Chapter 8: COBIT 5 Process Assessment Model (PAM) – Governance of Enterprise IT based on COBIT®5

CHAPTER 8: COBIT 5 PROCESS ASSESSMENT MODEL (PAM)

Measurement is the first step that leads to control and eventually to improvement. If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it.’

H. James Harrington

This chapter discusses the approach to process assessment. As discussed in Chapter 7 this is needed in Phase 2 of the implementation lifecycle to implement GEIT but is also regularly used to assess the state of COBIT 5 processes with the goal of recognising process improvements needed or to gain confirmation about the current status of COBIT 5 processes.

Traditionally, COBIT has used a maturity model based on CMMI® as its technique of assessing processes. However, with the introduction of COBIT 5 this has changed and now the standard COBIT approach to assessment is to use the COBIT 5: Process Assessment Model (PAM) that is conformant with ISO/IEC 15504-2 Software Engineering – Process Assessment: Performing an Assessment. Now the terminology used is ‘capability assessment based on a process capability model’ rather than ‘maturity assessment using a maturity model’.

COBIT 5 Process Assessment Model

The COBIT 5 Process Assessment Model (PAM) is shown in Figure 8.1.

Figure 8.1: COBIT®5 Process Assessment Model (PAM)83
(This figure is derived from Figure 19, p.42 of COBIT 5: A business framework
for the governance and management of enterprise IT).

The PAM model has to completely obey the rules set out in the ISO/IEC 15504 international Standard. This means there must be a Process Reference Model (PRM) formulated using ISO/IEC 15504 terminology. As already discussed in Chapter 6, the formal COBIT 5 Process Reference Model conformant with ISO/IEC 15504 terminology is in COBIT 5: Process Assessment Model (PAM): Using COBIT 5. It is recommended that to fully understand this difference in terminology, you should spend 10 minutes comparing a process in the COBIT 5 Enabling Processes book with the COBIT 5: Process Assessment Model (PAM): Using COBIT 5. This will make it absolutely clear what terminology is being used to conduct assessment. If conducting a self-assessment then you can manage without viewing the PAM book, but it is better to use it, I would suggest.

How assessment is conducted

There are six capability levels 0–5 and these are listed in Table 8.1, which shows the name of each capability level. Levels are assessed using process attributes. Apart from Level 1, each capability level has two process attributes that must both be assessed for that capability level.

Assessment of Level 1 uses only base practices, that is, practices that belong to the process being assessed. Failing to meet Level 1 means the process is at Level 0 Incomplete.

Levels 2–5 use only generic practices that are identical for every COBIT process. However, each process attribute has different generic practices. Generic practices are described in COBIT 5: Self-assessment Guide: Using COBIT 5 as well as in the PAM guide, but generic work products are not described in the COBIT 5: Self-assessment Guide: Using COBIT 5 book but are only in the PAM guide. Finally, note that in Figure 8.1, the Generic Resources shown in the COBIT 5 Process Assessment Model – Capability Indicators are formally a part of ISO/IEC 15504 but have not been used as part of the COBIT 5 Process Assessment Model.84

Table 8.1: COBIT®5 Capability Levels, Process Attributes, Practices and Work Products Used for Assessment

1 Work Products are helpful for assessing Base Practices, but for Self-Assessment they do not have to be used

Assessment of a Process Attribute uses an ISO/IEC 15504 rating scale. The rating scales are labelled as N, P, L, F and are shown in Table 8.2, which is based upon ISO/IEC 15504-2: 2003:

Table 8.2: COBIT®5 PAM Rating Scales

Rating Rating Name Achievement percentage
N Not achieved 0 – 15
P Partially achieved >15 – 50
L Largely achieved >50 – 85
F Fully Achieved >85 – 100

Level 1 Assessment

What is being assessed for a process is, ‘Are Process Outcomes being achieved?’

Process Outcomes are listed in the PAM guide and are shown with labels such as DSS02-01, which are assessed by Base Practices labelled for example as DSS02-BP1. Work Products are labelled for example as DSS02-WP1. Note that the Process Outcomes are what the COBIT 5 Enabling Processes book labels as Process Goals (with numbers 1, 2, 3 and so on) and it labels Base Practices as Management Practices85 labelled for example as DSS02.01 (i.e. with decimal point). It labels as Inputs and Outputs what the PAM guide calls Work Products.

Level 2–5 Assessments

What is being assessed for a process is, ‘Are Generic Practices being achieved?’

Generic Practices (GP) are different for each process attribute (PA) but are identical for every process. The PAM guide labels Generic Practices, for example for Capability Level 2, as:

• Level 2 PA2.1 as GP 2.1.1, GP 2.1.2, GP 2.1.3, GP 2.1.4, GP 2.1.5, GP 2.1.6

• Level 2 PA2.2 as GP 2.2.1, GP 2.2.2, GP 2.2.3, GP 2.2.4

Generic Work Products (GWP) are a set of values that are applied differently to each Capability Level. This is tabulated clearly in section 4.0 of the PAM guide. The Generic Work Products are labelled as:

• GWP 1.0, GWP 2.0, GWP 3.0, GWP 4.0, GWP 5.0, GWP 6.0, GWP 7.0, GWP 8.0, GWP 9.0

Generic Work Products that are listed in the table in PAM guide section 4.0 against a Generic Practice are used to assist the assessment of Generic Practices.

There are strict rules about how assessment at different Capability Levels can be evaluated:

• Essentially to meet a Capability Level then L or F as the Rating Scale must be achieved.

For Capability Levels 2–5 both PAs must be at Rating Scale L or F and all Capability Levels below that level must be at Rating Scale F.

Table 8.3 demonstrates these rules to show what Rating Scales are needed for Process A to be at Capability Level 1, Process B to be at Capability Level 2 and Process 3 to be at Capability Level 3.

Table 8.3 Demonstration of Rules for Attainment of a Capability Level

Advantages of the Process Assessment Model (PAM) scheme

Unlike the traditional CMMI®-based scheme that COBIT used in the past, this COBIT 5 PAM scheme is reliable and repeatable because specific practices (Base Practices and Generic Practices) and specific work products (Work Products and Generic Work Products) have been defined. This means assessors have much detail to formally examine when making their assessments. With the old scheme, the approach to conducting assessment was not rigorously defined and so different assessors did assessment in different ways.

Further, assessment is conducted according to an international standard and it is worth noting that ISO20000 is currently working to develop assessment using ISO15504, too.

_______________

83 People often ask me ‘why is there an arrow linking Level 1 Performed Process to The COBIT®5 PAM – Capability Indicators when Level 1 does not use Generic Practices and Generic Work Products, only Levels 2–5 use those.’ It is absolutely true that Levels 2–5 use Generic Practices and Generic Work Products, but according to ISO/IEC 15504 Generic Practices can be used to aid the audit of Base Practices. COBIT®5 documentation contradicts its diagram and does state that ‘only Levels 2-5 assessment use Generic Practices and Generic Work Products.’

84 Generic Resources has been shown on Figure 8.1 to be consistent with diagrams used in COBIT®5 books, but it was not defined as part of COBIT®5 as it is not essential.

85 Since DSS02 is a Management Process not a Governance Process.