I have been working on introducing COBIT 5 to the IT function at Vector Ltd. since November 2011 (when the framework was available in exposure draft). In particular, I have focused on increasing our IT leadership team’s understanding of the processes as well as increasing clarity with regard to the ISO/IEC 15504 process capability standard.
Vector took a chance last year and decided from the get-go to adopt COBIT 5 whilst it was still in exposure draft. We recognised the risk that any work might have to be revisited once the final framework was released. However, we were working to fairly tight timeframes and needed to get things moving. Therefore, using 4.1 and then having to migrate to COBIT 5 a few months down the track didn’t look attractive.
As it’s transpired, the changes in the final version have not been insurmountable.
So what have been the biggest challenges for us so far? Three come to mind:
Challenge 1: Prioritizing which of the 37 processes we needed to focus on in the initial wave of effort. We had to take a very pragmatic approach based on our understanding of the business’ strategic goals as indicated in discussions with business-unit management and executives. The actual priorities were agreed upon in a workshop setting and were based on the perceived gap between our current and our target process capability levels. Using this method, we identified eight high-priority and 12 medium-priority processes that formed the basis of our process-improvement plans for 2012/2013.
Later this year or in early 2013, we may complete a “process-occurrence analysis” with the aim of providing a more robust prioritisation for process improvement to verify our initial work.
Challenge 2: Getting our heads around how ISO/IEC 15504 works and interpreting the meaning of L1 to L5 from the viewpoint of an IT team using COBIT 5 to drive improved management processes, rather than from an auditor’s viewpoint:
- Our view is that you need to forget the SEI CMMI rating scale if you have been using it previously. CMMI doesn't align with or map to the ISO/IEC 15504 process capability attributes or levels, and it could get very confusing if both scales were used together. As it happens in our case, we had spent considerable time and effort informing and communicating the CMMI scale to our executives. Therefore, it was clear that we needed to carefully manage the transition to the new scale because it would be vital that apparent variations were not misinterpreted as a reduction in capability, but rather as a different way of assessing and measuring the same thing.
- We note that attaining Level 1 in ISO/IEC 15504 is a major achievement. Many of our long-term targets are Level 2 as we believe this surpasses our needs in many process performance areas.
- Moving to Level 3 is a major jump. Our interpretation is that in ISO/IEC 15504, a Level 3 process must be defined and managed at the enterprise level in the organization. It is then used within functional areas based on clearly documented enterprise guidelines. These prescribe its use and how it can and cannot be modified. This means that if a process is only documented within a business area or functional group, it cannot score higher than L2.
- That said, we have identified several candidate L3-and-higher processes in our company. For example, Risk Management and the Financial Management processes are defined across the whole company and then adopted/adapted within each business unit, whilst always complying with the policies and processes defined by the Risk and Financial functions.
Challenge 3: Another interpretation issue—working through the outcomes and activities defined in the framework and identifying ways to make them work for a particular organization:
- Whilst taking the flexible and pragmatic approach of “adopt and adapt,” you also need to take care not to stray too far away from the framework’s base requirements.
- Interpretation—and then deciding the level to which you can adopt/adapt the framework—is a real challenge. You must ensure outcomes and activities make sense for your organization. But on the other hand, you must avoid completely rewriting a process definition. To do so, in my opinion, reduces the value of aligning and measuring your organization’s capability against a recognized framework.
- If you do make changes when adapting the framework, make sure they are based on informed discussion and are signed off at the appropriate level. This ensures you can justify the decision down the track if challenged, either by your own senior management team or by the auditors.
We are learning a lot about COBIT 5 during the completion of our initial baseline self-assessment. We decided to go the self-assessment route for reasons of simplicity and timing. However, we may move onto a full Process Assessment Model (PAM) approach later as ISACA publishes COBIT 5 tools and guidance materials and we become more proficient at what we are doing.
That is the real trick here—taking small steps and always asking questions if something doesn't make sense.
Who do you ask questions of? Firstly, we are working closely with our internal auditors as they too must understand COBIT 5. It makes sense that we work as a team. Then there are various ISACA forums and discussion groups on the ISACA web site.
Finally, there are some interesting groups in LinkedIn where fellow travellers can offer advice and “food for thought.”
Security and Compliance Manager, Vector Ltd., New Zealand