Sustainability, sustainable development and social responsibility are related terms.
Social responsibility includes an organization’s responsibility for the impact of its decisions and activities on society, the environment and economy, and, therefore, its contribution to sustainable development and sustainability.
A recent ISACA Journal article, “The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses,” presents what COBIT 5 can do for sustainability, including:
- Improve governance. COBIT 5 ensures that all stakeholders are identified and their needs are evaluated in order to determine the enterprise’s sustainability goals and its associated IT-related goals.
- Improve measurement, monitoring and evaluation systems. COBIT 5 uses indicators and can adopt the existing sustainable development indicators as management tools at various levels and in various sectors in order to improve environmental monitoring and information systems at different scales.
- Assess the roles of public and private actors. COBIT 5 recognizes different stakeholders with different needs and obligations.
- Increase the resilience of human and natural systems. COBIT 5 suggests stakeholder needs related to sustainability and, thus, allows the use of its goals cascade to ensure the identification of enterprise goals and the evaluation of possible risk that can hurt their achievement. So, the implemented IT process will be capable of delivering outcomes even if the risk factors materialize and the conditions are not the best.
This article focuses on the COBIT 5 processes for governance of enterprise IT (GEIT) and proposes how governance practices and activities can be adapted to balance IT with environmental, social and economic aspects.
COBIT 5 IT Governance Process Domain
The board of directors (BoD) makes or approves all major decisions on sustainability and social responsibility. The COBIT 5 GEIT domain contains 5 governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. In order to include environmental, social and economic aspects, organizations have to rethink some practices and activities:
EDM01 Ensure Governance Framework Setting and Maintenance:
- What is the extent of the importance of sustainability and social responsibility in the business environment?
- Identify internal and external environmental factors (legal, regulatory and contractual obligations) and sustainability and social responsibility trends in the business environments.
- Determine the significance of IT and sustainability- and social responsibility-related IT issues
- Consider participation in local and internationally recognized working groups to identify trends, risk, new regulatory frameworks, practices and perceptions.
- Who are the stakeholders?
- External—Government, regulators, society in general (including future society), shareholders, business partners, customers, suppliers, consultants and external auditors
- Internal—The BoD, C-suite executives, business executives, business processes owners, IT managers and users, compliance managers, human resources (HR) managers, internal auditors, and personnel
- What are the sustainability and social responsibility principles that will guide the design of governance and decision-making of IT?
- Consider compliance with legal and other requirements, use and consumption of resources (natural and non-natural) and the impact on the environment, natural resources, economy, economic development, employment, eradication of poverty, and public and occupational health and safety.
- What about structure, decision making, communication and commitment?
- Include and coordinate sustainability-and social responsibility-related IT issues into all committees: risk management, compliance or audit, nomination and remuneration, and, of course, sustainability or responsibility committees. Come to an agreement with the chief sustainability officer or executive management on the way to establish informed and committed leadership.
EDM02 Ensure Benefits Delivery:
- What sustainability and social responsibility aspects constitute value for stakeholders and for the enterprise? Are both current and future generation requirements considered? What is the extent of these aspects on IT-related issues?
- Is this expected value considered when the contribution of the IT-enabled initiatives, services and assets to the overall enterprise value is set? Are both current and future uses of IT considered?
- Is this expected value well communicated, understood and applied in the IT decision-making process?
EDM03 Ensure Risk Optimization:
- What sustainability and social responsibility aspects constitute risk for stakeholders and for the enterprise? What are their risk appetite and tolerance? Are both current and future generation requirements considered? What is the extent of these aspects on IT-related issues?
- Are the effects of the risk continually evaluated for all IT-enabled initiatives, services and assets? Are both current and future uses of IT considered?
- Are risk, limits and effects well communicated, understood and applied in the IT decision-making process?
EDM04 Ensure Resource Optimization:
- Are resource needs met in a sustainable manner?
- Are sustainable management principles related to resource usage considered to enable optimal use of IT resources throughout their full economic life cycle?
- Are sustainable goals and metrics included in resource management monitor process?
EDM05 Ensure Stakeholder Transparency:
- Are sustainability- and social responsibility-related IT issues integrated in formal enterprise communications? Are stakeholders’ information requirements met?
IT governance implies evaluating, directing and monitoring the current and future use of IT in the enterprise. This entails considering the impact of the enterprise’s decisions and activities on society, the environment and the economy, and, therefore, its contribution to sustainable development and sustainability. COBIT 5 enables and facilitates a structured approach to the necessary evaluation and decision-making processes.
Graciela Braga, CGEIT, COBIT Foundation, CPA
Is an audit and internal control professional who conducts reviews for public and private entities using international frameworks such as COBIT, COSO and the ISO 27000 series. She has participated in the preparation and review of ISACA products and research related to COBIT, privacy and big data, and business benefits. She is the author of the ISACA Journal article “The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses.” She also authored the COBIT Focus article “COBIT 5 Applied to the Argentine Digital Accounting System.”