Session S12
Implementing COBIT® in your Organization
by
Debra Mallette, CISA, CGEIT, CSSBB
Implementing COBIT® in your organization
• Implementing COBIT Program:
– Organizational Change
– IT Governance Program
– Iterative approach to implementation
• Learning Objectives:
– definitions and context
– basic process
– lessons learned
– success factors
– risk mitigation
– how to adapt these for your organization.
• Pre-requisites:
– "COBIT Foundation Certificate"
– familiarity with ValIT and RiskIT
Why are you here (in this session)?
• Assignment?
• Champion?
• Career Advancement?
• Curiosity?
• All of the above?
• Other?
Current COBIT®
COBIT5.0®Future-C
Why implement COBIT?
How to implement COBIT – Basic Process
1. What are the Drivers?
• Pain Points + Trigger Events -> Need for Governance!
2. Where are we now?
• Define the Problems and Opportunities
• Form Powerful Guiding Team
• Assess the Current State
3. Where do we want to be?
• Define the Roadmap
• Communicate (communicate, ….)
• Define Target State and Perform Gap Analysis
4. What needs to be done?
• Develop Programme Plan
• Empower Role Players and Identify Quick Wins
• Design and Build Improvements
5. How do we get there?
• Execute the Plan
• Enable Operation and Use
• Implement Improvements
6. Did we get there?
• Realize the benefits
• Embed new approaches
• Operate and Measure
7. How do we keep momentum going?
• Review the Programme effectiveness
• Sustain
• Monitor and Evaluate
Lessons Learned
Success Factors
Risks
• Senior Management not bought in
• Lack of Enterprise policy and direction
• Cost of Improvements outweigh perceived benefits
• Lack of trust and good relations between business and IT
• Resistance to Change
• Lack of Understanding of IT Governance
• Trying to do too much at once
• IT in fire-fighting mode, not able to prioritize tasks
• Lack of appropriate IT skills in place
• Improvements not adopted or applied
• Benefits difficult to show or prove
Lessons Learned: Deal with the People
• Must assure that people in the organization
adopt, use and sustain the practices
• People, employing the practices, generate the
benefits to the organization
• Must understand, communicate, influence
and persuade people with the case for change
• Failure to establish a measurable target
Lesson Learned: Failure is Likely
The Diffusion of Innovations Model
[Figure: S-shaped adoption curve. Horizontal axis: Time. Vertical axis: % of Population Using Technology, with marks at 20%, 50% and 80%. Adopter groups along the curve: Innovator / Early Adopter, Early Majority, Late Majority, Laggards. The curve is labelled "Failure" near the 20% mark and "Success" toward the 80% mark.]
Ref: Diffusion of Innovations, 3rd Ed. by Everett Rogers; Simon & Schuster, 1995
Lesson Learned: People employing practices generate benefits to organization
Highest ROI = Effectiveness & Cycle Time to Use
Return = f(Use(Population, Effectiveness), Synergy(1/Time))
Investment = g(Infrastructure, Culture, Transition Process)
Return on Investment = (f - g) / g
[Figure: Return on Investment (vertical axis, from - through 0 to +) plotted against Time.]
Failed Transitions lose money
Lesson Learned: Improvements not sustained
SMART Implementation Goal:
• At least 80% of the target users in the
organization effectively & efficiently use the
improvement.
• There is evidence of sustained use and
improving effectiveness and efficiency.
• The organization has measurable results.
• People new to the organization, are told
what to do and learn how to do it.
Lesson Learned: Improvements not applied
Attributes of Effective Use
[Table: Level of Effective Use (1 to 5) against four attributes: Objectives, Compliance, Process, Infrastructure. Recovered cell labels at the lower levels: "None", "Avoided with Pride", "Favorably Noticed", "Formalized 'Guideline'", "Defined", "Training for Practitioners", "Some", "Documented", "Major projects", "Industry". Recovered cell labels at the upper levels: "Formalized", "More Formalized", "Looked for on Major projects", "Req'd on all major projects", "Recognized as value-added", "Valued in organization", "Par with Industry", "Prevention Focus", "Prevention & Optimization", "Org-wide Standard", "Metrics drive Improvements". The column each label belongs to did not survive extraction.]
Ref: "Key Lessons in Achieving Widespread Inspections Use" by Grady & Van Slack, IEEE Software July 1994
Lesson Learned: Benefits difficult to measure
Use => Benefits!
Question -> Metric Source
• Who is using it? -> User id's
• How often? -> Hit rate
• For what? -> Hit paths & operations
• Where in org? -> Tie to org chart
• How widespread? -> Diffusion Curve
• Users satisfied? -> User responses
• Is the use making an impact on the business? -> Correlation to business information
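Turning the question/metric pairs on this slide into something measurable, as an added example that is not part of the deck: the script below parses a constructed access log for a hypothetical governance portal, counts hits per user id, ranks hit paths and operations, counts distinct active days as evidence of sustained use, ties users to a constructed org chart to get adoption per unit, and places each unit against the deck's 20%/50%/80% diffusion marks and the 80% SMART goal. The log format, paths, user ids and org chart are all assumptions made for the example.

```python
"""Adoption metrics for a governance improvement, computed from access logs.

Added example for this deck (not the author's or ISACA's code). The log
format, the portal paths, the org chart and the user ids are constructed
for illustration; only the 80% target and the 20%/50%/80% marks come from
the deck itself.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample access log for a hypothetical governance portal.
# Format: "<ISO timestamp> <user id> <path> <operation>"
SAMPLE_LOG = """\
2024-03-01T09:02:11Z u101 /risk-register read
2024-03-01T09:05:40Z u101 /risk-register update
2024-03-01T10:12:03Z u102 /control-self-assessment submit
2024-03-02T08:30:00Z u103 /risk-register read
2024-03-02T11:45:19Z u104 /control-self-assessment read
2024-03-03T14:00:01Z u101 /risk-register read
2024-03-03T15:20:45Z u105 /control-self-assessment submit
2024-03-04T09:00:00Z u102 /risk-register update
this line is malformed and is skipped
"""

# Constructed org chart: user id -> organizational unit ("tie to org chart").
# Target users who never appear in the log still count in the population.
ORG_CHART: Dict[str, str] = {
    "u101": "IT Ops", "u102": "IT Ops", "u103": "IT Ops",
    "u104": "Finance", "u105": "Finance", "u106": "Finance", "u107": "Finance",
    "u108": "Legal",
}

TARGET_ADOPTION = 0.80  # SMART goal from the deck: at least 80% of target users


@dataclass(frozen=True)
class Hit:
    timestamp: str
    user: str
    path: str
    operation: str


def parse_log(text: str) -> List[Hit]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].endswith("Z"):
            continue
        hits.append(Hit(*fields))
    return hits


def hit_rate_by_user(hits: List[Hit]) -> Counter:
    """'Who is using it? How often?' -> hits per user id."""
    return Counter(h.user for h in hits)


def paths_and_operations(hits: List[Hit]) -> Counter:
    """'For what?' -> (path, operation) pairs ranked by frequency."""
    return Counter((h.path, h.operation) for h in hits)


def active_days_by_user(hits: List[Hit]) -> Dict[str, int]:
    """Evidence of sustained use: distinct days on which each user was active."""
    days = defaultdict(set)
    for h in hits:
        days[h.user].add(h.timestamp[:10])  # YYYY-MM-DD prefix of the timestamp
    return {user: len(d) for user, d in days.items()}


def adoption_by_unit(hits: List[Hit], org_chart: Dict[str, str]) -> Dict[str, Tuple[int, int, float]]:
    """'Where in org? How widespread?' -> (users seen, population, fraction) per unit."""
    population = Counter(org_chart.values())
    seen = defaultdict(set)
    for h in hits:
        unit = org_chart.get(h.user)
        if unit is not None:  # ignore ids outside the target population
            seen[unit].add(h.user)
    return {unit: (len(seen[unit]), population[unit], len(seen[unit]) / population[unit])
            for unit in population}


def overall_adoption(hits: List[Hit], org_chart: Dict[str, str]) -> float:
    """Fraction of the whole target population seen using the improvement."""
    users = {h.user for h in hits if h.user in org_chart}
    return len(users) / len(org_chart)


def diffusion_status(fraction: float) -> str:
    """Place a unit on the deck's diffusion curve using its 20%/50%/80% marks."""
    if fraction >= TARGET_ADOPTION:
        return "success: at or above the 80% goal"
    if fraction >= 0.50:
        return "late majority: past 50%, goal not yet met"
    if fraction >= 0.20:
        return "early majority: past 20%, momentum needed"
    return "failure risk: below 20% of target users"


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print("hits per user:", dict(hit_rate_by_user(hits)))
    print("top paths/operations:", paths_and_operations(hits).most_common(3))
    print("active days:", active_days_by_user(hits))
    for unit, (seen, pop, frac) in sorted(adoption_by_unit(hits, ORG_CHART).items()):
        print(f"{unit}: {seen}/{pop} = {frac:.0%} -> {diffusion_status(frac)}")
    print(f"overall: {overall_adoption(hits, ORG_CHART):.1%}")
```

Units whose target users never appear in the log still count toward the population, which is what keeps "How widespread?" honest: a unit with zero hits is reported as a failure risk rather than silently dropped.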
Lesson Learned: Making the case is important
Process Paradox
[Figure: Salience of the change (Background, Priority, Identity) plotted against the Investment it receives (up to Mandated). Two captions: "The case made for this change assures mind share & resources when prioritized with everything else." and "This is the case made for most capability improvements. Lack of buy-in or support is guaranteed."]
[Figure: Return (Income Generated, Income Lost, Fixed Costs Reduced, Variable Costs Reduced, Insurance) plotted against Investment (Small, Medium, Large, Mandated).]
Lesson Learned: Resistance to Change
Middle Management Black Hole
Implementation follow-through in organization:
Development->Test->Production (Service Delivery)
• Each must be resourced and managed.
• Who has what accountability and responsibility for
sustaining or service delivery activities in the COBIT
implementation?
• How do you assure the implementation is sustained
through re-orgs?
• What are the SLAs/OLAs for delivering the IT
Governance service?
• How are sustaining / service delivery functions
resourced or financed?
Risk Mitigation – List, prioritize, plan
Risks/challenges Challenge for you? Plan to address?
• Senior Management not bought in
• Lack of Enterprise policy and direction
• Resistance to Change
• Lack of Understanding of IT Governance
• Trying to do too much at once
• IT in fire-fighting mode, not able to prioritize
• Lack of appropriate IT skills in place
• Improvements not adopted or applied
• Benefits difficult to show or prove
• Cost of Improvements outweigh perceived
benefits
Change Enablement: Based on Kotter Model
Establish a sense of urgency
Form a powerful guiding coalition
Create and communicate a clear vision, expressed simply
Empower others to act on the vision, identifying and implementing quick-wins
Enable use and implement improvements/produce more change
Institutionalize new approaches
Sustain
Program Management:
1. Initiate program
2. Define problems and opportunities
3. Define roadmap
4. Develop program plan
5. Execute plan
6. Realize benefits
7. Review program effectiveness
Adapting these to your organization
Please take 10 minutes to discuss amongst yourselves:
• Your role?
• What implementation phase to start at?
• What’s your target (big Why)?
• What risks need to be managed?
• What methods to use?
• What resourcing approach?
Discussion Report out
Wrap-up:
Implementing COBIT® in your organization
Smarts and action are on the same side of the equation where the sum is success.
~Garrett Hazel
Speaker Contact Information
Debra Mallette, CGEIT, CISA, CSSBB
4460 Hacienda Dr, Building F -1039
Pleasanton, CA 94588-2761
Office Phone: 925 924 5123
Cell: 510-295-3217
debra.mallette@kp.org