
Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

COBIT's Management Guidelines Revisited: The KGIs/KPIs Cascade [1]
By Wim Van Grembergen and Steven De Haes

To respond to management's need for control and measurability of information technology, the IT Governance Institute (ITGI) built on its Control Objectives for Information and related Technology (COBIT) framework by providing in 2000 the management guidelines. [2] The management guidelines identify for the 34 COBIT IT processes two types of metrics: key performance indicators (KPIs) and key goal indicators (KGIs). In this article, the meaning of these metrics will be clarified, a waterfall of KPIs and KGIs will be proposed and their relationship with IT and business goals will be explained. The enhanced metrics and goal concepts explained in this article will become important knowledge components of the new edition of COBIT, COBIT 4.0, which will be released this year.

The Foundation: The Balanced Scorecard
The balanced scorecard (BSC) is a performance management system that enables businesses, business units and functional business areas to drive strategies based on goal definitions, measurement and follow-up. The balanced scorecard can be applied to IT, resulting in four specific domains: the business contribution perspective, capturing the business value created from IT investments; the user perspective, representing the user evaluation of IT; the operational excellence perspective, evaluating the IT (COBIT) processes employed to develop and deliver applications; and the future perspective, representing the human and technology resources needed by IT to deliver its services over time. [3]
To turn the BSC approach into a management tool, cause and effect relationships between metrics need to be established. These relationships are articulated by two key types of measures: performance drivers and outcome measures. A well-developed IT BSC contains a good mix of these two types of measures. Outcome measures such as programmers' productivity (e.g., number of function points per person per month) without performance drivers such as IT staff education (e.g., number of educational days per person per year) do not communicate how the outcomes are to be achieved. Performance drivers without outcome measures may lead to significant investment without a measurement indicating whether the chosen strategy is effective.

Management Guidelines, KGIs and KPIs
In ITGI's Management Guidelines, a key goal indicator is defined as 'a measure of what has to be accomplished' and, by comparison, a key performance indicator as 'a measure of how well the process is performing'. It is also indicated that their relationship 'looks for measures of outcome of the goal and for measures of performance relative to the enablers that will make it possible for the goal to be achieved'. As explained in Management Guidelines, this is the same as the aforementioned relationship between the outcome measures and performance drivers of the BSC approach. Key goal indicators and key performance indicators are exactly the same as outcome measures and performance drivers. It is important to stress that they are synonyms, because in practice there is a lot of confusion about KGIs and KPIs. It has to be clear that KGIs are metrics representing goals and that a distinction has to be made between KGIs and KPIs, making it possible to express the cause and effect relationships.

KGI/KPI Cascade
Management Guidelines provides a limited list of possible KGIs and KPIs for each of the 34 COBIT IT processes, but not their relationship. In analysing those proposed KGIs specifically, it appears that these goal metrics are often defined at different levels: IT process level, IT level and business level. This insight enables users to define a cascade of metrics with causal relationships among process KPIs, process KGIs, IT KGIs and business KGIs, as visualised in Figure 1.

Figure 1—Causal Relationships at Process, IT and Business Level
IT/COBIT Process DS5: Ensure System Security
Process level: KPI Security expertise -> KGI Number of incidents because of unauthorised access
IT level: KPI Number of incidents because of unauthorised access -> KGI Number of IT security incidents
Business level: KPI Number of IT security incidents -> KGI Number of incidents causing public embarrassment
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005


The example cascade in figure 1 is applied to the DS5 COBIT process Ensure system security. In the top left rectangle the KPI/KGI relationship is illustrated for the security process: Security expertise (process KPI) can be a strategy to decrease the Number of incidents because of unauthorised access (process KGI). In the middle rectangle a typical KGI for the IT level is displayed, Number of IT security incidents, with as its corresponding IT KPI the previously mentioned process KGI, Number of incidents because of unauthorised access. This suggests that the KGI of the lower IT process level is now the KPI of the higher IT level. By the same logic, the IT KGI becomes a KPI at the business level, driving the business KGI of Number of incidents causing public embarrassment. Important to note is that this example is, of course, oversimplified. In practice, multiple KPIs will affect the business KGIs, as illustrated in figure 2.

Figure 2—Multiple KPIs Driving Business KGI
Process level: several KPIs drive several process KGIs. IT level: those process KGIs act as KPIs driving the IT KGIs. Business level: the IT KGIs act as KPIs driving the business KGI.
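As an added worked example (not code from the article or from ISACA/ITGI), the cascade of figures 1 and 2 can be written down as a data structure so that two things can be checked mechanically: that every KGI of one level reappears as a KPI of the level above, and which lower-level drivers ultimately feed a business KGI. The incident records, the system baseline and the value used for Security expertise are constructed for the illustration; the metric names are those the article uses in figures 1 and 3, and the business KGI is given two IT-level drivers to reflect figure 2.

```python
"""KGI/KPI cascade for COBIT process DS5, modelled after Figures 1 and 2.

Added illustration; not code from the article or from ISACA/ITGI.
Incident and system data are constructed; metric names follow the article.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data (hypothetical; not from the article).
INCIDENTS = [
    {"id": 1, "cause": "unauthorised_access", "public": False},
    {"id": 2, "cause": "unauthorised_access", "public": True},
    {"id": 3, "cause": "malicious_code", "public": False},
    {"id": 4, "cause": "misconfiguration", "public": True},
    {"id": 5, "cause": "unauthorised_access", "public": False},
]
SYSTEMS_MEET_REQUIREMENTS = {"hr-db": True, "payroll": False, "web-portal": True, "vpn": False}


@dataclass
class Metric:
    name: str
    compute: Callable[[], float]  # how the metric is measured


@dataclass
class Level:
    name: str
    kpis: list[Metric] = field(default_factory=list)  # performance drivers
    kgis: list[Metric] = field(default_factory=list)  # outcome measures


def count_incidents(pred):
    return lambda: sum(1 for i in INCIDENTS if pred(i))


security_expertise = Metric("Security expertise (educational days per person per year)",
                            lambda: 4.0)  # constructed value
unauthorised_access = Metric("Number of incidents because of unauthorised access",
                             count_incidents(lambda i: i["cause"] == "unauthorised_access"))
it_incidents = Metric("Number of IT security incidents", count_incidents(lambda i: True))
noncompliant_systems = Metric("Number of systems where security requirements are not met",
                              lambda: sum(1 for ok in SYSTEMS_MEET_REQUIREMENTS.values() if not ok))
public_embarrassment = Metric("Number of incidents causing public embarrassment",
                              count_incidents(lambda i: i["public"]))

# The same Metric object is a KGI at one level and a KPI at the next (the article's waterfall).
# The business KGI is driven by two IT KGIs here, as in Figure 2.
CASCADE = [
    Level("Process (DS5)", kpis=[security_expertise], kgis=[unauthorised_access]),
    Level("IT", kpis=[unauthorised_access], kgis=[it_incidents, noncompliant_systems]),
    Level("Business", kpis=[it_incidents, noncompliant_systems], kgis=[public_embarrassment]),
]


def check_cascade(levels: list[Level]) -> list[str]:
    """Rule from the article: every KGI of a level must reappear as a KPI of the level above."""
    problems = []
    for lower, upper in zip(levels, levels[1:]):
        upper_kpis = {m.name for m in upper.kpis}
        for kgi in lower.kgis:
            if kgi.name not in upper_kpis:
                problems.append(f"{lower.name} KGI '{kgi.name}' is not a KPI at {upper.name} level")
    return problems


def scorecard(levels: list[Level]) -> dict[str, dict[str, dict[str, float]]]:
    """Evaluate every metric and group it by level and by role (KPI or KGI)."""
    return {lvl.name: {"KPI": {m.name: m.compute() for m in lvl.kpis},
                       "KGI": {m.name: m.compute() for m in lvl.kgis}} for lvl in levels}


def drivers_of(levels: list[Level], kgi_name: str) -> list[str]:
    """List, top-down, every KPI that drives a KGI, following the cascade to the process level.

    Simplification taken from the article's figures: all KPIs of a level are treated as
    drivers of all KGIs of that level.
    """
    for idx, lvl in enumerate(levels):
        if any(m.name == kgi_name for m in lvl.kgis):
            found = [m.name for m in lvl.kpis]
            for name in list(found):
                found += drivers_of(levels[:idx], name)  # a KPI here may be a KGI one level down
            return list(dict.fromkeys(found))  # de-duplicate, keep order
    return []


if __name__ == "__main__":
    assert not check_cascade(CASCADE)
    for level, roles in scorecard(CASCADE).items():
        print(level)
        for role, metrics in roles.items():
            for name, value in metrics.items():
                print(f"  {role}: {name} = {value}")
    print("Drivers of the business KGI:", drivers_of(CASCADE, public_embarrassment.name))
```

The check in check_cascade is the one a reviewer of a scorecard should run first: a KGI that no higher level consumes is an outcome nobody acts on, and a KPI with no KGI below it is a driver nobody measures. drivers_of walks the other way and answers the question figure 2 raises, namely which process-level drivers a business KGI actually depends on.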
KGIs for IT Process Goals, IT Goals and Business Goals
The previous section introduced KGIs at three levels: process, IT and business. These KGIs are metrics representing specific goals on each of those three levels. For example, the business KGI, Number of incidents causing public embarrassment, can be one of the metrics referring to a business goal, such as Manage business risks. Similar examples of goals can be given for IT KGIs and IT process KGIs.
In the upcoming COBIT 4.0, detailed guidance on those business goals, IT goals and IT process goals and their metrics will be provided, as shown in figure 3. More specifically, for each COBIT process, a list will be provided of process goals, with corresponding process goal KGIs. In figure 3, an example process goal for the COBIT process Ensure systems security is Minimise the impact of security vulnerabilities and incidents, which can be measured by the number and type of suspected and actual access violations. By extension, these process goals are linked to the IT goals they enable, such as Maintain the integrity of information and processing infrastructure, also with corresponding IT goal KGIs such as Number of systems where security requirements are not met. Finally, activity goals are listed as enablers for the IT process goals, such as Managing user identities and authorisations in a standardised manner, and supplemented with corresponding process KPIs such as Number of access rights authorised, revoked, reset or changed. This entire picture offers a complete cascade from key management practices enabling process goals, which in turn enable IT goals, each time with corresponding metrics.

Figure 3: Goals and Metrics of COBIT Process DS5 Ensure Systems Security
(Activity goals drive process goals, which drive IT goals; each column of goals is measured by the indicators listed beneath it.)

Activity Goals
• Understanding security requirements, vulnerabilities and threats
• Managing user identities and authorisations in a standardised manner
• Defining security incidents
• Testing security regularly
are measured by
Process Key Performance Indicators
• # and type of security incidents
• # and type of obsolete accounts
• # of unauthorised IP addresses, ports and traffic types denied
• % of cryptographic keys compromised and revoked
• # of access rights authorised, revoked, reset or changed

Process Goals
• Permit access to critical and sensitive data to only authorised users.
• Identify, monitor and report security vulnerabilities and incidents.
• Detect and resolve unauthorised access to information, applications and infrastructure.
• Minimise the impact of security vulnerabilities and incidents.
are measured by
Process Key Goal Indicators
• # and type of suspected and actual access violations
• # of violations in segregation of duties
• % of users who do not comply with password standards
• # and type of malicious code prevented

IT Goals
• Ensure critical and confidential information is withheld from those who should not have access to it.
• Ensure automated business transactions and information exchanges can be trusted.
• Maintain the integrity of information and processing infrastructure.
• Account for and protect all IT assets.
• Ensure IT services can resist and recover from failures due to error, deliberate attack or disaster.
are measured by
IT Key Goal Indicators
• Time to grant, change and remove access privileges
• # of systems where security requirements are not met

As mentioned before, similar tables have been developed for all COBIT processes. The development of these tables was preceded by detailed research into the existing KGIs and KPIs of COBIT, including defining causal relationships between them, and into business goals and IT goals in eight different industries. [4] The tables were composed by a group of 40 practitioners and academics during a COBIT development workshop. These tables provide a rich foundation to build a measurement and management system, in the format of scorecards, for IT and its processes.

Endnotes
1. Research funded by ISACA/ITGI.
2. ITGI, COBIT Management Guidelines, 2000.
3. Van Grembergen, W.; R. W. Saull; S. De Haes; 'Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group', Journal of Information Technology Cases and Applications, 2003. Van Grembergen, W.; 'The Balanced Scorecard and IT Governance', Information Systems Control Journal, 2000.
4. Van Grembergen, W.; S. De Haes; J. Moons; 'Linking Business Goals to IT Goals and COBIT Processes', Information Systems Control Journal, volume 4, 2005.

Wim Van Grembergen
is professor and chair of the Information Systems Management Department at the Economics and Management Faculty of the University of Antwerp (Belgium) and executive professor at the University of Antwerp Management School (UAMS). Van Grembergen is engaged in the continuous development of the COBIT framework. He is also a member of the Academic Relations Task Force of ISACA and is currently conducting research projects for ITGI on IT governance. Van Grembergen is a frequent speaker at academic and professional meetings and conferences and has served in a consulting capacity to a number of firms. He is a member of the board of directors of IT companies, including an IT consultancy firm and an IT firm servicing a Belgian financial group. Recently he established at UAMS the ITAG Research Institute, which aims to contribute to the understanding of IT alignment and governance through research and dissemination of the knowledge via publications, conferences and seminars. He can be contacted at wim.vangrembergen@ua.ac.be.

Steven De Haes
is responsible for the Information Systems Management executive programs at the University of Antwerp Management School. He is engaged in research in the domain of IT governance and conducts research in this capacity for ITGI. Currently, he is preparing a Ph.D. on the practices and mechanisms of IT governance. He has published several articles on IT governance, most recently in the Information Systems Control Journal, the Journal of Information Technology Cases and Applications (JITCA), and the proceedings of the Hawaii International Conference on System Sciences (HICSS). He can be contacted at steven.dehaes@ua.ac.be.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.