The IT Skeptic looks at the COBIT Body of Knowledge - a layman's view

This is a video (and synchronised powerpoint) of a presentation by the IT Skeptic given to itSMFnz Wellington chapter on "the COBIT Body of Knowledge - a layman's view". 42 minutes, no download required.
Using COBIT as the framework for ITSM, ITIL shouldn’t be centre of the universe: COBIT as more than just an Audit Tool


Beyond COBIT?


At last us folks in Europe get to see a Skeptic performance. Good one! A fair comparison of COBIT, VAL IT and ITIL, I felt, that was likely to motivate an interest in COBIT.

At one point, you discussed the plethora of frameworks and standards - COBIT says it is based on over 50 others. There is a need, I feel, to integrate and unify these frameworks and standards. COBIT mappings are a significant step towards this and USMBOK, that you mentioned is, perhaps, one such attempt, although I am not familiar with that, myself.

However, you didn't speak about a major initiative that has been underway for 2-3 years - IT Capability Maturity Framework (IT-CMF) from The Innovation Value Institute (IVI) consortium. There is a 90 minute official launch video (from Feb-09) available at - if short of time just watch Martin Curley's presentation.

More Information
IT-CMF is attempting to integrate frameworks and provide a "periodic table of atomic processes". It is aimed at delivering business value from IT, so is an Enterprise Governance of IT approach but one that is broader than COBIT, VAL IT and Risk IT. It has 36 processes categorised under 4 dimensions:
1. Managing IT like a Business,
2. Managing the IT Budget,
3. Managing the IT Capability
4. Managing IT for Business Value

It maps on to COBIT, ITIL and many, many other frameworks.

IT-CMF is led by Martin Curley (Intel and National University of Ireland-Maynooth) and has as major partners and contributors: The Boston Consulting Group, BP, Chevron, Google, Microsoft, Ernst and Young, SAP, Gartner EXP and many more making about 30 of the world's leading companies. Significant testing of some of the core processes of the framework has taken place in these companies already and it is expected to be fully available by 2010. With this backing and the recent Microsoft announcement of the synergy of COBIT, VAL IT and MOF, I don't think any of us working in ITSM should ignore IT-CMF. I feel it might be the ITSM equivalent of the physicists' "Theory of Everything".

no answers

I like the idea of IT-CMF. i have tried for six months to get the following questions answered. Answers are promised but not forthcoming:

1) What is the status of the IT-CMF? How much exists beyond the 4x5 matrix and how much “will be developed”? For example where I can see the 35 processes?

2) In what form does the IT-CMF exist? Book? Online content? As-yet-unsynthesised working group materials?

3) Is the IT-CMF available? How does one obtain the IT-CMF?

4) How do the books on the website relate to the IT-CMF?

5) How does the IT-CMF relate to ITIL and COBIT, as the incumbent IT frameworks? (Yes I know they are not governance frameworks but if the models and terminology differ then a mapping will be essential)

6) How does IT-CMF relate to ISO38500?

7) What will be the status of IT-CMF? Will it be public domain? Members-only? A commercial product?

You are obviously party to much more information than the website reveals. Nor does the site seem to have got any more informative in the last six months. My take so far: nice concept, where's the meat?

Sorry - I have no insider information

I understand your concerns.

My thoughts are my own based on public information and the fact that so many "big players" are involved means we should keep tracking IT-CMF. There are academic qualifications in IT-CMF (Diplomas at NUI-Maynooth) that perhaps might spread into the commercial training domain - at least I'm personally watching this from my viewpoint as an ITSM training provider. ITIL is essential for quality IT service management but it does not alone deliver IT Governance objectives.

The plethora of ITSM frameworks and standards needs consolidation in my view; that's why I'm so interested in IT-CMF. This situation reminds me of the joke from the early 90s when the publication of international standards in networking were boomimg: "The great thing about standards is you have so many to choose from!".

A related questions that occurs to me:

Is Microsft just in IVI to keep it's eyes on the possible competition for MOF/COBIT/VAL IT, or is there a strategic intent? ITSM is after all a multi-billion dollar industry.

Q1 is partially answered in the videocast:

Time: 60:14 A list of the 36 processes and their abbreviations only

There is more information in an interview with Curley (podcast) on 9 July 09 - that's where 2010 for release comes from in fact he says middle of 2010 for V1.

IT-CMF announced yet again

I see IT-CMF announced yet again today but the website consists of the same pretty pictures it did a year ago (except the self-assessment may or may not be new - I don't recall).

I'm sure it's great and we're gonna just love it when we see it, but this endless tease grows tiresome.

More details on IT-CMF

I've been in touch with the IVI, the organisation behind IT-CMF. Release is scheduled for June 2010. For those wondering I can share the following

the IT-CMF is an integrating framework, based on leveraging existing frameworks. While these frameworks [ITIL, COBIT, ISO38500] in their own right are good management tools, they don’t address all aspects of IT management that a CIO must deal with. As part of the outputs from the IVI research we will be addressing the mapping to the existing frameworks.

The IT-CMF will be released in 3 forms: overview material and at least one set of assessment questions will be available in the public domain, all material is available to IVI members, and IVI will offer assessments and education. In addition, key IVI members will also provide assessments (certified by IVI) and provide consultancy services to support the application of the IVI recommendations within an organization, and help in evaluating the results.

Currently it is only available to IVI Consortium members: one can join IVI by contacting the IVI office at (tel: +353-1-7086931). Once released, we will have local representation in many countries, including probably two initially in the USA (west coast and east coast).

Uber Framework


The Intel series of books are well produced and chase down sound theories. They need other references to work. It also had good funding.

However, its not easy finding all the frameworks - no-one has contacted us yet about positioning the USMBOK (:-)). Providing a consistent insight into these disparate frameworks and a pragmatic approach to exploiting them is the proverbial herding of cats. Believe me I know as this was exactly what I encountered when writing the USMBOK. In that case I was helped by my product management training and background and by having a different intent - universally applicable concepts and methods to manage services across industries.

Anything that offers clarity over the mission of IT is welcomed and these books have a lengthy pedigree going back as far as 2003/2004 - pre ITIL V3.

IT-CMF launched in Melbourne last week


Went to BCG's Melbourne office last Thursday for a launch of IT-CMF. The breakfast was lovely.

It does look quite good and is clearly developed by some very bright people.

The processes/disciplines wrapped up in the 4 pillars of awesomeness are:
Managing IT like a business
* IT Leadership & Governance
* Bus. Process Mgt
* Bus. Planning
* Strat planning
* Demand & Supply Mgt
* Capacity Forecatsing & Planng
* Risk Mgt
* Org Design & Planning
* Sourcing
* Innovation Mgt
* Service Analytics & Intelligence
* Sustainability

Managing the IT Budget
* Funding & Financing
* Budget Mgt
* Portfolio Planning & Prioritisation
* Budget Oversight & performnce Analysis

Managing the IT Capability
* EA Mgt
* Tech Infra Mgt
* Ppl Asset Mgt
* Relationship Asset Mgt
* R&D&Engineering
* Solutions delivery
* Service Provisioning
* User Training Mgt
* User Experience Design
* Prog & Proj Mgt
* Supplier Mgt
* Capability Assessment & Mgt

Managing IT for Bus Value
* Benefits Assessment & realisation
* Portfolio Mgt

So there's your list. Yep, it is quite exhaustive, but the devil is in the detail, which was minimal although this was a 45 min launch.

The sales pitch was interesting:
* We are credible (which, granted they are), lots of big organisations contributing to this.
* Any frameworks you’re referencing right now are incomplete, so you should use this. They used some spider graphs showing how incomplete ITIL is (but seemed to pretty much base it on V2), How incomplete I think it was Prince2 is. But conveniently didn’t map COBIT.
* Start with an assessment (that currently only BCG can do unless you do a self-assessment), even a quick & dirty one.
Truth be known, the compelling bit was that they have mapped out initiatives against the areas, based on your response to a given set of questions and where the benefits are most likely to lie. Ie: you improve this, and your benefits are likely to be yielded here & there. That is the bit that made me sit up and stop chewing my pastry.
* I'd describe this as a "soft launch", not alot of call to action, no sales guys crawling over us - I respected this approach - if we need 'em we'll approach them. It was a "food for thought" style prez.

I asked a couple of questions, got some curious answers (and I’m paraphrasing here):
Q1) What tangibles do I get – are there some books? Best practices? Guides? Cause & effect database?
A1) “Basically you can do assessments and get reports/recommendations. You can do some training too. No, you cannot have the Best Practice IP” It didn’t really go beyond that which was a bit ordinary. I got the sense that the people who are Members of the Innovation Value Institute (IVI) get access to the goodness. It is not public domain yet.
Q2) For better or worse, an industry has sprung up around some of the other frameworks. What is your vision for the supporting industry (consulting companies, training companies, certification schemes, toolset vendors, industry bodies – global chapters) for IT-CMF?
A2) “We don’t want to see that happen – this should be intuitive enough for IT Leaders to utilise without constantly engaging third parties. Also, this framework belongs at the Steering level.” This wasn’t the answer I was expecting. I wasn’t sure whether that meant “we don’t want to share or have our consulting revenues cannibalised by something that is 'open', or this will get legs if it provides value, over time".
Q3) This seems to be the framework to pull together the frameworks. Are you anticipating a new ISO standard or consolidation of a few standards to set a bar?
A3) “That would be great, but is a way down the track.” Pretty realistic answer.

I received an information pack – a 2-page summary of each of the 30 something processes, an exec overview and some laminated slides.
Cultural Change is given a couple of throw-away bullet-points in two of the processes which is a bit of a gap – should stand in its own right. But truth be known, many of the bits that you chip away at to develop or retain a constructive culture are there.

I might be coming across as a bit negative – I’m not. At face value the framework has most of the things I see as important, some things I hadn't thought of, many things that go outside my direct experience and some that do my head in when I consider the possibilities and complexities. I certainly got the impression that this framework was for larger organisations – if you need to ask how much you probably can’t afford it. But in theory - this has the potential to be industry changing, well actually, industry defining. The change may never ever happen...

Anyway, my 20 cents on a 45 min launch. And only worth 20 cents!

PS: Skep – email me your postal address and I’ll send you my info pack so you can have a looksey for yourself.


The model is heavy on planning and budgeting, I suppose customer service is hidden under tech infra management.

I would say that one of the four pillars should be customer service/relationship management which seems to be well hidden. The User Training Mgmt indicates that this framework is meant for IT Directors who think they are the center of the world with total control over it and I guess there may well be large IT divisions in big US corporations who have that position. I'm sure that the BCG knows their business and will have customers willing to spend a lot of time and money studying their own IT Universe.



I think Aale has nailed my concern
It smells big corporate inside-out self-absorbed IT
Mind you the same could arguably be said about ITIL
But anyway I'm not hearing anything radically new: YAFF I'd say - Yet Another Framework. It's a crowded market.

And brilliant intelligence thanks Tom!

Masked superheros

One of my souveniers from Pink11 US trip is a thick book of Superman and Batman together. Superman was the first great success of the masked heros and then many others followed the same route of secret identity, mask and costume and some kind of superpowers.

I see an analogy between those masked heros and the ITSM frameworks. ITIL is the Superman, COBIT the Batman etc. They all have something in common and all try to save the world with a complicated model. The solutions become more and more complicated as the original idea becomes worn. The book of Superman and Batman working together which I bought represents in a way Rob's dream of unified ITIL and COBIT.

It is rather amazing that all the frameworks seem to have one common feature; they all lack proper customer interface. There should be sales, marketing and CRM/BRM processes. I find it quite silly to talk about Service Lifecycle without sales & marketing. Please, think of any business where the technical people decide Service Lifecycle without talking to sales! (Ok, Nokia pops immediately to my mind but see what happened:)



ITILv3 has 26 "official" processes and the upcoming COBIT5 promises over 40 processes yet the ISO 20000 folks have chosen to keep their revision (due out in a few months) to around 15 or so. In discussions around this the prevailing wisdom was that IT folks just getting on board would (and do) find ITIL & COBIT a bit overwhelming. Especially when the ISO is, in fact, prescriptive...(you shall... as opposed to you should...). I think the ISO folks might be on to something here. The ISO 20000 processes are based on the ITILv2 Service Support & Delivery processes which most orgs are still struggling to implement. These are still the processes with the greatest impact as well. Hmmmm.... Half the processes, twice the bang! OK, now where are those sales & marketing folks?

Too many processes spoil the broth

What we have in both the case of ITIL and COBIT is implicit endorsement of the fallacy that local optimization leads to global optimization. By listing all these objectives, without providing a proper set of larger abstractions to help understand and prioritize them in terms of overall value, the frameworks degenerate into laundry lists and (to George's point) ISO/IEC: 200000 chooses to stick with the arguably higher value add ITIL v2 core. The result is scattershot ITSM implementations and in words of Womack & Jones in Lean Thinking:

lots of commotion, many isolated victories… and… loss of the war when no sustainable benefits reached the customer or the bottom line.

It's not a bad thing to identify diversity of "practices" or "disciplines" or perhaps "capabilities" in IT management. But the term process should be reserved for longer lived, event driven, countable, value adding sequences of activities. My view is that there may be about 8 or 9 varied forms of true event driven "processes" in IT management, if we insist on a base entity (which what makes the process countable).

You can call it "flow kaizen" if you like. Or not, if the Lean terminology is off-putting. But it's what we need in large scale IT management guidance.

Charles T. Betz

big picture

So what defines the large objectives for global optimisation? Can they be generalised for all organisations in the same way as "local optima"?

The $64k question

Well, that's the $64k question we've kicked around here from time to time. It takes us down the same road as Goldratt's The Goal. We know a few things:

- One can only optimize a complex system for one thing - multiple optima are not possible - and this has implications for the value network advocates out there, since the existence of multiple stakeholders is a part of that discourse
- If the true value of IT services is transactional value delivery, we can then view the production of those transactions as the thing to be optimized. However, there is still considerable complexity: the product lifecycle (creating the transaction template, the "utility") vs. reliably and quickly delivering the actual transaction (the "warranty.") Both are value streams. We know that both cannot be optimized at the same time, so at least part of the answer to your question must be "no" - different organizations must choose different tradeoffs between utility and warranty.
- But we *can* decompose the lifecycle of the service as a product (I believe it has four subsidiary lifecycles) and nine or so large grained processes needed to align those lifecycles so that they deliver the service.

Charles T. Betz


I don't believe you are correct.

In fact, I'm pretty sure you just trampled over multiple bodies of mathematics -- Hamiltonian dynamics (heteroclinic?), Path relinking, Simulated Annealing, and about a dozen others -- as well as a Nobel prize winner or two (Nash Equilibrium comes to mind).

Not to mention, methodologies in manufacturing and aerospace explicitly designed for dealing complex system optimization.



We've had our differences but I'm prepared to admit I may be wrong on this one and I truly want to offer an olive branch. I've been reading what from your point of view is probably entry level MBA material and I could have sworn I've seen it said multiple times that by definition one optimizes for only one thing at once. I don't have time to go back and track down where I might have seen it, so let's go with your statement that one can optimize for multiple things at once.

Of course one of the simplest ways to do this is simply scope an aggregate function which consolidates/weights the multiple objectives into one larger, logical system, so some of the issue is merely about defining "system" boundaries. I'm also aware that there are limitations to this approach, and that's about the extent of my knowledge of the hard mathematics.

The practical question here I think still stands. How do we optimize the complex system that is an IT value chain/stream/network (take your pick)? How do we understand goals and objectives? Is "optimizing" even the right narrative?

Goldratt says that an aggregation of local optima is not a global optimum; it is very inefficient. This resonates with my daily experience. I'm concerned that the large IT frameworks, and in particular the concept of capability maturity, are merely attempts to aggregate local optima. Is this is valid concern? Is Goldratt wrong? Is there a better map? How do we get to the larger abstractions, the flow kaizen as opposed to the process kaizen? "Quote to Cash," not "Marketing vs. Sales vs. Production"? "Inspire to Retire," not "Architecture vs. Dev vs. Ops"? Is the quest for such abstractions beneficial or harmful?


Charles T. Betz

Why not?

Sorry, do not understand? Why multiple optima are not possible? I mean finding a solution which combines near optimal solution for several variables. And anyways finding optimal solutions can be a terrible waste of time when the difference is minimal. The goal is to find a solution that works for all stakeholders.

Churchill's famous dictum fits here: "Democracy is the worst form of government, except for all those other forms that have been tried from time to time." (from a House of Commons speech on Nov. 11, 1947)

when "several" is "several dozen"

The capitalist organizations I work in are goal-seeking animals, and at a minimum, I would scrutinize every single dimension being proposed. If one is not good enough then maybe we need two but let's be very careful. Three? Sigh... And proliferating to twenty or forty is what Goldratt warns of; you will have no global optimum, in fact you will have a confused, inefficient mess which is what we've seen when CMMI or ITIL advocates run off and try to fix everything.

This is philosophical terrain in some sense, and in a macro political context I also would be very cautious about any concept of "optimization." I think totalitarianism could result, to your implication. Is the search for "optimization" a hegemonic discourse? That might be a deconstructionist critique - claiming to interpret the "optimum" could be a linguistic play for power.

But I left that stuff behind a long time ago and ITSM in an enterprise context is my declared boundary - not the polis.

The Wikipedia article on multi-objective optimization is useful, see the AOF section.

Charles T. Betz


My simplistic layman's view of Goldratt's ideas is that benefit is only delivered when you address a specific constraint that is preventing you from delivering value, and that there is an activity required to identify what that desired value really is. Often it seems organisations are seeking multiple goals when in fact they are aspects of the same underlying goal, but that needs to be made explicit.

What often goes wrong in the real world is when multiple initiatives are started without a sense of purpose or an awareness of a system viewpoint. Which brings us back to the CMDB issue. There is no point developing an all singing all dancing CMDB if the actual impact it has on the value delivered is zero or negative.

My preferred approach these days is to try and identify a clear bottleneck with a clear business impact, such as the role of the security team in approving changes, and then apply the drum and rope approach to removing it. Obviously that means making changes outside of the security team. Once that is fixed I can move on to the next constraint. Hopefully what I will never find myself doing in the future is an "ITIL V3 implementation" or a recommendation to go for the low hanging fruit just because it happens to be there.

Of course that still means we need a way of de-constructing the value network in such a way that I can treat elements of it as being discreet There are cliches from my early ITIL days that still come back to haunt me: It is true that all the elements of ITIL are interconnected, but that doesn't mean that I can't make changes within one process/function/capability without involving the whole organisation.

James Finister

Local optima, functional bias?

I don't see any evidence of a lifecycle or process approach, either. Ask again: is the search for "maturity" across "capabilities" equivalent to the fallacy that one achieves global optima through local optima? Here for further discussion.

Charles T. Betz

Syndicate content