COBIT 5 is a renowned best practice framework for governing and managing enterprise information technology. This framework covers the entire enterprise from end to end in terms of processes, organization structures, policies, skills and talent, information, and other enablers, and top to bottom from the board of directors to incident management specialists working in operations. Before an enterprise thinks about implementing COBIT 5, it is necessary to understand the principles that are defined in the framework. During COBIT 5 implementation, the 5 principles act as a guiding light and provide adequate details of what should be done. If an organization wants a successful COBIT 5 implementation, it must first learn and understand the COBIT 5 principles.
This article elaborates on the first principle, Meeting Stakeholder Needs, and illustrates it with real-world examples.
Meeting Stakeholder Needs—Principle 1
Let us take up the principle from the framework guide and take a close look from top to bottom, as indicated in figure 1. This is the COBIT 5 Goals Cascade, which shows how stakeholder drivers create stakeholder needs, and those needs define the enterprise’s goals. The enterprise goals, in turn, generate IT-related goals, which define the enabler goals. These various components of the cascade must be addressed in order to carry out a successful implementation.
Figure 1—COBIT 5 Goals Cascade Overview
Source: ISACA, COBIT 5, USA, 2012
To illustrate the principle, XYZ Tours and Travel will serve as the example enterprise.
Please note that the names and details are fictitious, and although the COBIT 5 framework guide is referred to, it is customized for this case study.
About the Enterprise: XYZ Tours and Travel
Figure 2 outlines the details of XYZ Tours and Travel.
Figure 2—XYZ Tours and Travel
Serial Number | Details | Description | Remarks |
1 | Enterprise name | XYZ Tours and Travel | |
2 | Established | 1994 | |
3 | Owners | Tarun Verma, Ritika Sharma | |
4 | Turnover | US $98 Million | |
5 | Profit as per last balance sheet | US $31 Million | |
6 | Number of employees | 125 | |
7 | Number of fleet | 28 air-conditioned buses, sleeper class | |
8 | Business | | For sightseeing and customized tour packages, XYZ has reserved 3 buses. |
9 | Awards/accolades | The enterprise has been awarded Best Tour Operator in the last year. | |
10 | Departments | Sales, marketing and customer service; HR and training; Administration; Purchasing; Finance; Operations; IT | In the IT department, there are 7 resources working to provide support to the business. |
11 | Home office | New York City, New York, USA | There are offices leased or owned in 22 US cities. |
12 | Major IT services used | | Registration has integration with payment gateways, short message service (SMS) and chat services. |
Source: G. Kulkarni. Reprinted with permission.
Now that the details of the enterprise have been defined, the next step is to identify the enterprise’s stakeholders.
Stakeholders and Their Needs
XYZ Tours and Travel analyzed stakeholders and identified them in a separate document called a stakeholder map. Each stakeholder’s details are captured in the map document. The stakeholder details are shown in figure 3.
The reason to identify stakeholder needs is to better serve each stakeholder and fulfill those needs through proper governance and management.
Figure 3—XYZ Tours and Travel Stakeholder Map
Serial Number | Stakeholder Type | Description | Major Needs |
1 | External | Investors/shareholders | Higher return on investments year on year |
2 | External | Customer | Economical, safe and punctual travels |
3 | External | Booking agents | Accurate, timely payment of commissions |
4 | External | Government/regulators | On-time payment of taxes; Filing of income tax returns; Compliance with data, emission and safety standards |
5 | External | Supplier | Accurate, timely payment of invoices |
6 | External | Audit agencies | Transparency in finance and bookkeeping |
7 | Internal | Employees | Job safety; Timely payment of salaries; Bonuses; Work/life balance |
Source: G. Kulkarni. Reprinted with permission.
Now the enterprise has been defined and the stakeholders and their needs have been identified. Note that the enterprise did not go to each stakeholder and ask, “Do you have this need?” Certain needs are implicit and must be understood by the enterprise unless explicitly stated by the stakeholders. Every stakeholder category has its own needs that may be the same as or different from the needs of other stakeholder categories.
Now, the enterprise must ask itself what will happen if it does not meet the defined stakeholder needs.
The answer to this is that the enterprise cannot continue to exist. The reason? Investors will shy away because they do not see any value in their investments, customers will disappear because they do not wish to continue to get bad service, suppliers will depart because they cannot get payments and dues, and employees will start to search for jobs elsewhere.
The COBIT 5 principles call for creating value for stakeholders, which means the stakeholder’s needs must be fulfilled. Governance is all about recognizing conflicting needs, and balancing, prioritizing and considering every stakeholder while making decisions to ensure that their needs continue to be fulfilled.
Enterprise Goals Aligned to Stakeholder Needs
Next, stakeholder needs must be reflected in the goals of the enterprise, as illustrated in figure 4.
Figure 4—Aligning Stakeholder/Enterprise Needs
Serial Number | Stakeholder | Major Needs | Enterprise Goals of XYZ Tours and Travel | Priority |
1 | Investors/shareholders | Higher return on investments year on year | Achieve higher returns in share prices through higher profit. Increase investor satisfaction. Achieve sales targets. | P1, P1, P1 |
2 | Customer | Economical, safe and punctual travels | Increase customer satisfaction. | P1 |
3 | Booking agents | Accurate, timely payment of commissions | Increase agent satisfaction. | P1 |
4 | Government/Regulators | On-time payment of taxes; Filing of income tax returns; Compliance with data, emission and safety standards | File taxes and returns with zero defects and delays. Avoid penalties. | P1, P1 |
5 | Supplier | Accurate, timely payment of invoices | Increase supplier satisfaction. | P2 |
6 | Audit agencies | Transparency in finance and bookkeeping | Avoid violations/breaches of compliance requirements. | P1 |
7 | Employees | Job safety; Timely payment of salaries; Bonuses; Work/life balance | Increase employee satisfaction. | P1 |
Source: G. Kulkarni. Reprinted with permission.
COBIT 5 suggests 17 generic goals. In this example, for the sake of brevity, only 1 or 2 are used. Also, each goal is assigned a priority for its achievement.
Information Technology and Enterprise Needs
IT is an important department that needs to govern and manage information across the enterprise and play a key role in enabling XYZ Tours and Travel to achieve its goals.
If IT is not governed or managed properly, then the enterprise’s goals cannot be met and stakeholders’ needs will not be fulfilled.
This is the reason the enterprise’s goals and IT goals must align, as shown in figure 5.
Figure 5—Alignment of IT and Enterprise Goals
Serial Number | Enterprise Goals of XYZ Tours and Travel | IT Departmental Goals | Priority |
1 | Achieve higher returns in share prices through higher profit. | Achieve higher availability, security, continuity and capacity of services of ERP and CRM. Ensure proper risk management. Align decisions on investment in IT to IT needs and policies. | P1 |
2 | Increase customer satisfaction. | Achieve higher availability, security, continuity and capacity of services used by customers. Ensure required functionality and ease of use. Ensure higher availability and correct functioning of the booking management system, scheduling management system and billing management system. Ensure proper risk management. | P1 |
3 | Increase agent satisfaction. | Achieve higher availability, security, continuity and capacity of services used by booking agents. Through ERP, issue timely commission disbursements. Ensure proper risk management. | P1 |
4 | File taxes and returns with zero defects and delays. Avoid penalties. | Achieve higher availability, security, continuity and capacity of services of ERP. Comply with regulations and legislation related to data protection, completeness, correctness and availability. | P1 |
5 | Increase supplier satisfaction. | Achieve higher availability, security, continuity and capacity of services of ERP. | P1 |
6 | Avoid violations/breaches of compliance requirements. | Comply with regulations and legislation related to data protection, completeness, correctness and availability. | P1 |
7 | Increase employee satisfaction. | Achieve higher availability, security, continuity and capacity of services of ERP. | P2 |
Source: G. Kulkarni. Reprinted with permission.
IT Goals Aligned to Enabler Goals
IT depends on complete and appropriate use of 7 enablers. If all of the enablers are working properly, then they will help achieve IT goals. The 7 enablers defined by COBIT 5 are:
- Principles, policies and frameworks
- Processes
- Organizational structures
- Information
- Culture, ethics and behavior
- People, skills and competencies
- Services, infrastructure and applications
When implementing COBIT 5, it is advantageous to focus on all 7 enablers with equal importance rather than just focusing on, for example, processes, although processes play a crucial role. Hence, the mapping can be done as shown in figure 6. It is assumed that if these processes exist and are capable and mature, then IT goals will be met. Although these processes are indicative, they interface with other processes and provide outputs. We need to define process goals; process purpose; a responsible, accountable, consulted and informed (RACI) matrix; and practices and activities for each while implementing processes.
Figure 6—Aligning IT Goals With Enabler Goals
Serial Number | IT Departmental Goals | Processes |
1 | Achieve higher availability, security, continuity and capacity of ERP and CRM services. Ensure proper risk management. Align decisions on investment in IT to IT needs and policies. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management |
2 | Achieve higher availability, security, continuity and capacity of services used by customers. Ensure required functionality and ease of use. Ensure higher availability and correct functioning of the booking management system, scheduling management system and billing management system. Ensure proper risk management. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Usability; Transition and change management |
3 | Achieve higher availability, security, continuity and capacity of services used by booking agents. Through ERP, issue timely commission disbursements. Ensure proper risk management. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Usability; Transition and change management |
4 | Achieve higher availability, security, continuity and capacity of ERP services. Comply with regulations and legislation related to data protection, completeness, correctness and availability. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Usability; Transition and change management |
5 | Achieve higher availability, security, continuity and capacity of ERP services. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Usability; Transition and change management |
6 | Comply with regulations and legislation related to data protection, completeness, correctness and availability. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Transition and change management; External and internal controls monitoring |
7 | Achieve higher availability, security, continuity and capacity of ERP. | Availability management; Capacity management; Security management; Business continuity management; Risk management; Portfolio management; Finance management; Service level management; Usability; Transition and change management |
Source: G. Kulkarni. Reprinted with permission.
Conclusion
This brief case study is just an example to illustrate how enterprise stakeholders’ needs drill down to the enabler goals. It is recommended that the COBIT 5 framework guide, particularly the appendix section, be used for further mapping. True learning and understanding of COBIT 5 principles will happen only by mapping them to real-life scenarios.
Govind Kulkarni, COBIT 5, CSQA, DevOps Master, ISO 27000 Auditor, ITIL Expert, PMP
Is an experienced software developer with 2 decades of experience providing IT solutions. He has worked in the entire life cycle of software development and, currently, he conducts training in COBIT 5, ITIL and software testing. Kulkarni has completed consulting assignments for gap analysis, COBIT 5/ITIL implementation, assessments using the ISO 15504 standard and tool customization for clients across the globe. His current interests include business continuity, IT assessment and cost management, scalability and performance optimization of web applications, predictive analytics, and technology areas such as OpenStack and DevOps. He was one of the editors of the book How to Reduce the Cost of Software Testing, published by CRC Press in 2012. He can be reached at goodgovind1505@gmail.com.