What constitutes true adoption of COBIT 5? Is it a minimum condition that at least one principle of COBIT 5 is adopted for true adoption of COBIT 5? To answer this question, one must look at COBIT 5’s principles, in other words, its raison d'être. The five principles of COBIT 5 are Meeting Stakeholder Needs, Covering the Enterprise End-to-End, Applying a Single Integrated Framework, Enabling a Holistic Approach, and Separating Governance From Management.1 This article focuses on the Covering the Enterprise End-to-end and Separating Governance From Management principles, or more specifically, on how to enhance alignment of business and IT by embodying the concept described in figures 1, 2 and 3, in order to address the question stated previously: Is it true adoption of COBIT 5 to simply change the processes of COBIT 4 into those of COBIT 5 as the basis of controls?2
From COBIT 4 to COBIT 5
Since October 2012, members of the COBIT study group (the “group”) of the ISACA Tokyo (Japan) Chapter have been meeting to explore case studies on the adoption of COBIT in Japanese enterprises. As part of this effort, the group conducted a web-based survey of all members of the ISACA chapters in Japan (Tokyo, Osaka, Nagoya and Fukuoka) regarding adoption and usage of COBIT in general and the use of COBIT 5.
The results of the survey indicated:
- 48 percent of respondents’ enterprises have adopted COBIT. Eighty percent of those enterprises have adopted COBIT 4.1 or an earlier version, and 20 percent use COBIT 5.
- 61 percent of the enterprises have adopted COBIT for complying with domestic and/or overseas regulations such as the US Sarbanes-Oxley Act of 2002 (SOX) or Japan’s equivalent, the revision of the Financial Instruments and Exchange Act of 2006 (J-SOX).
- 52 percent of the enterprises that have adopted COBIT 4.1, COBIT 4 or a previous version replied “No” or “Don’t Know” when asked about upgrading to COBIT 5.3
How does one interpret these results? Do enterprises in Japan not understand the value of COBIT 5? The survey suggests that 65 percent of the respondents generally understand all or part of COBIT 5, and one of the most important factors contributing to the popularity of COBIT may be the sharing of lessons learned from the experiences of other organizations that have adopted and use COBIT.4 Yet, in Japan, there are very few cases of adoption and usage of COBIT 5, possibly because most Japanese COBIT users depend on the Japanese versions and not much time has passed since the issuing of the Japanese version of COBIT 5.5
However, there is another issue to be considered: the widespread adoption of COBIT 4.1 and COBIT 4 in Japan, mentioned previously. Quite a few Japanese public enterprises have adopted COBIT 4.1 or COBIT 4 for the establishment of IT general controls in order to comply with the US or Japanese SOX acts. Thus, if an enterprise simply changes COBIT 4.1 or 4 into COBIT 5 as the basis of its controls for complying with regulation, does this mean that it has truly adopted COBIT 5, which intentionally avoids the concept of control objectives? If an enterprise has adopted COBIT 5 without the core of its principles, has it truly adopted COBIT 5? A necessary condition for true adoption of COBIT 5 would be introducing at least one principle of COBIT 5.
Of the five COBIT 5 principles, Covering the Enterprise End-to-end and Separating Governance From Management can be more easily implemented into real organizational structures of enterprises than the others.
Relationship of Governance and Management
Three COBIT 5 figures illustrate the principles of Covering the Enterprise End-to-end and Separating Governance From Management (figures 1, 2 and 3).
Figure 1—Key Roles, Activities and Relationships
Source: ISACA, COBIT 5, USA, 2012
Figure 2—COBIT 5 Governance and Management Key Areas
Source: ISACA, COBIT 5, USA, 2012
Figure 3—COBIT 5 Process Reference Model
Source: ISACA, COBIT 5, USA, 2012
The relationship between governance and management described in these figures is clear and provides a better understanding of the core elements of COBIT 5. So how can one adapt this concept to actual organizational functions? Especially for relationships among processes, figure 3 reminds users to utilize input/output (I/O) flows/networks. Since its legacy versions, COBIT has explained the relationships among activities in several processes systematically and organically, showing I/O flows/networks, which is one of the strongest points of difference from other frameworks, guidelines or standards. However, COBIT 5 has transformed its I/O flows/networks, changing the unit of I/O relationships from processes in COBIT 4.1 to management practices. Thus, I/O flows/networks to support the governance management cycle must be traced back to processes as outlined in the conceptual model of business case processes in the article “The Business Case as an Operational Management Instrument—A Process View”6 (the “article”) because:
- The business case processes discussed in the article can be used as a mechanism for improving IT-related investments in enterprises.7, 8 Through assessment of IT-related investments, business case processes are critical management mechanisms for the enhancement of alignment between business and IT, which has been the most important theme of COBIT since its legacy versions and continues in COBIT 5. This is repeatedly emphasized in its principle of Covering the Enterprise End-to-end, and it is elaborated within the goals cascade concept.9
- It is important to grasp the relationships between a business case and COBIT 5 by mapping business case processes to COBIT 5: Enabling Processes. The article itself does not mention I/O flows/networks in COBIT 5, but it presents a starting point for considering them.10
- The difficulty of adoption and review of business cases and their accommodation in enterprises provides an opportunity to consider how to recognize to-be activities that promote and improve critical management mechanisms such as business case processes in the governance management cycle in COBIT 5.11
Furthermore, some of these elements involve double-loop learning, which is recommended for organizational learning in the plan-do-check-act (PDCA) cycle for the achievement of an organization’s objectives.12 Under the concept of double-loop learning, an organization should not only learn direct lessons from the results of its actions for achieving its objectives and take corrective actions for improving its tactics, but also reconsider the probability of changes in the backgrounds or environments around it and the appropriateness of its strategies, which are the basis of its tactics. The organization should then modify its strategies, organizational structure and critical management mechanisms if needed.
If enterprises only rotate the PDCA cycle for improving an individual investment program, developing, maintaining and reviewing the business cases for that program, they are conducting single-loop learning. However, if they also rotate another PDCA cycle at a higher level, reconsidering the internal and external environments around them and their strategies and accommodating business case processes, they are conducting double-loop learning.
COBIT 4.1 and 4 insist on a PDCA cycle for IT governance structures as a whole (the plan, build, run and monitor [PBRM] cycle).13 However, they do not definitively explain the definition of, and the difference between, the two types of PDCA cycles stated previously as related to the concept of double-loop learning.
COBIT 5 APO05, which uses the words “business case” most out of all the processes, explains how enterprises accomplish effectiveness of investment programs using business cases. Here one can read a single-loop learning or single PDCA cycle for the assessment of an investment program; however, it may be hard to gain insight into the existence of the concept of double-loop learning with another PDCA cycle for improvement of business case processes for effectiveness of investment programs.
COBIT 5 has evolved the PBRM cycle of COBIT 4.1 and COBIT 4, deemed to be mainly applied to the IT division of enterprises, into the governance management cycle of COBIT 5, with more involvement of top management and business-side executives. Thus, the concept of double-loop learning, a PDCA cycle in which a governing body monitors the backgrounds or environments around the enterprise, evaluates its strategies, and directs improvement of critical management mechanisms such as business case processes, is more definitively recognized in COBIT 5’s governance management cycle.
Based on these considerations, COBIT 5: Enabling Processes and its governance management cycle can be used to promote and improve business case processes. And, in doing so, one takes COBIT guidance beyond its traditional use, from COBIT 4.1/4, as a basis of controls in enterprises, as follows:
- Trace I/O mappings from the management practices of COBIT 5 that are mapped from business case practices to the relevant processes and management practices in the Evaluate, Direct and Monitor (EDM) domain. Because solving issues such as the difficulty of implementing and promoting a critical management mechanism (i.e., business cases) requires high-level decisions and actions, which are explained in the EDM domain, the question is whether one can find there any to-be activities or a PDCA cycle for solving these issues, i.e., elements of double-loop learning.
- Connect the results of the trial by completing the mapping for the whole governance management cycle, because mapping only management practices does not capture the strong point of the governance management cycle, in other words, a principle of COBIT 5 itself. The activities found in this way can be considered to-be activities that promote and improve business case processes.
- Extract recommendations for establishing a governance management cycle using COBIT 5, i.e., adopting COBIT 5.
Tracing I/O flows and networks in COBIT 5 Enabling Processes, as suggested in the Maes, De Haes and Van Grembergen article, provides a governance management cycle for enhancing business cases and their accommodation.
COBIT 5 is intended to establish and promote governance of enterprise IT (GEIT), which is the evolution of IT governance—mainly applied only to the IT division of an enterprise—for closer alignment between business and IT. As a result, the enterprisewide plan-do-check-act (PDCA) cycle has also evolved to the governance management cycle in COBIT 5. Therefore, true adoption of COBIT 5 inevitably requires the establishment of the cycle in which a governing body should monitor backgrounds or environments around enterprises, evaluate their strategies and direct improvement of critical management mechanisms, such as business case processes, under the concept of double-loop learning.
Watch for an expanded version of this article in the upcoming ISACA Journal, vol. 3, 2015, which will be available online on 4 May. Makoto Miyazaki’s full article, “Navigating I/O Flows/Networks to Enhance the Governance Management Cycle,” in the ISACA Journal will include a more in-depth exploration of tracing I/O flows/networks to find activities at the governance level for the promotion and improvement of business case processes.
Makoto Miyazaki, CISA, CPA, is the manager of the internal audit office of Toukei Computer Company. He was previously an IT auditor at The Bank of Tokyo-Mitsubishi UFJ.
1 ISACA, COBIT 5, USA, 2012, p. 13-33
2 Ibid., p. 24, 32-33
3 ISACA Tokyo Chapter, The Result of the Survey on Understanding the Use of COBIT in Japan, September 2014
5 The Japanese version of COBIT 5 was released in April 2012.
6 Maes, K.; S. De Haes; W. Van Grembergen; “The Business Case as an Operational Management Instrument—A Process View,” ISACA Journal, vol. 4, 2014
7 ISACA, Enterprise Value: Governance of IT Investments, The Business Case, USA, 2008
8 ISACA, The Business Case Guide: Using Val IT 2.0, USA, 2010
9 Op cit., Maes et al.
12 Argyris, C.; D. Schon; Organizational Learning: A Theory of Action Perspective, Addison-Wesley, 1978
13 Op cit., Maes et al.