COBIT 5—How to Get Inspired

Even best-in-class frameworks need to be half as inspiring as a good novel—and twice as inspiring for practitioners to read and use them! As a COBIT trainer, I use the following tips on how to capitalize on COBIT for IT governance-related projects and workshops.

Promote COBIT 5 Terminology and Concepts Using Local Language

Promoting the use of COBIT 5 terminology and explanations in the local language is a key success factor for COBIT acceptance among IT and business professionals. The existence of an official ISACA translation is critical for common interpretation and understanding in a local language.

Workshops With Stakeholders of All Disciplines and Competencies

It is a good idea to start each COBIT-related project with a preliminary workshop for all involved stakeholders (especially representatives from each line of business, along with those who are mostly unfamiliar with English and/or COBIT).

Use Pain Points to Generate Interest

Pain points and triggers discussions are a great starting point to raise interest. Real-life examples, as suggested by workshop participants, are extremely important. This could lead to mapping of business goals to enterprise IT goals and the COBIT goals cascade. Engaging business representatives in this exercise ensures the correct alignment of business and IT goals and fosters a mutual understanding of needs.

Understand Internal and External Compliance Requirements

Local and applicable global regulations (e.g., requirements for the internal audit function for organizations subject to specific regulations and organizations in the financial sector, the Committee of Sponsoring Organizations of the Treadway Commission [COSO], the Basel Committee on Banking Supervision [BCBS], the US Sarbanes-Oxley Act [SOX]) can motivate the adoption and implementation of COBIT 5 as an IT-related part of the overall control environment. Internal auditors, risk and compliance officers, even chief financial officers (CFOs) and chief executive officers (CEOs) can be supporters in these cases.

Encourage ISACA Certification Holder Participation

Involving IT auditors, especially ISACA certification holders, in a COBIT 5 implementation project or workshop can significantly increase the overall level of understanding and communication among stakeholders and, therefore, help overall GEIT implementation.

Highlight COBIT 5 Adaptability and Assessment Tools

What sets COBIT 5 apart from general standards and best practices is that COBIT 5 provides specific enabling guidance for processes and activities that support goal achievement and control management. The guidance found in COBIT 5: Enabling Processes provides details on goals; key performance indicators (KPIs) and metrics; detailed activities; and the responsible, accountable, consulted and informed (RACI) chart. Supporting guidance enables COBIT 5 to be attuned to each respective environment. The COBIT 5 Assessment Program and the COBIT Process Assessment Model (PAM): Using COBIT 5 are the basis for assessing an enterprise’s processes for the governance and management of IT and related services as described in COBIT 5. The ability to assess process capability also provides a current-state and future-state approach to resolving weaknesses.

Emphasize That Effective Governance of Enterprise IT Takes a Village

Processes and information are critical enablers to effective governance of enterprise IT (GEIT). However, other enablers such as organizational structures; culture, ethics and behavior; services, infrastructure and applications; or people, skills and competencies may be as important, depending on the type of business and its priority. In these cases, understanding control effectiveness while assessing IT governance process capabilities enables a holistic understanding of the current state and needed improvements. Moreover, the internal audit function can supplement the PAM capability levels derived through COBIT PAM by using a classic control assessment approach together with providing recommendations for improvements.

The COBIT 5 framework describes 7 categories of enablers:

1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with IT processing and services.
7. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective action.

Some of these enablers are also enterprise resources that need to be managed and governed as well. This applies to:

• Information, which needs to be managed as a resource. Some information items, such as management reports and business intelligence information, are important enablers for the governance and management of the enterprise.
• Service, infrastructure and applications
• People, skills and competencies

Illustrate How GEIT Needs To Be Agile to Support Innovation

The latest digital transformation trend (sometimes even verging on hype/fashion) seems to be a bit more structured and logically realized if its related activities are aligned to tried-and-tested guidance such as that provided in COBIT 5’s APO04—Manage Innovation process. COBIT 5, ISACA’s IS Audit and Assurance Standards and ISACA’s extensive library of reference guides provide relevant tips and techniques for evaluating goal attainment by IT.

Figure 1—COBIT 5 Enterprise Enablers

Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.

COBIT 5 is not just one publication. It is number of publications and related tools—a universe of best practices.

The COBIT 5 product family includes the following products:

• COBIT 5 (the framework)
• COBIT 5 enabler guides, in which governance and management enablers are discussed in detail. These include:
  • COBIT 5: Enabling Processes
  • COBIT 5: Enabling Information
  • Other enabler guides
• COBIT 5 professional guides, which include:
  • COBIT 5 Implementation
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
  • Other professional guides
• COBIT Online, a collaborative online environment, which is available to support the use of COBIT 5

Though COBIT 5 provides a plethora of guidance on governance needs, a successful implementation of GEIT frameworks requires a hybrid of best practice guidance such as COBIT 5, relevant industry standards and legislation, and experience and common sense.

Andrey Drozdov, CISA, CISM, CGEIT, COBIT 5 Accredited Trainer

Is a senior manager at KPMG Russia and CIS. He is also first vice president of the ISACA Moscow (Russia) Chapter. He is a COBIT 5 practitioner and trainer and a member of the COBIT 5 translation team responsible for translating and reviewing COBIT 5 in Russian.