COBIT® 5 Process Assessment Worksheet

Area: Governance Domain: Evaluate, Direct and Monitor

Process: EDM04 – Ensure Resource Optimization

EDM04 – Process Setting

1
Process Description
Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost.

Process Purpose Statement1

Ensure that the resource needs of the enterprise are met in the optimal manner, IT costs are optimized, and there is an increased likelihood of benefit realization and readiness
for future change.

Process Assessment Objectives1

The objectives of this assessment are to determine if
 The resource needs are met with optimal capabilities.
 Resources are allocated to best meet priorities within budget constraints.
 Optimal use of resources is achieved throughout their full economic life cycles.

Process Risk Drivers2

 Decreased stakeholder confidence

 Fragmented, inefficient infrastructures
 Inappropriate priorities used for allocation of resources
 Insufficient capabilities, skills, and resources to achieve desired goals
 Performance gaps not identified in a timely manner
 Service deviations and degradations not recognized and addressed, resulting in failure to deliver business requirements
 Service performance failures causing legal and regulatory compliance exposures
 Strategic objectives not achieved

1 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

EDM04 – Process Goal Assessment

1
EDM04.01 Governance Practice
Evaluate resource management. Continually examine and make judgement on the current and future need for IT-related resources, options for resourcing (including
sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objectives1
EDM04.01.01 - Strategy Determine how IT examines and For a selected number of IT managers, ask them to describe any strategic, high-level direction for
makes judgment on the current sourcing and use of IT resources that they may have in place.
and future strategy, options for
providing resources, and
developing capabilities to meet
current needs and future needs
(including sourcing options).
EDM04.01.02 - Guiding Understand if IT has defined the For a selected number of IT managers, ask them to of their basic philosophy that drives and
Principles principles for guiding the guides the allocation and management of resources.
allocation and management of
resources and capabilities so that
IT can meet the needs of the
enterprise, with the required
capability and capacity according
to the agreed-on priorities and
budgetary constraints.
EDM04.01.03 - Resource Review the resource plan and 1. For a selected number of IT managers,
Plan enterprise architecture strategies  
for delivering value and a. Ask them to how they would assess the current state of IT resources, skills and
mitigating risk with the allocated infrastructure.

2 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objectives1
resources.
b. Ask if they are sufficient to meet the objectives.

c. Ask how they will sustain availability of resources.

2. Based on the inquiry, assess ITs state of resources, skills and infrastructure. Use the
resource plan as a measure against the answers.
EDM04.01.04 - IT/HR Understand how IT aligns 1. For a selected number of IT managers, ask them to what extent there is a requirement
Alignment resource management with to align resource management with enterprise financial and human resources (HR)
enterprise financial and human planning.
resources (HR) planning.
2. Obtain and assess any guidance documents that help managers align their resource
management with enterprise financial and human resources (HR) management
EDM04.01.05 - Determine if IT has defined For a selected number of IT managers, ask them to describe if IT has defined principles for the
Architecture Principles principles for the management management and control of the enterprise architecture.
and control of the enterprise
architecture.

3 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

EDM04.02 Governance Practice1

Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objectives1
EDM04.02.01 - Understand that IT For a selected number of IT managers, ask them to describe their resource management
Communicate and Drive communicates and drives the strategy, principles, and agreed-on resource plan.
adoption of the resource
management strategies,
principles, and agreed-on
resource plan and enterprise
architecture strategies.
EDM04.02.02 - Assign Determine that IT assigns 1. For a selected number of IT managers, ask them who has the responsibility for executing
Responsibilities responsibilities for executing resource management and how this is tracked.
resource management.
2. Obtain, if possible, any documentation that shows resource management tracking.

EDM04.02.03 - Define Goals Determine if IT has defined key 1. For a selected number of IT managers, get their resource plan.
and Metrics goals, measures and metrics
for resource management. 2. Determine any key goals, measures, and metrics for resource management. If necessary,
for a selected number of IT managers, ask them to explain their key goals, measures, and
metrics for resource management.
EDM04.02.04 - Establish Understand if IT has For a selected number of IT managers, ask them to explain if IT has established principles
Principles established and follows related to safeguarding resources and how this is communicated.
principles related to
safeguarding resources.
EDM04.02.05 - Align Understand if IT has aligned its For a selected number of IT managers, ask them to how IT resource requirements align with

4 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objectives1
Resource Management resource management with financial and HR planning methodologies.
enterprise financial and HR
planning.

5 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

EDM04.03 Governance Practice1

Monitor resource management. Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified,
tracked and reported for remediation.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objectives1
EDM04.03.01 - Monitor Determine that IT monitors the For a selected number of IT managers, ask them how IT monitors the allocation and optimization
Allocation allocation and optimization of of resources.
resources in accordance with
the enterprise objectives and
priorities using agreed on goals
and metrics
EDM04.03.02 - Monitor Determine that IT monitors IT For a selected number of IT managers, ask them to how IT management monitors IT sourcing
Strategy sourcing strategies, enterprise strategies, enterprise architecture strategies, IT resources and capabilities to ensure that current
architecture strategies, IT and future needs of the enterprise can be met.
resources and capabilities to
ensure that current and future
needs of the enterprise can be
met.
EDM04.03.03 - Monitor Understand if IT management For a selected number of IT managers, ask them to how IT management monitors resource
Performance monitors resource performance performance against targets, analyses the cause of deviations, and initiates remedial action to
against targets, analyses the address the underlying causes of deviations.
cause of deviations, and
initiates remedial action to
address the underlying causes.

EDM04 Assessment Summary1

6 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

Governance Practice Practice Description Practice Assessment Summary

Evaluate resource management. Continually examine and make judgement on
the current and future need for IT-related
resources, options for resourcing (including
sourcing strategies), and allocation and
management principles to meet the needs of
the enterprise in the optimal manner.
Direct resource management. Ensure the adoption of resource management
principles to enable optimal use of IT
resources throughout their full economic life
cycle.
Monitor resource management. Monitor the key goals and metrics of the
resource management processes and
establish how deviations or problems will be
identified, tracked and reported for
remediation.

7 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

EDM04 Risk Summary1

Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the
threat/ vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component Mark all that apply

Threat Type (Describe the nature of the event) ⃣

Malicious
⃣ Accidental
⃣ Error
⃣ Failure
⃣ Natural
⃣ External requirement
Actor (Who or what could trigger the threat that exploits a vulnerability) ⃣ Internal
⃣ External
⃣ Human
⃣ Non-Human

Event (Something that happens that was not supposed to happen, something does not happen ⃣ Disclosure
that was supposed to happen, or a change in circumstances. Events always have causes and ⃣ Interruption
usually have consequences. A consequence is the outcome of an event and has an impact on ⃣ Modification
objectives.) ⃣ Theft
⃣ Destruction
⃣ Ineffective design
⃣ Ineffective execution
⃣ Rules and regulations
⃣ Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth and skills protecting, ⃣ Process
including people, systems, infrastructure, finances and reputation.) ⃣ People and Skills

8 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM04 – Ensure Resource Optimization

Risk Scenario Component Mark all that apply

⃣ Organizational Structure
⃣ Physical Infrastructure
⃣ IT Infrastructure
⃣ Information
⃣ Applications
Resource (A resource is anything that helps to achieve a goal.) ⃣ Process
⃣ People and Skills
⃣ Organizational Structure
⃣ Physical Infrastructure
⃣ IT Infrastructure
⃣ Information
⃣ Applications
Time Timing ⃣ Critical ⃣ Non-Critical
Duration ⃣ Short ⃣ Moderate ⃣ Extended
Detection ⃣ Slow ⃣ Moderate ⃣ Instant
Time lag ⃣ Immediate ⃣ Delayed
Velocity ⃣ Slowing ⃣ Constant ⃣ Increasing
Likelihood ⃣ Highly ⃣ Moderate ⃣ Unlikely
Impact ⃣ Great ⃣ Moderate ⃣ Little

Possible Risk Response Risk Avoidance:

Risk Acceptance:
Risk Sharing/Transfer:
Risk Mitigation:

9 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.