COBIT 5: A Business Framework for Governance and Management of Enterprise IT
In the IT industry, standard institutions have been rolling out several niche standards geared toward specific objectives. Among this superfluity of standards and frameworks, a few prominent ones are ITIL, ISO27001, PMBOK, and TOGAF.
Each of these has been designed to address a specific requirement of the user community. Their depth and breadth of coverage had been focused on a specific area. What has been lacking so far was an overarching framework that could cover end-to-end needs of enterprise IT by integrating requirements from the various existing standards.
The COBIT (Control Objectives for Information and Related Technologies) framework from ISACA fills that need.
COBIT 5 is the comprehensive business framework for the governance and management of enterprise IT. As a single, integrated framework it integrates and aligns with other IT frameworks to enable enterprises to meet their business objectives.
This article provides an overview of the COBIT 5 framework and explains why it is indispensable for every enterprise using IT as a business enabler.
Defining a Framework
In a general sense, a framework can be defined as a real or conceptual structure that serves as a guide for developing a product or solution, which expands and builds on that structure into something useful.
Frameworks are essential to provide consistent guidance. For example, to design information security solutions, we use the ISO 27000 series of standards that together constitute an information security framework. If we need to design IT-enabled services, we use ITIL to provide guidance. All these niche standards can be integrated under the umbrella framework of COBIT 5.
COBIT 5 is a holistic business framework for enterprise IT governance and management in its entirety. It is based on five main principles as discussed here.
Principle 1: Meeting Stakeholder Needs
An enterprise has a number of stakeholders, both internal and external. For example, in an organization, management and employees are the internal stakeholders, while customers, partners, suppliers, government, and regulators are the external stakeholders.
The various stakeholders typically have different priorities and at times conflicting needs. For employees, job security is a prime consideration. For the management team productivity is important, customers and investors are interested in product quality, organizational stability and good returns on their investments. Regulators hold the organization accountable for legal and regulatory compliance.
Hence, when an organization intends to invest in IT and digital as business enablers, that may impact different stakeholders differently. Employees may be concerned about how that impact their jobs. Management might be concerned about selecting the right technology within budget and to improve ROI, Customers would be happy if they get better service but, at the same time, worried about security and privacy of their information, while the regulators would be keenly watching the organization’s IT compliance with all relevant regulations.
To meet the diverse requirements and expectations of internal and external stakeholders, it is critical to keep in mind not only the management perspective but also the governance perspective, when implementing IT. The objective of governance is to make a balanced decision, keeping all stakeholders’ interests in mind.
Principle 2: Covering the Enterprise End to end
In the earlier days of IT adoption, the IT department was solely responsible for the ‘IT function.’ All organization data was sent to the IT department for processing and report generation. This, however, is no longer the case
For every enterprise, information has become one of the critical assets and it is rightly said in the information age: information is the currency of the enterprise. Every action and decision depends on the availability of the right information at the right time. COBIT 5 has taken this view and integrated governance of enterprise IT into enterprise governance. It not only focuses on the IT function but also treats information and related technologies as assets like any other asset for the enterprise.
COBIT 5 provides detailed roles, activities, and relationships between stakeholders, the governing body, management, operations, and technical teams to have a clear idea of accountability and responsibility and to avoid any confusion. This is done by providing RACI charts (Responsible, Accountable, Consulted and Informed) for each key governance and management practice.
Principle 3: Applying a Single Integrated Framework
COBIT 5 is a comprehensive business framework at a macro level that integrates all other enterprise IT frameworks and models. However, this does not preclude the use of other niche standards and frameworks dealing with specialized areas which can be integrated under COBIT.
COBIT 5 aligns itself very well with other relevant standards and frameworks such as ISO 27000, ITIL, ISO, PMBOK, and TOGAF to provide guidance on enterprise IT governance and management by keeping the overall focus as a business framework. This is very important as technical staff may often tend to focus too much on technical details while ignoring the main business objective. COBIT 5 ensures that you do not lose sight of the overall enterprise goals to meet the stakeholders’ needs while pursuing IT-related goals.
Principle 4: Enabling a Holistic Approach
An organization cannot achieve enterprise goals through technical processes alone. To bring this thinking in clear focus, COBIT 5 has defined seven enterprise enablers.
- Principles, policies, and framework
3. Organizational structures
4. Culture, ethics, and behavior
6. Services, infrastructure and applications
- People, skills, and competencies
Each enabler has four dimensions – shareholders, goals, life cycle and good practices. Enabler performance can be managed by defining metrics for achievement of goals as well as metrics for application of practice. This helps us to monitor if we are on the right track and to measure the progress made toward achieving these goals.
Principle 5: Separating Governance from Management
Governance responsibility is to evaluate stakeholder needs, conditions and options; decide on balanced and agreed-upon enterprise objectives, and to set the direction for the enterprise. Also, governance must also monitor the performance and compliance against agreed-upon direction and objectives. To help governance of enterprise IT, COBIT 5 has identified five distinct governance processes under the domain of EDM (Evaluate, Direct, and Monitor). These processes help to organize enterprise IT governance properly.
As a business framework, COBIT 5 uses the approach of the balanced scorecard (BSC).
COBIT 5 has identified a large number of stakeholders’ questions for various situations. These questions lead us to the selection of the enterprise goals. How can a framework know what goals an enterprise may have?
As per BSC principles, an enterprise has to balance its goals in four dimensions – financial, customer, internal, and learning and growth. An enterprise that has only financial goals, but no goals from the remaining three dimensions, might soon fail as its goals are not balanced. The enterprise goals ought to be business oriented and should be required for enterprise governance. COBIT 5 provides a matrix to relate enterprise goals with IT-related goals. IT-related goals are based on the BSC principle.
Governance is the need of the hour as is amply demonstrated by the failure of various enterprises who lacked an effective governance framework. Research has confirmed that enterprises which have effective governance in place are more successful and command a higher premium in the market.
COBIT 5 is not just another framework but a holistic business framework essential for governance and management of enterprise IT. With the growing importance of IT in enterprises and huge investments being made in e-Business and e-Governance projects and the e-way becoming the highway for all core business processes, it is essential that enterprise stakeholders take COBIT 5 as essential to business. Staff training needs to ensure employee proficiency in COBIT 5 to become more effective and contribute to achieving the enterprise business goals.