COBIT Case Study: Kuwait Turk 

 

Abstract

Kuwait Turk is a participation bank established in Turkey in 1989. Its objectives are to bring diligence to the interest-free banking system; research fields of investment; and introduce contemporary, reliable, rapid and high-quality services to its customers. Kuwait Turk, which started its operations with a head office and one branch, now has 78 branches throughout Turkey. It has more than 1,350 employees who serve more than 810,000 customers. In accordance with its vision of becoming an international finance house, Kuwait Turk currently has a branch in Bahrain and a representative office in Germany.

Kuwait Turk began using Control Objectives for Information and related Technology (COBIT), developed by the IT Governance Institute (ITGI), to comply with rules and requirements set by the Banking Regulation and Supervision Agency of Turkey (BRSA), but soon realized that the use of COBIT provided many additional benefits, including more controlled IT processes that are integrated with business processes.

Background

In May 2006, BRSA passed legislation requiring all banks operating in Turkey to adopt COBIT’s best practices when managing IT-related processes. Article 30 of the legislation specifically required all banks to comply with auditing requirements based on COBIT’s control objectives. As BRSA noted in the legislation, COBIT was selected as the framework with which to comply because its control objectives are internationally recognized and considered to be effective at controlling IT-related processes.

Kuwait Turk also recognized a need to restructure IT processes for better control and measurability—which COBIT could help accomplish.

Process

The initial phase of the COBIT implementation project was the formation of a project team consisting of four members from the security, operations, business consulting, and application development and support units in the IT department. The project team received assistance from consultants from the Enterprise Risk Services division of Deloitte-Touche Turkey.

The COBIT implementation project started by identifying the tangible and intangible IT assets and their owners. After the identification of IT assets and owners, the control owners and the responsible employees of IT processes included in COBIT were determined. Then, a COBIT gap analysis was performed by documenting the existing controls and control deficiencies. After reviewing the COBIT control objectives and analyzing the applicability of each COBIT control to the Kuwait Turk environment, the bank documented the additional controls it needed to develop to meet COBIT control requirements.

Finally, an action plan was prepared to address control deficiencies identified by COBIT, delete redundant controls and redesign some existing controls to be compliant with COBIT control objectives. These controls were prioritized according to their risk level. Study groups were formed to work on processes such as systems development life cycle (SDLC), project management, information security policies and change management, to develop new controls and ensure that existing controls were aligned with the desired COBIT controls. Controls such as standards, policies and procedures were approved by IT and business senior management and published on the corporate intranet.

Kuwait Turk’s board of directors empowered two board members, who are also members of the IT Steering Committee, for the implementation of COBIT. Upon reaching every milestone of the project, the results were presented to the IT Steering Committee.

Kuwait Turk’s goals for COBIT were to help the organization:

  • Comply with BRSA requirements
  • Ensure that IT processes are designed to support the business processes and objectives
  • Ensure that long-term IT strategy and plans are consistent with business strategy and plans
  • Implement a process-centric environment where IT activities are grouped and organized in processes
  • Develop controls such as policies, procedures and standards to reduce risk to an acceptable level
  • Establish an IT quality function to monitor process improvement and compliance to COBIT controls
  • Redesign/implement critical IT processes, such as project management, SDLC, change management, security management, configuration management, risk management, quality management, application management, service level management, third-party management, backup management and IT value management

Conclusion

Goals Achieved
Kuwait Turk’s goals for COBIT were achieved as follows:

Comply with BRSA requirements.
Kuwait Turk developed COBIT controls and started implementing these controls to IT processes. The COBIT project team and IT quality assurance personnel continue to help promote awareness of COBIT controls for the bank’s personnel.

Ensure that IT processes are designed to support the business processes and objectives.
Throughout the implementation of COBIT, the project team worked with IT senior management to prepare IT strategic and tactical planning frameworks aligned with the business strategic plan to support business objectives. The IT Steering Committee later reviewed and approved the IT strategic and tactical plans.

Implement a process-centric environment where IT activities are grouped and organized in processes.
Prior to the implementation of COBIT controls, IT activities were grouped into units and job positions. Since the roles and responsibilities of IT activities were not clear, the Kuwait Turk IT department faced a challenge. After the implementation, IT activities were grouped and organized successfully into COBIT processes.

Develop controls such as policies, procedures and standards to reduce risk to an acceptable level.
The COBIT project team realized that the IT department did not have sufficient policies, procedures and standards. IT personnel rarely documented IT activities they performed and there were few internal controls with which they complied, which increased the level of IT risk. Once the COBIT project team began to develop new COBIT controls, most of the IT risks were minimized in critical processes and they were able to quantify risk exposure.

Establish an IT quality function to monitor process improvement and compliance with COBIT controls.
During the COBIT implementation, the need to establish an IT quality function was realized. One of the responsibilities assigned to IT quality assurance personnel was to consistently attempt to improve the key IT processes and increase the overall performance of services delivered to all users. Another responsibility was to ensure that business and IT users comply with COBIT controls.

An IT customer survey was conducted to measure the satisfaction level of business users with IT services, and an action plan was prepared to resolve issues reported through the survey.

Redesign/implement critical IT processes.
When establishing a process-based environment in IT, Kuwait Turk had the challenge of redesigning and implementing the IT processes. To overcome the challenge, the organization communicated with study groups/teams formed in the department.

Additional Benefits
Additional benefits Kuwait Turk has realized as a result of implementing COBIT include:

  • Changes on the systems supporting business processes are being handled in a more controlled and effective manner.
  • Through service level agreements, business users were informed about the services the IT department provides, and service level performance is provided to the business and IT senior management team.
  • Customer satisfaction is being measured, and response plans have been generated.
  • Notification of stakeholders and the visibility of IT processes have improved.
  • Problem management is more timely and efficient.
  • The business has greater involvement in IT processes where possible (system ownership in SDLC, stakeholder management in project management, etc.).

Future Plans
In the future, the Kuwait Turk IT Department will use COBIT to measure the performance of IT processes, as performance measurement is vital for effective IT governance. The IT department’s goal is to develop a process performance model, enabling the organization to keep track of performance of IT goals based on how they deliver and what they need to deliver. Key performance indicators (KPIs) and key goal indicators (KGIs) will be decided for each IT process. With the cooperation of IT and business senior management, standard performance targets and metrics of IT processes will be determined. The results of IT process performance will be reported periodically to the IT Steering Committee. After evaluating and analyzing the results of performance, continuous improvement will be further discussed. Kuwait Turk’s target is to approach the “managed and measured” level in the maturity model of each IT process.

When introducing new controls, goals, processes and standards, Kuwait Turk’s IT department examines them on a level to which new IT personnel are not accustomed. Awareness of COBIT controls and cultural change in IT department will continue to be promoted through training sessions and periodic compliance audits.

Despite beginning the COBIT project to comply with the BRSA requirement, Kuwait Turk quickly realized that IT governance helps critical IT processes become more controlled and integrated with business processes. Implementation of COBIT at Kuwait Turk also proved that senior IT management was innovative and forward-thinking about bringing IT services to a level where the IT department become one of the core competencies of Kuwait Turk Participation Bank.