Creating Value With COBIT 5 at a Tokio Marine Group Company

COBIT 5
Author: Yuichi (Rich) Inaba, CISA
Date Published: 20 November 2014

Tokio Marine & Nichido Systems (TMN Systems) recently implemented a governance, risk and compliance ( GRC) system based on COBIT 5, which enables the organization to create significant value for its stakeholders as well as optimize risk and resources for value creation. The COBIT evolution to the concept of “governance and management of enterprise IT (GEIT)” made TMN Systems move toward COBIT 5 for guidance.

TMN Systems is an IT services company for Tokio Marine Group, which is a global corporate group engaged in a wide variety of insurance businesses. TMN Systems was established in 1983 and has approximately 1,400 employees. The key Tokio Marine Group companies to which TMN Systems provides IT services are Tokio Marine & Nichido Fire Insurance Co., Ltd., a property and casualty insurance company; and Tokio Marine & Nichido Life Insurance Co., Ltd., a life insurance company. Tokio Marine Group is one of the largest and most prestigious insurance companies in Japan. The scope of the IT services provided by TMN Systems includes systems development as well as systems operation for the group insurance companies. TMN Systems also supports a part of systems planning and monitoring for those organizations.

A GRC System for Value Creation

TMN Systems was faced with various risk and compliance response needs. In the past, the focus of the executive management had been on reactive risk management and compliance. Executives felt that it was easy to respond to risk and compliance needs in order to comply with the IT service agreement as well as laws and regulations of Japan, but that approach created uncertainty among some stakeholders about the company’s future.

Meanwhile, Tokio Marine Group’s IT governance system, implemented by Tokio Marine Holdings,1 recommended that the group companies establish equal partnership relations between business and IT, sharing proper roles and responsibilities. The result is the Application Owner System, which the company believes contributes to value creation for its stakeholders.

In addition, COBIT evolved to a governance and management of enterprise IT (GEIT) approach with COBIT 5,2 expanding the perspective beyond chief information officers (CIOs) and the IT department to include chief executive officers (CEOs) and the board of directors.

TMN Systems desired to resolve the uneasiness created by reactive risk management and compliance and create value for key stakeholders (i.e., customers such as Tokio Marine & Nichido Fire Insurance or other Tokio Marine Group companies). To achieve this, the organization decided to make the best use of the Application Owner System and COBIT 5.

As a result, TMN Systems has inevitably implemented the GRC System for value creation to the stakeholders.

The Concept of GRC at TMN Systems

Figure 1—Historical Inevitability of the GRC System

Figure 1
Source: Yuichi (Rich) Inaba. Reprinted with permission.

TMN Systems’ corporate motto states, “We globally deliver the technology with our whole heart.” Using the company’s motto, corporate philosophy and corporate mission statements as guides, TMN Systems defined three key governance/management fields: governance, risk management and compliance.

The governance objective is value creation. For each governance/management field, the organization determined its objectives, such as governance to create value, risk management to optimize risk and compliance to keep rules.

These three fields could easily become inefficient or contradictory if the operation of each were performed independently from GRC. To effectively and efficiently perform company operations, TMN Systems has integrated GRC into a single governance/management system, which it calls the GRC System, by using Tokio Marine Group’s Internal Control Framework (figure 2).

Figure 2—The GRC System Concept at TMN Systems

Figure 2
Source: Yuichi (Rich) Inaba. Reprinted with permission.

Tokio Marine Group’s Internal Control Framework

Following principle 3 of COBIT 5, “applying a single integrated framework,” TMN Systems used the Tokio Marine Group’s Internal Control Framework (TMG-ICF) as a single integrated framework.

TMG-ICF was established in 2002 by Tokio Marine Holdings to comply with corporate law in Japan. Tokio Marine Holdings has mandated that all Tokio Marine Group companies establish an internal control system by using TMG-ICF.

The outline of TMG-ICF is described in figure 3. A Tokio Marine Group company must do the following:

  1. Define its internal control areas, based on the type of operations it is performing.
  2. For each internal control area, establish the basic policies for the internal control area by using the prescribed format as well as by referring to the basic policies templates for each internal control area prepared by Tokio Marine Holdings as guidance.

Figure 3—Tokio Marine Group’s Internal Control Framework (TMG-ICF)

Figure 3
Source: Yuichi (Rich) Inaba. Reprinted with permission.

The Internal Control System at TMN Systems

Although it is actually a groupwide requirement to establish an internal control system, TMN Systems has proactively utilized TMG-ICF as an instrument for creating value rather than as a reactive compliance response. In other words, the organization complies with the group regulation, but is not limited to it. Rather, using this opportunity, it has evolved from an internal control system to the GRC System by adding the concept of governance and its value creation.

The internal control system established at TMN Systems is described in figure 4. There are 16 internal control areas. Of these, 15 are derived from and based on the Tokio Marine Group template, but they have intentionally added a TMN Systems-specific internal control area: IT services. Among the control areas, IT services and IT governance are the IT-related areas, whereas the other 14 are non-IT areas.

Figure 4—The Internal Control Areas at TMN Systems

Figure 4
Source: Yuichi (Rich) Inaba. Reprinted with permission.

The risk management internal control area is broken down into nine risk areas. The organization has established basic policies for each of the 16 internal control areas and a risk management policy for each of nine risk areas, which are TMN Systems-specific and original even though they are derived from the group templates.

In the basic polices for each internal control area, policies have been defined to establish the rule structure, organizational structure, plan-do-check-act (PDCA) processes and company culture that correspond to the seven enablers of COBIT 5.

The IT service area is a key internal control area for TMN Systems, because it is the core business at TMN Systems and it is an intentionally added internal control area into the TMG-ICF template. Special attention should be paid to article 3 of the basic policies for the IT service area (figure 5). It describes the guiding principles for the IT services area. It defines the way the organization conducts business, i.e., its culture, and is akin to setting the tone at the top.

Figure 5—Culture Definition in the Basic Policies for IT Services

The Basic Policies for IT Services

Article 3 (Guiding Principles)

Management shall engage in the business under the following policies:

  1. IT Services shall be propelled with transforming the business strategy of each Customer into the concrete business processes and sharing the objectives of Customer.
  2. The value of Customer shall be generated by both Customer and us in such a manner that we shall cooperate with the application owners of Customer and step into the business of Customer.
  3. Production volume of Customer system shall be as small as possible. The quality of our outcome shall be promoted to be maximized with Customer.
  4. The segregation of duties shall be made between development and operations as well as the work processes based on the cooperation between development units and operations units shall be performed.
Source: TMN Systems. Reprinted with permission.

The GRC System Over the Internal Control System

In addition to the establishment of the internal control system, a PDCA cycle has been implemented for the continuous improvement of TMN Systems’ GRC System. Figure 6 shows the outline of the GRC System.

Figure 6—The GRC System at TMN Systems

Figure 6

Source: Yuichi (Rich) Inaba. Reprinted with permission.

TMN Systems has explicitly applied the COBIT 5 principles to the GRC system as follows:

  1. Separating governance from management (principle 5)—Clearly separating governance from management, the governance layer performs the Evaluate, Direct and Monitor (EDM) cycles while the management layer performs the Plan, Build, Run, and Monitor (PBRM) cycles.
  2. Meeting stakeholder needs (principle 1)—As indicated in the upper left corner of figure 6, the governance objective is set as value creation and consists of three subobjectives: benefit realization, resource optimization and risk optimization. The three governance subobjectives are cascaded to the enterprise goals, in a one-to-one relationship:
    • Customer value creation—The most important benefit is to create customer value, such as project deliveries with the quality, cost and duration (QCD) as expected and IT service delivery in keeping with service level agreements (SLAs).
    • Company value creation—Its employees are the organization’s most valuable resource, so employee skills development optimizes that resource and creates company value.
    • Internal control optimization—The organization is willing to adjust its risk appetite to create value for stakeholders, and this drives internal control optimization.
    The enterprise goals then cascade into the internal control goals, or the enabler goals. Here, the organization does not use the process to cascade to IT-related goals defined in COBIT 5 principles because its internal control areas consist of not only IT-related areas, but also non-IT areas.
  3. Enabling a holistic approach (principle 4)—Management performs the business operation under the PBRM cycle (see bottom of figure 6). Management makes its best efforts to maximize use of internal control elements—the seven enablers of COBIT 5—in order to satisfy stakeholder needs and achieve the enterprise goals.
  4. Covering the enterprise end to end (principle 2)—The basic policies for the 16 internal control areas and the PDCA processes described in figure 6 cover the entire enterprise end to end. In addition, the monitoring process by management and the governance layer cover the entire enterprise business. Regarding the monitoring management layer, stakeholders monitor performance as well as internal control and compliance situations and report back to the governance stakeholders. Then, the governance stakeholders monitor and evaluate the reports and recommend actions to management. This is how the governance stakeholders proceed with the EDM cycle. In addition, the governance stakeholders report to outside stakeholders to ensure accountability.
  5. Applying a single integrated framework (principle 3)—As described in figure 4, the organization applies TMG-ICF to the GRC System as a single integrated framework. For each internal control area defined at TMN Systems, a PDCA process has been implemented for the governance and management of TMN Systems, where business operations are made more effective and efficient with the integrated GRC System.

Aligning Management and Enterprise Goals

TMN Systems recognized that the goal-setting process is performed by management, and those goals are linked to departmental goals and then to individual goals. But, the organization has struggled to come up with an effective way to integrate these goal-setting processes into the GRC System.

The most recent effort to formalize this goal setting and linking process is shown in figure 7.

Figure 7—The Goal-setting Process

Figure 7
Source: Yuichi (Rich) Inaba. Reprinted with permission.

The goal cascade process (governance objectives to enterprise goals to enabler goals) is a general and universal process, while management goal setting, chaining and embedding processes are specific and dependent on the management stakeholders involved.

The processes for management goal setting are part of the goal-cascading processes defined in COBIT 5.

Monitoring at the Management and Governance Layers

In the GRC system, the performance of the company’s operations as well as effectiveness of internal controls and compliance status is monitored, based on the processes defined in the MEA domain of COBIT 5. For the governance team to execute its EDM cycle in a timely manner, the monitoring reports, called management reports, are compiled and reported in monthly meetings with directors.

The reports are then evaluated by the governance team and the next steps are taken. In addition, the reports are shared with stakeholders in a meeting to maintain accountability among stakeholders. The processes are performed according to those defined in the EDM domain of COBIT 5.

Figure 8 shows how the monitoring system works in the GRC System.

Figure 8—The Management Report and the Stakeholder Report

Figure 8
Source: Yuichi (Rich) Inaba. Reprinted with permission.

The GRC System Is Determined by the Board of Directors in the Business Operation Standard

The governance and management cycle described in figures 6, 7 and 8 was determined and approved by the board of directors at TMN Systems. That is, board members have decided to regulate the GRC System in the Business Operation Standard and intend to comply with the GRC system themselves. The Business Operation Standard is a standard level rule body of TMN Systems in which the governance and management processes are defined as rules.

Having established a GRC system designed for value creation, it is natural that the company depends heavily on management, including the governance team. They have ensured that creating value for their stakeholders is always occurring as a result of the establishment of the GRC System, regardless of who the directors and executive officers are at any given time.

Stakeholder Needs Drive GRC System

Tokio Marine & Nichido Systems has established a GRC system that seeks to create value for its stakeholders. Changing from a reactive internal control management system to the proactive GRC System was inevitable and driven by stakeholder needs. Throughout the GRC implementation initiative, COBIT 5 has empowered and supported these changes.

Yuichi (Rich) Inaba, CISA

Is a senior consultant in the areas of GRC, IT governance, risk management and information security at Tokio Marine & Nichido Systems Co. Ltd. (TMN Systems), a Tokio Marine Group company. Before transferring to TMN Systems, he worked in the IT planning department of Tokio Marine Holdings Inc., and engaged in establishing Tokio Marine Group’s IT governance system based on the process reference model and the maturity model of COBIT 4.1. Inaba is the vice chairperson of the Standards Committee of the ISACA Tokyo Chapter, is currently working on the translation of COBIT 5 material into Japanese, and is a member of ISACA’s Government and Regulatory Advocacy Subcommittee 1 (GRASC1).

Endnotes

1 Inaba, Y., H. Shibuya; “Executive Management Must Establish IT Governance,” COBIT Focus, vol. 1, 2013
2 ISACA, COBIT 5, USA, 2012