This past April, the Information Systems Audit Control Association (ISACA) came out with a new version of the COBIT framework. For the uninitiated, COBIT was first released in 1996 with the mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.” The previous version of COBIT, initially an acronym for 'Control objectives for information and related technology,' defined 34 generic processes to manage IT. The latest version of COBIT is now comprised of 37 processes – 5 governance processes, and 32 management processes. Here is ISACA’s new description of the framework:
“COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.”
As with previous versions of the framework, COBIT 5 defines each process with process inputs and outputs, key process activities, process objectives, performance measures and a maturity model. Much of the previous version is carried over but the latest version of COBIT has some significant changes. These are the changes highlighted by ISACA:
- New GEIT Principles
- Increased Focus on Enablers
- New Process Reference Model
- New and Modified Processes
- Practices and Activities
- Goals and Metrics
- Inputs and Outputs
- RACI Charts
- Process Capability Maturity Models and Assessments
After reading all of the COBIT 5 collateral (and there’s a bunch of it), I found the first three items on the list above to be the most noteworthy. Anyone acquainted with previous versions of COBIT will find Items #4 through #9 to be relatively minor so this post will focus on the first three.
NEW GEIT PRINCIPLES
COBIT 5 is based on five key principles (shown in the figure below) for the governance and management of enterprise IT.
Here are the descriptions of the principles according to ISACA, with some follow-up comments:
Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
This is my favorite of the five principles and I’ll be discussing it at length later in this post.
Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of enterprise IT into enterprise governance:
- It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise
- It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT
There are things I like and don’t like about this principle. I don’t like the inference that “governance of enterprise IT” needed to be “integrated into enterprise governance.” IT governance has always been intended to be integrated into enterprise governance. I’ll be the first to acknowledge this has seldom been the case, but COBIT 5 is not the founder of this idea. I’ll give ISACA the benefit of the doubt and assume they are simply noting that this integration is clearly articulated in the new version of COBIT.
What I like about this principle is that it “does not focus only on the IT function.” Far too many folks view IT governance as “the governance of IT” when in fact it is “the governance of information technology.” This said, COBIT 5 applies as much to “Shadow IT” as it does to “corporate IT.”
Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
ISACA does a nice job of mapping COBIT 5 to ITIL, TOGAF, Prince2, CMMI, ISO/IEC 38500, ISO/IEC 31000, and ISO/IEC 27000. But I’m not sure if each of the organizations necessarily agrees with the mappings.
Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
- Principles, Policies and Frameworks
- Processes
- Organisational Structures
- Culture, Ethics and Behaviour
- Information
- Services, Infrastructure and Applications
- People, Skills and Competencies
“Increased focus on enablers” is one of the changes to COBIT 5 highlighted by ISACA and I’ll address that change later.
Principle 5: Separating Governance from Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. COBIT 5’s view on this key distinction between governance and management is:
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives. In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organisational structures at an appropriate level, particularly in larger, complex enterprises.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
I have long had problems with the contention that “governance is separate from management.” This distinction is also “clearly stated” in the ISO/IEC 38500 IT Governance Standard. I understand the spirit of this separation, but I believe it is often misunderstood. I much prefer the idea of management being integrated with governance and I discuss it at length in my book. This post will be long enough so I won’t go down that rabbit-hole here.
INCREASED FOCUS ON ENABLERS
ISACA isn’t kidding when they claim there is an increased focus on enablers. The discussion of enablers is one of the best changes to COBIT5. ISACA provides extensive detail describing the challenges of implementing the framework and what is required to make COBIT successful in an enterprise.
According to ISACA, enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve. The COBIT 5 framework describes seven categories of enablers.
- Principles, policies and frameworks
- Processes
- Organisational structures
- Culture, ethics and behaviour
- Information
- Services, infrastructure and applications
- People, skills and competencies
NEW PROCESS REFERENCE MODEL
There is a new Process Reference Model but processes are not new to COBIT at all. Many of the processes in COBIT 5 are carry-overs from previous versions. The most notable change is the distinction between governance processes and management processes.
THE MOST SIGNIFICANT CHANGE TO COBIT
Of all of the changes to COBIT, I believe the most significant change is found in the first of the five new COBIT Principles – Meeting Stakeholder Needs. COBIT 5 describes how stakeholder needs have to be transformed into an enterprise’s actionable strategy. To accomplish this, the COBIT 5 ‘Goals Cascade’ translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals. Here is their Goals Cascade diagram:
According to ISACA, “the Goals Cascade allows setting specific goals at every level of the enterprise in support of the overall goals and stakeholder requirements.” The COBIT 5 Goals Cascade “provides the link between stakeholder needs and practical goals by translating these into increasing levels of detail and specificity.”
The need to fulfill enterprise goals has always been the mission of COBIT, but it has never been described as explicitly and comprehensively as it is in COBIT 5. The COBIT Goals Cascade places on exclamation-point on something I have been saying for years, “IT governance is a function of the business and not a function of IT. The business is accountable for governing information technology.” If the COBIT 5 Goals Cascade does not make this clear, one look at the list of COBIT 5 ‘internal stakeholders,’ listed in ISACA’s chart below should do the trick.
Almost every one of the COBIT 5 stakeholders is outside of the IT organization. Following this list, COBIT 5 can only be accomplished with the full participation of the business. And this participation is not passive. A very simple but meaningful ‘Roles, Activities and Relationships’ COBIT 5 graphic shows how COBIT 5 (Governance of Enterprise IT) begins and ends with enterprise ‘owners and stakeholders.’
The COBIT 5 Goals Cascade and the list of owners and stakeholders remove any doubt that IT governance is driven by the business. And that is the most significant change to COBIT version 5. Every COBIT implementation I have ever experienced or witnessed was driven by IT. In most cases it was instigated by the Audit organization, but the implementation of any vestige of COBIT was considered to be an undertaking by the IT department. With the latest version of COBIT, if the CEO and the CFO, and business leaders are not involved in the effort, then the enterprise is not implementing COBIT 5.
Though the explicit identification of IT governance accountability is expertly described in COBIT 5, I have doubts about the likelihood of it finally fostering the business participation and accountability required to ensure sound IT governance. Anyone who has walked into their CIO’s office and dropped COBIT on hers or his desk is acutely aware of the challenge of selling the need to implement and manage 34 information technology control processes. With COBIT 5, the CEO, CFO, and business leaders now need to be sold.
In COBIT 5, ISACA has provided an incredibly comprehensive IT governance framework. Given their attention to stakeholders and enablers, I have yet to find a stone left unturned. Now it is a matter of whether or not future implementations of COBIT will adhere to the COBIT 5 Goals Cascade and fully engage COBIT 5 internal stakeholders. As in the past, I think it is going to be a tough-sell.
~Steve~