Cobit 5 Process Reference Model for Gap Assessment


26 February 2013

CRIP - Assises ITIL & Gouvernance

Fatimatou Dieng Diop, Expert Organisation Informatique

BNP Paribas IT Group Production

Agenda

Context and goals

A renovated IT Production Governance

To foster standardization and reduce complexity

Set-up

Conclusion


The IT Group Production delivers services to numerous and various entities of the Group:

Equipement Solutions; Banque de détail France; Personal Finance; Bancwest; Distribution Marchés & Solutions BNL; Banque de détail Luxembourg; Banque de détail Belgique; International Retail Banking; Capital Market; Corporate Banking; Principal investments; ALM - Trésorerie; Investment Partners; Personal Investor; Service Epargne Entreprise; FIN’AMS; Immobilier; BP2S; Wealth management; Assurance; Finance développement Groupe; Group Risk Management; Affaires fiscales Groupe; Conformité groupe; Inspection Générale; Marque, communication et qualité; RH Groupe.


IT Group Production – Some figures

Datacentres: 5 strategic datacentres located in France and Belgium

Around 10 000 servers, around 100 000 MIPS, around 8 000 To (terabytes) of storage

Security devices: around 400 firewalls (France)

Mail: 120 000 mailboxes

Workforce: around 1 500 collaborators, with a similar-sized external workforce

Coverage: 70 000 of the 270 000 workstations; 60 000; around 40% of Group production services


Context and Goals

The economic and regulatory environment impacts all financial institutions, including BNP Paribas and, indirectly, its production units:

The pace of changes required by the Businesses to adapt to new economic constraints, and the increased need to reduce « Time To Market ».

Regulatory requirements are generating a huge volume of adaptations.

More than ever, we need to master quality, budget, cost, delays and risk, with an emphasis on efficiency given the unfavourable economic context.

Increasing complexity of the IT environment:

Complexity of processes and organisation (international dimension, cross-border requirements, extended enterprise).

Richness, but also increased complexity, of application and infrastructure solutions.

Exponential increases in volumes require stronger management of capacity, performance and costs.

… leading to renewed constraints:

We need to be more agile, keep in sync with Business requirements and be prompt to implement the required solutions.

Our collaborators must get a better understanding of their contribution and accountability within the overall set-up.

The enterprise must control the evolution of production running costs and investments.

Increasing need for standardization and industrialisation.


Context and Goals – Past years' experience

CMMI framework: within BNP Paribas, all development units have reached at least a level 3 maturity.

As a contributor to development projects, the Production has embedded its own requirements in the Development methodology. The production life cycle processes were enhanced.

ISO 9001: the Group IT Production has been working on client satisfaction, on improving the quality delivered to clients and on the performance of its quality management system over the last decade. It has remained certified during all that period of time.

ISO 20000-1: we have adopted the ITIL referential, rationalised our processes accordingly using best practices and reached an ISO 20000-1 certification.

ISO 27000: a part of the infrastructure is already certified for its security management system.

ISO 14001: a part of our infrastructure services is already certified ISO 14001, in line with the emphasis we put on Social and Environmental Responsibility.

These methodologies have indeed brought real benefits, but they have limits: they may be quite far from the reality on the ground, and the expected improvements may remain insufficiently precise.

So even if they are structured around bringing direct value to the Client, they may not always bring value to all parties.


Fostering standardization and reducing complexity

Logical Model

A Logical Model has been detailed in order to structure the IT Production operating model.

This ‘IT Production model’ proposes some activities which need to be standardized all over the Group.

Subscription to the Logical Model requires compliance with the following principles:

‘Roles and responsibilities distribution among organizations should comply with agreed high-level guiding principles’.

‘Roles and responsibilities within entities should comply with the defined logical model roles distribution principles’.

Organizational model

The multi-form IT Production model defines three main forms of organizing the IT production activities.

Entities that subscribe to the multi-form model are presumed to follow the rules defined by the renovated IT governance.

A multi-form end-to-end operating model, with shared and understood objectives, in order to:

Clarify roles and responsibilities

Involve IT Production in key development processes (portfolio, project lifecycle and asset management)


Logical Model: a common framework to structure BNPP IT Production activities

5 logical units with differentiated responsibilities: Métiers / Business, Information System Management & Development (ISMD), Customer & Services Management (CSM), Infrastructure & Operations (I&O), and the transversal 'Regalian' & normative activities and shared functions.

Métiers / Business

• Responsible for
– Definition of business needs & priorities regarding IT-enabled processes
– Arbitration on IT investments portfolio (IT Expense sizing, Run vs Change balance)
– Solution validation and business process update
– Business risk mitigation decisions

Information System Management & Development - ISMD -

• Responsible for
– Design, delivery, validation & maintenance of applications
– Application quality, rationalization and optimization
– Application roadmaps
– Total cost of ownership

Customer & Services Management - CSM -

• Responsible for end-to-end IT production services on the whole scope of the client perimeter
– 'Assembler' of technical solutions to meet Business needs
– 'Producer' of services to deploy and monitor Business applications
• “Customer & services management” function(s) to manage production of shared applications

Infrastructure & Operations - I&O -

• Responsible for Infrastructure and Production Operations, for dedicated and shared services
– Recurrent support
– Build operations
– ‘Producer' of technical solutions and technical expertise
• Responsible for transversal technical services (hosting activities managed centrally: datacenter, network, user desktop, …)

'Regalian' & Normative Activities

• Responsible for 'Regalian' and normative activities for the IT production, e.g.
– Security policy
– Risk Management policy
– Budget & engagement policy
– Strategy policy
– Production model management
– Partnership control
– Norms & standards
– Processes & methodologies

Shared functions

• Responsible for shared functions for the IT production, e.g.
– Procurement
– HR career track
– Experts communities
– Efficiency (lean)

Functional view only, independent from any organizational consideration.


Target: IT Production organizational multiform model

[Diagram: the three forms of the multiform model shown across Entity 1 to Entity 6 – customer and services management embedded in entities; customer and services management embedded in IT Production; IT Production fully embedded in entities. Layers shown per entity: Information System Management & Development, Customer & services management, Infrastructure & Operations (ITP / IPS / BP²I or other provider) and Technical Services; 'Regalian', normative and shared functions held by ITP / IPS.]

Transversal "hosting" activities are managed centrally by shared production: messaging, datacenter, network, user desktop, …

"Entity" represents a rational grouping of Pôle / Métier / Territory from a production point of view.


Gap assessment

Entities that subscribe to the multiform model(s) have to produce a formal report on the gap analysis and the associated action plan.

We have developed a Gap Assessment Toolkit to:

Measure gaps between the declared production model and the current allocation of production activities

Prepare an action plan to optimize the production organization model

This IT Production Activities Gap Assessment Model is a multiple-choice questionnaire:

About 160 questions have been drawn from the COBIT 5 process reference model and adjusted to the context of IT Production (ITIL / ISO 20000).

When the questionnaire is completed, the results present the current distribution of IT production activities among: Business, IT Production, both Business & IT Production, and none if the activity is not performed. Regional and technological specificities are taken into account.

Gaps, if any, are classified by process and by IT domain activity. Actions to bridge them should be planned jointly by Business & IT Production.


Set-up

• Mapping the COBIT roles and organisational structures with those of BNPP.

• Finding the IT production coverage: we analysed the COBIT 5 detailed activities and those of the IT Production Logical Model with the goal of allocating these activities into the COBIT framework.

Results: APO09 Manage Service Agreement – BAI03.11 Manage Solutions Identification and Build – BAI04 Manage Availability and Capacity – BAI06 Manage Changes – BAI09 Manage Assets – BAI10 Manage Configuration – DSS01 Manage Operations – DSS02 Manage Service Requests and Incidents – DSS03 Manage Problems – BAI01 Manage Programmes and Projects – DSS04 Manage Continuity – DSS05 Manage Security Services.

• Building the RACI charts of the Organizational Model.

• Creating the Gap Assessment questionnaire.
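To make the scoring logic of the gap assessment and set-up slides concrete, here is an added worked example (written for this transcript, not the BNP Paribas toolkit nor code from the presentation): it takes a constructed handful of questionnaire answers, each tied to one of the COBIT 5 processes listed above, computes the Business / IT Production / Both / None distribution, and lists the gaps against the declared model per process. The activity wording, expected allocations and reported answers are constructed; only the process identifiers come from the slide.

```python
from collections import Counter, defaultdict

# The four answers allowed per questionnaire item, as on the gap assessment slide.
ALLOCATIONS = ("Business", "IT Production", "Both", "None")

# Constructed sample answers (illustrative, not BNP Paribas data):
# (COBIT 5 process, activity, allocation declared in the model, allocation reported)
QUESTIONS = [
    ("APO09", "Agree service level agreements", "Both", "Both"),
    ("BAI06", "Assess and authorise change requests", "IT Production", "Business"),
    ("BAI06", "Manage emergency changes", "IT Production", "IT Production"),
    ("DSS02", "Classify and prioritise incidents", "IT Production", "None"),
    ("DSS05", "Monitor infrastructure for security events", "IT Production", "IT Production"),
    ("DSS05", "Manage user identity and logical access", "Both", "IT Production"),
]

def validate(questions):
    """Reject answers outside the four allowed allocations before scoring."""
    for process, activity, expected, reported in questions:
        if expected not in ALLOCATIONS or reported not in ALLOCATIONS:
            raise ValueError(f"{process} {activity!r}: invalid allocation")

def distribution(questions):
    """Current split of activities by who reports performing them."""
    validate(questions)
    return dict(Counter(reported for _, _, _, reported in questions))

def gaps(questions):
    """Activities whose reported allocation differs from the declared model,
    grouped by COBIT 5 process. 'None' is flagged separately: an activity that
    nobody performs is a control gap, not merely a misallocation."""
    validate(questions)
    found = defaultdict(list)
    for process, activity, expected, reported in questions:
        if expected == reported:
            continue
        found[process].append({
            "activity": activity,
            "expected": expected,
            "reported": reported,
            "kind": "not performed" if reported == "None" else "misallocated",
        })
    return dict(found)

if __name__ == "__main__":
    print("distribution:", distribution(QUESTIONS))
    for process, items in gaps(QUESTIONS).items():
        print(process, items)
```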


Conclusion

Benefits

COBIT 5 (ITG0001 - IT Governance fundamentals) is aligned with the international standards and frameworks recommended throughout the Group (ISO/IEC 20000, ITIL, CMMI & TOGAF) and with ISO 38500 (IT Governance). The process capability model is based on the process assessment standard ISO 15504.

COBIT includes a process reference model which defines 37 governance and management processes. It represents all processes relating to IT activities, providing a common reference model understandable to operational IT and business managers.

Limits

The process descriptions are sometimes theoretical.

Some activities are too detailed to be operated.
