Digital Transformation Realized Through COBIT 2019

Author: Syed Salman, CISA
Date Published: 13 October 2020

There is an understanding that is spreading quickly throughout the world: The COVID-19 pandemic has shut down much of the physical world temporarily and the resulting void will be filled by the digital world permanently. Digital assurance specialists see a reflection of this understanding in the words and actions of their clients, regardless of their size and the nature of their business. Most of them have jumped onto the digitization bandwagon and the following statements are common:

  • “We are changing everything from the ground up.”
  • “You will not even recognize us next year.”
  • “If we do not adapt, we will be history.”

Some are driven by a firm belief that digitization will enable them to reap more profits; others are driven by fear of being left behind by the competition.

This dynamic is present not only among organizations currently grappling with digital transformation. According to a recent article, research suggests that the appetite to digitize has been around for nearly a decade and is gathering steam.1 The article also points out the major trends that will underpin digital innovation, including continued adoption of the cloud, business processes centered on the customer, extensive use of data to deliver better services to customers and a focus on partnering with other entities. Furthermore, the importance of information security and privacy will continue to grow.

With such great intentions and in the spirit of most enterprises positively embracing digital transformation, the hope is that the results will be great. However, the reality is that there are many digitization projects that fail—even at the most resourceful organizations.2

Many believe that such failures will continue to occur unless adequate controls are designed and implemented in the right areas. An enterprise can make use of the COBIT® 2019 framework to better plan and implement leading practices that can help on the journey to governing and managing the digital enterprise. Figure 1 highlights some important COBIT® processes that must be taken seriously for an entity that is becoming, or aspires to become, an efficiently operating digital enterprise.

Figure 1—Key COBIT Processes for the Digital Enterprise

Columns: COBIT 2019 Management Objective | Description of Management Objective | Application to Digitization

Align, Plan and Organize (APO)

APO04 Managed Innovation

  Description of Management Objective: Maintain an awareness of information and technology (I&T) and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined I&T strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or I&T-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.

  Application to Digitization: Almost all organizations understand the importance of innovation. Many have innovative ideas floating around the organization, but very few are able to implement these ideas in a way that actually brings meaningful, sustainable benefits to the enterprise. Larger organizations seem to struggle more when it comes to innovation as compared to smaller organizations.3 This COBIT objective can help make an environment open to generating truly innovative ideas and facilitating understanding and acceptance of innovation by a variety of stakeholders. Furthermore, it mentions leading practices related to understanding the current business environment and scanning the potential of emerging technologies. In addition, guidance is provided on how to monitor the implementation and use of innovation.

APO07 Managed Human Resources

  Description of Management Objective: Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external).

  Application to Digitization: An organization embarking on the digital transformation journey will need to transform the human resources that support the new environment. This COBIT objective provides guidance on how to maintain adequate and appropriate staffing and plan for future required skills and competencies through training, reskilling or hiring of personnel.

APO09 Managed Service Agreements

  Description of Management Objective: Align I&T-enabled products and services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement and monitoring of I&T products and services, service levels and performance indicators.

  Application to Digitization: Customers are fast becoming used to a world in which we have access to products, services and experiences anytime and on demand.4 Therefore, the enterprise must ensure that digitized business processes are ready to exceed customer expectations. This COBIT process provides guidance on how to analyze business requirements and the degree to which I&T-enabled services and service levels support business processes. This analysis leads to maintaining live I&T-enabled services in the service catalogue along with formal service agreements. Management practices have also been provided to monitor and review these service agreements to ensure they remain relevant to business requirements.

APO10 Managed Vendors

  Description of Management Objective: Manage I&T-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance.

  Application to Digitization: The digital enterprise is likely to have close partnerships with other service providers and cloud service providers to expedite the delivery of customer-oriented products and services in a cost-effective manner. This COBIT process provides important guidance on how to identify and evaluate vendor relationships and contracts. In addition, very useful practices on managing vendor risk, performance and compliance have been provided.

APO13 Managed Security

  Description of Management Objective: Define, operate and monitor an information security management system (ISMS).

  Application to Digitization: The digital enterprise manages a large volume of customer, supplier and enterprise data that are likely to contain personal and confidential information. For long-term trust in the enterprise by its customers, the digital enterprise must ensure that information security is a priority. This COBIT objective provides guidance on the governance practices that are necessary to establish an ISMS, how to define and manage an information security and privacy risk treatment plan and how to monitor and review the ISMS.

APO14 Managed Data

  Description of Management Objective: Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.

  Application to Digitization: A digital enterprise is data-rich and uses data to make optimal business decisions. Enterprises today are successful in collecting vast amounts of data, but many are unable to realize the full benefits of this data. This COBIT objective identifies leading data management practices by providing guidance on how to define and communicate the enterprise’s data management strategy. This is followed by guidance related to building a business glossary, metadata management, data quality management, data profiling tools, a data cleansing approach, management of the data life cycle and archival of data. Implementation of the objective should create an environment that enables the enterprise to make the most of the data it holds and to securely archive/destroy data once they are no longer needed.

Build, Acquire and Implement (BAI)

BAI11 Managed Projects

  Description of Management Objective: Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review.

  Application to Digitization: Any kind of digitization effort will involve multiple interrelated projects to be executed. This COBIT objective can enable the cohesive delivery of a digitization program by providing guidance on building a standard approach for project management. Furthermore, it provides leading practices related to starting a project, managing stakeholder engagement, project planning, project quality management, project risk management, resource management and closing project steps.

Deliver, Service and Support (DSS)

DSS05 Managed Security Services

  Description of Management Objective: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring.

  Application to Digitization: The APO13 Managed Security objective is geared toward implementing an information security management system, while this COBIT objective provides guidance related to IT security processes such as protecting against malicious software, network and connectivity security, endpoint security, user identity and logical access, physical access to I&T assets and sensitive documents, and output devices. Furthermore, it provides guidance on how to manage vulnerabilities and monitor the infrastructure for security-related events.

DSS06 Managed Business Process Controls

  Description of Management Objective: Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.

  Application to Digitization: An important goal of the digital enterprise is to enhance the customer experience from initiation to termination. A tendency exists to rush into this area without taking into consideration controls that should be implemented. This COBIT objective will enable an enterprise to identify and document the necessary control activities for key business processes to satisfy control requirements for strategic, operational, reporting and compliance objectives. In addition, it provides guidance on how to continually monitor control activities on an end-to-end basis to identify opportunities for improvement. Finally, this objective informs how to continually improve the design and operation of business process controls.

Conclusion

Terms such as “digital disruption,” “disruptive innovation” and “digitization” are used commonly in the enterprise realm and are generally perceived as chaotic, fast moving and prone to uncertainty. Adopting COBIT processes can bring method to the madness and a sense of certainty to digitization plans and strategies. No matter where in the digitization journey an enterprise finds itself, it is never too late to adopt leading practices advocated by COBIT.

Syed Salman, CISA

Is a senior manager in EY Consulting based in Melbourne, Australia. He has 15 years of experience delivering high-quality professional services to help organizations build trust in their digital environment. Salman has collaborated with global multidisciplinary teams to deliver services related to IT governance, information security, information privacy and IT management in the Middle East, Oceania and South Asia.

Endnotes

1 Little, J.; “Five Major Trends Which Will Underpin Another Decade of Digital Innovation,” EY, 8 January 2020
2 Morgan, B.; “Companies That Failed at Digital Transformation and What We Can Learn From Them,” Forbes, 30 September 2019
3 Doss, H.; “Why Big Business Fails at Innovation,” Forbes, 12 January 2015
4 World Economic Forum, “How Companies Can Win the Race to Meet Customer Expectations,” Switzerland