Improving Governance at a National Bank With COBIT

Author: Bruno Horta Soares, CISA, CRISC, CGEIT, PMP
Date Published: 24 May 2023

In 2019, the National Bank of Angola (BNA) in southern Africa initiated a program to improve the governance and management of information and technology (I&T) practices, driven mainly by the guidelines of the Southern African Development Community (SADC). The SADC guidelines aimed to harmonize and improve the governance and management of the I&T of central banks within the region through a phased approach to establishing 16 I&T COBIT® objectives (figure 1).¹

Additionally, the BNA set out to answer the key question, “How can the improvement of governance and management of I&T practices contribute to value creation at the BNA?” In this context, the BNA initiated a transformation program that resulted in the successful training of nearly 60 employees in different best practices of governance and management of I&T, which contributed to internal recognition of the importance of I&T to value creation. The methodology for the operationalization of the program considered the principles and best practices of the COBIT® 2019 framework.²

The Challenge

Because the initiative was launched in 2019, the question of what framework would be adopted was immediately raised: COBIT® 5³ or COBIT® 2019⁴? However, the main constraint was that the program was launched at the start of the COVID-19 pandemic, which limited physical access to the premises of external partners and consultants. Taking this scenario into account, the executive board of the BNA, represented by Chief Information Officer (CIO) Pedro Castro e Silva, decided to adopt the COBIT 2019 framework and move forward with the BNA’s existing human capital. This decision posed a high risk considering the BNA employees’ lack of knowledge of the COBIT 2019 framework or experience with similar initiatives.

Five critical success factors were immediately identified:

  1. Need for the involvement of several organizational units in addition to the IT department—The BNA strove to make it clear from the start that the project was not merely an IT initiative, but rather an initiative related to the value of I&T at the scale of the entire organization.
  2. Enterprisewide COBIT 2019 Foundation training—Four COBIT 2019 Foundation training cycles were carried out, involving approximately 60 employees.
  3. Training of multidisciplinary teams—The training of teams for each of the governance and management objectives, with participants from different departments, facilitated knowledge sharing between different areas and improved commitment to the objectives.
  4. Capability-building workshops—In addition to providing general training in COBIT 2019, it was important to hold training sessions on the different governance and management objectives so that team members could learn about the seven COBIT 2019 components and best practices in more detail, which would serve as a basis for the implementation.
  5. Use of specialized external advisor—The training and execution of the workshops were carried out with the support of an external consultant who, in addition to imparting knowledge and experience, designed the tools that facilitated the implementation of the program. Support was offered directly to members of the dedicated program management team as the main interlocutors of the organization’s initiative.

The Solution

The program involved an initial phase of general COBIT 2019 Foundation training so that everyone involved could learn the methodology and to ensure the alignment of concepts and the sharing of a common language. The identified objectives were subsequently grouped into three phases, and teams composed of staff from different departments of the organization were defined for each objective. A critical element at the beginning of the program was the definition of a reference framework aligned with COBIT 2019 that facilitated, in a simple manner, several objectives:

  • Clarification of the scope of the program, highlighting its alignment with the organization’s business objectives (enterprise goals)
  • Creation of a shared model for alignment between different teams that included a common vision and information repositories
  • Establishment of an overview of the framework implementation’s evolution over time, with clarification of the current state and the results expected throughout the three horizons of implementation (figure 2):
    • Current state—Lack of a systemic view of information and technologies at the BNA; informal practices, scattered information and considerable non-explicit knowledge
    • Horizon 1—Definition of a reference model and alignment of I&T objectives with BNA objectives; priority I&T governance and management objectives and practices defined, with emphasis on the processes component
    • Horizon 2—Reinforcement of the alignment of the reference model with the operational areas of the BNA; I&T governance and management objectives and practices reinforced, concentrating on other components in addition to processes
    • Horizon 3—Consolidation of the reference model for I&T governance, management and operation at the BNA; consolidation of the I&T governance and management objectives and practices, with a holistic view of all main components

During team training, it was important to ensure that workshops were not merely theoretical, but also supportive of the methodology defined for implementing the program.

Phase 1: Problem Definition and Opportunities
The BNA team recognized that there were some I&T-related practices already implemented. However, those practices were designed in accordance with the organization’s existing departments rather than being aligned with the COBIT 2019 framework and the governance and management objectives identified as being in scope. It was important to design a documentation model that would allow for mapping the organization’s reality with the best practices of COBIT 2019.

For this purpose, multiple mapping spreadsheets were created, including:

  • A repository of alignment goals and I&T governance and management objectives and metrics (the CIO dashboard)
  • A repository of processes (Component 1)
  • A repository of organizational structures (Component 2)
  • A repository of information flows and items (Component 3)
  • A repository of people, skills and competencies (Component 4)
  • A repository of policies and procedures (Component 5)
  • A repository of culture, ethics and behavior (Component 6)
  • A repository of services, infrastructure and applications (Component 7)

The spreadsheets were created using training workshops and teamwork sessions to assess the processes and analyses of documentation from operational teams. A three-step methodological approach was used to achieve each of the governance and management objectives in scope:

  1. Workshop, Part 1—Know/Understand:
    • Know and understand the COBIT 2019 governance and management objective.
    • Analyze the COBIT 2019 objectives and related metrics.
    • Analyze the COBIT 2019 process component.
    • Know and understand the process capability assessment.
  2. Teamwork sessions—Map and Document:
    • Adapt the objectives and metrics to the organization’s reality.
    • Assess the COBIT 2019 process capability.
    • Map COBIT 2019 practices and activities (i.e., process components) with the operational documentation.
    • Document the information repositories related to each of the components.
  3. Workshop, Part 2—Review and Improve:
    • Analyze the remaining components related to the objective.
    • Update the documentation.
    • Identify and document quick wins and improvement opportunities.

The objective of the exercise was not only to assess the BNA’s alignment with the COBIT 2019 framework, but also to effectively document the practices of governance and management of I&T. The use of COBIT 2019 best practices allowed the organization to create a reference model (figure 3), map the practices that were already implemented and identify those that would be considered opportunities for improvement.

This model documented the governance and management practices in accordance with COBIT 2019 terminology, while operational practices were documented with the operational language of the departments involved. A practice or document could be mapped with only one operational practice or document, or with multiple operational practices or documents.

Therefore, each documentation repository was not only considered a self-assessment instrument, but also an internal tool for documentation of best practices. The program management team began to monitor the level of implementation of each component and report it to the CIO on a weekly basis.

All analysis, documentation and evaluation were carried out by the organization internally using computer tools such as Microsoft Excel (e.g., documenting mappings) or Microsoft PowerPoint (e.g., compilation of assessments, presentation of results) to make the documentation process simpler and to ensure that the focus was mainly on knowledge and understanding of best practices and mapping with the organization’s operational reality.

Finally, the improvement opportunities repository was a central element of the initiative because it encompassed all individual practices that should be considered in future initiatives. The basic principle of the documentation of improvement opportunities was that if a COBIT 2019 practice existed, it should be documented and mapped with the operational documentation. If a COBIT 2019 practice was not found, an improvement opportunity should be named so that it could be implemented in the future.

At the end of the phase, nearly 300 opportunities for improvement were identified, resulting from the misalignment of the organization’s current state with COBIT 2019. Important work documenting and mapping existing practices was also carried out, making it possible to assess the organization’s reality using COBIT 2019 language.

Phase 2: Definition of Objectives and Road Map
Identifying different levels of capability was important for the BNA because it helped the bank understand that in addition to implementing something new, it was aligning its already existing practices with best practices. In this sense, it was necessary to define a target capability objective to align all critical objectives with the same capability level.

At this stage, several tasks were carried out:

  • Definition (formalization) of the target capability for each process in scope
  • Analysis of gaps and prioritization of improvements
  • Definition of the road map

The involvement of top management at the BNA was important for their understanding and recognition of the current status of I&T governance. It contributed to their acceptance of the target state, and, later, their approval of the initiatives that needed to be carried out to reach the target state.

Phase 3: Planning Initiatives
The objective of this phase was to ensure that improvement opportunities were grouped in a structured way to represent improvement initiatives. Because this was not a compliance program, it was important to ensure that improvement opportunities were not perceived as mere checklists of changes to make, but rather, as requirements that should be considered in the context of improvement initiatives. Opportunities related to different components of COBIT 2019 objectives and opportunities to improve different COBIT 2019 objectives were grouped, taking into account the implementation logic.

Several tasks were performed during this phase, including:

  • Definition of improvement initiatives
  • Identification of quick wins
  • Launching of improvement initiatives

At the end of the planning phase, the program’s team prepared a record for each of the initiatives with the proposed sponsor, involved areas, objectives, scope, results and related opportunities.

Phase 4: Implementation
The program distinguished the implementation phase so that emphasis was placed on the commitment to transformative goals and the road map to achieve them. This way, the initiatives were designed considering only their requirements, independent of the team that would implement them. The initiative forms served as a basis for launching internal projects and for defining requests for proposals (RFPs) if it became necessary to involve external entities. During this phase, the program team started to monitor the performance of the initiatives and, consequently, the impact on the previously identified best practices gap. This ensured that it was always possible to identify the degree of implementation of best practices for each objective and component considered in the scope.

The Outcomes

The results of the program thus far can be quantified in a number of ways:

  • Approximately 60 employees completed COBIT 2019 Foundation training.
  • More than 30 training seminars were attended by the employees who participated.
  • A reference framework for the governance and management of I&T that aligned with COBIT 2019 was defined.
  • A dashboard was defined for the governance and management of I&T with alignment goals (29 metrics) and objective goals (240 metrics).
  • An assessment of the capability of 17 processes was conducted.
  • Best practices were documented for the seven components associated with the objectives in scope.
  • Control panels for monitoring best practice gaps were defined.
  • Summary sheets for the 17 objectives in the scope were documented for communication purposes.
  • Nearly 300 improvement opportunities were identified.
  • Characterization of 15 initiatives took place.

In terms of qualitative results, the internal team is recognized for its newfound capability to understand and implement COBIT 2019 best practices autonomously.

As with the implementation of any program, basic knowledge and a clear understanding of the starting point are essential to progress toward the desired goal. The BNA recognized that the challenge of improving governance and management of I&T practices could not be tackled with a bottom-up approach, as had been attempted in the past. A top-down approach was necessary.

Traditional Approach (Bottom Up)

The bottom-up approaches that the BNA relied on in the past, which were linked to the organizational chart, ultimately failed because the effort to systematize and formalize all operational activities was not compatible with the internal complexity and pace of external transformation (figure 4).

Systemic Approach (Top Down)

The top-down approach is considered a systemic view of I&T in the organization, promoting a reference model that goes beyond the IT department and values the transformation of governance and management practices more than the transformation of operational practices (figure 5).

The main benefits obtained from the program so far have been:

  • Alignment of the BNA’s operational model with external requirements—The adoption of governance and management best practices aligned with COBIT 2019 was crucial because it allowed for the mapping of existing operational practices and the implementation of a continuous improvement system, mainly involving monitoring the operational layer. This helped inform the operational areas or external entities in terms of the best practices needed for governance and management, providing a better opportunity to implement the operational practices considered most appropriate.
  • Adoption of a holistic view of I&T at the BNA—Although the processes component received significant attention throughout the capability assessment, the analysis of the other components allowed for a more comprehensive understanding of the best practices already implemented at the BNA. In certain situations, despite having identified gaps in activities, certain human factors (e.g., staff turnover, teams’ lack of experience and knowledge, lack of communication skills) were identified as important and valued.
  • Adoption of a program implementation methodology—The existence of a strong motivation to respond to external requirements could lead to the adoption of a “compliance by compliance” strategy. However, it was recognized that the value of improving the practices of governance and management of I&T went beyond mere compliance and could have a broader impact on the organization’s value creation.
  • Employee training—The training and qualification sessions in which employees participated were essential for the entire organization to understand the value of sharing responsibilities in terms of I&T.

By the conclusion of the BNA’s COBIT 2019 initiative, it became clear to a significant number of employees that the responsibility for good governance and management of I&T goes beyond the direct responsibilities of the IT department. When managed effectively, I&T can contribute to a real transformation of internal culture. Employees organizationwide can harness the potential of I&T for value creation—not merely the IT department.

Endnotes

1 ISACA®, COBIT® 2019 Framework, USA, 2018, https://www.isaca.org/resources/cobit
2 Ibid.
3 ISACA, COBIT® 5: A Business Framework for the Governance and Management of Enterprise IT, USA, 2012, https://www.isaca.org/bookstore/cobit-5/wcb5
4 Op cit ISACA, COBIT 2019

BRUNO HORTA SOARES | CISA, CRISC, CGEIT, PMP

Is an experienced information and technology (I&T) professional with more than 20 years of experience in audit, consulting and advisory services. He has expertise in governance, risk and compliance (GRC), information security, privacy, and digital transformation. He founded Governance Advisors-as-a-Service (GOVaaS) and is currently a senior advisor. He also teaches at various universities in Portugal and abroad, and is the founder and president of the ISACA® Lisbon (Portugal) Chapter. In 2019, he was awarded the John Kuyers Award for Best Speaker by ISACA.