CHAPTER 4: OVERVIEW OF COBIT 5 – GOVERNANCE OF ENTERPRISE IT

‘If I have seen further it is by standing on the shoulders of giants.’

Isaac Newton
(1643-1727)

This chapter explains the basic concepts that make up COBIT 5.

Why COBIT 5 was developed

Within a year of COBIT 4.1 being published in May 2007, the international Standard ISO/IEC 38500:2008 Corporate Governance of IT was published. It was at this point that some ISO/IEC 38500 insiders started to say in public that the COBIT 4.1 framework, which incorporated powerful IT governance approaches such as business goals driving IT goals driving IT processes, was really only IT management rather than IT governance. This concern was addressed in February 2009 by an article by Gary Hardy, one of the founders of COBIT. His article, ITGI Enables ISO/IEC 38500:2008 Adoption [59], demonstrated how ITGI’s family of products, in particular COBIT and Val IT™, supported IT governance according to ISO/IEC 38500. Hardy’s article showed how ISACA’s frameworks of COBIT 4.1, Val IT™ and related guidance support the six principles (responsibility, strategy, acquisition, performance, conformance and human behaviour) and the three main tasks (evaluate, direct and monitor) of the ISO/IEC 38500 Standard. The debate died down, but clearly, once an international Standard for the corporate governance of IT was in place, COBIT would need to take it on board at its next major upgrade. Now that COBIT 5 has been published, ISACA acknowledges that COBIT 4.1’s domains have evolved into the management domains of COBIT 5 [60] and that a new governance domain has been created too.

Fascinating as that challenge to COBIT 4.1 may have been, it was not the only reason for upgrading the COBIT framework. A major factor, recognised by all committees responsible for international standards and frameworks, is that about every five years they need to review their standard or framework to take into account developments in the world and, by ‘standing on the shoulders of giants’ [61], advance by using new or changed concepts developed by others.

What COBIT 5 addresses

ISACA decided its next generation of guidance covered by COBIT 5 should cover the governance and management of enterprise IT (GEIT) and should address the following:

• Integrate into COBIT 5 all ISACA’s frameworks and guidance, principally COBIT®4.1, Val IT V2.0 and Risk IT™ but also the Business Model for Information Security (BMIS™), the IT Assurance Framework (ITAF™), the Board Briefing on IT Governance (2nd Edition) publication and the Taking Governance Forward (TGF) research.

• Take on board other major frameworks and standards such as those discussed in Chapter 2.

• Take into account the pervasive nature of IT in businesses today, and the increasing dependency of businesses on other businesses and on IT organisations, including outsourcing, reliance on suppliers, other service providers and consultants.

• Put in place an information model to deal with the significant increase in information [62] and the need not only to manage information but also to select appropriate information to make effective business decisions.

• Recognise that increased guidance is required to cover innovation that is increasingly based on emerging technologies and is vital for businesses to remain efficient and effective as well as extend their customer base.

• Cover not just IT processes but also ensure end-to-end business and IT functional responsibilities are addressed by the provision of governance and management of enterprise IT using organisational structures, policies and culture.

• Ensure the delivery of enterprise IT is fully engaged with the business so that core business expectations are achieved:

• Value creation

• Business user satisfaction

• Regulatory and contractual compliance

• Recognise that controls are needed to effectively handle the growth in user-initiated and user-controlled IT solutions – such as Bring Your Own Device (BYOD).

Key Ideas of COBIT 5

COBIT 5 is based simply on two concepts:

• Five principles

• Seven enablers (see Chapter 5)

The Five Principles

The five principles explain exactly what COBIT 5 has been designed to achieve:

1. Meeting stakeholder needs

2. Covering the enterprise end-to-end

3. Applying a single integrated framework

4. Enabling a holistic approach

5. Separating governance from management

Principle 1: Meeting stakeholder needs

Stakeholders are both internal and external. Internal stakeholders are roles given to members of the enterprise and range across the levels of the enterprise and include the board; CEO; CFO; business executives and managers; risk, security and audit managers; IT managers; and users. External stakeholders are not members of the enterprise and roles include, but are not limited to, shareholders, business partners, suppliers, regulatory officials, external auditors and customers.

Enterprises are expected to create value for their stakeholders and that is the reason why the key governance objective of an enterprise is value creation. Value creation is perceived as realising benefits at optimal resource costs while optimising [63] risks (Figure 4.1).

The cogs of optimising resources and optimising risks together assist benefits realisation. It is the stakeholder needs that determine what the value should be and different stakeholders have different needs. Therefore, the governance system should take into account all stakeholder needs when making decisions.

Figure 4.1: Value Creation

Stakeholder needs are driven by many factors, both internal and external. External factors are what is changing in the world: politics, economies, social factors, technology, laws and the environment [64], together with what shareholders, citizens or customers want and what competitors are doing. Internal factors include the nature of the organisation in terms of its culture, its strategy, its mission and vision statements, and its risk appetite. Governance, therefore, needs to understand stakeholder needs in order to make sound decisions on benefits, risks and resources, and so to customise governance to the enterprise. COBIT 5 has evaluated how stakeholder needs map to enterprise goals, IT-related goals and enabler goals. This is the COBIT 5 Goals Cascade that is covered later in this chapter.

Principle 2: Covering the enterprise end-to-end

In the past decade, it has been universally recognised that IT is a fundamental part of running an enterprise and realising benefits. It has always been recognised that the board and executive management are responsible for finance and human resource governance and now enterprise governance of IT too – as ISO/IEC 38500 (Corporate Governance of IT) made absolutely clear.

Figure 4.2a shows how the Board conducts governance of finance. The Board is responsible for governance of finance and therefore evaluates internal and external drivers and current performance and makes decisions on strategy, return on investment (ROI), solvency and value. The Board directs by allocation of responsibility and targets to management teams in the enterprise. The chief finance officer (CFO) is the person responsible for controlling finance and provides policy and objectives on finance to management teams in the enterprise. Management teams in the enterprise are responsible for providing performance in financial terms and they have an enabler in that the finance department of the enterprise assists them with understanding and managing costs, budgets, profits and ROI.

Reporting from management to the CFO is in detail but the CFO’s reporting to the Board is of a summary nature. The Board monitors financial results in the CFO’s reports and evaluates and directs management based on the monitoring.

Figure 4.2b takes a similar approach to demonstrate how the Board conducts governance of IT. As with governance of finance, the Board determines strategy, ROI, value and solvency and the Board directs by allocation of responsibility and targets to management teams in the enterprise. The chief information officer (CIO) is responsible for controlling IT and provides policies and objectives on IT to management teams in the enterprise. Management teams in the enterprise are responsible for the delivery of performance by their business unit, and IT is essential for that delivery. They request new IT services to be provided and they use existing IT services, and the enabler is the IT department. Reports from management teams in the enterprise to the CIO are reports on IT services and their impact on business performance (operational records), which come directly from IT departments as well as from management teams. The CIO then provides operational reports to the Board that indicate operational business performance and the outcome benefits of investments (i.e. from IT projects). The Board monitors these reports and evaluates and directs the management teams as necessary.

Figure 4.2a: Board Governance of Finance

Figure 4.2b: Board Governance of IT

COBIT 5 addresses governance and management of IT from such an end-to-end perspective. Enterprise governance of IT is integrated into enterprise governance as just discussed. In addition, COBIT 5 addresses all the relevant internal and external IT services in addition to internal and external business processes. COBIT 5 states that ‘it provides a holistic and systemic view on governance and management of enterprise IT based on a number of enablers.’ As will become clear later in this chapter, when the seven categories of COBIT 5 enablers are discussed, these seven COBIT 5 enablers cover in detail the requirements that ensure the enabler in Figure 4.2b, the IT department, is using good practices and meets its goals.

The end-to-end governance approach of COBIT 5 in Figure 4.3 has these key components:

Figure 4.3: Governance and Management Approach of COBIT 5
(This figure is derived from Figure 8, p.23 of COBIT 5: A business framework
for the governance and management of enterprise IT).

• Governance Objective: Value Creation consisting of benefits realisation, risk optimisation and resource optimisation (see Principle 1).

• Governance Enablers, which are the seven Enablers (see Principle 4) that enable an enterprise to create value.

• Governance Scope, which means the part of the enterprise to which governance is applied. This can be the entire enterprise or part of it, referred to by COBIT 5 as ‘an entity, a tangible or intangible asset etc.’ In some enterprises, governance may be applied differently in different parts, for example, a major enterprise that is a group of companies which operate in very different business sectors.

Roles, Activities and Relationships (Figure 4.4 [65]) shows the four major roles and their interactions:

•  Owners and stakeholders

•  The governing body

•  Management

•  Operations and execution

This is conformant with the view of corporate governance of Barger (2004) that was discussed in Chapter 1.

Figure 4.4: Roles, Activities and Relationships in an Enterprise
(This figure is derived from Figure 9, p.24 of COBIT 5: A business framework for
the governance and management of enterprise IT).

Principle 3: Applying a single integrated framework

COBIT 5 has integrated the existing ISACA frameworks discussed earlier in this chapter and the wide range of other standards and frameworks that are relevant to the governance of enterprise IT that were discussed in Chapter 2. In that sense ISACA sees COBIT 5 as a single integrated framework that is a ‘consistent and integrated source of guidance in a non-technical, technology-agnostic common language’.

Principle 4: Enabling a holistic approach

The holistic approach to delivering governance and management of enterprise IT is to implement enablers (Figure 4.5). COBIT 5 recognises the need for seven categories of enablers:

1. Principles, policies and frameworks

2. Processes

3. Organisational structures

4. Culture, ethics and behaviour

5. Information

6. Services, infrastructure and applications

7. People, skills and competencies

Collectively, the final three enablers (5, 6 and 7) are enterprise resources.

Figure 4.5: The Seven Enablers of COBIT®5
(This figure is derived from Figure 12, p.27 of COBIT 5: A business framework
for the governance and management of enterprise IT).

It has long been recognised that processes alone will not successfully deliver governance and management of enterprise IT, and that other requirements are also needed. Other frameworks have recognised this too. For example, the ITIL framework (see Chapter 2), which is commonly seen as a framework of IT service management processes, recognises that the implementation of ITIL processes will not be successful without people with appropriate skills and competencies [66] and without suitable organisational structures, called functions: IT operations management, technical management and applications management. ITIL also recognises that, for ITIL implementation to be successful, cultural change is essential so that IT staff recognise that IT service management is a customer service provider.

COBIT 5 has a comprehensive set of enablers that need to be interconnected. Each enabler may be an input to assist other enablers, and the outputs of an enabler may assist other enablers. For example, in Figure 4.6, the COBIT 5 processes include the Manage Service Requests and Incidents (DSS02) process. Information needed for that process would be the user, their incident and the components affected. The process would be run by a Service Desk doing 1st-line management of the incident, with more technically skilled IT staff running 2nd-line and 3rd-line support (i.e. the organisational structure). The people in 1st, 2nd and 3rd-line roles need appropriate skills and competencies to conduct the DSS02 process. The information output from the process would include the steps that resolved the incident and the time taken to resolve it. That information would act as an input to the services, infrastructure and applications enabler, helping to confirm that service levels can be met. Detailed discussion of the seven COBIT 5 enablers is the content of Chapter 5.

Figure 4.6: Example of Links Between COBIT®5 Enablers

Principle 5: Separating governance from management

The COBIT 5 framework adheres to the principle of corporate governance that governance and management are separate (see Chapter 1), or put more specifically they are distinct but communicate.

COBIT 5 defines governance as:

‘Governance ensures that stakeholder needs, conditions and options are evaluated to determine:

• balanced, agreed-on enterprise objectives to be achieved;

• setting direction through prioritisation and decision making;

• and monitoring performance and compliance against agreed-on direction and objectives.’

Management is defined as:

‘Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.’

COBIT 5’s view is that governance is the responsibility of the board of directors with leadership from the chairperson. In reality, the board of directors is accountable (rather than responsible) for governance. Note that although the board of directors retains accountability for governance it is perfectly acceptable for them to appoint an IT Strategy Committee (sometimes called IT Steering Committee) [67] to be responsible for governance.

In a few countries in the world the board of directors has a different name. For example, in the Netherlands, the Management Board consists of managing directors. Its members can be compared to the executive members of a board of directors in the UK or the US. However, it is possible, but not compulsory, for most enterprises to also have a Supervisory Board that oversees the Management Board (Loyens & Loeff, 2007) [68].

COBIT 5’s view is that management is the responsibility of executive management under the leadership of the CEO. Executive management (aka senior management) is immediately beneath the board of directors and is responsible for the day-to-day activities of the enterprise and is usually led by the CEO who is often also an internal member of the board of directors.

As we have seen, governance is about evaluation, direction and monitoring and this requires interaction with management that plans, builds, runs and monitors the enterprise activities (Figure 4.7). The processes that cover governance and management outlined in Figure 4.7 are described in the COBIT 5 Process Reference Model (PRM) – see Appendix B. The PRM provides 37 processes and separates these into governance and management areas.

Overall there are five domains:

Governance: the single domain Evaluate, Direct and Monitor (EDM) consisting of five processes.

Management: four domains

• Align, Plan and Organise (APO) consisting of 13 processes

• Build, Acquire and Implement (BAI) consisting of 10 processes

• Deliver, Service and Support (DSS) consisting of 6 processes

• Monitor, Evaluate and Assess (MEA) consisting of 3 processes

The PRM consists of what COBIT 5 sees as all the processes relating to IT activities that are normally found in an enterprise. The 37 processes are comprehensive, but there may still be other processes that an enterprise considers it requires to meet its stakeholder needs.

Enterprises will select COBIT 5 processes to use that are appropriate and it is quite likely that small enterprises will use fewer processes than large enterprises. What is important to recognise is that all enterprises will select their own set of processes that best assists them to deliver the governance of enterprise IT.

Figure 4.7: COBIT®5 Governance and Management Areas
(This figure is derived from Figure 15, p.32 of COBIT 5: A business framework for
the governance and management of enterprise IT).

COBIT 5 Goals Cascade

ISACA has used almost a decade of research, conducted by its IT Governance Institute (ITGI) arm studying enterprises of all sizes worldwide, to develop the concept of a goals cascade that allows assessment based on knowledge of enterprise goals being mapped to IT-related goals and then mapping IT-related goals to COBIT processes. This goals cascade assists enterprises to recognise key COBIT processes.

For COBIT 5, the goals cascade has been extended and now it can (if required) be used to start with stakeholder needs and map those to the enterprise goals before mapping enterprise goals to IT-related goals and IT-related goals to COBIT processes. I have used this cascade approach for identifying key processes with several major clients in different countries for COBIT 4.1 and COBIT 5 and I would definitely recommend using this in your enterprise.

The COBIT 5 Goals Cascade is shown in Figure 4.8. It shows that Stakeholder Drivers arise from PESTLE changes [69] coupled with competitors’ activities, and these affect the Stakeholder Needs, which are what need to be assessed. Assessment of Stakeholder Needs is best conducted by workshops with stakeholders to determine their needs. [70] It is not essential to start with Stakeholder Needs if you believe stakeholders have strong views on what the enterprise goals are; in that case the Goals Cascade can start with Enterprise Goals. The Enterprise Goals are shown in Table 4.9 and the IT-related Goals in Table 4.10. These are generic goals that have been devised from about a decade of research by ITGI.

Table 4.9: Enterprise Goals (Generic)

Perspective           No.  Enterprise Goal
Financial              1   Stakeholder value of business investments
                       2   Portfolio of competitive products and services
                       3   Managed business risk (safeguarding of assets)
                       4   Compliance with external laws and regulations
                       5   Financial transparency
Customer               6   Customer-oriented service culture
                       7   Business service continuity and availability
                       8   Agile responses to changing business environment
                       9   Information-based strategic decision making
                      10   Optimisation of service delivery costs
Internal              11   Optimisation of business process functionality
                      12   Optimisation of business process costs
                      13   Managed business change programmes
                      14   Operational and staff productivity
                      15   Compliance with internal policies
Learning and Growth   16   Skilled and motivated people
                      17   Product and business innovation culture

Table 4.10: IT-related Goals (Generic)

Perspective           No.  IT-related Goal
Financial              1   Alignment of IT and business strategy
                       2   IT compliance and support for business compliance with external laws and regulations
                       3   Commitment of executive management for making IT-related decisions
                       4   Managed IT-related business risk
                       5   Realised benefits from IT-enabled investments and service portfolio
                       6   Transparency of IT costs, benefits and risk
Customer               7   Delivery of IT services in line with business requirements
                       8   Adequate use of applications, information and technology solutions
Internal               9   IT agility
                      10   Security of information, processing infrastructure and applications
                      11   Optimisation of IT assets, resources and capabilities
                      12   Enablement and support of business processes by integrating applications and technology into business processes
                      13   Delivery of programmes delivering benefits on time, on budget and meeting requirements and quality standards
                      14   Availability of reliable and useful information for decision making
                      15   IT compliance with internal policies
Learning and Growth   16   Competent and motivated business and IT personnel
                      17   Knowledge, expertise and initiatives for business innovation

COBIT 5 has provided mapping tables that are shown in Appendix C:

• Stakeholder Needs mapped to Enterprise Goals: Table C.1

• Enterprise Goals mapped to IT-related Goals: Table C.2

• IT-related Goals mapped to COBIT 5 Enablers (which in Q3 2013 are still solely processes) [71]: Table C.3

It is also vital to recognise that finding the desired COBIT 5 processes to use is not all that is needed; other Enablers (discussed earlier in this chapter and in detail in Chapter 5) also need to be in place.

Figure 4.8: COBIT®5 Goals Cascade

To use the mapping tables effectively, set them up in a spreadsheet. Give weightings to Stakeholder Needs if those are the start of the Goals Cascade, or to Enterprise Goals if you plan to start there. The spreadsheet should also allow different values to be assigned to the Primary (P) and Secondary (S) mappings shown in Table C.2 and Table C.3, so that your view of the relative importance of P and S is reflected in the result. If you believe some of the mappings do not fit your enterprise, the experts in the team that devised the Goals Cascade advise adjusting the mappings accordingly. Finally, the Goals Cascade does not produce a definitive answer in the way a mechanical device or a program would: it is enterprise-related, and the COBIT processes that emerge from it as important should still be compared and aligned with other approaches, such as selecting COBIT processes that help meet the enterprise’s risk requirements or building on processes already in place. This is discussed further in Chapter 8.
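The spreadsheet described above is, in effect, two weighted matrix multiplications: enterprise goal weights are pushed through the Enterprise Goal to IT-related Goal mapping, and the resulting IT-related goal scores are pushed through the IT-related Goal to process mapping, with P and S each given a numeric value. The following is an added worked example of that calculation, not code from the book or from ISACA. The mapping fragments in it are constructed for illustration only and are not the real Tables C.2 and C.3 (the process identifiers are real COBIT 5 process codes, but which goal maps to which process here is invented); the P = 1.0 and S = 0.5 values are assumptions to be replaced with your own, and the weight scale of 0 to 3 is likewise an assumption.

```python
"""Weighted COBIT 5 goals cascade (added example, not from the book).

The two mapping dictionaries are CONSTRUCTED fragments used only to show
the arithmetic; transcribe the real Tables C.2 and C.3 in their place.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed numeric value of a Primary (P) and Secondary (S) mapping.
MAPPING_SCORE: Dict[str, float] = {"P": 1.0, "S": 0.5}

# Constructed fragment of Table C.2: enterprise goal number (Table 4.9)
# -> {IT-related goal number (Table 4.10): "P" | "S"}.  NOT the real table.
EG_TO_ITG: Dict[int, Dict[int, str]] = {
    3:  {4: "P", 10: "P", 6: "S"},            # Managed business risk
    4:  {2: "P", 10: "P", 15: "S"},           # Compliance with external laws
    7:  {4: "P", 7: "P", 10: "S", 14: "P"},   # Business service continuity
    10: {6: "P", 11: "P", 7: "S"},            # Optimisation of service delivery costs
}

# Constructed fragment of Table C.3: IT-related goal number
# -> {COBIT 5 process code: "P" | "S"}.  NOT the real table.
ITG_TO_PROCESS: Dict[int, Dict[str, str]] = {
    2:  {"MEA03": "P", "APO01": "S"},
    4:  {"EDM03": "P", "APO12": "P", "DSS05": "S"},
    6:  {"EDM02": "P", "APO06": "P"},
    7:  {"APO09": "P", "DSS02": "S"},
    10: {"APO13": "P", "DSS05": "P", "BAI06": "S"},
    11: {"APO04": "S", "BAI09": "P"},
    14: {"APO09": "S", "DSS04": "P"},
    15: {"MEA02": "P", "APO01": "P"},
}


def cascade(weights: Dict, mapping: Dict, scores: Dict[str, float] = MAPPING_SCORE) -> Dict:
    """One step of the cascade: each weighted source goal contributes
    weight * score(P or S) to every target it maps to.  Returns
    {target: accumulated score}."""
    out: Dict = defaultdict(float)
    for source, weight in weights.items():
        for target, strength in mapping.get(source, {}).items():
            out[target] += weight * scores[strength]
    return dict(out)


def rank_processes(
    enterprise_goal_weights: Dict[int, float],
    eg_to_itg: Dict[int, Dict[int, str]] = EG_TO_ITG,
    itg_to_process: Dict[int, Dict[str, str]] = ITG_TO_PROCESS,
    scores: Dict[str, float] = MAPPING_SCORE,
) -> List[Tuple[str, float]]:
    """Run the two-step cascade Enterprise Goals -> IT-related Goals ->
    processes and return processes sorted by descending score (ties broken
    by process code).  Rejects weights that cannot be a Table 4.9 goal,
    since a silently ignored typo would drop a goal from the result."""
    for goal, weight in enterprise_goal_weights.items():
        if goal not in range(1, 18):
            raise ValueError(f"enterprise goal {goal} is not in Table 4.9 (1-17)")
        if not 0 <= weight <= 3:  # assumed 0-3 weighting scale
            raise ValueError(f"weight {weight} for goal {goal} outside 0-3")
    itg_scores = cascade(enterprise_goal_weights, eg_to_itg, scores)
    process_scores = cascade(itg_scores, itg_to_process, scores)
    return sorted(process_scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed workshop outcome: weight 3 = critical, 1 = nice to have.
    weights = {3: 3, 4: 2, 7: 3, 10: 1}
    for code, score in rank_processes(weights):
        print(f"{code}  {score:5.2f}")
    # Same weights, but counting only Primary mappings (S = 0):
    print("primary only:", rank_processes(weights, scores={"P": 1.0, "S": 0.0})[:3])
```

Running the two variants side by side shows why the P/S values must be chosen deliberately: with S = 0.5 the top process is DSS05 (it is Secondary to goal 4 and Primary to goal 10), but with S = 0 it drops behind APO12 and EDM03, so the choice of S value alone can change which processes a programme picks up first.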

_______________

59 Hardy, G (2009), ITGI Enables ISO/IEC 38500:2008 Adoption, Rolling Meadows, Illinois, ISACA®

60 ISACA® (2012), COBIT®5: Enabling Processes, Rolling Meadows, Illinois, ISACA®, p. 24.

61 A historical saying but most famously used by physicist Sir Isaac Newton in his letter to physicist Robert Hooke, in 1676.

62 Fashionably known as ‘Big Data’.

63 The term optimising risks is not liked by everyone since in many dictionaries risks are defined as negatives such as hazards or losses and so people feel minimising risks is a more conventional term. However, ISO/IEC 31000 (Risk management) defines risk as ‘effect of uncertainty on objectives’ and therefore covers both positives such as increased revenue or improved management, as well as negatives such as security breaches or loss of key staff. Therefore optimising risks is the term to use.

64 Commonly called PESTLE, the first letters of the words.

65 This diagram is very similar to Barger’s diagram (Figure 1.1 in Chapter 1) but has been rotated anticlockwise by 90° by ISACA®, plus work by Operations and Execution has been added that supports the Management.

66 Rudd, C. (2010), ITIL V3: Planning to Implement Service Management, London, The Stationery Office.

67 According to van Grembergen (2009), an IT Strategy Committee is at Board of Directors’ level whereas an IT Steering Committee is at executive management level. However, few organisations have both committees.

68 www.loyensloeff.com/en-US/AboutUs/CountryDesks/Documents/legal_aspects_of_doing_business_in_the_netherlands.pdf

69 Political, economic, social, technological, legal and environmental.

70 Workshops can often be more effectively conducted if you and your business and IT colleagues build a ‘straw man’, which is your view on Stakeholder Needs and then use that as the basis for getting workshops of stakeholders to work from that ‘straw man’ towards what they believe are their stakeholder needs.

71 In Q4 2013 COBIT®5: Enabling Information from ISACA® is planned for publication and that is also expected to have a goals cascade with the Enabler Goal being Information.
