
Better the Process You Know Than the Gaps You Don’t

By James Reeve, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation and Assessor

COBIT Focus | 20 August 2018

The FirstRand Group is a financial services provider in South Africa. It is one of the largest financial institutions in South Africa and the holding company of First National Bank (FNB), a retail and commercial bank. One of the core principles of the FirstRand Group is an ownership culture in which each subsidiary is empowered to make business decisions. This ownership culture is evident in FNB, which consists of multiple complex and independent business units, each accountable for its own line of business. Each business function is supported by an independent IT department, and these departments are at varying levels of maturity. These varying levels of maturity, coupled with the complexity of the organization, have introduced associated risk into the IT ecosystem of FNB.

To address the potential risk, the FirstRand Group drafted an IT governance framework that was approved by the Governance Committee, where it obtained the support of the board of directors. The framework, which was based on King III principles (at that time), was principle-based so as to govern the subsidiaries effectively while allowing them the flexibility to respond to their business environment and to select the supporting framework best suited to their needs.

Development of the IT Governance Program

To align to the group framework, an IT governance program was created and launched within the FNB. The primary goal of the program was to identify and address the risk and issues for IT across the organization to attain increased maturity and effectiveness of IT. The agreed deliverables for the program were:

  • Selecting and implementing the best-suited supporting framework
  • Measuring the process maturity of the various IT departments
  • Determining potential areas for remediation

FNB started an investigation to select the best-suited supporting framework to align to the group IT governance framework. Research led to COBIT 5 being selected as the best fit for FNB. COBIT 5 was recognized as the industry leader for IT governance and supported several of the existing frameworks already firmly entrenched across IT in FNB including ITIL, The Open Group Architecture Framework (TOGAF), the Project Management Body of Knowledge (PMBOK) Guide and Standards, and Projects in Controlled Environments 2 (PRINCE2).

Peter Alkema, chief information officer (CIO) for FNB Business Banking, explains:

COBIT 5 was agreed as our IT governance framework in FirstRand and, as a business unit CIO, I was keen to leverage any assets and internal support. The central IT risk team ran a number of workshops with our IT teams in the segment and helped us established not only the baseline of compliance, but also sufficient action plans in key focus areas for us to institute project plans to improve governance maturity. We then monitored progress on those projects during the year and used the COBIT 5 material to continually calibrate and benchmark ourselves. I really valued the incremental approach that we took because, although the framework is impressive and comprehensive, it is daunting to try and implement too much in one go. COBIT 5 also helps professionalize the IT function much as a Chartered Accountant does for a finance person. It means I can have better conversations with business stakeholders about what “good” looks like in IT and how to get there.

Once COBIT 5 was selected as the framework, various tools were investigated to assist in the implementation. This led to a partnership with Info-Tech Research Group, a research company that provided a diagnostic tool to assist with highlighting areas of concern. This tool helped fast-track the implementation of COBIT 5 across FNB through its easy-to-understand interface for IT executives.

Coby Bergman, senior director in Info-Tech Member Services, adds:

For the past 3 years, the Info-Tech Research Group has been collaborating with FNB to develop and implement the IT governance program. The goal of the program was to establish a practical approach to assessing the maturity of IT’s core capabilities—the processes that underlie all of IT’s successes and failures—and use those assessments to identify, prioritize and implement the IT process improvement initiatives that would enable successful delivery of business objectives. Essentially, it is an exercise to sharpen the saw.

Fast-forward 3 years and FNB has developed an outstanding IT governance program that maintains a rigorous focus on practicality and business value delivery.

Development of the IT Governance Program

To help with the understanding of IT governance, an analogy of a Formula 1 race was used. Some of the key concepts used include (figure 1):

  • The CIO is the driver of the program.
  • The IT management team is the pit crew.
  • The race car is the architecture that is in place.
  • The risk-and-audit-combined assurance team represents the engineering crew that monitors the race car over the period of the race.

Figure 1—Formula 1 Race Analogy
Source: Bert van Dijk, Wikimedia Commons

In keeping with the Formula 1 theme, the program was broken into three phases: qualifying, race and podium (figure 2).

Figure 2—Three Phases of the Program
Source: Ben Ashcroft, Wikimedia Commons

The qualifying phase was the phase in which the COBIT process maturity assessment was completed in a 1-day workshop. All the IT management team members were invited to the workshop, which covered each of the 37 COBIT 5 processes using the following steps:

  • Discussion of the process description and purpose
  • Agreement on the process owner
  • Assessment of the current effectiveness and importance of the process
  • Assessment of the process against COBIT level-1 practices (the COBIT 5 base practices and work products as contained in the COBIT Process Assessment Model [PAM]: Using COBIT 5)

At the completion of the workshop, a heat map was developed, based on the IT management team’s self-assessment. The heat map was produced using the Info-Tech diagnostic tool (figure 3).

Figure 3—Example Heat Map
Source: Info-Tech. Reprinted with permission.

To complete the qualifying phase and further understand the process maturity of the IT department, all identified high-risk areas, open audit findings and declared exceptions were mapped by the IT risk manager onto the same heat map shown in figure 3, extending the information describing the status of the process.

The heat map was then interpreted by applying different criteria to determine which processes would provide the best value to the business when the practices associated with those processes were improved.

The results of the interpretation were presented to the IT management team by suggesting potential processes for improvement. The decision to improve a process was the responsibility of the IT management team, which had the full mandate to select any process, not necessarily the suggested processes.

The next phase was the race. This is the implementation phase, when all improvement processes identified by IT management were remediated. The process owner identified in the workshop was responsible for ensuring that the process was successfully remediated. Targets were written into the process owner’s performance contract, and the IT risk manager provided oversight to ensure that the process was successfully remediated.

The final phase—still to be implemented as part of this program—is the podium, in which assurance will be provided to the business unit that processes selected for remediation were successfully implemented. The internal audit team will provide assurance by auditing the process against the same COBIT practices by checking for evidence of the process’s effectiveness in delivering the required business value.


The first step to implementation was to gain buy-in for the program. There was already buy-in from the board of directors as it had approved the IT governance framework. Additionally, there was buy-in from the CIO of FNB, who was the project sponsor of the IT governance program. This senior stakeholder support helped gain momentum in the implementation of the program. The remaining task was to gain support from the various CIOs from each of the FNB business units. This was done through an extensive communications plan that had 2 simple messages:

  • Adopting an IT governance framework will help the IT department become more efficient and effective.
  • The approach will be collaborative, ensuring that CIOs can make the IT governance framework fit for purpose.

One of the challenges was that not all of the various CIOs bought into the need for an IT governance program. To overcome that challenge, the program was initially launched on a voluntary basis, leading to uptake of the program by the eager and supportive CIOs. The supportive CIOs’ successes were then communicated to those CIOs who had not bought into the program in order to get them involved.

The workshop to assess the IT processes ended up being extremely successful. It provided an opportunity for the IT management team to have a view into each other’s responsibilities outside of the normal work context while providing a platform to objectively debate the performance of the IT department. Although the workshop was a success, it was not without challenges. One of the challenges was the amount of work that needed to be covered during the workshop. Often the workshops would start early in the day and end late at night. Splitting the workshop over multiple days was suggested to senior management but ultimately rejected. Instead, the challenge was solved by focusing the workshop on the priority processes and performing only a light assessment on the nonpriority processes.

Richard Preston, CIO of FNB Foreign Exchange, explained the process this way:

For us to achieve our goal of continuous improvement, we first need to measure where we are and then prioritize key themes that need improvement. The IT governance team has helped us assess our maturity across the COBIT framework and helped us identify and prioritize key areas that require improvement. This has added significant value to our continuous improvement program, as it will allow us to focus on key themes that will provide the greatest return on investment, and objectively measure improvements that we make in the management and governance of our IT processes.

The program could only be considered successful if the ineffective processes identified by the IT management team were improved. However, as with all process improvement initiatives, the priority assigned is often not appropriate, leading to the project being sidelined by operational issues. To ensure the appropriate priority was maintained, the initiatives were included on the IT management committee agenda as a regular status update. This resulted in the following successes of the IT governance program, among others:

  • A knowledge platform was developed for the Business Banking segment to share knowledge.
  • The architectural process was improved to ensure all architectural diagrams remain current in the business unit.
  • Two IT departments that had merged to form an Enterprise Resource Planning (ERP) Technologies business unit used the results of the IT governance program to develop a new change management process.
  • Multiple and inconsistent asset databases in the Points of Presence (POP) business unit led to a project to identify why and what was causing the inconsistencies and improve the asset management process.
  • Process owners were assigned for each process, and the assignments were labeled on a wall chart in clear sight. This provided clarity and a point of reference for all staff that had not existed before the IT governance program.
  • Many CIOs have adopted the COBIT 5 process model as an IT universe.

According to Gerhard Buitendag, CIO of FNB Enterprise Resource Planning, “The COBIT framework has helped us focus on the high-impact, high-value problem areas in our processes, thereby ensuring big returns for relatively little change. It helped us declutter the problems we had in our processes.”

Plans for Future Use

The IT governance program was launched as a self-assessment against the various level-1 COBIT 5 practices and work products. The self-assessment was valuable in identifying many new areas of risk and issues, but to provide more assurance, the program will evolve to a class 3 assessment, as described in the COBIT Assessor Guide: Using COBIT 5, in which supportive evidence will be gathered to ensure base practices are effective.


The IT governance program successfully achieved its objectives by providing a clear understanding of the potential risk and issues in each of the processes. The priority risk and issues were addressed through remediation projects that improved the risk posture and IT service delivery of FNB. Another positive advantage was that the program provided knowledge sharing and education to the CIOs’ teams as to the coverage of IT. This could be seen especially in teams that were focused on very specific objectives like development, operations or support.

Overall, response to the program has been favorable. Sundesh Balraj, head of IT risk for FNB, noted the ability to use COBIT as a compass to map and prioritize the key IT goals together with the gap that needed to be bridged. “This enabled us to move from okay to good,” he added. “COBIT provided us with a standardized view across all IT domains, which meant stakeholders across the first and second line of defense now had the same vocabulary and expectations of IT.”


The author would like to extend thanks to Avin Mansookram, CISA, CGEIT, COBIT 5 Assessor, MFT Executive Advisory Services, who initiated the compilation of this article and performed extensive editing and review. In addition, the author would like to extend thanks to Sundesh Balraj, FNB, for providing valuable feedback.

James Reeve, CISA, CRISC, CISM, CGEIT, COBIT 5 Foundation and Assessor

James Reeve is the team lead of the divisional IT risk team of FNB. His experience spans 17 years and covers many different industries, including financial services, online gaming and fast-moving consumer goods (FMCG). He is passionate about IT governance and risk and believes both are essential to achieve the future of sustainable and ethical business that is desperately needed in the world today.