SOLVING FRAMEWORK FATIGUE. USING COBIT5 TO MANAGE FRAMEWORKS AND ACHIEVE BUSINESS VALUE

With a multitude of models, standards, bodies of knowledge and frameworks in our industry, it’s easy to see how navigating through these becomes utterly exhausting for an IT service organization. The jigsaw puzzle of frameworks is daunting. Frameworks, whether adopted from industry models or built internally, provide critical structure. Nonetheless, many feel that they are a hindrance.

If this sounds familiar, then take a look at COBIT. COBIT is a framework that can not only assist the enterprise in creating a holistic approach to the Governance of Enterprise IT, but can also be used effectively as a framework to integrate other frameworks.

Understanding Value

A large challenge many organizations face is not realizing that there are several governing levels and areas that must be considered when selecting the most appropriate frameworks. In today’s environment, one single industry framework simply won’t suffice.

Looking through a governance lens, it is important to understand that adopting frameworks requires a solid understanding of the business environment as well as the value that each of these frameworks provides. Therefore, it is vital that frameworks are analyzed and adopted based on several factors, all of which should focus on one theme: create value for the enterprise. This means that IT-enabled investments provide expected business benefits while optimizing resources and risks. Recognizing this is the first step towards creating a system of frameworks to support value.

 

The Framework Ecosystem

Consider looking at the framework ecosystem from multiple levels as illustrated below. These levels provide a good starting point for determining what value is created by leveraging a framework. Stakeholder needs have many drivers, but these must have a balance between performance and conformance.

At the Enterprise Governance level, the Balanced Scorecard helps measure business performance, while COSO (Committee of Sponsoring Organizations) creates a system of internal controls for conformance. This is followed by the GEIT level (Governance of Enterprise IT) where frameworks such as COBIT exist. At the Standards and Good Practices levels, frameworks can be selected based on their ability to satisfy the stakeholder needs.

 

Simply understanding these levels will not automatically select the right frameworks. Since every enterprise sees value differently, an inventory of appropriate solutions must be conducted.

An Inventory of Frameworks

Now that we have identified the layers, what are the specific frameworks that exist? First, it is important to understand that frameworks come in many shapes and sizes, and all have very specific business challenges and value propositions. The table below illustrates generic categories, and some of the more popular frameworks being adopted today to support them. Of course, these are not complete lists, but they represent how many of these can be placed in the enterprise to provide the most value.

 

It is usually at this point where framework overload begins to emerge, and many organizations simply go right to the solution before truly understanding the reasons why, or jump to a single framework that appears to satisfy the most requirements.

It is impossible to simply pick a few frameworks and decide that they are the right fit because the industry says so. A key success factor to consider when integrating frameworks and standards is to strategically leverage several models based on their value contribution to the enterprise.

Integrating frameworks

There are a few myths about frameworks that should be known before you start: first, a ‘best practice’ is only as good as how well it is adopted; second, frameworks are suggestive, not prescriptive; and finally, there is no such thing as a single silver bullet.

Therefore, it is no surprise that one of the top questions today regarding multiple frameworks is this: Is there at least a framework that will help me manage all of my frameworks? The answer is simple. Yes, and it is called COBIT. This comprehensive framework is part of the ISACA product family (www.isaca.org/cobit) and assists enterprises in achieving value through the governance and management of enterprise IT. At the core of the framework are five principles, which are major inputs to how an enterprise selects, adopts and leverages other frameworks.

  1. Meeting Stakeholder Needs. Creating value through benefits realization by optimizing costs and risks.
  2. Covering the Enterprise End to End. Include owners and stakeholders, a governing body, executive management, and operations and execution.
  3. Applying a Single Integrated Framework. Integrating all common industry frameworks and standards under a single model.
  4. Enabling a Holistic Approach. Using enablers to ensure that the governance objectives are met.
  5. Separating Governance from Management. Providing a clear separation between direction and the management of executing that direction.

Principle number four above consists of seven core enablers. Think of an enabler as an ingredient to success. Within the context of an initiative to integrate multiple frameworks, these factors can guide in the successful selection and integration of multiple frameworks. Although many frameworks today have a tendency to focus on processes (one of the seven enablers), it is important to consider a holistic approach to an IT governance initiative. This means connecting the dots between multiple areas that can have an effect on each other. The list of these enablers is below:

  1. Principles, Policies and Frameworks
  2. Processes
  3. Organizational Structures
  4. Culture, Ethics and Behavior
  5. Information
  6. Services, Infrastructure and Applications
  7. People, Skills and Competencies

How does COBIT become a framework to manage frameworks? From a holistic view, the enablers will not only help identify which frameworks are appropriate, but can also assist in determining the level of adoption as well. One of the powerful features of COBIT is that it references other frameworks. Within the COBIT Process Reference Model, there are 37 processes in 5 domains. Each process is further described with information noted below.

 

In the Related Guidance section, COBIT refers to the applicable industry frameworks and standards that offer the most guidance from a best practice perspective. For example, if an organization is adopting formal practices for the process of managing changes, COBIT suggests further guidance in both ITIL and ISO20000, and where to look. If enterprise architecture is the focus, then COBIT suggests TOGAF, etc. Therefore, it is not enough to just adopt COBIT, because there is further guidance in the form of other frameworks and standards that provide further good practices.

Adopting COBIT as a framework to integrate other frameworks is a good business decision. Since COBIT is first and foremost a business framework, it focuses on stakeholder needs and assists organizations in balancing performance and conformance when suggesting supporting frameworks.

Suggestions for success

Of course, there are a few good practices to consider when selecting, integrating, and adopting multiple frameworks in this ecosystem. The list below contains some of these good practices.

  1. Understand how the levels of governance interact. It is very important to understand how the enterprise sees the levels so that frameworks can be correctly positioned.
  2. Use COBIT as a framework integrator. COBIT uses a holistic approach to governance enablers, and assists in determining which industry frameworks and standards are applicable.
  3. Use more than one framework. They each have unique focus areas. The framework ecosystem must provide value for the enterprise, and one single framework cannot provide everything needed to accomplish this objective alone.
  4. Train the stakeholders on the utility and applicability of each framework. Companies love to train, but often fail to go to the next step of transforming the things learned from training into actual value. The lack of training and understanding of how frameworks help an organization is the number one silent killer of any adoption.

Regardless of industry or size, all companies need governance, and with that need comes multiple frameworks, models and standards. Using COBIT to assist in integrating a holistic approach to governance while managing multiple best practices will ultimately help meet the governance goal of meeting stakeholder needs. COBIT has many tools and techniques in the product architecture that can be adopted to reduce the exhaustion of managing multiple frameworks, and allow the enterprise to focus on value.

As always, this is my perspective and I welcome your comments.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives is aligned with an applicable domain. For example: Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore, COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provided some much-needed guidance on how to do this. In addition to the guides, there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance, which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT5. This is good in my opinion, it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the design guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.
