Summary
Highlights
COBIT 2019 Performance Management helps assess the effectiveness of a governance system and identify areas for improvement. It integrates concepts like capacity and maturity levels, emphasizing ease of understanding, consistency with COBIT's conceptual model, reliable results, flexibility, and support for various evaluation types (formal, self-assessment, and audit).
COBIT 5, aligned with ISO 15504 (now ISO 33000), focuses on process capacity levels. CMMI 2.0 determines both process capacity and maturity levels for sets of processes. COBIT 2019 expands on these, allowing for capacity level determination of processes and other governance system components, as well as maturity levels for focus areas. Currently, detailed guidelines primarily exist for process capacity and information security maturity.
The video details six process capacity levels (0 to 5) based on CMMI: Level 0 (Incomplete), Level 1 (Performed), Level 2 (Managed), Level 3 (Established), Level 4 (Predictable), and Level 5 (Optimizing). Each level describes the characteristics of a process's performance and management.
To determine process capacity levels, activities are evaluated using indicators: 'Fully' (F) for over 85% compliance, 'Largely' (L) for 50-85% compliance, 'Partially' (P) for 15-50% compliance, and 'Not Implemented' (N) for less than 15% compliance.
Using the COBIT framework, the video demonstrates how to set a target capacity level for a process like 'Ensure Risk Optimization' (EDM03). It explains how to mark activities as 'Fully' (F) for the desired capacity level and 'Not Applicable' (N) for higher-level activities if the target is lower, showing how different target levels (e.g., Level 2 vs. Level 3) influence which activities must be fully compliant.
The video then illustrates how to evaluate the current capacity level ('As Is') by assigning a percentage of compliance to each activity. This process reveals gaps between the current and objective compliance, highlighting areas that need improvement, shown as 'breaches' within the tool. The overall process capacity is determined by evaluating all relevant activities.
Similar to capacity levels, six maturity levels (0 to 5) are applied to focus areas like information security. These levels describe the state of an organization's governance and management within that specific area, from incomplete to optimized. The information security guideline for COBIT 2019 already allows for determining this maturity.
COBIT 2019 also provides guidelines for managing the performance of other components. For 'Organizational Structures,' criteria like operating principles, scope of control, and decision rights are used. For 'Information Elements and Flows,' the COBIT 5 information reference model with its intrinsic, contextual, and security criteria is applied. For 'Culture, Ethics, and Behavior,' defining desirable and undesirable behaviors linked to capacity levels is suggested, though more detailed guidance is anticipated in future focus area publications.