results were validated by the steering committee to ensure areas relevant and important to I&TS were being addressed.

GAP ASSESSMENT

At the end of the workshops and after review by the steering committee, six of the 34 COBIT control objectives were selected for gap analysis and recommendations. The gap analysis took into consideration COBIT goals, measurements and activities to ensure that the control objectives selected were relevant to the current and future demands of the Region and addressed potential concerns over what could go wrong. Based on the results of this analysis, the Manta Group provided guidance with developing specific recommendations for these six control objectives to mitigate the gaps.

Each of the six control objectives selected requires varying levels of approved funding, effort and commitment to implement recommendations that will address the gaps. A rating of the effort required for each was developed as follows:

  • PO2 Define the Information Architecture—Significant Effort
  • AI4 Enable Operation and Use—Reasonable Effort
  • AI6 Manage Change—Long-term Effort
  • DS1 Define and Manage Service Levels—Significant Effort
  • AI4 Ensure Continuous Service—Reasonable Effort
  • ME1 Monitor and Evaluate IT Performance—Long-term Effort

The results of the assessment are intended to:

  • Provide the executive management team with an overall assessment of the current maturity level of information technology at the Region of Peel
  • Identify areas that require attention enabling I&TS to focus its efforts
  • Provide a road map of recommended improvements and changes to close the gaps in areas that require attention
  • Assist Internal Audit in developing the work plan for future audit projects

CONCLUSION

Information and technology is an integral part of all businesses at the Region of Peel.  As such, most audit projects place some reliance on reviewing information and technology processes and controls. The results of this review have provided a framework that can be used in future audits. 

The Region of Peel has a very responsive and proactive group of IT professionals who embraced the idea of using COBIT to assess I&TS governance and identify areas to improve. The ability of participants to consider and discuss differing perspectives from various departments and cooperatively arrive at a consensus was a crucial factor in the success of the project.

Overall the assessment provided stakeholders throughout the Region of Peel with an appreciation of the complexities of providing information and technology services. The assessment workshops facilitated by the Manta Group were very successful and have provided a road map of recommendations for improvement. 

The interactive nature of the workshops was particularly valuable. With the steering committee and project team representing people from across the organization, the discussion in the workshops promoted consensus and understanding of the differing perspectives of various departments.

Peel Region has used the outcome of the COBIT assessment to assist the municipality with the improvement of IT governance to better meet the demands, priorities and needs of Peel citizens.

The COBIT assessment included participation from major stakeholders of IT services and, as such, provided an excellent platform for key decision makers to attain a comprehensive understanding of IT contributions to Peel Region. The assessment also identified areas of opportunity where IT and its users could focus on specific improvements to leverage the power of IT to service Peel citizens more effectively. Management action plans generated from the assessment recommendations were:

  • Develop a strategy and process to address information architecture and conduct an investigation into options
  • Revise project management methodology for information and technology projects to include specific practices to address operation and use
  • Implement risk assessment and configuration management processes as part of Peel Region’s IT change management processes
  • Develop an enhanced service level agreement for information and technology services, including service standards and performance targets that are meaningful and relevant to clients
  • Complete a business impact assessment to identify and confirm service continuity requirements for all information and technology applications and services
  • Identify appropriate performance and activity measurements with the input of stakeholders and develop and implement processes for gathering and reporting information to monitor and evaluate IT performance

During the assessment project, results of the workshops were vetted with the Chief Administrative Officer (the most senior staff position in the Region of Peel) to validate that the business demand analysis matched Peel’s vision of improving the service value chain. The results and recommendations were also presented to the Audit Subcommittee, a subcommittee of Regional Council.

The Manta Group will also present the approach used in the COBIT assessment at Peel Region to the Municipal Internal Auditors Association of Ontario as a model of best practices.

Peel Region’s experience with COBIT exceeded the organization’s expectation. The approach the Manta Group deployed to assess 34 control objectives and supporting 215 detailed objectives with 24 representatives from key business areas of Peel resulted in:

  • Detailed evaluation of what activities and goals for each COBIT process are of value to Peel Region, the degree to which they are in place or embraced and the effort that would be required to implement and incorporate those of value
  • Assessment results that generate recommendations and management action plans
  • A time-efficient but comprehensive introduction to COBIT 4.0 for workshop and steering committee participants

Source: http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/ContentManagement/ContentDisplay.cfm&ContentID=35436 

