Cobit 5 Process Reference Model for Gap Assessment
26 February 2013
CRIP - Assises ITIL & Gouvernance
Fatimatou Dieng Diop, IT Organisation Expert
BNP Paribas IT Group Production
Agenda
Context and goals
A renovated IT Production Governance
To foster standardization and reduce complexity
Set-up
Conclusion
ITG IPS 2
The IT Group Production delivers services to numerous and various entities of the Group
Equipement Solutions
Banque de détail France
Personal Finance
Bancwest
Distribution Marchés & Solutions BNL
Banque de détail Luxembourg
Banque de détail Belgique
International Retail Banking Capital Market
Pole
Corporate Banking
Principal investments
ALM - Trésorerie
Investment Partners
Personal Investor
Service Epargne Entreprise
FIN’AMS
Immobilier
Pole
BP2S
Wealth management
Assurance
Finance développement Groupe
Group Risk Management
Affaires fiscales Groupe
Conformité groupe
Inspection Générale
Marque, communication et qualité
RH Groupe
ITP
Production
IT Group Production – Some figures
5 strategic datacentres located in France and Belgium
# 10 000 servers
# 100 000 Mips
# 8 000 TB storage
# 400 firewalls (France)
120 000 mail boxes
Around 1 500 collaborators, with a similar sized external workforce
Security devices
Datacentres
Workforce
70 000 of the 270 000 Workstations
60 000
Around 40% of Group
Production services
Coverage
Context and Goals
The economic and regulatory environment impacts all financial institutions, including BNP Paribas and, indirectly, its production units
The pace of change required by the Businesses to adapt to new economic constraints, and the increased need to reduce "Time To Market".
Regulatory requirements are generating a huge volume of adaptations
We need more than ever to master quality, budget, cost, delays and risk, with an emphasis on efficiency due to the unfavourable economic context
Increasing complexity of the IT environment
Complexity of processes and organisation (international dimension, cross-border requirements, extended enterprise)
Richness but also increased complexity of application and infrastructure solutions
Exponential increases in volumes require stronger management of capacity, performance and costs
… leading to renewed constraints:
We need to be more agile, keep in sync with Business requirements and be prompt to implement the required solutions
Our collaborators must get a better understanding of their contribution/accountability within the overall set-up.
The enterprise must control the evolution of production running costs and investments
Increasing need for standardization and industrialisation
Context and Goals
Past years' experience
CMMI framework: Within BNP Paribas, all development units have reached at least a level 3 maturity.
As a contributor to development projects, the Production has embedded its own requirements in the Development methodology. The production life cycle processes were enhanced.
ISO 9001: The Group IT Production has been working on client satisfaction, on improving the quality delivered to the clients and on the performance of its quality management system over the last decade. It has remained certified during all that period of time.
ISO 20000-1: We have adopted the ITIL framework, rationalised our processes accordingly using best practices and reached an ISO 20000-1 certification.
ISO 27000: Part of the infrastructure is already certified for its security management system.
ISO 14001: Part of our infrastructure services is already certified ISO 14001, in line with the emphasis we put on Social and Environmental Responsibility
These methodologies have indeed brought real benefits, but they reach some limits: they may be quite far from the reality on the ground, and the expected improvements remain insufficiently precise.
So even if they are structured around bringing direct value to the Client, they may not always bring value to all parties.
Fostering standardization and reducing complexity
Logical Model
A Logical Model has been detailed in order to structure the IT Production operating model
This ‘IT Production model’ proposes some activities which need to be standardized across the Group.
Subscription to the Logical Model requires compliance with the following principles:
‘Roles and responsibilities distribution among organization should comply with agreed high level guiding principles’.
‘Roles and responsibilities within entities should comply with defined logical model roles distribution principles’
Organizational model
The multi-form IT Production model defines three main forms of organizing the IT production activities
Entities that subscribe to the multi-form model are presumed to follow the rules defined by the renovated IT governance
Multi-form end-to-end operating model, with shared, understood objectives in order to:
Clarify roles and responsibilities
Involve IT Production in key development process (portfolio, project lifecycle and asset management)
Logical Model through a common framework to structure BNPP IT Production activities
5 logical units with differentiated responsibilities
[Diagram labels: Métiers / Business; Customer management; Production / Infrastructure management; IT Production; Information System Management & Development (ISMD); Customer & Services Management (CSM); Infrastructure & Operations (I&O); 'Regalian' & Normative Activities; Shared functions]
• Responsible for
– Design, delivery, validation & maintenance of applications
– Application quality, rationalization and optimization
– Application roadmaps
– Total cost of ownership
• Responsible for Infrastructure and Production Operations, for dedicated and shared services
– Recurrent support
– Build operations
– 'Producer' of technical solutions and technical expertise
• Responsible for transversal technical services (hosting activities managed centrally: datacenter, network, user desktop, …)
• Responsible for
– Definition of business needs & priorities regarding IT-enabled processes
– Arbitration on IT investments portfolio (IT Expense sizing, Run vs Change balance)
– Solution validation and business process update
– Business risk mitigation decisions
• Responsible for 'Regalian' and normative activities for the IT production, e.g.
– Security policy
– Risk Management policy
– Budget & engagement policy
– Strategy policy
– Production model management
– Partnership control
– Norms & standards
– Processes & methodologies
• Responsible for shared functions for the IT production, e.g.
– Procurement
– HR career track
– Experts communities
– Efficiency (lean)
• Responsible for end-to-end IT production services on the whole scope of client perimeter
– 'Assembler' of technical solutions to meet Business needs
– 'Producer' of services to deploy and monitor Business applications
• “Customer & services management” function(s) to manage production of shared applications
Functional view only, independent from any organizational consideration
Legend: Bus, ISMD, CSM, I&O, Transversal
Target: IT Production organizational multiform model
Customer and services management embedded in entities
Customer and services management embedded in IT Production
IT Production fully embedded in entities
[Diagram labels: Entity 1 to Entity 6; Info. System Mngmt & dev; Customer & services management; Infra & Operations; Technical Services; Infrastructure & Operations - BP²I; Other provider; ITP / IPS / BP²I; Regalian, normative and shared functions; ITP; IPS]
Transversal "hosting" activities managed centrally by shared production: messaging, datacenter, network, user desktop, …
"Entity" represents a rational grouping of Pôle / Métier / Territory from a production point of view
Legend: Bus, ISMD, CSM, I&O, Transversal
Gap assessment
Entities that subscribe to the multiform model(s) have to produce a formal report on the gap analysis and the associated action plan.
We have developed a Gap Assessment Toolkit to:
Measure gaps between the declared production model and the current allocation of production activities
Prepare an action plan to optimize the production organization model
This IT Production Activities Gap Assessment Model is a multiple-choice questionnaire:
About 160 questions have been drawn from the COBIT 5 process reference model and adjusted to the context of IT Production (ITIL / ISO 20000).
When the questionnaire is completed, the results present the current distribution of IT production activities among: Business, IT Production, both Business & IT Production, and none if not performed. Regional and technological specificities are taken into account.
Gaps, if any, are classified by process and by IT domain activity. Actions to bridge them should be planned by both Business & IT Production.
Set-up
Mapping the COBIT Roles and Organisational Structures to those of BNPP.
Finding the IT production coverage: we have analysed the COBIT 5 detailed activities and those of the IT production Logical Model, with the goal of allocating these activities into the COBIT framework.
Results: APO09 Manage Service Agreement – BAI03.11 Manage Solutions Identification and Build – BAI04 Manage Availability and Capacity – BAI06 Manage Changes – BAI09 Manage Assets – BAI10 Manage Configuration – DSS01 Manage Operations – DSS02 Manage Service Requests and Incidents – DSS03 Manage Problems – BAI01 Manage Programmes and Projects – BAI0 DSS04 Manage Continuity – DSS05 Manage Security Services.
Building the RACI charts of the Organizational Model.
Creating the Gap Assessment questionnaire.
Conclusion
Benefits
COBIT 5 (ITG0001 - IT Governance fundamentals) is aligned with international standards and frameworks which are recommended throughout the Group (ISO/IEC 20000, ITIL, CMMI & TOGAF) and with ISO 38500 (IT Governance). The process capability model is based on the process assessment standard ISO 15504.
COBIT includes a process reference model, which defines 37 governance and management processes. It represents all processes relating to IT activities, providing a common reference model understandable to operational IT and business managers.
Limits
The process descriptions are sometimes theoretical.
Some activities are too detailed to be operated