2019 is off to a strong start—there is an exciting year to come, and a refreshed and revitalized IT governance framework to explore. Released in December 2018, COBIT 2019 is a major revision of the well-established set of guides for effective IT governance. Thankfully, the perfect opportunity presented itself to test-drive COBIT 2019 with a client in Asia whose project commenced only days after the new framework was published.
The COokBook for IT
One of the authors is a passionate advocate for COBIT and, since 2006, has conducted more than 100 IT governance assignments globally using the COBIT framework. Over the years, he developed a unique style to explain the benefits of COBIT to IT leaders in a way that anyone can understand. He talks about COBIT as the “COokBook for IT.” Processes are analogous to ingredients such as water, pepper, salt and chicken. With the right recipe of ingredients, any organization can create the perfect IT meal that optimally aligns business and IT around shared goals. Some organizations like their meal more spicy (innovative and risk tolerant), while others prefer a more traditional or conservative approach. Whatever the preference and environment, the COokBook for IT provides guidance, connections between theory and practice, transparency and tools to achieve success, while also ensuring the right prioritization.
COBIT 2019 Applied in a Major Asian Bank
A mere 22 days after COBIT 2019 was published, the opportunity presented itself to lead a team that would assess—and then recommend improvements for—IT governance at a major Asian bank. It was decided to use the newly revised framework in the project. During the client kick-off meeting, the COokBook philosophy was introduced. It was (again) well received, and the practitioners offered a 24/7 COBIT hotline to ensure that bank team members would never get lost in the expansive space of the COBIT universe.
Sessions with the bank team—rather than interviews—were conducted to develop an interactive and dynamic approach for communication, gain an understanding of the team’s current status and absorb the flavor of the organization. Does the bank team prefer salty or spicy? Each session ended with a request to pick the 5 top enterprise goals and rank them.
Results of these initial inputs were revealing (figure 1). Business management, the IT team and the chief information officer (CIO) did not quite align. This realization is already serving well in the prioritization of processes (i.e., the ingredients of the governance system) going forward.
Figure 1—5 Priority Enterprise Goals as Ranked by Business Management and IT
Although the project has just commenced, some initial impressions have already been gained:
- Participants share a common understanding that the organization is undergoing substantial digital transformation.
- The top 2 goals, as ranked by the CIO and business management, do not coincide with the internal IT team’s top 2 goals.
- EG10 Staff skills, motivation and productivity was not ranked first by any stakeholder.
- The IT team considers business-service continuity/availability (EG06) to be a critical concern, which was not shared by others. This may reflect an expectation by the business where achievement is not always appreciated.
- It is encouraging to see the IT team focused on innovative products (EG13) and business risk (EG02), given the rate of change in financial services.
The client was impressed that such a revealing output could be generated in the very early stages of an assessment. Currently, further discussion is underway to cascade the enterprise goals and lay the foundation for process prioritization.
Applying the COBIT 2019 Design Factors
It was decided to leverage the new design factors, which were introduced with COBIT 2019. The client specifically requested that teams focus on IT outsourcing. So, Design Factor 8 Sourcing Model for IT was chosen to streamline and fine-tune the approach. However, during practical execution, it became clear that approaching the outsourcing topic at the level of governance/management objectives alone may not reveal the full potential for improvement. Therefore, the decision was made to dive down to the governance/management practice level, to select those practices that are relevant for outsourcing and work back up to the objectives level. Finally, the teams decided to focus on the management practices during the assessment of capability levels—at which point, they introduced a more granular, nuanced capability-level scale (figure 2).
Figure 2—Bottom-Up Approach: Identifying Management Practices and Aggregating Up to Management Objective Level
View Large Graphic.
Fresh Perspectives on the Capability Model
Within 2 weeks of the engagement, it had been determined that the updated capability model in COBIT 2019 is more useful and practical than in previous guides. The model in COBIT 5 was somewhat challenging. COBIT 2019 can be further enhanced by adding reference activities for all capability levels, so applicability and transparency should be increased.
It can be strongly argued that a global capability benchmark database structured by industries, regions and organization size would be enormously helpful as a complementary tool for COBIT 2019. This would allow for the addition of another recipe to the COokBook of IT: How do organizations compare to peers in preparing their IT dish?
Positive Conclusion and Next Steps
In a nutshell, COBIT 2019 is a great update. Working with the new version is good fun. Various dimensions and perspectives can be addressed, based on a robust core process model with all the value-adding inputs. The COBIT 2019 capability model increases practicability, while the new concept of design factors allows enterprises to season its recipe for governance system design.
So, what is next? Efforts will continue to promote and introduce COBIT as the best available framework/COokBook for IT—to face digital challenges and to make the world (at least the IT world) a little bit better, with COBIT 2019 as the clear leader for enterprise governance that goes well beyond an audit checklist. The authors plan to address ways that COBIT 2019 can become more accessible, relevant and timely, e.g., through a mobile-application interface.
Stay tuned for more stories of COBIT 2019 practical use cases.
Markus Walter, CISA, CISM, COBIT Foundation, CISSP, ITIL, PMP, TOGAF
Is global digital CIO senior advisor within a big-4 consulting organization. He contributed to COBIT 2019 as an expert reviewer and is hyper-passionate about digital governance. COBIT made him travel the world, literally, performing assignments and presentations on all 5 continents in places such as Brunei, Mongolia, Trinidad and Tobago. He is always looking for like-minded digital musketeers to further drive/embark on the journey towards COBIX – Digital Governance. Feel free to contact him at firstname.lastname@example.org. He invites readers to contact him when they are in Salzburg, Austria, his hometown. He might arrange for a free ride on the tour of the city famous for Mozart and The Sound of Music.
Is an independent digital IT strategy consultant and an expert on IT, emerging technologies and the business impact of digital trends. He has worked in and lived across Asia, Australia, Europe and North America, working in senior regional roles with IT firms engaged in software, services and research. Hayward established Gartner in Asia Pacific, as well as Tivoli Systems and Candle Corporation. He has also cofounded several technology firms.