COBIT: An A – Z Guide for 2019
COBIT is a framework designed to support the governance and management of enterprise IT. It helps organizations to deliver value to various groups of stakeholders by putting their needs first. It also assists organizations in achieving their goals by partnering IT with the rest of the business rather than treating it as a separate entity. Of course, there’s a lot more to it than this. So, I’ve written another one of my A – Z blog posts to provide some high-level insight into what COBIT is all about that goes beyond my previous COBIT 101 blog. Please also take a look at my latest COBIT 2019 blog (LINK) that highlights the key changes between 2012’s COBIT 5 and the new, improved version.
Analysis (of stakeholder needs)
Stakeholders are always the starting point for COBIT. This analysis of stakeholders includes finding out who they are, what they need, and what they want.
It’s important to then differentiate between their needs and wants – wants are often “nice to haves” that simply aren’t feasible, whereas needs are requirements that must be met in order to provide stakeholder value, which, as COBIT states, is why organizations exist.
Balanced scorecard (BSC)
The balanced scorecard system has been used in business for many years to help organizations track their operational activities, and ensure they’re working to meet the company’s vision, mission, and goals. COBIT brings the balanced scorecard system to the IT department to help keep IT goals aligned with the needs of the business.
The balanced scorecard itself involves four dimensions:
- Financial (is the organization working within its budget and achieving profit?)
- Customer (is the organization providing services/products the customer loves?)
- Internal (are all processes optimized to provide the organization’s services efficiently?)
- Learning and growth (is the organization continually improving?)
COBIT’s goals are split into the four dimensions of the balanced scorecard and detail whether the relationship of each goal is primary or secondary to COBIT’s governance objectives: benefits realization, risk optimization, and resource optimization (more on all of this later).
Customizable
COBIT, and even more so in COBIT 2019, is customizable – which means it can be used by any organization regardless of its size or industry.
COBIT 2019 introduces two new elements, focus areas and design factors, which together with components aid the alignment of the framework to your organization’s needs:
- Components (formerly called enablers in 2012’s COBIT 5, and more on these shortly under the letter E) – these can be either generic or “variants of generic”
- Focus areas – here the framework is tailored for a specific purpose or context such as information security, DevOps, small and medium enterprises, and risk
- Design factors – these make some governance and management objectives more important than others
You can read more on each of these in my previously mentioned blog (LINK).
Dollars
COBIT is all about keeping organizations compliant and reducing risks within IT, which can in turn help organizations to save money. For instance, being exposed to a particular risk could result in a very expensive, and unwanted, outcome for a business – both financially and reputationally.
It also helps to translate stakeholder needs into goals, and uses thorough methods (such as the balanced scorecard mentioned above) to ensure that operational activities stay on track (performance-wise) and remain aligned with the business’ vision. This too saves dollars in the long run because money is not wasted on activities or processes that add no value to the organization.
Enablers and components
In COBIT 2019 components – you might know them as enablers in COBIT 5 – exist to help an organization successfully govern and manage enterprise IT. The purpose of each component is defined by the organization’s alignment goals as part of a goals-cascade process. (I go into more detail on this under the letter T for: top-down approach).
In COBIT there are seven components:
- Processes
- Organizational structures
- Principles, policies, and procedures
- Information
- Culture, ethics, and behavior
- People, skills, and competencies
- Services, infrastructure, and applications
These seven components work together to ensure that IT remains in line with the vision of the organization.
Frameworks
An underlying principle for COBIT is that it integrates well with other industry frameworks and standards such as ISO, ITIL, and TOGAF.
Importantly, it doesn’t seek to be used in place of other frameworks. Instead, they should be used together to achieve the desired outcomes. COBIT also helps enterprises to fully utilize frameworks that might already be in place – think of it as an overarching framework.
Governance AND management
The primary purpose of COBIT is to provide guidance to organizations on the governance AND management of enterprise IT.
COBIT sees these disciplines as separate areas and therefore treats them as such. The governance aspect of COBIT helps organizations to remain compliant and reduce IT-related risk. Management is then required to plan, build, run, and monitor activities in line with the direction provided by governance to successfully complete the objectives of the organization.
Holistic approach
The framework enables a holistic approach to the governance and management of enterprise IT. The balanced scorecard (that I’ve already mentioned) helps to map the goals of IT to the goals of the organization, and shows how they relate to the governance objectives of COBIT.
By using this holistic approach, that’s to say merging IT with the business, relationships between the organization and IT can be vastly improved. And IT becomes part of the business instead of being treated as a separate entity.
Interaction and collaboration
Two of COBIT’s generic IT goals, and two of its generic enterprise goals, fall into the “learning and growth” dimension on the balanced scorecard.
To this end, COBIT aims to encourage interaction and collaboration between IT professionals and the business to create an educational environment for continual-improvement success.
COBIT encourages non-technical language such that the framework can appeal to the business as a whole rather than alienating those outside of IT. This helps to integrate IT within the business and assists with the holistic approach that COBIT aims to embed.
COBIT can thus be seen as bridging the gap between IT and the business.
Key concepts
COBIT is based on a number of key concepts, and anything related to COBIT stems from at least one of these:
- Principles – there are six principles, and these are described as “the core requirements for a governance system for enterprise information and technology”
- Governance and management objectives – these are grouped into five domains (please see the letter P for more on these)
- Goals cascade – a way to ensure that the goals of the enterprise and IT align with the needs of stakeholders (please see more on this under letter T)
- Components of a governance system – as discussed under the letter E: enablers and components
- Focus areas – these are almost unlimited, and this makes COBIT an open-ended model
- Design factors – these “influence in different ways the tailoring of the governance system of an enterprise.”
These key concepts are the foundation of COBIT 2019 and will drive the successful governance and management of IT in your organization.
Law and regulation
The world of law and regulation can be very confusing and tough to keep on top of. Just like in the world of IT, things can change pretty quickly.
COBIT can help organizations to remain compliant because it aligns itself with accepted governance standards. It also looks at laws, regulations, and contractual agreements, and aids the development of internal policies for compliance.
Mapping
It’s definitely a word we can associate with COBIT because mapping crops up in several areas:
- Goals are mapped to governance objectives on the balanced scorecard
- Stakeholder needs are mapped to enterprise goals
- The COBIT framework can be mapped to other frameworks, working together to achieve success
New in COBIT 2019
COBIT 2019 was released in November 2018. There are a number of new, changed, and updated elements within it. I’ve already mentioned components, focus areas, and design factors. Another one worth mentioning here is COBIT Performance Management (CPM), which looks at how well your organization’s governance and management system, plus all of its components, are working.
Optimization (risk and resources)
The primary governance objective of COBIT is stated as “value creation,” which consists of three elements:
- Benefits realization – the quote, “the only valid reason for investing in technology-enabled change is to generate benefits,” is a good place to start in describing this element.
- Risk optimization – there are two types of risk, the bad kind and the good kind. Risk optimization is about avoiding the bad risks as much as possible and proactively looking for those good risks that will pay off.
- Resource optimization – this is ensuring that IT has the right resources in place to meet enterprise goals, and this includes technology, people, and processes. It focuses on optimizing these resources for efficient and consistent delivery of IT services. And, without the right resources in place, organizations can waste money, let down consumers, and damage staff morale.
The framework assists in working out how to best balance these such that optimal value can be delivered to each group of stakeholders (please see the letter R for more detail on value creation.)
Processes
Because COBIT differentiates between governance and management, its 40 processes (up from 37 in COBIT 5) are split between these two areas (and are collectively called the COBIT Core Model).
The governance area has one domain and the management area has a further four domains:
Area 1: Governance
The governance domain is Evaluate, Direct and Monitor (EDM). COBIT states that “Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance, and progress against agreed-on direction and objectives.”
Area 2: Management
- Align, Plan, and Organize (APO) looks at optimizing the use of information and technology in order to successfully meet the organization’s objectives. It also shows how IT is to be structured to achieve benefits realization
- Build, Acquire, and Implement (BAI) involves assessing the requirements of IT, acquiring the right technology, and implementing it
- Deliver, Service, and Support (DSS) looks at delivering IT, including the use of applications and their outcomes
- Monitor, Evaluate, and Assess (MEA) assists with the organization’s strategy, looking into the needs of the company and checking how the current IT setup is performing – is it meeting its objectives and fully compliant?
COBIT can be employed by any organization that needs technology to hold and deliver its information. It provides guidance on organizational information systems to ensure that they’re compliant, secure, and dependable. Plus, COBIT provides businesses with the information they need to understand, use, and manage IT processes and infrastructure.
Realization of business benefits
ISACA has stated that “…a majority of enterprises report that less than half of their IT initiatives actually deliver the expected business benefits.” It’s an incredible waste of money, so it’s worth understanding COBIT’s benefits-realization process to avoid this pitfall.
If you work in IT (or frankly any department that relies on IT services) you’re bound to have come across, for example, a technology product that was purchased and installed with all the promise in the world, only to find that it doesn’t deliver what was expected. Avoiding exactly this is the purpose of business-benefits realization, and it’s what COBIT helps organizations to do: use IT to actually achieve the desired results.
(A) System of governance for digital transformation
The updated COBIT 2019 recognizes that digital transformation is changing the way businesses work. It advises that it’s no longer acceptable for an organization’s governing board to “delegate, ignore, or avoid information and technology-related decisions.” Information and technology are key enablers in a digital world, so governing boards and senior managers need to be closely involved as value-creation reliance on digitalization continues to grow.
Top-down approach
COBIT’s goals-cascade concept is a top-down approach that helps organizations to create enterprise goals from their stakeholder drivers and needs. These enterprise goals then cascade into alignment goals – which are goals that “emphasize the alignment of all IT efforts with business objectives.” And finally, the alignment goals cascade into the governance and management objectives of COBIT.
User satisfaction will increase
With COBIT, the needs of business users are analyzed and cascaded into goals (as shown above), which helps to increase their satisfaction with both the use of services (because these now address their needs) and the interaction with IT (because they’ve been considered in the process development). Ultimately, this process, along with the other elements of the framework, helps IT to deliver the best user experience possible.
COBIT isn’t just a single framework document; there are a number of parts that, put together, make it what it is:
- Introduction and Methodology – “The heart of the COBIT framework incorporates an expanded definition of governance and updates COBIT principles while laying out the structure of the overall framework.”
- Governance and Management Objectives – “This publication contains a detailed description of the COBIT Core Model and its 40 governance/management objectives.”
- Designing an Information and Technology Governance Solution (Design Guide) – “This new publication fills an important need for COBIT users—how to put COBIT to practical use.”
- Implementing and Optimizing an Information and Technology Governance Solution (Implementation Guide) – “This guide is an updated version of the previous COBIT 5 Implementation Guide, taking a similar approach to implementation. However, the new terminology and concepts of COBIT 2019, including the design factors, are built into this guidance.”
Worldwide
COBIT is used by businesses globally. Recognized worldwide, it really can be implemented in any organization that relies on information and technology to aid its business operations.
X-ray
How long is it going to be before you get bored of me using x-ray for the letter X? Once again though, it fits nicely because of the transparency that COBIT provides for stakeholders (and because there’s no other X-word that will do – please chime in with alternatives though.)
You should know…
… that COBIT was originally, and still is, developed by ISACA – a nonprofit, independent association of more than 140,000 governance, security, risk, and assurance professionals in 187 countries. Going forward, ISACA states that, because an “open-source” model has been adopted for COBIT 2019, there’s now the ability for people to proactively provide feedback and propose enhancements, with further evolutions released as needed.
Zebra
Through its key concepts and elements, COBIT helps organizations to make the governance and management of their IT completely black and white, no gray areas at all. Like a zebra… okay, I was getting tired at this point.
So that’s my A – Z of COBIT, and I’ve tried to include the changes in the 2019 version where possible. What else would you add? Please let me know in the comments.
Posted by Joe the IT Guy