Enterprises are established with set objectives of meeting stakeholders’ needs and serving customers with desired products or services that add value. To be able to continually meet these objectives, an appropriate risk management strategy with a relevant system of processes and controls must be implemented, considering both known and unknown risk. This strategy is expected to be robust enough to ensure resilience to meet challenges that may arise. The COVID-19 pandemic has demonstrated how unknown risk, with increasing elements of uncertainty, can affect most enterprises in a big way, whatever the size or industry. In a digital world, in which services are received and rendered across geographies, the uncertainty caused by unexpected shutdowns due to COVID-19 has impacted enterprises globally. This has impacted the resilience of service delivery, thereby affecting the very survival of many enterprises.
Successful enterprises are those that have demonstrated resilience via appropriate systems and controls to meet the continual challenge of operating in an uncertain environment. This resilience is not accidental; it is achieved through proactive implementation of robust processes and systems built on the edifice of technology and frameworks. The most important factor to consider in the challenging COVID-19 environment is the uncertainty in delivering regular services to customers due to unavailability of required processes, people and technology. Effective decision making is required to update processes and systems to be resilient and operate continually in a dynamically changing environment. This results from not just an effective management system, but also a strong governance and management system designed and developed on governance principles. Components from the COBIT® framework can be used to build effective resilience with an appropriate risk management strategy to proactively mitigate the risk of the COVID-19 pandemic.
Looking Beyond Controls to the Governance System
COVID-19 has changed the world and the way enterprises manage service delivery with relevant systems and processes. It creates dynamic challenges with unexpected lockdowns and operational issues. Enterprises must focus on how to keep their processes and systems operational in this “new normal” of dynamic uncertainty. This can be achieved by implementing an overarching governance and management framework that is built on a strong edifice of information systems designed and deployed to meet set objectives despite the COVID-19 impact.
Enterprise governance of information and technology (EGIT) is an integral part of enterprise governance and is exercised by the board, which oversees the definition and implementation of processes, structures and relational mechanisms. The 2 most critical factors of governance are:
- An effective decision-making framework at various management levels, backed by relevant policymaking by senior management (governance level) to provide mechanisms of direction and control for executive management to implement
- Effective risk management designed to build resilience, which requires an accountability framework and appropriate responsibility structure. This framework/structure must empower management to dynamically respond with quick policies/decisions as required to meet the unexpected challenges of uncertain situations caused by COVID-19.
The COBIT framework includes components that have these 2 critical factors built into their design. It also provides guidance so the required governance and control framework can be implemented to effectively mitigate the risk of COVID-19 and demonstrate resilience in providing service delivery to customers.
Using COBIT Components
COBIT is a business framework that facilitates EGIT, which can be used to deploy new and existing digital platforms and technologies to survive and thrive. The COVID-19 pandemic is not the ideal environment in which to implement a governance system in its entirety; however, it can be beneficial to use relevant COBIT components and guidance as required to update an enterprise’s risk management strategy to become more resilient. The challenges of COVID-19 have demonstrated that digital information systems enabled by technology are a critical success factor in ensuring resilient operations. This can be effectively achieved by using specific principles, components and guidance from COBIT. Further, the COBIT knowledge repository can be used to develop key strategies/steps that can be effectively adapted by any enterprise regardless of size and complexity of processes and systems.
Using the Goals Cascade to Align Objectives
Governance ensures (among other things) that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives. Stakeholder needs must be transformed into an enterprise’s actionable strategy. COBIT’s goals cascade supports the creation of enterprise goals, their prioritization and their translation into priorities for alignment goals. Based on the selected alignment goals, specific processes can be selected from COBIT’s governance and management objectives. The guidance for each of these specific processes can be used and adapted as relevant.
The COBIT goals cascade contains 13 enterprise goals and 13 alignment goals, which are mapped to enterprise goals. An enterprise’s governance body should review, revise, reset and reframe the enterprise goals after considering the impact of COVID-19 on the enterprise. Based on the updated enterprise goals set by the governance body, the management team can select alignment goals. Based on alignment goals, relevant governance and management objectives can be selected, and for these, relevant guidance and best practices can be extracted and used to implement and improve relevant processes and practices as required. These can be further customized and integrated with other standards and frameworks as required (figure 1).
Figure 1—Goals Cascade
Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018.
Using COBIT Components to Implement Governance and Management
For information and technology (I&T) to contribute to enterprise goals, a number of governance and management objectives should be achieved. COBIT® 2019 Framework: Governance and Management Objectives contains detailed guidance for each of the 40 governance and management objectives covering the 7 key components of a governance system. COBIT defines 7 key components to satisfy governance and management objectives and provide a framework for enterprises to build, tailor and sustain a governance system. These components are factors that, individually and collectively, contribute to the effective operation of the enterprise’s governance system over I&T. Enterprises can review the impact of COVID-19 using the principles of the following COBIT components and update the risk management strategy as required:
- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support the success of overall IT-related goals. COVID-19 situations may require changes to existing processes and new processes to be implemented to mitigate new risk. COBIT’s governance and management practices provide detailed guidance that can be selected/customized.
- Organizational structures are the key decision-making entities in an enterprise. The existing organizational structure may have to be reviewed and revised based on COVID-19 impacts to empower employees to discharge their responsibilities and make effective decisions.
- Principles, policies and frameworks translate desired behavior into practical guidance for day-to-day management. These must be reviewed and updated based on the demands of changing situations resulting from COVID-19 to ensure the delivery of products/services on a continuous basis.
- Information is pervasive throughout any organization and includes all information produced and used by the enterprise. COBIT focuses on the information required for the effective functioning of the governance system of the enterprise. Information requirements of employees working from home/remote locations due to COVID-19 need to be managed by ensuring availability, but also by implementing appropriate security.
- Culture, ethics and behavior of individuals and the enterprise are often underestimated as factors in the success of governance and management activities. As employees are empowered to work from home or elsewhere, monitoring may not be as rigorous. Hence, the need for reinforcing this component is critical for effective risk management.
- People, skills and competencies are required for good decisions, execution of corrective actions and successful completion of all activities. Employee onboarding and regular training to work in new environments and situations due to COVID-19 impacts are required.
- Services, infrastructure and applications provide the enterprise with the governance system for I&T processing. The COVID-19 situation makes it imperative to provide the required infrastructure to work from new locations such as home/remote offices. Ensuring the availability of enterprise systems in these new situations requires policies/procedures balancing security and availability.
Not every enterprise will need to implement COBIT in its totality. Further, the COVID-19 situation may not be a conducive environment to implement COBIT as a comprehensive project. However, it is most appropriate to identify, select, use and adapt relevant governance and management practices for selected focus areas as per specific COVID-driven needs by using it as a reference framework to implement and improve systems and processes. The impact of COVID-19 encompasses new regulatory requirements, new threats, new roles, technology deployment choices, and the deployment of new processes and practices, and COBIT provides best practices to meet these needs of enterprises regardless of industry and size.
Practical Case Study of Adapting COBIT
The previously mentioned COBIT concepts, principles and components can be practically applied to improve the risk management strategy to meet the challenges of COVID-19 as described in the following scenario:
- Identify changes to stakeholder needs—The stakeholder need is to keep the enterprise resilient and operational at full capacity by ensuring service delivery despite the restrictions of lockdown and staff having to operate from home. The governing body mandates that appropriate changes in policies, procedures and organizational structures are to be implemented.
- Identify the enterprise goals/alignment goals—Based on the stakeholder need for resilience, the goals cascade is used to select relevant enterprise goals, alignment goals and governance and management objectives. A mapping table of enterprise goals - alignment goals is used to identify enterprise goal EG06 Business service continuity and availability. The alignment goal selected is AG07 Security of information, processing infrastructure and applications, and privacy.
- Identify the governance and management objectives—The mapping table is used to identify primary governance and management objectives for AG07, which are as follows:
  - Evaluate, Direct and Monitor (EDM): EDM03 Ensured risk optimization
  - Align, Plan and Organize (APO): APO12 Managed risk
  - APO13 Managed security
  - Build, Acquire and Implement (BAI): BAI10 Managed configuration
  - Deliver, Service and Support (DSS): DSS04 Managed continuity
  - DSS05 Managed security services
- Prioritize and select COBIT components to use—Based on review, the enterprise decides to implement/improve processes relating to DSS04 Managed continuity. Guidance from COBIT® 2019 Framework: Governance and Management Objectives is used to set metrics for enterprise goals and alignment goals as relevant.
- Identify management practices and activities—COBIT provides guidance on 7 components of governance and management. The enterprise decides to use best practice guidance from management practices and activities as relevant. The enterprise also maps and updates its organizational structure using the accountability/responsibility matrix. Further, the information flows and items are used to improve documentation as required in terms of inputs and outputs and the contents from policies and procedures are used to map and update policies and procedures as applicable.
- Identify and extract best practices from COBIT contents—The enterprise uses the relevant content extracted from COBIT and customizes and translates it into specific policies and procedures that are integrated into enterprise policies and procedures. These are added to job responsibilities and staff is trained to perform them as part of day-to-day work.
- Implement performance and monitoring measures—The governing body is updated on the changes required. Approval is obtained to roll this out with approval of budget, and relevant performance measurement metrics are implemented for all key goal areas with relevant key goal indicators and key performance indicators.
Conclusion
The COVID-19 crisis has fast-forwarded technology adaptation across enterprises both small and large. The use of technology has skyrocketed, with more people working at home, and enterprises and their staff have found ways to communicate with each other and continue to work during this crisis. COBIT® 2019 defines components that can be used to build and sustain a governance and management system. Pertinent use of COBIT’s components and knowledge repository will empower enterprises to meet the challenges of COVID-19, ensure greater resilience and provide robust processes for achieving enterprise objectives.
Abdul Rafeq, CISA, FCA, is the managing director of Wincer Infotech Limited. He has been a COBIT evangelist, user and trainer since the first edition of COBIT.