DuPont Drives Continuous Improvement With COBIT 5 Process Assessment Model

Author: James F. Aliquo Jr., CISA, CRISC, and Zhiwei Fu, Ph.D., CISA, CRISC, CGEIT, CFE, PMP
Date Published: 1 April 2014

Over time, business has increasingly advanced the application of IT to meet ever-changing business needs and regulatory requirements. A systematic and continuous improvement program is needed now more than ever to help businesses assess IT management capabilities; identify strengths, weaknesses and risk factors with respect to business requirements; and implement process changes to enhance services and operations needed to meet stakeholder and business needs. In essence, continuous improvement helps an organization focus on “doing things right” and continually improving its effectiveness and efficiency.

To successfully meet this need, DuPont recognized that it must leverage a robust, dependable process assessment framework to drive its continuous improvement program. The COBIT 5 process assessment model (PAM)¹ is evidence-based and enables a reliable, consistent and repeatable assessment in the area of governance and management of enterprise IT (GEIT) to support continuous process improvement (the COBIT Assessment Programme²). Accredited training organizations deliver training on the assessment approach, and an assessor certification, COBIT 5 Certified Assessor, is available from ISACA.

DuPont had successfully applied the COBIT framework for its IT process management, governance and audit compliance over a period of years and, therefore, decided to use the COBIT 5 PAM. IBM Global Business Services, a premier consulting service provider that has broad knowledge of COBIT implementation, deep expertise in enterprise IT process management and governance, and extensive experiences in both private and public sectors, was asked to perform an independent process capability assessment for DuPont.

Background on DuPont

E. I. du Pont de Nemours and Company, commonly referred to as DuPont, is a Fortune 500 American chemical company. DuPont’s vision is to be the world’s most dynamic science company, creating sustainable solutions essential to a better, safer and healthier life for people everywhere. For more than 200 years, DuPont has served markets as diverse as agriculture, nutrition, electronics and communications, safety and protection, home and construction, transportation, and apparel. Over the years, DuPont has advanced to become a world leader in market-driven innovation and science. It has brought world-class science and engineering to the global marketplace through innovative products, materials and services, and introduced thousands of new products and patent applications every year. The DuPont information sciences and IT organization provides globally-integrated communication, information services and computing infrastructure that enables the enterprise to provide solutions for the world’s most urgent needs, and more important, uses information and technology for a competitive advantage, fueling business growth for the company.

Establish the COBIT 5 PAM Assessment

The COBIT 5 PAM is an ISO/IEC 15504-based process capability assessment model that incorporates COBIT 5 as the process reference model (PRM) for base requirements and ISO/IEC 15504 as the basis for the measurement framework to determine capability levels.

COBIT 5 brings together its five key principles that allow enterprises to build an effective governance and management framework, and a holistic set of seven enablers that help enterprises optimize information and technology investment and use for the benefit of stakeholders. Furthermore, COBIT 5 enables information and related technology to be governed and managed in a holistic manner for entire enterprises, taking in the full end-to-end business and functional areas and considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or public-sector.

The ISO/IEC 15504 standard identifies management process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach. The purpose of process improvement is to continually improve the enterprise’s management effectiveness and efficiency, and the purpose of process capability determination is to identify the strengths, weaknesses and risk factors of selected management processes with respect to a particular, specified requirement through the processes used and their alignment with business needs.

Leveraging ISO/IEC 15504, in conjunction with the widely accepted COBIT framework for GEIT, makes the COBIT 5 PAM the basis for a robust, dependable and scalable assessment approach. Figure 1 illustrates the high-level architecture of the COBIT 5 PAM.

The COBIT 5 PAM is composed of a process dimension and a capability dimension, a set of process performance indicators that are specific to each process and used to determine whether a process is at capability level 1, and a set of generic process capability attribute indicators that apply to capability levels 1 to 5. The process capability attribute indicators are generic for each process attribute and are used as the basis for collecting the objective evidence from which process capability ratings are determined. The process dimension of the PAM uses the COBIT 5 PRM, where the governance and management processes are defined in a life cycle and classified into process categories, with an architecture describing the relationships among the processes. The capability dimension provides a measure of a process’s capability to meet the current or projected business goals for the enterprise process, expressed in terms of nine process attributes grouped into five capability levels. Figure 2 illustrates the two-dimensional COBIT 5 PAM, with the PRM as the process dimension and the ISO/IEC 15504 measurement framework as the capability dimension.


The COBIT 5 PRM subdivides the IT-related processes, practices and activities of the enterprise into two main areas, governance and management. Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved, setting direction through prioritization and decision making, and monitoring performance and compliance against enterprise objectives. Management ensures that the plan, build, run and monitor (PBRM) IT management activities are executed in alignment with the direction set by the governance body to achieve the enterprise objectives.

The PAM process capability levels begin at level zero (incomplete process), then level one (performed process) and level two (managed process), which generally represent the instance view of an individual program or project. At level two, the base management practices are performed in a managed fashion (planned, monitored and adjusted) to achieve the process purposes, with work products appropriately established, controlled and maintained. Process capability levels three (established process), four (predictable process) and five (optimized process) represent the enterprise view of the corporate capability for a process, where a standard enterprise-level process is deployed and operated within defined limits to achieve its process outcomes and is continuously improved to meet relevant current and projected business goals. The COBIT 5 PAM assessment evaluates whether, and how well, the specific process attributes at each level are achieved, and provides a level of confidence in the assessment results that indicates the overall capability of the management processes. A rating that indicates the degree of achievement is assigned accordingly, based on objective and validated evidence for each process attribute. The capability level of a process is determined according to ISO/IEC 15504 on the basis of the achievement of the process attributes, i.e., a process is at a given level when the process attributes at that level have been largely or fully achieved and the process attributes of all lower levels have been fully achieved.

Plan and Scope the COBIT 5 PAM Assessment

Diligent assessment planning and proper scoping were critical to the success of the COBIT 5 PAM assessment at DuPont. This involved identifying relevant DuPont business drivers and associated stakeholder needs for the process assessment, selecting the target processes that would be included in the scope of the assessment, identifying any relevant constraints, selecting the assessment participants and the assessment team, and defining their respective roles and responsibilities. DuPont and IBM collaborated with the relevant stakeholders and determined the assessment scope, the management processes to be assessed, assessment constraints and participants, and the type of assessment to be executed (class two). Based on the assessment scope and requirements, IBM established a PAM assessment team of competent and certified assessors, independent from the organizations performing the management processes.

It was integral to the assessment planning and scoping that the assessment team identified and reviewed DuPont business and regulatory requirements and developed various diagnostic tools, assessment templates, guidelines and procedures to ensure assessment standardization and consistency across the processes assessed. There were a number of assessment tools and templates developed and applied by the assessment team that effectively addressed assessment and stakeholder needs. The assessment team managed the assessment plan, scope and schedule through constant tracking and continual communication with DuPont leadership and associated stakeholders. All assessment statuses and issues, changes and updates were identified and communicated in a timely manner to the appropriate DuPont stakeholders for proper action.

Perform the COBIT 5 PAM Assessment

The COBIT 5 PAM assessment was carried out based on the assessment class (class two) and assessment scope chosen by DuPont management (in accordance with the Assessor Guide: Using COBIT 5³) with the goal of determining whether the management processes at DuPont had met the business needs and regulatory requirements, achieved the process purposes, applied good practices, managed the life cycle of the processes, and produced appropriate work products. A number of assessment techniques were developed and applied in the process assessment, including:

  • Management diagnostics and awareness assessment
  • Management questionnaires and checklists to confirm findings
  • Sampling techniques to determine whether process outcomes have (or have not) occurred
  • Management statements corroborated by customers and other assurance sources
  • Staff interviews to assess their knowledge, competency, awareness and behaviors
  • Process, policy and standard operating procedure reviews
  • Process instances and sample data identified, collected and reviewed
  • Sample processes, procedures, meetings and reviews observed and walked through

Leveraging the appropriate assessment techniques developed by the IBM assessment team, in conjunction with DuPont support, the team conducted extensive process management reviews and interviews with internal and external stakeholders. The assessment team confirmed that evidence and artifacts collected from various sources were sufficient and objective, and ensured that the data as a whole were consistent with the requirements of the class and scope of the assessment. The in-depth analysis and validation of the supporting evidence and artifacts were thereafter performed to evaluate if the base management practices existed for the management processes; whether these practices achieved the process purpose and outcomes; and how well or poorly the management processes performed, which led to the establishment of the DuPont process profiles and recommendations for continuous improvement.

Develop and Communicate the Assessment Results

The results of the assessment were analyzed and reported in a detailed assessment report, which included an overall assessment approach and analysis, a determination of the current capability level, key issues (such as observed weaknesses in process capabilities and opportunities for improvement), and recommendations for process improvement. The detailed assessment report was provided to the DuPont assessment sponsor upon completion of the assessment workload. A high-level management summary and executive briefing were also provided in the form of a presentation to the DuPont leadership team. The process capability profiles and improvement road map were also properly established for the assessed management processes, with the key issues analyzed, capability gaps incorporated and target levels provided for respective processes. Figure 3 illustrates the mock-up of the DuPont specific, measurable, actionable, realistic and time-bound (SMART) improvement road map for continuous improvement.
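The level-determination rule described above (attributes at the target level largely or fully achieved, all lower-level attributes fully achieved) and the capability-gap view behind the improvement road map can both be expressed in a few lines. The following is an added illustration, not code from the article or from DuPont or IBM; the attribute names PA1.1 to PA5.2 follow the nine-attribute, five-level structure of the PAM, and the rating profile is constructed.

```python
from typing import Dict, List, Tuple

# Nine process attributes grouped into five capability levels (COBIT 5 PAM).
LEVEL_ATTRIBUTES: Dict[int, Tuple[str, ...]] = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}

# ISO/IEC 15504 achievement scale, lowest to highest:
# N(ot), P(artially), L(argely), F(ully) achieved.
VALID_RATINGS = ("N", "P", "L", "F")


def _rating(ratings: Dict[str, str], attr: str) -> str:
    """An unrated attribute counts as Not achieved; any other value must be N/P/L/F."""
    r = ratings.get(attr, "N")
    if r not in VALID_RATINGS:
        raise ValueError(f"{attr}: invalid rating {r!r}")
    return r


def capability_level(ratings: Dict[str, str]) -> int:
    """Highest level whose own attributes are L or F while every lower level is F."""
    achieved = 0
    for level in range(1, 6):
        own_ok = all(_rating(ratings, a) in ("L", "F") for a in LEVEL_ATTRIBUTES[level])
        lower_ok = all(_rating(ratings, a) == "F"
                       for lower in range(1, level)
                       for a in LEVEL_ATTRIBUTES[lower])
        if not (own_ok and lower_ok):
            break  # the rule fails here, so no higher level can be reached
        achieved = level
    return achieved


def capability_gaps(ratings: Dict[str, str], target: int) -> List[Tuple[str, str, str]]:
    """Attributes that block the target level, as (attribute, current, required)."""
    gaps = []
    for level in range(1, target + 1):
        required = "F" if level < target else "L"  # lower levels F, target level at least L
        for a in LEVEL_ATTRIBUTES[level]:
            current = _rating(ratings, a)
            if VALID_RATINGS.index(current) < VALID_RATINGS.index(required):
                gaps.append((a, current, required))
    return gaps


if __name__ == "__main__":
    # Constructed rating profile for one hypothetical process; target level 3.
    profile = {"PA1.1": "F", "PA2.1": "F", "PA2.2": "L", "PA3.1": "L", "PA3.2": "P"}
    print(capability_level(profile), capability_gaps(profile, 3))
```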


Implement Continuous Improvement Road Map

The continuous improvement of management process capabilities through their life cycle goes beyond simply remediating or mitigating the identified process issues or weaknesses. Rather, continuous improvement efforts need to be closely aligned with enterprise business objectives and risk tolerances and managed holistically across the enterprise with appropriate strategy, priority and resources, using the seven COBIT 5 enablers. The DuPont governance organization ensured that the target capability levels for the processes were set in alignment with the strategic vision and business objectives of IT, balancing optimal business value, risk levels and resource use, and that management execution of the process improvement road map, with defined roles and responsibilities, was performed and governed continually through its life cycle. Figure 4 illustrates the continuous improvement landscape with the seven COBIT 5 enablers.

Conclusion

Businesses have been continually enhancing their process capabilities to address complex and dynamic business challenges. To that end, it is critical to adopt a robust process assessment framework, perform a reliable assessment for internal reporting, and establish a sound and solid basis for capability determination and continual process improvement. Furthermore, it is generally understood that the higher the process capability, the lower the risk of the process failing to meet its intended purpose, and that the higher the capability, the more costly the process is to operate. This case study presents a process capability assessment with the COBIT 5 PAM for a Fortune 500 company. This COBIT 5 PAM assessment has helped DuPont establish appropriate process baselines and a well-balanced SMART improvement road map to continually enhance its information and technology capability for a competitive advantage and fuel business growth for the company. The COBIT 5 PAM is based on an ISO standard for an evidence-based process capability assessment that, if properly implemented, can greatly benefit enterprises of all sizes, whether commercial, not-for-profit or public-sector.

Acknowledgments

The authors wish to recognize Eric Mittnight, Michael T. Clark, John W. Lainhart, Christopher M. Ballister, James L. Golden and Jose Martinez of IBM and Dana F. Ormerod of DuPont for their exceptional contributions to the COBIT 5 PAM assessment at DuPont and the development of this case study.

References

  • International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), 20000:2006, IT Service Management Standard, Switzerland, 2006
  • ISO/IEC, 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2005
  • ISO/IEC, 38500:2008, Corporate Governance of Information Technology Standard, Switzerland, 2008
  • ISACA, COBIT 5, USA, 2012
  • ISACA, COBIT 5 for Assurance, USA, 2013
  • ISACA, COBIT 5: Enabling Process, USA, 2012
  • ISACA, COBIT 5 Implementation, USA, 2012
  • ISACA, COBIT 5 for Information Security, USA, 2013
  • Project Management Institute, Project Management Body of Knowledge (PMBOK2®), USA, 2008

James F. Aliquo Jr., CISA, CRISC
Is the global controls and compliance manager for the information technology and process (ITP) function at DuPont. Aliquo has designed and implemented many of the IT risk processes being used in DuPont’s ITP function. He is a strong proponent of the incorporation of COBIT, more specifically, the maturity modeling aspects and their usefulness in relation to comprehensive process execution and analysis.

Zhiwei Fu, Ph.D., CISA, CRISC, CGEIT, CFE, PMP
Is the senior principal of governance, risk and compliance (GRC) and cybersecurity at IBM Global Business Services. He has an extensive background in designing, implementing and assessing governance and compliance programs and IT controls in various industries and third-party service organizations. He is a renowned researcher and practitioner in business analytics, modeling and optimization, performance measurement, and process improvement, with multiple publications in international journals, book series and conference proceedings.

Endnotes

1 ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013
2 ISACA, COBIT 5 Assessment Programme, USA, 2013
3 ISACA, Assessor Guide: Using COBIT 5, USA, 2013