COBIT 5 clearly describes the COBIT process reference model as just “an example of a process model”. It then says that any local process model would do, if it only covers the basic governance and management objectives:
“In theory, an enterprise can organize its processes as it sees fit, as long as the basic governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.”
This means that we would have to be able to define an alternative process model that complies with this requirement of “covering the basic governance and management objectives”. If we could find that, it would make COBIT available to smaller and less complex organizations, which IMHO would be “a good thing”.
COBIT 5 lists three main governance objectives: benefits realization, risk optimization and resource optimization. Generic objectives of the larger group of management processes are not defined; COBIT only says:
“Practices and activities in management processes cover the responsibility areas of PBRM enterprise IT, and they have to provide end-to-end coverage of IT.”
The COBIT 5 core book defines processes through the following statements:
- “Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.”
- “A collection of practices influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services).”
It then says:
- “Process controls are generic control objectives…”
Looking at a description of a single process, I only find fields covering “purpose” and “goal”, but not a field for “objectives”.
The definition of objective is: “Statement of a desired outcome”.
There is no use of the term “outcome” in the practice or in the process definitions.
This leaves me with the question: “What are objectives of COBIT’s management processes?”.
These objectives would be required to demonstrate that an alternative process model complies with the COBIT requirement of “covering the basic governance and management objectives”. But where are these objectives described so I can test the alternative process model against these requirements?
My question was, however, answered by a good friend from the field of standards and frameworks, Geoff Harmer, a great expert. Geoff explained that the outcomes appear in the Process Assessment Model (PAM): Using COBIT 5 (the “PAM book”) in Chapter 3, pp. 15-114. For example, for process DSS02 Manage Service Requests and Incidents the outcomes are:
- DSS02-01 IT-related services are available for use
- DSS02-02 Incidents are resolved according to agreed-on service levels
- DSS02-03 Service requests are dealt with according to agreed-on service levels and to the satisfaction of users.
The Process Assessment Model (PAM) requires processes that are going to be assessed to be defined using a Process Reference Model (PRM), and a PRM must be conformant with the ISO 15504 Information Technology — Process Assessment’s viewpoint, and that is what the PAM book does. This means Process Purpose, Outcomes, Base Practices and Work Products (i.e., inputs and outputs) must be defined for each COBIT 5 Process.
So, in fact, the objectives and the outcomes I was looking for are there in COBIT, but they are called goals (in or Process goals (in the Enabling processes book).
Geoff goes on and then explains that what are called Base Practices in the PAM book are called Management Practices in the Enabling Processes book (or Governance Practices for the governance processes: EDM01, EDM02, EDM03, EDM04 and EDM05). Management practices are equivalent to what earlier versions of COBIT called Control Objectives.
And then I realized that COBIT is an acronym for Control Objectives for Information and related Technology.
I must admit that I’m rather lost with all of this. Actually, it supports my opinion that the IT industry is making things much more complex than they should be. After all, if you can’t explain it clearly in a few words, how is it ever going to work for us?
You can probably imagine why I prefer mathematics over IT management 😉