Establishing a Governance and Management Structure for E-commerce Using COBIT 5

Author: Chidi Henry Emeribe, CISA, COBIT 5 Foundation
Date Published: 16 March 2015

A company based in Lagos, Nigeria, is in the business of sales and distribution of its own brand of shoes through physical outlets in the Lagos area. In a bid to expand its operations beyond the reach of its physical outlets and to compete more effectively in the Nigerian marketplace, the enterprise's decision makers chose the Internet as the platform for meeting this need.

A consultancy was commissioned to help it actualize its dream of using the Internet as a platform. The consultancy had the following mandate from the board and management of the enterprise:

  • Build an e-commerce web site for the business to serve as a storefront for the company’s brand of shoes.
  • Provide a governance and management structure for the e-commerce platform to make sure that the new risk factors involved in doing business over the Internet are managed, and to ensure that the platform is maintained at optimal cost using optimal resources.
  • Provide support for the entire project for an extended period of time in such a way as to act as the technology arm of the shoe business.

Some of the key web site features included:

  • A storefront that displays a product—in this case, brands of shoes
  • The ability to browse the product showcase, choose a shoe brand, add it to a shopping cart and pay with a credit/debit card
  • Required site registration before processing any transaction with user information collected on the web site
  • Payment processing completed via a reputable, host-country, Payment Card Industry Data Security Standard (PCI DSS)-compliant third-party provider
  • E-commerce engine powering:
    • Stock management
    • Product management
    • Order management
    • Shipping

In other words, apart from being a storefront for product display and purchase, the web site also houses all of the key processes that are usually found in a small retail or wholesale store.

The web site project has a limited budget. For that reason, the company chose to host the site on a shared hosting platform with a trusted web host provider with whom the consultancy has been doing business for the past 10 years. Drupal open-source software (OSS) was chosen as the web development platform, while Drupal Ubercart powers the e-commerce engine. These platform choices are aimed at optimizing costs while providing reasonable assurance that the attendant risks of outages and malicious attacks are preventable.

The criticality of the processes housed in this small e-commerce site created a number of challenges for the consultancy.

The key challenges were:

  • Ensuring confidentiality, integrity and availability of all transactions on the web site
  • Ensuring the privacy of all personally identifiable information (PII) stored on the web site
  • Avoiding web site downtime
  • Managing all third-party service providers considering the criticality of the processes under their control

To be able to manage these challenges (risk factors) effectively while optimizing costs and still creating value for all stakeholders, the consultancy, as part of its mandate from the enterprise, chose to seek guidance from the COBIT 5 framework.

Managing Challenges With the COBIT 5 Goals Cascade

COBIT 5 has a goals cascade that can be used to connect the needs of stakeholders in any enterprise or project with specific enterprise goals, which are further supported by specific IT-related goals. These IT-related goals are further linked to enabler goals that support the achievement of the overall goals and stakeholder requirements.1

The enterprise's needs, as the stakeholder in this project, revolved around realizing benefits from managing the e-commerce web site using optimal resources and making sure that all risk associated with hosting the site on the Internet was managed.

These needs were mapped to the following enterprise goals in the COBIT 5 goals cascade:2

  1. Managed business risk
  2. Business service continuity and availability
  3. Optimization of service delivery costs

These enterprise goals are supported by the following IT-related goals:3

  1. Managed IT-related business risk
  2. Transparency of IT costs, benefits and risk
  3. Security of information, processing infrastructure and applications
  4. Optimization of IT assets, resources and capabilities
  5. Availability of reliable and useful information for decision making
  6. Competent and motivated business and IT personnel

The IT-related goals were mapped to the following processes, which are COBIT 5 enablers:4

  1. EDM02 Ensure benefits delivery
  2. EDM03 Ensure risk optimization
  3. EDM04 Ensure resource optimization
  4. EDM05 Ensure stakeholder transparency
  5. APO01 Manage the IT management framework
  6. APO03 Manage enterprise architecture
  7. APO04 Manage innovation
  8. APO06 Manage budget and costs
  9. APO07 Manage human resources
  10. APO09 Manage service agreements
  11. APO12 Manage risk
  12. APO13 Manage security
  13. BAI01 Manage programs and projects
  14. BAI04 Manage availability and capacity
  15. BAI06 Manage changes
  16. BAI09 Manage assets
  17. BAI10 Manage configuration
  18. DSS01 Manage operations
  19. DSS02 Manage service requests and incidents
  20. DSS03 Manage problems
  21. DSS04 Manage continuity
  22. DSS05 Manage security services
  23. DSS06 Manage business process controls
  24. MEA01 Monitor, evaluate and assess performance and conformance
  25. MEA02 Monitor, evaluate and assess the system of internal control
  26. MEA03 Monitor, evaluate and assess compliance with external requirements

The mapping gives a picture of the processes that were needed to ensure that the consultancy’s project had a governance and management structure.

Attention to the enabler dimensions and to enabler performance management was needed to make these processes robust.

The above processes must also be considered together with the other enablers:

  1. Principles, Policies and Frameworks
  2. Organizational Structures
  3. Culture, Ethics and Behavior
  4. Information
  5. Services, Infrastructure and Applications
  6. People, Skills and Competencies

Focus was also required on the COBIT 5 enabler dimensions and their performance management.

This ensured that the consultancy had the governance and management structures to guarantee that stakeholders’ needs for the e-commerce site were addressed with optimal use of resources and all risk associated with the choice of the e-commerce platform was optimized.

Implementation

Implementation of COBIT 5 presented several challenges, including:

  • Where to start and what to implement first
  • Tailoring the COBIT 5 guidance terminology to the consultancy’s specific, identifiable requirements and peculiar environment
  • Compressing the COBIT 5 Responsible, Accountable, Consulted and Informed (RACI) chart so that its roles could be shared among a much smaller group of roles in the consultancy
  • Choosing between processes, since most of the processes address the same IT-related goals

The following were undertaken to overcome the implementation obstacles:

  • The consultancy took a phased approach to implementation, first implementing the processes and other enablers that delivered quick wins and then moving on to more complex scenarios. Priority was given to guidance that contributed to the confidentiality, integrity and availability of the e-commerce project.
  • The consultancy translated the COBIT 5 terminology into its own enterprise goal terminology and into entities identifiable in its environment.
  • RACI charts gave insight into the organizational roles that should be in place to achieve process goals. These were reduced to map to existing roles in the consultancy. Though there were overlaps, this enforced process ownership within the consultancy.
  • When IT-related goals mapped to more than one process goal, the process purpose statement and activity description were used to choose which one to implement as a priority, keeping in mind the e-commerce project objective.

The following benefits were initially determined using COBIT 5 Implementation:

  • The consultancy’s customized RACI charts helped to enforce process ownership enterprisewide.
  • The COBIT 5 process activities’ step-by-step guidance on goal achievement was adopted by the consultancy and developed into a to-do list.
  • Process goals and metrics gave great insight into what needed to be achieved.
  • Governance practice inputs/outputs (I/Os) provided a rich source of guidance on the tools needed to achieve governance and management objectives.

Post implementation, the initially identified benefits of instituting a governance structure are not only being realized, but have also helped the consultancy maintain viable processes that address the enterprisewide, day-to-day running of its business as well as the e-commerce web site project.

A Trigger Event

The e-commerce web site project presented huge challenges and introduced a new risk to the enterprise’s operation and, hence, acted as a trigger event for the consultancy to embrace governance and management of its processes. COBIT 5 was adopted as a guidance framework. In the end, a sustainable governance and management structure was established for the enterprise as a whole.

The organizational roles and process ownership are now more firmly established, processes have been created and optimized, and the initial enterprise goals of Managing Business Risk, Business Service Continuity and Availability, and Optimization of Service Delivery Costs have been largely achieved.

Chidi Henry Emeribe, CISA, COBIT 5 Foundation

Emeribe is presently lead consultant for Greengate Consult Limited, a Nigeria-based IT and environmental consultancy. He has more than 12 years of experience in the IT industry. His expertise covers the areas of information security, audit, governance and assurance. He has also worked extensively in the areas of information systems infrastructure installation, maintenance and support. Emeribe has working knowledge of IS and infrastructure life cycle management, IS audit, IT governance, IT service delivery and support, protection of information assets, cloud computing, and process capability assessments.

Endnotes

1 ISACA, COBIT 5, 2012, p. 17
2 Ibid., app. D, p. 55
3 Ibid., app. B, p. 49
4 Ibid., app. C, p. 51