At the 2016 COBIT Conference in New Orleans, many of the presenters talked about the need to adopt and adapt the COBIT framework. This tailoring concept appears as a principle in many modern frameworks (e.g., PRINCE2). With frameworks, one size does not fit all. No doubt these 2 action verbs—adopt and adapt—are necessary to implement a COBIT 5-based framework successfully; however, I think we need to add 3 additional verbs: alert, align and assure. For success, your organization must take action on the Five A’s of the governance of enterprise information technology (GEIT).
The first action is to alert. The COBIT 5 Implementation guide calls this a “call to action,” because you must make everyone aware of the need to do something. If you are not prepared or ready to act, you will do nothing.
Alerting also calls for disruption; maintaining the status quo is not a survival strategy. I often hear other consultants talk about how they are helping their clients move from a level 1 process to a level 3 process. Well, unless the client originally designed the process as a level 5 process, this transition might prove difficult—so difficult it is often easier to blow it up. If you designed your process as a level 5 process,[1] then, yes, it is possible to undertake Just Do It and Kaizen events to work on improvements. Otherwise, you need to do something more significant, such as a Kaikaku event.[2]
The second action is to adopt: your organization must boldly embrace GEIT. Far too often, I run across organizations that tell me they are aligned to or compliant with COBIT, ITIL, ISO 27001 or what-have-you. Yet these organizations are what I call “CINO,” or COBIT-in-name-only. When it comes to COBIT, you often find organizations that talk the talk, but do not walk the walk. Adopt also means that you accept and actually implement the governance and management practices and produce the work products. You need to, as they say, walk the talk. You must show excitement about the path you have taken, because others will take their cue from you.
Adapt means you must adjust the framework to your organization. It must fit within your environment. Remember the Political, Economic, Social, Technological, Legal and Environmental (PESTLE) analysis when creating the right environment for successful implementation. Throw out the parts you do not need. There are no COBIT police to blow the whistle on you and put you in ISACA jail. Perhaps you only want to focus on value delivery; well, focus on that. It is a lofty endeavor by itself.
Additionally, adapt means to familiarize yourself and everyone else with your organization’s framework. Communication is key to successfully enabling change.
Next, you need to align: bring your environment into line with the components of the framework you need to implement. The COBIT Assessor Guide: Using COBIT 5 explains that one of the first tasks is to map COBIT processes to your own processes. You need not have a process called APO02 Manage Strategy, but you must manage your strategy. Call it what you may.
Likewise, aligning your processes with stakeholder needs and enterprise goals through the goals cascade is an efficient way to determine which enterprise enablers you will need later to deliver value to stakeholders.
Finally, you must assure that you have done what you declared you would do. You must pick key performance indicators (KPIs) that matter and fanatically track them. In The 4 Disciplines of Execution,[3] the authors offer advice on how to do this that smacks of a Scrum or Lean IT technique: hold a short meeting every day at which you announce what you will do to contribute to your KPIs; otherwise, you get caught up in the whirlwind of your job and forget about contributing to your goals. Manage your top 3 priorities daily if you want to succeed in your governance effort. These priorities define your value and contributions and, ultimately, your career.
So the next time someone gets up in front of you and talks about adopt and adapt, raise your hand and tell them they forgot alert, align and assure. Should you want to have a successful governance implementation, get going on the Five A’s.
Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 27005 Lead Risk Manager, ISO 28000 FC, ISO 31000 Lead Risk Manager, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, RESILIA FC, SSGB, is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.
[1] iSixSigma, Design for Six Sigma (DFSS) Versus DMAIC
[2] Kaikaku, Japanese for “radical change,” concerns itself with making fundamental and radical changes to a production system, unlike Kaizen, which focuses on incremental, minor changes.
[3] McChesney, C.; Covey, S.; Huling, J.; The 4 Disciplines of Execution, Free Press, USA, 2012