IVI Framework Viewer

IT Capability Maturity Framework (16)

The IT Capability Maturity Framework (IT-CMF) enables decision-makers to identify and develop the IT capabilities they need in the organization to deliver agility, innovation and business value.

For a complete introduction to IT-CMF and its structure, see Introduction to IT-CMF.

Structure

Managing IT like a Business
AAAccounting and Allocation

The Accounting and Allocation (AA) capability is the ability to define and manage the policies, processes, and tools used for calculating the costs of IT and distributing them across the organization. The Accounting and Allocation (AA) capability covers:

  • Establishing policies for measuring the consumption of IT services by business units in the organization, and for the chargeback/showback of associated IT costs to those units.
  • Managing how the chargeback/showback for IT service consumption is allocated.
  • Influencing the demand for IT services.
BPBusiness Planning

The Business Planning (BP) capability is the ability to produce an approved document that provides implementable detail for the IT strategy, setting out the IT function's tactical objectives, the operational services to be provided, and the financial and other resources and constraints that apply in the coming planning period. The Business Planning (BP) capability covers:

  • Allocating responsibility to specific employees for IT business planning.
  • Managing appropriate financial and non-financial resources and their capacities for ongoing IT business planning activities.
  • Specifying the requirements for each activity in the IT business plan.
  • Seeking the support of relevant stakeholders for the IT business plan.
  • Reviewing the IT business plan against actual performance.
BPMBusiness Process Management

The Business Process Management (BPM) capability is the ability to identify, design, document, monitor, optimize, and assist in the execution of both existing and new organizational processes. The Business Process Management (BPM) capability covers:

  • Implementing process improvement initiatives and driving cultural change for business process improvement.
  • Selecting, developing, and applying methods, governance models, technologies, skills, roles, and communication materials that support management of the organization's processes.
  • Developing and applying graphical representations of processes—for example, process architecture diagrams.
  • Adopting technologies that automate and assist with the execution of business process management.
CFPCapacity Forecasting and Planning

The Capacity Forecasting and Planning (CFP) capability is the ability to model and forecast demand for IT services, infrastructure, facilities, and people. The Capacity Forecasting and Planning (CFP) capability covers:

  • Collecting capacity-related strategic and operational information.
  • Designing and advancing IT capacity forecasting models to demonstrate how business forecasts might impact the resources required by the IT function.
  • Modelling the current and future capacity requirements across all IT-related resources — for example, services, infrastructure, facilities, and people.
  • Communicating insights from capacity planning to the relevant stakeholders.
DSMDemand and Supply Management

The Demand and Supply Management (DSM) capability is the ability to manage the IT services portfolio in such a way that there is a balance between the demand for and the supply of IT services. The Demand and Supply Management (DSM) capability covers:

  • Analysing and managing the existing and future business demand for IT services.
  • Analysing and managing the existing and future supply of IT services.
  • Proposing responses to address gaps between the demand for and supply of IT services, for both the short term and the long term.
  • Fostering collaboration between IT and other business units to manage the IT services portfolio.
  • Understanding trade-offs between satisfying demand and the cost of supply — for example, by using emerging technologies or by changing the nature of the demand.
EIMEnterprise Information Management

The Enterprise Information Management (EIM) capability is the ability to establish effective systems for gathering, analysing, disseminating, exploiting, and disposing of data and information. The data can be held in any medium — all forms of digital storage, film, paper, or any other recording mechanism used by the organization. The Enterprise Information Management (EIM) capability covers the strategic, operational, and security aspects of information management:

  • Establishing an information management strategy.
  • Establishing data and information governance mechanisms.
  • Establishing information management standards, policies, and controls.
  • Performing information valuations.
  • Defining and maintaining master- and metadata — for example, metadata for information security classifications and continuity management.
  • Making infrastructure and storage decisions.
  • Managing data and information life cycles, including data and information tracking.
  • Establishing information quality with inputs from stakeholders.
  • Measuring how frequently information is accessed and assessing its value to the business.
  • Analysing information, including exploratory and confirmative data analysis.
  • Developing the skills and competences of information management and analytics practitioners.
GITGreen Information Technology

The Green Information Technology (GIT) capability is the ability to minimize the environmental impact of IT, and to make the best use of technology to minimize environmental impact across the organization.

ITGIT Leadership and Governance

The IT Leadership and Governance (ITG) capability is the ability to motivate employees towards a common strategic direction and value proposition, and to establish appropriate IT decision-making bodies and processes, including mechanisms for IT escalation, accountability, and oversight. While the leadership aspect establishes the IT function's direction, it cannot directly affect all IT decisions distributed across the various levels in the organization. The governance aspect addresses this by establishing appropriate IT decision rights, and mechanisms for accountability and oversight. The IT Leadership and Governance (ITG) capability covers:

  • Uniting the IT function around a shared IT value proposition, vision, and direction.
  • Determining the effectiveness of the partnership between IT and other business units.
  • Determining the effectiveness of IT leadership.
  • Establishing governance/decision-making bodies and processes, including decision rights, accountabilities, and escalation paths.
IMInnovation Management

The Innovation Management (IM) capability is the ability to identify, fund, and measure technology-driven business innovation, which can be:

  • Applied within the IT function.
  • Applied to the organization's operations.
  • Applied to the organization's products and services.
ODPOrganization Design and Planning

The Organization Design and Planning (ODP) capability is the ability to manage the IT function's internal structure and its interfaces with other business units, suppliers, and business partners.

RMRisk Management

The Risk Management (RM) capability is the ability to assess, prioritize, handle, and monitor the exposure to and the potential impact of IT-related risks that can directly impact the business in a financial or reputational manner. Risks include those associated with (among others) IT security, data protection and information privacy, operations, continuity of business and recovery from declared disasters, IT investment and project delivery, and IT service contracts and suppliers. The Risk Management (RM) capability covers:

  • Establishing an IT risk management programme and policies.
  • Establishing risk management roles and responsibilities.
  • Communicating and training in the area of risk management.
  • Understanding the organization's tolerance for IT-related risks.
  • Defining risk profiles.
  • Assessing and prioritizing different types of risks.
  • Defining risk handling strategies for identified IT risks (accept, avoid, mitigate, or transfer).
  • Monitoring IT risk exposures.
  • Integrating IT risk management with wider ERM practices such as business continuity planning, disaster recovery, information security, audit and assurance.
SAIService Analytics and Intelligence

The Service Analytics and Intelligence (SAI) capability is the ability to define and quantify the relationships between IT infrastructure, IT services, and IT-enabled business processes.

SRCSourcing

The Sourcing (SRC) capability is the ability to evaluate, select, and integrate IT service providers according to a defined strategy and sourcing model, which could include service providers both inside and outside the organization. The Sourcing (SRC) capability covers:

  • Defining the strategy for sourcing IT services and the high-level business cases for sourcing initiatives.
  • Defining the sourcing model, including, for example, considering internal or third-party sourcing arrangements, on-shoring, near-shoring, or far-shoring, and single or multiple IT service providers.
  • Developing criteria for selecting providers and processes for choosing the most advantageous provider.
  • Defining approaches for preparing, negotiating, closing, and re-evaluating contracts with IT service providers.
  • Establishing a win-win culture to promote enduring and successful relationships with the supply base.
  • Managing potential operational impacts when transitioning to a new provider.
SPStrategic Planning

The Strategic Planning (SP) capability is the ability to formulate a long-term vision and translate it into an actionable strategic plan for the IT function.

Managing the IT Budget
BGMBudget Management

The Budget Management (BGM) capability is the ability to oversee and adjust the IT budget to ensure that it is spent effectively. The Budget Management (BGM) capability covers:

  • Planning the IT budget.
  • Tracking actual expenditure and variances from the budget.
  • Establishing budget accountability, oversight structures, and decision rights.
  • Predicting future expenditure and out-of-tolerance variances.
BOPBudget Oversight and Performance Analysis

The Budget Oversight and Performance Analysis (BOP) capability is the ability to compare actual IT expenditure against budgeted IT expenditure over extended time periods. Where appropriate, it offers management the opportunity to reprofile or reprioritize budget forecasts and allocations. The Budget Oversight and Performance Analysis (BOP) capability covers:

  • Developing approaches and tools for budget performance analysis.
  • Performing multi-year tracking and trend analysis of expenditure patterns in IT projects and IT budget categories.
  • Reviewing IT budget plans versus actual expenditure.
  • Providing a stimulus for rebalancing and reprioritizing budgets.
  • Forecasting future IT funding levels, allocation requirements, and prices for IT services.
  • Determining the impact of historical budget performance on future budget planning and on general cost management.
  • Communicating IT budget performance metrics to key stakeholders.
FFFunding and Financing

The Funding and Financing (FF) capability is the ability to determine the funding level required for IT and to allocate it appropriately. The Funding and Financing (FF) capability covers:

  • Setting the overall levels of IT funding.
  • Establishing leadership understanding regarding issues and options for IT funding and financing.
  • Establishing funding and financing governance structures and decision-making processes.
  • Allocating IT funds to broad categories of IT activities – for example, for capital and operational expenditure.
PPPPortfolio Planning and Prioritization

The Portfolio Planning and Prioritization (PPP) capability is the ability to select, prioritize, approve, and terminate programmes and projects that are seeking organizational resources. The Portfolio Planning and Prioritization (PPP) capability covers:

  • Establishing a framework for selecting and prioritizing programmes and projects.
  • Involving key personnel in selecting programmes and projects.
  • Assessing and prioritizing programmes and projects based on their alignment with business objectives and operational needs.
  • Approving and terminating programmes and projects.
  • Maintaining oversight of financial, people, and technical resources for portfolio resource planning purposes.
Managing the IT Capability
CAMCapability Assessment Management

The Capability Assessment Management (CAM) capability is the ability of the organization to conduct current state evaluations and plan improvements for its portfolio of IT capabilities. Current state evaluations involve gathering and documenting data about the specific IT capabilities in the organization. The results then inform the planning and execution of improvement actions to deal with any deficiencies. The Capability Assessment Management (CAM) capability covers:

  • Selecting an overarching capability framework and mapping other frameworks used in the organization to it.
  • Managing continuous improvement of the organization’s IT capabilities.
  • Securing appropriate senior management sponsorship for IT capability improvement.
  • Promoting organizational buy-in and incentivizing participation in capability improvement evaluation and planning.
  • Planning, preparing, and conducting capability evaluations.
  • Setting IT capability targets and defining development roadmaps for key IT capabilities.
EAMEnterprise Architecture Management

The Enterprise Architecture Management (EAM) capability is the ability to plan, design, manage, and control the conceptualization of systems, processes, and/or organizations, and the relationships between them. The conceptualization may be layered to represent specific types of relationships – for example, those between applications, business services, internal IT services, security, networking, data storage, and so on. The Enterprise Architecture Management (EAM) capability covers:

  • Establishing principles to guide the design and evolution of systems, processes, and/or organizations.
  • Providing a framework, including models or templates, that articulates the business, the technical architecture, and the relationships between them.
  • Providing the architecture vision, roadmap, and governance, together with the approaches required for managing their life cycle.
  • Managing the architectural skills and architecture resourcing.
  • Communicating the impact of enterprise architecture activities.
ISMInformation Security Management

The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accessibility, accountability, and usability of digitized information resources5. The Information Security Management (ISM) capability covers:

  • Preventing unauthorized access, use, disclosure, disruption, modification, or destruction of digitized information resources.
  • Establishing an information security governance model, including allocating roles, responsibilities, and accountabilities.
  • Measuring the effectiveness of existing security approaches, policies, and controls – for example, by applying security standards and conducting internal audits.
  • Managing security-related communications and training of employees.
  • Assessing, prioritizing, responding to, and monitoring information security risks and incidents.
  • Securing physical IT components and IT areas.
  • Providing expertise to protect, preserve, and/or destroy data in line with business, regulatory, and/or other security requirements.
  • Reporting on information security activities and compliance levels.
KAMKnowledge Asset Management

The Knowledge Asset Management (KAM) capability is the ability to identify, capture, profile, classify, store, maintain, protect, and exploit the organization’s knowledge assets in pursuit of business outcomes. The Knowledge Asset Management (KAM) capability covers:

  • Establishing a knowledge management policy, strategy, and programme.
  • Assigning roles and accountabilities, and determining requisite employee skills.
  • Fostering a knowledge-sharing culture.
  • Providing tools, technologies, and other resources to support knowledge management activities.
  • Managing the knowledge asset life cycle, from identifying, capturing, profiling, classifying, storing, and maintaining, to archiving or discarding, as appropriate.
  • Assessing the impact of knowledge asset management activities.
PAMPeople Asset Management

The People Asset Management (PAM) capability is the ability to meet the organization's requirements for an effective IT workforce.

PDPPersonal Data Protection

Personal data differs from other business data in that its ownership lies with the person to whom it refers and not the custodian company. This confers rights on the data subject, including the right to the privacy of the data. The custodian can vindicate the data subjects' right to privacy partly by protecting data from unauthorised access through access controls and other protection approaches, such as firewalls and physical isolation. Such measures (discussed in chapter 22, Information Security Management (ISM)), are designed to safeguard all data and information, while ‘data protection’ as discussed in this chapter refers primarily to the additional measures needed to protect personal or sensitive personal data, and to satisfy the legal obligations imposed on the custodian.

The Personal Data Protection (PDP) capability is the ability to develop, deploy, and implement policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for legitimate business purposes.

Policies, systems, and controls encompass and give effect to relevant standards and regulations, which may differ from country to country. The organization must consider the jurisdictions in which the data is acquired, processed, stored, and in some cases through which it is transmitted to identify what regulations are relevant.

The Personal Data Protection (PDP) capability covers:

  • Processing personal data throughout its life-cycle.
  • Maintaining the quality and integrity of personal data.
  • Identifying and communicating data protection regulations and standards.
  • Raising awareness and establishing a privacy culture.
  • Managing data protection relationships and agreements with third parties.
  • Communicating information (on database registrations, data breaches, audit data and so on) with statutory data protection officers.
  • Managing data privacy risks and conducting privacy impact analysis assessments.
  • Managing data subject rights.
  • Identifying and applying applicable data protection standards and regulations.
  • Verifying the effectiveness of data protection policies.
PPMProgramme and Project Management

The Programme and Project Management (PPM) capability is the ability to initiate, plan, execute, monitor, control, and close programmes and projects in line with the business objectives, and to manage associated risks, changes, and issues. The Programme and Project Management (PPM) capability covers:

  • Establishing governance structures, such as programme/project reporting lines, stage gate reviews, and the roles, responsibilities, and accountabilities required to support programme and project management.
  • Establishing and adopting approaches to initiate, plan, execute, monitor, control, and close individual programmes and projects.
  • Identifying and using appropriate programme/project management methodologies, tools, and techniques.
  • Defining and developing the necessary programme/project management competences of individuals.
  • Managing programme/project risks, changes, and other issues.
  • Implementing lessons learned from programme and project execution.
REMRelationship Management

The Relationship Management (REM) capability is the ability to analyse, plan, maintain, and enhance relationships between the IT function and the rest of the business.

RDEResearch, Development and Engineering

The Research, Development and Engineering (RDE) capability is the ability to investigate, acquire, develop, and evaluate technologies, solutions, and usage models that are new to the organization and might offer value. The Research, Development and Engineering (RDE) capability covers:

  • Ensuring that research into new technologies is managed appropriately, so that risk to the organization is minimized, while opportunities are maximized.
  • Linking research into new technology to potential usage models that can benefit business units.
  • Coordinating a research pipeline of promising new technology projects, through a series of phased investment decisions, as understanding of feasibility and relevance is enhanced.
  • Managing the research portfolio to better align with business goals.
  • Instilling an organizational culture that promotes research and innovation.
  • Measuring the value contributed by technology research activities.
SRPService Provisioning

The Service Provisioning (SRP) capability is the ability to manage the life cycle of IT services to satisfy business requirements. This includes ongoing activities relating to operation, maintenance, and continual service improvement, and also transitional activities relating to the design and introduction of services, their deployment, and their eventual decommissioning. The Service Provisioning (SRP) capability includes:

  • Defining and describing the services provided by the IT function.
  • Managing the IT services catalogue.
  • Managing IT service configuration.
  • Managing IT service availability.
  • Managing the IT service desk.
  • Managing requests, incidents, and problems.
  • Managing access to IT services.
  • Addressing requests for new IT services and decommissioning unwanted IT services.
  • Managing IT service levels and service level agreements (SLAs).
SDSolutions Delivery

The Solutions Delivery (SD) capability is the ability to design, develop, validate, and deploy IT solutions that effectively address the organization's business requirements and opportunities. The Solutions Delivery (SD) capability covers:

  • Managing requirements (functional and non-functional) and their traceability throughout the IT solution's delivery life cycle.
  • Developing IT solutions based on the output from requirements analysis and the solution's architecture.
  • Selecting appropriate methods and IT solutions delivery life cycle models (for example, waterfall, incremental, agile).
  • Reviewing and testing IT solutions throughout the development process.
  • Managing changes and releases that occur during the IT solution's delivery life cycle.
SUMSupplier Management

The Supplier Management (SUM) capability is the ability of the IT function to manage interactions with its suppliers in line with the sourcing strategy. The Supplier Management (SUM) capability covers:

  • Developing relationships with suppliers to improve levels of performance, quality, and innovation.
  • Managing risks associated with the organization's use of outside suppliers.
  • Validating that suppliers' performance is in accordance with contract terms.
  • Facilitating lines of communication with suppliers.
  • Managing procurement activities with suppliers.
  • Building two-way performance evaluation between the IT function and its suppliers.
TIMTechnical Infrastructure Management

The Technical Infrastructure Management (TIM) capability is the ability to manage an organization's IT infrastructure across the complete life cycle of:

  • Transitional activities including building, deploying, and decommissioning infrastructure.
  • Operational activities including operation, maintenance, and continual improvement of infrastructure.
  • IT infrastructure is comprised of:
  • Physical devices — for example, servers, storage, and mobile devices.
  • Virtual devices/resources — for example, virtual storage and virtual networks.
  • Infrastructure-related software — for example, middleware, operating systems, and firmware.
  • Communications components — for example, LAN/WAN, Wi-Fi, MPLS, and voice infrastructure.
  • Platform services — for example, content management and web services.
  • IT infrastructure governance — for example, asset management and configuration management.
UEDUser Experience Design

The User Experience Design (UED) capability is the ability to proactively consider the needs of users at all stages in the life cycle of IT services and solutions.

UTMUser Training Management

The User Training Management (UTM) capability is the ability to provide training that will improve user proficiency in the use of business applications and other IT-supported services.

Managing IT for Business Value
BARBenefits Assessment and Realization

The Benefits Assessment and Realization (BAR) capability is the ability to forecast, realize, and sustain value from IT-enabled change initiatives. The Benefits Assessment and Realization (BAR) capability covers:

  • Establishing systematic, objective, and consistent approaches to managing benefits across the full investment life cycle for IT-enabled change — that is, from benefits forecasting and planning, to benefits reviewing and reporting.
  • Identifying and advocating cultural and behavioural changes to maximize the value of IT-enabled change.
PMPortfolio Management

The Portfolio Management (PM) capability is the ability to monitor, track, and analyse the programmes in the IT portfolio, and to report on their status. The Portfolio Management (PM) capability covers:

  • Monitoring and tracking the progress and impact of programmes within the portfolio.
  • Reviewing the programmes in the portfolio for adherence to the original business case.
  • Monitoring utilization rates against planned resource allocations, including financial, technical, and people resources.
  • Providing the Portfolio Planning and Prioritization (PPP) capability with an up-to-date portfolio status, including any deviations beyond a defined threshold on progress and expected impact.
TCOTotal Cost of Ownership

The Total Cost of Ownership (TCO) capability is the ability to identify, compare, and control all direct and indirect costs associated with IT assets and IT-enabled business services. The Total Cost of Ownership (TCO) capability covers:

  • Identifying and analysing IT costs across asset and service life cycles, from acquisition to operations, enhancements, and end of life.
  • Identifying all costs that both directly and indirectly affect the bottom line — for example hardware and software acquisition, management and support, communications, training, end-user expenses, the opportunity cost of downtime, and other productivity losses.
  • Establishing a common methodology for comparing costs within and across IT assets, processes, and services.

Changelog for 16