Case Study: Driving Digital Transformation Through COBIT

Author: Katie Teitler-Santullo
Date Published: 1 November 2022
Related: COBIT 2019 Framework: Introduction & Methodology

Despite its name, the Central Bank of Nigeria (CBN) is not a financial institution in the traditional sense. Rather, it is a regulatory body governing the overall control and administration of the monetary and financial sectors of the federal government of Nigeria. Per the CBN website:

[T]he Bank is charged with the responsibility of administering the Banks and Other Financial Institutions Act of 2020, with the sole aim of ensuring high standards of banking practice and financial stability.1

The proper and effective governance of all processes, therefore, is of crucial importance.

The CBN maintains branch offices in each of the 26 states in Nigeria and has an additional administrative location in the city of Abubakar, bringing the total number of managed locations to 27. At present, CBN employs 9,000 people and its IT systems are centralized, managed by a team of approximately 300 IT staff.

CBN maintains an IT standards blueprint, which reflects international and global standards of IT, drawing on industry frameworks, best practices and recommendations for optimal IT operations throughout CBN. Information technology governance is a key element of that blueprint. Though CBN’s governance program runs smoothly today, until recent years elements of IT governance were lacking, resulting in inefficiencies and departmental misalignment.

Challenge

Nsuhoridem Okon, CBN’s IT risk and compliance lead, joined the organization in 2015. At the time the IT department was misaligned with business units and, while it initiated many projects, the team was failing to meet expected results. Okon said that while projects started with promise, business benefits were not realized, and the IT team spent a lot of time “firefighting,” or attending to the most recent and/or pressing IT issue.

Much of this was due to the fact that, at that time, CBN’s management was not focused on long-term IT strategy, she said. The general feeling among staff in the IT department was that there was not enough governance for IT decisions. As a result, the team noticed that other departments were circumventing IT, gaining business approval, then presenting IT with the necessary forms to begin a project.

To give more background, CBN has a board-level committee that provides approvals for major endeavors. In the case of IT projects, business units would bypass IT to gain approval from the board of directors (BoD). The director of IT would then receive a mandate to deliver the projects—whether the team had the capacity to do so or not. Because the projects had not been approved by IT, they often could not fit into the existing IT infrastructure. This haphazard process was impacting work schedules and leading to suboptimal project completion.

Further, the IT department was feeling underappreciated, especially in light of a technology refresh that had occurred several years prior. The IT department had spent significant amounts of time, money and effort to bring CBN’s IT infrastructure up to speed per digital transformation (i.e., business) requirements. Nonetheless, the service delivery outcomes of the refresh were not as effective as they could have been and pain points remained (figure 1). The IT department and its steering committee realized that the IT department was not consistently delivering reliable services—even after deploying the improved technology—and some end-user projects were not delivering the expected and intended value. While CBN’s IT department had put sophisticated systems in place and automated formerly manual processes to improve efficiencies, a lack of internal partnerships with business leaders was hampering the entire program. IT had put much effort into researching how to stabilize core operations, yet the team was still challenged because governance had not been established, let alone from a top-down perspective.

Okon said the entire department knew it had to improve its relationships with internal stakeholders to ameliorate processes and guarantee better outcomes for the organization’s IT projects.

Thus, in 2016, approximately one year after Okon started her position at CBN, there was an organizationwide decision, driven by the IT steering committee of which she was part, to embark on a governance improvement project. The committee included five business directors in the project to ensure its success. The non-IT members consisted of business leaders from the enterprise risk group, internal audit and human resources (HR). The mandate of the project was to solve IT governance issues by implementing the COBIT® framework. While it was initially an IT steering committee decision, the backing of the business partners who participated in the steering committee efforts helped convince business leaders that a governance overhaul was necessary, and CBN embraced the idea.

The concept of implementing frameworks was not new to CBN. Prior to this project, CBN used ITIL, a set of best practices designed to help organizations standardize IT selection, planning, delivery and maintenance. According to Okon, ITIL was extremely effective at helping CBN restructure, put in place fundamental project management processes and incorporate automation to streamline the project delivery. CBN also relied on International Standards Organization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001 Information Security Management for security systems management. Thus, the steering committee understood the importance of implementing a framework for continuous improvement and was ready to take the organization to the next level with COBIT.

Solution

The steering committee’s initial assessment consisted of a step-by-step review of the COBIT framework (figure 2). Members of the committee spoke with nearly 20 different departments within CBN to understand their technology needs. They developed a gap analysis to identify pain points, mapped those pain points to IT risk, and found the areas where improvement was needed. This assessment was evidence that the IT team was doing its part in trying to align with the business’ requirements.


Source: ISACA®, COBIT® 2019 Implementation Guide, USA, 2018, https://www.isaca.org/resources/cobit. Reprinted with permission.

Through this assessment, C-level executives within the organization gained an awareness of how detrimental the current processes and procedures were. The assessment highlighted the fact that failures were not due to the technology systems themselves, but to the people running projects and the collaboration, or lack thereof, between groups.

By following COBIT guidance, the committee could clearly see and demonstrate to the executive team that what was needed was people transformation: Employees needed access to the training, guidance and processes necessary to keep pace with digital transformation. The organization desperately needed to facilitate change enablement and culture change to fully embrace digital transformation.

By comparing the initial assessment and further analysis of the organization against the guidance of COBIT, the steering committee also realized that CBN needed a stronger focus on benefits, and on whether and how benefits were realized from every IT project requested and completed. CBN’s IT teams learned from the framework that they needed to be tracking benefits and changes from the start of every project through delivery and maintenance. The benefits were not limited to the quality of the IT systems delivered; they included how successful delivery positively impacted business units and their daily operations.

In addition, the CBN steering committee found that the COBIT framework specified a separation between IT and the BoD—a separation that would remove the workarounds business units had leveraged to move their projects to the front of the line without IT’s knowledge. Removing political implications and conflicts of interest from the IT projects’ approvals process would result in a more effective program with better outcomes for all parties involved.

Benefits

Okon said COBIT was chosen because it was the only governance framework at the time that encompassed an enterprisewide IT strategy. She called the framework “frighteningly comprehensive,” and, therefore, best-in-class.

COBIT had been chosen, Okon said, because it was the highest standard for quality management, and the IT steering committee understood that quality had to be built into any governance improvements. CBN wanted to be an early adopter of the framework for Nigeria’s finance sector, test its effectiveness and lead the way in terms of how technology optimization relies on governance and quality. As the regulatory arm of the monetary and financial sectors, CBN knew it was important for other financial institutions to see how adopting COBIT would produce positive results for each organization.

One of the main benefits of COBIT realized by CBN was greater visibility between the BoD and IT. IT had clearer insight into board-level strategic goals, and board directors understood more about the inner workings of the IT department and its effect on enterprisewide business operations. The visibility ultimately trickled down to other groups—including corporate strategy, finance, risk, audit and more—and improved other aspects of governance. IT was able to internally agree that enterprise strategy would include IT strategy moving forward. An IT road map was created and presented to the strategic decision makers of CBN to ensure awareness and alignment, and help business leaders understand how IT decisions impacted departments beyond IT and how the technology needs of the business units impacted the overall ability to operate and, therefore, meet (or fail to meet) strategic goals.

Results

The CBN assessed its success in the implementation of COBIT based on the inclusion of technology in enterprise strategy discussions and formal organizational plans. Prior to the implementation of COBIT, CBN had a two-step strategy in which the enterprise strategy drove IT’s initiatives. Following COBIT implementation, IT became part of the overall enterprise strategy, meaning the impact of IT is now considered by the executive team and BoD in conjunction with important business initiatives rather than being seen as an add-on or a delivery mechanism for enterprise operations.

The CBN governor, the equivalent of a chief executive officer (CEO), now includes technology when discussing or presenting enterprise plans and actions. A revised charter for the enterprise board committee also has terms of reference that include IT governance. And last, but certainly not least, Okon said CBN has achieved closer alignment between enterprise risk management and IT risk management teams. This translates into monthly risk reporting between IT and cyberrisk teams, which, in turn, feeds the enterprise risk framework. Although a numeric metric for improved IT governance cannot be quantified within the greater enterprise risk strategy, Okon said CBN has definitively achieved risk reduction.

Quantitative metrics demonstrating the results of the implementation of COBIT at CBN are not available, but Okon said the IT steering committee and enterprise leaders can qualitatively speak to increased IT quality and improved internal relations that have led to higher quality IT project delivery. As governance has taken on a greater role at CBN, the entire organization has experienced improved alignment between IT and operations, with more accountability and greater awareness of risk. In short, CBN is better positioned today to understand what needs to happen in IT and how IT drives digital transformation.

There were various systemic improvements from the program that are summarized in figure 3.

Though COBIT was used to drive governance change across CBN in 2016, COBIT continues to be the underpinning of its strategy in 2022. Okon said most of CBN’s governance challenges have been solved by adhering to the methods outlined in COBIT, which have been updated, refined and adjusted to meet present-day business requirements. Today, the IT steering committee references the COBIT framework any time it wants to analyze governance and measurements of work outputs.

In addition, based on the guidance in COBIT, the CBN maintains a regular cycle of compliance assessments and updates policy documents. Every year, it conducts a KPI review to identify what projects and initiatives will be measured, determine how they will be measured and analyze the results.

On top of COBIT, CBN continues to rely on ITIL, and the organization has implemented several cybersecurity project management frameworks (note that the cybersecurity team does not report to the IT organization, but the two departments rely on each other for optimal operation). Further, CBN is looking to extend its use of COBIT. The IT team has been trained in the latest version of COBIT and is using process descriptions outlined in the framework to map CBN’s current programs and strategy. CBN continues to rely on COBIT for guidance in determining process control points, updating process templates and preparing for compliance assessments. COBIT has become a standard part of the tool kit the IT department uses to continuously improve and ensure positive outcomes for the technology projects it delivers.

Okon said that the entirety of CBN has come a long way since 2016 when COBIT was first used. Today, based upon that foundation, CBN has achieved synergy across the organization as it relates to IT projects and their place in enterprise risk and strategy. The awareness gained and the changes that have taken place over the last six years were a direct result of improvements and restructuring in IT governance. CBN was able to successfully move beyond the pain points that were regularly occurring in 2015 to a maturity level that supports business alignment, internal cooperation, improved processes, increased awareness and reduced risk. Governance, Okon said, is no longer an issue that needs to be corrected; instead, it drives success for both IT and business.

Endnotes

1 Central Bank of Nigeria, “About CBN,” https://www.cbn.gov.ng/aboutcbn/

KATIE TEITLER

Is a senior product marketing manager at Axonius where she is responsible for the company’s cybersecurity asset management product messaging. She is also a co-host on the popular podcast Enterprise Security Weekly. Prior to her current roles, Teitler was a senior analyst at a small cybersecurity analyst firm, advising security vendors and end-user organizations and authoring custom content. In previous roles, she managed, wrote and published content for various research firms including MISTI (now part of the CyberRisk Alliance), a cybersecurity events company; and was the director of content at Edgewise Networks, now part of Zscaler.