On the improvement of IT process maturity : assessment , recommendation and validation

The use of information technology (IT) in enterprises must be governed and managed appropriately using IT processes. The notion of IT process maturity is useful to measure the actual performance and to define the desired performance of IT processes. Improvements are necessary when there are gaps between the actual and desired performance. Most literatures focus on IT process maturity assessment. They do not address how to improve IT process maturity. This paper proposes an approach to enterprise IT process maturity improvement for COBIT processes. The approach consists of three activities, i.e. IT process maturity assessment, recommendation, and validation. Assessment is to recognise the process’ control objectives maturity. From the assessment results, recommendation identifies control objectives that must be improved and then suggests improvement actions. The prescriptive nature of the control objectives facilitates in suggesting those actions. Recommendations for managements are defined by abstracting similar actions. Validation checks whether the recommendations match with the enterprise needs and capability. It includes a scale for validation, in which enterprise’s capability is categorized into (i) not capable, (ii) capable with great efforts, and (iii) fully capable. The paper illustrates the approach with a case study.


Introduction
As enterprises now depend much on information technology (IT) to carry out their business, the use of IT in the enterprises must be governed and managed appropriately.IT governance and management is to make sure that IT aligns strategically with enterprises' business, IT value are delivered as promised, IT risks are managed properly, IT resources are managed effectively and efficiently, and IT performance is measured against its investment [1,2].
Frameworks and standards have been established to give guidance for senior IT executives in conducting enterprise IT governance and management, e.g.COBIT [3,4], ITIL [5,6], ISO 20000 [7] and ISO 38500 [8].Those frameworks define a set of generic IT processes.For example, COBIT 5 comprises 37 processes; each of which consists of a number of activities to achieve one or more IT-related goals [4].
The frameworks usually also provide maturity models to assess the status of IT processes.IT process maturity indicates the degree of reliability of an IT process.For example, COBIT 4.1 maturity models has five levels, i.e. non-existent, initial/ad hoc, repeatable but intuitive, defined, managed and measurable, and optimised [3].Concepts of maturity models can also be found, among others, in the field of business process management [9,10], information security [11,12], and software development process [13].
The notion of process maturity is useful to measure the actual performance, to define a desired performance, and to determine necessary improvements to close gaps between the actual and desired performance [4].Nonetheless, the aforementioned frameworks do not suggest any method to assess IT process maturity.Several researches hence proposed assessment methods for COBIT processes [14][15][16][17].Those researches however do not address how to formulate recommendations to improve IT process maturity.
The objective of this paper is to propose an approach to enterprise IT process maturity improvement.It consists of three activities, i.e. assessment, recommendation and validation.The assessment is to recognise the maturity of an IT process.Recommendation is to suggest necessary actions to improve process maturity.Validation checks whether the suggested actions match with the enterprise needs.
This paper is further organised as follows.Section 2 presents the concepts of IT process maturity.Section 3 describes a case study conducted in our research that is used to illustrate our approach.Section 4 presents our assessment method for IT process maturity.[4].Thus COBIT 4.1 is still worth to be a reference in our research.
COBIT 4.1 consists of 34 processes that are grouped into four domains, i.e. plan and organise (PO), acquire and implement (AI), deliver and support (DS), and monitor and evaluate (ME).A process includes a number of control objectives, i.e. a set of high-level requirements for effective control of the process.Control objectives can be organisational structures, policies, and procedures [3].
All processes have the same attributes; each of which represents an aspect of a process.The attributes are (i) awareness and communication; (ii) policies, plans and procedures; (iii) tools and automation; (iv) skill and expertise; (v) responsibility and accountability; and (vi) goal setting and measurement.Those attributes are supposely to be used in assessing the maturity of a process; therefore, they are called maturity attributes [3].The attribute of awareness and communication (AC) of a process indicates whether the enterprise fully understands of the importance of that process and whether the management communicates this issue using mature communication techniques.The attribute of policies, plans and procedures (PPP) indicates whether the process is sound and complete, i.e. all related policies are approved, and procedures are adopted, followed and documented.The attribute of tools and automation (TA) indicates whether the enterprise implements standardised tools to automate and monitor the process.The attribute of skill and expertise (SE) indicates whether the enterprise updates skills required for the process, which includes training plans, certifications and knowledge sharing.The attribute of responsibility and accountability (RA) indicates whether process responsibility and accountability is defined clearly and whether a reward culture is employed to motivate positive actions towards the process.Lastly, the attribute of goal setting and measurement (GSM) indicates whether the enterprise measures the effectiveness and efficiency of the process and links the results to the enterprise's business strategic goals [3].
The maturity of a process evolves from a non-existent to an optimised process.COBIT provides a generic maturity model from which each process adapts it to define its specific maturity model.Table 1 shows the maturity model of process DS7 (educate and train users).
Several assessment methods for IT process maturity have been established [15][16][17].Those methods however do not consider maturity attributes in a proper and comprehensive way.Hence, a method for assessing IT process maturity based on process attributes and control objective has later been proposed [14].

Case Study
Our proposed approach is presented in the next sections.We conducted a study to apply our approach in a realworld case.The case study was about process DS7 during the implementation of electronic identity (e-ID) card in a citizen registration agency in a district in the province of Central Java, Indonesia.For assessing process maturity, we distributed a questionnaire to persons responsible for e-ID card implementation, i.e. head of citizen registration division, head of IT division, and IT operators.We observed current practices and asked the desired process maturity to those persons.Based on the resulted maturity gap, we recommended actions to improve the maturity of process DS7 by referring COBIT to practices.We then validated the recommendations by confirming them to persons that have authority to run the recommendations, i.e. head of citizen registration division and head of IT division.If the agency was not capable to implement a recommendation with proper effort, we further asked about any constraints that might hinder the agency.
This paper focuses on our approach for IT process maturity assessment, recommendation, and validation.This paper does not intend to give full and detailed description on how we apply our approach in the case study.

Maturity Assessment
In COBIT, an IT process consists of control objectives and activities (ITGI, 2007).Control objectives are requirements that must be satisfied by the process; while activities are means to satisfy the control objectives (Dirgahayu et.al, 2015).When control objectives are activities must have been done.Therefore we use control objectives as the basis for IT process maturity assessment.We can calculate IT process maturity from the process' 2 MATEC Web of Conferences 154, 03017 (2018) https://doi.org/10.1051/matecconf/201815403017ICET4SD 2017 satisfied, we can assume that their corresponding control objectives maturity.A control objective maturity is calculated based on the maturity of all attributes in that control objective.This way allows us to identify which control objectives have to be addressed to improve IT process maturity.
For example, process DS7 has three control objectives, i.e.DS7.1 (identification of education and training needs), DS7.2 (delivery of training and education), and DS7.3 (evaluation of training received).Table 2 depicts the calculation of process maturity in the case study.IT process maturity is the average of its control objectives maturity; while a control objective maturity is the average of that control objective's attributes maturity.The score of a maturity attribute of a control objective is the average of the scores given by our respondents.The result indicates that the process maturity is at level 2 (repeatable but intuitive).This level was obtained by rouding the IT process maturity score to the nearest integer.
A control objective may be described in several actions, e.g.DS7.2 is described as (i) identify target groups, (ii) identify efficient delivery mechanisms, (iii) appoint trainers, (iv) organise training sessions, and so on (ITGI, 2007).This prescriptive nature of the control objectives shall facilitate us in formulating recommendations to improve the maturity of the corresponding IT process.

Recommendation
In the case study, the desired process maturity was at level 4 (managed and measurable).As there was a maturity gap, actions and recommendations to improve IT process maturity were necessary.We define two steps for suggesting such actions and recommendations.
First, we identified control objectives and their attributes that need improvement, i.e. their actual maturity are lower than the target level.Note that when a control objective maturity is already at the target level or higher, its control objective does not need urgent improvement, although the maturity of some of their attributes are below the target level.
In Table 2, all control objectives DS7.1, DS7.2 and DS7.3 need to be improved.Also, the maturity of their attributes must be improved.Due to space limitation, this paper addresses attribute TA only.In the case study, tools and automation refers to methods, forms and softwares that can help in identifying training needs, delivering training contents, and evaluating training received.
Second, we identified the current practices related to those attributes and suggested actions for improvement.Similar actions were then grouped and abstracted into a recommendation for senior management.Recommendations at a management level are necessary to ensure that actions can be carried out successfully.Table 3 depicts this step for attribute TA.

Validation
In the case study, we provided seven recommendations.We validated them using a range of scores as depicted in Table 4.This table lists two recommendations only due to space limitation.Since two authorative persons were asked for confirmation, their answers were averaged and the results are indicated as checkmarks (√ ) in the table.
The validation was to check whether the agency was able to apply the recommendations (score is between 1 and 9).The agency may also indicate if the recommendations were not required (score = 0).Since all answers were less than 7 (below the agency's minimum capability for implementing the recommendations with proper effort), we further asked about any constraint that might hinder the agency.The main constraint was lack of personnels with sufficient expertise in managing and conducting training programes; however, no sufficient budget was allocated for improving personnels' expertise.

Concluding Remarks
Many literatures focus on methods for IT process maturity assessment [14][15][16][17].Many other researches present the application of those methods in case studies.In this paper we have presented an approach to IT process maturity improvement, that consists of activities of maturity assessment, recommendation, and validation.
The calculation in IT process maturity assessment is based on the maturity of the process' control objectives.The maturity of a control objective maturity is calculated from the maturity of the control objective's attributes.As illustrated in Table 2, this way of calculation is done horizontally as indicated with an arrow below the table.It differs from the calculation in [14] that is done vertically, i.e.IT process maturity is the average of its attributes maturity; while an attribute maturity is the average of that particular attribute maturity in all control objectives of that process By calculating the process maturity horizontally, we can recommend actions to improve process maturity based on its control objectives improvement.This way of recommendation is enabled by the prescriptive nature of control objectives.Such improvement actions typically formulated at a technical level.In the other hand, recommendations at a management level is also necessary in order to ensure that the actions can be carried out successfully in a proper effort.Recommendations for management are formulated by grouping and abstracting similar actions.Grouping is done based on maturity attributes.
Recommendations are validated to make sure that they match with the enterprise needs and capability.For recommendations that are required by the enterprise, we have developed a scale for validation, in which enterprise's capability is defined in three categories, i.e. (i) not capable, (ii) capable with great efforts, and (iii) fully capable.Each category can be further divided for finer granularity.Recommendation and validation should be done iteratively until they results in recommendations that are required by and within the capability of the enterprise.
In the future, we will use our approach in more case studies in different domains.From those case studies, we expect to learn valuable lessons that are beneficial to improve our approach.Futhermore, we will integrate IT Balance Score Card [18] in the recommendation.

Table 4 .
Validating the recommendations for process DS7