- Principles are the guiding thoughts established to underpin the implementation of good practices. COBIT implementers should not overlook the 5 principles of COBIT 5, which are pointers to the right way to implement COBIT 5. Adherence to the COBIT 5 core principles can help you avoid a misstep. The principles must govern the use of the business framework. The first principle, Meeting Stakeholder Needs, is the prime principle without which other principles become ineffectual.
- Endeavor to obtain clarity on the business needs that need addressing. COBIT 5 is about value creation, so the implementation must start with “why?”. COBIT 5 helps to balance benefit delivery with risk optimization and responsible use of resources. Therefore, it is important to gain stakeholders’ agreement on who is receiving the benefits of your intervention, who is bearing the risk of the initiatives, and who is providing and managing the program resources.
- Keep in mind that COBIT 5 is not an IT framework. The framework is not primarily about what IT does, but about what the business does with what IT does. This business framework must be used to solve business problems, not as an IT solution looking for a business problem. The focus should be on business results, not IT projects. The quote attributed to Peter Drucker serves as a warning: “There is nothing so useless as doing efficiently that which should not to be done at all.”1 What needs to be done are things that contribute to business value.
- Remember that COBIT 5 is more than a collection of processes. It is a collection of guiding enablers for the governance and management of IT-related business capabilities. The process reference model constitutes one of the 7 enablers to keep in mind. The other enablers must be performed to address stakeholders’ needs and goals while managing the life cycle and applying the good practices of each enabler.
- Remember that COBIT is not a framework to be used as a prescription. The good practices must be customized to suit the purpose of the enterprise. Tools and techniques have been developed as maps to tailor the use of COBIT to the needs of the organization. Examples include the mapping of pain points to processes, IT-related goals to processes, and stakeholders’ needs to enterprise goals and the goals cascade mechanism.
- As the popular saying goes, you can change without improving, but you cannot improve without changing. Do not forget to enable organizational change. COBIT 5 is designed to be implemented using a continuous improvement approach. Since every improvement introduces change, organizational change enablement must be managed in such a way as to realize the benefits of the changes. Kotter’s 8-Step Process for Leading Change are expounded on in chapter 5 of COBIT 5 Implementation.
- It has been said that it is better to do something imperfectly than do nothing flawlessly. Therefore, do not fall into the trap of trying to solve all the problems or address all the needs at once. Look for low-hanging fruit. Low-cost, low-complexity initiatives should be tackled as first steps in overcoming resistance to the changes being brought on board. Be guided by the need to gain and maintain credibility while prioritizing the implementation efforts.
These tips will save time, energy and resources in the implementation effort; help to avoid unnecessary mistakes; and enable practitioners to demonstrate the value of COBIT in the organization.
Opeyemi Onifade, CISA, CISM, CGEIT, BRMP, CISSP
Is founder of the digital strategy consultancy firm Afenoid Enterprise Limited. He leads the IT governance and cybersecurity consultancy and competence development practice of the firm out of Abuja, Nigeria, and is the first Certified COBIT Assessor in Africa.