An engagement at a financial technology (fintech) organization provided a novel first-hand experience of working with COBIT 5. Despite more than 7 years’ experience in governance, risk and compliance (GRC) projects that involved COBIT 5, this engagement was the practitioner’s first opportunity not only to initiate a project under COBIT 5, but also to explore how it can be combined with other frameworks to provide a comprehensive, business-driven technology governance solution. The Information Technology Infrastructure Library (ITIL) and COBIT 5 would be used in this endeavor. Essentially, ITIL is a framework designed to standardize the selection, planning, delivery and maintenance of IT services within an enterprise. The goal is to improve efficiency and achieve predictable service delivery.
This particular financial technology risk management project had 3 principal goals:
- Identify all technology functions within the organization.
- Map all functions to ITIL v3 processes and develop corresponding formal policies.
- Draw control objectives for each of the functions from process practices and activities in COBIT 5.
Following are 4 top lessons learned in the process of combining best practices from ITIL and COBIT 5.
COBIT 5 or ITIL? Both!
Since the two frameworks are produced by different organizations and serve different purposes, one might assume that they do not overlap. That assumption is incorrect. In the course of the fintech engagement, research and learning revealed that the frameworks complement one another: where COBIT helps identify what IT should be doing, ITIL prescribes how it should be done to maximize resource utilization within the IT purview. Even though the frameworks differ, they have multiple touchpoints (e.g., from the COBIT 5 domain Build, Acquire and Implement [BAI], process BAI06 Manage Changes is approximately equivalent to ITIL Change Management, and process BAI10 Manage Configuration is approximately equivalent to ITIL Configuration Management).
By following the implementation guidance provided by the COBIT 5 enablers, it is easy to understand how COBIT 5 helps to define appropriate IT investment, strategy, design, implementation and management by linking IT priorities to IT-related goals that support overall enterprise goals. The COBIT 5 goals cascade helps align IT-related goals and enterprise goals and, accordingly, helps refine and prioritize IT processes (figure 1). In the fintech enterprise, the COBIT 5 goals cascade showed stakeholders how to prioritize areas of focus when applying ITIL v3 processes and, in turn, how to determine the number of processes and maturity levels necessary for a well-run enterprise.
Figure 1—Mapping COBIT 5 Enterprise Goals to IT-Related Goals
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.
Based on the COBIT 5 goals cascade shown in figure 1, the priority IT-related goals could be: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 07 Delivery of IT services in line with business requirements; 08 Adequate use of applications, information and technology solutions; 09 IT agility; 10 Security of information, processing infrastructure and applications; 12 Enablement and support of business processes by integrating applications and technology into business processes; and 16 Competent and motivated business and IT personnel.
Based on the IT-related goals, the fintech enterprise concluded that certain COBIT 5 processes allowed for effective scoping of ITIL v3 service management process definitions for effective delivery of IT services.
The relevant governance processes included Evaluate, Direct and Monitor (EDM) processes EDM01, EDM02 and EDM03. Priority management processes included Align, Plan and Organize (APO) processes APO12 Manage risk and APO13 Manage security (figure 2), which map to Information Security Management in ITIL v3 Service Design.
Figure 2—Mapping COBIT 5 IT-Related Goals to Processes
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.
Focus on Common Goals
Even though COBIT 5 and ITIL overlap in some respects—and both are responsible for making sure that IT enables business—the frameworks do not share the same focus. The primary focus of ITIL is on IT service strategy and management, whereas the primary focus of COBIT 5 is end-to-end enterprise governance over IT by applying the COBIT 5 principles shown in figure 3.
Figure 3—COBIT 5 Principles
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.
ITIL Guidance Is Focused on IT and How It Should Be Managed to Provide Value
COBIT 5 covers the entire enterprise, ensuring that governance is achieved, stakeholder value is ensured, and holistic approaches to governing and managing IT are used. This is accomplished through policies, processes, people, information, culture and organizational structures, services, and applications that are implemented and integrated under a single overarching framework for ease of integration and customization. ITIL is focused entirely on IT and how it should be managed to provide value.
Guidance—But Not Implementation Guides
Though both COBIT 5 and ITIL provide detailed process, capability and performance guidance on how organizations should implement IT, neither framework provides an exact blueprint for implementation. This is by design—each organization is left to devise a solution appropriate to its own unique requirements, environment and priorities. This openness and flexibility ensure that the frameworks are suitable for all organizations—large or small, commercial, not-for-profit, government or multinational. All can draw conclusions from the guidance and develop their own implementation plans based on these industry-recognized standards. This innate, universal quality of the frameworks further encourages organizations to select the processes that are important to them, without fear of overly prescriptive implementation steps. As summarized by the Harvard Business Review, this flexibility empowers organizations to overcome the number-one challenge identified—fear of failure. According to the Harvard study, removing the nonessential processes encourages change and adoption of best practices.1
Conclusion
While the lessons herein came naturally with the role that was being performed, the conclusion is a generalized observation that an organization does not have to comply with all of the processes of COBIT 5. The goal should be to draw references and inferences from the framework as per the requirements of the organization, and not force the implementation to get 1 step closer to a better risk posture.
Shobhit Mehta, CISA, CISM, CISSP, ISO 27001:2013 LA, ISO 27005:31000, ITIL v3 Foundation
Is currently working in technology risk management at Fidelity Investments. In his role, he is responsible for developing effective policies and procedures that align with corporate objectives and for participating in special projects to balance the overall risk posture of the organization. Mehta constantly strives to bridge the gap between IT and information security by leveraging the knowledge he has acquired while working with many financial institutions. He also maintains a blog dedicated to governance, risk and compliance (GRCmusings.com), where he writes on his information security learnings, in addition to Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) certification preparation.
Endnotes
1 Gino, F.; B. Staats; “Why Organizations Don’t Learn,” Harvard Business Review, November 2015