Information is a major aspect of all organizations and business firms (Brooks, 2006). This information is in terms of strategic plans, organisation’s financial outlines, consumer database, investors’ information and returns on investments. Others include suppliers’ information, intelligence information collected from competitors and employees’ information.
This information forms the core of any firm and its security greatly determines the survival of the organisation in the market. As a result of this, technological revolutions especially in information technology (IT) are vital to many organizations. Many organisations struggle to fit into the dynamic and changing market within which they operate.
Breach of security as far as information is concerned may greatly affect this adaptability. As a result of this, several information security and technological frameworks have been formulated to address the issue. These are frameworks such as ISO 38500 that allow managers to directly access and control this information.
In this paper, the author is going to discuss two main information frameworks namely the Control Objective of Information and related Technologies (herein referred to as COBIT) and IT Information Library (herein referred to as ITIL). The two are IS/IT governance frameworks. In addition, the author will shed light on some technical aspects of the frameworks and an analysis of companies that use these frameworks.
Control Objective Information and related Technology (COBIT)
Control Objective Information and related Technology is an international framework for information technology (IT) governance that helps managers to address daily business challenges in terms of technical issues, regulatory compliance and business ideas. They are able to strategically address these challenges and, in the process, achieve the organizational goals (ISACA, n.d). The main objective of the framework is to control information and enhance security of sensitive data as well as IT governance.
The first edition of COBIT was launched in the market in 1996 and the latest version dubbed COBIT 5 will be made available in 2012. This version is set to incorporate the features of earlier versions of COBIT and other products of ISACA.
COBIT version 4.1 has 34 high level objectives that are streamlined from 215 control objectives of the management. The four major domains that COBIT deals with are planning and organizing, acquisition and implementation, delivering and support as well as monitoring and evaluation (ISACA, n.d).
These domains improve IS/IT governance in a business firm by enhancing the security of information and analyzing the risks that the organization’s information is exposed to.
COBIT provides a common language through which managers and IT professionals can communicate. This is given the fact that it has an aspect of ‘sharing knowledge’. The toolset operated by the framework supports IT by defining and aligning the goals of a business organization with those of information technology.
Structural Aspects of COBIT
According to ISACA (n.d), COBIT has 34 high level processes. Each of these processes has a numerical maturity level ranging from 0 to 5, where 0 is non-existent and 5 is optimal maturity. The scale is normally used as a key to evaluate the level of maturity within an organization. This is together with the level of “best practices considered” (ISACA, n.d: p. 3) and the level achieved by competitors. In summary, COBIT version 4.1 domains are as follows:
- Planning and Organizing (PO) Domain
This domain ranges from PO1 to PO10 and addresses the tactics and strategies to identify how IT can contribute to the achievement of organisational objectives. This domain also acknowledges the need to strategically manage, plan and communicate the vision of the business entity from different perspectives. This is together with the relevant parties responsible for its realisation. Key to this domain is proper organization of technological infrastructure.
- Acquiring and Implementing (AI)
This domain runs from AI1 to AI17. It provides that in order to achieve the objectives of IT, possible solutions to its shortcomings should be identified or acquired. The solutions should also be implemented and integrated into the daily business processes. Moreover, change and maintenance of COBIT systems is important as it affects the functioning of the system and its ability to achieve the organisational goals.
- Monitoring and Evaluation (ME)
Abbreviated as ME, the third domain is the shortest domain running from ME1 to ME4. It exclusively addresses improvements of any IT process by stating that it needs to be assessed on a regular basis. This is to ensure that it complies with the control requirements. ME addresses performance management, compliance to external regulations, monitoring and evaluation of internal control systems and governance.
- Delivering and Supporting (DS)
This domain tackles the concerns of actual delivery of required services. This includes security management and continuity, operational facilities, support service for users and data management. The domain runs from DS1 to DS13.
Other subsidiary domains include:
- Process Controls (PC)
This is a generic control requirement found on each COBIT process. It is identified as PCn (Process Control number). This domain works in conjunction with process control objectives. It runs from PC1 to PC6.
- Application Controls (AC)
COBIT assumes that the role of IT is to design and implement automated applications informed by the needs and requirements of the business. This subsidiary domain covers general IT controls with the help of Acquire and Implement domain. Together they create applications control.
Figure 1: A Model of COBIT Approach Domain, Arrangements and Key Functions
Source: ISACA (n.d)
IT Infrastructure Library (ITIL)
This is a strategically driven framework with a set of concepts that helps in managing, developing and operating information technology applications. ITIL serves as a platform for managers to align IT services with major business goals (ITIL, 2007). Therefore ITIL provides the linkage between operational guidelines and technical implementation of the same. It was developed by the Office of Government Commerce.
ITIL emphasises the importance of IT and how it can be customized to address the needs and requirements of a given organisation. This customization can be with respect to financial operations and strategic goals of the organisation. The aim is to ensure that IT is managed and governed effectively. ITIL is a registered trade mark in the UK. The framework is provided as a set of eight (8) topics on IT management (Brooks, 2006). The topics are as listed below:
- Service Delivery
- Service Input
- ICT Infrastructure Management
- Security Management
- The Business Perspective
- Application Management
- Software Asset Management
- Planning to Implement Service Management
It is a leading IT service management framework which is used by government agencies and other top notch institutions and organisations such as NASA, IBM and Disney. It is an indication of how IT can be used to address business expectations. It operates along five core guidelines. These include identifying consumers’ needs and IT requirements as well as designing and implementing the IT policies required. Other guidelines include monitoring and improving the IT services.
Users of ITIL enjoy a wide range of benefits which include:
- Reduction of costs associated with IT mishaps
- Improved service delivery to consumers
- Improved productivity
- Improved service delivery to third parties
- Improved use of IT skills and experience
- Reduction in operational costs due to improved resources and reduced rework.
How Does ITIL Work?
Lacy & Macfarlane (2007) are of the view that ITIL has five main service-lifecycle stages. These are Service Strategy, Service Design, Service Transition, Service Operation and finally Continual Service Improvement. These are requirements that need to be incorporated into what is known as the four P’s (perspective, position, plan and pattern).
The first stage (service strategy) is made up of business outcomes that are identified and agreed on by the management. These outcomes are critical to the success of the entity. This leads to the next stage (service design) where a solution is provided. A service delivery package (SDP) proceeds to the next stage which contains necessary items and details that will be passed on to the rest of the stages. As such, a holistic approach has to be adopted to ensure that all IT processes are consistent with the objectives of the organisation.
In the third stage (service transition), the SDP is tested, evaluated and validated. If assumptions and requirements have changed, modifications are carried out at this stage. The SDP is turned into a Service Knowledge Management System (SKMS). This is taken through the IT environment and finally into the fourth stage (service operation).
The purpose of this stage is to ensure that the services availed to consumers and end users are of high quality. It is also intended to manage applications and infrastructure thus enhancing service delivery. Weaknesses and possible failures at any of the stages are identified and addressed through continued improvement of the services provided.
The figure below vividly illustrates the five main stages that are involved in ITIL operation:
Figure 2: Five Main Stages of ITIL Operation
Adapted from: ITIL (2007)
Walt Disney Company and ITIL
Walt Disney Company has five divisions that are managed by different teams. One of its divisions (the Theme Park and Resorts) accounts for 30% of the company’s revenue. The division was on the verge of collapse before adopting efficient IT governance frameworks provided by ITIL. According to APM Group [APM] (2010), there were various challenges facing the division especially in the IT department.
One such challenge is the fact that the goals of the IT department were not aligned with the goals of the division and the company as a whole. It is the largest division in the company which is in direct contact with the clients on a daily basis. There were rampant cases of customer dissatisfaction especially when the customer care representatives were required to confirm information from the division’s database.
This problem was brought about by slow connections and at times by network blackouts. The effects of these challenges included deterioration of services offered and reduced consumer confidence. The consumers were opting for the services provided by the competitors.
Other problems included lack of security for the division’s information. The information could be easily accessed by hackers and such other third parties. There was also the difficulty in upgrading the system to reflect the changing demands of customers and the dynamic technology. These challenges affected employees’ morale, resulting in reduced productivity. Before the integration of ITIL services, the Theme Park and Resorts Division was incurring losses.
When ITIL was brought on board by the IT Service Management division in mid 2000, all this was set to change. To kick off the initiative, the division hired Mr. Glen Taylor, a former ITIL Chief Information Officer (CIO). He was tasked with the responsibility of integrating ITIL into the management system. He took three major steps to ensure that employees at Theme Park and Resorts are conversant and able to work with the new system. The steps included:
- Sensitizing the employees on what ITIL entails. The justification behind this was the fact that the employees were used to bottom-up marketing tactics. It is noted that for ITIL to work properly, executive-down marketing tactics are required. This created the need for forums such as ‘lunch and learn’ to be set up so that all employees were brought to terms with the new system.
- Instigating educational programs. This included the launch of the Foundation Training Programs on ITIL which were relevant to Walt Disney and specifically the division.
- The third step entailed the selection of ITIL experts with the ability to articulate the vision and mission of the management. The experts could also understand what ITIL version 3 entails, persuading and influencing people to work together.
By the time the division was taken through all the steps, it had fully adopted ITIL. This led to a tremendous growth in the number of customers and in gross profit. The earlier challenges were effectively tackled and as a result, Themes Restaurant and Resort acquired a competitive edge in the market. It was able to realize a huge return on investments due to the adoption of a relevant IS/IT management and governance framework that was customized and aligned to the goals and objectives of the organisation.
In conclusion, it is noted that IS/IT governance is vital to any business organisation that is willing to embrace technology. To come up with a relevant framework, the managers should first determine their IT goals and strategically integrate them with the business objectives.
The major aim of COBIT is to ensure that risks brought about by IT mismanagement have been analysed and fully addressed to enhance information security. Therefore it can be said that its main objective is proper governance of IT infrastructure and maintenance of a risk-free system. On the other hand, ITIL ensures quality and accountability of the IT framework. ITIL can be customized and aligned with the goals of both the IT department and the organization as a whole.
ITIL is said to be superior to COBIT because of its high level of competence. The latter entails evaluation, testing, validation and improvement of the framework as required by the organization. This attribute explains its widespread use across the world considering that many reputable organizations are using it.
APM Group. (2010). Case study: Disney and ITIL. Web.
Brooks, P. (2006). Metrics for IT service management. London: Van Haren Publishing.
ISACA (n.d). Cobit 4.1 domains and collaboration. Web.
ITIL. (2007). How does ITIL work? Retrieved from https://www.axelos.com/best-practice-solutions/itil.
Lacy, S., & Macfarlane, I. (2007). ITIL service transition. Chicago: The Stationery Office.