A Tool Design of COBIT Roadmap Implementation

Over the last two decades, the role of information technology in organizations has changed from primarily a supportive and transactional function to being an essential prerequisite for strategic value generation. Organizations base their operational services on their Information Systems (IS), which need to be managed, controlled and monitored constantly. IT governance (ITG), i.e. the way organizations manage IT resources, has become a key factor for enterprise success due to the increasing enterprise dependency on IT solutions. There are several approaches available to deal with ITG. These methods are diverse, and in some cases, long and complicated to implement. One well-accepted ITG framework is COBIT, designed for a global approach. This paper describes a design of a tool for COBIT roadmap implementation. The model is being developed in the course of ongoing PhD research.

Keywords—IT governance; COBIT; Tool design; Roadmap; Implementation


I. INTRODUCTION
In recent years, due to the increase of IT investment, IT governance has become a center of interest among practitioners and researchers.
Several issues contribute to explaining this phenomenon [1]: (1) Business activities became largely dependent on IT systems. (2) Therefore business failure and success are increasingly dependent on IT. (3) IT should deliver value to business and be aligned with the organization's goals. (5) Response to fast changes in business environment. (6) Ensure business continuity.

Some methods to support IT governance exist. Weill & Ross have developed an IT governance framework that can be used to assign responsibilities for high-level IT decision making, but their work gives no more information on how the IT organization must effectively perform its work [2]. The ISO/IEC 20000 and preceding IT Infrastructure Library (ITIL) might aid the creation of processes related to delivery and support [3]. The most recognized, publicly available, IT governance framework is COBIT (Control Objectives for Related Technology) [4], which will be discussed.
These frameworks and standards are useful to guide the decisions of managers on the key processes of IT. However, they remain general frameworks and must be adapted to the organization. Many organizations struggle with implementing and embedding these governance practices into their organizations. Through case and survey research, it will be vital to verify how organizations are adopting and implementing ITG. This last point is essential: it would guide the specification phases of ITG implementation, reduce costs and deadlines, ensure effective support to implement IT governance and reduce the risk of failing financial investments. It will also be interesting to analyze this issue in relation to a largely well-accepted framework such as COBIT, currently in its fifth edition, covering the IT activities of the enterprise end to end. Some specific questions are:
• Which COBIT 5 processes and related practices are most adapted to my organization?
• Which COBIT 5 processes and related practices/structures will be easy / difficult to implement?
• How could I implement COBIT 5 processes in my organization?
As a response, this paper proposes a tool design of COBIT roadmap implementation. This paper is organized as follows: Section 2 introduces an overview of IT Governance concepts. Afterward, to encompass the research scope, the COBIT 5 framework, its implementation life cycle and available implementation tools will be presented. Then, in section 3, a tool design of COBIT roadmap implementation will be proposed. This paper concludes with discussion and future research directions.

A. Information Technology Governance
There are many definitions of Information Technology Governance (ITG) [5]. ITG commonly refers to a set of structures and processes that ensure IT supports and adequately maximizes the business objectives and strategies of the organization, adding value to the services delivered, weighing the risks and getting a return on investment in IT [5]. IT Governance is part of Corporate Governance [6].
In the last decade, the concept of IT governance has attracted attention among researchers. Those include Brown and Grant [8]; Mähring [9]; Webb, Pollard and Ridley [5]; and Wilkin and Chenhall [11]: (1) Brown and Grant [8] identified three ITG research streams: structural analysis, contingency analysis and the combination of the first two. They contribute a conceptual map of ITG knowledge from the literature. (2) Mähring [9] reviewed ITG literature that relates to the board of directors' role. The study argues that SOX has added compliance pressure and changed board responsibilities. (3) Webb et al. [5] reviewed and integrated a wide range of ITG literature and presented the diversification and confusion in ITG conceptualization. That review analyzed not only academic but also practical concepts. (4) Wilkin and Chenhall [11] describe concepts of strategic alignment, performance measurement, risk management, and value delivery as the most significant enablers of IT governance. They note that broader organizational structures, business processes and technology, and resource capabilities influence the enablers and by extension IT governance.
Many researchers also attempt to propose various ITG models and concepts (e.g. Van Grembergen and De Haes [12], Weill and Ross [10], Brown and Grant [6]).
In the practitioner arena, there are various frameworks and standards dealing with ITG: ISO/IEC Standard 38500, ITIL V3, and COBIT, for instance. COBIT has been recognized as the most used framework [7].
Past literature reviews indicate different viewpoints and conceptual diversification in the ITG field of study, essentially because different research communities conceptualize ITG differently. One outstanding finding is that ITG is constantly evolving, since there are regular introductions of new concepts, legal requirements, standards and practical frameworks. It is vital not to ignore these changes in order to gain a better understanding of the ITG field.
COBIT 5, the latest version of COBIT [13], was recently introduced; in this context the next section explores the IT Governance concepts in COBIT 5.

B. IT Governance Concepts in COBIT 5
COBIT is the framework for governance and management of IT developed by ISACA, which evolved into the current version, "COBIT 5", released in 2012 and designed to be a single integrated framework [13]. COBIT 5 defines governance as: "Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives." [13].
This definition is different from the previous versions of COBIT. First, it recognizes multiple stakeholders of organizational IT as well as a balanced distribution of resources while maintaining overall firm goals. Second, it explicitly states what activities to do. Third, it makes no mention of leadership, structures and processes in the definition [14].
COBIT 5 reveals new conceptual ideas compared to previous versions. COBIT 5 proposes COBIT principles, which guide the governance of IT. The five principles include: Meeting Stakeholder Needs; Covering Enterprise End-to-end; Applying a Single, Integrated Framework; Enabling a Holistic Approach; and Separating Governance from Management [14], as in Table I. Principle 1 emphasizes goal cascade and value creation among different stakeholders who may expect different IT value. Principle 2 shows that COBIT is not limited to the IT department but covers the entire enterprise. COBIT includes a guide for integration into corporate governance for value creation by specifying roles, activities and relationships. Principle 3 indicates that COBIT aims to be the umbrella framework.
COBIT provides an integration guideline to use with other frameworks. Principle 4 shows how ITG components relate and provides a set of critical success factors (called enablers). Principle 5 shows that COBIT 5 clearly separates governance and management. From an operational point of view, COBIT 5 provides 37 processes in two domains. The governance domain contains five processes while the management domain contains 32 processes. These processes are provided as a guideline to practitioners. Fig. 1 shows key governance and management areas and Table II shows COBIT processes. COBIT 5 indicates that governance processes will provide direction to management processes based on business needs.
Then, governance processes will get feedback from management processes to evaluate how well the directions are carried out or whether they need to be adjusted.
Governance actions include Evaluate, Direct and Monitor, or EDM. COBIT 5 holds the board of directors accountable for governance processes, while executives are responsible for performing them. The EDM and board accountability concepts are similar to ISO 38500 [10].
On the other hand, management processes are categorized by IT life cycle. There are four areas: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). Each area contains different processes. COBIT 5 sees the APO and MEA areas as directly linked to governance processes. These process areas contain different ITG activities.
COBIT 5 is not a minor update to its previous version. There are conceptual differences, new emphases and new arrangements. These distinctions could imply or affect governance practice and knowledge in many ways. COBIT

C. COBIT 5 Implementation life cycle
COBIT 5 has a professional guide for implementation. The guide provides details of seven phases of the implementation life cycle; applying a continual improvement life cycle approach provides a method for enterprises to address the complexity and challenges typically encountered during ITG implementation [14]. There are three interrelated dimensions to the life cycle, as illustrated in figure 2: the core ITG continual improvement life cycle, the enablement of change (addressing the behavioral and cultural aspects of the implementation or improvement), and the management of the Program. The three aforementioned dimensions exist within each and every one of these phases. The seven phases of the implementation life cycle are illustrated in figure 2.

Phase 2 - Where Are We Now?
Phase 2 aligns IT-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, IT-related goals and processes. COBIT 5 provides a generic mapping of enterprise goals to IT-related goals to IT processes to help with the selection. Given the selected enterprise and IT-related goals, critical processes are identified that need to be of sufficient capability to ensure successful outcomes. Management needs to know its current capability and where deficiencies may exist. This is achieved by a process capability assessment of the as-is status of the selected processes.

Phase 3 sets a target for improvement followed by a gap analysis to identify potential solutions. Some solutions will be quick wins and others more challenging, long-term tasks. Priority should be given to projects that are easier to achieve and likely to give the greatest benefit. Longer-term tasks should be broken down into manageable pieces.

A defined target is set for the future improvement, a gap analysis is completed to indicate the delta between As-Is and To-Be, and potential improvements are identified.

Phase 6 focuses on sustainable transition of the improved governance and management practices into normal business operations and on monitoring achievement of the improvements using the performance metrics and expected benefits.

The time spent per phase will differ greatly depending on (amongst other factors) the specific enterprise environment, its maturity, and the scope of the implementation or improvement initiative. However, the overall time spent on each iteration of the life cycle ideally should not exceed six months, with improvements applied progressively; otherwise, there is a risk of losing momentum, focus and buy-in from stakeholders.
Over time, the life cycle will be followed iteratively while building a sustainable approach. This becomes a normal business practice when the phases in the life cycle are everyday activities and continual improvement occurs naturally. Figure 3 illustrates an example of generic roles for key stakeholders and responsibilities of implementation role players when creating the appropriate environment to sustain governance and ensure successful outcomes. Similar tables are provided for each phase of the implementation life cycle.

D. Available tools
In addition to the implementation guide described in the previous section, there are a number of tools included within the guidance:

1) Assessment Scoping Tool - An Excel file that brings together various existing mappings related to COBIT 5 in a hierarchical tree format, including:
• Mapping of COBIT 5 processes to IT goals to business goals to IT balanced scorecard
• Mapping COBIT 5 processes to IT goals
2) Self-assessment Templates - An Excel file with separate evaluation sheets for all 37 COBIT 5 processes.

Except for the documentation provided by ISACA to its members, there is a lack of important documentation from other sources regarding the latest version of the framework. For this reason, this paper is based on ISACA documentation.
Our analysis of the COBIT 5 implementation guide also reveals that the implementation guidance builds extensively on all the COBIT components such as [14], [15], [16], so the team in charge of the IT Governance implementation should already be familiar with all other COBIT 5 guidance. This multitude and complexity of guides can be an obstacle to the implementation of COBIT; in this context the next section proposes a tool design of COBIT roadmap implementation.

III. A TOOL DESIGN OF COBIT ROADMAP IMPLEMENTATION
COBIT is a largely well-accepted ITG framework. COBIT 5, the latest version of COBIT, offers a wide range of guides (COBIT 5: Process facilitating, for implementation, for information security...). For COBIT 5 implementation, ISACA suggests a lifecycle approach based on 7 phases with high-level roles. However, the multitude and complexity of the guides can be an obstacle to the implementation of COBIT. As a solution to these issues, we propose a tool design of COBIT roadmap implementation; such a tool would ensure effective support to enterprises wishing to implement COBIT.
In the COBIT 5 Implementation Guide [14], ISACA proposes a lifecycle of 7 phases. Our tool will support the first 4 phases in the COBIT implementation life cycle, which deal with the establishment of a roadmap of COBIT implementation:

The RACI matrices provided by COBIT state that each implementation-related activity might be associated with a role, so that the role is responsible, accountable, consulted or informed with respect to the activity. The Implementation Guide introduces 9 different stakeholders. Our proposal features a more simplified representation of only 5 different stakeholders by considering that consulted or informed stakeholders are inactive.

Role: Description

Program Steering: Direct, design, control, drive and execute the end-to-end Program from the identification of objectives and requirements, to the eventual evaluation of business case objectives and the identification of triggers and objectives for implementation or improvement cycles.

Assessment Responsible: Participate as required throughout the Program and provide assessment inputs on relevant issues. Plan, perform and verify assessment results independently. Provide advice on current issues being experienced and input on control practices and approaches. Review the feasibility of business cases and implementation plans. Provide guidance as required during implementation.

CEO: Provide leadership to the Program and applicable IT resources to the core implementation team. Work with business management and executives to set the appropriate objectives, direction and approach for the Program.

Business Executive: Provide applicable business resources to the core implementation team. Work with IT to ensure that the outcomes of the improvement Program are aligned to and appropriate for the business environment of the enterprise, and that value is delivered and risk is managed. Visibly support the improvement Program and work with IT to address any issues that are experienced. Ensure that the business is adequately involved during implementation and in the transition to use.

Board and executive management: Set the overall direction, context and objectives for the improvement Program and ensure alignment with the enterprise business strategy, governance and risk management. Provide visible support and commitment for the initiative, including the roles of sponsoring and promoting the initiative. Approve the outcomes of the Program, and ensure that envisioned benefits are attained and corrective measures are taken as appropriate. Ensure that the required resources (financial, human and other) are available to the initiative.
Given that an IT organization desires to move from a current state, the as-is model, through evaluating a number of possible change scenarios, to the desired to-be scenario, seven steps need to be taken. Figure 9 provides a BPMN model of the steps cited below:

1) Define scope: The COBIT framework is a general framework, suitable for many different types of enterprises, as discussed. In order to align effort with the real needs of the enterprise, the roadmap begins with establishing clear goals among the generic COBIT enterprise goals, distributed according to the four Balanced Scorecard dimensions (Financial, Customer, Internal, Learning/Growth). COBIT provides a goals cascade to translate stakeholder needs into specific, actionable and customized enterprise goals and into IT-related goals. COBIT also provides a mapping between IT-related goals and the relevant COBIT processes. When this logical sequence is followed, the system can deduce the IT processes to implement or improve.

2) Create As-is Model of Current IT Organization:
The second step concerns the development of a model of the current IT organization.
In order to assess the maturity, an as-is model of the Current IT Organization is created based on the structure of the COBIT 5 Process Reference Model (PRM) defined in Process Assessment Model: Using COBIT 5. The reference model is a predefined, optimal IT governance model that represents the ideal organization. The COBIT 5 PRM subdivides the IT-related processes, practices and activities of the enterprise into two main areas, governance and management. Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved, setting direction through prioritization and decision making, and monitoring performance and compliance against enterprise objectives. Management ensures that the plan, build, run and monitor (PBRM) IT management activities are executed in alignment with the direction set by the governance body to achieve the enterprise objectives. By using such a model, it is possible to create a model of the current IT organization's governance structure.

3) Assess current maturity level: The third step is to assess the capability level of a process ("as-is maturity").
The Capability Model is based on ISO/IEC 15504 (SPICE):
• Level 0: Incomplete. The process is not implemented or fails to achieve its purpose;
• Level 1: Performed (Informed). The process is implemented and achieves its purpose;
• Level 2: Managed (Planned and monitored). The process is managed and results are specified, controlled and maintained;
• Level 3: Established (Well defined). A standard process is defined and used throughout the organization;
• Level 4: Predictable (Quantitatively managed). The process is executed consistently within defined limits;
• Level 5: Optimizing (Continuous improvement). The process is continuously improved to meet relevant current and projected business goals.

The capability of processes is measured using process attributes. The international standard defines nine process attributes [15]:
• Fully achieved (>85% - 100%)

Fig. 6. COBIT 5 Process Capability Model [15]

In COBIT 5, to achieve a given level of capability, the previous level has to be completely achieved.
The maturity level will be the result of comparison between as-is Model of Current IT Organization and the COBIT PRM. Figure 7 shows an overview of assessment method.

4) Identify potential Change Scenarios:
In order to identify the potential improvements, IT managers and business managers are interviewed to establish the To-Be maturity level based on enterprise requirements for performance and conformance. The reasons for not achieving this level can be calculated from the approach explained above, and potential improvements can be defined: the system performs a comparison (by attribute) between the current capability model and the target capability level.
a) If a required process outcome is not consistently achieved, the process does not meet its objective and needs to be improved.
b) The assessment of the process practices will reveal which practices are lacking or failing, enabling implementation and/or improvement of those practices to take place and allowing all process outcomes to be achieved.
Once gaps are identified, Program Steering can define potential improvements:
• Collate gaps into potential improvements.
• Prioritize and argue every potential improvement.
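The level assessment of step 3 and the attribute-by-attribute comparison of step 4, as an added example (not code from the paper or from ISACA). It assumes the ISO/IEC 15504 rating bands N/P/L/F and attribute identifiers PA1.1 to PA5.2, of which only the "Fully achieved" band appears on this page, and the standard's rule that the target level itself needs only a "Largely" rating; the process ratings are constructed sample data.

```python
# Added example: capability level and attribute gaps for COBIT 5 processes.
# Attribute IDs and the N/P/L bands follow ISO/IEC 15504 (assumption: the
# page itself only shows the "Fully achieved" band).

# Process attributes grouped by the capability level they belong to.
ATTRIBUTES = {
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}
ORDER = "NPLF"  # Not, Partially, Largely, Fully achieved (weakest first)


def rate(percent):
    """Map an achievement percentage onto the N/P/L/F rating scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent > 85:
        return "F"
    if percent > 50:
        return "L"
    if percent > 15:
        return "P"
    return "N"


def capability_level(ratings):
    """Highest level reached; unrated attributes count as 0 %."""
    level = 0
    for lvl in range(1, 6):
        grades = [rate(ratings.get(a, 0)) for a in ATTRIBUTES[lvl]]
        if any(g in "NP" for g in grades):
            break                      # this level is not achieved
        level = lvl
        if any(g != "F" for g in grades):
            break                      # not fully achieved: cannot go higher
    return level


def gaps(ratings, target):
    """Attributes that block the target level, as (attribute, as-is, needed)."""
    found = []
    for lvl in range(1, target + 1):
        needed = "L" if lvl == target else "F"  # lower levels must be Fully achieved
        for attr in ATTRIBUTES[lvl]:
            grade = rate(ratings.get(attr, 0))
            if ORDER.index(grade) < ORDER.index(needed):
                found.append((attr, grade, needed))
    return found


def assess(as_is, targets):
    """Per process: as-is level, to-be level and the blocking attributes."""
    return {
        proc: {
            "as_is": capability_level(as_is[proc]),
            "to_be": targets[proc],
            "gaps": gaps(as_is[proc], targets[proc]),
        }
        for proc in targets
    }


# Constructed sample ratings (percent achieved per attribute), not real data.
AS_IS = {
    "APO12": {"PA1.1": 90, "PA2.1": 70, "PA2.2": 60, "PA3.1": 20},
    "DSS05": {"PA1.1": 45},
}
TO_BE = {"APO12": 3, "DSS05": 1}

if __name__ == "__main__":
    for proc, result in assess(AS_IS, TO_BE).items():
        print(proc, result)
```

Each gap tuple is one candidate input to the "collate gaps into potential improvements" activity: it names the attribute, its as-is rating and the rating the to-be level requires.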
5) Prioritize and select change scenarios: Decision-making can be described as a process of improvement selection. For each improvement, the decision-maker should consider the potential benefit, ease of implementation (cost, effort, sustainability), and risk.
Unapproved projects and initiatives should also be recorded for potential future consideration.

6) Establish the roadmap:
The approved improvements should be integrated into an overall improvement strategy with a detailed plan to roll out the solution.
This step consists of:
• Defining and gathering approved improvements into the projects needed to implement the To-Be scenario.
• Developing a Program plan with allocated resources and project plans, and defining the project deliverables.
• Identifying metrics for measuring progress.

Further, because the lifecycle presented in the COBIT 5 implementation guide provides only generic guidance, the IT governance implementation roadmap is not prescriptive and should be tailored to the needs of the organization applying it. The tool will provide an efficient method for implementing IT governance using COBIT 5 and adapt the roadmap to the effective need of the organization.

V. FUTURE RESEARCH DIRECTION
Further research is ongoing to provide a set of key indicators in order to give broad support to decision-making in the selection and prioritization of change scenarios. The implementation guide briefly describes some indicators such as potential benefit, ease of implementation (cost, effort, sustainability), and risk; other economic and financial indicators like value creation and ROI will be considered as evaluation variables.
COBIT 5 management practices, and other specific frameworks such as PMBOK, can also provide guidance for this step.
In the next step, the implementation phase will be started; as envisaged in the design science research paradigm [16], an evaluation of the tool will also be performed:
• In a first step, multiple explorative focus groups will be used to evaluate the perceived utility and actual usability of the developed tool.
• Secondly, laboratory experiments will be carried out to quantitatively measure the effectiveness, to validate whether the usage of the proposed tool will reduce the perceived complexity, costs and deadlines of COBIT 5 implementation phases.

Principle 1 - Meeting Stakeholder Needs
Principle 2 - Covering the Enterprise End-to-End
Principle 3 - Applying a Single Integrated Framework
Principle 4 - Enabling a Holistic Approach
Principle 5 - Separating Governance from Management

These principles demonstrate the scope, how-to and objectives of COBIT. They highlight certain concepts, such as goal cascade and governance enablers.

Fig. 2. Seven Phases of the Implementation Life Cycle [14]

Phase 1 - What Are the Drivers?
Phase 1 identifies current change drivers and creates at executive management levels a desire to change. Key questions, which need to be answered in this phase, include: What is the business motivation and justification? What are the stakeholder needs and expectations that need to be satisfied? Why are we doing this? There must be consensus on the need for implementing COBIT 5, to change and improve, supported by the will and commitment of executive management.
Dimensions:
• Program Management - Initiate the Program
• Change Enablement - Establish the desire to change
• Continual Improvement Lifecycle - Recognize the need to act.

Dimensions:
• Program Management - Define Problems and Opportunities
• Change Enablement - Form the implementation team
• Continual Improvement Lifecycle - Assess current state

Phase 3 - Where Do We Want To Be?

Dimensions:
• Program Management - Define the Roadmap
• Change Enablement - Communicate outcome
• Continual Improvement Lifecycle - Define target state

Phase 4 - What Needs To Be Done?
Phase 4 plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation. A well-developed business case will help ensure that the project's benefits are identified and continually monitored. Comprehensive business cases and change plans are developed, and projects planned, for delivering the work and effecting the implementation into the Enterprise.
Dimensions:
• Program Management - Plan Program
• Change Enablement - Identify role players

Phase 5 - How Do We Get There?
Phase 5 provides for the implementation of the proposed solutions into day-to-day practices and the establishment of measures and monitoring systems to ensure that business alignment is achieved and performance can be measured. Success requires engagement, awareness and communication, understanding and commitment of top management, and ownership by the affected business and IT process owners.
Dimensions:
• Program Management - Execute plan
• Change Enablement - Operate and use
• Continual Improvement Lifecycle - Implement improvements

Phase 6 - Did We Get There?

Dimensions:
• Program Management - Realize benefits
• Change Enablement - Embed new approaches
• Continual Improvement Lifecycle - Operate and measure

Phase 7 - How Do We Keep the Momentum Going?
Phase 7 reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritizes further opportunities to improve GEIT.
Dimensions:
• Program Management - Review effectiveness
• Change Enablement - Sustain
• Continual Improvement Lifecycle - Monitor and evaluate

Fig. 4. Overview of define Scope steps

COBIT describes a PRM in terms of:
• Purpose
• Outcomes
• Base Practices: the activity needed to accomplish the process outcome.
• Input and Output Work products.

Figure 8 shows the use case diagram of the COBIT roadmap implementation tool.

IV. CONCLUSION
This paper has presented a tool design of COBIT roadmap implementation; our design was based mainly on the COBIT 5 lifecycle of implementation. The purpose of such a tool is to industrialize the setup of COBIT; reduce costs and deadlines; ensure guidance and effective support through the IT governance implementation life cycle phases; and reduce the risk of failing financial investments.