Governance over a complex and continuously evolving domain such as enterprise information and technology (I&T) requires a multitude of components, including processes, organizational structures, information flows, behaviors, etc. All of these elements must work together in a holistic way to correctly understand, design and implement a fit-for-purpose enterprise governance system for I&T.
COBIT 2019 brings these components together in a generic framework of good practices for the achievement of 40 governance and management objectives. However, experience and research have shown there is no such thing as a one-size-fits-all governance system for enterprise I&T. Every enterprise has its own distinct culture and profile and differs from other organizations in several aspects, including:
- Size of the enterprise
- Industry sector
- Regulatory landscape
- Threat landscape
- Role of IT for the organization
- Tactical technology-related choices
These differences in external and internal context and strategy are important influencers for the design and implementation of the organization’s governance system. Any COBIT 2019 implementation will, thus, require tailoring before it can be fit-for-purpose.
The purpose of the design workflow is to allow every organization to start from the COBIT core model and, from there, adapt the governance system to its own priorities and specificities.
To assist with the tailoring of the standard and generic COBIT framework and allow every organization to maximize value from its use of I&T, the COBIT 2019 design workflow was developed. The purpose of the design workflow is to allow every organization to start from the COBIT core model and, from there, adapt the governance system to the enterprise’s own priorities and specificities. It is difficult to do everything at once when implementing or improving I&T governance—organizations have limited resources and change capacity. The design workflow helps organizations to identify and focus on the right priorities first. Designing a tailored governance system is an iterative process that is repeated when changes in the organizational context or strategy (or in any other design factor) occur.
The design workflow takes into consideration a number of design factors (DFs). These are factors that can influence the design of an enterprise’s governance system (figure 1).
Figure 1—COBIT Design Factors
Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.
DFs help the organization describe its context and strategy by proposing a set of values for each design factor. For example, DF 6 Compliance Requirements has 3 possible values—High, Normal or Low—and these values, in turn, are associated with numeric scores. When the enterprise describes its regulatory environment, it chooses one of the 3 values; together, the values and related scores contribute to a finely calibrated design workflow1 and help the organization determine:
- Priorities when implementing the 40 governance and management objectives defined in COBIT 2019
- Target capability levels for selected corresponding processes
Additional guidance on specific topics, or focus areas, is in development; focus area content will provide even more tailored guidance specific to digital transformation, cloud, DevOps, small and medium enterprises, risk, and information security.
When starting an I&T governance implementation project—or when looking to improve the existing I&T governance system—the enterprise’s first step should always be to apply the design workflow and tailor the COBIT 2019 framework to be fit-for-purpose for the organization at hand.
This tailoring exercise coincides with phases 1 through 4 of the 7-phase workflow described in the COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution. The COBIT 2019 Design Guide and COBIT 2019 Implementation Guide are, therefore, complementary, and each provides specific guidance for a subsection of the end-to-end governance implementation process. Together, they form the manual for every organization looking to implement or improve its governance system for I&T.
The COBIT 2019 Design Guide and the design workflow enrich the COBIT suite with the potential to support many organizations on their unique paths toward value-add I&T governance. Share your experiences in the COBIT and Frameworks area of the Engage portal.
Is a consultant on a wide range of governance projects in both the public and private sectors as a senior manager with PricewaterhouseCoopers. Her work has included acting as a consultant for ISACA for almost 10 years. She was actively involved in the development of COBIT 5 and its related publications and again played a key role in developing the COBIT 2019 series of publications.
1 ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018