How to align IT strategy to business strategy (using COBIT)

by Chris Wilken Follow me on Twitter here.

Over my consulting career, I’ve seen many organizations struggle to create an IT strategy that aligns with the business’ strategy. Most of
the times, IT develops a strategy that consists of one or more of the following:

 Reduce costs
 Integrate emerging technology
 Upgrade legacy technology
 Comply with regulations
They then come up with tactical solutions such as

 Freeze salaries for 1 year

 Reduce staff
 Consolidate our data centers
 Remove old technology
 Add in technology / processes to check an audit box
 MOBILE!!!!!!!!!!!11111111
At the end of the year, IT has done a lot of things. They may have even accomplished many of their goals. But the business isn’t happy.
The business may even decide to cut IT’s budget for next year.
Why is this?
Let’s be frank. No matter what the excuses are: “business is down,” “the economy is bad,” “the business just doesn’t get it,” the fact of
the matter is that IT didn’t achieve what the business wanted. The business did not get the value from IT that it expected. It may be
communicated differently or even indirectly, but whenever there is a reduction in IT, that means IT isn’t demonstrating the value
that the business cares about.
Why didn’t IT achieve what the business wanted? It could be many complex reasons, but I would venture a guess that it was because IT
was looking at the business’ strategy from a myopic view.

Let’s use a simple example. If the business wants to control IT costs, what’s the first thing that IT does? IT typically looks at the biggest
areas of IT expense – employee costs (or maybe hardware/software costs). So the organization works to reduce those costs. It could be
firing people, freezing salaries (which causes people to voluntarily leave), or getting rid of professional services. The problem with this
approach is that there are downstream effects that are forgotten about (or assumed will “take care of themselves”). Maybe some of IT’s
best people left when salaries were frozen. Maybe employees decide to “keep their head down” and not take risks.

While at the end of the day, the organization saves money, it does at the expense of productivity or even revenue generation.

One of the things that COBIT does it helps organizations think broader when faced with the task of reducing costs. I’ll show you how.

If you’re already familiar with COBIT, skip this section.

COBIT (version 5) is an IT Governance and Management framework. There are a lot of great IT frameworks out there. Why am I focusing on COBIT versus those?
Well, COBIT is the most comprehensive IT framework. Other frameworks only focus on parts of IT (e.g. project management, service management, architecture,
security). Also, (a little shameless self promotion here) I helped write parts of COBIT 5 and was a primary writer of COBIT 5 for Information Security.

Let’s keep this walkthrough simple and focus only on one area – controlling (containing) IT costs.

Step 1: Identify the business goal(s) you want to accomplish

COBIT 5 (C5) has a list of “Stakeholder Needs” in Appendix D (page 55) found within COBIT 5: A Business Framework for the
Governance and Management of Enterprise IT (the primary C5 family is comprised of 3 publications and this publication introduces all
the new concepts and thinking behind C5 – it is a must read if you’re going to use C5).
Within “Stakeholder Needs” there is a list of questions that business typically wants answered. One of those questions is “How do I
control the cost of IT?”

I built an Excel spreadsheet to make this exercise more efficient, so the following screen prints are from the tool. The same exercise can
be done with the book/pdf, there will just be a lot of flipping between pages.

The Enterprise Goals that map to the Stakeholder Need of “How do I control the cost of IT?”

Here’s where the COBIT magic comes in. All the people who helped build COBIT brainstormed and created a large list of stakeholder
questions, enterprise goals, IT goals, and IT processes. They debated and reduced these multiple lists into smaller, more manageable
lists. For the Stakeholder Needs, the result was 22 questions. For the Enterprise Goals, the result was Enterprise Goals.

They then associated the 22 stakeholder questions the 17 Enterprise Goals that would best answer each question.

For this example, the Stakeholder Need of “How do I control the cost of IT?” is associated with the Enterprise Goals of “Optimisation of
service delivery costs,” “Optimisation of business process costs,” and “Operational and staff productivity” as you can see in the image
above.
The rest of this effort now becomes a mapping exercise.

Step 2: Map business goals to IT goals

First we map the Enterprise Goals to IT-related Goals using Appendix B: Detailed Mapping Enterprise Goals – IT-related Goals.

IT Goals with a “P” or “S” are related to the cost reduction Enterprise Goals (highlighted in blue)

We end up with the following results:

 Optimisation of service delivery costs
Primary IT-related Goals
 Managed IT-related business risk
 Transparency of IT costs, benefits and risk
 Optimisation of IT assets, resources and capabilities
Secondary IT-related Goals
 Alignment of IT and business strategy
 Realised benefits from IT-enabled investments and
services portfolio
 Adequate use of applications, information and technology
solutions
 Enablement and support of business processes by
integrating applications and technology into business
processes
 Delivery of programmes delivering benefits, on time, on
budget, and meeting requirements and quality standards

Optimisation of business process costs

Primary IT-related Goals
 Realised benefits from IT-enabled investments and
services portfolio
 Transparency of IT costs, benefits and risk
 Optimisation of IT assets, resources and capabilities
Secondary IT-related Goals
 Alignment of IT and business strategy
 Delivery of IT services in line with business requirements
 Adequate use of applications, information and technology
solutions
 Enablement and support of business processes by
integrating applications and technology into business
processes
 Delivery of programmes delivering benefits, on time, on
budget, and meeting requirements and quality standards

Operational and staff productivity

Primary IT-related Goals
 Adequate use of applications, information
and technology solutions
 Competent and motivated business and IT
personnel
Secondary IT-related Goals
 Realised benefits from IT-enabled investments and services portfolio
 IT agility
 Optimisation of IT assets, resources and capabilities
 Enablement and support of business processes by integrating
applications and technology into business processes

Let’s continue to keep this exercise relatively simple and only focus on the Primary IT-related Goals right now. Notice that two of the
goals overlap (“Transparency of IT costs, benefits and risk” and “Optimisation of IT assets, resources and capabilities). A note about the
Secondary IT-related Goals – they don’t have as much of an impact to achieving the Enterprise Goals as the Primary IT-related Goals.
Leaving those out is a good way to reduce the scope or level of effort.
Step 3: Map IT goals to IT processes
Now, back to the mapping. We now need to map the Primary IT-related Goals to the IT-related Processes using Appendix C: Detailed
Mapping IT-related Goals – IT-related Process. This will identify the specific COBIT Processes that the organization should improve.

The results of this mapping are as follows:

4 Managed IT-related business risk

EDM03 Ensure risk optimization
APO10 Manage suppliers
APO12 Manage risk
APO13 Manage security
BAI01 Manage programmes and projects
BAI06 Manage changes
DSS01 Manage operations
DSS02 Manage service requests and incidents
DSS03 Manage problems
DSS04 Manage continuity
DSS05 Manage security services
DSS06 Manage business process controls
MEA01 Monitor, evaluate and assess performance and conformance
MEA02 Monitor, evaluate and assess the system of internal control
MEA03 Monitor, evaluate and assess compliance with external requirements

5 Realised benefits from IT-enabled investments and services portfolio

EDM02 Ensure benefits delivery
APO04 Manage innovation
APO05 Manage portfolio
APO06 Manage budget and costs
APO11 Manage quality
BAI01 Manage programmes and projects

6 Transparency of IT costs, benefits and risk

EDM02 Ensure benefits delivery
EDM03 Ensure risk optimisation
EDM05 Ensure stakeholder transparency
APO06 Manage budget and costs
APO12 Manage risk
APO13 Manage security
BAI09 Manage assets

8 Adequate use of applications, information and technology solutions

APO04 Manage innovation
BAI05 Manage organisational change enablement
BAI07 Manage change acceptance and transitioning

11 Optimisation of IT assets, resources and capabilities

EDM04 Ensure resource optimisation
APO01 Manage the IT management framework
APO03 Manage enterprise architecture
APO04 Manage innovation
APO07 Manage human resources
BAI04 Manage availability and capacity
BAI09 Manage assets
BAI10 Manage configuration
DSS01 Manage operations
DSS03 Manage problems
MEA01 Monitor, evaluate and assess performance and conformance

16 Competent and motivated business and IT personnel

EDM04 Ensure resource optimisation
APO01 Manage the IT management framework
APO07 Manage human resources

Wow, that is a lot of IT processes that effect IT costs (30 unique processes). But if you really sit and think about it, it makes sense.
Everything in IT (and in business) is interrelated. I’ve seen it time and time again where IT cuts staff, staff is forced to “work harder,”
overworked staff then implements a change that causes an outage. There are various studies on how much the cost of an outage is, but it
varies from $5,000 – $13,000 per minute for large enterprises. If you took a shortcut approach for reducing costs, it just backfired.
This means that if you really want to be effective in controlling the cost of IT, you need to assess the effectiveness of the above IT
processes. If you improve the processes, you will reduce the costs of IT.

Step 4: Measure (or assess) the IT processes to determine which need to be improved
The steps involved with measuring (or assessing) the effectiveness of the IT processes is a post in itself. I’ll save that for next time.

Until then, I’d like to get your thoughts. Would you undertake this exercise to better approach your IT organization’s efforts? Please
leave your comments below.