Nine executives (including the author) were in a conference room, when the vice president of IT operations stated that due to recent issues within the organization, they should be looking at a governance-focused framework called COBIT. The remaining eight executives stared at him blankly.
This managed service provider offered outsourced IT services for the small to mid-sized market nationally. The data center was a multitenant environment that provided outsourced email, infrastructure, applications, development, project management and service desk functions. The structure was typical to this type of organization in the private sector, with administration, finance, sales and marketing, operations, and IT functions. Security, risk and compliance efforts were largely delegated to IT and were typically discussed only when issues arose. There were several frameworks and standards in use, although their adoption was fragmented. The organization was suffering from what stakeholders called “framework exhaustion,” and, thus, COBIT adoption was expected to be a hard sell but surprisingly was not.
Instead, recent events made COBIT a must. The company had experienced a big setback when its first and largest customer decided to turn to a competitor for the same services. In addition to the loss of this major customer, there were several additional pain points:
- The organization had experienced a significant drop in customer satisfaction scores.
- Approximately one of five recent new customer migrations had been near failures.
- The overall availability percentage had dropped in the last nine months due to several significant incidents.
These issues prompted a management review that determined that there was a single root cause: lack of governance over IT.
Making the Case for COBIT
In making the case to adopt COBIT, the stakeholders essentially looked at COBIT’s five principles and matched those with the organization’s specific needs as addressed in figure 1:
Figure 1—COBIT Solution Crosswalk |
||
COBIT Principle | Organizational Needs | COBIT Solution |
Meeting stakeholder needs | Focus on creating value for stakeholders—realizing benefits while optimizing risk and resources. | Goals cascade from stakeholder needs to enablers |
Covering the enterprise end to end | Transition from IT governing itself to the governance of enterprise IT (GEIT). | Roles, activities and relationships model from owners and stakeholders to operations and execution |
Applying a single integrated framework | Consolidate multiple frameworks under a single governance structure. | COBIT framework integrator that references relevant standards and frameworks |
Enabling a holistic approach | Stop focusing on processes only and expand into all governance enablers. | Seven enablers and their four common dimensions |
Separating governance from management | Clearly delineate between governance processes and management processes. | COBIT process reference model with one governance domain and four management domains |
Source: Mark Thomas. Reprinted with permission. |
Practically Applying COBIT
There were several useful applications of the framework in this scenario, but two stood out as immediately helpful. One was the goals cascade and the other was the process reference model.
The goals cascade was used to specifically target and prioritize efforts. The strategy was to use the COBIT mapping documentation without modifications. Therefore, stakeholders were able to add an additional mapping into the goals cascade with organization-specific goals. One unique aspect discovered was that stakeholders could map not only to processes, but to the other enablers as well. The following steps (figure 2) demonstrate how the goals cascade was used:
Figure 2—Using the COBIT Goals Cascade
- Stakeholder drivers—These were mapped directly into the specific organizational goals.
- Specific organizational goals—These goals were unique to this business and included specific performance and growth goals. Therefore, the stakeholder needs were added and mapped directly into the model.
- Stakeholder needs—No modifications were necessary. COBIT mapping was sufficient.
- Enterprise goals—No modifications were necessary. COBIT mapping was sufficient.
- IT-related goals—No modifications were necessary. COBIT mapping was sufficient.
- Enablers—From a process perspective, the goals cascade revealed 10 processes that needed to be addressed. However, just focusing on processes was not sufficient. Because the organization is a service organization, goals were also mapped to the services from the portfolio (more specifically, the service catalog). This allowed a more holistic approach. These mappings do not exist in COBIT, so stakeholders created these. The current plans are to incorporate the other enablers into this goal mapping in the future.
In addition to the goals cascade, the process reference model, coupled with the COBIT 5: Enabling Processes guide, provided the details needed to select the most critical enablers to improve. The stakeholders aligned this approach with the internal audit function to ensure that stakeholders are providing assurance based on the relative risk of the enabler. As mentioned previously, the goals cascade exercise yielded 10 processes that had a meaningful impact on the organization’s goal attainment. Because stakeholders did not have the capacity to improve all processes, these were categorized into a grid with the X and Y axis as “ease of implementation” and “expected benefits.” This offered insight into quick-win projects that could readily produce benefits.
Using COBIT 5: Enabling Processes established key practices and activities for the processes selected. For example, BAI06 Manage changes was one of the first processes in this effort. The process owner was able to formalize BAI06 with very few modifications:
- Process description and purpose—No modifications were needed.
- IT and process goal metrics—There are many from which to choose in the guide. Stakeholders in this case chose the most pertinent goals to use based on business critical success factors and the ability to collect the information.
- Reponsible, Accountable, Consulted and Informed (RACI) Chart—Because stakeholders did not have all roles suggested in the guide, this was modified this to meet organization-specific roles.
- Management practices and activities—All management practices and activities were adopted with no modifications.
- Inputs and outputs—These were modified. The organization had not fully adopted all processes at this point, so there were many inputs and outputs that were not formally recognized. Several of these artifacts/work products would not be addressed until those processes became more formal.
- Related guidance—This was used to determine which parts of other frameworks and standards would be referenced. In the case of BAI06, these included ITIL and ISO/IEC 20000.
Continuous Alignment With COBIT
COBIT is not just academic. The success of this effort was largely based on stakeholders’ ability to modify and adjust COBIT to fit the organization. There were several major areas that were the most beneficial. The goals cascade visualized how IT processes supported stakeholder needs. This effort has become a regularly occurring activity that supports continuous goals alignment. Also, enablers expanded the organization’s view beyond just processes. Using all of the enablers allowed the stakeholders to analyze the effects of a change to one enabler on the others. Additionally, this effort encouraged collaboration between IT and assurance, which streamlined efforts to satisfy performance and conformance.
Mark Thomas, CGEIT
Is an internationally known IT governance expert and the president of Escoute Consulting. His background spans more than 20 years of professional experience including leadership roles from chief information officer (CIO) to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, managed enterprise applications implementations, and implemented governance and risk processes across multiple industries. Additionally, he has forged a reputable competency as a consultative trainer and speaker in several disciplines including COBIT, ITIL and IT governance.