In yesterday's post on the importance of compromise in IT governance, I shared some advice from an interview I'd done with an executive of the IT Governance Council. One of his tips was for governance teams to use a best-practices framework like the IT Infrastructure Library (ITIL) or Control Objectives for Information and Related Technology (COBIT).
Based on my (admittedly limited) knowledge of these frameworks, I think COBIT seems like a better fit for most business folks, who will probably find it easier to relate to COBIT's high-level objectives, which are contained in four broad and easy-to-understand categories: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. In contrast, I'd say most business people think of ITILand its five books of Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement, if they think of it at all, as "an IT thing."
Many organizations use more than one framework, a number of experts have told me. When I interviewed Mike Harris, owner and president of David Consulting Group and one of three authors of a new book titled "The Business Value of IT: Managing Risks, Optimizing Performance and Measuring Results," he advocated what I thought was an interesting approach of using three popular improvement methodologies: ITIL, COBIT and CMMI (Capability Maturity Model Integration). The trick, he said, is to "take the strengths of each one and to apply them in the right way."
In his book, Harris uses an analogy of three Russian nesting dolls. The outer doll is COBIT, which provides a framework for governance and control of IT providers. The middle doll is ITIL, which focuses on best practices for IT operations.The inner doll is CMMI, which focuses on best practices for systems and software development.
The doll analogy is employed to illustrate the day-to-day involvement the business can expect to have with each framework, explained Harris. Business will be most involved with COBIT, somewhat less so with ITIL, and probably far less so with CMMI. He said:
... COBIT is a business-oriented best practice. So COBIT is about the control the business should expect to have in place regarding IT. The strength and weakness of COBIT is it really only defines control points and essentially generates the climate to report and audit information at those control points. So it's perfect for monitoring information for IT governance.
Harris said COBIT's main drawback is "it doesn't really contain any best practices," which is why he thinks it's important to bring in additional frameworks. He suggested:
The business should expect to control IT through a COBIT-like structure and at the same they should do those check boxes that say "Are you following ITIL practices?"and "Are you following CMMI practices?"