Setting the Record Straight: Convincing Management of COBIT’s Value in Risk Management

Risk Management
Author: Julian Marquez, CISA, CRISC, CDPSE, COBIT Foundation, ISO 27001 Lead Auditor, ITIL Foundation
Date Published: 30 December 2016

Although COBIT remains an extremely valuable tool for IT risk management, many Latin American companies are still unsure what a complete or partial COBIT implementation actually requires. Organizations struggle with how to achieve long-term business and IT goals through proper use of the framework's tools, and advice from experienced or well-informed practitioners is often not sought because top management tends to treat any external consultancy as an expense with little or no return on investment. At the same time, the many mergers and acquisitions currently taking place in the region are driving growing interest in implementing COBIT as an IT risk management framework, and even as a means of complying with globally accepted regulations, particularly the US Sarbanes-Oxley Act of 2002 (SOX).

Given this, the main challenge COBIT practitioners must address is getting top management to participate actively in the transformation process that integrates and standardizes IT management practices. The practitioner must also help the stakeholders involved understand that the "IT guys" are allies interested in taking the company to the next level and providing solutions, not foes to be pointed at when scapegoats are needed. Some of the elements to consider when implementing COBIT as a reference for risk management practices are:

  • According to the COBIT goals cascade, every initiative involving the enterprise enablers must be driven by IT-related goals, which in turn derive from the enterprise goals and, ultimately, from stakeholder needs, which include risk optimization.
  • In line with this cascade, the concept and scope of governance of enterprise IT (GEIT) must be clarified and communicated within the organization to enable achievement of the goals for which IT shares participation and accountability. Once GEIT has been established, the cornerstone of the IT internal control model is in place.
  • In addition, a business case must be developed to create an interface between stakeholders' expectations and IT plans, as described in the publication COBIT 5 for Business Benefits Realization. The definitions in that business case confirm that the goal of GEIT is to generate benefits for the organization as a whole, given the pervasive nature of IT.
  • According to the white paper Getting Started With Governance of Enterprise IT (GEIT) and in this author's experience, GEIT ensures greater alignment of IT functionality with business needs. However, commitment from enterprise leadership at the highest levels (e.g., C-suite, board of directors) is fundamental to ensuring a successful implementation and a sustainable model.

Based on the points above and on each organization's background (determined by factors such as industry, the degree of automation of its processes, and applicable regulation, e.g., SOX, anti-money laundering or fraud prevention rules), it is also important for the COBIT practitioner to set the record straight with top management about the culture and practices that must be embraced when adopting the framework:

  • Defining the governance and risk management structures required to implement COBIT practices is not a one-time effort.
  • The effectiveness of the framework's risk management practices depends on management's primary commitment to fostering COBIT's enablers.
  • Although IT must actively participate in defining practices, COBIT maintenance and periodic review must be sponsored by the core business and the control functions.
  • Management must be aware that there is no standard timeline for implementing COBIT. COBIT practitioners must therefore set realistic expectations with management when defining and analyzing which COBIT enablers will be implemented and how many resources (e.g., time, money, people) will be required to adopt COBIT practices and keep them sustainable through early life support and other management review and follow-up activities. In some cases, reaching the maturity level agreed on by the enterprise can take years.

So, what should COBIT practitioners do to counter these misconceptions? What actions will win more COBIT supporters, based on the framework's applicability, and dispel the perception that COBIT is an excuse invented by consultants to sell high-end products and secure a recurring income? Here the experts' experience, vision and judgment are fundamental, not only to lay a solid cornerstone for IT risk management, but also to ensure that business processes are optimized through COBIT's benefits, given the weight the framework assigns to management's goals. The presentation prepared by the COBIT implementer, and the audience it is presented to, will also affect the outcome: the same presentation should not be used for top management, business areas, IT staff and support functions. Nonetheless, the main message must remain consistent: the entire organization is responsible for COBIT's success and proper operation, with periodic consultation of external experts.

Another important factor is assigning proper accountability to ensure the defined practices are properly implemented and operate consistently over time. Robust activities and processes with no accountability are practically useless. The stakeholder accountable for each process must be defined according to business goals and requirements, and that person must act as a translator of the general strategic plan and as a mediator when change is to be implemented. The accountable stakeholder must also be aware of the process's maturity level, what is required to reach the next level (assuming the enterprise has agreed that a higher level is optimal for the business), and what should change after a review is performed. Phrases such as "I do not have to change it since we have not had any outages" or "I have always done things this way and I have been with the organization for more than 20 years" pose a huge challenge for the accountable stakeholder, so the role also requires the skills to manage change and turn it into an opportunity to understand the importance and impact each factor has for the organization.

With that said, when initiating a COBIT implementation, practitioners should convey these messages to the project's stakeholders:

  • COBIT maintenance requires resources and infrastructure, but in the end it will greatly improve an organization's risk management posture.
  • COBIT promotes the importance of leadership and teamwork because, without proper guidance, commitment, and assignment of roles and accountability, the policies, procedures and rules that come with COBIT only reinforce the perception that IT is an expenditure.

Conclusion

COBIT is a very powerful tool with numerous features that can be adapted to different circumstances, but it also takes a great deal of commitment to ensure it operates as expected. If management understands that everything can be improved, that nothing remains in the same state forever, and that expert judgment is required on a periodic basis, the mystery of how to properly use COBIT to achieve business, compliance and operational goals can finally be solved.

Julian Marquez, CISA, CRISC, COBIT Foundation, ISO 27001 LA, ITIL Foundation, is an experienced risk management professional. He has worked with Deloitte on IT auditing and consulting services for projects in Colombia, Chile and Canada. He has worked on initiatives to use COBIT as a reference framework for retail, manufacturing, financial services, and energy and resources companies. He has also participated as a trainer in internal and external COBIT-related training.