COBIT 5 – Business and Management Framework for better Governance!

Introduction

In today’s complex world, a number of standards and frameworks have been prepared and published by various institutions, each with its own set of objectives. Some of the prominent ones among this plethora of standards and frameworks are ITIL, ISO27001, PMBOK and TOGAF. Each of these is designed to meet the specific requirements of its user community.

Additionally, each has a specific depth and breadth of coverage in a specific focused area. There was no single, comprehensive, holistic framework that could integrate and encompass the requirements of the other standards and frameworks, cover the enterprise end to end and meet the needs of all stakeholders.

The COBIT framework filled that need.

COBIT 5 is the comprehensive business framework created by ISACA for the governance and management of enterprise IT. It is a single, integrated framework which aligns with other frameworks and is focused on meeting the business requirements. This article provides an overview of the framework and explains why COBIT 5 is indispensable for every enterprise using IT for its business.

What Is a Framework?

“Framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful”.

We need frameworks because they provide a structure for consistent guidance. So, if we need guidance about information security, we use the ISO 27000 series of standards, which together constitute an information security framework. If we need to design IT-enabled services, we use ITIL for guidance. All these niche standards can be integrated under the umbrella framework of COBIT 5.

COBIT 5 is a holistic business framework for the governance and management of enterprise IT in its entirety. The COBIT 5 framework is based on five principles, which are explained hereafter.

Principle 1: Meeting Stakeholder Needs

An enterprise has a number of stakeholders, both internal and external.

For example, an organisation has management and employees who are the internal stakeholders, and customers, partners, suppliers, government and regulators are the external stakeholders. These stakeholders have different and sometimes conflicting needs. Employees want job security, management wants productivity, customers want solidity of the organisation and good returns on their investments and regulators want strict adherence to the regulations and laws. The decision of the organisation to invest in modernization of IT to provide online facilities will have different meanings for different stakeholders. Employees will be worried about their jobs, management will be concerned about the selection of the right technology and quick returns on the investment, customers will be happy that they will get better service but, at the same time, worried about security and privacy of their information, and regulators will be keenly watching whether the organisation is complying with all the regulations.

To meet the diverse requirements of internal and external stakeholders, it is critical to keep in mind not only the management perspective but also the governance perspective when implementing IT. The objective of governance is to make a balanced decision, keeping all stakeholders’ interests in mind. The governance team represents all the stakeholders and is composed of the board of directors headed by the Chairman. The ultimate objective of governance is to create value for the enterprise, and this value creation leads to benefit realisation for the enterprise. Not all stakeholders can be happy with every decision, and every decision will have a different impact; governance is about negotiating and deciding amongst the different stakeholders’ value interests.

Principle 2: Covering the Enterprise End to End

In the earlier days of computer adoption, the IT department was responsible for the ‘IT function’. Data was sent to the IT department and processed reports were sent back. This is no longer the case. Information has become one of the critical assets of the organisation, and it is rightly said that in the information age, information is the currency of the enterprise. Every action and decision depends on the availability of the right information at the right time. COBIT 5 has taken this view and integrated governance of enterprise IT into enterprise governance. It not only focuses on the IT function but also treats information and related technologies as assets like any other asset of the enterprise. This enterprise-wide approach is made possible by enterprise-wide governance enablers such as a uniform framework, principles, structures, processes and practices. It also requires considering the enterprise’s resources, e.g. service capabilities, people and information.

COBIT 5 provides detailed roles, activities and relationships between stakeholders, the governing body, management, and the operations and execution teams, giving a clear picture of accountability and responsibility and avoiding confusion. This is done by providing RACI charts (Responsible, Accountable, Consulted and Informed) for each key governance and management practice.

Principle 3: Applying a Single Integrated Framework

All frameworks and models have now been integrated in COBIT 5, a comprehensive business framework at a macro level. However, this does not preclude the use of other niche standards and frameworks dealing with specialised areas, which can be integrated under COBIT. COBIT 5 aligns very well with other relevant standards and frameworks such as ISO 27000, ITIL, ISO, PMBOK and TOGAF, so as to provide guidance on the governance and management of enterprise IT while keeping its overall focus as a business framework. This is a very important aspect, as technical staff may become too focused on detailed technical activities and lose sight of the main business objective. COBIT 5 ensures that you do not lose sight of the overall enterprise goals of meeting stakeholders’ needs while pursuing IT-related goals.

Principle 4: Enabling a Holistic Approach

An organisation cannot achieve enterprise goals through technical processes alone. To bring this thinking into clear focus, COBIT 5 has defined seven enterprise enablers:

1. Principles, policies and framework
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Each enabler has four dimensions – stakeholders, goals, life cycle and good practices. Enabler performance can be managed by defining metrics for the achievement of goals as well as metrics for the application of practices. This helps us to monitor whether we are on the right track and to measure the progress made toward achieving these goals.

Principle 5: Separating Governance from Management

The responsibility of governance is to evaluate stakeholder needs, conditions and options; decide on balanced, agreed-on enterprise objectives; and set the direction for the enterprise. This alone is not enough.

Governance also requires monitoring performance and compliance against the agreed-on direction and objectives. To help with the governance of enterprise IT, COBIT 5 has identified five distinct governance processes under the EDM (Evaluate, Direct and Monitor) domain. These processes make the task of governing enterprise IT very well organised.

Management of enterprise IT requires a number of processes to be applied. The four areas of responsibility for management are: Plan, Build, Run and Monitor. These have been further elaborated as below:

  • Plan – APO (Align, Plan and Organise)
  • Build – BAI (Build, Acquire and Implement)
  • Run – DSS (Deliver, Service and Support)
  • Monitor – MEA (Monitor, Evaluate and Assess)

These four domains together have a total of 32 management processes. Each process has a link with IT-related goals, clearly defined goals and metrics, RACI charts, management practices, inputs/outputs and activities.

How Is This Accomplished by COBIT 5?

COBIT 5 has identified a large number of stakeholders’ questions for various situations. These questions lead us to the selection of the enterprise goals. How can a framework know what goals an enterprise may have?

COBIT 5, as a business framework, uses the approach of the balanced scorecard (BSC).

As per BSC principles, an enterprise has to balance its goals in four dimensions – financial, customer, internal, and learning and growth. An enterprise that has only financial goals, but no goals from the remaining three dimensions, might soon fail as its goals are not balanced.

The enterprise goals ought to be business-oriented and should be the ones required for enterprise governance. COBIT 5 provides a matrix relating enterprise goals to IT-related goals. The IT-related goals are also based on the BSC principle.

It is not necessary to simultaneously pursue each and every one of these goals.

Governance is also about prioritisation. The organisation can select specific goals to be pursued at a higher priority. Armed with the selected IT-related goals, we can then identify specific enabler goals from the seven enablers identified by COBIT 5. There are a total of 37 process areas to guide us. These process areas cover all the operations and departments in any organisation.


Conclusion

Governance is the need of the hour, as is amply demonstrated by the failure of various enterprises that did not have an effective governance framework. Research has confirmed that enterprises which have effective governance in place are more successful and command a higher premium in the market. COBIT 5 is not just another framework but a holistic business framework essential for the governance and management of enterprise IT. With the growing importance of IT in enterprises, the huge investments being made in e-Business and e-Governance projects, and the e-way becoming the highway for all core business processes, it is essential that each one of us learns how to use COBIT 5, so that we become more effective and can contribute in our chosen area of work to achieving the enterprise’s business goals.


*Opinions and images in the article have been derived from various references, primarily the ISACA website.

This post was written by Suraj Mulay

Suraj has over seven years of training, consulting and auditing experience (ISO, ITIL, COBIT, CMMI, SSAE16, PCI DSS, PMP, PRINCE2) gained while working with organizations in Information and Communications Technology, banking and financial institutions, automobile, manufacturing, construction and power utility companies. He can be contacted at surajmulay@outlook.com