DON’T LET YOUR DIGITAL TRANSFORMATION EFFORTS OUTPACE YOUR ABILITY TO GOVERN THEM – REVIEW AND ASSESS YOUR POLICY FRAMEWORK NOW

In today’s high velocity business environment, it’s easy to lose sight of some basic governing principles that might be viewed as cumbersome and restrictive. Be careful, because governance principles exist to ensure the proper balance of performance and conformance when achieving business objectives. If your organization ignores your essential internal controls, it can introduce vulnerabilities that were never intended. Those vulnerabilities can then expose you to risk scenarios that could thwart your achievement of business goals. One of the key components of your governance system is policies, and this blog post is a result of my thoughts and experience in this area.

Ready or not, digital transformation is here

The Fourth Industrial Revolution, often referred to as the “digital transformation” age, is here. Whether you are on board or not, it is going to affect your enterprise sooner rather than later. Going digital is on the tip of nearly every business and technology leader’s tongue today. The term itself differs by industry and organization, but at a minimum you should define its value in business terms. It is, of course, impossible for business and IT leaders to devise and pursue an effective digital transformation strategy without a solid grasp of the term itself. Here’s my definition:

Any digital transformation effort should be focused on driving value. A major factor in this transformation requires new and innovative technologies that enhance user and customer experiences. However, as we extend our digital capabilities, we should also be mindful of our governance, risk and compliance structure. Now that we have evolved digitally…why haven’t we evolved our governance structures too?

Of course, there are some inherent obstacles to success: resource requirements, new vulnerabilities, organizational silos, treating this as an IT-only responsibility, concerns over IT capabilities and failure to consider customer/user experience (CX/UX). All of these can be mitigated by updating your governance system so that it focuses on the value aspects of delivering benefits while optimizing risk and resources.

Time to take a look at your governance system over enterprise information and technology

Digitized enterprises are increasingly dependent on information and technology (I&T) for survival and growth. Given the importance of I&T in supporting the enterprise’s objectives, Enterprise Governance of Information and Technology (EGIT) is an integral part of any governance framework. According to the latest release of the COBIT framework, COBIT 2019 by ISACA, a governance system should consist of the following governance components:

Components of a governance system: COBIT 2019, ISACA

You may recognize these as enablers from an earlier version of COBIT, and these are finally getting the attention they deserve.

Think of these components as the ingredients of a governance system. They can be addressed independently, but should be treated as a collection of interconnected requirements. This helps you fully grasp how technology organizations can meet the various governance or management objectives that support a governance system. The complex interconnections between components can invalidate your efforts if you don’t understand their connections and dependencies. For example, if you make a major change to a PROCESS, you should also look at how that change affects, or is affected by, the other components.

Here is an example of a client who had great intentions, but completely misunderstood how this ecosystem works:

Policies are critical to the governance system

One very important governance component in today’s high velocity environments is policy. Too many organizations outpace their policies when aggressively pursuing a digital posture. This creates more confusion and vulnerabilities than necessary. There are many elements involved in understanding policies; these are outlined below.

A principle is a clear expression of the core values of the enterprise. Principles should be limited in number and expressed in simple language. Principles influence policies and are driven by culture, legislation and regulations, standards, and most importantly, the enterprise values and vision.

A policy is a statement of principles that supports the achievement of the enterprise’s goals. Policies are the communication mechanism used to convey direction and instructions, and they are central to enterprise governance systems. They express organizational principles or requirements that set the directional tone, and they can apply to an entire organization, a department or a specific area.

Finally, a procedure supports a policy with more detailed activities. Procedures should have an internal focus and can connect related functions and processes. Think of a procedure as an established way of accomplishing the outcome of a policy, through processes, practices and activities.

Now that I’ve reviewed some basic definitions, it’s time to look at my thoughts on how you can either establish or review your policies to ensure they are not being left behind.

Step 1, understand your policy “ecosystem”

My quest for policy framework guidance started when I was doing a COBIT process capability assessment for a client a few months ago. They asked me to assess their policy framework maturity. This organization was in an aggressive growth phase and actively funding a digital transformation effort. They wanted to ensure that their governance framework, and more specifically its policy component, was keeping pace with their modernization efforts. I searched everywhere, but the only framework with any substantive guidance at this level was COBIT. Of course, there are plenty of articles and whitepapers on do’s, don’ts and good practices, but nothing solid.

Based on my previous experiences and research, my first task was to determine what I call my altitudes of policy, as illustrated below:

Policy altitudes and ecosystem

These altitudes helped me understand where policies fit in the larger picture. Your organization may see this differently, but my advice for you is to really understand your terminology. Your ecosystem could look completely different from mine.

Step 2, understand key practices and activities

My second task was to determine HOW I was going to set up the practices and activities within a policy framework in order to analyze and assess maturity. I decided to write my own guidance using the COBIT format. As you can see below, key practices are supported by activities. I used these as the basis for my evaluation; you might think of them as control objectives. Of course, this is not an exhaustive list, but it gave me a basis for understanding what should be accomplished.

Practice 1. A policy framework is documented, approved, and enforced

a. The policy framework includes dependencies and interrelationships with all other enterprise policies.

b. Appropriate KPIs are created for policy management and are tracked, monitored, reported and acted upon.

c. The policy framework includes a central system of record repository that is considered the source of authority for the enterprise’s policies and procedures.

d. The policy framework includes a mechanism for monitoring internal and external factors that may require policy framework modifications.

e. The policy framework aggregates and reconciles compliance with multiple regulations and requirements, the policies that result from them, and the processes that ultimately monitor and control them.

Practice 2. A policy lifecycle management system is approved and recognized

a. The processes for drafting, approving, implementing, continuously monitoring and retiring policies are defined and adhered to.

b. Policies are developed in consultation with key stakeholders.

c. Ownership of each policy is clearly identified and administration occurs collaboratively.

d. Changes and modifications to policies are subject to the enterprise governance approval process.

Practice 3. Policies are communicated and distributed to all stakeholders

a. Policies are published and distributed to all stakeholders, including employees and business partners whose actions they govern.

b. Policy training and awareness is conducted.

c. There is an established process of communicating changes to appropriate stakeholders, owners, and applicable practitioners.

Practice 4. Policies are monitored, enforced and maintained

a. The policy framework ensures that verification and validation of stakeholder training and understanding are an integral part of policy management.

b. Organizations assess the level of non-compliance with any given policy to determine whether the policy should be amended or left in place without modification.

c. Compliance is monitored and violations investigated and addressed.

Practice 5. Technology is used to support the policy framework

a. A common technology platform is used to consolidate enterprise policies and procedures from various departments.

b. The most recent and approved versions of all policies and procedures should be stored and managed through a centralized policy repository.

c. Enterprise policies and procedures are readily available to all stakeholders, owners, and practitioners.

Practice 6. Each policy should meet good practice criteria

a. Policies have a purpose statement and an owner or appointed steward.

b. Policies must be clearly aligned to an organizational principle or desired behavior.

c. Policies must provide references to any specific laws, regulations and standards they are intended to support.

d. Policies are linked to enterprise risk appetite and internal controls.

e. Policies must include scope, validity and an effective compliance date from which adherence is monitored and enforced.

f. Policies must include consequences for failure to comply.

g. Policies must include escalation procedures for handling exceptions.

h. Policies are reviewed and approved on a consistent basis or updated as necessary.

i. Internal and external stakeholders are identified.

j. Policies should be effective—they achieve the stated purpose.

k. Policies should be efficient—they ensure that principles are implemented in the most efficient way.

Although the practices and activities identified above may need some updating or consolidation, they are a good start for determining the requirements of your policy environment, and they do not depend on the size or type of organization. As far as I know, this is the first set of publicly available “control objectives” for policy assurance in our industry today, so it is a work in progress.

Step 3, determine a consistent approach to measuring and assessing maturity

There is much confusion right now about maturity and capability models. As of this writing, I have not found a definitive resource to assist in assessing and rating the level of maturity for a policy framework.

My next step was to create a maturity model for the policy component. Since my client was asking for an assessment of their policy framework maturity, I chose to turn to CMMI to help me with this. Stay tuned, that is the subject of a future blog post.

Conclusion

The scope of this blog post is the policy framework associated with the enterprise’s governance over enterprise information and technology, not the entire organization. What you have just read is what I believe to be the first set of potential control objectives for policy frameworks. As mentioned earlier, they may exist somewhere, but I couldn’t find anything clean and concise, so I made my own based on many different standards, bodies of knowledge and client needs.

Look out for an upcoming blog on how to create a maturity assessment of your policies soon.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 governance and management objectives is aligned with one domain: governance objectives are found in EDM (Evaluate, Direct and Monitor), while management objectives are in APO (Align, Plan and Organize), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support) and MEA (Monitor, Evaluate and Assess). Each objective relates to one process, so COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is important to know because these objectives cover all the potential areas an enterprise needs to address to support the needs of its stakeholders. Note that not all of these objectives, or processes, need to be at the highest capability level or fully implemented. The idea is that, based on certain attributes, companies can tailor which ones are implemented and to what level. That takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release ISACA provides some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT 2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways they can exert influence, as noted below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note that you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. The result should be a set of prioritized governance and management objectives or related governance system components. Be aware that this can produce conflicting guidance, which is quite likely when several design factors pull in different directions. As you most likely know, there is no magic formula for this; you may have to resolve discrepancies case by case. Our business environment is very dynamic, so as conditions and strategies change you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. In my opinion this is good: it is a great model that just needed some additional guidance, which we are now getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may notice that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation, such as the PMBOK, PRINCE2 and, of course, the processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to create a governance and management framework that is truly customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.
