
COBIT® 5 Process Assessment Worksheet

Area: Management Domain: Build, Acquire, and Implement


Process: BAI01 - Manage Programs and Projects

BAI01 – Process Setting


Process Description1
Manage all programs and projects from the investment portfolio in alignment with enterprise strategy and in a coordinated way. Initiate, plan, control, and execute
programs and projects, and close with a post-implementation review.

Process Purpose Statement1


Realize business benefits and reduce the risk of unexpected delays, costs and value erosion by improving communication to and involvement of business and end
users, ensuring the value and quality of project deliverables, and maximizing their contribution to the investment and services portfolio.

Process Objectives1
The objectives of this assessment are to determine that:

• Relevant stakeholders are engaged in the programs and projects.
• The scope and outcomes of programs and projects are viable and aligned with objectives.
• The program and project expected benefits are achieved and accepted.
• The project is completed displaying the quality expectations of the organization.
• Identified risks are managed to achieve project success.

Process Risk Drivers2

• Accreditation and implementation delays
• Confusion and uncertainty caused by different project management approaches within the organization
• Contract disputes with outsourced resources
• Different project management approaches within the organization

1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.


• Disorganized and ineffective approach to project programs
• Failure of projects to meet business and user requirements
• Failure to respond to project issues with optimal and approved decisions
• Gaps in expected and delivered quality within the projects
• Gaps in skills and resources jeopardizing critical project tasks
• Implemented system or changes adversely impact existing systems and infrastructure
• Inability to manage resources
• Inappropriate project prioritization
• Inconsistent tools for project management
• Ineffective and/or inefficient assurance activities
• Ineffective reporting on project progress and unidentified issues
• Inefficient and fragmented approach to quality assurance
• Inefficient use of resources
• Insufficient stakeholder participation in defining requirements and reviewing deliverables
• Lack of alignment of projects to the organization’s vision
• Lack of alignment of projects to the organization's objectives and to other interdependent projects
• Lack of compliance with the organization's reporting structure
• Lack of control over project progress
• Lack of control over project scope, cost and schedule
• Lack of mitigating actions for identified risks
• Loss of focus on customer expectations and business needs
• Lost business focus
• Misalignment of project and program objectives
• Missed opportunities from lessons learned
• Misunderstanding of project objectives and requirements
• Misunderstanding of the impact of this project with other related projects
• Poor utilization of resources

• Project deliverables failing to meet business and user requirements
• Reduced understanding and delivery of business benefits
• Unclear responsibilities and accountabilities for ensuring cost control and project success
• Undetected deviations from the overall project plan
• Undetected deviations from the project plan
• Undetected errors in project planning and budgeting
• Undetected project management weaknesses
• Undetected project risks
• Undetected project show stoppers
• Untrustworthy assurance activities
• Wrong prioritization of projects

BAI01 – Process Goal Assessment


BAI01.01 Management Practice1
Maintain a standard approach for program and project management. Maintain a standard approach for program and project management that enables
governance and management review and decision-making and delivery management activities focused on achieving value and goals (e.g., requirements, risk,
costs, schedule, and quality) for the business in a consistent manner.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.01.01 - Standard Approach

Objective: To determine how IT maintains and enforces a standard approach to program and project management aligned to the enterprise's specific environment and with good practices based on defined processes and uses of appropriate technology.

Assessment steps:

Note: Ensure that the assessment approach covers the full life cycle and disciplines to be followed, including the management of scope, resources, risk, cost, quality, time, communication, stakeholder involvement, procurement, change control, integration and benefit realization.

1. Obtain, determine, and analyze the program management framework to verify:

a) that the framework is adequately designed to assess the aggregated portfolio of IT projects against program objectives
b) that the program specifies required resources, including funding, project managers, project teams, IT resources and business resources, where applicable, and that the program management team assigns accountability for each project, including achieving the benefits, controlling the costs, managing the risks, and coordinating the project activities clearly and unambiguously
c) where accountability is assigned, that such accountability was accepted; there is a clear mandate and scope; and the person accountable has sufficient authority and latitude to act, requisite competence, commensurate resources, clear lines of accountability, an understanding of rights and obligations, and relevant performance measures.

2. Obtain and understand plans, policies and procedures to verify that the program management team:

a) determines the interdependencies of multiple projects in the program
b) develops a schedule for completion that will enable the overall program schedule to be met
c) identifies program stakeholders inside and outside the enterprise
d) establishes appropriate levels of co-ordination, communication and liaison with program stakeholders
e) maintains communication for the duration of the program with program stakeholders

3. Inquire and analyze that, on a regular basis, the program management team:

a) verifies with business management that the current program as designed will meet business requirements, and makes adjustments as necessary
b) reviews progress of individual projects and adjusts the availability of resources, as necessary, to meet schedule milestones
c) evaluates changes in technology and IT markets to determine if adjustments to the program should be made to avoid newly occurring risks, takes advantage of newer and more effective technological solutions, or takes advantage of changes in the market that can lower costs

4. Obtain, determine, and analyze plans, policies and procedures to verify that the project management framework:

a) is consistent with, and an integral component of, the organization’s program management framework
b) includes a change control process for recording, evaluating, communicating and authorizing changes to the project scope
c) is subject to periodic assessment to ensure its ongoing appropriateness in light of changing conditions
d) includes guidance on the role and use of an existing program or project office, or the creation of such a function for a project

BAI01.01.02 - Updates to Approach

Objective: Determine that IT updates the program and project management approach based on lessons learned from its use.

Assessment steps:

1. Obtain any documentation of changes to the approach since the last assessment.

2. Inquire whether and confirm that effective mechanisms exist to track and implement changes in the approach based on formal lessons learned.


BAI01.02 Management Practice1


Initiate a program. Initiate a program to confirm the expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship,
confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program
brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.02.01 - Program Sponsor

Objective: Understand if IT agrees on program sponsorship and has appointed a program board/committee with members who have strategic interest in the program, have responsibility for the investment decision making, will be significantly impacted by the program and will be required to enable delivery of the change.

Assessment steps:

1. Sample a set of projects for review. This should include all disciplines used by the organization (e.g., Waterfall, Agile, etc.).

2. For each project sampled, determine the program sponsorship.

3. Determine if there is a program board/steering committee, and who its participants are, with members who have strategic interest in the program.

4. Determine the extent of the Committee's decision-making power.

BAI01.02.02 - Program Mandate

Objective: Understand if IT confirms the program mandate with sponsors and stakeholders.

Assessment steps:

1. For the projects under review, determine the mandate and confirm this with identified sponsors and stakeholders.

2. Obtain the project charter and outline the strategic objectives the project is supporting, potential strategies for delivery, improvement, and benefits that are expected to result, and how the project fits with other initiatives.

Note: An alternate approach is to get to the heart of how the program sees its strategic fit and the benefits it is to bring to the organization. The following is a generic discussion, as an example, of use with the Agile approach (it may be applied to any approach with some modifications).

A. Agile Value Proposition - https://www.projecttimes.com/robert-galen/agile-value-propositions.html

Definition: A value proposition is a promise of value to be delivered and acknowledged and a belief from the customer that value will be delivered and experienced. The Agile value proposition is one where the project meets project time and scope commitments and delivers business value. The value should be easy when IT brings value by focusing on value.

Inquire of the Agile Project Management Office:

1. Describe what you do to ensure that Agile projects meet project time and scope commitments and deliver business value.

2. What documentation do you produce that shows that value was achieved?

3. What challenges do you face when trying to achieve value?

4. How often do you meet with the business clients to align business expectations with IT delivery in a test of your assumptions of value?

5. Describe a time when assumed value became different than actual value.

6. How much of the work of Agile is rework because things were not done right in the first place? What is in place to prevent this kind of situation?

7. In your implementation of Agile, how do you ensure that value is not just in the eyes of IT but also in the eye of the business?

8. What do you measure to ensure value?

9. Can you think of any recent project that brought no business value?

B. Agile Governance - https://www.cprime.com/tag/agile-governance/

Definition: “Governance” is about decision-making. The term governance refers to a formalized set of meetings and practices whose purpose is to ensure that the right decisions are made about what deliverables to produce, and how to produce them effectively. Agile governance means working on the right things at the right times to meet well-defined objectives that fulfill that mission and vision.

Inquire of the Agile Project Management Office:

1. Describe how you tie the Agile portfolio to the organizational strategy so that you can ensure the organization is accomplishing what it needs to within an Agile framework.

2. To the best of your ability, describe if there is an Agile Portfolio charter. (The portfolio charter defines: (1) what specifically is this portfolio going to accomplish in line with the overall organizational strategic objectives? (2) roles and responsibilities: who is going to be fulfilling the three major roles (portfolio owner, program manager, and area product owner) as well as three additional roles involved in portfolio management (COO, CTO, and CIO)? (3) expectations and requirements of relevant stakeholders; (4) communication requirements.)

3. Describe your project level governance (the work of a single Team). That is, how do you achieve identifying and advocating for specific goals to be reached during each sprint? How do you decide on the goals to achieve? How do you decide if additional goals are needed?

4. What is your approach to controlling multiple related projects in a coordinated fashion (collaboration between Teams)?

5. Describe how you filter down the company’s strategic goals to individual projects to produce tangible results.

6. To what extent do the Scrum Masters understand this link? (They should be in a position to understand and translate the overarching strategic goals of the organization to project managers who may otherwise suffer from tunnel vision.)

7. Describe how ceremonies and artifacts help in Agile project governance. What do they add to the decision-making process to ensure that the right things happen?

8. Describe how you monitor and report on the progress of projects under your oversight.

9. Describe how you monitor and measure individual projects in terms of time, money, and personnel.

BAI01.02.03 - Business Case

Objective: Determine if IT has developed a detailed business case for a program, if warranted.

Assessment steps:

Note: Involve a sample of key stakeholders to develop and document a complete understanding of the expected enterprise outcomes, how they will be measured, the full scope of initiatives required, the risk involved and the impact on all aspects of the enterprise. Identify and assess alternative courses of action to achieve the desired enterprise outcomes.

A. From a sample of SDLC projects and inquiry, determine the extent and quality of the following:

a) From the charter and initial project documentation, determine the detailed business case for the project.
b) From the documentation, detail the understanding of the expected outcomes and how they will be measured.
c) From the project documentation, determine if an initial risk assessment has been performed that outlines the impact on all aspects of the enterprise.
d) Determine if alternate courses of action were identified and assessed.

B. Inquire of the Agile managers how they come to understand who the stakeholders are, how they come to understand and document the expected outcomes, how the outcomes are measured, the scope of the project, and the risks involved. Determine also how alternate courses of action are identified and considered.

BAI01.02.04 - Benefits Realization

Objective: Determine that IT has developed a benefits realization plan that will be managed throughout the program to ensure that planned benefits always have owners and are achieved, sustained and optimized.

Assessment steps:

From a sample of SDLC projects, determine if the project documentation details a benefits realization plan that will be managed throughout the project to ensure that planned benefits always have owners and are achieved.

Note: This will not be available for Agile projects.

BAI01.02.05 - Approval

Objective: Determine if IT has prepared and submitted for in-principle approval the initial (conceptual) program business case, providing essential decision-making information regarding purpose, contribution to business objectives, expected value created, periods, etc.

Assessment steps:

1. From a sample of SDLC projects, determine the approvers for the business case and project charter.

2. Inquire of the Agile managers how stakeholders come to review and approve the work before it is started.

BAI01.02.06 - Dedicated Management

Objective: Understand that IT has appointed a dedicated manager for the program, with the commensurate competencies and skills to manage the program effectively and efficiently.

Assessment steps:

From the sample of projects, determine the identity of the manager for the project and, through inquiry and review, understand their scope of authority.


BAI01.03 Management Practice1


Manage stakeholder engagement. Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all
relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.03.01 - Stakeholders Identified

Objective: Determine that IT plans how stakeholders inside and outside the enterprise will be identified, analyzed, engaged and managed through the life cycle of the projects.

Assessment steps:

From a sample of SDLC projects, determine if stakeholders inside and outside the enterprise have been identified.

BAI01.03.02 - Stakeholder Coordination

Objective: Determine that IT management has identified, engaged and managed stakeholders by establishing and maintaining appropriate levels of coordination, communication and liaison to ensure that they are involved in the program/project.

Assessment steps:

1. From a sample of projects, determine, analyze, and confirm whether:

a) The project management framework provides for commitment and participation by key stakeholders, including management of the affected user department and key end users, in the initiation, definition and authorization of a project
b) Key stakeholder and end-user participation is sought during project initiation and further refined during the project life cycle

2. Based on the sample of Agile projects, inquire of the Agile managers how they get commitment and participation by key stakeholders throughout the Agile process.

BAI01.03.03 - Effectiveness Monitoring

Objective: Understand how IT measures the effectiveness of stakeholder engagement and takes remedial actions, as required.

Assessment steps:

1. From the sample of SDLC projects, analyze project reporting to verify that ongoing involvement includes project approval, project phase approval, project checkpoint reporting, project board representation, project planning, product testing, user training, user procedures documentation and project communication materials development.

2. From inquiries of Agile managers, determine how and when approvals are made during the course of the project and if there are any project communication materials developed.

BAI01.03.04 - Stakeholder Interests

Objective: Determine how IT analyzes stakeholder interests and requirements.

Assessment steps:

From the sample of SDLC projects, determine that stakeholder interests and requirements have been identified.


BAI01.04 Management Practice1


Develop and maintain the program plan. Formulate a program to lay the initial groundwork and to position it for successful execution by formalizing the scope of
the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the program plan and business case
throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to
date.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.04.01 - Program Plan Documentation

Objective: Determine that IT has defined and documented the program plan covering all projects, including what is needed to bring about changes to the enterprise, its image, products and services; business processes; people skills and numbers; relationships with stakeholders, customers, suppliers and others; technology needs; and organizational restructuring required to achieve the program's expected enterprise outcomes.

Assessment steps:

Obtain and analyze the completeness of the SDLC program plan covering all projects, including what is needed to bring about changes to the enterprise, its image, products and services; business processes; people skills and numbers; relationships with stakeholders, customers, suppliers and others; technology needs; and organizational restructuring required to achieve the program's expected enterprise outcomes.

BAI01.04.02 - Project Resources and Skills

Objective: Determine that IT has specified required resources and skills to execute the project, including project managers and project teams as well as business resources.

Assessment steps:

Note: During research, determine and document funding, cost, schedule and inter-dependencies of the multiple projects. Specify the basis for acquiring and assigning component staff members and/or contractors to the project. Define the roles and responsibilities for all team members and other interested parties.

1. From a sample of SDLC projects, determine the extent and quality of the following:

a) if the project plan specifies required resources and skills to execute the project.
b) if there is a schedule of resources divided among independent contractors, employees, and implementation partner staff.

2. Inquire of some Agile managers:

a) if their project plan specifies required resources and skills.
b) if there is a documented resource schedule divided among independent contractors and employees.

BAI01.04.03 - Project Accountability

Objective: Determine that IT has assigned accountability clearly and unambiguously for each project, including achieving benefits, controlling the costs, managing the risk, and coordinating the project activities.

Assessment steps:

From the sample of SDLC projects, determine if there is clear and unambiguous accountability for the selected project, including achieving benefits, controlling the costs, managing the risk, and coordinating the project activities.

BAI01.04.04 - Project Communication

Objective: Determine how IT ensures that there is effective communication of program plans and progress reports amongst all projects and with the overall program, to ensure that any changes made to individual plans are reflected in the other enterprise program plans.

Assessment steps:

1. From the sample of SDLC projects, determine if there is effective communication of plans and progress reports.

2. Inquire of the sample of Agile managers how they communicate their plans and progress reports to relevant stakeholders.

BAI01.04.05 - Plan Maintenance

Objective: Understand that IT maintains the program plan to ensure that it is up to date and reflects alignment with current strategic objectives, actual progress and material changes to outcomes, benefits, costs and risk.

Assessment steps:

Note: Determine that the business drives the objectives and prioritizes the work throughout to ensure that the program as designed will meet enterprise requirements. The business areas responsible should review progress of individual projects and adjust the projects as necessary to meet scheduled milestone releases.

1. Obtain the SDLC and determine if IT maintains it to ensure that it is up to date and reflects alignment with current strategic objectives.

2. On the sample of SDLC projects, determine the extent that the business drives the objectives and helps to prioritize the work to ensure that the program as designed will meet requirements.

3. On the sample of SDLC projects, review progress reports to determine, if applicable, if the project will meet scheduled milestone releases.

BAI01.04.06 - Business Case Update

Objective: Determine that IT updates and maintains, throughout the program's economic life, the business case and a benefit register to identify and define key benefits arising from undertaking the program.

Assessment steps:

For the selected SDLC projects, determine if the project updates the business case, as necessary, and a benefit register to identify and define key benefits arising from undertaking the project.

BAI01.04.07 - Budget

Objective: Understand if IT prepares a program budget that reflects the full economic life cycle costs and the associated financial and non-financial benefits.

Assessment steps:

1. From the sample of SDLC projects, obtain and review the project budget to determine that it reflects the full economic life cycle costs and the associated financial and non-financial benefits.

2. Determine that management has reviewed and approved these cost projections.


BAI01.05 Management Practice1


Launch and execute the program. Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the
program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on
the progress of the program and to be able to make the case for funding up to the following stage-gate or release review.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.05.01 - Stage Reviews
Activity Assessment Objectives: Determine that IT plans, resources, and commissions the necessary projects required to achieve the program results, based on funding review and approvals at each stage-gate review.
Activity Assessment Step(s):
1. For a sample of SDLC projects, determine if there are stage reviews by the Steering Committee and/or stakeholders.
2. Determine what is reviewed during each stage-gate review.
3. Determine what occurs if abnormalities are determined at the review. Obtain any documentation on these abnormalities and their disposition.

BAI01.05.02 - Develop Stages
Activity Assessment Objectives: Determine if IT has established agreed-on stages of the development process (development checkpoints).
Activity Assessment Step(s):
Note: At the end of each stage, the project managers should facilitate formal discussions of approved criteria with the stakeholders. After successful completion of functionality, performance and quality reviews, and before finalizing stage activities, managers should obtain formal approval and sign-off from all stakeholders and the sponsor/business process owner.
For a sample of SDLC projects,
a. Determine, from the available documentation, if there are agreed-on stages of the development process (development checkpoints).
b. During the life of the project and at the end of each stage, determine if there are formally documented discussions of approved criteria with the stakeholders.
c. At the end of the project, determine if and how there is formal approval and sign-off from all stakeholders and the sponsor/business process owners.

BAI01.05.03 - Benefits Realization
Activity Assessment Objectives: Determine if IT undertakes a benefits realization process throughout the program to ensure that planned benefits always have owners and are likely to be achieved, sustained and optimized.
Activity Assessment Step(s):
Note: Project management should monitor benefits delivery and report against performance targets at the stage-gate or iteration and release reviews. They should perform root cause analysis for deviations from the plan, and identify and address any necessary remedial actions.
1. For a sample of SDLC projects,
a. Understand and document if there is a benefits realization process.
b. Determine if the Steering Committee or stakeholders monitor benefits delivery and report against performance targets at stages or iteration and release reviews.
c. Determine if there is root cause analysis performed for deviations from the plan and that this identifies and addresses any necessary remedial actions.
2. From inquiries of Agile managers (and any available documentation), understand how they:
a. Monitor benefits delivery
b. Report performance to stakeholders
c. Perform root cause analysis for deviations from the plan
d. Identify, track, and address remedial actions.

BAI01.05.04 - Value Focus
Activity Assessment Objectives: Determine that IT manages each program or project to ensure that decision making and delivery activities are focused on value by achieving benefits for the business and goals in a consistent manner, addressing risk and achieving stakeholder requirements.
Activity Assessment Step(s): For the sample of projects being reviewed, determine if and how the project ensures that decision making and delivery activities are focused on value by achieving benefits for the business and goals in a consistent manner, addressing risk, and achieving stakeholder requirements.

BAI01.05.05 - PMO Setup
Activity Assessment Objectives: Understand that IT sets up program/project management office(s) and plans assessments, quality reviews, phase/stage gate reviews and reviews of realized benefits.
Activity Assessment Step(s): Document if IT/the project has set up program/project management office(s) and plans quality reviews, phase/stage gate reviews, and reviews of realized benefits.

BAI01.06 Management Practice1


Monitor, control and report on the program outcomes. Monitor and control program (solution delivery) and enterprise (value/outcome) performance against
plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.06.01 - Performance Control
Activity Assessment Objectives: Understand if IT monitors and controls the performance of the overall program and the projects within the program, including contributions of the business and IT to the projects, and reports in a timely, complete and accurate fashion.
Activity Assessment Step(s):
Note: Reporting may include schedule, funding, functionality, user satisfaction, internal controls and acceptance of accountabilities.
1. Determine how IT monitors and controls the performance of the overall program and the projects within the program.
2. Determine if reporting includes, potentially, schedule, funding, functionality, user satisfaction, internal controls and acceptance of accountabilities.

BAI01.06.02 - Monitor Against Strategies and Goals
Activity Assessment Objectives: Determine that IT monitors and controls performance against enterprise and IT strategies and goals, and reports to management on enterprise changes implemented, benefits realized against the benefits realization plan, and the adequacy of the benefits realization process.
Activity Assessment Step(s): Determine, analyze, and confirm that the IT program, project governance, and management frameworks include key IT project performance criteria, including scope, schedule, quality, cost and level of risk.

BAI01.06.03 - Monitor Services and Resources
Activity Assessment Objectives: Determine that IT monitors and controls IT services, assets and resources created or changed because of the program.
Activity Assessment Step(s): Through inquiry and review of available documentation:
1. Determine how IT monitors and controls IT services, assets and resources created or changed because of the program.
2. Understand if reports to management pertain to performance levels, sustained service delivery, and contribution to value.

BAI01.06.04 - Program Performance Against Criteria
Activity Assessment Objectives: Understand how IT manages program performance against key criteria (e.g., scope, schedule, quality, benefits realization, costs, risk, and velocity), identifies deviations from the plan and takes timely remedial action when required.
Activity Assessment Step(s): Through inquiry and review of available documentation, determine if IT manages program performance against key criteria (e.g., scope, schedule, quality, benefits realization, costs, risk, and velocity), identifies deviations from the plan and takes timely remedial action when required.

BAI01.06.05 - Monitor Capability Delivery
Activity Assessment Objectives: Understand how IT monitors individual project performance related to delivery of the expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance.
Activity Assessment Step(s): Through inquiry and review of available documentation, determine if and how IT monitors individual project performance related to delivery of the expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance.

BAI01.06.06 - IT Portfolio Updates
Activity Assessment Objectives: Understand if IT updates operational IT portfolios reflecting changes that result from the program in the relevant IT service, asset or resource portfolios.
Activity Assessment Step(s): Through inquiry and review of available documentation, determine if and how IT updates operational IT portfolios reflecting changes that result from the program in the relevant IT service, asset or resource portfolios.

BAI01.06.07 - Progress Reports
Activity Assessment Objectives: Determine, in accordance with stage-gate, release or iteration review criteria, that IT undertakes reviews to report on the progress of the program so that management can make go/no-go or adjustment decisions and approve further funding up to the following stage-gate, release or iteration.
Activity Assessment Step(s): Review a sample of baseline project plans to determine if the IT program management team recommends, implements, and monitors remedial action when required. The plans should be in line with the program and project governance framework.

BAI01.07 Management Practice1


Start up and initiate projects within a program. Define and document the nature and scope of the project to confirm and develop amongst stakeholders a
common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally
approved by the program and project sponsors.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.07.01 - Written Stakeholder Statement
Activity Assessment Objectives: To create a common understanding of project scope among stakeholders, determine that IT provides to the stakeholders a clear written statement defining the nature, scope, and benefit of every project.
Activity Assessment Step(s):
1. Inquire of SDLC project managers to determine if IT creates a common understanding of project scope among stakeholders and the process of providing to the stakeholders a clear written statement defining the nature, scope and benefit of every project.
2. Obtain and review any documentation related to this activity.

BAI01.07.02 - Sponsors With Authority
Activity Assessment Objectives: Understand how IT ensures that each project has one or more sponsors with sufficient authority to manage execution of the project within the overall program.
Activity Assessment Step(s):
1. Inquire of a group of SDLC managers if and how IT ensures that each project has one or more sponsors with sufficient authority to manage execution of the project.
2. Obtain and review any documentation related to this activity.

BAI01.07.03 - Stakeholder Requirement Agreement
Activity Assessment Objectives: Understand how IT ensures that key stakeholders and sponsors within the enterprise and IT agree on and accept the requirements for the project, including definition of project success (acceptance) criteria and key performance indicators (KPIs).
Activity Assessment Step(s):
1. Inquire of a group of SDLC managers how IT ensures that key stakeholders, sponsors and IT agree on and accept the requirements for the project, including definition of project success (acceptance) criteria and key performance indicators (KPIs).
2. Obtain and review any documentation related to this activity.

BAI01.07.04 - Communication Plan Requirements
Activity Assessment Objectives: Understand how IT ensures that the project definition describes the requirements for a communication plan that identifies internal and external project communications.
Activity Assessment Step(s):
1. Inquire of a group of SDLC managers if IT ensures that the project definition describes the requirements for a communication plan that identifies internal and external project communications.
2. Obtain and review any documentation related to this activity.

BAI01.07.05 - Project Definition Maintenance
Activity Assessment Objectives: Determine that IT, with the approval of stakeholders, maintains the project definition throughout the project, reflecting changing requirements.
Activity Assessment Step(s):
1. Inquire of a group of SDLC managers how IT, when necessary and with the approval of stakeholders, maintains the project definition throughout the project, reflecting changing requirements.
2. Obtain and review any documentation related to this activity.

BAI01.07.06 - Phase Reviews and Reporting
Activity Assessment Objectives: To track the execution of a project, determine that IT has put in place mechanisms such as regular reporting and stage-gate, release, or phase reviews in a timely manner with appropriate approval.
Activity Assessment Step(s):
1. Inquire of SDLC managers if IT, to track the execution of a project, puts into place mechanisms such as regular reporting and stage-gate, release or phase reviews in a timely manner with appropriate approval.
2. Obtain and review any documentation related to this activity.

BAI01.08 Management Practice1


Plan projects. Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control
throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.08.01 - Progressive Project Control
Activity Assessment Objectives: Understand that IT develops a project plan that provides information to enable management to control project progress progressively.
Activity Assessment Step(s):
Note: The plan should include details of project deliverables and acceptance criteria, required internal and external resources and responsibilities, clear work breakdowns, estimates of resources required, milestones/release plans/phases, key dependencies, and identification of a critical path.
From a sample of SDLC project documentation, determine and analyze plans, policies and procedures to verify that the integrated project plan provides information to permit management to control project progress and that the plan includes:
1. a statement of scope,
2. details of project products and deliverables,
3. required resources and responsibilities,
4. clear work breakdown structures and work packages,
5. estimates of resources required,
6. milestones,
7. key dependencies, and
8. identification of a critical path.

BAI01.08.02 - Changes
Activity Assessment Objectives: Understand that IT maintains the project plan and any dependent plans (e.g. risk plan, quality plan, benefits realization plan) to ensure that they are up to date and reflect actual progress and approved material changes.
Activity Assessment Step(s): From a sample of SDLC project documentation, understand whether dependent plans are updated with the agreement of the plan owner to reflect the actual progress and material changes from master project plan checkpoints.

BAI01.08.03 - Communications
Activity Assessment Objectives: Understand how IT ensures that there is effective communication of the project plans and progress reports amongst all projects and with the overall program.
Activity Assessment Step(s): From a sample of SDLC projects, analyze whether and confirm that the project plan includes a communication plan that addresses changes and status reporting to key stakeholders.

BAI01.08.04 - Inter-Project Communications
Activity Assessment Objectives: Determine that IT understands the activities, interdependencies and required collaboration and communication among multiple projects within a program.
Activity Assessment Step(s): From a sample of SDLC project documentation,
1. Determine and analyze whether and confirm that resource needs are identified for the project and appropriate roles and responsibilities are clearly mapped out, with escalation and decision-making authorities agreed to and understood.
2. Determine the activities, interdependencies and required collaboration and communication among multiple projects within a program.

BAI01.08.05 - Milestone Deliverables
Activity Assessment Objectives: Determine if IT ensures that each milestone is accompanied by a significant deliverable requiring review and sign-off.
Activity Assessment Step(s):
1. Inquire of both Agile and SDLC managers whether each milestone requires review and sign-off.
2. Obtain, review, and analyze samples of these items.

BAI01.08.06 - Project Baseline
Activity Assessment Objectives: Determine that IT establishes a project baseline (e.g. costs, schedule, scope, quality) that is appropriately reviewed, approved, and incorporated into the integrated project plan.
Activity Assessment Step(s):
1. For selected SDLC projects, understand that IT has established a project baseline (e.g. costs, schedule, scope, quality) that is appropriately reviewed, approved, and incorporated into the integrated project plan.
2. Obtain examples of these items and determine their completeness.

BAI01.09 Management Practice1


Manage program and project quality. Prepare and execute a quality management plan, processes and practices, aligned with the QMS that describes the
program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then
incorporated into the integrated program and project plans.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.09.01 - Assurance Tasks and Practices
Activity Assessment Objectives: Understand if and how IT identifies assurance tasks and practices required to support the accreditation of new or modified systems during program and project planning and includes them in the integrated plans.
Activity Assessment Step(s):
Note: Ensure that the tasks provide assurance that internal controls and security solutions meet the defined requirements.
Determine and analyze plans, policies, and procedures to verify that the quality plan clearly identifies ownership/responsibilities, processes and metrics to provide quality assurance of the project deliverables that make up the project quality system.

BAI01.09.02 - Quality Assurance
Activity Assessment Objectives: To provide quality assurance for the project deliverables, understand that IT identifies ownership and responsibilities, quality review process, success criteria and performance metrics.
Activity Assessment Step(s): Determine that IT, to provide quality assurance for the project deliverables, identifies ownership and responsibilities, quality review process, success criteria and performance metrics.

BAI01.09.03 - Independent Validation
Activity Assessment Objectives: Determine that IT defines any requirements for independent validation and verification of the quality of deliverables in the plan.
Activity Assessment Step(s): Understand plans, policies and procedures to verify that the quality plan outlines the requirements, where appropriate, for independent validation and verification of the business and technical solution.

BAI01.09.04 - QA and Controls In line With QMS
Activity Assessment Objectives: Understand if IT performs quality assurance and control activities in accordance with the quality management plan and QMS (should they exist).
Activity Assessment Step(s): Understand that IT performs quality assurance and control activities in accordance with the quality management plan and QMS.

BAI01.10 Management Practice1


Manage program and project risk. Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning,
identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program
and project management should be established and centrally recorded.

Activity Title1 | Activity Assessment Objectives1 | Activity Assessment Step(s)2

BAI01.10.01 - Risk Management Approach
Activity Assessment Objectives: Understand if IT has established a formal project risk management approach aligned with the ERM framework.
Activity Assessment Step(s):
Note: Determine that the approach includes identifying, analyzing, responding to, mitigating, monitoring, and controlling risk.
1. Inquire of both Agile and SDLC project managers to determine whether and confirm that a formal project risk management framework has been established.
2. Obtain, if possible, the documentation of each risk management program.

Note:

There is no definite consensus on the need for risk management within the Agile method. This has led many to believe that risk management is irrelevant in an iterative model. Some follow the approach of ignoring risks until they manifest into issues; they then manage them through the natural sprint progression. Ideally, it's better to manage risks proactively in Agile.

Fundamentally speaking, risk is something that may occur and cause unexpected or unanticipated outcomes. Bear in mind that the outcome may have a positive or a negative effect. A positive effect is an opportunity, while a negative effect is a threat. This is distinct from an issue, which is an unexpected or unanticipated outcome that has already occurred. As there is a probability aspect attached to risk, its exact occurrence is unknown but does fall within the limits of the project. Because of this, managing risks may not seem to fit naturally into the Agile context.

Traditional project management techniques would recommend an objectives register with identified risks that would prevent the objective from being achieved. This will allow management to monitor for managing and controlling risks to objectives. A simple register with concise information is best. Too many fields in a register complicate the process and its administration. A simple register should consist of the following attributes:

1. A project objective
2. An identified risk
3. A description of the risk: A one- or two-line overview of the risk. It should be simple and easy to comprehend.
4. Date identified: Date when the risk was identified.
5. Likelihood: Estimated probability of occurrence of the risk.
6. Severity: The severity of the risk is assessed based on impact of the undesired outcome.
7. Priority (optional): This could be either given an independent value or set as a product of likelihood and severity (above). A high-severity risk with a high likelihood should receive more importance than a high-severity risk with a low likelihood.
8. Owner: The person who manages, controls, and takes action in response to the risk.
9. Action: The response defined to manage/control the risk.
10. Status: Indicates whether the risk is open or closed or being monitored.

It is imperative that the register be made available for the team so that it can be managed and monitored collaboratively. At every sprint meeting, the register must be reviewed and updated with any new information obtained over the sprint. This way, risk management becomes an integral part of Agile.
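The register attributes listed in the note above, carried into working code so an assessor can see what "reviewed and updated at every sprint meeting" looks like in practice. This is an added example and is not part of the COBIT 5 worksheet or the assessment program; it assumes a 1-to-5 scale for likelihood and severity, the three status values named in the note, and constructed sample entries for a hypothetical portal project. It also shows the priority rule from attribute 7: two risks of equal severity are ranked by likelihood, and an entry with no owner is flagged as incomplete.

```python
"""Project risk register with the attributes listed in the note above.

Added example, not part of the COBIT 5 worksheet or the assessment program.
Assumptions: likelihood and severity use a 1..5 scale, status is one of
open/monitoring/closed, and all sample entries are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

OPEN, MONITORING, CLOSED = "open", "monitoring", "closed"
STATUSES = (OPEN, MONITORING, CLOSED)


@dataclass
class Risk:
    objective: str          # 1. project objective the risk threatens
    risk: str               # 2. identified risk (short name, used as the key)
    description: str        # 3. one- or two-line overview
    date_identified: date   # 4. date identified
    likelihood: int         # 5. 1 (rare) .. 5 (almost certain), assumed scale
    severity: int           # 6. 1 (negligible) .. 5 (severe), assumed scale
    owner: str              # 8. person who manages and acts on the risk
    action: str             # 9. response defined to manage/control the risk
    status: str = OPEN      # 10. open, monitoring or closed
    priority_override: Optional[int] = None  # 7. optional independent priority

    def __post_init__(self) -> None:
        for name in ("likelihood", "severity"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")

    @property
    def priority(self) -> int:
        """Product of likelihood and severity unless an independent value was given."""
        if self.priority_override is not None:
            return self.priority_override
        return self.likelihood * self.severity


class RiskRegister:
    def __init__(self) -> None:
        self._risks: List[Risk] = []

    def add(self, risk: Risk) -> Risk:
        self._risks.append(risk)
        return risk

    def update(self, name: str, **changes) -> Risk:
        """Record new information obtained during a sprint and re-validate the entry."""
        for r in self._risks:
            if r.risk == name:
                for key, value in changes.items():
                    setattr(r, key, value)
                r.__post_init__()
                return r
        raise KeyError(name)

    def active(self) -> List[Risk]:
        """Open and monitored risks, highest priority first, oldest first on ties."""
        return sorted((r for r in self._risks if r.status != CLOSED),
                      key=lambda r: (-r.priority, r.date_identified))

    def sprint_review(self) -> Dict[str, object]:
        """What the sprint meeting should look at first, and which entries lack an owner or action."""
        active = self.active()
        return {
            "counts": {s: sum(1 for r in self._risks if r.status == s) for s in STATUSES},
            "ordered": [r.risk for r in active],
            "top": active[0].risk if active else None,
            "incomplete": [r.risk for r in active if not (r.owner.strip() and r.action.strip())],
        }


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for a hypothetical portal project."""
    reg = RiskRegister()
    q3 = "Release customer portal by end of Q3"
    # Two high-severity risks: the likelier one must rank first (attribute 7).
    reg.add(Risk(q3, "Auth library end-of-life", "Authentication library leaves support mid-project.",
                 date(2024, 3, 4), 4, 5, "Security lead", "Migrate to supported release in sprint 3"))
    reg.add(Risk(q3, "Partner API rate limits", "Sandbox quota may block integration tests.",
                 date(2024, 3, 11), 2, 5, "Integration lead", "Request quota increase", MONITORING))
    reg.add(Risk("Stay within approved budget", "Cloud spend overrun", "Usage-based charges may exceed estimate.",
                 date(2024, 3, 18), 3, 3, "Project manager", "Enable spend alerts"))
    # Missing owner: the review must flag this entry as incomplete.
    reg.add(Risk(q3, "Pen test findings late", "Findings may arrive too late to fix before release.",
                 date(2024, 3, 25), 3, 2, "", "Schedule the test two sprints before release"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    register.update("Cloud spend overrun", status=CLOSED)  # alerts are in place after this sprint
    for key, value in register.sprint_review().items():
        print(f"{key}: {value}")
```

The `sprint_review` output is what the assessor would expect to see evidence of at each sprint meeting: the ranked list of live risks, the counts by status, and any entry that cannot be acted on because it has no owner or no defined action.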

BAI01.10.02 - Risk Process Oversight
Activity Assessment Objectives: Understand if IT assigns to appropriately skilled personnel the responsibility for executing the enterprise's project risk management process within a project and ensuring that this is incorporated into the solution development practices.
Activity Assessment Step(s): Inquire of both Agile and SDLC project managers, if a formal risk management framework exists, to determine and analyze
a) plans, policies and procedures to verify that responsibility for executing the organization’s project risk management framework within a project is clearly assigned to an appropriately skilled individual.
b) plans, policies and procedures to verify that this role may be performed by the project manager or delegated by the project manager to another member of the project team.
Consider allocating this role to an independent team, especially if an objective viewpoint is required or the project is considered critical.

BAI01.10.03 - Risk Assessment
Activity Assessment Objectives: Determine that IT performs the project risk assessment by identifying and quantifying risk continuously throughout the project.
Activity Assessment Step(s):
Note: Project management should manage and communicate the risk appropriately within the project governance structure.
From the sample of all projects, if a formal risk management framework exists, determine and analyze whether and confirm that a project risk assessment was performed to identify project risks and issues.

BAI01.10.04 - Reapply Risk Assessment
Activity Assessment Objectives: Understand if IT reassesses project risk periodically, including at initiation of each major project phase and as part of major change request assessments.
Activity Assessment Step(s): From the sample of projects, if a formal risk management framework exists, determine and analyze whether and confirm that project risks are reassessed periodically, including at entry into each major project phase and as part of major change request assessments.

BAI01.10.05 - Risk Owners
Activity Assessment Objectives: Determine that IT identifies owners for actions to avoid, accept or mitigate risk.
Activity Assessment Step(s): From the sample of projects, if a formal risk management framework exists, determine and analyze documentation to verify that risk and issue owners are identified; actions for risk avoidance, acceptance or mitigation (i.e., contingency plan) are identified for these risks; corrective actions are assigned to owners; cost implications are considered; and actions are managed to agreed-upon action due dates.

BAI01.10.06 - Project Risk Register
Activity Assessment Objectives: Understand that IT maintains and reviews a project risk register of all potential project risk, and a risk mitigation log of all project issues and their resolution.
Activity Assessment Step(s):
Note: PMs should analyze the log periodically for trends and recurring problems to ensure that root causes are corrected.
From the sample of projects, if a formal risk management framework exists, determine and analyze whether and confirm that a project risk log and a project issues log are maintained and reviewed regularly.

BAI01.11 Management Practice1


Monitor and control projects. Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any
deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.

Activity Title1 Activity Assessment Activity Assessment Step(s)2


Objectives1
BAI01.11.01 - Project Determine that IT has From inquiries of project managers and a review of a sample of projects, determine if IT
Criteria established and uses a set of establishes and uses a set of project criteria including, but not limited to, scope, schedule,
project criteria including, but not quality, cost and level of risk.
limited to, scope, schedule,
quality, cost and level of risk.
BAI01.11.02 - Performance Understand how IT measures 1. From inquiries of project managers and a review of a sample of projects, determine if and
Measurement project performance against key how IT measures project performance against key project performance criteria.
project performance criteria.
2. Analyze deviations from established key project performance criteria for cause, and assess
positive and negative effects on the program and its component projects.
BAI01.11.03 - Stakeholder Determine if and how IT reports From inquiries of project managers and a review of a sample of projects, determine if IT
Progress Reports to identified key stakeholders provides reports to identified key stakeholders project progress within the program, deviations
project progress within the from established key project performance criteria, and potential positive and negative effects on
program, deviations from the program and its component projects.
established key project
performance criteria, and
potential positive and negative
effects on the program and its
component projects.
BAI01.11.04 - Program Change Review
Assessment Objective: Determine that IT monitors changes to the program and reviews existing key project performance criteria to determine whether they still represent valid measures of progress.
Assessment Step(s):
1. From inquiries of project managers, determine and confirm that a change control process exists to manage, assess, justify and approve project changes. Assess the appropriateness of the change request as part of the process.
2. Select a sample of project change requests to determine whether they are initiated by designated individuals and contain a complete description of the change, associated risks and expected benefits.
3. For a sample of projects, determine and confirm that the program and project plan and documentation are updated for approved changes.
BAI01.11.05 - Change Approval
Assessment Objective: Understand if and how IT documents and submits any necessary changes to the program’s key stakeholders for their approval before adoption.
Assessment Step(s): From the sample of projects, determine that IT documents and submits any necessary changes to the program’s key stakeholders for their approval before adoption.

BAI01.11.06 - Remedial Actions
Assessment Objective: Determine if IT recommends and monitors remedial action, when required, in line with the program and project governance framework.
Assessment Step(s): From inquiries of project managers and from the sample of projects, determine that IT recommends and monitors remedial action, when required, in line with the program and project governance framework.

BAI01.11.07 - Iteration Deliverables Approval
Assessment Objective: Understand that IT gains approval and sign-off on the deliverables produced in each iteration, release or project phase from designated managers and users in the affected business and IT functions.
Assessment Step(s): From inquiries of project managers and a review of a sample of projects, determine if IT gains approval and sign-off on the deliverables produced in each iteration, release or project phase from designated managers and users in the affected business and IT functions.
BAI01.11.08 - Acceptance Criteria
Assessment Objective: Determine that IT bases the approval process on clearly defined acceptance criteria agreed on by key stakeholders prior to work commencing on the project phase or iteration deliverable.
Assessment Step(s): From inquiries of project managers, determine if IT bases its approval process on clearly defined acceptance criteria agreed on by key stakeholders prior to work commencing on the project phase or iteration deliverable.
BAI01.11.09 - Stage Assessment
Assessment Objective: Determine if IT assesses the project at agreed-on major stage-gates, releases or iterations and makes formal go/no-go decisions based on predetermined critical success criteria.
Assessment Step(s): From inquiries of project managers, determine if IT assesses the project at agreed-on major stage-gates, releases or iterations and makes formal go/no-go decisions based on predetermined critical success criteria.

BAI01.11.10 - Baseline Change Control System
Assessment Objective: Understand if IT has established and operates a change control system for the project so that all changes to the project baseline (e.g., cost, schedule, scope, and quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the program and project governance framework.
Assessment Step(s): From inquiries of project managers, determine that IT establishes and operates a change control system for the project so that all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the program and project governance framework.

BAI01.12 Management Practice1

Manage project resources and work packages. Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources.

Activity Title1, Activity Assessment Objectives1, Activity Assessment Step(s)2

BAI01.12.01 - Resource Needs
Assessment Objective: Determine that IT identifies business and IT resource needs for the project and clearly maps appropriate roles and responsibilities, with escalation and decision-making authorities agreed on and understood.
Assessment Step(s): From inquiries of project managers and a review of sample project documentation, determine that IT identifies business and IT resource needs for the project and clearly maps appropriate roles and responsibilities.

BAI01.12.02 - Skill Requirements
Assessment Objective: Understand that IT identifies required skills and time requirements for all individuals involved in the project phases in relation to defined roles.
Assessment Step(s): From inquiries of project managers, determine that IT can identify required skills and time requirements for all individuals involved in the project phases in relation to defined roles. Staff the roles based on available skills information (e.g., IT skills matrix).

BAI01.12.03 - Project Management Experience Match
Assessment Objective: Determine that IT utilizes experienced project management and team leader resources with skills appropriate to the size, complexity and risk of the project.
Assessment Step(s): From inquiries of project managers, determine if IT utilizes experienced project management and team leader resources with skills appropriate to the size, complexity and risk of the project.
BAI01.12.04 - Third-Party Roles
Assessment Objective: Understand if IT considers and clearly defines the roles and responsibilities of other involved parties, including finance, legal, procurement, HR, internal assessment, and compliance.
Assessment Step(s): From inquiries of project managers, understand how IT considers and clearly defines the roles and responsibilities of other involved parties, including finance, legal, procurement, HR, internal assessment and compliance.
BAI01.12.05 - Vendor Procurement and Management
Assessment Objective: Understand if IT clearly defines and agrees on the responsibility for procurement and management of third-party products and services, and manages the relationships.
Assessment Step(s): From inquiries of project managers, determine how IT clearly defines and agrees on the responsibility for procurement and management of third-party products and services, and manages the relationships.

BAI01.12.06 - Work Authorization
Assessment Objective: Understand that IT identifies and authorizes the execution of the work according to the project plan.
Assessment Step(s): Determine if and how IT identifies and authorizes the execution of the work according to the project plan.

BAI01.12.07 - Project Plan Gaps
Assessment Objective: Determine if and how IT identifies project plan gaps and provides feedback to the project manager to remediate.
Assessment Step(s): From inquiries of the project managers, understand if IT identifies project plan gaps and provides feedback to the project manager to remediate.

BAI01.13 Management Practice1

Close a project or iteration. At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects, releases, iterations and programs.

Activity Title1, Activity Assessment Objectives1, Activity Assessment Step(s)2

BAI01.13.01 - Project Closure Steps
Assessment Objective: Determine that IT defines and applies key steps for project closure, including post-implementation reviews that assess whether a project attained desired results and benefits.
Assessment Step(s):
1. Determine and confirm that IT policies and procedures include key steps for project closure, including an effective post-implementation review.
2. Select a sample of post-implementation reviews to determine if the reviews are effectively planned and executed.

BAI01.13.02 - Post-Implementation Review
Assessment Objective: Determine if IT plans and executes post-implementation reviews to determine whether projects delivered expected benefits and to improve the project management and system development process methodology.
Assessment Step(s): From inquiries of project managers, determine if IT plans and executes post-implementation reviews to determine whether projects delivered expected benefits and to improve the project management and system development process methodology.
BAI01.13.03 - Uncompleted Activities Tracking
Assessment Objective: Understand if IT identifies, assigns, communicates, and tracks any uncompleted activities required to achieve planned program and project results and benefits.
Assessment Step(s): Analyze the process used to identify, communicate and track any uncompleted activities required to achieve project and program benefits. Inspect post-implementation documentation to determine if uncompleted activities are identified, communicated and resolved.
BAI01.13.04 - Lessons Learned
Assessment Objective: Determine if IT regularly, and upon completion of the project, collects the lessons learned from the project participants.
Assessment Step(s): Analyze the process used to collect lessons learned to determine if the process is effective in improving future projects.
Note: IT should review the lessons learned and the key activities that led to delivered benefits and value, analyze the data, and make recommendations for improving the current project as well as the project management method for future projects.

BAI01.13.05 - Stakeholder Acceptance and Ownership
Assessment Objective: Determine if IT obtains stakeholder acceptance of project deliverables and transfer of ownership.
Assessment Step(s): Analyze the process used to collect lessons learned. Assess customer involvement in the review and analysis process.

BAI01.14 Management Practice1

Close a program. Remove the program from the active investment portfolio when there is agreement that the desired value has been achieved or when it is clear it will not be achieved within the value criteria set for the program.

Activity Title1, Activity Assessment Objectives1, Activity Assessment Step(s)2

BAI01.14.01 - Orderly Close
Assessment Objective: Understand how IT brings the program to an orderly closure, including formal approval, disbanding of the program organization and supporting function, validation of deliverables, and communication of retirement.
Assessment Step(s): Through inquiry and available documentation, determine how IT brings the program to an orderly closure, including formal approval, disbanding of the program organization and supporting function, validation of deliverables, and communication of retirement.

BAI01.14.02 - Lessons Learned
Assessment Objective: Understand if IT reviews and documents lessons learned.
Assessment Step(s):
1. Review and analyze documented lessons learned.
2. Determine that IT, once the program is retired, removes it from the active investment portfolio.

BAI01.14.03 - Continued Value Assurance
Assessment Objective: Determine how IT puts accountability and processes in place to ensure that the enterprise continues to optimize value from the service, asset or resources.
Assessment Step(s): Determine if IT puts accountability and processes in place to ensure that the enterprise continues to optimize value from the service, asset or resources. Additional investments may be required at some future time to ensure that this occurs.

BAI01 Assessment Summary1

Management Practice: Maintain a standard approach for program and project management.
Practice Description: Maintain a standard approach for program and project management that enables governance and management review and decision-making and delivery management activities focused on achieving value and goals (e.g., requirements, risk, costs, schedule, and quality) for the business in a consistent manner.
Practice Assessment Summary:

Management Practice: Initiate a program.
Practice Description: Initiate a program to confirm the expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.
Practice Assessment Summary:

Management Practice: Manage stakeholder engagement.
Practice Description: Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.
Practice Assessment Summary:

Management Practice: Develop and maintain the program plan.
Practice Description: Formulate a program to lay the initial groundwork and to position it for successful execution by formalizing the scope of the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to date.
Practice Assessment Summary:

Management Practice: Launch and execute the program.
Practice Description: Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on the progress of the program and to be able to make the case for funding up to the following stage-gate or release review.
Practice Assessment Summary:

Management Practice: Monitor, control and report on the program outcomes.
Practice Description: Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors.
Practice Assessment Summary:

Management Practice: Start up and initiate projects within a program.
Practice Description: Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally approved by the program and project sponsors.
Practice Assessment Summary:

Management Practice: Plan projects.
Practice Description: Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.
Practice Assessment Summary:

Management Practice: Manage program and project quality.
Practice Description: Prepare and execute a quality management plan, processes and practices, aligned with the QMS, that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans.
Practice Assessment Summary:

Management Practice: Manage program and project risk.
Practice Description: Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded.
Practice Assessment Summary:

Management Practice: Monitor and control projects.
Practice Description: Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.
Practice Assessment Summary:

Management Practice: Manage project resources and work packages.
Practice Description: Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources.
Practice Assessment Summary:

Management Practice: Close a project or iteration.
Practice Description: At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects, releases, iterations and programs.
Practice Assessment Summary:

Management Practice: Close a program.
Practice Description: Remove the program from the active investment portfolio when there is agreement that the desired value has been achieved or when it is clear it will not be achieved within the value criteria set for the program.
Practice Assessment Summary:


BAI01 Risk Summary1


Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/
vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component (mark all that apply)

Threat Type (Describe the nature of the event)
[ ] Malicious
[ ] Accidental
[ ] Error
[ ] Failure
[ ] Natural
[ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability)
[ ] Internal
[ ] External
[ ] Human
[ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.)
[ ] Disclosure
[ ] Interruption
[ ] Modification
[ ] Theft
[ ] Destruction
[ ] Ineffective design
[ ] Ineffective execution
[ ] Rules and regulations
[ ] Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.)
[ ] Process
[ ] People and Skills
[ ] Organizational Structure
[ ] Physical Infrastructure
[ ] IT Infrastructure
[ ] Information
[ ] Applications

Resource (A resource is anything that helps to achieve a goal.)
[ ] Process
[ ] People and Skills
[ ] Organizational Structure
[ ] Physical Infrastructure
[ ] IT Infrastructure
[ ] Information
[ ] Applications

Time
Timing: [ ] Critical [ ] Non-Critical
Duration: [ ] Short [ ] Moderate [ ] Extended
Detection: [ ] Slow [ ] Moderate [ ] Instant
Time lag: [ ] Immediate [ ] Delayed
Velocity: [ ] Slowing [ ] Constant [ ] Increasing

Likelihood: [ ] Highly [ ] Moderate [ ] Unlikely
Impact: [ ] Great [ ] Moderate [ ] Little

Possible Risk Response
Risk Avoidance:
Risk Acceptance:
Risk Sharing/Transfer:
Risk Mitigation:
