Taking the first step towards implementing COBIT 5 in an organisation can be daunting, especially for smaller businesses with few resources. To be fair, it is a large body of work and could well be the first formalised framework with which the organisation engages. Many organisations may view it as an unnecessary exercise, under the belief that a small IT department will not see significant benefits, and that the implementation itself will be costly and time consuming. However, this is an unfair assessment of a powerful tool.
COBIT 5 is non-prescriptive, and because there is no certification scheme for frameworks based on COBIT 5, there are no penalties for adapting it to suit any organisation. The strength of the framework is that it is based on decades of best practices and principles of good governance and management of enterprise IT (GEIT). These can be leveraged by any organisation that hopes to ensure that IT is and remains an overall benefit to the organisation.
COBIT 5 describes five principles that define effective GEIT. While all of these principles are important, the first principle is of particular interest to an organisation just starting out with COBIT. It establishes the business setting by asserting that IT should meet stakeholder needs. It seems a bland statement—as if this goes without saying. Unfortunately, in many cases the IT department is simply ‘bolted on’ and tasked with providing a set of services. The resulting business unit becomes a sort of arcane box that operates without clear direction or defined goals. More than simply setting direction and goals, however, IT should be directed such that each of its goals feeds into the enterprise’s broader goals.
These goals are set and understood through COBIT 5’s goals cascade, which describes how all enterprise goals trickle down from the stakeholder drivers in an organic process. For a small organisation, or one undergoing significant expansion, establishing this relationship is important not only to secure the best results from IT, but also to ensure that the board remains involved and develops the necessary understanding of IT to serve the needs of shareholders and other interested parties.
The process of implementing this principle—and the other core COBIT principles—can be managed as simply or with as much detail as the enterprise deems appropriate. It is sensible to ensure that COBIT is properly consumed and understood, of course, but even taking a basic approach is likely to provide the organisation with tangible benefits when properly considered. COBIT 5 Implementation provides a good high-level overview of the principles and how they relate to the life cycle. It also provides a more granular description of how these principles can be applied in practice.
For instance, an enterprise elects to begin implementing COBIT 5 from the top down, beginning with an analysis of how the IT function is currently positioned as opposed to the position recommended by the framework. It identifies that IT is currently poorly understood by the board and that oversight in its current state would offer few benefits and may simply alienate IT. Because stakeholder needs cannot be met without understanding how IT can fulfil those needs, the board establishes a steering committee tasked not only with providing governance of the IT function, but first with understanding the services that IT can provide and how those relate to the enterprise as a whole. From this single point, the organisation can identify and mould IT’s position within the enterprise and is in a significantly improved position to make recognisable gains from IT. By making reference to COBIT 5 Implementation, the enterprise is in a strong position to realise these gains by having a clearer perspective on COBIT 5’s life cycle.
The same process can be applied across all of the five principles, allowing small organisations, or those with limited resources, the opportunity to take advantage of the core features of COBIT 5. Later, after the principles have been absorbed and have formed a solid foundation, the now more mature organisation can examine COBIT in greater detail, implementing new processes as necessary and improving current processes in line with best practices.
Small businesses gain a key advantage by adopting COBIT early: Expansion of the IT function can be handled by using COBIT as a map. During expansion, it can be difficult to predict problems that can arise, such as managing changes in focus and maintaining an agile IT function that can adapt to the sorts of changes that come in the wake of expansion. For instance, an organisation that grows by offering an additional service—a service that is enabled by the expansion of IT—runs the risk of finding that it is too successful, putting excessive strain on both the service and IT, and harming the organisation’s core services. In such a scenario, having an appropriately governed IT facility minimises the risk that it will be overstretched when the new service comes into play and is able to preserve an appropriate level of agility. This capability arises because good governance ensures that the board is more intimately familiar with the IT function and can plan for and direct it in accordance with broader strategic aims.
Using COBIT as a guide to IT growth is, of course, a simplification. The organisation must identify for itself what it needs from IT and how expansion can serve those needs. Within this paradigm, however, COBIT 5 offers a set of structured processes to smooth the transition and ensure that such growth is a symptom of improvement, directed by a knowledgeable and engaged board. In an ongoing application of COBIT 5, in fact, this should become a matter of course as the framework develops and provides the components of a continual improvement life cycle. This enables the enterprise to fully leverage COBIT’s strengths, thereby developing a mature, flexible and effective IT function.
Is the senior technical writer at IT Governance, which provides books, tools, training and consultancy for IT governance, risk management and compliance. He has written extensively on topics such as information security, governance of enterprise IT and the implementation of management system standards, and was one of the authors behind the successful IT Governance Control Framework Implementation Toolkit, which is based on COBIT 5.