You are on page 1of 3

Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

COBITs Management Guidelines Revisited:


The KGIs/KPIs Cascade1
By Wim Van Grembergen and Steven De Haes
To respond to managements need for control and
measurability of information technology, the IT Governance
Institute (ITGI) built on its Control Objectives for Information
and related Technology (COBIT) framework by providing in
2000 the management guidelines.2 The management guidelines
identify for the 34 COBIT IT processes two types of metrics: key
performance indicators (KPIs) and key goal indicators (KGIs).
In this article, the meaning of these metrics will be clarified, a
waterfall of KPIs and KGIs will be proposed and their
relationship with IT and business goals will be explained. The
enhanced metrics and goal concepts explained in this article will
become important knowledge components of the new edition of
COBITCOBIT 4.0which will be released this year.

The Foundation: The Balanced Scorecard


The balanced scorecard (BSC) is a performance
management system that enables businesses, business units
and functional business areas to drive strategies based on goal
definitions, measurement and follow-up. The balanced
scorecard can be applied to IT resulting in four specific
domains: the business contribution perspective capturing the
business value created from IT investments, the user
perspective representing the user evaluation of IT, the
operational excellence perspective evaluating the IT (COBIT)
processes employed to develop and deliver applications, and
the future perspective representing the human and technology
resources needed by IT to deliver its services over time.3
To turn the BSC approach into a management tool, cause
and effect relationships between metrics need to be
established. These relationships are articulated by two key
types of measures: performance drivers and outcome
measures. A well-developed IT BSC contains a good mix of
these two types of measures. Outcome measures such as
programmers productivity (e.g., number of function points per
person per month) without performance drivers such as IT
staff education (e.g., number of educational days per person
per year) do not communicate how the outcomes are to be
achieved. Performance drivers without outcome measures may
lead to significant investment without a measurement
indicating whether the chosen strategy is effective.

Management Guidelines, KGIs and KPIs


In ITGIs Management Guidelines, a key goal indicator is
defined as a measure of what has to be accomplished and by
comparison a key performance indicator a measure of how
well the process is performing. It is also indicated that their
relationship looks for measures of outcome of the goal and for
measures of performance relative to the enablers that will
make it possible for the goal to be achieved. As explained in
Management Guidelines this is the same as the aforementioned
relationship between the outcome measures and performance
drivers of the BSC approach. Key goal indicators and key
performance indicators are exactly the same as outcome
measures and performance drivers. It is important to stress that
they are synonyms because in practice there is a lot of
confusion about KGIs and KPIs. It has to be clear that KGIs
are metrics representing goals and that a distinction has to be
made between KGIs and KPIs, making it possible to express
the cause and effect relationships.

KGI/KPI Cascade
Management Guidelines provides a limited list of possible
KGIs and KPIs for each of the 34 COBIT IT processes, but not
their relationship. In analysing those proposed KGIs
specifically, it appears that these goal metrics are often defined
at different levels: IT process level, IT level and business level.
This insight enables users to define a cascade of metrics with
causal relationships among process KPIs, process KGIs, IT
KGIs and business KGIs as visualised in Figure 1.
Figure 1Causal Relationships at Process,
IT and Business Level
IT/COBIT Process
DS5: Ensure System Security

KPI

KGI

Security
expertise

Number of
incidents
because of
unauthorised
access

Process Level

KPI

KGI
Number of IT
security
incidents

IT Level

KGI

KPI

Number of incidents
causing public
embarrassment

Business Level

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005

The example cascade in figure 1 is applied to the DS5


COBIT process Ensure system security. In the top left rectangle
the KPI/KGI relationship is illustrated for the security process.
Security expertise (process KPI) can be a strategy to decrease
the Number of incidents because of unauthorised access
(process KGI). In the middle rectangle a typical KGI for the IT
level is displayed, Number of security breaches, with as its
corresponding IT KPI, the previously mentioned process KGI,
Number of incidents because of unauthorised access. This
suggests that the KGI of the lower IT process level is now the
KPI of the higher IT level. In the same logic, the IT KGI
becomes a KPI at the business level, driving the business KGI
of Number of incidents causing public embarrassment.
Important to note is that this example is, of course, oversimplified. In practice, multiple KPIs will affect the business
KGIs as is illustrated in figure 2.

KGIs for IT Process Goals,


IT Goals and Business Goals
The previous section introduced KGIs at three levels: process,
IT and business. These KGIs are metrics representing specific
goals on each of those three levels. For example, the business
KGI, Number of incidents causing public embarrassment, can be
one of the metrics referring to a business goal, such as Manage
business risks. Similar examples of goals can be given for IT
KGIs and IT process KGIs.
In the upcoming COBIT 4.0, detailed guidance on those IT
and IT process goals and metrics will be provided as shown in
figure 3. More specifically, for each COBIT process, a list will

Figure 2Multiple KPIs Driving Business KGI

KPI
KPI
KPI
KPI

Process Level

KGI
KPI
KGI
KPI

KGI
KPI

KGI
KPI

KGI
KPI

KGI

IT Level
Business Level

be provided of process goals, with corresponding process goal


KGIs. In figure 3, an example process goal for the COBIT
process Ensure systems security is Minimise the impact of
security vulnerabilities and incidents that can be measured by
number and type of expected and actual access violations. By
extension, these process goals are linked to the IT goals they
enable, such as Maintain the integrity of information and
processing infrastructure, also with corresponding IT goal
KGIs such as Number of systems where security requirements
are not met. Finally, activity goals are listed as enablers for the
process goals, such as Managing user identities and
authorisations in a standardised manner, and supplemented
with corresponding process KPIs such as Number of access

Figure 3: Goals and Metrics of COBIT Process DS5 Ensure Systems Security

Activity Goals
Understanding security requirements,
vulnerabilities and threats
Managing user identities and
authorisations in a standardised manner
Defining security incidents
Testing security regularly

are measured by
Process Key Performance Indicators
# and type of security incidents
# and type of obsolete accounts
# of unauthorised IP addresses, ports and
traffic types denied
% of crytographic keys compromised and
revoked
# of access rights authorised, revoked,
reset or changed

Process Goals
Permit access to critical and sensitive
data to only authorised users.
Identify, monitor and report security
vulnerabilities and incidents.
Detect and resolve unauthorised access to
information, applications and
D infrastructure.
r Minimise the impact of security
i
v vulnerabilities and incidents.
e

are measured by
Process Key Goal Indicators
# and type of suspected and actual access
violations
# of violations in segregation of duties
% of users who do not comply with
password standards
# and type of malicious code prevented

IT Goals
Ensure critical and confidential
information is withheld from those who
should not have access to it.
Ensure automated business transactions
and information exchanges can be trusted.
Maintain the integrity of information and
processing infrastructure.
D
r Account for and protect all IT assets.
i
v Ensure IT services can resist and recover
e
from failures due to error, deliberate attack
or disaster.

are measured by
IT Key Goal Indicators
Time to grant, change and remove access
privileges
# of systems where security requirements
are not met

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005

rights authorised, revoked, reset or changed. This entire


picture offers a complete cascade from key management
practices enabling process goals, which in turn enable IT goals,
each time with corresponding metrics.
As mentioned before, similar tables have been developed for
all COBIT processes. The development of these tables was
preceded by detailed research into the existing KGIs and KPIs
of COBIT, including defining causal relationships between
them, and into business goals and IT goals in eight different
industries.4 The tables were composed by a group of 40
practitioners and academics during a COBIT development
workshop. These tables provide a rich foundation to build a
measurement and management system, in the format of
scorecards, for IT and its processes.

the University of Antwerp Management School (UAMS). Van


Grembergen is engaged in the continuous development of the
COBIT framework. He is also member of the Academic
Relations Task Force of ISACA and is currently conducting
research projects for ITGI on IT governance. Van Grembergen
is a frequent speaker at academic and professional meetings
and conferences and has served in a consulting capacity to a
number of firms. He is a member of the board of directors of
IT companies, including an IT consultancy firm and an IT firm
servicing a Belgian financial group. Recently he established at
UAMS the ITAG Research Institute, which aims to contribute
to the understanding of IT alignment and governance through
research and dissemination of the knowledge via publications,
conferences and seminars. He can be contacted at
wim.vangrembergen@ua.ac.be.

Endnotes
Research funded by ISACA/ITGI
ITGI, COBIT Management Guidelines, 2000
3
Van Grembergen; R. W. Saull; S. De Haes; Linking the IT
Balanced Scorecard to the Business Objectives at a Major
Canadian Financial Group, Journal of Information
Technology Cases and Applications, 2003
Van Grembergen, W.; The Balanced Scorecard and IT
governance, Information Systems Control Journal, 2000
4
Van Grembergen, W.; S. De Haes; J. Moons; Linking
Business Goals to IT Goals and COBIT Processes,
Information Systems Control Journal, volume 4, 2005
1
2

Wim Van Grembergen


is professor and chair of the Information Systems Management
Department at the Economics and Management Faculty of the
University of Antwerp (Belgium) and executive professor at

Steven De Haes
is responsible for the Information Systems Management
executive programs at the University of Antwerp Management
School. He is engaged in research in the domain of IT
governance and conducts research in this capacity for ITGI.
Currently, he is preparing a Ph.D. on the practices and
mechanisms of IT governance. He has published several
articles on IT governance, most recently in the Information
Systems Control Journal, the Journal for Information
Technology Case Studies and Applications (JITCA), and the
proceedings of the Hawaiian International Conference on
System Sciences (HICSS). He can be contacted at
steven.dehaes@ua.ac.be.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005