It is a well-known fact that one of the major improvements in COBIT 5 was the integration of both Val IT and Risk IT into the framework. This follows the logical line of development of COBIT through its different versions and better reflects the needs of appropriate governance of enterprise IT (GEIT) for modern enterprises. For those using combinations of previous versions of these 3 frameworks, or parts of them, moving into a single, unified framework is definitely a promising prospect.
The First Surprise
After using COBIT 4.1, Val IT 2.0 and Risk IT not only in my current, but also in previous organizations with very good experiences, I decided to execute a proof of concept for COBIT 5, in order not only to assess the pros and cons of adopting the new version, but also to deliver some insight into the communicated alignment with current best practices, in this case, concretely with ITIL V3 and TOGAF 9. For this purpose, a noncritical area had to be chosen—not a trivial task in an international insurance corporation consisting of more than 50 companies in 25 countries. Our decision was to apply the framework principles and instruments on the delivery and steering of services for support processes not directly connected to production at the headquarters.
To be honest, the first contact was not only surprising; it was rather shocking. Not so much due to the expected major redesign needed to reflect the stronger focus on enablers and the revised process reference model, but because of the break from the Capability Maturity Model (CMM)-based approach to maturity, which had proven very useful for many working areas in the past. Giving up this commodity within the framework was, therefore, something that took some effort to get used to.
The Second Surprise
Sometimes, being able to break habits is crucial if you do not want to miss great opportunities to evolve. Once the initial reluctance mentioned previously was overcome, the possibilities of the new framework began to become visible and the decision to apply the updated approach to additional areas was not difficult to make.
As expected, the integration of Val IT and Risk IT into COBIT 5 shifts the focus of the framework to the contribution of IT to a successful and stable business. That contribution was, of course, an extremely important part of the previous versions as well, but the former approach was rather IT-centric. The key factor now is that the 3 frameworks were not just combined into 1; they were seamlessly integrated into a consolidated unit that considers value, risk and steering on all levels. Understanding this fact is an important realization, but putting it into practice is a real eye opener.
The surprising part is that despite the changes to something as central as the process reference model, the transition from the previous to the current approach in usage is not abrupt (with the maturity assessment being the exception that confirms the rule). In this case, the smooth transition had the interesting effect of subtly pivoting the main attention of our activities within IT governance from the regulation and custody of IT into a proactive striving for IT as an enabler for business.
Even in mature organizations, the picture of what IT governance is all about is not very clear. There are still many misconceptions and oversimplifications out there, which make the confusion even greater. This applies even more to the value it should provide.
In order to have a concrete starting point, we can take a look at the definition provided in COBIT:
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.
Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.1
This is indeed a very sound definition, which confirms that IT governance concerns both business and IT management. But even though it is not difficult to achieve an agreement on this view, both sides are not always aware of the implications in terms of common goals and objectives. Creating this awareness is critical in order to avoid misalignments and conflicts that may harm the organization.
At this point, the need for a solid cooperation and communication base becomes imperative. This is an essential factor for IT to become an enabler and trusted partner for business, both in action and perception. And this brings us back to the pivoting of attention mentioned previously.
Moving the focus of your IT-related governance activities in the direction of value proposition and delivery transforms not only your own perception, but also the way you communicate and interact with both business and IT experts and, eventually, the way they cooperate with one another. Of course, you must not neglect the regulatory and custody aspects of IT governance, but by emphasizing the importance of the contribution to the common goals, those aspects become a supporting structure for cooperation instead of an inhibiting factor. In the process, the added value of the governance itself becomes visible and IT governance evolves to GEIT.
This transformation within our organization is still in progress, but we can already observe how this has started to change how some projects and initiatives are approached.
In retrospect, moving from the combined use of COBIT 4.1, Val IT 2.0 and Risk IT to the consolidated COBIT 5 triggered substantial changes to the role of IT governance in our organization. The most dramatic of these changes is the integrative aspect that has been added to the regulative side. The positive resonance of this transformation has shown its perfect alignment to the current cultural development of our organization and has a visible added value.
Arturo Umana, COBIT Foundation, ITIL Foundation
Is IT governance officer/group enterprise architect at the Vienna Insurance Group. During his career as a database architect, IT project manager, enterprise architect and IT governance officer, his work has emphasized the areas of methodology, enterprise architecture management, IT governance and IT strategy development.
1 ISACA, COBIT 4.1, USA, 2009