COBIT5 has been around for a couple of years now, so I should probably stop referring to it as the new release and simply call it the latest. I was introduced to COBIT back in version 4.0, and have since been involved in several opportunities to use COBIT5. There are many cool things about it, and it’s difficult to outline all of them in this post, but I wanted to share some thoughts on what I feel are the biggest hitters for me. These observations are a culmination of many real-world experiences, all of which are unique to my journey, and I’m sure many of you have unique stories of your own. In any case, I hope you gain something from reading my top ten reasons why I’m a COBIT fan. And here they are…
1. COBIT is relevant- the goal is to deliver value.
The enterprise exists to create value for its stakeholders. This is simple in theory but tough in real life. COBIT was created from the top down, meaning that the entire model focuses on the primary facets of providing value: realizing benefits, while optimizing risks and resources. From the goals cascade to the enablers, COBIT helps you focus on value. Now, I’ll admit that you really should understand the complete framework to realize its full benefits. While implementing portions of the framework certainly helps, it may not identify where your gaps exist.
2. COBIT still focuses on information.
If an enterprise doesn’t manage its information, it will no longer exist. COBIT focuses on the information first, and that is the right way to look at it. Without information, there’s no need for the technology.
3. COBIT is not just for the big companies.
COBIT has escaped the “for big companies only” misconception. Whether you have a small IT organization, or several hundred resources, COBIT fits any size; you just need to identify your business goals, objectives and mission to operate as a going concern. I’ve seen an organization with two IT staff members leverage COBIT.
4. COBIT is a framework that looks beyond just processes.
COBIT’s seven enablers are designed to help you get beyond just looking at processes. These enablers include 1) Principles, Polices and Frameworks, 2) Processes, 3) Organizational Structures, 4) Culture, Ethics and Behavior, 5) Information, 6) Services, Infrastructure and Applications, and 7) People, Skills and Competencies. These provide a more holistic approach to governance where changes in one enabler must be adequately assessed across all enablers.
5. COBIT is a great reference for process owners.
All processes should have owners. I’ll even take that a step further and say that all processes should have assigned roles. Within COBIT5 there is a wealth of information regarding processes. There are 37 processes organized into five domains (one governance domain and 4 management domains). Within this process reference model, the biggest hitters for me include: process description and purpose, practices and activities, inputs and outputs, RACI charts, goals, and related industry standards and frameworks.
6. COBIT has a goals cascade that is flexible and useable.
This is not just an academic reference, but a really helpful tool. I’m often heard saying that this is one of the best kept secrets in our industry. To this day I am surprised that most people are not aware of its utility. The goals cascade is a series of mappings that allow you to link stakeholder needs to enterprise goals, to IT related goals, and to enabler goals. Once you’ve seen how this works, you will most certainly be hooked.
7. COBIT has a product family that is consistent, like a single playbook.
One of the key principles of COBIT is to provide an integrated framework that is complete in enterprise coverage. This provides a basis to integrate and align with the latest relevant standards and frameworks, as well as all knowledge previously dispersed over different ISACA frameworks. So what does this mean? The COBIT product family is my starting point, and lets me know where to look for additional information.
8. COBIT can be incorporated with other frameworks.
I often get challenged when I say that I’ve used COBIT as a “framework to manage my frameworks,” but this is a true statement, and it works. Some of the most prominent I’ve seen include ISO38500, ISO31000, ISO27000, ISO20000, ITIL, PRINCE2, and CMMI. Yes, you can use more than one framework in an enterprise, and COBIT helps you figure out how to do it.
9. COBIT is the “middleware” between Governance, IT, and Assurance.
Hopefully you don’t take me literally here by using middleware, but let’s look at middleware’s purpose. It provides a link to exchange information between dissimilar systems. Now considering the gaps we see between Governance, IT and assurance, doesn’t this make sense? Think of it as a common language that can finally bridge that gap. I’ve used COBIT as a translator that can get us all thinking about the same enterprise goals.
10. No more control objectives!
This doesn’t sit well with the folks who like the word control. I’ll admit that when COBIT5 replaced the term, I was skeptical. I’ve had a change of attitude about this. COBIT now uses terms like Management Practices and Activities, and for good reason. Instead of controlling the technologies that manage your information, shouldn’t you be focusing more on the management practices? I certainly think so, since they are the guidance necessary to achieve process goals. If it really bothers you, can you still use the term control objective? Sure.
Final thoughts on COBIT.
Whether you’re a board member, executive, auditor, or IT Operator, do yourself a favor and learn more about it. Admittedly, many people find it difficult to simply thumb through the various publications and experience the “ah, I get it now” feeling. My advice to anyone who wants to learn more about it is to go to the ISACA site (www.isaca.org) and download some of the key publications. For starters, you should get the COBIT5 Framework, Enabling Processes, and Implementation guides. Additionally, there are a lot of good resources on the site that might help you out, like COBIT Online and “ask the expert” sections of the site.
Having said all of these great things about COBIT, I want to emphasize that adopting a framework does not guarantee your governance success, but it sure does offer a great starting point. COBIT offers a common language that can be shared across the enterprise, but real adoption requires executive support, a desire to improve, and a strong desire towards achieving the governance of enterprise IT.
COBIT 2019 Governance and Management Objectives Domains
Each of the 40 Governance and Management objectives are aligned with an applicable domain. For example: Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore COBIT 2019 has 40 processes. The schematic below outlines these.
COBIT Governance and Management Objectives link to Processes.
This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.
Getting from the COBIT “Core” to a tailored governance system
One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.
As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provide some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.
What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.
Linking the COBIT2019 Core to a tailored system.
Design Factors and Focus Areas
In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.
Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- I&T-related issues
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
- Enterprise size
- Future factors
If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.
Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.
Impact of Design Factors.
A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:
- Small and medium enterprises
- Cybersecurity
- Digital transformation
- Cloud computing
- Privacy
- DevOps
As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.
Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.
Workflow for designing a tailored governance system
COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.
Steps to creating a tailored governance system using the COBIT Design Guide.
By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.
Linking the Design Guide and Implementation Guides
The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT5. This is good in my opinion, it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.
In case you are not familiar with this, the COBIT implementation roadmap looks like this:
The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).
The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.
COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.
The Design Guide and Implementation Guide have a very distinct relationship and specific uses.
Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:
COBIT Design and Implementation Guide Relationships.
You may recognize that not all the phases in the Implementation Guide are linked to the design guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.
Using tools to assist in designing your new governance system
Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:
- Introduction and instructions
- A canvas tab that consolidates results including target capability levels
- One tab for each design factor
- Summary tabs that graphically represent the outcomes of steps 2 and 3
- Mapping tables for design factors
I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.
