COBIT 101 – So Much More Than “Control Objectives for Information and Related Technologies”

COBIT might have started life as a tool for IT auditors, and the requirement for IT-related internal controls (hey, there’s no need to yawn), but it has since blossomed into a good-practice framework for both IT management and governance. Read on to find out how COBIT can help your organization and the IT service management (ITSM) practitioners that work within it.

Following on from my previous blog on IT4IT, this blog provides a “beginners guide” to COBIT (formerly also known as “Control Objectives for Information and Related Technologies,” which was dropped with version 5), a good-practice framework for IT management and governance created by the international professional association ISACA. In particular, I focus on information about COBIT’s seven enablers and how their use will help your organization.

So, What’s COBIT?

Bear with me for a moment, as this might sound a little bit formal… COBIT complements ITIL and other ITSM best practice methodologies by providing a practical framework on which to base governance as well as a maturity model to facilitate CSI.

But it gets better… In other words, COBIT helps organizations to ensure that:

• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately

Positioning COBIT

So where does COBIT fit in?

Hopefully you’ll agree that IT is now a critical enabler for any business and with this comes the need to deliver against governance, risk, and compliance (GRC) needs. Thus, one way of understanding what COBIT is, is to think of it as a kind of middleware – a method of exchanging information between different systems and layered services or, in our case, departments and business units. For instance, IT, governance, legal, quality assurance, business operations all have very different ways of working, so there’s the risk of key activities or details being missed or falling through the cracks. The use of COBIT means that these cracks are bridged using a common language that gets everyone on the same page.

COBIT was also created from the top down, meaning that it focuses on the primary business objective of providing value: realizing benefits, while optimizing risks and resources. And in doing so, it offers advice on seven designed to help organizations to create a holistic view of their service offerings rather than just looking at internal processes.

Enabler 1: Policies

Principles, policies, and frameworks are the way of conveying an organization’s management directives and instructions in a clear, consistent, and easy to understand format.

Policies set out the organization’s stall, a comprehensive list of dos and don’ts. And, to be effective, these should be aligned to organizational goals and comprehensive enough to cover the related processes or services from end to end.

Solid policies should also be flexible, because business goals will change over time and the policies should be agile enough to keep up. They should also be kept current, so build in a regular review cycle – on at least an annual basis – to ensure that policies are still fit for purpose.

Enabler 2: Processes

If policies are your high-level dos and don’ts, then processes are your ways of working – documented so that day-to-day roles and responsibilities are understood and communicated, for example in a RACI (responsible, accountable, consulted, informed) chart, like this one.

Effective processes should also have clearly-defined inputs and outputs, as well as clearly-defined boundaries and touch points into other processes to avoid duplication or rework.

Enabler 3: Organizational Structures

Every organization needs the right structure to be effective. Mature organizational structures have clear operating principles in place that set out the day-to-day ways of working.

Having the right structures in place means that everyone is on the same page regarding key tasks and deliverables. Not very exciting I know, but everyone – no matter their role – needs to know about tasks such as meeting frequencies or reporting requirements.

Organizational structures will also document spans of control and escalation procedures – providing guidelines on how many direct reports a role should have and how things should be escalated should the need arise.

The need for escalation is often seen as a negative, for example a customer complaint, but escalations can be made for all kinds of reasons such as requesting more resources or an additional level of support. COBIT uses organizational structure as a way of enabling organizations to map out the most effective strategies for escalations within their environment.

Enabler 4: Culture, Ethics, and Behavior

The right culture, ethics, and behaviors can drive high standards and performance. Making sure that these are right is key to working effectively, for example setting the bar for quality or the appetite for risk. For instance, any highly-regulated organization such as legal, financial, or pharmaceutical enterprises will operate to, and comply with, a very high level of legislation and so will have a very limited tolerance for risk. Whereas other types of organizations, like tech start-ups, may be able to tolerate higher levels of risk – so build these tolerances into your culture and ethics statements so that you can drive the right behaviors.

The expected “right” behaviors need to be communicated at multiple levels. But there’s no one-size-fits-all approach, so look at how this can incorporate into day-to-day life. Some possible channels are via induction training, employee handbooks, or annual recaps in the form of online training.

The right behaviors also need to be modelled, no one gets a free pass. Everyone in the organization from the newbie on their first day to the CEO needs to behave in the right way – so it’s imperative that everyone from the top down “walks the walk.”

Enabler 5: Information

You’ve probably heard the saying “knowledge is power,” and COBIT sets out how to manage information (and knowledge) effectively within an organization. Information is very often the output of a process or service so there needs to be a way of formalizing the way it’s managed such that it’s contextual, representational, secure, and accessible when needed.

Having an effective way to manage information means that perspectives and experiences can be shared and stored in a way such that it can be called on as and when appropriate. Having a clear strategy around information means that it can be a key enabler – ensuring that the right data is available to the right person at the right time to enable management and staff to make more informed decisions. It also reduces the need for re-work. If everything is managed and stored centrally, there’s no need for duplication of work to redo or re-discover knowledge.

Enabler 6: Services, Infrastructure, and Applications

These are the physical and virtual “nuts and bolts” that deliver your organization’s products and services.

COBIT uses the following areas to help organizations map out an appropriate support model for their IT estates:

• Architecture: What does the architecture look like and are we making the most efficient use of our resources?
• Reuse: Can we save financially by reusing retired servers or re harvesting/redeploying software licenses?
• Buy vs. build: Should we buy off-the-shelf or do we have the expertise to build what we need in-house?
• Simplicity: The more we customize, the more complex the solution and the more difficult the service is to support. How can we best balance the need for complexity against the need for stability?
• Agility: Being able to remain responsive to business needs and direction.
• Openness: The ability to conduct all work in a transparent environment.

The sixth enabler also ensures that the needs of business stakeholders are delivered via the appropriate supporting infrastructure.

Finally, having an effective IT infrastructure isn’t just about hardware or software; COBIT also covers transition planning, how changes are managed, how support needs are defined, and how to remain responsive to changing business needs.

Enabler 7: People, Skills, and Competencies

I’ve said it before and I’ll say it again – IT is all about people. The reality is, you can have the best processes and the newest technology in place, but without people nothing will work.

Qualifications, experience, knowledge, and behavioral skills are required to provide and perform processes and to carry out organizational roles effectively. Your people are everything, so make sure you map skills to roles so you have the best fit in terms of the right people being in the right places. If you’re unsure how to do this, industry frameworks such as SFIA (Skills Framework for the Information Age) will provide your organization with real life, practical help.

Why Does My Organization Need COBIT?

It’s the killer question. After all, there’s no point adopting COBIT just because it seems a good thing to do.

Your organization can use COBIT to support a variety of needs, including:

• Keeping IT running
• Value optimization – increasing business value and reducing business risk
• Cost management
• Mastering complexity
• Better aligning IT with the business
• Meeting regulatory compliance
• Increasing the maturity of other standards and best practices
• The need for benchmarking.

COBIT already maps directly onto ITIL, so they share similar language and ways of working. One way to look at their relationship is that COBIT tells you what you should be doing, while ITIL tells you how you should be doing it.

The reality is that, when your IT department hits a certain size or level of complexity, it will need a way to keep its house in order. COBIT can help it to identify any gaps in operations and controls, as well as any improvement opportunities.

Are you already using COBIT or starting to use it? If so, what have you achieved so far? I’d love to hear how COBIT is helping. Please let me know in the comments!