
Tips for Making COBIT 5 Implementation Fit the Enterprise

By Rohit Banerjee, CRISC, CGEIT, COBIT 5 Implementation, CSX Foundation, ISO/IEC 27001 Lead Auditor, ISO/IEC 38500 Lead IT Corporate Governance Manager, ISO 21500 Lead Project Manager, ISO 9001 Lead Auditor and Lead Implementer, ITIL V3 2011 Foundation, MSP Practitioner, PRINCE2, PMP, Six Sigma Black Belt

COBIT Focus | 25 June 2018

Implementing COBIT 5 in an organization is an ambitious aspiration and a noteworthy endeavor. It demonstrates the maturity, willingness and commitment to improve. However, practical implementation challenges are often daunting and numerous. While the COBIT 5 framework and the COBIT 5 Implementation guide, along with several other references, do provide a very solid foundation on which to build, it often helps to take lessons from “tales from the trenches” directly from COBIT 5 trainers and implementation specialists.

Here are some quick tips from a trainer to steer those who are planning to initiate and implement COBIT 5 in their organizations in the right direction.

Leverage the Enterprise Context to Create an Appropriate Environment for Change Enablement

Some common attributes or comparable parameters may exist in every type of organization, but each organization has its own unique enterprise context, its own unique set of stakeholders and their expectations for value creation, its own unique business regimen and organizational culture, and its own unique history and future aspirations.

One of the most critical steps is to identify and use this unique enterprise context to understand the various internal and external drivers and how they may impact the organization and its stakeholders. These could be related to emergent technological, evolutionary or environmental factors that may influence the stakeholders’ needs and should be mapped to create an appropriate environment for change enablement.

Identify the Pain Areas or Trigger Events to Relate With the Enterprise Context

Every organization has its own sore points, whether it acknowledges them or not. By virtue of simply existing in a constantly changing environment, an organization is also subjected to business environmental factors that may impact or influence the decisions of the stakeholders or the business owners.

Identifying and understanding the known problematic areas and opportunities for improvement, or even potential emerging threats or major board-level decisions of an organization in its unique context, can help establish the desire to change and ensure the justification of the change is relevant to the stakeholders.

Use the Goals Cascade to Align the Business Strategies to the IT Strategies

A challenge for any organization is to align its business objectives with IT objectives and operations. Frequent and chronic misalignment between these 2 usually shows up as pain points within the organization. Furthermore, such misalignments breed negative perceptions about IT not being able to create value or inspire trust for the business owners.

COBIT 5 recommends using the balanced scorecard (BSC) and directly linking the 17 most common enterprise goals to the 17 most common IT-related goals, cascading through the hierarchy of governance to management and, finally, to operations. Hence, the goals cascade is one of the most useful mechanisms to directly address alignment issues.

Assess the Current State of Processes to Help Prioritize IT Initiatives

Defining and measuring the organizational processes as they mature and improve over a period of time are necessary and important activities. They help the organization define the starting point as a reference for critical processes, and then specify the target state as a baseline where these processes need to be with the sufficient capabilities to support the business outcomes of the organization.

With the help of the goals cascade, specific IT processes can be selected and prioritized based on their criticality to the business. Recording the as-is state of current capabilities and identifying existing deficiencies help justify the business case for the desired state of capabilities of existing and future IT initiatives.

Create the Business Case to Secure Top Management Commitment

Business cases justify the investments for IT initiatives in a language that business owners and key business decision makers understand. Since the business case tracks the IT investment across its full economic life cycle, it gives the decision makers more accountability and visibility and, in turn, helps get their direction and insights at each strategic milestone.

A business case for COBIT 5 implementation definitely helps secure the continued commitment from top management and also helps secure the required resources for the selected IT initiatives. It also ensures the engagement of the right stakeholders and clear articulation, communication and tracking of the expected business benefits from the IT initiatives over the entire economic life cycle of the IT investment.

Initiate the Implementation Program to Kick Off the IT Projects

Based on the approved business case, a well-defined program can be chartered for starting off the constituent IT projects. An organization’s resources can then be focused on the development of feasible and practical IT solutions to specifically address the gaps in the previously defined target state of the selected processes and IT capabilities.

A well-developed and justifiable business case for COBIT 5 helps to make sure that all the selected IT projects have continuing support from top management from the beginning, and the expected business benefits are continuously monitored. Furthermore, the alignment of outputs from IT projects to business objectives helps muster support from the affected business and IT process owners.

Monitor Performance Metrics to Sustain Continual Improvement Initiatives

Any enterprisewide initiative can never be just a one-off endeavor. To ensure value creation is sustained, a continual approach for organizational commitment toward improvement and maturity is crucial. Key performance indicators (KPIs) need to be identified, defined and monitored. Effective preventive and corrective interventions must be applied at appropriate stages.

By identifying quick wins and monitoring enterprise goals, IT-related goals, enabler goals and process goals at regular intervals, initial success can be easily communicated with stakeholders. Improved capabilities and maturity can be easily transitioned into normal day-to-day practices and operations, thereby ensuring continued engagement and support from the business.

These tips are listed in chronological order, but they can be adapted as appropriate to the enterprise context and the maturity of the organization. The most important aspect of implementing COBIT 5 is to adapt and tailor it to the organization's context (figure 1). While it may seem to be a long journey, it definitely demonstrates the benefits at the appropriate stages to the relevant stakeholders. The key is to select the most critical and relevant few processes to begin with and then steadily mature other supporting processes in the long run. It is a marathon, not a sprint.

Figure 1—Fitting COBIT 5 to the Enterprise and the Business Environment

Rohit Banerjee, CRISC, CGEIT, COBIT 5 Implementation, CSX Foundation, ISO/IEC 27001 Lead Auditor, ISO/IEC 38500 Lead IT Corporate Governance Manager, ISO 21500 Lead Project Manager, ISO 9001 Lead Auditor and Lead Implementer, ITIL v3 2011 Foundation, MSP Practitioner, PRINCE2, PMP, Six Sigma Black Belt

Is an enterprise IT governance, risk management, and compliance trainer; consultant; auditor/assessor; and an emerging thought leader and speaker at international technology and management forums and conferences. He is currently the principal consultant for MAGE IT Training and Consulting Private Limited. Previously, Banerjee was IT governance and IT project management office consultant at the Ministry of Manpower, Sultanate of Oman. He has also served as director of the ISACA Muscat (Oman) Chapter for the Certified in the Governance of Enterprise IT (CGEIT)/Certified in Risk and Information Systems Control (CRISC) certifications, an ISACA International volunteer, and a volunteer for Project Management Institute International and Project Management Institute Oman. Banerjee has authored technical research papers and articles and has been published in international journals and magazines. He is currently the only official APMG Accredited COBIT 5 independent trainer for Oman and is one of the very few independent trainers in the Middle East and African regions. He can be reached at Rohit@mageit.in.