
Chapter 1: Certified in the Governance of Enterprise IT

Overview
The Certified in the Governance of Enterprise IT certification is for experienced professional
individuals with responsibilities in the governance needs of an enterprise. The certification is based
on the intellectual property of the IT Governance Institute and ISACA.
The exam covers the following disciplines and percentage scope:

IT Governance Framework: 25%
Strategic Alignment: 15%
Value Delivery: 15%
Risk Management: 20%
Resource Management: 13%
Performance Management: 12%

Exam Specifics
CISA Exams are proctored by ISACA. Registration and location information can be found on the
www.isaca.org web site. The exam is administered twice a year: June and December.
Exams are delivered in a secure environment, proctored, and timed.
Specifics about the exam are:

Time Limit: 240 minutes
# of Questions: 120
Question Type: Multiple Choice

Chapter 2: IT Governance Framework

2.1. Organizational Change


Change is a significant, yet essential, activity of business growth and competitive advantage.
Organizational change occurs whenever the overall strategy is changed by the organization and
evolves as the organization evolves through various life cycles. Each element of the business has its
own life cycle and may contribute to the progress of other element life cycles. For instance, the
business life cycle can be impacted by the life cycle of its IT solution. The IT solution, in turn, is
impacted by the life cycles of particular technologies, solutions, and processes.
Within Information Technology, the level of organizational change is dependent on the nature of
the change and the amount of difference from normal operations. A significant strategic change,
such as the adoption of an emerging technology, requires intense focus on organizational change
requirements. Guiding change can range from planned and structured approaches to more organic
methods. Some people view the management of change from the present forward, while others look
to a desired future state and work backwards.

2.1.1. Defining Organizations


To understand the impact and management of organizational change, understanding the
organization is paramount. Each organization has its own systems and structures. Sometimes, the
language and defined roles may be different too, even between departments within a single
organization. In the most basic form, an organization is a person or group of people who have come
together to accomplish a shared goal or set of goals. The goals of the business organization and the
fulfillment of those goals have some common elements:

Vision - an agreement on how the organization should be working.


Mission - defines the overall purpose of the organization.
Values - defines the priorities of the organization which describe character, personality, or
culture of the organization.

Strategic Goals - organizational accomplishments which support the mission.

Strategies - the approaches or activities for fulfilling the organization's strategic goals.

Systems - the distinct operational parts of the organization which perform the duties
required to support the strategies of the organization. In this sense, systems are delineated
by function, such as departments, programs, divisions, business lines, or product lines.

Processes - the plans, policies, and procedures which describe and control the activities of
the systems.

2.1.2. Organizations as Systems


A system is an organized collection of parts working together to accomplish a specific goal. A
system takes in multiple inputs with the intention of producing certain pre-defined outputs. The
various parts of the system have the capability to provide feedback to other parts of the system.
Organizations are considered social systems.
All systems have common elements, such as:

Input - the raw materials, money, technologies, and people provided to the system.

Processes - the alignment and coordination of inputs such that they can be transformed
into a desired output.
Outputs - the tangible results produced by the processes of a system.

Outcomes - another form of output which is not tangible but beneficial to the customer of
the system's process.

Feedback - information on and about the system which serves to improve the system's
performance.

2.1.3. Leadership
Within an organization, a leader is a person who is trusted with setting the direction of the
organization and influencing people. There are several theories surrounding leadership:

Great Man Theory - the concept behind this theory is that leaders are born, not made, and
rise up when a great need presents itself.

Trait Theory - asserts that people are born with inherited traits which are conducive to
leadership roles, specifically noting adaptability to situations, alertness to social
environment, ambitious, assertive, cooperative, decisive, dependability, dominant,
energetic, persistent, self-confident, tolerant, and responsible.

Behavioral Theory - defines leadership as a definable and learnable behavior, focusing
on the activities of a leader rather than the interpretative traits of a person.

Participative Leadership - describes the leader who involves other people in the
decision-making process.

Situational Leadership - describes leadership effectiveness in terms of situational
components, such as the effort by subordinates, the ability of subordinates to perform
work, the organization of the work required, the cooperation and cohesiveness of the group,
availability of resources and support, and external coordination.

Contingency Theory - similar to situational leadership but describes the appropriate
behaviors which should be adopted given a particular situation.

Transactional Leadership - focuses on providing the structure and understanding of
motivation through clearly defined rewards and punishments.

Transformational Leadership - describes the inspiring leader who creates and markets a
vision for the future.

In addition to the theories surrounding leadership and leaders, different people may develop or
adopt a 'style' or approach.

2.1.4. Management
Leadership and management are now considered separate concepts in business. A person may be
a manager, but not a leader; while another person may be a leader, but not a manager. In the
simplest form, leadership is the characteristics embodied by a person from which to influence
others; management is the assigned role or position of the person from which to influence others.

Management concepts focus on four general activities: planning, organizing resources, leading, and
coordination.

2.1.5. Organizational Performance


Organizational change is not a haphazard activity: it is based on the achievement of specified
organizational goals. One class of goal which is of particular interest is the performance of the
organization. Performance describes the consistency, reliability, and stability of a person or group of
people to produce results in the form of products and services useful to customers inside and
outside of the organization. Performance does not focus on the busyness of a person, but on their
ability to produce a return on their work investment. Performance is an important measurement for
the organization, departments, processes, programs, products, systems, projects, and teams.
The following terms are used in the topic of performance management:

Domains - the focus of a performance management effort, such as departments,
processes, and systems.
Results - the specific outputs which are desired from the domain.
Measures - provides the needed information required to assess the accomplishment of
results.
Indicators - specific measures which identify the progress towards a result.

Preferred Goals - defines the overall accomplishments of the organization which are
typically established through strategic planning.

Preferred Results - the descriptions of organizational goals in terms of quantity, quality,
time, and cost.

Aligning Results - specific results to indicate alignment of a domain's goals with the
overall organization's goals.

Weighting Results - a prioritization of the domain's preferred results.

Standards - defines the extent to which the preferred result should be achieved by the
domain.

Performance Plans - the structured activities for achieving results, obtaining alignment
and adopting standards.

Observations - activities focused on identifying and comparing progress to performance
standards and providing feedback towards improvement.

Appraisals - documents the achievement of performance goals.

Rewards - identifies the incentives for meeting or exceeding performance standards.

Performance Gaps - defines the difference between actual performance and desired
performance.

Development Plans - describes the details of the decision that performance required
improvement and the actions required to improve that performance.

2.1.6. Systems Thinking


A systems thinking perspective is a new application to organizational management. It is derived
from a field of study called systems theory, which focuses on understanding specific systems
from the perspective of the whole system; in this case, the organization. The application of systems
theory is performed through systems analysis, of which systems thinking is one tool.
Systems thinking is a paradigm for assisting people in understanding systems from a broad
perspective, including its overall structure, patterns of operations, and cycles. The advantage of
systems thinking is the ability to identify problem areas more quickly. The solutions identified to
overcome these problems can be leveraged to improve the entire system rather than only specific
areas; these are called leverage points.
One evolution of systems theory is chaos theory, where the dynamics of the system are
understood to have order even when no, or little, order is perceived. The effect of chaos theory
is that a small change to one part of the system can cause complex changes in the overall system.

2.1.7. Process Change


Process change is a subset of organizational change, but has a great deal of impact on the
effective management of change in the environment, particularly in respect to continuous process
improvement. Business constructs, such as time, money, and resources may not allow the most
ideal solution to be implemented in the environment, or the business problem the solution
addresses may not be totally understood. The result is that businesses tend to implement partial
solutions and apply specific measurements to understand the effectiveness of the solutions over
time.
As more information becomes available, the solution needs to be adjusted or improved, to better
meet the needs of the business. These improvements typically start with changes in the process, or
the flow of operations from input to desired output.

2.1.8. Cultural Change


Almost all businesses are comprised of people; and with them comes their culture.
Culture can delineate different groups of people across geographies, beliefs, and ages.
Different cultures may be found in different organizations or different business lines in
the same organization. A culture is simply a paradigm formed by the values, beliefs, and
common behaviors of a group. Changes to an organization may require a change to those
values, beliefs, or behaviors.

2.2. Information Technology Governance Framework

2.2.1. Corporate Governance


Corporate governance practices exist in an organization to promote ethical issues, specifically the
ethical corporate behavior by directors or others responsible for the creation and presentation of the
financial wealth of all stakeholders. The OECD defines the practice of corporate governance as "the
distribution of rights and responsibilities among different participants in the corporation, such as
board, managers, shareholders and other stakeholders, and (it) spells out the rules and procedures
for making decisions on corporate affairs. By doing this, it also provides the structure through which
the company objectives are set and the means of attaining those objectives and monitoring
performance."
The framework for corporate governance provides protection to the stakeholders by defining the
responsibilities of the board of directors and establishing rules in managing and reporting business
risks.

2.2.2. IT Governance
IT Governance is a subset of corporate governance which covers the alignment of IT and
enterprise objectives in the areas of:

Information systems

Business, legal and other issues

Stakeholder and management expectations

Technology and communications

IT governance is defined by ITGI as "a structure of relationships and processes to direct and control
the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus
return over IT and its processes." The purpose of IT governance is to ensure IT activities perform well
with respect to:

Alignment of IT with the enterprise

Exploiting opportunities and maximizing benefits of IT

Responsible use of IT resources

Management of IT-related risks

Realization of promised benefits

Controls provide certain assurances that enterprises are governed by accepted best practices.
From an IT perspective, this governance ensures the information and related technology support of
the organization supports the business objectives, resources to meet those objectives, and
appropriate risk management. Executive management will agree on the strategic alignment between
IT and enterprise objectives. IT governance serves this alignment by effectively and efficiently
deploying secure, reliable information and applied technology.
The practice of IT governance is concerned with delivering value to the business from IT and
mitigating IT risks. It is the responsibility of the board of directors and executive management.
The key practices are:

IT strategy committee

IT balanced scorecard

Risk Management

While corporate governance is a set of responsibilities and practices used to provide strategic
direction, IT governance provides a relationship structure and processes for directing and controlling
the enterprise to meet its objectives by balancing risk and return on investment.
Different layers are typically found in the application of IT governance, with supervisors reporting
to managers, who report to executives, who report to the board of directors. Reporting usually
identifies deviations from targets and recommendations for action which must be endorsed by the
governing body. Changes to strategic
direction and goals are communicated in the opposite direction down through the organization. The
process for IT governance can be summarized into five basic steps:

Set Objectives

Provide Direction

Perform IT Activities

Measure Performance

Compare Environment

2.2.3. IT Strategy Committee


The IT strategy committee is created to advise on strategy, IT value, risks, and performance. Its
purpose is to enable IT governance to be incorporated into corporate governance. Strategy
committees are different from steering committees.
Strategy committees are comprised of board members and specialist non-board members. They
have the authority to advise the board and management on the IT strategy. The committee is
delegated by the board to provide input to the strategy and to enable its preparation for approval.
Current and future strategic IT issues are handled at this level. The primary responsibility of the
strategy committee is to provide insight and advice to the board on the following topics:

Business perspective relevance of IT developments

Achievement of strategic IT objectives

Availability of IT resources, skills and infrastructure

Optimization of IT costs

IT investment aspects of risk, return and competitiveness

Status on major IT projects

Alignment of IT and business direction

IT contribution to the business

Exposure and containment of IT risks

Direction based on IT strategy

Drivers and catalysts for IT governance practices.

2.2.4. Standard IT Balanced Scorecard


The standard IT balanced scorecard is a method for assessing IT functions and processes by
supplementing financial information with information about user satisfaction, internal processes and
the ability to innovate. When the balanced scorecard is applied to IT, each of the four perspectives
shown on the scorecard is structured using mission, strategy, and measures.

2.2.5. Information Security Governance


Information security governance is delivered by the Board of Directors and senior executives and
must be integrated with the governance of the enterprise and aligned with IT governance. The
framework consists of leadership, organizational structures, and processes necessary to protect
informational assets. The outcomes of information security governance include:

Alignment of information security with business strategy to meet organizational
objectives.

Implementation of risk management to reduce potential impacts on information
resources.

Implementation of resource management to effectively and efficiently use the knowledge
and infrastructure of information security.

Measuring, monitoring, and reporting of performance metrics related to information
security governance.

Delivery of value in security investments needed to support organizational objectives.

Information security is a management discipline which provides strategic direction of all IT
security activities. The objective of information security management is to protect the interests of
those relying on the data stores, databases and metadata used by the enterprise and on the systems
and communication mediums used to deliver that information, and to provide protection from harm
due to failures in confidentiality, integrity, and availability.
Often referred to as the CIA triad, confidentiality, integrity, and availability are the foundational
pillars of security. IT governance provides the framework for developing these pillars for the purpose
of safeguarding business assets and practices.
Confidentiality refers to the need for information to be saved from disclosure to unauthorized
individuals. Normally, several levels of confidentiality may be found within an organization, ranging
from classified, sensitive, confidential, to protected and public.
Integrity describes the wholeness and completeness of the information without any alteration
except by authorized sources. The integrity of a system has a direct effect on the integrity of the
information on that system. If the system has no integrity, the information cannot be considered
trusted. Integrity is different from confidentiality, in that integrity focuses on one's trust in the
information and not its security.
Availability speaks to the need to access the information when it is needed. Depending on the
information, availability may be restricted to users based on the confidentiality level of the
information. Traditional systems attributed higher integrity to lower availability; however open
sources have demonstrated that higher integrity is often found when greater availability is provided
to the user base.
The security objectives are typically met when:

Information is disclosed to only those individuals who have a right to know.

Information is complete, accurate, and protected against modification from unauthorized
individuals.

Information is available and usable by customers when required and the systems
supporting the provision and delivery of this information can resist and recover from failure
or attack.

Information exchanges and business transactions between enterprises, partners, and
customers can be trusted.

2.3. IT Governance Activities


IT governance efforts are concerned with the delivery of value to the business and the mitigation
of IT risks. Within this scope, five focus areas comprise the general framework of IT governance:
value delivery, risk management, strategic alignment, resource management, and performance
management.
These areas create a continuous life cycle for IT governance and can be entered at any point. The
most common starting point is the strategy and its alignment with the enterprise, followed by the
implementation. On a regular basis, the strategy and actual implementation are compared to identify
gaps. This is particularly important should the strategy or the solution change. After the
comparison is completed, decisions are made to maintain the current direction or change the
direction. The level of change to the direction is dependent on the satisfaction of employees and
customers, competitiveness, and business need. This direction is translated into IT activities which
are performed on a daily basis within the operations of the enterprise or as temporary endeavors
called projects. The performance of these activities is measured to identify areas of improvement
and provide an overview of the implementation. The measurements gathered are used to compare
the strategy against the implemented IT solution and the delivered value of IT.
The strategy developed within IT governance is influenced by several factors:

Stakeholder values

Ethics and culture of the company and community

Laws, regulations, and policies

Enterprise mission, vision, and values

Industry practices.

The IT strategy developed through IT governance will drive the performance of IT processes in
obtaining the necessary resources to deliver value. Each process is responsible for reporting on the
outcomes of the process, the performance of the process, the risks mitigated or accepted in the
environment, and the resources consumed. The purpose of the reports is to ensure the strategy is
being executed properly or further redirection is required.
IT strategic alignment ensures the strategic objectives of the enterprise are in line with the
investments in IT and are building the appropriate capabilities to deliver business need. IT
strategies must be aligned with the strategies of the overall enterprise. The question of strategic
alignment focuses on the current gap and the reduction of that gap in the near future and further
on. Also the operations of IT and the enterprise should be aligned to reduce the level of friction
between teams. Strategically, IT provides the enterprise:

Added value to products and service

Containment of costs

Improvement to administrative efficiency

Increased managerial effectiveness

Aid in competitive positioning

To develop an IT strategy, the enterprise must review:

Business objectives

Costs, risks and benefits of current and future technologies

Capability of IT to deliver current and future services to the businesses

Cost of existing IT solutions

Lessons learned from past failures and successes

Competitive market and landscape

To support strategic objectives, the following elements of the IT environment must be clearly
understood:

Enterprise Strategy

Application Architecture

Technical Infrastructure

Sourcing/Staffing

Funding

Business Functions

Implementation plans should be created for each element; they should be written clearly and
reviewed by the board of directors or a dedicated IT strategy committee representing the board.
IT value focuses on delivery of IT services which are on time, within a defined budget, and meet
the business need as promised. The business perspective of delivering IT value sees the following
elements in place:

Competitive advantage

Customer satisfaction

Customer wait time

Employee productivity

Employee profitability

Order/service fulfillment

When the business sets expectations for an IT deliverable, it generally looks at:

Fit for purpose

Throughput

Response times

Ease of use, resiliency, and security

Integrity, accuracy, and currency of information

Flexibility to handle future growth

IT value can be viewed differently by different users and different levels of management. The
higher the level of management, the further it is from the activities providing actual value.
Thus, measuring the impact of an IT investment is easier at the
bottom of the management hierarchy. The most successful IT investments have a positive impact on
all four levels of the business value hierarchy:

Firm-wide IT Infrastructure

Business Unit Operational

Business Unit Financial

Business Unit IT Applications

Risk management is the capability to protect IT assets against vulnerabilities in the business, IT,
and from disasters. IT governance is especially important in providing the greatest level of risk
management across the enterprise, as enterprise risk comes in many forms. While financial risks
are important, regulators are concerned primarily with operational and systemic risks where
vulnerabilities in technology and information security are prevalent. Enterprise risk is managed by
the board of directors by:

Ascertaining the transparency of significant risks and clarifying the policies on taking and
avoiding risks
Taking final responsibility for risk management, but delegating actions to executive
management with clearly communicated constraints
Promoting the cost-efficiency possibilities of implementing a system of internal controls
Exploiting the competitive advantages derived from transparent and proactive risk
management
Ensuring the implementation of risk management into the operations of the enterprise.

Resource management works to optimize the knowledge and infrastructure of the enterprise
through proper allocation and use of resources available to the enterprise, including people,
applications, technology, facilities, and data. This may require understanding when to use resources
in-house to the enterprise or to outsource resources from a different company. Regardless of where the
resources are obtained, the board of directors still has responsibilities in addressing the investments
in infrastructure and capabilities, particularly:

Responsibilities of IT systems and service procurement

Improving workforce planning and recruitment capabilities

Identifying and addressing the needs for IT education, training and development

Providing the facilities and time appropriate to developing staff

Ability to manage and support IT projects and systems

Performance management monitors IT services and tracks the delivery of project and operations
services. From a business perspective, performance management covers:

Finances

Internal processes

Staff education

Customer satisfaction

The balanced scorecard delivers a quick overview of a business performance in respect to these
four areas.

2.4. Business Drivers


The reasons behind IT governance begin with understanding the importance of IT to the modern
business landscape. IT, in all of its facets, serves to bring a business closer to its customers through
the Internet, or to allow greater communication, collaboration, and partnerships between departments
within an enterprise or across multiple enterprises. IT can continuously monitor business operations
beyond human capabilities, or perform required calculations and simulations which are too complex and
difficult for a single person. Automation can allow redundant and unskilled tasks to be performed
without human intervention, usually at a higher level of quality.
From an enterprise perspective, IT:

Critically supports and enables enterprise goals

Is necessary in understanding the implications of mergers and acquisitions

Provides innovation and growth to the business strategy options

Business drivers are the people, knowledge, and conditions that identify and support efforts for
which the business was designed. The purpose of IT is to support the business. The business
identifies how IT must perform the support.
Despite the importance of IT to the business, understanding and governing IT requires more
technical insight than any other business area. Because of this, IT has historically been handled as a
separate entity to the business. IT solutions can be complex. The purpose of IT governance is to
ensure that the expectations of IT match the actual implementation of IT.
The board typically will set the expectations and communicate them to management.
Management will, in turn, implement IT solutions that will meet those expectations. Higher level
management, such as executive management, will usually address the expectations in the following
ways:

Communicate strategy, policies, and goals in the enterprise

Support IT strategies through effective organizational structures and IT infrastructure

Promote clear accountabilities for risk management across the enterprise

Ensure alignment of enterprise goals and the IT organization

Measures outcomes for business value and competitive advantage to understand
performance

Translates core business competencies into IT support requirements

Improves business values through core IT processes

Focus on core IT competencies related to planning and overseeing management of IT
assets, risks, projects, customer satisfaction, and vendors

Promotes the leveraging of information and knowledge throughout the enterprise

Enforcing technology standardization

Optimizing IT costs to obtain the right value from IT at the most reasonable cost

Create clear external sourcing strategies.

2.5. IT Governance Implementation


When beginning an IT governance initiative, the board of directors must assume ownership of IT
governance and set the required direction for management. This can be done by:

Ensuring that IT topics are on the agenda


Challenging how management activities are utilizing IT, for the purpose of discovering hidden
IT issues

Assisting management in aligning IT initiatives with real business needs

Measuring IT performance

Establishing an IT strategy committee as a communication body between the board and
management

Supporting a management framework for IT governance.

The recommended IT governance process has the following steps in a repeated fashion:
1. Establish a governance organizational framework.
2. Align IT strategy with business goals.
3. Understand and define the risks.
4. Define the process areas critical to managing risk areas.
5. Analyze current capabilities and identify gaps.
6. Develop improvement strategies.
7. Measure results using a balanced scorecard.

2.6. IT Practices, Standards and Frameworks


2.6.1. COBIT (Control Objectives for Information and related Technology)
COBIT is a set of best practices created by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI) to provide a framework for
management of Information Technology. The framework consists of measures, indicators,
processes, and practices used to optimize IT benefits to the business.
COBIT has 34 high-level processes and 214 control objectives modeled within four domains for
governance:

Planning and organization
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquisition and implementation
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Delivery and supporting
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitoring
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Controls
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Version 4.0 of the COBIT package contains the following elements:
Executive Summary
Governance and Control Framework
Control Objectives
Management Guidelines
Implementation Guide
IT Assurance.
2.6.2. Val IT

The IT Governance Institute (ITGI) has created a framework comprising the principles
and processes for IT portfolio management. It complements COBIT by focusing on the
investment decision, while COBIT focuses on the implementation of IT. The principles of
Val IT include:
IT investments are managed as a portfolio.
IT investments include a full scope of activities required to attain business value.
IT investments are managed through their entire economic life cycle.
Different categories of investments are evaluated and managed differently.
Key metrics are defined and monitored by value delivery practices, and any changes or
deviations will receive a quick response.
All stakeholders will be engaged in value delivery practices and appropriate
accountability assigned for delivery of capabilities and realization of benefits to the
business.
Value delivery practices will be monitored, evaluated and improved continuously.
The major processes of Val IT include:
Value Governance
VG1 Ensure informed and committed leadership
VG2 Define and implement processes
VG3 Define roles and responsibilities
VG4 Ensure appropriate and accepted accountability
VG5 Define information requirements
VG6 Establish reporting requirements
VG7 Establish organizational structures
VG8 Establish strategic direction
VG9 Define investment categories
VG10 Determine a target portfolio mix
VG11 Define evaluation criteria by category
Portfolio Management
PM1 Maintain a human resource inventory
PM2 Identify resource requirements
PM3 Perform a gap analysis
PM4 Develop a resource plan
PM5 Monitor resource requirements and utilization
PM6 Establish an investment threshold
PM7 Evaluate the initial program concept business case
PM8 Evaluate and assign a relative score to the program business case
PM9 Create an overall portfolio view
PM10 Make and communicate the investment decision
PM11 Stage-gate (and fund) selected programs
PM12 Re-prioritize the portfolio
PM14 Monitor and report on portfolio performance
Investment Management
IM1 Develop a high-level definition of investment opportunity
IM2 Develop an initial program concept business case
IM3 Develop a clear understanding of candidate programs
IM4 Perform alternatives analysis
IM5 Develop a program plan
IM6 Develop a benefits realization plan
IM7 Identify full life cycle costs and benefits
IM8 Develop a detailed program business case
IM9 Assign clear accountability and ownership
IM10 Initiate, plan and launch the program
IM11 Manage the program
IM12 Manage and track benefits
IM13 Update the business case
IM14 Monitor and report on program performance
IM15 Retire the program.
2.6.3. Information Technology Information Library (ITIL)
ITIL consists of 34 books about the management of IT services to the enterprise.
Created by the Office of Government Commerce in the United Kingdom, the books are
categorized under 5 disciplines - the full scope of ITIL Service Management being:
Service Strategy
Demand Management
IT Financial Management
Supplier Management
Service Design
Service Catalog management
Service Level Management
Risk Management
Capacity Management
Availability Management
IT Service Continuity Management
Information Security Management
Compliance Management
IT Architecture Management
Supplier Management
Service Transition
Service Asset and Configuration Management
Service Validation and testing
Evaluation
Release Management
Change Management
Knowledge Management
Service Operations
Event Management
Incident Management
Problem Management
Request Fulfillment
Access Management
Continual Improvement
Service Level Management
Service Measurement and Reporting
Continual Service Improvement.

2.6.4. Capability Maturity Model Integration (CMMI)


The CMMI is an approach focusing on improving processes to optimize an enterprise's
performance. The approach can be utilized within a project, a division, or throughout the
entire organization. The CMMI was developed by the Software Engineering Institute
(SEI) with the assistance of industry and government experts. Three areas of interest are
addressed by the approach:
Product and service development
Service establishment, management, and delivery
Product and service acquisition.
Two representations of CMMI are found: continuous and staged. The continuous
representation allows specific processes to be focused on for the purpose of meeting
immediate business objectives. The staged representation is designed for a standard
sequence of improvements.
A model framework (CMF) identifies eight process areas:
Requirements Management
Project Monitoring and Control
Project Planning
Configuration Management
Measurements and Analysis
Process and Product Quality assurance
Organizational Process Definition
Causal Analysis.
2.6.5. Projects IN Controlled Environments (PRINCE2)
PRINCE2 is a project management method developed by the Office of Government
Commerce. The method brings to project management a structured approach within a
clearly defined framework. The most recent version of PRINCE2 defines 40 activities
organized under seven processes:
Starting Up a Process
Initiating a Process
Controlling a Stage
Managing Product Delivery
Managing Stage Boundaries
Closing a Project
Directing a Project.
2.6.6. Guide to the Project Management Body of Knowledge (PMBOK)
PMBOK is a project management guide and international standard. Developed by the
Project Management Institute, the guide consists of 42 processes found in five process
groups and nine knowledge areas. A single process will fall into a process group and a
knowledge area. The five process groups are:
Initiating
Planning
Executing
Controlling and Monitoring
Closing.
The nine knowledge areas are:
Project Integration Management
Project Scope Management
Project Time Management
Project Cost Management
Project Quality Management
Project Human Resource Management
Project Communications Management
Project Risk Management
Project Procurement Management.
2.6.7. The Open Group Architecture Framework (TOGAF)
The Open Group Architecture Framework (TOGAF) provides several opportunities for
enterprise architects and IT organizations, including:
An iterative process model supported by best practices
A re-usable set of existing architecture assets
Methods and tools for the acceptance, development, use, and maintenance of enterprise
architecture.
The two primary components of TOGAF are the ADM and Enterprise Continuum. The
Architecture Development Method (ADM) provides a formal approach to developing the
architectural components required to meet the business needs of an enterprise. The
Enterprise Continuum is a framework for supporting the leveraged use of relevant
architecture assets while executing the ADM. It provides a way to categorize architecture
reference material, both from an organization's Architecture Repository and the industry's
relevant reference models.
The structure of the ADM is through phases:
Preliminary
A. Architecture Vision
B. Business Architecture
C. Information Systems Architectures
D. Technology Architectures
E. Opportunities and Solutions
F. Migration Planning
G. Implementation Governance
H. Architecture Change Management
Requirements Management.
Each phase consists of specific steps to be completed to consistently meet the
objectives of the effort.
2.6.8. ISO/IEC 17799/27002
The International Electrotechnical Commission (IEC) published an information security
standard as ISO/IEC 17799. The same document is published by the International
Organization for Standardization as ISO/IEC 27002. The standard contains twelve
sections:
Risk assessment
Security Policy
Organization of information security
Asset management
Human Resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisitions, development and maintenance
Information security incident management
Business Continuity management
Compliance.
2.6.9. Six Sigma
Six Sigma is a business management strategy developed by Motorola. The purpose of
the strategy is to improve the quality of process outputs by minimizing variation
in processing and by identifying and removing the causes of defects or errors. Two
project methodologies are used by Six Sigma projects:
DMAIC
Define - defines the problem, voice of the customer and project goals
Measure - collects relevant data on key aspects of the current processes
Analyze - investigates and verifies cause-and-effect relationships
Improve - optimizes the current process based upon data analysis
Control - corrects any deviations from target before a defect is caused
DMADV
Define - defines design goals consistent with customer requirements and enterprise
strategy
Measure - identifies Critical To Quality characteristics, product capabilities, production
process capabilities, and risks
Analyze - identifies the best design from alternatives
Design - designs details, optimizations, and plans
Verify - ensures the design works and hands over to the process owner(s).

2.6.10. Total Quality Management


Total Quality Management was coined by W. Edwards Deming and is a management strategy for
reducing the number of errors produced during a process, as well as increasing customer satisfaction,
streamlining supply chain management, and improving equipment and employee reliability. The
process of TQM is to improve quality by ensuring that the enterprise conforms to internal
requirements.

2.6.11. Balanced Scorecard


The standard IT balanced scorecard is a method for assessing IT functions and processes by
supplementing financial information with information about user satisfaction, internal processes and
the ability to innovate. When the balanced scorecard is applied to IT, each of the four perspectives
shown on the scorecard is structured using mission, strategy, and measures.

Chapter 3: Strategic Alignment


3.1. IT Strategy Elements
3.1.1. IT Strategies
Strategies are statements describing how information technologies will be used to improve
business processes. Setting strategy involves identifying cost-effective solutions and developing
action plans. A strategic plan will typically provide guidance for three to five years.
In considering the direction that strategies may take, planners must take into account the
demand for IT and the current capacity available from IT. As the demand increases, the capacity
must increase as well. IT demand considers the impact of the strategic direction as described by
objectives and business initiatives. IT capacity is determined based on the requirements in place to
support these objectives and initiatives.

3.1.2. Strategy Committee


The board of directors may create, and is recommended to create, an IT strategy committee.
This committee does not assume the governance accountability of the board, but acts in an advisory
capacity related to:

Providing a business perspective on latest developments in IT

Achieving strategic IT objectives

Identifying the suitability and availability of IT resources, skills, and infrastructures

Optimizing IT costs

The value and scope of external IT outsourcing

The risk, return and competitiveness of IT investments

Progress on major business change projects

The value of IT to the business and stakeholder return

Managing IT risks.

Aligning IT with overall business direction

3.1.3. Steering Committee


Steering committees are comprised of sponsoring executive key users, the CIO, and key advisors
when required. They work with the executive to deliver IT strategies by focusing on implementation
of IT services and technologies and overseeing the daily management of IT service delivery and
project management. The responsibilities of the steering committee include:

Deciding on the overall level of IT cost allocations and spending

Approval of project plans and budgets

Setting priorities and milestones related to projects

Ensures the acquisition and assignment of appropriate resources

Ensures business requirements are met by projects

Ensures delivery of expected value and desired outcomes by projects

Monitors conflicts with resources and priorities

Provides recommendations and change requests to strategic plans

Communicates strategic goals

Contributes to IT governance responsibilities.

Aligns and approves the enterprise's IT architecture

3.1.4. Investment Committee


IT investment committees typically have authority over the consideration, approval and
monitoring of major business change projects involving IT solutions. The purpose of the committee
is to optimize the cost and return of IT projects and the alignment of business and IT. Business
cases are presented to the investment committee for approval before any project begins
implementation. The process for preparing and approving a business case is:

Formulate initial idea

Identify any existing solutions or parallel developments

Determine potential benefits to sharing solution

Determine costs, benefits, time lines, resource requirements

Identify high-level sponsor

Identify requirements for project management and project governance

Business area approval of business case

Submission and presentation to investment committee.

Get general approval for preparation tasks from business areas

The typical agenda for an investment committee is:

Review current state of IT investment portfolio

Discuss changing business or external environmental factors

Discuss learning points from completed projects

Review and provide approval for submitted business cases

Resolve potential conflicts for IT and business resources

Ensure accountability for project delivery and stated benefits.

3.1.5. Policies
Policies are used to communicate the strategic thinking of senior management and business
processes. They are high-level documents which provide the blueprint for a control environment
over the achievement of goals and directives. Corporate policies are meant to set the tone of
business for the entire organization. Individual divisions and departments will define lower-level
policies that are consistent with the corporate policies.
The best approach to developing policies is using a top-down approach, though some
organizations will start with the lower-level policies because their development and implementation
is cost effective and most directly associated to risk assessments. The development of corporate
policies becomes a collaboration of existing lower-level policies and may induce some inconsistency
and conflict between policies.
A schedule should be in place to review all policies regularly. The policies should be updated
whenever new technologies are adopted or significant changes in business processes are made.

3.1.6. Information Security Policy


The most important policy to be created and managed is the Information Security Policy. The
activities of Information Security Management are guided by and concentrate on security policies.
These policies are comprised of an overall Information Security Policy and several underpinning
security policies specific to the individual IT technologies implemented. They cover all aspects of
security and should have the full support and commitment of executive management.
The security policy is designed to aid in the achievement of objectives. Those
objectives are fulfilled when:

Information is disclosed to only those individuals who have a right to know.

Information is complete, accurate, and protected against modification from unauthorized
individuals.

Information is available and usable by customers when required and the systems
supporting the provision and delivery of this information can resist and recover from failure
or attack.

Information exchanges and business transactions between enterprises, partners, and
customers can be trusted.

These policies are the basis for creating an Information Security Management System framework,
which consists of five elements:

Control

Plan

Implement

Evaluate

Maintain.

Control of security relates to the management framework, organization structure, roles and
responsibilities, and documentation required to provide a foundation for other elements of the
framework to succeed.
Planning is any attempt to define and recommend security measures based on the organization's
requirements. These requirements are gathered from the plans, strategies, and risks of the business
and IT services, as well as service level and objective level agreements and compliance to legal
and regulatory agencies. Measures can be proactive or reactive to known threats and vulnerabilities.
They fall into any of the following categories:

Preventive - intended to stop the occurrence of a security incident. Solutions related to
authentication, authorization, identification, and access control are typical examples of
preventive measures.

Reductive - intended to minimize the possible damage resulting from a security incident;
typically consists of regular backups and implementation of contingency plans.

Detective - intended to provide the earliest detection of a security incident possible.
A primary example of a detective measure is virus-checking software.

Repressive - intended to reduce or stop the security incident from occurring again.
Disabling accounts after several sequential failed login attempts is an example of repressive
measures.

Corrective - intended to repair the damage resulting from a security incident. Restoring,
roll-back, and back-out procedures are examples of corrective measures.

These measures eventually are implemented through a set of procedures, tools, and controls
needed to support the Information Security Policy, specifically in the areas of asset accountability
and classifying information. A number of factors determine successful implementation including:

Integration of security policy with business need.

Effective marketing and education of security requirements.

Integrated continuous improvement.

Management justification and support of security procedures.

Continuous evaluation of the implemented measures is required to ensure compliance to security
policy and meeting security requirements. In addition, these evaluations provide regular audits of
the systems and provide information to external auditors and regulators.
Continuous improvement mechanisms are in place to maintain and improve the Information
Security Management System to meet its objectives and ensure the confidentiality, integrity and
availability of information assets.

3.1.7. Procedures
Policies are used to drive the formation of procedures. These documents must be clear, concise,
and detailed. They document business processes and the controls used in the environment. They
translate policies into effective work products. They can be more dynamic than policies and reflect
regular changes in business focus and environment. Embedded into the procedures are the controls
met to fulfill the objectives supported by the policies. The procedures are used by auditors to test
the controls in the environment by determining the difference between actual operational practices
and the practices documented in the procedures.

3.2. Business Scenarios


Business Scenarios are used at various stages of the enterprise architecture to assist in identifying
and understanding business need and linking business requirements to the enterprise architecture.
A business scenario will describe:

Business processes, applications, or set of applications enabled by the architecture

People and computing components executing the scenario

Desired outcomes from proper execution.

Business and technology environment

Used to represent a significant business need or problem and enabling vendors to understand the
value of the architectural solution, business scenarios are 'SMART':

Specific - defining what needs to be done

Measurable - providing clear measures of success

Actionable - determining the elements and plans for the solution

Realistic - solving the problem within the physical reality, time, and cost constraints

Time-bound - clearly stating the expiration of the solution opportunity.

3.2.1. Benefits to Business Scenarios


Using a business scenario ensures that:

The set of requirements addressed by the business scenario can be confirmed as accurate
and leads to better development of the architecture.
The business value for solving the problem is clear.
The relevancy of potential solutions can be determined clearly.

A business scenario is a complete description of a business problem, enabling individual
requirements to be reviewed in relationship to the context of the overall problem.

3.2.2. Business Scenario Process


Creating a business scenario involves:

Identifying, documenting, and ranking problems driving the scenario.


Identifying the business and technical environment of the scenario and documenting in
scenario models.

Identifying and documenting desired objectives.

Identifying the human actors and their role in the business model.

Identifying computer actors and their role in the business model.

Identifying and documenting roles, responsibilities, and measures of success.

Checking for 'fitness-for-purpose'.

The development of business scenarios involves several iterative phases of gathering, analyzing,
and reviewing information contained in the business scenario.
The Gathering phase focuses on collecting information in each of the steps of the process. The
techniques used to collect information will range from research and surveying to quantitative and
qualitative analysis.
The analyzing phase processes and documents the gathered information and models are created
to represent the information. Linkages between key elements of the business scenario are
maintained using matrices related to business processes and its:

Constituencies

Issues

Objectives.

Human and Computer Actors

The Reviewing phase feeds the results of analysis back to the sponsors to gain shared
understanding of the problem and the depth of impact.

3.2.3. Business Scenarios Contents


Documentation of business scenarios contains all important details about the scenario. Content
types are either graphical (models) or descriptive text; in many cases both.
Models capture business and technology views in a graphical form to enable comprehension.
Descriptions capture details in textual form.

3.2.4. Goals and Objectives


The overall goals and objectives for developing an architecture are mapped to business goals and
objectives and provide guidance in developing business scenarios and solutions. Goals and
objectives are SMART.
Below is a list of goals and generic objectives:
Improve Business Process Performance

Increased process throughput

Predictable process costs

Increased re-use of existing processes

Reduced time of sending business information

Decrease Costs

Redundancies and duplication at lower levels of enterprise assets

Decreased reliance on external service providers

Lower costs of maintenance.

Consistent output quality

Improve Business Operations

Increased budget

Decreased time-to-market

Increased quality of services

Improve quality of business information.

Decreased costs

Improve Management Efficiency

Increased business flexibility

Higher quality decisions.

Shorter decision making time

Reduce Risk

Ease of implementation

Decreased real-world safety hazards.

Decreased errors from complex and faulty systems

Improve Effectiveness of IT Organization

Increases rollout of new projects

Lower cost in rolling out new projects

Decreased loss of service continuity during roll-out

Common development

Open system environment

Use of off-the-shelf products

Software re-use

Resource sharing.

Decreased time to rollout

Improve User Productivity

Consistent user interface

Data sharing.

Integrated applications

Improve Portability and Scalability

Portability
Scalability.

Improve Interoperability

Common infrastructure
Standardization.

Increase Vendor Independence

Interchangeable components
Non-proprietary specifications.

Reduce Lifecycle Costs

Reduced duplication

Incremental replacement

Reduced training costs.

Reduced software maintenance costs

Improve Security

Consistent security interfaces for applications

Security independence.

Consistent security interfaces for users

Improve Manageability

Consistent management interface

Reduced operation, administration, and maintenance costs.

3.3. Enterprise IT Architecture


3.3.1. Zachman Framework
Most enterprise architecture projects start with the framework created by John Zachman in the
late 1980s. The framework recognizes that different participants are involved at different stages of
the project. It also identifies different artifacts which convey different aspects of the systems at
increasing levels of details. These artifacts can include:

Diagrams

Data models

Class Models

Code.

Flowcharts

The Zachman framework defines the scope, enterprise model, systems model, technological model,
and documentation to describe different areas of the IT environment:

Strategy

Application

Technology

Organization

Data

Workflow.

3.3.2. Technology-Based Frameworks


Enterprise architecture frameworks that are technology-based focus on simplifying complex
technology options for the business. They aid in determining if and when advanced technical
environments should be used, or how to connect intra-organizational and inter-organizational
systems. The modernization of legacy and ERP systems which rely heavily on technologies is found
in these frameworks.

3.3.3. Process-Based Frameworks


Enterprise architectures which are focused on business processes attempt to understand the
organization as it relates to the value add that the processes provide. The concept enables business
improvement by understanding processes, their distinguishable parts and the technology supporting
them.
Several business models based on these types of architectures have been developed for specific
industries.

3.3.4. Federal Enterprise Architecture


The US Federal government requires its agencies to create enterprise architecture and provide
governance to that structure. The Federal Enterprise Framework is a business and performance
framework dedicated to building collaboration between agencies, transformation and improvements.
There are five reference models in the framework:

Performance

Service

Technical

Data.

Business

3.4. Benefits Management


3.4.1. Business Case
Business cases are used whenever a new development in a new system or an investment in new
technologies is considered. These reports provide compelling information about the idea so that
decisions can be made. Business cases are usually developed in stages. The initial business case
takes on the feasibility of pursuing a specific direction and provides an early assessment of the
problem scope, possible solutions and recommendations. Each solution has a definitive business
case which is used to compare solutions.

3.4.2. Benefits Realization


Benefits to the business are often enabled by technology, but not by accident. Realization of these
benefits occurs by a planned approach that extends beyond the project. In many cases, the
realization doesn't always go as planned. To manage the realization of benefits, the organization
must:

Describe benefits realization as a process.

Establish a system of tracking or measuring the performance.

Document the assumption.

Establishing key responsibilities.

Validating predicted benefits.

Planning the predicted benefits.

Assign a measure and target for the new technology.

3.4.3. Benefits Realization Process


The process for realizing benefits is continuous, starting with an assessment and business case of
the process itself. Lessons learned and studies should be compiled.
Typically, a post-implementation review is performed 6 to 18 months after the implementation.
The length of time before the review allows problems to be worked out and benefits to start accruing
for the solution.
The process is part of project governance and management, allowing business owners to
understand their investments into new solutions.

3.4.4. Stakeholder Management


Stakeholder management provides a discipline for gaining support between architecture
practitioners and benefits the enterprise by:

Identifying powerful stakeholders early for their input to shape the architecture.
Obtaining support from powerful stakeholders to enable more resources to be available
during engagement of architectures.
Early and frequent communications with stakeholders allow better understanding of the
architecture process.
Reaction to architecture models and reports can be more effectively anticipated.

Stakeholder analysis is used in the vision phase to identify the key players in the engagement and
is updated with each subsequent phase of IT governance. The complexity of an architecture can make
it difficult to manage and to obtain agreement from large numbers of stakeholders.
The following concepts can be used to address these issues:

Stakeholders

Views

Viewpoints.

Concerns

3.4.5. Stakeholder Management Process


The process for stakeholder management includes the following steps:

Identify Stakeholders - typically includes senior executives, project organization roles,
client organization roles, system developers, alliance partners, suppliers, IT operations, and
customers impacted by the enterprise architecture project.

Classify Stakeholder Positions - analyzing the stakeholders to determine their readiness
to support the effort.

Determine Stakeholder Management Approach - identifies the direction of the enterprise
architecture effort to engage with the stakeholders that have the greatest power or interest
to successfully support the effort.

Tailor Engagement Deliverables - identify the viewpoints, matrices, and views that need
to be produced to support demonstrating the enterprise architecture's ability to address a
particular stakeholder's concerns.

3.5. Gap Analysis


To validate a developing architecture, gap analysis is used throughout the Architecture
Development Method.
The potential sources of gaps include:

Business Domain

People

Process

Tools

Information

Measurement

Financial

Facilities

Data Domain

Insufficient currency

Missing data

Wrong data

Data availability

Data not created

Data not used

Data relationships

Application domain

Impacted applications

Eliminated applications

Created applications

Technology domain

Impacted technologies

Eliminated technologies

Created technologies.

Chapter 4: Value Delivery


4.1. Defining Value
Value delivery is defined by ITGI as being about executing the value proposition throughout the
delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on
optimizing costs and proving the intrinsic value of IT.
The directors and senior managers of the enterprise are responsible for ensuring the attainment
of stakeholder value from all investments. There are several types of investments available to any
given business environment, including real estate, mergers and acquisitions, and equity
investments. Any activity requiring the use of shareholder funding is considered an investment. The
idea behind an investment is a substantial and calculable return.

4.1.1. IT Investments
Investments in IT have historically provided greater returns on investment than other
opportunities. In many cases, the return is greater than originally proposed; however, actual
realization of the proposed return can be elusive. Some IT investments can be rather disappointing
without proper governance.
To understand the significance of an investment's return, the business and IT must work together
to understand costs and measure value. Business value from IT can be measured and achieved
using four strategies:

Manage business value to maximize benefits in profitability and growth for existing and
future IT investments.

Manage IT budget to enable cost reductions and flexibility to shift funds between
investments, specifically from low-yield investments to competitive high-yield investments.

Manage IT capability to enable sustainable capabilities which are competitive in the
marketplace.

Manage IT as a business to cultivate winning business practices.

4.1.2. Investment Categories


Different investments will yield different anticipated returns and require distinct methods of
governance and management. The META Group identifies three types of investments in IT,
including:

Running the business: investments for maintaining existing operations.

Growing the business: investments for improving efficiency or consolidation for reduction
of costs and increase in competitiveness.

Transforming the business: investments for introducing new business, new markets, or
increase of revenues and profits.

Another recognized set of categories, from Peter Weill of Sloan CISR, is:

Transactional investment: provides IT to process repetitive transactions for the business
in an efficient and cost-reductive manner.

Informational investment: provides management and control of the organization through
systems designed to manage personnel, finances, decision-making, planning,
communication, and accounting.

Strategic investment: designed to add value by improving competitive advantage, new
market entry, or improving revenue streams.

Infrastructure investment: will not generate directly quantifiable financial benefits, but
rather proves beneficial to the business applications built upon the infrastructure.

The purpose of categorization is to enable the enterprise to create and monitor a balanced
portfolio of IT investments and better define risk and return targets for investments. An enterprise
with investments in all categories is deemed healthy and growing. Investments with a higher risk
generally will have a higher return on the investment.

4.2. Project Management Framework


The activities of an organization typically fall into two categories:

Operations: ongoing and repetitive

Projects: temporary and unique.

Projects occur at all levels of the organization. Every project has a definitive beginning and
definitive end, making it temporary. Other aspects of projects being temporary include:

A limited opportunity or market window to create a product or service.

Project teams are built for the sole purpose of performing the project, typically while still
performing operations.

Projects produce a unique product or service. The characteristics of a product or service are
considered progressively elaborated, or proceeding with thorough development in steps.
Project Management is the application of knowledge, skills, tools, and techniques used to meet
stakeholders' needs and expectations.
Needs are loosely defined as identified requirements, while expectations are unidentified
requirements. Meeting, or exceeding, stakeholders' needs and expectations requires balancing
competing demands such as:

Scope

Cost

Quality

Time.

Different stakeholders usually have different needs and expectations.

4.2.1. The PMBOK Framework


The PMBOK framework consists of:

A context
A set of processes.

The context for project management evolves within the environment in which projects operate,
such as the day-to-day activities.

The Project Management Book of Knowledge (PMBOK) presents 37 processes divided among 9
knowledge areas of project management. This collection encompasses the knowledge and best
practices of the discipline.

4.2.2. The Knowledge Areas


Nine areas of knowledge comprise the ideas, concepts, and best practices of project management.
The areas and their corresponding processes include:

Project Integration Management
  o Project Plan Development
  o Project Plan Execution
  o Overall Change Management

Project Scope Management
  o Initiation
  o Scope Planning
  o Scope Definition
  o Scope Verification
  o Scope Change Control

Project Team Management
  o Activity Definition
  o Activity Sequencing
  o Activity Duration Estimating
  o Schedule Development
  o Schedule Control

Project Cost Management
  o Resources Planning
  o Cost Estimating
  o Cost Budgeting
  o Cost Control

Project Quality Management
  o Quality Planning
  o Quality Assurance
  o Quality Control

Project Human Resource Management
  o Organizational Planning
  o Staff Acquisition
  o Team Development

Project Communications Management
  o Communications Planning
  o Information Distribution
  o Performance Reporting
  o Administrative Closure

Project Risk Management
  o Risk Identification
  o Risk Qualification
  o Risk Response Development
  o Risk Response Control

Project Procurement Management
  o Procurement Planning
  o Solicitation Planning
  o Solicitation
  o Source Selection
  o Contract Administration
  o Contract Close-out

4.2.3. Other Management Disciplines


General management describes the activities and resources required to plan, organize, staff,
execute, and control the operations of an ongoing enterprise. Project Management activities often
overlap general management practices.
Application areas are project categories which have common characteristics specific to projects
conducted within the area but not required by all projects. The application areas are defined within:

Technical elements

Industry groups

Management elements

4.2.4. Related Activities


When several projects are coordinated for the purpose of obtaining mutual benefits, the effort is
often considered a program. Programs can be a series of repetitive or cyclical activities. In some
application areas, project management is a subset of program management, or vice versa.
Sometimes, projects need to be divided into manageable components or subprojects. Subprojects
are usually contracted out to an external enterprise or a functional unit in the organization. From an
organizational perspective, subprojects are often considered a provided service, rather than a
product.