PMI/OPM3 and CMMI Assessment
Alan McSweeney
November 26, 2009 2
Objectives
• Provide the customer with an understanding of the approach to using the PMI project methodology to implement IT quality management
Agenda
• PMI/OPM3 and CMMI in the context of COBIT
• Assessing PMI/OPM3 and CMMI
• Approach
• Indicative financial analysis
• Next steps
Background
• Maturity models allow organisations to identify and assess areas in need of process improvement
• IT Controls
− IT must implement internal controls around how it operates
− The systems IT delivers to the business and the underlying business processes these systems actualise must be controlled — these are controls external to IT
• CMMI and OPM3 are two such maturity models
− CMMI focuses on software engineering
− OPM3 focuses on project management across any project based activity
• The de-facto standard for IT governance is COBIT
− Control Objectives for Information and related Technology
IT Service Delivery Issues and Challenges
• Keeping up with business needs
• User and IT dissatisfaction with products and services
• High costs of delivery
• Delivery cycles too long
• Technology infrastructure out-dated
• Projects late and over budget
• Meeting service levels
• Regulatory requirements
OPM3
• OPM3
− Organizational Project Management Maturity Model (OPMMM or OPM3)
− Part of PMI — project maturity standard for organisations
• OPM3 focuses on knowledge, assessment and improvement
− Knowledge - why organisational project management and maturity are important and how to recognise enterprise competency
− Assessment - the procedure an organisation uses to determine its maturity
− Improvement - provides information on how an organisation can increase its organisational project management maturity
PMI — Project Management Areas
• Project Integration Management
• Project Scope Management
• Project Time Management
• Project Cost Management
• Project Quality Management
• Project Human Resource Management
• Project Communications Management
• Project Risk Management
• Project Procurement Management
Many Quality Management Frameworks
• Baldrige, QAI/QM, COSO, COBIT
• COQ, Six Sigma, ISO
• ITIL, CMMI, V-Model
SEI Capability Maturity Model Integrated (CMMI)
• Initial - Ad Hoc
• Repeatable - Disciplined Processes (Project)
• Defined - Standard Disciplined Processes (Organisation)
• Managed - Predictable Processes
• Optimising - Continuous Improvement
Comparison of Standards
What is COBIT?
• The de-facto industry framework for the management of Information Technology standards and processes
• All other frameworks and standards are a sub set of the COBIT framework
• COBIT comprises
− 4 Domains
− 34 Processes
− 318 Control Objectives
COBIT
• COBIT aims to be different from other quality and governance approaches in two ways
1. It is an IT governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks
2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables
COBIT and Other Standards
• COBIT provides a framework and an associated toolset that allow IT to implement controls, address technical issues and business risks, and communicate that level of control to IT business stakeholders
− By providing a toolset COBIT enables the development of policy and practice for IT control throughout the enterprise
• COBIT is integrated with other standards and thus can become an umbrella framework for IT governance
− It assists in understanding and managing the risks and benefits associated with IT
− The process structure of COBIT and its business-oriented approach provide an end-to-end view of IT
COBIT Domain and Process Structure
COBIT Structure
Maturity Models and COBIT
• Typically, when an organisation undertakes a maturity assessment, it achieves a single (scored) rating that summarises appraisal results and makes comparisons among the projects and processes via a staged representation format
• Each stage indicates the level of maturity in a graded scale of process improvement
• The model starts with basic management practices and progresses through a path of successive levels. No stages can be skipped
• To fully map and understand a maturity model, you must place the model in an IT governance context, hence the COBIT framework
COBIT Process Domains and The Delivery of Information to Meet Objectives
[Diagram: the four COBIT process domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) deliver Information to meet Governance Objectives and Business Objectives]
COBIT Domains and Processes
Plan and Organise (PO)
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine technological direction
• PO4 Define the IT processes, organisation and relationships
• PO5 Manage the IT investment
• PO6 Communicate management aims and direction
• PO7 Manage IT human resources
• PO8 Manage quality
• PO9 Assess and manage IT risks
• PO10 Manage projects
Acquire and Implement (AI)
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Enable operation and use
• AI5 Procure IT resources
• AI6 Manage changes
• AI7 Install and accredit solutions and changes
Deliver and Support (DS)
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Manage service desk and incidents
• DS9 Manage the configuration
• DS10 Manage problems
• DS11 Manage data
• DS12 Manage the physical environment
• DS13 Manage operations
Monitor and Evaluate (ME)
• ME1 Monitor and evaluate IT performance
• ME2 Monitor and evaluate internal control
• ME3 Ensure regulatory compliance
• ME4 Provide IT governance
COBIT Information Measurement Criteria
• COBIT defines seven measurement criteria:
1. Effectiveness - Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
2. Efficiency - Concerned with the provision of the information through the optimal use of resources
3. Confidentiality - Concerned with the protection of sensitive information from unauthorised disclosure
4. Integrity - Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
5. Availability - Relates to the information being available when required by the business process now and in the future
6. Compliance - Deals with complying with laws, regulations and contractual arrangements
7. Reliability - Relates to the provision of appropriate information for the workforce of the organisation
COBIT Process Goals and Metrics
• Goal
− Activity Goals
− Process Goals
− IT Goals
• Metric
− Key Performance Indicators
− Process Key Goal Indicators
− IT Key Goal Indicators
Sample Goals and Metrics for the COBIT Process PO1 Define a Strategic IT Plan
Activity Goals
• Engaging with business and senior management in aligning IT strategic planning with current and future business needs
• Understanding current IT capabilities
• Translating IT strategic planning into tactical plans
• Providing for a prioritisation scheme for the business objectives that quantifies the business requirements
Process Goals
• Define how business requirements are translated in service offerings
• Define the strategy to deliver service offerings
• Contribute to the management of the portfolio of IT-enabled business investments
• Establish clarity of business impact of risks to IT objectives and resources
• Provide transparency and understanding of IT costs, benefits, strategy, policies and service levels
IT Goals
• Respond to business requirements in alignment with the business strategy
• Respond to governance requirements in line with board direction
Key Performance Indicators
• Delay between updates of business strategic/tactical plan and updates of IT strategic/tactical plan
• % of strategic/tactical IT plan meetings where business representatives have actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• % of tactical IT plans complying with the predefined structure/contents of those plans
• % of IT initiatives/projects championed by business owners
Process Key Goal Indicators
• % of IT objectives in the IT strategic plan that support the strategic business plan
• % of IT initiatives in the IT tactical plan that support the tactical business plan
• % of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plan
IT Key Goal Indicators
• Degree of approval of business owners of the IT strategic/tactical plans
• Degree of compliance with business and governance requirements
• Level of satisfaction of the business with the current state (number, scope, etc.) of the project and applications portfolio
COBIT Generic Process Controls
• In addition to the process-specific control objectives, COBIT includes a set of generic process controls that are applied to all processes
− PC1 Process Owner - Assign an owner for each COBIT process such that responsibility is clear
− PC2 Repeatability - Define each COBIT process such that it is repeatable
− PC3 Goals and Objectives - Establish clear goals and objectives for each COBIT process for effective execution
− PC4 Roles and Responsibilities - Define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution
− PC5 Process Performance - Measure the performance of each COBIT process against its goals
− PC6 Policy, Plans and Procedures - Document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process
COBIT Generic Application Controls
• As with the generic process controls, COBIT includes a set of generic application controls that are applied to all processes
− Data Origination/Authorisation Controls
• AC1 Data Preparation Procedures
• AC2 Source Document Authorisation Procedures
• AC3 Source Document Data Collection
• AC4 Source Document Error Handling
• AC5 Source Document Retention
− Data Input Controls
• AC6 Data Input Authorisation Procedures
• AC7 Accuracy, Completeness and Authorisation Checks
• AC8 Data Input Error Handling
− Data Processing Controls
• AC9 Data Processing Integrity
• AC10 Data Processing Validation and Editing
• AC11 Data Processing Error Handling
− Data Output Controls
• AC12 Output Handling and Retention
• AC13 Output Distribution
• AC14 Output Balancing and Reconciliation
• AC15 Output Review and Error Handling
• AC16 Security Provision for Output Reports
− Boundary Controls
• AC17 Authenticity and Integrity
• AC18 Protection of Sensitive Information During Transmission and Transport
Current Situation
• As CMMI came first (published in 1991), many organisations have implemented CMMI and have developed processes and standards to support this framework
• With the later arrival of OPM3, many organisations are trying to establish where it fits, and whether and how a software engineering maturity model works in conjunction with a project management maturity model
Benefits of Implementing IT Control Framework
• Better IT to business alignment built on a business focus
• Management view of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfillment of the governance requirements for the IT control environment
Approach
• Step 1: Analyse
• Step 2: Assess and Identify Gaps
• Step 3: Recommend and Quantify Next Steps
Step 1: Analyse
• Establish scope of assessment within Customer using COBIT framework and domains
• Identify overlaps, differences and gaps between the two frameworks using COBIT’s domains within this scope
Example Comparison of CMMI and OPM3
Domain - Assessment
• PO - Processes are moderately addressed by both ITIL and PMBOK and rarely addressed or none at all by CMMI
• AI - Processes are frequently addressed by CMMI, moderately addressed by ITIL and none at all by PMBOK
• DS - Processes are frequently addressed by ITIL and rarely addressed or none at all by OPM3 and CMMI
• ME - Processes are moderately addressed by CMMI and rarely addressed or none at all by ITIL and PMBOK. Keep in mind a domain ranking for the three compared frameworks is a summary of rankings for each process in the domain
Step 2: Assess and Identify Gaps
• What is the impact of gaps in CMMI coverage in Customer’s environment?
• Will OPM3 bridge these gaps?
• Can the gap closure requirement be clearly stated in a specific recommendation?
• What benefit would be derived from closing the gap?
Step 3: Recommend and Quantify Next Steps
• Are the benefits of the recommendations clearly quantified?
• Can they be delivered within a realistic timetable?
Conclusions
• OPM3 and CMMI are not exclusive standards, and can be used together
• A practical, benefits-driven approach is required to assess the benefit of combining OPM3 with CMMI
• This must be considered within an overall framework (COBIT) if the two maturity models are not to be seen to compete
• To do this successfully, the following factors also need to be assessed
− The level of compliance the business is currently subject to
− The amount of software engineering and project based activity being undertaken
− The project management skills and experience currently within the organisation