CHAPTER 6: DOMAINS AND PROCESSES

‘If you can’t describe what you are doing as a process, you don’t know what you’re doing.’

William Edwards Deming (1900-1993)

COBIT 5 has 37 processes in five domains. The governance domain, Evaluate, Direct and Monitor (EDM), has five processes. The four management domains, Align, Plan and Organise (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA), have the remaining 32 processes. Table 6.1 shows how many processes there are in each domain and illustrates the main role of the domain.

Table 6.1: COBIT®5 Domains

This chapter looks at the structure of processes as described in the COBIT 5: Enabling Processes guide. Recall from Chapter 5 (Enabler 2: Processes) that the structure of this guide is sometimes referred to as the Process Reference Model (PRM), but strictly speaking the formal PRM – that is, a document that uses the formal terminology required by ISO/IEC 15504 – is only in the COBIT 5: Process Assessment Model (PAM): Using COBIT 5.

Appendix A lists all of the 37 processes and shows related frameworks and standards.

Each COBIT 5 process is structured in a consistent format that is extremely easy to understand and use. Each process is about four to six A4 pages. We are going to discuss the topics in the order in which they are described in each process. We will draw on two example processes:

• A governance process: EDM01: Ensure Governance Framework Setting and Maintenance.

• A management process: DSS02: Manage Service Requests and Incidents.

Bold headings and italic fonts are word-for-word extracts from the COBIT 5: Enabling Processes guide.

An Example of a Governance Process

Process Number: EDM01

Process Name: Ensure Governance Framework Setting and Maintenance

Area: Governance

Domain: Evaluate, Direct and Monitor

Process Description: Analyse and articulate the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission goals and objectives.

Process Purpose Statement: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprises’ strategies and objectives, ensure the IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed and the governance requirements for board members are met.

IT-related Goals: Appropriate IT-related goals (three) from the list of 17 IT-related goals discussed as part of the goals cascade in Chapter 4.

Related Metrics: Three or four metrics for measuring achievement of each IT-related goal.

Process Goals: Called process goals (three), but effectively these are the process outcomes.

Related Metrics: Two or three metrics for measuring achievement of each process goal.

RACI Chart: The governance practices are defined (three) and numbered using decimal points:

EDM01.01 Evaluate the governance system
EDM01.02 Direct the governance system
EDM01.03 Monitor the governance system

A RACI chart is provided that shows for each of these governance practices which of the 26 roles (shown in Table 5.5 in Chapter 5) are responsible, accountable, consulted or informed. Only one role is accountable for each governance practice.

Governance Practices, Inputs/Outputs and Activities:

Each of the governance practices EDM01.01, EDM01.02 and EDM01.03 is described with a brief paragraph explaining each governance practice. Each governance practice shows its inputs and its outputs. Inputs are frequently from other governance practices or management practices, but sometimes inputs are from Outside COBIT, for example, regulations for governance practice EDM01.01 and audit reports for governance practice EDM01.02. Outputs are typically to other governance practices or management practices, for example, governance practice EDM01.01 has an output Authority levels that is delivered to All EDM and to management practices APO01.01 and APO01.03. Each governance practice also details the activities that make up the practice and these are a sentence each. For example, the governance practice EDM01.01 has eight activities and the second one of these activities is ‘Determine the significance of IT and its role with respect to the business.’

Related Guidance: Describes related standards and/or frameworks with detailed reference to which section of a standard document or a specific framework guide is relevant. For example, the Organisation for Economic Co-operation and Development (OECD) has Corporate Governance Principles that can exist with the detailed definition of governance process EDM01.

An Example of a Management Process

Process Number: DSS02

Process Name: Manage Service Requests and Incidents

Area: Management

Domain: Deliver, Service and Support

Process Description: Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service, record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.

Process Purpose Statement: Achieve increased productivity and minimise disruptions through quick resolutions of user queries and incidents.

IT-related Goals: Appropriate IT-related goals (two) from the list of 17 IT-related goals discussed as part of the goals cascade in Chapter 4.

Related Metrics: Three or four metrics for measuring achievement of each IT-related goal.

Process Goals: Called process goals (three), but effectively these are the process outcomes.

Related Metrics: One or two metrics for measuring achievement of each process goal.

RACI Chart: The management practices are defined (seven) and numbered using decimal points:

DSS02.01 Define incident and service request classification schemes
DSS02.02 Record, classify and prioritise requests and incidents
DSS02.03 Verify, approve and fulfil service requests
DSS02.04 Investigate, diagnose and allocate incidents
DSS02.05 Resolve and recover from incidents
DSS02.06 Close service requests and incidents
DSS02.07 Track status and produce reports

A table is provided that shows for each of these management practices which of the 26 roles (shown in Table 5.5 in Chapter 5) are responsible, accountable, consulted or informed. Only one role is accountable for each management practice.

Management Practices, Inputs/Outputs and Activities:

Each of the management practices DSS02.01, DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 and DSS02.07 is described with a brief paragraph explaining each management practice. Each management practice shows its inputs and its outputs. Inputs are frequently from other management practices or governance practices, but for the DSS02 management practices these are only from other management practices. Outputs are typically to other management practices or governance practices, but the DSS02 management practices are only linked to other management practices, for example, management practice DSS02.04 has an output Problem log that is to management practice DSS03.01. Each management practice also details the activities that make up the practice and these are a sentence each. For example, the management practice DSS02.05 has four activities and the third one of these activities is ‘Perform recovery actions if required.’

Related Guidance: Describes related standards and/or frameworks with detailed reference to which section of a standard document or a specific framework guide is relevant. For example, ITIL V3 2011 is the related framework and the relevant sections are: Service Operation, 4.2 Incident Management and Service Operation, 4.3 Request Fulfilment.
