Creating Value with an Enterprise IT Governance Implementation Model Using COBIT 5

Author: Yuichi (Rich) Inaba, CISA
Date Published: 17 May 2016

After the subprime mortgage crisis and the Lehman Brothers collapse in the US, the Financial Services Agency of Japan (FSA) strengthened financial regulations. The FSA regulations introduced an IT governance perspective, which detailed the rules for information security enhancement and IT risk minimization. In response, the management of financial institutions has been struggling with a kind of “defensive” IT governance, i.e., a risk minimization and compliance approach.

On the other hand, the Japan Revitalization Strategy was approved by the Abe Cabinet of Japan in 2013 and the FSA applied the Corporate Governance Code in 2015, in which listed companies are urged to achieve sustainable growth and increase corporate value over the mid- to long term. Under these circumstances, financial institutions are seeking aggressive or proactive IT governance aiming at value creation for stakeholders rather than defensive or reactive risk minimization and compliance.

Management teams of enterprises, especially financial institutions, therefore need to transform their IT governance from defensive risk management and compliance to proactive IT governance. Figure 1 shows the relationship between defensive risk management and proactive IT governance as well as the related frameworks. Enterprise management teams are seeking a transformation that moves from the left to the right in the figure.

Figure 1—Relationship Between Defensive Risk Management and Proactive IT Governance

Source: Y. Inaba. Reprinted with permission.

This article presents an enterprise IT governance (EITG) implementation model derived from the following practical experiences using COBIT:

  • Implementation of a group IT governance system [1] using the COBIT 4.1 process reference model and its Maturity Model at a global insurance group based in Japan
  • Implementation of a governance, risk management and compliance (GRC) system [2] at an IT service subsidiary of the insurance group using COBIT 5
  • Practical experience as an employee of a major auditing firm in Japan, Deloitte Touche Tohmatsu LLC

The Proactive IT Governance Model

The core of the proactive IT governance model is value creation for stakeholders and fulfillment of the organization’s fiduciary duty and accountability. Figure 2 shows the concept of the proactive IT governance model developed and presented in this article.

Figure 2—IT Governance Implementation Model for Enterprise Seeking IT-enabled Value Creation

Source: Y. Inaba. Reprinted with permission.

Goals Cascade From Stakeholder Needs to Enabler Goals

The left-hand side downstream flow of figure 2 or the enlarged chart in figure 3 shows the goals cascade from stakeholder needs to enabler goals. This follows the COBIT 5 principle, Meeting Stakeholder Needs.

Figure 3—Relationship Between Defensive Risk Management and Proactive IT Governance

Source: Y. Inaba. Reprinted with permission.

First, the governance team, consisting of the directors, evaluates the value creation needs for the stakeholders, comprising shareholders, customers, employees, regulatory agencies and social communities such as economic societies, and reports to the management team on what kind of value it should create. The report can be made by creating mission, vision and values (MVV) statements. This corresponds to the action of aligning the governance objective with value creation.

Then, the management team sets the enterprise goals from the results of the evaluation of the stakeholder needs; the goals consist of the 4 components of the balanced scorecard (BSC), i.e., financial, customer, internal, and learning and growth. The result of this step is the management strategy document. Next, the management team derives the IT-related goals from the enterprise goals, formatted according to the same 4 components of the IT BSC. The output of this step is an IT strategy document. Finally, the goals are cascaded down to the enabler goals, as described in COBIT 5. The result of enabler goal setting is represented in the enabler strategies, i.e., the strategies for principles/policies, processes, organizational structures, culture, information, services/systems and human resources (HR). Usually, those enabler strategies are included in the IT strategy documentation.

This series of goals cascades can be supported by the mapping from stakeholder needs to enterprise goals described in the COBIT 5 framework [3] and the mapping from enterprise goals to IT-related goals and then to process enabler goals described in COBIT 5: Enabling Processes. [4]

Implementation of the 7 Enablers with Plan-Build-Run-Monitor Cycle

The next step is management execution, which includes a series of practices on the Plan-Build-Run-Monitor (PBRM) Cycle. The management team executes by focusing on 7 enablers. The bottom part of figure 2 shows this cycle and it is further described in figure 4.

Figure 4—Implementation of the 7 Enablers

Source: Y. Inaba. Reprinted with permission.

For the process enabler, enabler goal setting corresponds to the selection of the priority processes from the 37 processes defined by the COBIT 5 process reference model, each with its targeted capability level defined in the COBIT 5 Process Assessment Model (PAM): Using COBIT 5. The selection of processes is driven by the goals cascade from stakeholder needs. The next step is to build the enablers: a process capability assessment is performed on the selected processes, an improvement action plan is formulated to fill the gaps between the current capability level and the targeted level, and the improvements are implemented. Then, the improved processes are operated to achieve the process enabler goals. Finally, the process performance, i.e., the achievement of the process enabler goals, is monitored.

Regarding the other enablers, the enterprise IT governance implementation model described in this article does not include detailed and concrete processes to follow because the focus is on the process enabler. The intent is to explore the other enablers after the completion of the process enabler implementation descriptions. This is supported by the fact that the detailed enabler guide [5] for the process enabler already exists, as do the process assessment model and the assessor guides. [6, 7]

Developing the information enabler can happen next because COBIT 5: Enabling Information gives the guidance needed to build that enabler. In addition, how to assess the current status of the information enabler and how to reach its targeted status still need to be described.

Experience indicates that implementation guidance for the service/system enabler and the HR enabler is in great demand because they seem to be the essential enablers for the era of disruptive innovations and digital transformations, where proactive IT governance is required. ISACA’s plans include issuing such guidance in the form of another 5 enabler guides to assist its members in implementing COBIT 5.

Monitoring Enabler Goals Up to Value Creation for the Stakeholders

The right-hand side upstream flow of figure 2 or the enlarged chart in figure 5 shows the goals monitoring from enabler goals up to value creation for the stakeholders.

Figure 5—Goals Monitoring

Source: Y. Inaba. Reprinted with permission.

First, the implementation and the operation of each enabler are monitored and the result of the monitoring is reported in an enabler monitoring report. The report is then summarized into an IT monitoring report, which describes the results of the monitoring of IT-related goals. Continuing the flow upstream, the IT monitoring report is integrated into a management monitoring report, which describes the monitoring results of not only IT, but also other governance areas.

Finally, the value created through the governance and management cycles is described in a value creation report, or the integrated monitoring report, and it is reported to the stakeholders as the fulfillment of accountability.

Enterprise IT Governance Perspective in the Enterprise Governance Environment

To enhance the governance and management cycle described above, it would be valuable to view it from the standpoint of enterprise governance—in other words, a corporate governance model which is shown in figure 6. The top circle describes enterprise governance and the bottom circle indicates governance of enterprise IT (GEIT), which is referred to here as EITG.

Figure 6—Enterprise IT Governance

Source: Y. Inaba. Reprinted with permission.

Enterprise governance is performed by C-suite executives under the direction and oversight of the board of directors (BoD). According to the EITG implementation model, it consists of the 2 major governance areas: business governance, referred to here as business value creation governance (BVCG), and corporate governance, referred to here as valued service governance (VSG).

On the top side, BVCG includes the enterprise’s business (e.g., property and casualty insurance or life insurance, in the case of an insurance company) and/or functional unit (underwriting, claims handling) governance. It can be an IT service delivery business and/or a system development function as well as a system operation function for an IT service company.

On the bottom side, VSG is broken down into the so-called corporate governance areas, i.e., corporate planning, financial reporting, HR, risk, information security, compliance and audit/assurance. These area definitions are generally similar across all industries.

Once the governance team sets up the management goals and strategies from the stakeholder needs, they are allocated into the individual areas of enterprise governance. IT governance is one of them.

Focusing on IT governance, the chief information officer (CIO), the chief executive officer (CEO) and the chief operating officer (COO) execute the goals cascade down to enabler goal setting in order to align with the enterprise business and create IT value for the stakeholders. This is depicted in the circle at the bottom of figure 6, where IT governance is placed at the center of the chart and BVCG and VSG are located around IT governance, with the overlapping areas labeled “Align.”

It is important to note that there are several similar circles behind the scenes. For each governance area, the C-suite executive in charge of it is executing a PBRM cycle under another circle in which that governance area is placed at the center, and the other governance areas, including IT governance, are located around it with the overlapping “Align” label (figure 7).

Figure 7—Enterprise IT Governance From Each Governance Area Perspective

Source: Y. Inaba. Reprinted with permission.

In addition to cascading down to IT-related goals, the goals of each governance area are cascaded down in parallel. Then, the enabler goals are set for each governance area and the enabler implementations with the PBRM cycle for each governance area are executed.

For example, suppose there is a financial institution whose goals include the implementation of financial technologies (FinTech). Its HR management may plan to introduce an HR development program for FinTech and its IT management may plan to identify the skills for FinTech implementation and acquire people with the defined FinTech skills. Clearly, these 2 initiatives in these 2 departments should be aligned with each other.

Then the monitoring of the goals of each governance area is performed. Finally, working up to the enterprise governance chart (the top circle in figure 7), the governance team monitors the enterprise goals and integrates all the monitoring results from each governance area into a single management report.

Creating Value With the Enterprise IT Governance Implementation Model

COBIT 5 is a useful tool and guidance framework for EITG. Practitioners can create value for clients by combining the interpretation of service delivery from COBIT 5 guidance with the implementation practices outlined in the EITG implementation model described in this article.

By assuming this kind of advocacy role, practitioners can create value for clients as well as fulfill social responsibilities in Japan.

Yuichi (Rich) Inaba, CISA

Is a senior manager at Deloitte Touche Tohmatsu LLC, where he developed an enterprise IT governance implementation model based on his COBIT experience. Previously, he was a manager at the holding company of a global insurance group based in Japan, where he was engaged in the implementation of a group IT governance system for the group using COBIT 4.1. Subsequently, he was a senior consultant specialist in the areas of GRC, IT governance, risk management and information security at the IT service company of the group, where he implemented a GRC system for that company using COBIT 5. He is a member of the Standards Committee of the ISACA Tokyo Chapter and is currently working on the translation of COBIT 5 materials into Japanese as well as advocacy of COBIT 5 in Japan.

Author’s Note

The content of this article is based on the author’s personal opinion and does not reflect an official position by Deloitte Touche Tohmatsu LLC.

Endnotes

[1] Inaba, Y.; Shibuya, H.; “Executive Management Must Establish IT Governance,” COBIT Focus, vol. 1, 2013
[2] Inaba, Y.; “Creating Value With COBIT 5 at a Tokio Marine Group Company,” COBIT Focus, 24 November 2014
[3] ISACA, COBIT 5, USA, 2012
[4] ISACA, COBIT 5: Enabling Processes, USA, 2012
[5] Ibid.
[6] ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013
[7] ISACA, COBIT Assessor Guide: Using COBIT 5, USA, 2013