COBIT 5 and ITIL Adaptation at a Saudi Municipality

The Municipality of Eastern Region (MER) based in Dammam, Saudi Arabia, is a government-owned institution that has been in existence for 50 years. Its main purpose is to serve citizens within the scope of its region.

Some of the most prominent services rendered to citizens are health care, sanitation, water, electricity, roads and schools, among others. These services are provided to 7 million residents. All of the information related to these 7 million citizens is managed by the municipality’s IT department.

Some of the IT services in the municipality are consumed within the municipality (e.g., enterprise resource planning [ERP]) and some are open to the public (e.g., health care, schools, police services). Providing good service to citizens is the main aim of the municipality, and information plays a crucial role. The information may be related to a citizen’s name, age, gender, education, health, housing, sanitation, complaint, personal likes and dislikes, etc.

A massive amount of information is created by the municipality, and managing this information correctly, consistently and efficiently is a challenge. Moreover, language poses one more dimension as some citizens want information in Arabic only and some want the same information presented in English as well.

A massive amount of information is created by the municipality, and managing this information correctly, consistently and efficiently is a challenge.

The municipality has to pay proper attention to, and focus on, information management. The unavailability of information when absolutely needed, or incorrect information even when it’s available, leads to citizens’ frustration, and the municipality cannot take this risk. Information is managed through a list of services that the municipality provides to internal and external users and customers.

Thus, the municipality chose to adapt and implement an enterprise governance and service management framework to bring discipline, structure and an organized approach to information management. In this case, the municipality looked to both COBIT 5 and the Information Technology Infrastructure Library (ITIL).

While the COBIT 5 and ITIL implementation at the Saudi Arabia municipality is still in progress and it is expected that it will take another year or so to complete, this case study will discuss how the COBIT 5 and ITIL adaptation was initiated, its drivers, the approach used and the enablers focused on to provide lessons and details; the approach taken to establish processes; and how the COBIT 5 and ITIL adaptation assisted in the achievement of IT and municipality goals.

The municipality’s IT is led by a chief information officer (CIO). Several departments, such as IT network management, IT infrastructure management and the project management office (PMO), are led by managers who report to the CIO. IT applications are mostly purchased from vendors.

There are several departments, such as legal, tender generation and strategy management, that consume IT services. Every department requires the right type of information to create, edit, modify, store and archive. Hence, it is important that a structured approach based on proven frameworks such as COBIT and ITIL is adopted.

Drivers for Implementing Governance and Service Management Principles

The main drivers for implementing a governance and service management framework were the municipality’s pain points, particularly:

• Lack of business continuity
• IT asset management in need of discipline
• Major incidents causing unavailability of services
• Not enough IT risk management and security management
• Business value creation to stakeholders

Another key driver was to derive value from IT. Money was not an important factor. Because it is a government organization, the only criteria to be met for spending is that any investment needs justification.

Year after year, IT was well funded. However, determining the value generation of IT was a main reason for implementing these frameworks. The goal was to realize a return on investment (ROI) from IT. IT also needed to deliver in a number of areas, including:

• Reduction in incidents
• Number of users who are satisfied with municipal services
• A strategy in place to meet the upcoming challenges as the demand for services increases
• Integration with other municipalities and submunicipalities
• Meeting ongoing compliance
• Risk management

The municipality was eager to implement best practice frameworks; therefore, getting commitment from top management was never an issue. The CIO personally kicked off the project and guided every member to demonstrate the importance of several frameworks and information management.

Implementation Team Formation

For IT to deliver value, it was decided that a best practice framework needed to be implemented. The question was: Who would be the ideal members of this team and who needed to report to whom?

The municipality has 60 IT staff members working in various departments. Figure 1 shows the reporting structure created for implementation.

Figure 1—Framework Implementation Reporting Structure

Source: Govind Kulkarni. Reprinted with permission.

Team preparation, roles and responsibilities included:

• Every member was trained in best practice frameworks; standards; major COBIT 5 Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), and Deliver, Service and Support (DSS) processes; and governance.
• Critical resources were provided training and certification in COBIT 5 at the foundation and implementation levels.
• Critical resources also received ITIL training at the expertise level. The PMO was responsible for weekly tracking of issues, reporting, costing and value delivery.
• The translations team was responsible for converting the processes and other documents into Arabic and guiding the users in the language.
• The implementation team was responsible for overall implementation of best practice frameworks and prioritizing. The implementation team was comprised of process writers.
• The tool team was responsible for converting processes into tools and enabling tool and process mapping as needed.

Assessing the Current Situation

The current situation assessment was completed through a standardized checklist. Meetings and workshops were used as a means to identify weaknesses of IT functioning in major areas over the last 6 months, including:

• IT investments
• IT vision/objectives
• IT strategy for the next 5 years
• IT pain points
• Major IT processes
• Compliance needs

These areas were discussed with IT and, at times, with end users and then documented and shared with all stakeholders. These current-situation assessment documents helped to bring focus and attention to areas of user interest.

Implementation Focus and Strategy

As COBIT 5 mentions, the areas that can be implemented quickly and can provide quick wins while addressing pain points are the ones that need to be implemented in the initial phases. This concept drove the plan for implementation based on current pain points.

The focus of implementation was on the Processes enabler. The process reference model (PRM) was referenced for implementation. Processes selected from the PRM were put in 2 categories, priority 1 and priority 2. Then, the implementation plan was created. Priority 1 and priority 2 process implementation are grouped in phase 1.

Phase 1

Priority 1 processes for implementation include:

• APO02—Manage strategy
• APO05—Manage portfolio
• DSS02—Manage service requests and incidents
• DSS03—Manage problems
• DSS04—Manage continuity
• BAI10—Manage configuration
• BAI06—Manage changes
• BAI04—Manage availability and capacity
• BAI07—Manage change acceptance and transitioning

Priority 2 processes for implementation include:

• BAI08—Manage knowledge
• APO09—Manage service agreements
• APO10—Manage suppliers
• APO08—Manage relationships
• APO13—Manage security

Phase 2

In the second phase (i.e., following implementation of all management processes), the plan is to include governance processes. Hence, this case study highlights only management processes.

After discussions with senior management and the strategy department, an IT strategy was created. The strategy included a short- and long-term (5 years) IT vision aligned with the business vision, a mission statement, and objectives.

Several workshops with users, the IT department and members of the business units were conducted to coach stakeholders on IT strategy and their likely participation, roles and responsibilities.

Implementation Plan Preparation and Project Kickoff

The framework implementation was led like any project, with a specific start date and end date, milestones, and responsibilities. The standard set of tasks listed in figure 2 was to be carried out for each process.

Figure 2—Major Implementation Plan Tasks

Source: Govind Kulkarni. Reprinted with permission.

A yearlong calendar was created and submitted to management. A quarterly review of implementation was scheduled and included weekly status reviews, challenges and replanning activities.

A stakeholder register was also included with details including:

• Name
• Designation
• Department
• Relationship
• Contact details
• How the stakeholder will be engaged in each of the implementation tasks

Process Contents

Every process determined in priority 1 and 2 contains the same basic elements, including:

• Introduction to the process
• Purpose and objectives of the process
• Scope of the process
• Acronyms, definitions and terminologies used in that process
• References used to create process document
• Process policies that need to be adhered to by users and IT
• Value to business
• Methods, techniques and activities
• Escalations
• Service agreements to achieve
• Process statuses
• Key inputs/outputs (I/O) and interfaces with other processes
• Key performance indicators (KPIs) and critical success factors (CFSs) of the process and methods to collect measurements
• Meetings to check status of the process implementation and issues
• Process reporting
• Risk factors, assumptions and challenges

Process requirements were captured during workshops in which discussions, suggestions, disagreements, and pros and cons were worked through to come up with a process document.

Business goals were mapped to process goals in each process, for example:

• Business goal: End user satisfaction needs to be maintained or increased.
• DSS02 Manage service requests and incidents process goal: What is the time taken to respond to and resolve an incident? The earlier an incident is resolved, the more satisfied users will be.

Standard templates for documenting processes were created. The workshop planning as per the following details was created (figure 3).

Figure 3—Workshop Planning

Source: Govind Kulkarni. Reprinted with permission.

Workshop Planning

Participants chose to attend workshop batches based on their convenience.

The workshops:

• Were conducted in batches to educate all users. Thus far, 18 workshops have been conducted.
• Continued even after a process went live
• Concluded with action items for users included in the minutes of each meeting
• Included process and tool integration
• Included a pilot run of the process by users
• Were conducted to explain how to use the process and the tool to users

Key factors realized during process implementation included:

• Training all stakeholders is imperative. Everyone needs to be properly trained to use the tools and processes. Only then will end users use it.
• Effective tool implementation is only possible when stakeholders know both the process and tool features well.
• Workshops are the only means of engaging with stakeholders for implementation.
• Workshops should be focused on the facilitator providing appropriate explanation and, second, on the user putting it into practice. The more practice users have, the higher the adoption rate and the lower need for retraining.
• Workshops must explain the importance of following a process and its policies.
• Workshops must explain the benefits of following a process.
• End users who are not used to following processes will face challenges. Changing their mind-set is facilitated through workshops and allowing them to use the process on their own. A facilitator needs to be part of selling the concept.
• Facilitators must carefully observe who is following and learning in the workshop and who is not.
• Workshops should not last more than half an hour. The first 10 minutes should be spent explaining the agenda and process.
• Workshop achievements and challenges must be conveyed to senior management to get guidance and direction when necessary.
• The concept of providing good service to citizens should always be top of mind for stakeholders.
• All the measurements required must be collected from the tool only. There should be no manual data collection.

Challenges Faced

Process development and implementation were not without challenges and included:

• Interdepartmental barriers (overcome by using workshops)
• Language
• Tool implementation expertise
• Logistics such as travel visas for consultants
• Getting stakeholders together for workshops based on everybody’s availability

Implementation Benefits

Although the implementation is still in progress, much has been achieved and stakeholders see a tremendous improvement in the way they work. Some stakeholders feel that following the process and using the tool effectively helps them do their job better, serve better, track statuses, generate better reports and stay on top of issues.

Regardless of how good the process, incidents cannot be brought to zero, and that is not the goal here, rather responding to incidents and working through them within a time line ensures proper service to users.

For the first time, IT is in the habit of managing problems to reduce recurrence, carrying out risk assessments for critical IT assets, and planning and implementing business continuity. All this ensures that IT is becoming a valuable asset supplying necessary services, and this change is reflected in the satisfaction of users. The results in terms of financial value have yet to be quantified.

Moving forward, other enablers will be implemented one by one. As success continues, the governance processes will be implemented in the coming months and these will ensure that benefits are realized to meet stakeholder needs.

Govind Kulkarni, COBIT5, CSQA, ITIL Expert, PMP

Is an experiences software developer with 2 decades of experience providing IT solutions. He has worked in the entire life cycle of software development and, currently, he conducts training in COBIT 5, ITIL and software testing. Kulkarni has completed consulting assignments for gap analysis, COBIT 5/ITIL implementation, assessments using the ISO 15504 standard and tool customization for clients across the globe. His current interests include business continuity, IT assessment and cost management, scalability and performance optimization of web applications, predictive analytics, and technology areas such as OpenStack and DevOps. He was one of the editors of the book How to Reduce the Cost of Software Testing, published by CRC Press in 2012. He can be reached at Govind.kulkarni@vyomlabs.com or goodgovind1505@gmail.com.