IT Capability Maturity Framework (18.04)
The IT Capability Maturity Framework (IT-CMF) enables decision-makers to identify and develop the IT capabilities they need in the organization to deliver agility, innovation and business value.
For a complete introduction to IT-CMF and its structure, see Introduction to IT-CMF.
Structure
- Managing IT like a Business
- AAAccounting and Allocation
The Accounting and Allocation (AA) capability is the ability to define and manage the policies, processes, and tools used for calculating the costs of IT and distributing them across the organization. The Accounting and Allocation (AA) capability covers:
- Establishing policies for measuring the consumption of IT services by business units in the organization, and for the chargeback/showback of associated IT costs to those units.
- Managing how the chargeback/showback for IT service consumption is allocated.
- Influencing the demand for IT services.
- BPBusiness Planning
The Business Planning (BP) capability is the ability to produce an approved document that provides implementable detail for the IT strategy, setting out the IT function's tactical objectives, the operational services to be provided, and the financial and other resources and constraints that apply in the coming planning period. The Business Planning (BP) capability covers:
- Allocating responsibility to specific employees for IT business planning.
- Managing appropriate financial and non-financial resources and their capacities for ongoing IT business planning activities.
- Specifying the requirements for each activity in the IT business plan.
- Seeking the support of relevant stakeholders for the IT business plan.
- Reviewing the IT business plan against actual performance.
- BPMBusiness Process Management
The Business Process Management (BPM) capability is the ability to identify, design, document, monitor, optimize, and assist in the execution of both existing and new organizational processes. The Business Process Management (BPM) capability covers:
- Implementing process improvement initiatives and driving cultural change for business process improvement.
- Selecting, developing, and applying methods, governance models, technologies, skills, roles, and communication materials that support management of the organization's processes.
- Developing and applying graphical representations of processes—for example, process architecture diagrams.
- Adopting technologies that automate and assist with the execution of business process management.
- CFPCapacity Forecasting and Planning
The Capacity Forecasting and Planning (CFP) capability is the ability to model and forecast demand for IT services, infrastructure, facilities, and people. The Capacity Forecasting and Planning (CFP) capability covers:
- Collecting capacity-related strategic and operational information.
- Designing and advancing IT capacity forecasting models to demonstrate how business forecasts might impact the resources required by the IT function.
- Modelling the current and future capacity requirements across all IT-related resources — for example, services, infrastructure, facilities, and people.
- Communicating insights from capacity planning to the relevant stakeholders.
- DSMDemand and Supply Management
The Demand and Supply Management (DSM) capability is the ability to manage the IT services portfolio in such a way that there is a balance between the demand for and the supply of IT services. The Demand and Supply Management (DSM) capability covers:
- Analysing and managing the existing and future business demand for IT services.
- Analysing and managing the existing and future supply of IT services.
- Proposing responses to address gaps between the demand for and supply of IT services, for both the short term and the long term.
- Fostering collaboration between IT and other business units to manage the IT services portfolio.
- Understanding trade-offs between satisfying demand and the cost of supply — for example, by using emerging technologies or by changing the nature of the demand.
- EIMEnterprise Information Management
The Enterprise Information Management (EIM) capability is the ability to establish effective systems for gathering, analysing, disseminating, exploiting, and disposing of data and information. The data can be held in any medium — all forms of digital storage, film, paper, or any other recording mechanism used by the organization. The Enterprise Information Management (EIM) capability covers the strategic, operational, and security aspects of information management:
- Establishing an information management strategy.
- Establishing data and information governance mechanisms.
- Establishing information management standards, policies, and controls.
- Performing information valuations.
- Defining and maintaining master- and metadata — for example, metadata for information security classifications and continuity management.
- Making infrastructure and storage decisions.
- Managing data and information life cycles, including data and information tracking.
- Establishing information quality with inputs from stakeholders.
- Measuring how frequently information is accessed and assessing its value to the business.
- Analysing information, including exploratory and confirmative data analysis.
- Developing the skills and competences of information management and analytics practitioners.
- GITGreen Information Technology
The Green Information Technology (GIT) capability is the ability to minimize the environmental impact of IT, and to make the best use of technology to minimize environmental impact across the organization.
- ITGIT Leadership and Governance
The IT Leadership and Governance (ITG) capability is the ability to motivate employees towards a common strategic direction and value proposition, and to establish appropriate IT decision-making bodies and processes, including mechanisms for IT escalation, accountability, and oversight. While the leadership aspect establishes the IT function's direction, it cannot directly affect all IT decisions distributed across the various levels in the organization. The governance aspect addresses this by establishing appropriate IT decision rights, and mechanisms for accountability and oversight. The IT Leadership and Governance (ITG) capability covers:
- Uniting the IT function around a shared IT value proposition, vision, and direction.
- Determining the effectiveness of the partnership between IT and other business units.
- Determining the effectiveness of IT leadership.
- Establishing governance/decision-making bodies and processes, including decision rights, accountabilities, and escalation paths.
- IMInnovation Management
The Innovation Management (IM) capability is the ability to identify, fund, and measure technology-driven business innovation, which can be:
- Applied within the IT function.
- Applied to the organization's operations.
- Applied to the organization's products and services.
- ODPOrganization Design and Planning
The Organization Design and Planning (ODP) capability is the ability to manage the IT function's internal structure and its interfaces with other business units, suppliers, and business partners.
- RMRisk Management
The Risk Management (RM) capability is the ability to identify, assess, prioritize, treat, and monitor the exposure to and the potential impact of IT-related risks that can directly affect the business. Risks include traditional IT risks and those more specific to the transformational changes brought about by new and emerging technologies; they include those mainly associated with IT security, data protection and information privacy, business operations, continuity of business and recovery from declared disasters, IT investment and project/service delivery, and IT service contracts and suppliers.
- SAIService Analytics and Intelligence
The Service Analytics and Intelligence (SAI) capability is the ability to define and quantify the relationships between IT infrastructure, IT services, and IT-enabled business processes.
- SSMSourcing and Supplier Management
The Sourcing and Supplier Management (SSM) capability is the ability to evaluate, select, integrate, and manage IT suppliers in line with defined sourcing and supplier management strategies.
- SPStrategic Planning
The Strategic Planning (SP) capability is the ability to formulate a long-term vision and translate it into an actionable strategic plan for the IT function.
- Managing the IT Budget
- BGMBudget Management
The Budget Management (BGM) capability is the ability to oversee and adjust the IT budget to ensure that it is spent effectively. The Budget Management (BGM) capability covers:
- Planning the IT budget.
- Tracking actual expenditure and variances from the budget.
- Establishing budget accountability, oversight structures, and decision rights.
- Predicting future expenditure and out-of-tolerance variances.
- BOPBudget Oversight and Performance Analysis
The Budget Oversight and Performance Analysis (BOP) capability is the ability to compare actual IT expenditure against budgeted IT expenditure over extended time periods. Where appropriate, it offers management the opportunity to reprofile or reprioritize budget forecasts and allocations. The Budget Oversight and Performance Analysis (BOP) capability covers:
- Developing approaches and tools for budget performance analysis.
- Performing multi-year tracking and trend analysis of expenditure patterns in IT projects and IT budget categories.
- Reviewing IT budget plans versus actual expenditure.
- Providing a stimulus for rebalancing and reprioritizing budgets.
- Forecasting future IT funding levels, allocation requirements, and prices for IT services.
- Determining the impact of historical budget performance on future budget planning and on general cost management.
- Communicating IT budget performance metrics to key stakeholders.
- FFFunding and Financing
The Funding and Financing (FF) capability is the ability to determine the funding level required for IT and to allocate it appropriately. The Funding and Financing (FF) capability covers:
- Setting the overall levels of IT funding.
- Establishing leadership understanding regarding issues and options for IT funding and financing.
- Establishing funding and financing governance structures and decision-making processes.
- Allocating IT funds to broad categories of IT activities – for example, for capital and operational expenditure.
- Managing the IT Capability
- CAMCapability Assessment Management
The Capability Assessment Management (CAM) capability is the ability of the organization to conduct current state evaluations and plan improvements for its portfolio of IT capabilities. Current state evaluations involve gathering and documenting data about the specific IT capabilities in the organization. The results then inform the planning and execution of improvement actions to deal with any deficiencies. The Capability Assessment Management (CAM) capability covers:
- Selecting an overarching capability framework and mapping other frameworks used in the organization to it.
- Managing continuous improvement of the organization’s IT capabilities.
- Securing appropriate senior management sponsorship for IT capability improvement.
- Promoting organizational buy-in and incentivizing participation in capability improvement evaluation and planning.
- Planning, preparing, and conducting capability evaluations.
- Setting IT capability targets and defining development roadmaps for key IT capabilities.
- EAMEnterprise Architecture Management
The Enterprise Architecture Management (EAM) capability is the ability to plan, design, manage, and control the conceptualization of systems, processes, and/or organizations, and the relationships between them. The conceptualization may be layered to represent specific types of relationships – for example, those between applications, business services, internal IT services, security, networking, data storage, and so on. The Enterprise Architecture Management (EAM) capability covers:
- Establishing principles to guide the design and evolution of systems, processes, and/or organizations.
- Providing a framework, including models or templates, that articulates the business, the technical architecture, and the relationships between them.
- Providing the architecture vision, roadmap, and governance, together with the approaches required for managing their life cycle.
- Managing the architectural skills and architecture resourcing.
- Communicating the impact of enterprise architecture activities.
- ISMInformation Security Management
The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accountability, usability, and availability of information.
- KMKnowledge Management
The Knowledge Management (KM) capability is the ability to identify, capture, classify, analyse, share, and exploit knowledge to improve organizational performance.
- PAMPeople Asset Management
The People Asset Management (PAM) capability is the ability to meet the organization's requirements for an effective IT workforce.
- PDPPersonal Data Protection
Personal data differs from other business data in that its ownership lies with the person to whom it refers and not the custodian company. This confers rights on the data subject, including the right to the privacy of the data. The custodian can vindicate the data subjects' right to privacy partly by protecting data from unauthorised access through access controls and other protection approaches, such as firewalls and physical isolation. Such measures (discussed in chapter 22, Information Security Management (ISM)), are designed to safeguard all data and information, while ‘data protection’ as discussed in this chapter refers primarily to the additional measures needed to protect personal or sensitive personal data, and to satisfy the legal obligations imposed on the custodian.
The Personal Data Protection (PDP) capability is the ability to develop, deploy, and implement policies, systems, and controls for processing personal and sensitive personal data relating to living persons in all digital, automated, and manual forms. It ensures that the organization safeguards the right to privacy of individuals whose information it holds, and that the organization uses personal data strictly for legitimate business purposes.
Policies, systems, and controls encompass and give effect to relevant standards and regulations, which may differ from country to country. The organization must consider the jurisdictions in which the data is acquired, processed, stored, and in some cases through which it is transmitted to identify what regulations are relevant.
The Personal Data Protection (PDP) capability covers:
- Processing personal data throughout its life-cycle.
- Maintaining the quality and integrity of personal data.
- Identifying and communicating data protection regulations and standards.
- Raising awareness and establishing a privacy culture.
- Managing data protection relationships and agreements with third parties.
- Communicating information (on database registrations, data breaches, audit data and so on) with statutory data protection officers.
- Managing data privacy risks and conducting privacy impact analysis assessments.
- Managing data subject rights.
- Identifying and applying applicable data protection standards and regulations.
- Verifying the effectiveness of data protection policies.
- PGMProgramme Management
The Programme Management (PGM) capability is the ability to assemble and assign resources to identify, select, approve, oversee, and deliver value from programme co-ordinated components (i.e. subprogrammes and projects). Managing the programme will prioritize, monitor, track, analyse, and report on programmes and programme components. It will also leverage component synergies.
- PMProject Management
The Project Management (PM) capability is the ability to assign resources to initiate, plan, execute, monitor, control, and close projects that deliver project objectives within agreed variances of cost, timeliness, quality, and scope of works. Projects are temporary (PMI, 2017b) and may deliver temporary or semi-permanent infrastructure, new capabilities, unique or new products or services, learning and awareness that a business can leverage.
- REMRelationship Management
The Relationship Management (REM) capability is the ability to analyse, plan, maintain, and enhance relationships between the IT function and the rest of the business.
- RDEResearch, Development and Engineering
The Research, Development and Engineering (RDE) capability is the ability to investigate, acquire, develop, and evaluate technologies, solutions, and usage models that are new to the organization and might offer value. The Research, Development and Engineering (RDE) capability covers:
- Ensuring that research into new technologies is managed appropriately, so that risk to the organization is minimized, while opportunities are maximized.
- Linking research into new technology to potential usage models that can benefit business units.
- Coordinating a research pipeline of promising new technology projects, through a series of phased investment decisions, as understanding of feasibility and relevance is enhanced.
- Managing the research portfolio to better align with business goals.
- Instilling an organizational culture that promotes research and innovation.
- Measuring the value contributed by technology research activities.
- SRPService Provisioning
The Service Provisioning (SRP) capability is the ability to manage the life cycle of IT services to satisfy business requirements. This includes ongoing activities relating to operation, maintenance, and continual service improvement, and also transitional activities relating to the design and introduction of services, their deployment, and their eventual decommissioning. The Service Provisioning (SRP) capability includes:
- Defining and describing the services provided by the IT function.
- Managing the IT services catalogue.
- Managing IT service configuration.
- Managing IT service availability.
- Managing the IT service desk.
- Managing requests, incidents, and problems.
- Managing access to IT services.
- Addressing requests for new IT services and decommissioning unwanted IT services.
- Managing IT service levels and service level agreements (SLAs).
- SDSolution Delivery
The Solutions Delivery (SD) capability is the ability to design, develop, validate, and deploy IT solutions that effectively address the organization's business requirements and opportunities.
- TIMTechnical Infrastructure Management
The Technical Infrastructure Management (TIM) capability is the ability to manage an organization's IT infrastructure across its complete life cycle of:
- Transitional activities including building, deploying, and decommissioning.
- Operational activities including day-to-day operations, maintenance, and continuous improvement.
- UEDUser Experience Design
The User Experience Design (UED) capability is the ability to proactively consider the needs of users at all stages in the life cycle of IT services and solutions.
- UTMUser Training Management
The User Training Management (UTM) capability is the ability to provide training that will improve user proficiency in the use of business applications and other IT-supported services.
- Managing IT for Business Value
- BARBenefits Assessment and Realisation
The Benefits Assessment and Realization (BAR) capability is the ability to establish an outcomes focus for the selection and management of IT-enabled business change initiatives to ensure that their potential value is delivered. BAR addresses the cultural and behavioural change needed to create and to sustain value from those initiatives. In this way, BAR ensures that business benefits are planned, dynamically adjusted, and actually achieved.
- PPMProject Portfolio Management
The Project Portfolio Management (PPM) capability is the ability to select, approve and balance project portfolio components (projects, programmes, or sub-portfolios) to deliver the organization's strategic objectives and its operational needs. Managing the project portfolio will prioritize, monitor, track, analyse, report, and as necessary, terminate project portfolio components that plan to, or that currently consume organizational resources.
- TCOTotal Cost of Ownership
The Total Cost of Ownership (TCO) capability is the ability to identify, compare, and control all direct and indirect costs associated with IT assets and IT-enabled business services. The Total Cost of Ownership (TCO) capability covers:
- Identifying and analysing IT costs across asset and service life cycles, from acquisition to operations, enhancements, and end of life.
- Identifying all costs that both directly and indirectly affect the bottom line — for example hardware and software acquisition, management and support, communications, training, end-user expenses, the opportunity cost of downtime, and other productivity losses.
- Establishing a common methodology for comparing costs within and across IT assets, processes, and services.
Changelog for 18.04
- Risk Management was introduced as an update to Risk Management (16).
- Knowledge Management was introduced, replacing Knowledge Asset Management (16).
- Solution Delivery was introduced as an update to Solutions Delivery (16).
- Technical Infrastructure Management was introduced as an update to Technical Infrastructure Management (16).
- Benefits Assessment and Realisation was introduced as an update to Benefits Assessment and Realization (16).