. 53
( 67 .)


and a roadmap for process improvement.
Others have adapted the ideas of the maturity model. For example, SEI itself
has developed a People Maturity Model,8 which deals with the management of
people in software development. Others have developed a Project Management
Maturity Model,9 an E-Business Maturity Model,10 and so forth. The Informa-
tion Systems and Audit and Control Foundation (ASACF), in conjunction with
PricewaterhouseCoopers (PwC) and Gartner, developed a set of maturity mod-
els that cover 34 IT management processes. This set of maturity models is col-
lectively called Control Objectives for Information and Related Technology
The COBIT models follow the SEI precedent of using a five-level maturity
scale with descriptions of the characteristics of each IT management process at
each of its maturity levels. The COBIT model also includes CSFs, key goal indi-
cators (KGIs), and key performance indicators (KPIs). The relationship between
these three elements can be expressed as:
CSFs are what you need to do based on the choices made in the maturity
model, while monitoring through KPIs whether you will reach the goals
set by the KGIs.12
COBIT applies the idea of maturity models to 34 IT management processes.
Its description of the generic maturity model states very well the basic charac-
teristics of each level. See Exhibit 12.10.

EXHIBIT 12.10 COBIT Generic Maturity Model
COBIT™s Statement of Generic Maturity Model
1 Initial/Ad There is evidence that the organization has recognized that the issues exist and need to
Hoc be addressed. There are, however, no standardized processes but instead there are ad
hoc approaches that tend to be applied on an individual or case-by-case basis. The overall
approach to management is disorganized.
2 Repeatable Processes have developed to the stage where similar procedures are followed by different
but Intuitive people undertaking the same task. There is no formal training or communication of
standard procedures, and responsibility is left to the individual. There is a high degree of
reliance on the knowledge of individuals and, therefore, errors are likely.
3 Defined Procedures have been standardized, documented, and communicated through training.
Process It is, however, left to the individual to follow these processes, and it is unlikely that
deviations will be detected. The procedures themselves are not sophisticated but are
the formalization of existing practices.
4 Managed and It is possible to monitor and measure compliance with procedures and to take action where
Measurable processes appear to be working effectively. Processes are under constant improvement
and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimized Processes have been refined to a level of best practice, based on the results of continuous
improvement and maturity modeling with other organizations. IT is used in an integrated
way to automate the workflow, providing tools to improve quality and effectiveness,
making the enterprise quick to adapt.

COBIT is emerging as an important framework and standard that can sup-
port benchmarking between organizations while also allowing for company-
specific elements that connect to company-specific performance issues and

Appendix F contains detailed Business Value Maturity Model descriptions for
each NIE practice.

1. For example, the goal of “Produce action and use budgets, projects, and per-
formance measurement to achieve business results” sets the foundation for
employing the NIE Performance Measurement practice. See Chapter 1 for the
definition of the NIE goals.
2. Watts S. Humphrey, Managing the Software Process (Reading, MA: Addison-
Wesley, 1989) and A Discipline for Software Engineering (Reading, MA: Addison-
Wesley, 1996).
3. Software Engineering Institute, Carnegie Mellon University, The Capability
Maturity Model: Guidelines for Improving the Software Process (Reading, MA:
Addison-Wesley, 1995).
4. Note that we do not disagree with constructs like the Balanced Scorecard that
highlight the importance of measurement and management incentives that flow
from business strategy. Indeed, we highlight performance measurement as an
important NIE component. Our focus here is on the means for getting action
to occur ” that is, the maturity of individual processes and the maturity of the
holistic connection of those processes.
5. See Chapter 1 for a statement of process and business outcomes expected from
NIE practices.
6. Watts S. Humphrey, Managing the Software Process. Humphrey applied man-
agement process maturity concepts to software development and systems engi-
neering, on the premise that more mature processes produce better software.
7. Richard Nolan, “Managing the Computer Resource: A Stage Hypothesis,” Com-
munications of the ACM, vol. 16, no. 7, July 1973.
8. SEI, People Capability Maturity Model (P-CMM ) Version 2.0, July 2001,
9. Harold Kerzner, Strategic Planning for Project Management Using a Project
Management Maturity Model (Hoboken, NJ: John Wiley & Sons, 2001).
10. PricewaterhouseCoopers, with the assistance of Carnegie Mellon University, has
developed the E-Business Maturity Model (emm@ ).
11. Information Systems Audit and Control Association, COBIT, 3rd edition. Avail-
able at: www.isaca.org/cobit.htm.
12. Ibid.

Define What™s Next

T his chapter introduces IT Impact Management as a framework for helping
companies and managers decide how to move forward with Right Decisions/
Right Results and the NIE practices. The goal is to give managers guidance for
“what™s next.” Because companies, cul-
tures, and circumstances are unique, Control Spending and Maximize
there is no single right answer. There Impact on the Bottom Line
are, however, general guidelines that 1 Define the Goals
can be followed.
2 Ask the Right Questions
This chapter provides guidance
3 Connect to the Bottom Line
in three ways. First, we present three
4 Understand Costs and Resources
alternate methods to establish goals
for adopting Right Decisions/Right 5 Focus on the Right Things
Results. Each method assesses the 6 Adopt Effective Process to Produce Action
as-is and to-be with respect to IT 7 Tackle the Practical Problems
management processes, which then
8 Make the Right Decisions
become the basis for defining the
9 Plan for the Right Results
goals. Second, we present a method
10 Keep Score
to set goals from the perspective of
corporate governance and processes. 11 Deal with Culture
Third, we describe how a company 12 Char t the Path to Implementation
can establish a program for the adop- ¤ 13 Define What™s Next
tion of Right Decisions/Right Results,
14 Answer the “So What?” Question
which we call “IT Impact Manage-
Exactly what are the Right Decisions/Right Results goals? They fall into
three categories:

1. Where should we start? Which NIE practice should be done first?
2. Who should be involved? IT management? Business management?
3. What should the outcomes be? (See, for example, Exhibit 13.17).

This chapter shows how to answer these questions.


We offer three related methods to establish goals. In all three methods, the
approach is to determine the as-is, decide what the company™s goal should be
to achieve a to-be state, and then decide where to start and how to establish the
set of actions needed to reach the to-be goal.
The first method starts with the current performance stage of IT in the com-
pany, based on the stage model introduced in Chapter 2. This establishes an as-
is starting point for applying Right Decisions/Right Results. Companies then can
begin with one or two practices such as prioritization or alignment, based on
their as-is starting point.
The second method applies the Business Value Maturity Model from
Chapter 12. This establishes an as-is and to-be for each basic NIE practice, and
permits management to set goals to address maturity-level gaps. Management
decides which of the to-be gaps will become a “should be” and sets the roadmap
The third method works from the practical problems described in Chapter
7 and establishes an as-is and to-be goal. As with the maturity model approach,
management then decides what the priority should be and plans accordingly.

Method 1: Setting Goals Based on the Stage of IT Performance
The status of stakeholders, current management processes, and business/IT gov-
ernance comprise an important as-is in terms of applying the concepts and prac-
tices of Right Decisions/Right Results.
The stakeholders fall into four groups:

1. IT management (referred to as the Technology Leadership Team elsewhere
in the book).
2. Senior management (called the senior management team elsewhere in the
book), including business unit managers with bottom-line accountability for
the units they manage.
3. Business unit and functional managers (referred to as the Business Leader-
ship Team elsewhere).
4. Managers of related management processes in the company (e.g., corporate
budget, program management offices, and financial officers such as CFOs).

Each group™s perspective on current IT performance has a substantial effect
on what its members will regard as solutions to the problems they care about.
(It certainly is possible to go forward with individual NIE practices without
careful consideration of these groups™ points of view. The risk, however, is the
initiative won™t stick and will simply be a one-time exercise; worse, the expe-
rience can serve to harden management attitudes concerning IT management
Three Methods to Establish Right Decisions/Right Results Goals

EXHIBIT 13.1 Five IT Performance Stages

Stage 5: Performance in Creating Strategic Opportunities

Stage 4: Performance in Response to Strategic Needs

Stage 3: Performance in Response to Tactical Needs

Stage 2: Performance of Development Processes and Tasks

Stage 1: Performance of Operational Processes and Tasks

A company begins by determining the stakeholders™ attitudes about the cur-
rent stage of IT performance. In Chapter 2, we introduced a simple stage analy-
sis of IT performance. See Exhibit 13.1.
A company is at Stage 1 when IT can competently perform IT operations.
A company is at Stage 2 when IT is conducting systems development compe-
tently. A company is at Stage 3 when governance and planning processes react
well to new tactical needs. A company is at Stage 4 when governance and plan-
ning processes react well to new strategic requirements. Finally, a company is at
Stage 5 when IT significantly contributes to business planning with new, inno-
vative directions that lead to new strategic intentions or new ways to address
current strategic intentions.

EXHIBIT 13.2 Management Views on IT Performance
Company Stage Management View on IT Performance
Business Unit





with P/L

Stage Description

Stage 1 IT competently
Stage 2 IT competently
conducts systems
Stage 3 IT™s governance and planning
processes react well to new
tactical needs.


. 53
( 67 .)