Since time immemorial, the progress of civilization has been built on the edifice of accumulated knowledge being documented, carried forward and continuously improved upon over generations. The application of knowledge contributing to human progress can be observed in nearly every area of life, for example:
- The mode of commercial transactions involving products and services has evolved from primarily physical to largely digital.
- Many physical products and services have become digitized, and new digital delivery and service models have evolved in recent years.
- The primary vehicle of commerce has shifted from small and medium-sized enterprises to large conglomerates with large workforces serving billions of customers.
- The mass availability of affordable and fast Internet services has enhanced instant communication across the globe, effectively shrinking physical distances and making geographical boundaries irrelevant.
Knowledge embedded in knowledge management systems and deployed through employees as knowledge workers has empowered enterprises to rapidly evolve from physical to digital and small to large. A critical enabler of successful enterprises is the effective use of relevant governance and risk management best practices. The larger the enterprise operating in a highly digital mode, the greater the need for structured risk management and governance. The structures, principles, approaches and best practices provided by frameworks, standards and models (FSMs) are key components of an enterprise’s ability to manage risk in the digital era. The rapid pace of digital transformation and expansion has been greatly facilitated by the effective deployment of knowledge repositories of relevant FSMs.
Seven Key Features of COBIT
One popular framework is COBIT, which can be used to effectively implement enterprise governance and management processes across sectors, industries, business models and technologies.
There are seven key features of COBIT:
- Generic in structure, as it is built on the governance framework principles of being based on a conceptual model, being open and flexible, and being aligned to major standards
- Inbuilt business/IT alignment enabled through a goals cascade and mapping tables
- Primary focus on benefit realization, risk optimization and resource optimization
- Useful for internal stakeholders (e.g., executive management, business managers, IT managers, assurance providers, risk management) and external stakeholders (e.g., regulators, business partners, IT vendors)
- Designed with governance system principles including:
  - Provide Stakeholder Value
  - Holistic Approach
  - Dynamic Governance System
  - Governance Distinct From Management
  - Tailored to Enterprise Needs
  - End-to-End Governance System
- Knowledge repository which includes guidance for the seven components of a governance system: Processes; Organizational Structures; Principles, Policies, Procedures; Information; Culture, Ethics and Behavior; People, Skills and Competencies; and Services, Infrastructure and Applications
- The core model of the COBIT 2019 Framework: Governance and Management Objectives has specific domains of guidance on Governance & Management with objectives, description, purpose, enterprise goal metrics and alignment goal metrics.
Seven Key Lessons in COBIT Implementation from the Trenches
COBIT has evolved from a collection of controls and control objectives with audit/management guidelines to a framework for enterprise governance of information and technology. It has evolved in accordance with best practices, business practices and digital transformation. COBIT has become an effective enabler that harnesses and leverages the power of technology to meet enterprise goals. Hence, COBIT has continued to maintain its relevance even after nearly three decades.
There are seven key lessons I have learned from my experience with COBIT implementation:
- COBIT facilitates a holistic approach to governance. It is important to consider all aspects of IT including people, processes, technologies and information. This encourages organizations to view IT governance as an integral part of overall enterprise governance. This means aligning IT goals and strategies with the organization’s objectives and ensuring that IT resources are used efficiently and effectively to support business goals. When preparing a project plan for COBIT implementation, include regulatory and management requirements as part of the business case.
- COBIT focuses on achieving business objectives aligned with IT. The central theme of COBIT is the alignment of IT with the overall business goals and strategy. It encourages enterprises to view IT as an essential part of the business and ensure that IT initiatives contribute to the achievement of business objectives. This also highlights the importance of understanding the needs and expectations of stakeholders and ensuring that IT investments and activities contribute to achieving business goals. When implementing COBIT, consider enterprise goals, align them with related IT goals, link them to specific processes, and extract content as required to prepare to achieve the applicable COBIT benchmark.
- COBIT involves adopting a life cycle approach to the governance of enterprise IT and management. COBIT divides IT-related activities into different domains including governance, design, build, deliver and monitor. The COBIT life cycle approach enables enterprises to manage IT processes from inception to retirement, ensuring that they are well-controlled and provide value throughout their life cycle. COBIT can be implemented not only at a macro level, but also at a micro level as needed. Users can take or leave COBIT concepts as needed. The best way to derive value from COBIT is to identify specific areas where there are pain points and implement COBIT best practices by benchmarking with existing practices to identify gaps and areas of improvement. Consider missing links that exist in processes and update relevant policies, procedures and practices as needed.
- COBIT is a rich knowledge repository of best practices. COBIT serves as a comprehensive knowledge base containing best practices for governance, risk, assurance, security, cybersecurity, controls, digital trust and more. It is designed to empower enterprises and professionals to be better prepared for the future, and to meet existing and emerging challenges of the digital age by enabling digital trust. COBIT should be treated as codified common sense that is presented in a structured, systematic way. Know the breadth and depth of coverage and use related frameworks and domain expertise to expand the repository as needed.
- For effective deployment, COBIT requires professionals to possess strong skill sets. Because COBIT is a high-level framework applicable across many industries, it requires professionals with the domain expertise, competencies and skill sets to customize it per their enterprise requirements and derive value from implementation. The key to successful implementation is to combine the strengths of the experts with COBIT knowledge with those who possess enterprise, domain and process expertise. Professionals with domain expertise can expand the macro-level, generic guidance of COBIT to be more detailed and specific as required.
- COBIT enables customization and flexibility. COBIT is a collection of best practices from various frameworks, standards and models, which is organized into domains, processes and activities representing the principles of COBIT. It has been designed as an umbrella framework with a valuable perspective on governance. The COBIT framework recognizes that every organization is unique and it provides the flexibility for organizations to tailor it to their specific needs and circumstances. This customization allows enterprises to adapt the framework to their size, industry and regulatory environment. The most critical aspect of effective COBIT implementation is to know how to navigate the vast repository and select relevant content. The extracted COBIT content, which is generic in nature, needs to be customized based on enterprise requirements, organization structure, business processes, technology deployed, and policies and procedures.
- COBIT has a system of performance measurement and improvement. COBIT implementation is ultimately about creating value for stakeholders, with a focus on using IT to achieve strategic goals and deliver value to customers. COBIT is designed with a set of Goals, Metrics and Capabilities at the enterprise, IT, process and activity levels. Use relevant performance indicators and metrics to assess the effectiveness and efficiency of IT processes and activities and to continuously monitor and improve IT governance and management practices. A crucial success factor for effective implementation of COBIT is to know the “why” before the “what.” It is imperative to set the right goals and metrics for key areas where COBIT is implemented to monitor its successful implementation and integration into regular processes.
Seven Tips for Implementing COBIT
The following seven tips are culled from more than 27 years of experience on a COBIT journey:
- Know why. Identify enterprise objectives and determine the desired outcome of COBIT implementation.
- Know where. Identify the specific business process, area, department or location where implementation is to be performed. Prepare the project plan including milestones and deliverables.
- Know what. Identify which COBIT content is to be used and what other framework(s) or standard(s) are to be integrated. Focus on the COBIT components (e.g., processes, etc.) that are most relevant to enterprise needs.
- Know who. Identify the stakeholders involved and their roles in implementation.
- Know when. Identify the specific timelines within which the implementation is done.
- Know how. Formulate and execute the strategy and methodology of implementation. Develop templates and customize the content from COBIT to meet enterprise needs. Implement the relevant processes and activities in a phased approach that includes identifying milestones and deliverables.
- Know views. Implement a performance management system and dashboards to monitor and evaluate the deliverables to ensure that results are achieved on an ongoing basis. The performance metrics and dashboards should provide both a satellite view and a street view (i.e., a macro and a micro perspective) at different levels of processes and activities.
COBIT: A Ready-Made Knowledge Repository
COBIT is the de facto framework for enterprise governance of information and technology. It is not only designed to be a collection of best practices from various frameworks, but it also has a structure that allows for the integration of content from related frameworks. COBIT serves as a ready-made knowledge repository covering the areas of governance, risk management, cybersecurity, controls and digital trust. Professionals can not only derive value from the COBIT knowledge repository, but also add value with their skills and expertise, using knowledge as a key differentiator. COBIT serves as the one-stop shop solution for both enterprises and professionals to effectively channelize deployment of technology to survive and thrive in the digital era. This empowers enterprises and professionals to be better prepared to meet dynamic challenges in the ever-changing and expanding digital age. Explore and expand your knowledge horizon with COBIT to supplement and complement your core skills and expertise.
Abdul Rafeq, CISA, FCA, is the managing director of Wincer Infotech Limited. He specializes in IT governance and analytics.