- COBIT—Released as an IT process and control framework linking IT to business requirements, COBIT initially was used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 2000, COBIT was used more frequently as a management framework, providing management tools, such as metrics and maturity models, to complement the control framework. With the release of COBIT 4.0 in 2005, it became a more complete IT governance framework. Incremental updates to COBIT 4.0 were made in 2007; they can be seen as a fine-tuning of the framework, not fundamental changes. The current version is COBIT 4.1.
- ITIL v3—Released by the UK Office of Government Commerce (OGC), ITIL is the most widely accepted approach to IT service management in the world. Version 3 consists of 27 detailed processes organized into five high-level processes described in five core books—Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement—that comprise one function: effective IT service management. In addition, ITIL v3 introduced the concept of the service life cycle, which is described in the book Official Introduction to the IT Service Lifecycle.
I have been to a number of IT service management conferences recently, and heard people explaining why they think organizations should use ITIL, or COBIT, or ISO/IEC 20000.
I think this is the wrong way of looking at things, and that every IT organization should use all of these, and more, to build their management system.
Each of these frameworks and management system standards has value to offer, and they have different strengths and weaknesses. If you just pick one of them, you will miss out on some great guidance and your management system will be missing some important characteristics.
ITIL, for example, provides lots of detailed guidance on implementation of processes, but is fairly weak on governance and goal setting. On the other hand, COBIT 5, while very strong on governance and goal setting, does not provide much detail on process implementation; and ISO/IEC 20000, which provides concise information about what the IT organisation should do, offers little guidance on how to set about actually doing it.
What Are the Connections & Differences between COBIT and ITIL?
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
ITIL could be seen as the way to manage IT services across their lifecycle, while COBIT is about how to govern enterprise IT so that the business creates the maximum value from its IT investments while optimizing risks and resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
ITIL focuses on ITSM and provides much more in-depth guidance in this area.
There are five stages in the ITIL Service Lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
The distinction between the two is sometimes described as “COBIT provides the ‘why’; ITIL provides the ‘how.’” While catchy, that view is simplistic and seems to force a false “one or the other” choice.
It is more accurate to state that enterprises and IT professionals who need to address business needs in the ITSM area would be well served to consider using both COBIT and ITIL guidance. Leveraging the strengths of both frameworks, and adapting them for their use as appropriate, will aid in solving business problems and supporting business goals achievement.
How wrong focus creates problems instead of solving them
Making sure that your organisation is familiar with several sources of guidance instead of just one may seem counterintuitive. Isn’t it much simpler, less time consuming, and more effective to choose just one and develop expertise in that? Actually, in my experience, it’s not.
IT organisations that run an “ITIL project” or a “COBIT project” tend to focus on the suggestions in that guidance, rather than on the needs of their own organisation. This misplaced focus tends to result in the development of bureaucratic management systems. The changes proposed by such projects are too often imposed on, rather than embraced by, IT staff; and too often they create little value for the organization that implements them. When the outcomes of an improvement project are disappointing, any guidance used to create it tends to get a bad name. What’s more disappointing – the outcomes also tend to make people cynical about future projects to improve practice.
What you should do is begin with your organisation’s needs. Use suggestions from best practices and standards, but only when you are confident that they will help you implement a service improvement project which has clear business goals that you can measure and report to your stakeholders. Depending on the goals you are trying to achieve you will probably find that you end up wanting to include suggestions from one or more of the sources of guidance I have been writing about.
How can you combine different sources of guidance in your management system?
Obviously, this depends on what you are trying to do.
For example if your customers and users are not satisfied with how you manage and resolve incidents then you could decide to improve your processes for incident and problem management. Your goals could be to improve customer satisfaction, to reduce the length of time it takes to resolve incidents, or even to reduce the number of incidents that have an impact on users. In this case I would strongly recommend that you read and understand the guidance in ITIL, which is very strong in these areas, and think about how you could use some of the ITIL ideas to improve how you work. But you should also read the relevant parts of COBIT, to get some ideas for possible process goals, metrics, activities, inputs and outputs. After you have read and thought about the guidance you will be well placed to make improvements that are tailored to meet your own specific needs. What you should end up with is an improved process that is right for you, that fits your culture and supports your organization’s goals. The process may be based on ideas from ITIL and COBIT, but your staff should see it as your process, and should understand how it helps them to deliver value to your customers.
ISO/IEC 20000 is somewhat different, since the requirement to achieve certification may come from outside the IT department, as a marketing or customer relationship initiative, in which case achievement of the certification may be a goal in itself. Even in this case, if you want real value from a project to achieve ISO/IEC 20000 certification then it is not just the certificate you need to focus on; you also need to think about how the improved processes will help you to deliver better value to your customers. Your improved processes must ensure you meet the requirements of the standard, but you may find that by using ideas from ITIL and COBIT to help you design the details, you maximise the value of achieving the certification.
Are there any other frameworks or standards I should be using?
There are lots of different frameworks and best practices that you can use to help you manage IT services. In addition to ITIL, COBIT and ISO/IEC 20000 you could think about using ideas from:
ISO/IEC 27001 – the international standard for information security management
If you are running IT services then you must make sure you understand the requirements for information security, and take these into account in designing your management system.
Agile – a development methodology that divides projects into short phases, each of which delivers valuable outcomes.
Agile can provide a great framework for an ITSM improvement project, helping you to rapidly deliver measurable value in small increments.
Kanban – a methodology for managing work in progress, to optimise the use of resources
Kanban can provide a great way to manage the workload of technical people in an IT department, ensuring that you get maximum value from your limited resources.
PRINCE2 and PMI – project management methodologies
Every IT department manages lots of projects, and you need formal project management methodologies to ensure you get value from these.
You can probably think of many more best practices, frameworks and standards that could help you create value for your customers. Don’t be scared to include ideas from any approach that can help you do a great job. Remember that what you are creating is not an ITIL management system or a COBIT management system, it is your management system which you are designing to help you create value for your customers.