IT Service Management
Showing results for 
Search instead for 
Do you mean 


‎08-20-2012 08:59 PM - edited ‎09-20-2015 07:25 AM

This is probably old news for many of you, but historically there has been an interesting set of relationships between COBIT, ITIL, and a myriad of other standards and regulations. In the height of the Sarbanes-Oxley Act (SOX) fallout, some HP service desk colleagues and I collaborated with HP Audit and HP IT on a compliance reporting concept. The idea was that by demonstrating effective controls (largely through a set of service desk and related operations metric reports), we (HP) could persuade our external auditor to put fewer IT auditors on the bus that was sent out to evaluate us. The IT audit bus was just a phrase - to the best of my knowledge anyhow. As an aside, the output may have been on older reporting platform, but the information managed was surprisingly similar to what we now present via our HP Executive Scorecard VP of Ops persona.


In this mid 2000’s COBIT 4 timeframe, there were a number of papers and presentations on the relationship between ITIL, COBIT, and ISO 17799 (security). There would be reasonable paths woven between a regulation like Sarbanes-Oxley, to COSO, to COBIT, and then to ITIL and ISO 20000. In those days, I would travel with a popular, lightweight COBIT 4 book that was full of Key Performance Indicators, Process Key Goal Indicators, and IT Key Goal Indicators. If you compared the COBIT 4 guidance with ITIL guidance and a few other sources you could come up with a reasonable (but potentially broad) set of KPIs to consider, and you can still find a lot of this material out on the internet.


Leaving those golden years behind and coming back to the future, COBIT 5 ( clearly supports an enterprise level balanced scorecard approach. Interestingly, this is the same foundation HP uses in our IT Performance Suite strategy supported by the HP Executive Scorecard. To COBIT 5’s credit, there appears to be fewer KPIs to choose from. But, that is the essence of a KPI. In an analyst conversation a few weeks, the comment was made to the effect “isn’t 150 KPIs an oxymoron”. Further while I haven’t dug through COBIT 5 like I had version 4, a more corporate governance approach incorporating value and risk is also clear.


So what is the point of all of this?

  1. If you’re looking for a rich set of IT metrics to consider tracking along with related goals, download a COBIT 4 document. No wonder SOX audits were so expensive and considered so onerous. But, this is still a great reference if you're evaluating KPIs.
  2. If you’re looking for a more balanced scorecard approach and looking for operational guidance, there are a smaller set of KPIs to be found in the COBIT 5 materials. Or, you could stay tuned to Myles’ postings to see what he writes next.

And again if you haven’t done so already, please help us with our service desk KPI survey.



Chuck Darst


P.S. COSO - - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.


0 Kudos
About the Author


HPE IT Service Management Product Marketing team manager spanning our solutions for the service desk, asset mngt, CMS, and more. My background is engineering and computer science in the networking and telecom worlds. As they used to say in Telcom, "the network is the business" (hence huge focus on service management). I always enjoyed working with customers and on the business side of things, so here I am in ITSM marketing.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Jun 7-9
Las Vegas
Discover 2016 Las Vegas
Discover 2016 in Las Vegas, the ultimate showcase technology event for business and IT professionals to learn, connect, and grow.
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference and is the place to meet the world’s top information security talent, discuss new products and share information...
Read more
View all