USING MULTIPLE GUIDANCE SYSTEMS FOR THE GOVERNANCE OF ENTERPRISE IT

The most secured company in the world

I’ve been known to tell a story about when my CEO rounded up the executive management team (I was the CIO at the time) and pounded us with the question: “Why are we going out of business as the most secured company in the world?” We couldn’t believe it. There must be some mistake – we were passing audits, we were compliant, and we were secure. It was impossible to us that our balanced scorecard results were dismal. We were experiencing decreasing satisfaction scores, losing customers, and failing to meet our enterprise objectives around growth.

We were focusing our efforts on compliance, and our performance was struggling. The balance between performance and conformance were heavily tilted toward one side of the pendulum. Technical requirements were driving the business, rather than the business determining how to respond to those requirements in a manner that best served our stakeholders. Of course, compliance is crucial for business survival, but it’s not always the only guidance system to use for value creation. Compliance does not dictate security and security is not a guarantee that vulnerabilities will not be exploited. It is a matter of managing risk to an acceptable level of tolerance commensurate with business objectives.

Organizations should leverage multiple perspectives when determining how to prioritize efforts towards creating value. As in travel, you need to have a good fix on your coordinates: location, altitude, heading and speed before you determine your future moves. Where most companies go wrong is in choosing only one of these variables which gives you one perspective. Just like using a GPS to help you navigate, here’s how you should use more than one guidance system to help you focus efforts.

First, how does GPS work?

GPS satellites help you find your position on the ground based on time and position of satellites. A GPS receiver monitors multiple satellites and determines a precise position. At a minimum, four satellites must be in view of the receiver. This is called trilateration. The first satellite locates you, the second narrows your location, the third reduces the choice to two possible points, and the forth calculates a timing and location correction and selects one of the remaining two points as your position. Knowing the satellites’ locations and the distances to them allows the receiver to pinpoint its position on the Earth’s surface. It is possible to find your position from 3 satellites.  However, there is an advantage in using 4 satellites to determine your three dimensional position with no ambiguity.  

Develop pinpoint accuracy

A fine balance between performance and conformance are important in any organization. However, most enterprises that I encounter have a tendency to lean towards the conformance side to the point where it actually affects business performance. This is similar to finding your precise location on the ground by using only one satellite. Having tools available that offer pinpoint accuracy to where you need to focus efforts in an organization is crucial, hence, the GPS analogy. Decision making around efforts such as funding, assurance, improvements and compliance are all areas within an enterprise that require resources, and should not be determined with only one signal. The more ‘GPS’ signals you have looking into your ecosystem, the more accurate you can be at focusing your efforts.

I suggest using the GPS strategy where you have multiple perspectives, or guidance systems to determine the current status of your business. This will drastically improve your chances of NOT being like us: going out of business as the most secured company in the world. These four GPS signals include 1) Goals Cascading, 2) Risk Scenarios, 3) Pain Points, and 4) Regulatory & Compliance (see Figure 1.)

 

Figure 1, Using Multiple Satellites to Prioritize Efforts

The four satellites

One. Cascading goals.

One of the best-kept secrets in our industry today is the goals cascade. The cascade, as depicted in Figure 2 below, illustrates how an enterprise can select and prioritize practices that are the most applicable to meeting enterprise goals, and ultimately stakeholder needs. The model begins with stakeholder drivers that influence stakeholder needs. Stakeholder needs can be literally mapped to enterprise goals, IT-related goals, and finally enabler goals. Sounds like a daunting task? Here’s a bit of advice: the model is already done for you in COBIT. You’ll find a generic set of tables that map each of these levels. Although they are generic, they are adaptable and surprisingly relevant.

 

Figure 2, The COBIT Goals Cascade. Information from COBIT5, ISACA

This is not just an academic reference, but a really helpful tool. Once you’ve seen how this works, you will most certainly be hooked. At the enabler level is a more holistic view of the ingredients required to govern and manage enterprise IT. For example, if you know that a particular enterprise goal is the most important goal for the next year, then you can literally map that goal through the cascade and determine exactly which processes are critical to its success. This will result in a list of areas that you can use to compare to the other satellites, but remember, this is only one of four guidance systems.

Two. Risk scenarios.

The use of scenarios is key to risk management and is applicable to any enterprise. An IT risk scenario describes IT-related events that could lead to a business impact if it occurs. Luckily, COBIT5 for Riskcontains a set of generic IT risk scenarios and can serve as inputs to risk analysis activities, and their effects on overall business objectives. Although the generic scenarios in COBIT do not replace the creative and reflective phase that every exercise should contain, it is not wise to assume that no other risk scenarios are possible or applicable.

After you define a set of scenarios, use this for analysis, where you can assess frequency and likelihood analysis while considering all of the risk factors involved. Risk factors are the conditions that influence the frequency and/or business impact of risk scenarios. Part of this analysis can be in the form of a risk map as illustrated in Figure 3. The numbers in the map represent the various risk scenarios.

 

Figure 3, Risk Map

This process results in the risk register, which records each scenario’s specific events, actors, threat types, asset or resource at risk, response, and mitigation. This process gives you valuable information for informed decision making, as well as a substrate to all of the other guidance systems. Use the results of this “GPS signal” to come up with the most critical risk scenarios that could hinder enterprise objectives, determine pain points, or guide compliance mitigation responses.

Three. Pain points

We all have them. Whether they are the “elephant in the room” that nobody wants to talk about or well known throughout the enterprise, pain points are those areas that need little effort to identify. Use pain points as additional drivers from which efforts towards the Governance of Enterprise IT initiatives are chartered. This can have a positive effect on the buy-in of your business case and creates a sense of urgency and support as well.

In the COBIT5 product family, the COBIT5 Implementation Guide does a superb job of identifying some of the most common pain points associated with enterprise IT. It also maps these pain points to specific processes in COBIT. For example, let’s assume that outsourcing service delivery problems such as agreed–on service levels consistently not being met is an identified pain point. Go to Figure 45 of the publication, and it identifies the following processes that could be selected for guidance corresponding to that pain point:

  • EDM04, Ensure Resourced Optimization
  • APO09, Manage Service Agreements
  • APO10, Manage Suppliers

To take this a step further, refer to the COBIT5 Enabling Processes publication for more information on definitions, goals, practices, activities, inputs/outputs, and roles/responsibilities for each of those processes.

There you have it, your third GPS signal to help identify your priorities. Now, we move on to the last of our four required guidance systems.

Four. Legal/Regulatory/Compliance requirements

If you’ve been in the assurance space for any amount of time, you are aware that no organization can be 100% compliant to everything that is out there. You have to synchronize this with your risk management process to determine the right response to each requirement. Some requirements; however, are legally required and must be adhered to, but as stated earlier: what level of adherence is the most appropriate?

The point of the above story is this: if you put steel plates over every opening, you may not have the funds to pay the mortgage, so you have to link this with the risk analysis and management processes in the enterprise (see our earlier guidance system regarding risk) to help determine the right investment of resources. In any case, with the volumes of legal and compliance requirements facing most organizations, it is best to determine the level of response based on what is best for the organization by balancing performance and conformance. The results from analyzing this GPS signal will help you determine what you may be legally required to do, and the level of response required in order to create value.

Aligning your satellites

Each of these guidance systems should result in a very clear list of high interest areas that would be the most appropriate from that perspective. Now, compare the lists. Are there any recurring areas? Certainly, there are, but if not, you can devise a prioritization scheme for each of these lists and normalize them into a single list. Now that the most important areas have been identified, compared and analyzed, more focused efforts can be identified.

Up to this point, I’ve been referring to focus areas, but now that we’ve walked through the concept of having multiple perspectives, what does this mean exactly? Let’s do a review of what focus areas might be:

  • Assurance activities. Audit scoping, prioritization, frequency and level of effort of audits that ensure the service providers are focused on providing value for the enterprise.
  • Resource allocation and prioritization. Portfolio, program, and project funding  that support alignment with the real objectives of the enterprise.
  • Quality and improvement. Initiatives focused on the overall improvement of services, functions, performance indicators, goal attainment and compliance.
  • IT and business alignment. The BIG ONE! Ensuring that service providers are focused on what the higher level goals are, up to the stakeholder needs of creating value.

Conclusion

The enterprise exists to create value for its stakeholders: realizing benefits while optimizing risks and resources. This requires more than one perspective, or ‘guidance system’ to fully understand what is required to do this. This blog has only identified four potential perspectives that worked for one organization. Yours might have more, but should never have less.

To link this strategy back to the original problem, how did my company prevent going out of business? We implemented a cohesive and consistent approach, using the four satellites, to determine those processes, practices and activities that really focused on creating value.

Give it a try, you might find that the business case is hard to challenge. As always, this is my perspective, and I welcome your comments or suggestions.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives are aligned with an applicable domain. For example: Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provide some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT5. This is good in my opinion, it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the design guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.

Skip to content