A while back, I wrote a story about a new IT management framework under development called the IT Capability Maturity Framework. The goal of this framework is to give CIOs a one-stop shop for measuring all IT processes, while at the same time proving the value of IT to the business.
The framework involves measuring a company’s capabilities across 36 processes that fall under four management categories:
- Managing IT like a business by evaluating such processes as IT governance and business process management.
- Managing the IT budget by rating processes such as portfolio planning and budget oversight.
- Managing the IT capability across process areas like enterprise architecture and research and development.
- Managing IT for business value in such process areas as total cost of ownership and investment analysis and performance.
What one reader quickly pointed out was that even this framework, meant to fill in the gaps in other IT management frameworks such as ITIL and COBIT (as explained by those who developed and are using IT-CMF), had an obvious gap of its own: None of the 36 processes addressed security.
I’ve heard that each framework lacks something. One IT management framework may be well suited for risk management but not for IT governance, IT operations management or strategic planning.
The bigger question, I guess, is not what’s missing, but how can CIOs fill in the gaps? Are they finding that they have to use several IT management frameworks? Are they picking and choosing aspects of several frameworks that suit their organization, and does this type of approach work?
One expert advises choosing individual processes within a given framework such as ITIL, rather than taking on the entire framework, to realize the most bang for your buck and buy-in from the business. After all, putting any type of framework in place is no easy task from a cost, time or cultural perspective, so perhaps a selective approach makes sense.