Bridging the Governance Gap in Japan With COBIT 5

By Katsumi Sakagawa, CISA, CRISC, and Hiroyuki Yonekawa, CISA

COBIT Focus | 29 December 2014

Since the evolution of COBIT 5 in 2012 and its resultant widespread use, many companies across the globe have adopted it as the primary business framework for the governance and management of enterprise IT (GEIT).

In Japan, there is a fundamental concern over the deliberation to agree upon and adopt corporate governance standards. Though world-renowned for the origination of Kaizen[1] and for its fine quality-management technologies, Japan struggles with the aspect of evolution, adopting a conservative approach that borders on the extreme to avoid change. However, there are discussions underway to revise the regulatory environment and to improve the governance style of enterprises, including the methods by which governance is performed. These discussions are primarily focusing on both an application and a cultural shift. In order to define how governance should be, it is indispensable to decide what framework should be adopted. And, when improving governance style, the highlight must be on improving the governance process rather than increasing the power of an internal control organization or individual candidate to perform the governance role. The use of continuous improvement approaches such as Kaizen in conjunction with Total Quality Management (TQM)[2] standards, such as ISO 9000, to identify the gap between the goal and the status quo, provides a foundation for the COBIT 5 holistic framework and associated enabler dimensions.

Though making strides, it is widely accepted in Japan that assessing the risk of a governance gap is an urgent issue. In reviewing the COBIT 5 product family and its solutions, it is evident that there exists important strategic and process guidance to help deal with the situation at hand; COBIT 5 establishes the creation of value through the realization of benefits at an optimal resource cost while optimizing risk that, in turn, satisfies stakeholder needs (figures 1, 2 and 3).

Figures 1, 2 and 3. Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.

Every enterprise has its own valuable activities from which economic value is derived. An example of how COBIT 5 can satisfy multiple stakeholder needs simultaneously is when a company outsources its business processes or technology environment to a cloud service provider (CSP).

The appropriate governance and management of both the process and business environment are valuable, not only for the outsourcing company, but also for the company that outsources the services or processes.

As previously stated, because of Japan’s conservative cultural approach, there is an overall hesitation to evolve to a standard GEIT approach. However, it is widely recognized that critical business processes need to be managed and monitored for optimal performance. Kaizen and TQM are applied toward continuous process improvement and are instituted within organizations by motivated and committed employees. Moreover, these motivated and committed employees, instead of top management, are taking the important roles of Gemba Walk[3] to grasp organizational issues and determine solutions within the Kaizen/TQM framework. This, of course, is encouraged and welcomed by most organizations (figure 4).

Figure 4—Gap Detection Under EDM
Based on: COBIT 5 Implementation, USA, 2012

As gaps between the improvement goal and the current-state value stream are detected via the Gemba Walk and discussed at Kaizen workshops, stakeholders are tasked with not only evaluating why gaps exist, but also determining how to eliminate gaps and consistently monitor for effectiveness. This approach is successfully supported by the COBIT 5 Process Assessment Model with its capability and process dimension aspects (figure 5).

Figure 5—COBIT Process Assessment Model
Source: This figure is adapted from ISO/IEC 15504-2:2003, Table 1 on page 12 with the permission of ANSI on behalf of ISO. (c) ISO 2014 - All rights reserved.

At the heart of all Kaizen and TQM activities in Japan, the following core principles are found:

  • To maximize customer satisfaction, the current processes to provide services to customers must be well operated and organized.
  • To protect sensitive customer information from disclosure, the processes to use, store and back up confidential customer data must be well organized, monitored and governed.

The COBIT 5 Implementation[4] professional guide is an extremely useful resource. Because Kaizen focuses on human assets as well as gradual evolution, rather than radical change, chapter 5, Enabling Change, in COBIT 5 Implementation provides enhanced direction by discussing how “Human, behavioural and cultural barriers must be overcome so that there is a common interest to properly adopt, instill a will to adopt and ensure the ability to adopt a new way.”

The COBIT 5 framework integrates the principles of many internationally recognized process improvement and quality initiatives such as ISO 9000/9001[5] and, as such, provides flexible, practical guidance and specific approaches to help satisfy the achievement of these core principles. The COBIT 5 framework clearly defines effective management and governance of enterprise IT, and because of its versatility, also provides models that help define and measure improvement to satisfy quality goals and create value for the enterprise.

As enterprises continue to evaluate appropriate governance and management approaches, COBIT 5 as an enterprisewide framework has already incorporated and aligned with many standards and best practices currently applied and would facilitate bridging the gap in governance recognized in Japan today.

Katsumi Sakagawa, CISA, CRISC, is project board review and audit administrator at JIEC Co. (Sumitomo Computer Service group company). He has more than 10 years of technical risk audit and consulting experience, and more than 20 years of professional software development and delivery project management experience. He is a member of ISACA’s Professional Standards and Career Management Committee, a chair of the ISACA Tokyo (Japan) Chapter’s CRISC Committee and the former chair of the Tokyo Chapter’s Standards Committee.

Hiroyuki Yonekawa, CISA, is a senior IT auditor at SMBC Nikko Securities Inc. He has 10 years of IS audit and assurance experience, including global US Sarbanes-Oxley and J-SOX engagement at KPMG AZSA LLC. He is a member of the ISACA Tokyo Chapter’s Standards Committee.


