
IT Policy Framework based on COBIT 5

Authors: Steven De Haes, Ph.D.; Roger Debreceny, Ph.D.; and Wim Van Grembergen, Ph.D.
Date Published: 1 January 2013

The COBIT 5 good-practice framework for governance and management of enterprise IT (GEIT) incorporates many widely accepted concepts and theories from general management and academic IT literature. Exploring how the core principles of the framework are derived from insights from theory and literature,1 this article provides guidance to practitioners as they apply COBIT 5 in their organizations.

Governance of Enterprise IT and COBIT 5

Information and related technology have become increasingly crucial in the sustainability, growth and management of value and risk in most enterprises. As a result, IT has moved from a support role to a central position within enterprises. The enhanced role of IT for enterprise value creation and risk management has been accompanied by an increased emphasis on GEIT. Enterprise stakeholders and the governing board wish to ensure that IT fulfills the goals of the enterprise.2, 3 GEIT is an integral part of overall corporate governance. GEIT addresses the definition and implementation of processes, structures and relational mechanisms within the enterprise that enable business and IT staff to execute their responsibilities in support of creating or sustaining business value.4 GEIT is complex and multifaceted. Members of the governing board and senior management typically need assistance in implementing GEIT. Over the years, good-practice frameworks have been developed and promoted to assist in this process.5

Released in 2012, COBIT 5 builds on and integrates 20 years of development in this field.6 From its foundation in the IT audit community, COBIT has become a broader and more comprehensive IT governance and management framework and continues to establish itself as a generally accepted framework for IT governance.

COBIT 5 also integrates Val IT and Risk IT. Before COBIT 5, Val IT addressed the IT-related business processes and responsibilities involved in enterprise value creation, and Risk IT provided a holistic business view of IT risk management. Now incorporated into COBIT 5, this single comprehensive framework guides managers as they implement GEIT in their enterprise.

Substantiating the COBIT 5 Principles

The COBIT 5 framework is built around five core principles, illustrated in figure 1. Each principle is discussed in this section and relates to concepts and insights from professional and academic literature. The following subsections address the COBIT 5 principles and the concepts that are appropriate for the given principle.

Meeting Stakeholder Needs—Strategic Business/IT Alignment
Principle one (meeting stakeholder needs) implies that COBIT 5 provides all the required processes and other enablers to support business value creation through the use of IT. This principle closely aligns with the long-standing concept of strategic alignment. The belief that a core component of IT governance is to achieve strategic alignment between IT and the rest of the organization is a core element of COBIT. However, a continuing challenge for organizations is how to achieve alignment. To assist organizations with enhancing strategic alignment, the COBIT 5 development team undertook research to provide guidance in understanding how enterprise goals drive IT-related goals and vice versa. This research was based on in-depth interviews in different sectors and expert (Delphi Method) assessments. A generic list of enterprise goals, IT-related goals and their interrelationships was established (see figure 2). This cascade constitutes the core entry point for COBIT 5. It suggests that organizations should start with analyzing their business/IT strategic alignment through defining and linking enterprise goals and IT-related goals.7, 8

COBIT 5 uses the term “enterprise goals” (as opposed to “business goals” in COBIT 4) to signal explicitly that the framework includes profit-oriented, not-for-profit and governmental enterprises. Further, COBIT 5 talks about IT-related goals (as opposed to “IT goals” in COBIT 4); this is addressed in the next subsection.

Figure 2 shows that the enterprise goal of “external compliance with laws and regulations” requires a primary focus (P) on the IT-related goals of “IT compliance and support for business compliance with external laws and regulations” and “security of information and processing infrastructure.” In COBIT 5, the weighted importance of IT-related goals leads in turn to a primary focus on a subset of COBIT 5 enablers, such as governance and management processes. In this example, the subset of processes includes APO12 Manage risk, APO13 Manage security and BAI06 Manage changes.

Meeting Stakeholder Needs—The Balanced Scorecard
To verify whether stakeholder needs are indeed being met, a sound measurement process should be established. Traditional performance measures such as return on investment (ROI) capture the financial worth of IT projects and systems, but reflect only a limited (tangible) part of the value that IT can deliver.9

To facilitate a broader measurement process, the developers of COBIT 5 have built on the balanced scorecard concepts.10, 11 As shown in figure 2, all enterprise goals and IT-related goals are grouped in the balanced scorecard perspectives. COBIT also provides samples of outcome metrics to measure each of those goals and to build a scorecard for IT-related activities. Figure 3 provides examples of metrics for the customer perspective of the enterprise and IT-related goals.

Moreover, COBIT 5 provides outcome measures at the level of the 37 detailed COBIT 5 processes. An example providing specific process goals and related metrics is shown in figure 4 for the process of Manage security. Of course, these process goals and metrics cannot merely be reported to stakeholders—including senior operational management and the governing board—because the stakeholders would be overwhelmed with information. Rather, the process goals and metrics must be consolidated and aggregated in a way that facilitates a usable and comprehensive balanced scorecard for the entire IT-related environment. The balanced scorecard allows the organization to determine if stakeholder needs are being met.

Covering the Enterprise End-to-end—IT Savvy
The principle of covering the enterprise end-to-end articulates that COBIT 5 covers all functions and processes within the enterprise. COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset within the enterprise.12 Business managers should take on responsibility for managing their IT-related assets just as they do for other assets, such as physical plant and financial and human resource assets, within their own organizational units and functions. The business must take ownership of, and be accountable for, governing the use of IT in creating value from IT-enabled business investments.13

A focus on covering the enterprise end-to-end implies a crucial shift in the minds of business and IT management; it comprises a move from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. “If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset.”14

COBIT 5, then, covers both IT and IT-related business responsibilities. As a demonstration of this, COBIT 5 provides Responsible, Accountable, Consulted and Informed (RACI) charts for its processes, in which business and IT roles are included. To illustrate this, an example RACI chart for the process Manage service agreements is shown in figure 5. This RACI chart indicates that for the service level agreement (SLA) process, both business and IT functions have accountabilities and responsibilities.

Applying a Single, Integrated Framework—COBIT/Risk IT/Val IT and Other Frameworks
Principle three (applying a single, integrated framework) explains that COBIT 5 aligns with other relevant standards and frameworks at a high level and thus can serve as the overarching framework for GEIT. ISACA has made a major investment over the years in aligning COBIT with other frameworks, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework, the IT Infrastructure Library (ITIL), the Project Management Body of Knowledge (PMBOK), The Open Group Architecture Framework (TOGAF) and Projects in Controlled Environments, Version 2 (PRINCE2). Many of the processes in COBIT 5 are inspired by the guidance in these frameworks, and many of the processes and practices in COBIT 5 therefore relate to and align with one or more detailed frameworks in the field. To support working with COBIT 5 alongside these frameworks, a high-level mapping of COBIT 5 to each of them is included at the process level in COBIT 5: Enabling Processes. Because COBIT 5 also integrates Risk IT and Val IT, it is a one-stop shop whose scope includes both previous guidance from ISACA and guidance from other standards and frameworks in the field.15

In its overarching approach, COBIT 5 identifies a set of governance and management enablers that includes 37 processes (see figure 6). At the governance layer, there are five processes in the Evaluate, Direct and Monitor (EDM) domain. These processes set out the board’s responsibilities for evaluating, directing and monitoring the use of IT assets to create value for the enterprise. The EDM domain covers setting the governance framework, establishing responsibilities in terms of value (e.g., investment criteria), risk factors (e.g., risk appetite) and resources (e.g., resource optimization), and maintaining transparency on IT to stakeholders.

There are four domains defined at the management layer: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). The APO domain concerns the identification of how IT can best contribute to the achievement of the business objectives. Specific processes within the APO domain relate to IT strategy and tactics, enterprise architecture, innovation and portfolio management. Other important processes address the management of budgets and costs, human resources, relationships, service agreements, suppliers, quality, risk, and security. The BAI domain makes IT strategy concrete by identifying the requirements for IT and managing the IT investment program and projects within that program. This domain also addresses the management of capacity; organizational change; IT change management; acceptance and transitioning; and knowledge, asset and configuration management. The DSS domain refers to the actual delivery of the IT services required to meet strategic and tactical plans. The DSS domain includes processes to manage operations, service requests and incidents, as well as the management of problems, continuity, security services and business process controls. The fourth management domain, MEA, includes processes that are responsible for the assessment of process performance and conformance, evaluation of internal control adequacy, and monitoring of regulatory compliance.16

Applying a Single Integrated Framework—IT Savviness
Compared to its previous versions, COBIT 5 involves business management more thoroughly and completely in governing and managing IT. For example, three newly added processes that address specific business roles are APO03 Manage enterprise architecture, APO04 Manage innovation and BAI05 Manage organizational change. In line with this change, there are fewer processes in the Deliver, Service and Support (DSS) domain (six) than in the Deliver and Support domain of COBIT 4.1 (13). Some of these processes were moved to a higher domain within the framework. A typical example is the shift of the Manage service agreements process to the APO domain, recognizing the evolution of IT operations toward greater reliance on outsourcing and cloud computing.

Enabling a Holistic Approach—Organizational Systems
The fourth principle (enabling a holistic approach) explains that efficient and effective implementation of GEIT requires a holistic approach, taking into account several interacting components—processes, structures and people. This implementation challenge is related to what is described in strategic management literature as the need for an organizational system, i.e., the way a firm gets its people to work together to carry out the business.17 Such organizational systems require the definition and application, in a holistic manner, of structures (e.g., organizational units and functions) and processes (to ensure that tasks are coordinated and integrated), as well as attention to people and relational aspects (e.g., culture, values, joint beliefs).

In applying this organizational system theory to GEIT, organizations are deploying it using a holistic mixture of structures, processes and relational mechanisms.18, 19 GEIT structures include organizational units and roles responsible for making IT-related decisions and for enabling contacts between business and IT management decision-making functions (e.g., IT steering committee). This can be seen as a form of blueprint for how the governance framework should be structurally organized. GEIT processes refer to the formalization and institutionalization of strategic IT decision making and IT monitoring procedures to ensure that daily behaviors are consistent with policies and provide input back to decision makers (e.g., IT balanced scorecard). The relational mechanisms are ultimately about the active participation of, and collaborative relationship among, corporate executives, IT management and business management, and include mechanisms such as announcements, advocates and education efforts.

COBIT 5 builds on these insights. A key change in COBIT 5 is the concept of enablers. “Enablers” are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (see figure 7)—of which processes; organizational structures; and culture, ethics and behavior are closely related to the organizational systems concept. COBIT 5 then complements these organizational systems insights with other important enablers including principles, policies and frameworks; information; service, infrastructure and applications; and people, skills and competencies.

Separating Governance From Management—ISO/IEC 38500 (2008)
Finally, principle five (separating governance from management) is about the distinction COBIT 5 makes between governance and management. This distinction aligns with the guidance in ISO/IEC 38500.20 In COBIT 5, ISACA states for the first time that IT governance and IT management processes encompass different types of activities. The governance processes are organized following the EDM model proposed by ISO/IEC 38500. IT governance processes ensure that enterprise objectives are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In enterprises, IT governance should be the accountability of the board of directors or its equivalent. Based on these governance activities, business and IT management plans, builds, runs and monitors activities (a COBIT translation of Deming’s Plan, Do, Check, Act [PDCA] cycle) in alignment with the direction set by the governance body, in order to achieve the enterprise objectives.

Conclusion

In summary, GEIT is the board’s accountability and responsibility and the execution of the set direction is management’s accountability and responsibility.21 COBIT 5 is primarily a framework made by and for practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems. By clearly indicating how the core elements of COBIT 5 are built on these IT and general management insights, this article provides guidance to practitioners in their endeavors to apply COBIT 5 in their organizations.

Endnotes

1 For additional details on this topic, see: De Haes, S.; R. Debreceny; W. Van Grembergen; “COBIT 5 and Enterprise Governance of Information Technology: Building Blocks and Research Opportunities,” Journal of Information Systems, USA, 2013
2 De Haes, S.; W. Van Grembergen; “An Exploratory Study Into the Design of an IT Governance Minimum Baseline Through Delphi Research,” Communications of AIS, USA, 2008
3 Thorp, J.; The Information Paradox, McGraw-Hill, USA, 2003
4 Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009
5 Ibid.
6 ISACA; COBIT 5, USA, 2012
7 De Haes, S.; W. Van Grembergen; “Prioritizing and Linking Business Goals and IT Goals in the Financial Sector,” International Journal of IT/Business Alignment and Governance, USA, 2010
8 Van Grembergen, W.; S. De Haes; H. Van Brempt; Understanding How Business Goals Drive IT Goals, ISACA, 2008, www.isaca.org
9 Op cit, Van Grembergen and De Haes, Springer, 2009
10 Kaplan, R.; D. Norton; “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review, USA, 1992
11 Van Grembergen, W.; R. Saul; S. De Haes; “Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group,” Journal of Information Technology Cases and Applications, USA, 2003
12 Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
13 Ibid.
14 Ibid.
15 ISACA; COBIT 4.1, USA, 2007
16 Op cit, ISACA, 2012
17 De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, 2005
18 Peterson, R.; “Crafting Information Technology Governance,” Information Systems Management, USA, 2004
19 De Haes, S.; W. Van Grembergen; “An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment,” Information Systems Management, USA, 2009
20 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC); ISO/IEC 38500:2008, Corporate governance of information technology, 2008, http://www.iso.org
21 Op cit, Van Grembergen and De Haes, Springer, 2009

Steven De Haes, Ph.D., is associate professor at the University of Antwerp and the Antwerp Management School (Belgium) and academic director of the IT Alignment and Governance (ITAG) Research Institute and the Executive Masters in IT Governance & Assurance and Enterprise IT Architecture. He can be contacted at steven.dehaes@ua.ac.be.

Roger Debreceny, Ph.D., is the distinguished professor of accounting in the Shidler College of Business, University of Hawaii at Manoa (USA). He can be reached at rogersd@hawaii.edu.

Wim Van Grembergen, Ph.D., is a professor at the University of Antwerp (Belgium), executive professor at the University of Antwerp Management School and academic director of the ITAG Research Institute. He can be contacted at wim.vangrembergen@ua.ac.be.