Add to collection(s) Add to saved
  1. Business
  2. Management

Proceedings of 23rd International Business Research Conference

advertisement 
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
A Comparative and Assessment Study of the Role of
Information Technology in South Pars Gas Complex (SPGC)
With Peer Companies (Industrial/Operational) in Other
Countries by Using of COBIT Framework
S.Radmanesh*, A.Tavakoli** and Sh.Nakhaei***
COBIT framework is a well-known IT Governance standard which is globally
accepted and used. The maturity model introduced in this framework is a common
ground for evaluation of importance and performance of IT within and between
organizations regardless of size or line of business. South Pars Gas Complex is one
of
the
large
companies
in
oil
and
gas
industry
This utilizes the IT extensively. Therefore, it is important to know current situation of
IT within the company and its position compared to other companies worldwide. In
this paper, maturity of 10 most important IT processes is measured in South Pars
Gas Complex based on COBIT framework. Then the results are compared with
statistics extracted from other companies around the world based on variety of
criteria including geographical region, size of company and line of business. The
results shows that SPGC is doing well in “Define and Manage Service Levels”,
“Manage third-party services” and “Manage Operations” processes , but situation of
other processes is not satisfactory and corrective actions are essential. This implies
that management is not fully aware of critical success factors in IT and as a result
cannot identify key IT processes. Therefore, control objectives and appropriate
measures are defined and proper solution is suggested.
1. Introduction
For many enterprises, information and the technology that supports it represent their most
valuable, but often least understood assets. Successful enterprises recognize the benefits of
information technology and use it to drive their stakeholders’ value. These enterprises also
understand and manage the associated risks, such as increasing regulatory compliance and
critical dependence of many business processes on information technology (IT).( IT Governance
2006)
The need for assurance about the value of IT, the management of IT-related risks and increased
requirements for control over Information is now understood as key elements of enterprise
Governance. (Salle2009, Webb 2010) Value, risk and control constitute the core of IT
governance. IT governance is the responsibility of Executives and the board of directors, and
consists of the leadership, organizational structures and processes that ensure that the
enterprise’s IT sustains and extends the organization's strategies and objectives. (Salle 2009,
ITIG 2010)
___________________
*Sima.Radmanesh, Department of ICT, South Pars Gas Complex (SPGC), Assalouyeh, Bushehr, Iran.
Email: sima.radmanesh@gmial.com
**Amin.Tavakoli, Department of ICT, South Pars Gas Complex (SPGC),Assalouyeh, Bushehr,Iran
Email: amin_tavakoli@yahoo.com
***Shahrokh.Nakhaei, Department of ICT, South Pars Gas Complex (SPGC), Assalouyeh, Bushehr, Iran.
Email: shahrokh.nakhaei@gmail.com
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Furthermore, IT governance integrates and institutionalizes good practices to ensure that
enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full
advantage of its information, thereby maximizing benefits, capitalizing on opportunities and
gaining competitive advantage. These outcomes require a framework for control over IT that fits
with and Supports the Committee of Sponsoring Organizations of the Tread way Commission’s
(COSO’s) Framework, the widely accepted control framework for enterprise governance and risk
management, and similar compliant frameworks (Grembergen 2008).
Organizations should satisfy the quality, fiduciary and security requirements for their information,
as for all assets. Management should also optimize the use of available IT resources, including
applications, information, infrastructure and people. To discharge these responsibilities, as well
as to achieve its objectives, management should understand the status of its enterprise
architecture for IT and decide what governance and control it should provide. (Guldentop 2011).
Control Objectives for Information and related Technology (COBIT) provides good practices
across a domain and process framework and presents activities in a manageable and logical
structure. COBIT’s good practices represent the consensus of experts. They are strongly focused
more on control, less on execution. These practices will help optimize IT-enabled investments,
ensure Service delivery and provide a measure against which to judge when things do go wrong
(Guldentop 2011).
The development of e-commerce, the question is whether oil and gas companies as businesses
need to have proper management of information technology governance, the role of ICT have a
similar strategic approach?
Have the companies been able to match their strategic of information technology with business
strategies? So base on this question in paper, we have attempted to measure the maturity of IT
Fig 1: Graphic Representation of Maturity Module
governance in the South Pars Gas Company and comparison with other competitors from the
perspective of the company's turnover, geographical area, field work and analysis of business
results by Using the COBIT framework and implementation strategies to compare and evaluate.
2. Definitions of COBIT Concepts
Differences in the maturity of the organization's business strategies and ultimately pay the world's
information technology solutions, and finally we propose to approach improved position of south
pars gas company position had improved more than other countries.
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
A. COBIT Maturity Model
Organizations should satisfy the quality, fiduciary and security requirements for their information,
as for all assets. Management should also optimize the use of available IT resources, including
applications, information, infrastructure and people. To discharge these responsibilities, as well
as to achieve its objectives, management should understand the status of its enterprise
architecture for IT and decide what governance and control it should provide.
COBIT provides good practices across a domain and process framework and presents activities
in a manageable and logical structure. COBIT’s good practices represent the consensus of
experts.
They are strongly focused more on control, less on execution. These practices will help optimize
IT-enabled investments, ensure service delivery and provide a measure against which to judge
when things do go wrong.
The business orientation of COBIT consists of linking business goals to IT goals, providing
metrics and maturity models to measure their achievement, and identifying the associated
responsibilities of business and IT process owners.
COBIT provides a generic process model that represents all the processes normally found in IT
functions, providing a common reference model understandable to operational IT and business
managers. The COBIT process model has been mapped to the IT governance focus areas,
providing a bridge between what operational managers need to execute and what executives
wish to govern.
To achieve effective governance, executives require that controls be implemented by operational
managers within a defined control framework for all IT processes. COBIT’s IT control objectives
are organized by IT process; therefore, the framework provides a clear link among IT governance
requirements, IT processes and IT controls.
B. Maturity Models
Maturity modeling for management and control over IT processes is based on a method of
evaluating the organization, so it can be rated from a maturity level of non-existent (0) to
optimized (5). This approach is derived from the maturity model that the Software Engineering
Institute (SEI) defined for the maturity of software development capability. In general, the
purpose is to identify where issues are and how to set priorities for improvements. The purpose is
not to assess the level of adherence to the control objectives. The maturity levels are designed
as profiles of IT processes that an enterprise would recognize as descriptions of possible current
and future states. A COBIT maturity assessment is likely to result in a profile where conditions
relevant to several maturity levels will be met, as shown in the example graph in figure (1).
When assessing maturity using COBIT’s models, it will often be the case that some
implementation will be in place at different levels even if it is not complete or sufficient. These
strengths can be built on to further improve maturity. For example, some parts of the process can
be well defined, and, even if it is incomplete, it would be misleading to say the process is not
defined at all. To make the results easily usable in management briefings, where they will be
presented as a means to support the business case for future plans, a graphical presentation
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
method needs to be provided. When assessing maturity using COBIT’s models, it will often be
the case that some implementation will be in place at different levels even if it is not complete or
sufficient. These strengths can be built on to further improve maturity. For example, some parts
of the process can be well defined, and, even if it is incomplete, it would be misleading to say the
process is not defined at all. To make the results easily usable in management briefings, where
they will be presented as a means to support the business case for future plans, a graphical
presentation method needs to be provided. Figure(2).
The COBIT framework, therefore, ties the businesses requirements for information and
governance to the objectives of the IT services function. The COBIT process model enables IT
activities and the resources that support them to be properly managed and controlled based on
COBIT’s control objectives, and aligned and monitored using COBIT’s goals and metrics, as
illustrated in figure(3).
C .Core COBIT Components
The COBIT framework is populated with the following core components, provided in the rest of
this publication and organized by the 34 IT processes, giving a complete picture of how to
control, manage and measure each process. Each process is covered in four sections, and each
section constitutes roughly one page, as follows:
• Section 1 contains a process description summarizing the process objectives, with the process
description represented in a waterfall.
• Section 2 contains the control objectives for this process.
• Section 3 contains the process inputs and outputs, RACI chart, goals and metrics.
• Section 4 contains the maturity model for the process. Figure (4).
Level1
Level2
Level3
Level4
Level5
Possible maturity level of an IT process: the example illustrates a process that is
largely at level 3 but still has some compliance issues with lower level
requirement whilst already investing in performance measurement (level4) and
optimization (level5)
Fig 1: Graphic representation of Maturity Module
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Fig 2: COBIT Management, Control, alignment and Monitoring
3. What is the Research?
C. Implementation Procedure of COBIT Framework in SPGC.
The main goal of this work is to define clear policies and develop appropriate models for process
control and security of information technology. First, the governance structure in South Pars Gas
Company was studied, and then ICT master plan was considered. These structure documents
have been developed according to the balance scorecard. So the study of current status of
information technology in South Pars Gas Company has been addressed.
After identifying the current situation of IT management practices, the optimal IT processes were
determined and their expected maturity levels were extracted. For this, numerous meetings with
stakeholders carried out. A questionnaire method was used in these Sessions. Statistical
population includes experts in the field of information technology, various refinery managers and
executives, and experts from other business units. We were looking for information and views of
people who have experience and knowledge in the field of information technology and the
business.
During the meetings, members would have been reached a consensus on questions upon which
the current maturity level of the processes was calculated. Among the 34 processes defined in
the COBIT framework, top 10 prioritized processes were selected. The maturity of these
processes in the following table I is reflected. (COBIT VER4 2007)
Next, we have compared results from our company with other enterprises abroad based on
geographical area, the field of business, and size of business. For benchmarking purposes in all
three divisions, the most important processes from our company were considered. Information of
other companies was extracted from COBIT Online.
ISACA has categorized the participating companies according to geographical areas, business
Areas and business size. The world is divided into 5 geographical areas:
Business size. The world is divided into 5 geographical areas: North America, Asia Pacific,
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Europe and the Middle East and Africa, Central America and South America and elsewhere. Iran
is in the category of Europe, Middle East, and Africa (COBIT VER4 2007)
Segmentation of the business defines 6 domains including: Operation / production, financial,
public sector, health, and information technology and service suppliers, and other sectors. Our
organization falls into the operation / production domain.
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Fig 4: Overall COBIT Framework
In the last Segmentation is the size of business, with three sections included: large firms with
turnover greater than $ 5 million or more than 15,000 personnel, SMEs with a turnover of more
than $ 500 million or more than 1,500 employees and small companies with more than 50 million
dollar Turnover of $ 150 or less employees. In this classification, our organization is in the
category of large companies (COBIT VER4 2007)
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Table I: The Maturity of Processes in SPGC
Process
The name of Process
Level of Maturity in
SPGC
PO6
Communicate Management Aims
and Direction
1.69
AI4
Enable Operation and Use
1.71
AI6
1.66
DS2
Manage Changes
Define and Manage Service
Levels
Manage Third-party Services
DS4
Ensure Continuous Service
1.67
DS11
Manage Data
1.65
DS13
Manage Operations
2.61
ME3
Ensure Compliance With External
Requirements
1.50
ME4
Provide IT Governance
1.18
DS1
1.89
2.66
D. The results of the Benchmarking process
The first phase of research is including understanding the current state of information technology;
then describing processes of COBIT framework for information technology; next, providing a
method for evaluating and measuring the maturity of these processes in the company; and finally
review the current status of IT management that consists of processes, investment, and human
resource.
The comparison between the maturity levels in different domains shows that in the plan and
organization sector with 1.69 score, in the implementation and acquisition sector with 1.68, in
delivery and support sector with 2.10 and in the last sector, monitoring and evaluation is 1.34
shows that in The highest score belongs to the support and delivery sector with a 2.10 and
lowest score belongs to the evolution and monitoring sector and with a score of 1.34. However,
the most mature field of information technology belongs to the delivery and support sector which
is less than 3.
In second phase, the results were assessed and compared the important processes of our
company with other organizations, from the perspective of geographic region, business size and
business area.
Only three processes of our organization, (table II) DS1, DS2, and DS13 with a moderate
average, approximately equals and in other processes have been away.
In the following figures, you can see the comparison of South Pars Gas Company processes with
others companies according to different criteria.
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Table II: Role of information technology in terms of geographical area, size and scope of
business
Process
SPGC
Europe, Middle
East, Africa
production/
process
Large
Firms
PO6
1.69
1.84
1.88
1.97
AI4
1.71
1.84
1.82
1.88
AI6
1.66
2.07
2.27
2.23
DS1
1.89
1.83
1.8.0
1.85
DS2
2.66
2.00
1.67
2.01
DS4
1.67
1.97
1.90
2.00
DS11
1.65
1.89
1.92
1.93
DS13
2.61
2.16
2.15
2.11
ME3
1.50
1.88
1.81
2.04
ME4
1.18
1.65
1.79
1.87
Fig 5: Radar Chart of Information Technology processes in terms of, geographic region
Fig 6: Radar Chart of Information Technology processes in terms of business area
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
Fig 7: Radar Chart of Information Technology processes in terms of business size
Fig 8: Radar Chart of Information Technology processes in terms of overall
C .Improvement
Suggestions for South Pars Gas Company
After assessing the results and comparing the maturity of South Pars Gas Company with other
companies from different perspectives, it is seen that South Pars Gas Company performs equally
or better than the average of the industry in three processes and seven other processes are
lower than average performance.
Therefore, in order to improve IT processes and reduce the gap between our company and the
average peer companies worldwide, we need to provide the solutions for developing and
improving to achieve desired outcome. To this end, processes which are lower than average are
considered for improvement and are provided solutions. These proposed solutions are according
to the industry best practices. However, the solutions can be provided with different equivalents.
One of the problems in the PO6 process - goals and guidelines, and line management, is that IT
policies and controls are defined and communicated, but not uniformly. Proposed solution is that
the standards and procedures should be communicated to all relevant persons and will require
that part of the activities is grown. So, the controls should be evaluated and the results obtained.
These measures include the number of times that the control procedures, and standards are
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
communicated to users. For process control, measure can also be the percentage of
stakeholders who do not follow this procedure.
Also we can calculate the number of users that make complaints and do control. A problem in
AI4 - enable operations and application, is that in the South Pars Gas Company, transfer of
knowledge between users and technical support personnel is not properly carried out. Also, there
is not enough system documentation and training materials are not high quality. To resolve this
problem, users must be trained and documentation system for recording knowledge is formed.
In the last, the number of programs and services having user and technical guide to be
measured. Also, number of courses held for users and technical personnel will be calculated and
the percentage of user satisfaction can be measured from the courses offered.
There is a defect in manage changes (AI6). There is no standard for managing changes and it is
quite user-dependent and casual. Standards and procedures should be implemented to
overcome this defect. Hierarchy of approval is determined and authorization levels of the
changes are approved. Also, the definition and prioritization process to evaluate the effect of
changes and change strategies identified and documented and in emergency times to be
performed. Subsequent evaluation of the number of changes are documented and followed.
For proper implementation of DS11 process, we need the accurate and reliable data, But the
trustee for the preservation and quality control are not clear. Also, all data must be timely and
carefully and completely received and processed but this is not done correctly. Therefore, the
number of events or incidents associated with integrity and reliability of data (incomplete, false
and inaccurate) to be registered and assessed and its responsibility and transparency are also
determined.
One of the problems of proper implementation of ME3 process – ensure conformance with
external requirements, is that external requirements not correctly defined and adequate training
of users are not occurred. The external requirements must be documented and communicated.
And, the number of days of annual training related to external requirements are measured and
the number of non-compliance with the external requirements extraction.
In ME4 process – provide IT governance, governance structure is not appropriate and managers
look at information technology as a side section. Therefore, IT section should provide appropriate
governance framework, in line with information technology processes and control models. Also, it
should provide an unambiguous accountability and implement appropriate methods to prevent
failure in internal controls and monitoring. To confirm this claim, the IT governance framework
should be compliant with laws and regulations and is aligned with organizational strategy and
goals. Also we have to create a common understanding between business and information
technology on the potentials of information technology on business strategy issues.
4. Limitation and Future Direction of COBIT Implementation in SPGC
The main limitation of the COBIT project in South Pars Gas complex is Lack of proper training of
COBIT for key employees of organization. For proper implementation of COBIT, Everyone should
know what is COBIT? What is the use of COBIT and How to use that? After understanding by
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
stakeholders, is required to be Defined COBIT as a suitable model in policies and procedures of
the organization and be evaluated and finally, must be audited.
Other limitations of the COBIT project in SPGC is lack of coordination between IT strategy and
business objectives and needs to be explained and to be set IT strategy correctly and be aligned
with organization objectives. SPGC needs to know IT is an inevitable part of the business
process Compared with other countries to reach higher levels of maturity and IT Governance is
not a part of the organization management.
So R&D department of IT decided to be organized Steering Committee (in executive level) and
Strategy Committee (in management level) and prepare a plan for COBIT implementation
navigation. R&D department also tries to be prepared an organization framework for managers.
Therefore, the goals of business should be coordinated with IT goals. Risks must be identified.
Define and identify the level of process. Noncompliance and Inconsistencies become identified
and the last, development strategy will improve and evaluate the result and to be ensure the full
recovery tasks to be repeated
5. Conclusion
In this work maturity level of IT processes for South Pars Gas Company are measured and
results are compared with peer companies according to three criteria including geographical
region, line of business and business size. The result shows that our company is doing higher or
the same as peer companies in three processes (DS1, DS2, DS13), and lower than average in 7
other processes(PO6, AI4, AI6, DS4, DS11, ME3, ME4). Comparing the overall values show that
in three processes (AI6, ME3, ME4) the gap is large and more attention is required to keep
competitive advantages
Implementation of information technology governance in South Pars Gas Company is still in its
early stages and to achieve the full result, there is a long way ahead. With proper evaluation of IT
process capability based on maturity model, we can achieve the most important executive IT
governance.
Since information security is a key element in the governance of the organization, they need to
ensure that information technology can be considered as a value for the organization and it
manages IT related risks to control information.
South Pars Gas Company may also use this research to identify current state and plan desired
state of IT within organization and a roadmap of how to achieve it. This model can be uses as a
framework for monitoring and auditing process within the organization.
The next step to this research is to measure and evaluate the rest of IT processes in the
company and implement the required solutions. Also, integration of this framework with other
standards used in the company is necessary to merge similar activities.
Acknowledgement
Financial and intellectual support of South Pars Gas Company in this research is highly
appreciated
Proceedings of 23rd International Business Research Conference
18 - 20 November, 2013, Marriott Hotel, Melbourne, Australia, ISBN: 978-1-922069-36-8
References
IT Governance Executive Summery, IT Governance Institute, 2007.
Salle, M., IT Service Management and IT Governance, Review, Comparative Analysis and their
Impact on Utility Computing, HP Labs Technical Report, 2008.
Webb, P., Pollard, C. & Rridley, G., Attempting to Define IT Governance: Wisdom or Folly?
Proceedings of the 39th Hawaii International Conference on System Sciences, 2010.
ITGI, IT Governance Global Status Report, IT Governance Institute, 2009.
Grembergen, V. W .,Haes D.S.& Guldentops ,E .,Structures,Processes and Relational
Mechanisms for IT Governance, in Grembergen, V.M.(ED),Strategies for Information
Technology Governance, Idea Group Publishing,2004.
Guldentop ,E.,Governing Information Technology through COBIT, In Grembergen,
V.W.(Ed),Strategies for Information Technology Governance, Idea Group Publishing,2011.
IT Governance Institute (www.itgi.org), Control Objectives for Information and related
Technology, (COBIT). Ver. 4.1, USA, ITG, Apr2007
http://www.cobitonline4.info/Pages/Public/Benchmark/BrowseBenchmarkMaturity.aspx
Related documents
v DESIGN IT GOVERNANCE FOR PLANNING AND ORGANIZING
v DESIGN IT GOVERNANCE FOR PLANNING AND ORGANIZING
How Do You Measure Up?: IT Metrics
How Do You Measure Up?: IT Metrics
COBIT 5 Exec. Summary
COBIT 5 Exec. Summary
IT Governance and The 4 Cobit Domain Processes
IT Governance and The 4 Cobit Domain Processes
Abstract by: Graciela Braga
Abstract by: Graciela Braga
Microsoft Word - Tesis-Inggris
Microsoft Word - Tesis-Inggris
Impact of Sarbanes Oxley Act-on Information Security Governance
Impact of Sarbanes Oxley Act-on Information Security Governance
Download
advertisement