To respond to management’s need for control and measurability of information technology, the IT Governance Institute (ITGI) built on its Control Objectives for Information and related Technology (COBIT) framework by providing in 2000 the management guidelines.2 The management guidelines identify for the 34 COBIT IT processes two types of metrics: key performance indicators (KPIs) and key goal indicators (KGIs). In this article, the meaning of these metrics will be clarified, a waterfall of KPIs and KGIs will be proposed and their relationship with IT and business goals will be explained. The enhanced metrics and goal concepts explained in this article will become important knowledge components of the new edition of COBIT—COBIT 4.0—which will be released this year.

The Foundation: The Balanced Scorecard
The balanced scorecard (BSC) is a performance management system that enables businesses, business units and functional business areas to drive strategies based on goal definitions, measurement and follow-up. The balanced scorecard can be applied to IT resulting in four specific domains: the business contribution perspective capturing the business value created from IT investments, the user perspective representing the user evaluation of IT, the operational excellence perspective evaluating the IT (COBIT) processes employed to develop and deliver applications, and the future perspective representing the human and technology resources needed by IT to deliver its services over time.3

To turn the BSC approach into a management tool, cause and effect relationships between metrics need to be established. These relationships are articulated by two key types of measures: performance drivers and outcome measures. A well-developed IT BSC contains a good mix of these two types of measures. Outcome measures such as programmers’ productivity (e.g., number of function points per person per month) without performance drivers such as IT staff education (e.g., number of educational days per person per year) do not communicate how the outcomes are to be achieved. Performance drivers without outcome measures may lead to significant investment without a measurement

Management Guidelines, KGIs and KPIs
In ITGI’s Management Guidelines, a key goal indicator is defined as ‘a measure of what has to be accomplished’ and by comparison a key performance indicator ‘a measure of how well the process is performing’. It is also indicated that their relationship ‘looks for measures of outcome of the goal and for measures of performance relative to the enablers that will make it possible for the goal to be achieved’. As explained in Management Guidelines this is the same as the aforementioned relationship between the outcome measures and performance drivers of the BSC approach. Key goal indicators and key performance indicators are exactly the same as outcome measures and performance drivers. It is important to stress that they are synonyms because in practice there is a lot of confusion about KGIs and KPIs. It has to be clear that KGIs are metrics representing goals and that a distinction has to be made between KGIs and KPIs, making it possible to express the cause and effect relationships.

KGI/KPI Cascade
Management Guidelines provides a limited list of possible KGIs and KPIs for each of the 34 COBIT IT processes, but not their relationship. In analysing those proposed KGIs specifically, it appears that these goal metrics are often defined at different levels: IT process level, IT level and business level. This insight enables users to define a cascade of metrics with causal relationships among process KPIs, process KGIs, IT KGIs and business KGIs as visualised in Figure 1.

Figure 1—Causal Relationships at Process, IT and Business Level
[Figure, process level: IT/COBIT process DS5: Ensure System Security. KPI: Security expertise. KGI: Number of incidents because of unauthorised access.]
Figure 3: Goals and Metrics of COBIT Process DS5 Ensure Systems Security
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
© Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
www.isaca.org