• Bookmark

Delivering Disruptive Innovation Using the COBIT 5 Framework

By Oluwaseyi Ojo, CEng, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CISSP, SABSA CSA, TOGAF 9

COBIT Focus | 4 December 2017 Japanese

Oluwaseyi Ojo In today’s competitive and dynamic business environment, it is mandatory to have disruptive innovation capability or capabilities both for growing a business and protecting existing markets. Yet delivering disruptive innovation needs new mindsets and behaviors for organization leaders and the organizations they lead. This article describes how to use the COBIT 5 framework to deliver disruptive innovation.

“Those who disrupt their industries change consumer behavior, alter economics, and transform lives.”1

What Is Disruptive Innovation?

Disruptive innovation2 describes a process whereby a smaller organization (entrant) with fewer resources is able to successfully challenge an established, successful competitor (incumbent) (figure 1). Specifically, as the large organization focuses on improving its products/services for its most demanding (and, usually, most profitable) customers, it exceeds the needs of some segments and ignores the needs of others. The entrant begins by successfully targeting those overlooked segments, gaining a foothold by delivering more suitable functionality, frequently at a lower price. For example, with Google Apps, Google challenged conventional word processing, calendaring and spreadsheet programs. By focusing on simplicity, effectiveness, collaboration and the cloud, it has created an industry for online integrated document sharing.

Figure 1—Four Elements of the Theory of Disruptive Innovation
Figure 1
Source: Massachusetts Institute of Technology (MIT) (Cambridge, USA), Sloan Management Review. Reprinted with permission.3

“Disruptors don’t have to discover something new; they just have to discover a practical use for new discoveries.”4

How Does Disruptive Innovation Occur?

Disruptive innovation occurs when a product or service takes root initially in simple applications at the bottom of a market and then relentlessly moves up market, eventually displacing established competitors.

For example, Nokia, a pioneer in the mobile/smartphone market, introduced consumers to the mobile/smartphone with its initial Symbian Series 60 devices in 2002 and had no trouble maintaining a leadership position in the smartphone industry. However, Nokia did not see the likes of Apple, Samsung and HTC as a threat and by the time Nokia realized that they were a threat, it was too late, as Apple’s iPhone changed the definition of what a smartphone should be with its full touchscreen and app-based operating system. Still, Nokia failed to respond to the Apple’s iPhone and the shifting consumer demand that came with it. “When mainstream customers start adopting the entrants’ offerings in volume, disruption has occurred.”5

All innovations can be sorted into 2 categories (figure 2):6

  • Sustaining innovation—This maintains the “rules of the game,” whether incremental or radical. They sustain the direction of improvement set by market leaders.
  • Disruptive innovation—This is often thought of as “game changers.” These are products, services or processes that have successfully overturned the dominant thinking, behaviors or technology in a market.

For example, Google Apps is a disruptive innovation (game changer), while Pfizer, the world’s biggest pharmaceutical company (by revenue), is an example of sustaining innovation. Google Apps changed the industry through the use of free online integrated document sharing. Pfizer was founded in 1849 as a manufacturer of chemicals and quickly expanded into a research-based pharmaceutical company. It augmented its research by building its brands, pipeline and profile through major acquisitions.

There are 2 types of markets that make disruptive innovation possible:7

  • Low-end markets—Footholds exist because incumbents typically try to provide their most profitable and demanding customers with ever-improving products and services, and they pay less attention to less demanding customers. This opens the door to a disrupter focused (at first) on providing those low-end customers with a “good enough” product.
  • New market—Disrupters create a market where none existed before.

Figure 2—Disruptive Innovation Model
Figure 2
Source: C. Christensen, M. Raynor. The Innovator’s Solution: Creating and Sustaining Successful Growth,
Harvard Business School Press, USA, 2003. Reprinted with permission.

Historically, customers are not willing to switch to the new offering merely because it is less expensive. They wait until its quality rises enough to satisfy them. Once that has happened, customers adopt the new product and happily accept its lower price. This is how disruption drives prices down in a market.

Using the COBIT 5 Framework to Deliver Disruptive Innovation

COBIT 5 is a framework rather than a standard, and it is designed to be adapted and adopted by organizations. It aligns systematically with cognate frameworks and standards and provides best practice guidance for the governance and management of enterprise IT. It is supported by a suite of management tools with supporting guidance that help enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT (figure 3).

Figure 3—COBIT 5 Reference Model
Figure 3
Source: ISACA, COBIT 5, USA, 2012. View Large Graphic.

Governance of Disruptive Innovation

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions, and options; setting direction through prioritization and decision making; and monitoring performance, compliance, and progress against agreed-on direction and objectives.8

COBIT 5’s Evaluate, Direct and Monitor (EDM) domain covers governance of enterprise IT (GEIT).

To deliver disruptive innovation, the following COBIT 5 processes must be considered under EDM:

  • EDM01 Ensure Governance Framework Setting and Maintenance
  • EDM02 Ensure Benefits Delivery
  • EDM03 Ensure Risk Optimization
  • EDM04 Ensure Resource Optimization

COBIT Process—EDM01 Ensure Governance Framework Setting and Maintenance

Brief description of process: This process focuses on providing GEIT, preparing and maintaining effective enabling structures, principles, processes and practices, with clarity of purpose, responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

How to use it for delivering disruptive innovation: To deliver disruptive innovation, a strong governance system (i.e., corporate vision, mission, process, leadership, strategy, branding and a variety of other business practices) must be established, implemented and effectively maintained. It is the engineering of these practices to be disruptive that maximizes opportunities.

COBIT Process—EDM02 Ensure Benefits Delivery

Brief description of process: This process focuses on optimizing the value contribution to the business from the business processes.

How to use it for delivering disruptive innovation: Disruptive innovation is often driven by needs and resources. Disruptive innovation is an investment, however; it helps take a share of the market and delivers growth opportunities to organizations that adapt to new trends. It benefits both competition and consumers by providing better, cheaper products and more accessible services. With a defined, balanced set of performance objectives, metrics, targets and benchmarks, it is crucial to monitor the key business goals and metrics to determine the extent to which the leading new trends of disruptive innovation are generating the expected value and benefits to the enterprise.

COBIT Process—EDM03 Ensure Risk Optimization

Brief description of process: This process focuses on ensuring that the enterprise’s risk management framework is established and monitored.

How to use it for delivering disruptive innovation: The pace and impact of innovation, coupled with the dynamics of the business environment, create a risk environment that requires careful management while delivering disruptive innovation. This process helps an organization remain constantly vigilant for disruptive innovation risk and helps manage business risk.

As described previously, examples of the risk of industry disruption abound. In 2011, the world leader in mobile phone production, Nokia, lost its global lead in smartphones and was on its way out of business. Four years earlier, it had recorded record profits. Nokia was unable to keep up with the pace and impact of disruptive innovation, the dynamics of the business environment, etc. Organizations from outside the mobile communications industry suddenly entered and, in a period of only a few years, became market leaders. It is crucial to remain watchful for disruptive innovation risk and ensure risk optimization.

COBIT Process—EDM04 Ensure Resource Optimization

Brief description of process: This process ensures the availability of adequate and sufficient capabilities (people, process and technology) to support enterprise objectives effectively.

How to use it for delivering disruptive innovation: An organization that wishes to deliver disruptive innovation must have the business capabilities and resources needed. This process focuses on establishing and maintaining those required resources (people, process and technology). The resource needs of the enterprise must be met in the optimal manner that will increase likelihood of benefit realization and readiness for disruptive innovation. Disruptive innovation resources must be allocated to best meet enterprise priorities within budget constraints and overall enterprise goals and objectives.

Management of Disruptive Innovation

Management plans, builds, runs and monitors (PBRM) activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Align, Plan and Organize (APO) Domain

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives. The realization of the strategic vision through disruptive innovation needs to be planned, communicated and managed from different perspectives.

To develop and deliver disruptive innovation, the following COBIT 5 management processes from the APO domain must be considered:

  • APO02 Manage Strategy
  • APO04 Manage Innovation
  • APO06 Manage Budget and Costs
  • APO11 Manage Quality
  • APO12 Manage Risk
  • APO13 Manage Security

COBIT Process—APO02 Manage Strategy

Brief description of process: This process provides a holistic view of the current business environment, the future direction and the initiatives required to achieve the desired future environment. Also, this process, through its practice APO02.02 Assess the Current Environment, Business Capabilities and Performance, helps organizations assess the current environment, business capabilities and performance.

How to use it for delivering disruptive innovation: Enterprises that wish to deliver disruptive innovation must understand their own strategy and objectives, their current operational environment and challenges, and their external environment. They can begin by identifying opportunity areas and key markets. Once a consensus is reached, they can identify priority market segments. This may lead to redefining market segments and segmentation criteria.

At this point, they should analyze the industry structure—segment clients, suppliers, potential new entrants, substitution products—and then identify what makes each player powerful, using strategic tools. For example, “The Five Competitive Forces That Shape Strategy”9 shows that suppliers boasting strong concentration, high switching costs, genuine differentiation, unique intellectual property (IP) and strong value for clients will command higher prices than industry incumbents. A similar analysis can be performed for other players as well. Enterprises seeking to use disruptive innovation should then identify value streams by estimating how value is transferred from one player to another. In other words, they should assess who is paying whom how much and for what. Another useful question is: In what ways could the entrant enterprise decrease and increase the dominant player’s claim for industry value?

Next is to assess the performance of current internal business and IT capabilities and external services, and develop an understanding (baseline) of the current business and IT environment, capabilities and services against which future requirements can be compared. This includes the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the organization structure, external service provision, governance of IT, and enterprisewide IT-related skills and competencies.10

COBIT Process—APO04 Manage Innovation

Brief description of process: This process identifies innovation opportunities; analyzes what opportunities for business innovation or improvement can be created by emerging technologies, services, or IT-enabled business innovation; and plans how to benefit from the innovation in relation to business needs.

How to use it for delivering disruptive innovation: The organization needs to establish a culture of innovation—a difficult process that must be embraced from both the top down and the bottom up. Innovative cultures share a number of key tenets, including:11

  • Encouragement for the open expression of ideas—No idea, regardless of how seemingly outrageous it may appear on the surface, is summarily dismissed.
  • Recognition that great ideas can come from anywhere—They are not the exclusive province of senior managers; they can surface at any level within the organization. All internal stakeholders should be welcome at the table of innovation. An appreciation for the fact that great ideas may emanate from outside the organization, and creation of a culture of disruptive innovation cultivates an appetite for research into how disruptive innovation can or has changed other industries and the degree to which some innovations have applicability in that industry. Recognition that change is both difficult and threatening, in various degrees, must be conveyed to employees throughout the organization. Rather than being chastised for trying something new and different, employees should be encouraged to understand the virtues of embracing innovation.

COBIT Process—APO06 Manage Budget and Costs

Brief description of process: This process provides consultation with stakeholders to identify and control the total costs and benefits within the context of the strategic and tactical plans and initiates corrective action where needed.

How to use it for delivering disruptive innovation: Charging nothing for a valuable product is not an act of charity by a company, but instead, part of a long-term business strategy based on predictable technology trends. It is important to establish and use a costing model based on this tactic of providing a valuable product for free, ensuring that allocation of costs for innovation is identifiable, measurable and predictable, to encourage the responsible use of resources. Otherwise, the disruptor may become disrupted and even extinct.

It is important to regularly review and benchmark the appropriateness of innovation cost/chargeback models to maintain their relevance and appropriateness to evolving business activities.

COBIT Process—APO11 Manage Quality

Brief description of process: This process defines and communicates quality requirements in all processes, procedures and the related enterprise outcomes, including controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.12

How to use it for delivering disruptive innovation: It is important to establish and maintain a quality management system (QMS) that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.13

COBIT Process—APO12 Manage Risk

Brief description of process: This process is a prerequisite for any set of security controls and is referenced by virtually every framework or standard on information security.

How to use it for delivering disruptive innovation: A risk assessment process is essential to identify an organization’s “crown jewels” and to focus resources on the most critical, sensitive, threatened and vulnerable areas. Data should be collected from all relevant sources (e.g., systems, applications, networks, databases) in multiple categories (e.g., access, configurations) to support the understanding of risk. These data should be considered in the risk analysis, especially for business impact analysis (i.e., what is important to the enterprise), estimating the probability of different threats and identifying the mitigating controls in place. Risk profiles should be maintained on an inventory of business processes and the supporting IT systems, applications, infrastructure, data, facilities and capabilities. This inventory should be used to identify the IT elements/assets that are most critical (highest risk) and that require the strongest controls. Risk indicators or factors (internal/external) used to maintain this inventory should be reviewed and validated periodically. Key stakeholders should be kept informed through the articulation of risk status, including worst-case and most-probable scenarios. A risk management action portfolio should be defined and maintained for the control activities to manage, avoid, prevent or transfer (insurance) risk. Response to risk events should be timely and effective based on formal test plans.14

COBIT Process—APO13 Manage Security

Brief description of process: This process requires that an information security management system (ISMS) be developed and implemented to coordinate and manage effectively and efficiently the resources and processes used, and the controls required to ensure ongoing confidentiality, integrity and availability of information and information systems in line with predefined operational and strategic objectives.

How to use it for delivering disruptive innovation: Security is crucial in innovation. This is an essential link to translate the risk process into effective security services. This process consists of defining, operating and monitoring an ISMS. An ISMS should be established as a standard, formal and continuous approach to IT security. This approach should be aligned with business requirements and business processes. An information security risk treatment plan should be defined based on realistic business cases and implemented as part of strategic objectives and enterprise architecture. The overall ISMS should be monitored and reviewed regularly through management reviews and security audits. An underlying theme here is a culture of security and continual improvement.15

Build, Acquire and Implement (BAI) Domain

The BAI domain covers identifying IT requirements, acquiring the technology solutions and implementing these within the organization’s current business processes. These BAI processes address the objective of delivering disruptive innovation:

  • BAI05 Manage Organizational Change Enablement
  • BAI06 Manage Changes

COBIT Process—BAI05 Manage Organizational Change Enablement

Brief description of process: This process helps to maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk.

How to use it for delivering disruptive innovation: Enterprises that hope to achieve disruptive innovation must prepare and commit stakeholders for business change and reduce the risk of failure. The desire for change must be understood and accepted by stakeholders. Role players must be empowered to deliver the change and be enabled to operate, use and maintain the change. This makes the change embedded and sustained, and prevents resistance to change.

COBIT Process—BAI06 Manage Changes

Brief description of process: This process helps manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. It also enables fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the business environment.

How to use it for delivering disruptive innovation: It is vital for key business processes and services not to be disrupted while adopting innovation and adapting to it. It is important to use formal change requests to enable business process owners to request changes to business process, infrastructure, systems or applications, making sure that all such changes arise only through the change request management process with minimal impact on the business processes and services.16

Deliver, Service and Support (DSS) Domain

The DSS domain focuses on the delivery aspects of IT. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of IT solutions. This DSS process addresses the objective of delivering disruptive innovation:

  • DSS04 Manage Continuity

COBIT Process—DSS04 Manage Continuity

Brief description of process: This process helps define business continuity policy and scope based on the strategy and aligns this with enterprise and stakeholder objectives.

How to use it for delivering disruptive innovation: Because organizations cannot have complete control over their business environment, they must establish business continuity management (BCM) and crisis management capabilities that can be activated when a crisis or disaster occurs. Research has shown that organizations that have innovation strategies correlated with a BCM program have increased turnover and market share.


“To be successful, innovation is not just about value creation, but value capture.”17 Disruptive innovation can bring create wealth for its proponents and drive change in the market (e.g., Amazon, Google, Netflix). But it is a game with losers as well: those who ignore it and subsequently see their business sustainability falter or disappear entirely (e.g., Nokia, Blockbuster, Xerox).

Oluwaseyi Ojo, CEng, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CISSP, SABSA CSA, TOGAF 9

Is a seasoned professional with expertise in enterprise and security architecture, audit, process development and improvement, governance, risk and compliance, IT service management, best practice standards/frameworks implementation and assessment.


1 Simmons, H.; Reinventing Dell: The Innovation Imperative, Murmurous Publishing, USA, 2015
2 Christensen, C.; Disruptive Innovation
3 King, A. A.; B. Baatartogtokh; “How Useful Is the Theory of Disruptive Innovation?MIT Sloan Management Review, 15 September 2015
4 Samit, J.; Disrupt You!: Master Personal Transformation, Seize Opportunity, and Thrive in the Era of Endless Innovation, Flatiron Books, USA, 2015
5 Christensen, C.; M. Raynor; R. McDonald; “What Is Disruptive Innovation?” Harvard Business Review, December 2015
6 Christensen, C.; M. Raynor; The Innovator`s Solution: Creating and Sustaining Successful Growth, Harvard Business School Press, USA, 2003
7 Op cit Christensen, Raynor, McDonald
8 ISACA, COBIT 5, USA, 2012
9 Porter, M.; “The Five Competitive Forces That Shape Strategy,” Harvard Business Review, January 2008
10 ISACA, COBIT 5 : Enabling Processes , USA, 2012
11 Leifer, J.; “A Step-by-Step Guide to Creating a Culture of Disruptive Innovation at Your Hospital,” Hospitals & Health Networks, 25 January 2016
12 Op cit ISACA, COBIT 5 : Enabling Processes
13 ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013
14 Greene, F.; “Selected COBIT 5 Processes for Essential Enterprise Security,” ISACA Journal, vol. 2, 2015
15 Ibid.
16 Tomczak, P.; “Improving the RFP and Contracts Process With COBIT 5,” COBIT Focus, 22 September 2014
17 Op cit Samit