COBIT 5 Draft Released!

Posted in GRC on 18-04-2010

It is exciting to see ISACA release the draft version of COBIT 5, which will finally consolidate some key ancillary and complementary frameworks into one major framework under the COBIT umbrella. Specifically, COBIT 5 will incorporate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF. The draft standard can be reviewed and downloaded at this link.

Now if only ISACA, PMI and the International Institute of Business Analysis could work toward building a common framework incorporating key elements of risk management, value, and compliance, then the future would immediately become brighter. One of the issues that vexes the professional consultant, manager or executive is the competing standards and frameworks from so many different professional organizations. The issue is similar to the competing standards in media: Blu-ray vs. HD-DVD; QuickTime vs. Flash.

If a standard model and framework can arise from ISACA’s move to COBIT 5, then it is a welcome change, but it would be disappointing if it only leads to new and competing standards.

The PMP (Fourth Edition) Certification Exam

Posted in PM on 10-12-2009

I recently took (and passed) the PMP (Project Management Professional – Fourth Edition) Certification Exam and it is one of the more difficult certifications to achieve for a variety of reasons. Unlike most other certifications, the PMP requires a significant number of (documented) hours in both work and training in project management, as well as requiring candidates to apply for examination BEFORE they can even take the exam.

The exam itself is not difficult if you have been performing project management for a number of years and adhere to either the PMBOK project lifecycle methodology or adhere to other project management methodologies (e.g. Prince2 or APM).

For my own exam, I utilized three prep books including Learnkey’s Project Management Professional Study Guide Third Edition by Joseph Phillips, Sybex’s Project Management Professional Exam Study Guide Fifth Edition by Kim Heldman and PMP Exam Prep by Rita Mulcahy. Many people rave about Rita Mulcahy’s books but I did not find the book too helpful. The best book, in my opinion, was Heldman’s text which sorts the project management methodology and text into a logical flowing process. All books come with a CD-ROM which has sample test questions, each with its own custom test engine, and I found Learnkey’s CD the BEST of the three. Although Sybex (Heldman) had the best textbook, Learnkey had the best test engine which simulated the exam more closely. The only word of warning is that the test engine on Learnkey’s CD has 200 questions and there are 3 exams (sets) with questions.

In addition to the books, I also took a PMP exam prep course through QA (www.qa.com) which proved beneficial in addition to the simulated exams. Unfortunately, there isn’t a single book or training course that contains ALL the material you may see on the actual exam and this is the most frustrating thing about the PMP exam. The books, simulated exams and training courses are geared toward “getting you over the hump” and allowing you to pass the exam but there doesn’t appear to be a single source for a definitive guide on ALL things PMP. Don’t expect to read (or memorize) the PMBOK (Project Management Book of Knowledge Fourth Edition) and assume you’re ready to take the test – this will prove to be disastrous for you!

The exam is 4 (yes FOUR) hours long and I managed to complete the exam in 3 hours 30 minutes and was fairly exhausted at the end of the exam. I highly encourage consummate professionals to seek out the PMP credential as most professional individuals will, at many points in their lives, be part of managing or engaging in some type of project or project work and understanding the project life cycle and methodologies will prove extremely advantageous.

Think Global, Act Global

Posted in Career Growth on 09-10-2009

Fellow consummate professional Sean Rieger over at the E-marketing Rant blog recently posted an interesting article on social media and the direction it may or may not take over the next few years but one of the interesting aspects that is often overlooked is the “global” context of social media.

The BBC recently reported that a contingent of Indian Facebook users has petitioned Facebook to add the Indian flag to the popular game Farmville:

More than 20,000 people have called for India’s national flag to be added to a popular web game which allows users to develop and manage a farm online.

More than three million Facebook users live in India and there are many more Farmville players of Indian-origin who have backed the cause.

Consummate professionals need to think globally in all aspects of business, academics, and social settings. There are clichés heard over and over again, “the world is flat” or “it’s a small world” or “the global village”, yet organizations like Facebook and many others continue to think locally to their own detriment. As a consummate professional, you can’t afford to make this mistake!

Dichotomy In The Project Management World

Posted in PM on 16-07-2009

There are two major schools of thought and theory in Project Management: one is the American-based model from the Project Management Institute, the PMBOK (Project Management Book of Knowledge), while the other is the British-based Office of Government Commerce (OGC) PRINCE2. While the two methodologies tend to complement each other, there seems to be an ever-contentious one-upmanship between the two organizations.

Most recently, the PMI group revised their PMBOK from version 3 to version 4 and included a whole new breadth of material including risk management and a variety of other changes to improve consistency, clarification, process changes, and help render a path for a more complete project management framework. Not to be outdone, the OGC recently released a new version of PRINCE2 dubbed “PRINCE2 2009” which is an “evolution” from the PRINCE2 2005 framework.

Like the PMI, the OGC released a variety of clarifications, consistency and process changes to their framework to render it more user friendly and a great summary of the changes can be found here. A review of the new PMI methodologies can be found here.

On a personal level, despite having been a member of the PMI organization for a few years, I find myself gravitating more toward the PRINCE2 methodology as it incorporates ITIL and ISO 20000 standards into its framework. I have found the PRINCE2 methodology to be more practical while the PMI framework is more theoretical. Whichever path you choose to follow, I would encourage any consummate professional to take a look at both frameworks and pursue the appropriate training and certification track to add to their skills portfolio.

Risk Management In A Consummate Professional World

Posted in GRC on 20-03-2009

A cornerstone role of an executive or person in a leadership role at an organization is to clearly understand risk management. Understanding risk management methodologies, risk analysis methods and having a plan to mitigate risk is key to the successful consummate professional.

There are various risk management methodologies and two of the more common and popular are FRAP (Facilitated Risk Analysis Process) and CRAMM. There are other standards, some specific to particular industries (e.g. health care), such as NIST SP 800-30 and 800-66. NIST 800-66 was initially created for the health care industry and contains many HIPAA provisions, while 800-30 is geared toward information security risk and management.

Regardless of which risk management methodology is selected, understanding risk analysis is key to successfully navigating the world of risk. Two key methods of conducting risk analysis are qualitative and quantitative. In qualitative methods of risk analysis, experience, judgment, and “what’s worked before” are factored into the analysis, often driven or defined by a “gut check” process. Conversely, in quantitative methods numerical values are assigned to elements of the risk process and the goal is to determine a mathematical value in terms of probability percentages to determine the likelihood of an event or threat.

There are five key steps to risk analysis and they include:

  1. Assigning value to asset(s)
  2. Estimating Potential Loss per event or threat
  3. Performing a threat (event) analysis
  4. Determine the overall annual loss potential of threat (event)
  5. Reduce/Avoid/Transfer or Accept Risk

These data points culminate to form a “picture” of the overall exposure assessment and exposure factor. A derivative function of annualized rate of occurrence is determined by these data points to provide the best guesstimate of risk loss potential. *Please note that this is not a comprehensive review of risk management; if anything, it is a simplified overview of risk management, and readers are encouraged to seek additional information through online and offline resources.
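The five steps above can be carried through on a small risk register. The following is an added example, not part of the original post: it uses the conventional quantitative terms single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the treatment policy, thresholds and all figures are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float                 # step 1: value assigned to the asset
    exposure_factor: float             # step 2: fraction of value lost per event (0..1)
    aro: float                         # step 3: annualized rate of occurrence
    control_cost: float = 0.0          # annual cost of a candidate safeguard
    aro_with_control: Optional[float] = None  # ARO expected once it is in place

    def sle(self) -> float:
        """Single loss expectancy: potential loss per event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 4: annualized loss expectancy."""
        return self.sle() * self.aro

    def control_net_benefit(self) -> float:
        """ALE before, minus ALE after, minus the annual cost of the safeguard."""
        if self.aro_with_control is None:
            return float("-inf")  # no safeguard proposed
        return self.ale() - self.sle() * self.aro_with_control - self.control_cost

def treatment(r: Risk, accept_below: float = 1_000.0) -> str:
    """Step 5 under an assumed policy; the threshold is illustrative."""
    if r.ale() < accept_below:
        return "accept"      # expected loss is below the tolerated level
    if r.control_net_benefit() > 0:
        return "reduce"      # the safeguard saves more than it costs
    if r.ale() >= r.asset_value:
        return "avoid"       # expected yearly loss exceeds the asset's value
    return "transfer"        # e.g. insure a rare but severe event

# Constructed sample register; every figure is made up for illustration.
REGISTER = [
    Risk("customer DB server", "ransomware", 200_000, 0.5, 0.2, 5_000, 0.05),
    Risk("staff laptop", "theft", 2_000, 1.0, 0.25),
    Risk("data centre", "flood", 1_000_000, 0.6, 0.01, 50_000, 0.002),
]

def rank(register):
    """Risks ordered by ALE, highest first, with the suggested treatment."""
    rows = [(r.asset, r.threat, round(r.ale(), 2), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for asset, threat, ale, action in rank(REGISTER):
        print(f"{asset:20} {threat:12} ALE={ale:>10,.2f} -> {action}")
```

The flood entry shows why ALE alone does not settle step 5: the safeguard lowers the expected loss but costs far more per year than it saves, so the assumed policy transfers the risk instead.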

While it is beneficial to understand theory, mathematical formulae, and policy, there is no substitute for practical experience, through real incidents, in risk management. Any consummate professional will ultimately encounter risks throughout their career and it is best practice to understand how to deal with them in a practical manner.

The ISO/IEC 20000 Certification Exam

Posted in ISO on 09-03-2009

Consummate technology professionals that work for large organizations may have an interest in ISO/IEC 20000 training and certification. ISO/IEC 20000 is the International Standard for IT Service management processes. ISO 20000 is a recognized certification by which organizations can demonstrate to their customers that their IT Service management processes represent best practices.

The ISO/IEC 20000 certification exam is fairly comprehensive and includes topics such as:

  • Planning & Implementation of Service Management
  • Planning & Implementation of New and Changed Services
  • Service Delivery Processes
  • Relationship, Resolution, and Control Processes
  • Release Processes

There are numerous detailed subtopics under each of these master topics which won’t be covered here but it is highly recommended for anyone involved in IT service delivery and those seeking a structured methodology for providing premier levels of service.

The ITIL v3 Foundation Exam

Posted in ITIL on 01-03-2009

I recently took the ITIL v3 Foundation Exam as I am a firm believer in ITIL methodology and framework toward IT service management so I’ve opted to include a brief discussion about the exam and ITIL.

ITIL, short for Information Technology Infrastructure Library, emerged when the British government determined that the level of IT service quality provided to various government agencies was not sufficient.  The Central Computer & Telecommunications Agency, now Office of Government Commerce (OGC), developed the initial framework for efficient and financially responsible use of IT resources within the British government.

Today, ITIL has been adopted by many governments worldwide as well as private and public organizations in an effort to provide better controls, compliance and overall improved IT service management.

ITIL has gone through many revisions and in July 2007, version 3 was released to supplement version 2 and ultimately replace it at some point in the future.

ITIL v3 has five volumes which consist of:

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement

Each volume has a specific subset of core principles and processes.  For example, Service Design consists of:

  • Service Level Management
  • Capacity Management
  • Availability Management
  • IT Service Continuity Management
  • Information Security Management
  • Supplier Management
  • Service Catalog Management

I won’t go into detail for each volume or subset but the information and framework provided is extremely important to anyone charged with managing Information Technology.

As for the ITIL v3 Foundation exam, it is fairly straightforward and simple if a person has worked, managed, and practiced the methodology and frameworks or has studied the materials in depth.

I highly recommend ITIL certification for any IT consummate professional in a management position or function within an organization.

A final note: There are two key organizations that administer the ITIL exams. In the United States, EXIN predominantly administers the exam and provides training in the framework. In the UK and elsewhere, ISEB (BCS) is the organization which certifies individuals. Although both organizations cover ITIL there are subtle differences between the EXIN (US) approach and ISEB (UK) approach. Which path to take is highly dependent on where you plan on practicing the methodology.

The CGBP Nasbite Exam

Posted in CGBP on 21-02-2009

I just finished taking the CGBP Nasbite Exam and I won’t know the results for a few weeks but I figured I’d share a few thoughts about the exam.

First, I went through the training program for international commerce offered at a local college a few months ago. I also went to the test prep course offered last week to review to prepare for the exam. I also purchased James F. Foley’s The Global Entrepreneur book to prepare for the exam as well.

Secondly, while I can’t speak specifically about the exam as there is a confidentiality and non-disclosure clause I can say a few things in general terms. The exam had many questions I wasn’t expecting to see on it and it did not have many questions I was expecting to see on it.

The sample test questions available at the NasbiteCGBP website give a good overview of the exam but I felt some of the questions on the real exam were entirely subjective and no amount of preparation, study materials or coursework could help with deciphering the answers. Clearly, the exam relies on a person’s experience in a real world global business environment to factor into selecting the correct answers.

Overall, the exam was fairly comprehensive and does test on the four major domains as well as covering a great deal of regulatory, tariff, government agencies and compliance issues for any company doing business globally. I should get the results in about six weeks and I’ll keep everyone up to date on the results once I know them.

What Is A Certified Global Business Professional and Nasbite?

Posted in CGBP, GRC on 10-02-2009

The CGBP (Certified Global Business Professional) credential is a credential offered by Nasbite.org to help establish standards and benchmarks for competency in global commerce. From the NasbiteCGBP.org site,

The NASBITE CGBP provides a benchmark for competency in global commerce. The CGBP designation demonstrates an individual’s ability to conduct global business including Global Business Management, Global Marketing, Supply Chain Management, and Trade Finance. For candidates experienced in international trade, the certification confirms that knowledge. For candidates just beginning, it establishes a professional development goal to ensure a full understanding of the profession. For companies, it assures that employees are able to practice global business at the professional level required in today’s competitive environment.

Specifically, the following domains are covered within a CGBP credential:

Global Business Management - Develop and/or assist with the strategic and operational planning, development, implementation, and assessment of the international aspects of the business.

Global Marketing - Manage, implement, coordinate and/or assist with marketing, including planning, sales, research and support functions to assess customer needs; evaluate opportunities and threats on a global scale; and meet corporate needs within environmental constraints and corporate goals.

Supply Chain Management - Evaluate all supply chain options which result in the best overall solutions to support the international business plan while complying with all rules, regulations, and security issues from sourcing to final distribution.

Trade Finance - Evaluate financial risks and methods, select and implement most favorable methods of payment to support global activities and ensure that all related costs are included at the time of quotation. Evaluate quantity and source of finance necessary to implement global activities.

In today’s globalized economy, knowledge, skills, experience and credentials in global commerce are essential tools of the trade and no consummate professional should be caught without them.

The CIO Framework And Modeling Systems

Posted in CIO, GRC on 23-01-2009

Chief Information Officers must comply with onerous regulatory requirements, business needs, and complex information management demands and there are various modeling systems and frameworks in place to facilitate implementation, maintenance and compliance. The table below illustrates some of the technological areas and their respective frameworks and models.

CIO Framework

| IT Governance | Information Records Management | Project Management | Quality Assurance Management | Quality Assurance Process Improvement |
|---------------|--------------------------------|--------------------|------------------------------|---------------------------------------|
| ISO 38500     | BISL                           | PMBOK              | ISO 9000                     | IT Scorecard                          |
| AS 8015       | ITIL                           | PRINCE2            | ISO 20000                    | Six Sigma                             |
| NIST 800-30   | eTOM                           | IPMA               | ISO 27001                    | CMMI                                  |
| COBIT         |                                | MSP                | TQM                          | eSCM-SP                               |
| COSO          |                                |                    | EFQM                         |                                       |

The table above is not all-inclusive. There are subsets of models and frameworks for specific industries, specific regulatory requirements and specific organizations. A CIO will need to have a base understanding of the various IT governance models and frameworks in each respective area.

In future posts, an in-depth discussion of each of the functional areas, with a detailed review of each model and framework, will be conducted to provide an overview to readers.
