The Role of COBIT5 as a Reference for Quality Service Quality Improvement Case Study: Private Bank in Indonesia

PT. Bank Central Asia Tbk. is the largest private bank company in Indonesia, which is now owned by one of the largest cigarette group companies in the world, namely Djarum. PT. Bank Central Asia Tbk. makes various efforts to improve the quality of its services by setting standards and policies. One of them is the adoption of the ITIL V3 standard, which covers the entire IT Service process. ITIL V3 is a series of concepts and techniques for infrastructure management, development, and information technology operations. These efforts were made to meet the ISO 20000 standard and obtain ISO 20000 certification in 2011. However, PT Bank Central Asia Tbk. wants to continue to improve the quality of its IT services, and has therefore chosen to use the COBIT 5 framework as a method of measuring IT service quality, especially in the field of IT Service Management (ITSM), in the DSS02 (Manage Service Requests and Incidents) and DSS03 (Manage Problems) processes. The result of this research is that the current capability level of the DSS02 and DSS03 processes at PT Bank Central Asia Tbk. is level 3 (Established Process), while the target level to be achieved is level 4 (Predictable Process). To reach the next level, PT Bank Central Asia is expected to follow the recommendations for improvement given.


I. INTRODUCTION
Information technology is becoming a must-have in the corporate sector, opening up a slew of new company and job prospects [1]. The output of a business process is heavily influenced by information technology, from everyday operational activities to the company's business processes, the majority of which are influenced by information technology implementation. Information technology management can serve as a guarantee for a company process' efficiency as well as an assessment tool for ongoing development and improvement [2].
PT. Bank Central Asia Tbk. is one of Indonesia's largest private banking firms, with shares worth $47.64 million (67 trillion rupiahs) as of September 23, 2019 [3]; it is now owned by Djarum, one of the world's largest tobacco companies. The service procedure was carried out with sufficient information technology, making it easy for PT. Bank Central Asia Tbk. to serve clients. PT. Bank Central Asia Tbk. is always innovating in financial and information technologies to ensure that its clients are satisfied [4].
PT. Bank Central Asia Tbk. makes various efforts in the IT field, especially IT Service Management, to continuously improve the quality of service by setting standards and policies. One of these is the adoption of the ITIL V3 standard, which covers the entire IT Service process. ITIL V3 is a series of concepts and techniques for infrastructure management, development, and information technology (IT) operations [5]-[7].
According to field interviews conducted with one of the leaders of the ITSM (Information Technology Service Management) work unit of the GSIT (Group Strategic Information Technology) division, PT Bank Central Asia Tbk. has the goal of continuously improving service quality from various angles. The company aims to employ COBIT 5 as a measurement tool for assessing service quality, which has never been tried there before. COBIT 5 will therefore be used as a measuring framework to improve service quality, by executing an assessment process in the ITSM work unit.
PT Bank Central Asia Tbk. currently requires improved service quality in the areas of problem management and service requests. Within the COBIT 5 process domains, the assessment therefore focuses on the DSS (Deliver, Service, and Support) domain, specifically the processes DSS02 (Manage Service Requests and Incidents) and DSS03 (Manage Problems).

A. COBIT (Control Objectives For Information & Related Technology)
COBIT 5 is the most recent set of ISACA IT governance and management guidelines. COBIT 5 was developed by ISACA based on the experiences of organizations that had been using earlier versions of COBIT for over 15 years [8]. The five fundamental principles of COBIT 5 for IT governance and management are [8]:
1) Assisting stakeholders in meeting their demands.
2) COBIT 5 integrates IT governance with corporate governance, protecting end-to-end business completely and responsibly.
4) COBIT 5 is consistent with other related standards and other high-level frameworks.
5) Separating governance and management.

B. Capability Level
COBIT 5 introduces a process capability model. It contains an internationally recognized evaluation standard, a process capability model based on the ISO/IEC 15504 software engineering process assessment standard. This model serves the same goal of supporting process evaluation and process improvement. It provides a means of measuring the performance of governance processes (EDM-based) or management processes (PBRM-based) and of identifying areas that need improvement [9]. Process capability is assessed on six capability levels, and each level has its own PAs (process attributes). Level 0 means that the process failed and was not implemented, or the process was only partially successful. Evaluation activities are conducted to distinguish between level 1 and higher level evaluations. If a process is 100% successful at the previous level, it can reach the next level. Each level of assessment by ISACA falls into four categories [8]:

1) N (Not achieved)
In this category, there is little evidence of the achievement of the attributes of the process. The range of scores achieved in this category is 0-15%.

2) P (Partially achieved)
Within this category, there is some evidence of the approach and some achievement of the attributes of the process. The range of scores achieved in this category is 16-50%.

3) L (Largely achieved)
Within this category, there is evidence of a systematic approach and significant achievement of the attributes of the process, although there may still be a few weaknesses. The range of scores achieved in this category is 51-84%.

4) F (Fully achieved)
Within this category, there is evidence of a comprehensive and systematic approach and full achievement of the attributes of the process. There are no weaknesses related to the attributes of the process. The range of scores achieved in this category is 85%-100%.

The Largely achieved (L) or Fully achieved (F) category must be reached to state that the process has achieved a level of capability. However, a process must reach the Fully achieved (F) category at a level for the assessment to continue to the next level. For example, a process must reach the Fully achieved (F) category at levels 1 and 2 before it can proceed to level 3. The six capability levels are as follows [8], [10]:

1) Level 0 - Incomplete Process
The process is not implemented or has failed in achieving its process objectives. At this level, there is little or no evidence of any systematic achievement of a process.

2) Level 1 - Performed Process
The implemented process achieves its process objectives. The PA (Process Attribute) provisions at this level are as follows:
• PA 1.1 Process Performance: measures the extent to which the goals of the process have been achieved. The achievement of the goals marks full achievement.

3) Level 2 - Managed Process
The processes that have been implemented are planned, monitored, and adjusted. Appropriate work products are established, controlled, and maintained. The PA (Process Attribute) provisions at this level are:
• PA 2.1 Performance Management: measures the extent to which the performance of the process is managed.
• PA 2.2 Work Product Management: measures the extent to which the work products produced by the process are managed. The work products referred to here are the results of the process.

4) Level 3 - Defined Process (Established Process)
Managed processes are now implemented using defined processes capable of achieving their process outcomes. The process attribute requirements at level 3 are as follows:
• PA 3.1 Process Definition: measures the extent to which standard processes are managed to support the execution of the defined processes.
• PA 3.2 Process Deployment: measures the extent to which the standard process has been effectively implemented as a defined process to achieve the process results.

5) Level 4 - Predictable Process
The process now operates within defined limits to achieve its process results. The process attribute requirements at level 4 are as follows:
• PA 4.1 Process Measurement: measures the extent to which measurement results are used to confirm that process performance supports company goals.
• PA 4.2 Process Control: measures the extent to which the process is quantitatively controlled so that it is stable, capable, and predictable within certain limits.

6) Level 5 - Optimizing Process
The process is continuously improved to meet current relevant business objectives. The process attribute requirements at level 5 are as follows:
• PA 5.1 Process Innovation: measures the extent to which changes to the process are identified and measured, common causes of variation in performance are analyzed, and innovative approaches to defining and implementing processes are investigated.
• PA 5.2 Process Optimization: measures the extent to which changes to the definition, management, and performance of the process have an effective impact on the relevant process improvement objectives.

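
The rating scale and the rule for moving from one capability level to the next, both described in this section, can be written as a short routine. This is an added example, not part of the original paper or of ISACA's material; the function names, the treatment of fractional scores and of unassessed attributes, and the sample scores are assumptions.

```python
# Added example: thresholds and the gating rule follow the text of this section.
# Function names and sample scores are constructed for illustration.

LEVEL_ATTRIBUTES = {
    1: ("PA 1.1",),
    2: ("PA 2.1", "PA 2.2"),
    3: ("PA 3.1", "PA 3.2"),
    4: ("PA 4.1", "PA 4.2"),
    5: ("PA 5.1", "PA 5.2"),
}
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(score):
    """Map an achievement percentage (0-100) to N, P, L or F."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score <= 15:
        return "N"
    if score <= 50:
        return "P"
    if score < 85:  # assumption: fractional scores between 84 and 85 count as L
        return "L"
    return "F"


def capability_level(scores):
    """Return (level, ratings) for a dict of PA name -> percentage.

    A level is achieved when all of its attributes are rated L or F.
    The assessment continues to the next level only when all are rated F.
    Assumption: attributes missing from `scores` were not assessed (0%).
    """
    achieved = 0
    ratings = {}
    for level in sorted(LEVEL_ATTRIBUTES):
        names = LEVEL_ATTRIBUTES[level]
        level_ratings = [rate(scores.get(pa, 0)) for pa in names]
        ratings.update(zip(names, level_ratings))
        weakest = min(level_ratings, key=RANK.__getitem__)
        if RANK[weakest] < RANK["L"]:
            break  # N or P: this level is not achieved
        achieved = level
        if weakest != "F":
            break  # L: level achieved, but the assessment stops here
    return achieved, ratings


if __name__ == "__main__":
    # Constructed sample scores, not data from the case study.
    sample = {"PA 1.1": 100, "PA 2.1": 92, "PA 2.2": 88,
              "PA 3.1": 90, "PA 3.2": 60}
    print(capability_level(sample))
```
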
C. RACI Chart
COBIT 5 provides a RACI Chart, a matrix of all activities or decision-making powers carried out in an organization for all people or roles for each process [8], [10], [11].
1) Responsible: People who do an activity or do work.
2) Accountable: The person who is responsible and has the authority to decide a case.
3) Consulted: People whose feedback or suggestions are needed and who contribute to the activity.
4) Informed: People who need to know the outcome of a decision or action.

D. Audit Procedures
ISACA developed a step-by-step guide on performing audit procedures, entitled Information Systems Auditing: Tools and Techniques Creating Audit Programs. There are three main processes in carrying out an audit in the guide: planning, fieldwork/documentation, and reporting/follow-up.

Figure 3. Three phases of the audit process [8]

At each stage, there is a step-by-step process that researchers can develop independently. The planning phase typically consists of planning the pre-audit process, determining the scope, defining what to audit, and describing the steps that are performed during the audit process. The second stage, fieldwork/documentation, is the stage in which the audit process takes place, where data acquisition, control testing, problem identification and validation, and documentation of the analysis results are performed. The final phase is the reporting/follow-up phase. This phase occurs after the audit process is complete and all data and conclusions have been received. This process involves collecting report requirements, creating and completing reports, and tracking the parties involved in the audit.

Step-by-step audit process [8]

The following are the data collection methods related to the assessment process carried out in this study [12]-[15]:

E. Observation
Observations made at the PT Bank Central Asia Tbk. Head Office aimed to identify and collect relevant information. Observations ran from June 2019 until August 2019. Data were collected by observing firsthand how the system and services were provided by the ITSM work unit in the GSIT division.

F. Interview
The interviews were conducted as discussions with several managers and staff from the ITSM work unit. The interviewees consisted of 2 Service Requests & Incidents Management Managers, four other staff, one problem management manager, and three staff. The interviews were used to obtain the data needed to analyze the business processes currently running in the company, especially those related to service management applications. The interviews followed a questionnaire based on the key activities of levels 1-5 in the COBIT 5 framework for the DSS02 and DSS03 processes.

G. Literature review and document study
The literature review was done by collecting data in the form of descriptions or explanations related to what is being studied. Data collection was carried out by reviewing several journals and books related to the research, and by reviewing and studying the procedures carried out by the ITSM work unit through observation and analysis of existing procedure documents.

A. Data Gathering
The data-gathering phase takes place before the assessment process begins and consists of 3 parts: the collection of pre-assessment information, Requirements Gathering, and Identification of the target sources.

1). Collection of pre-assessment information
At this stage, the activities carried out are to identify field conditions directly by conducting a work environment survey, to identify the hierarchical structure of the work unit, and to establish, in consultation with the relevant managers, which work processes need to be assessed.

2). Requirements Gathering
The Requirements Gathering activity determines what is needed to conduct an assessment, including a list of documents based on COBIT 5 and the target sources to be interviewed. The document requirements, or so-called work products, for each process are as follows:

B. Identification of Target Sources
The identification of the sources was determined based on the RACI Chart COBIT 5 in the DSS02 and DSS03 processes. A total of 10 resource persons were appointed. The Manager consisted of 2 Service Request & Incidents Management Managers, four other staff, one problem management manager, along with three staff.

C. Observation
At this stage, field observations were carried out after a literature study of the related documents and SOPs. The observations took place within the ITSM work unit's work environment, to match the work procedures with the SOP documents that had been studied.
The DSS02 and DSS03 assessment processes are carried out by identifying the subprocesses listed in COBIT 5 and then matching them to the work process being carried out. Field observations focused on level 1 assessment activities on the DSS02 and DSS03 processes. After conducting a comparative study of SOPs with work processes, it can be concluded that the DSS02 process has no findings, all activity processes have been well documented, but for DSS03, there are two findings related to service management applications that are not fully integrated, and also related to cost monitoring.

D. Interview
The interview process focuses on the assessment process level 2 to 5, where direct interviews are carried out with resource persons who have been identified on the RACI chart. After the interview, the DSS02 and DSS03 processes achieved capability level 3 (Established Process). There are still shortcomings in the determination of process standards, especially in the field of SOP documentation standard-setting; this causes the two processes not to achieve capability level 4 (Predictable Process).

Judging from the table above, based on the assessment process carried out, it can be concluded that the DSS02 and DSS03 processes meet the Fully Achieved value at levels 1 to 3. However, for level 4, it is still included in the Largely Achieved because there are still incomplete documents and standard procedures that have not been completed.
The following are recommendations for improvements that can be made by PT Bank Central Asia Tbk. to achieve a higher capability score:
1) Identify infrastructure and work environment needs based on business process objectives, and document them in the service request & incident management procedures as a standard process. This serves as a guideline for smooth process activities to achieve business goals.
2) Refer to the procedure for managing the service request process based on the standard that is used as a reference if further review is needed.
3) Establish a maintenance documentation process for infrastructure and work environment as a reference for process improvement.
4) Plan and determine the goals to be achieved from the evaluation process of improving the performance of the service request & incident management process, as well as the actions that need to be taken to improve the performance of the processes that have been carried out so that the process is more effective and efficient.
5) Determine control limits & normal parameters in the service request & incident management process, such as CPU threshold, server load, etc., and document them as part of the standard process.
6) Identify control techniques in the form of actions taken to keep the process normal, so that it does not exceed the threshold limits set by the normal parameters of the specified service request & incident management process, and document them as a standard process.
7) Determine a change control procedure in the form of documentation of the change actions taken if needed during the improvement process, and make it a process standard.

Recommendations of DSS03
1) Connecting Configuration Items (CI) to known error/established, so that the fundamental structure of the problem management system is more integrated.
2) Monitor costs related to resources used in order to maintain transparency to process stakeholders.
3) Identify infrastructure and work environment needs, and document them into problem management procedures as a standard process.
4) Establish documentation procedures in the maintenance of infrastructure and work environment as a reference for process improvement, and make it a standard process.
5) Plan and determine the goals to be achieved from the evaluation process of improving the performance of the problem management process, as well as the actions that need to be taken to improve the performance of the processes that have been carried out so that the process is more effective and efficient.
6) Define normal control limits & parameters on the performed process and document it as part of the process standard. This can help in the running of the process so as not to go outside the specified normal limits.
7) Establish a data measurement analysis method for the special causes of a variety of events, so that the results of the data analysis can be used as a reference in carrying out follow-up on the variation in the occurrence of these events.

IV. CONCLUSION
Based on the results of the analysis and the discussion in the previous chapter, the following conclusions can be drawn:
1). According to the evaluation using the COBIT 5 capability levels, the current capability level of the Manage Service Requests and Incidents (DSS02) process is level 3, and the current capability level of the Manage Problems (DSS03) process is also level 3. Both processes are at level 3 (Established Process), which means the process has been identified and carried out with formal standard procedures and is mostly well documented. Because the target level to be achieved by PT Bank Central Asia Tbk. is level 4, the process still needs improvement to reach that level. However, overall, the processes that have been implemented so far are pretty good, and most have followed general standards.
2). To achieve the target level, namely level 4 (Predictable Process), the results of this study have resulted in recommendations for improvements that need to be made to achieve the target level of process capability