Using COBIT and Google Maps to Integrate Any Framework Standard or Model With Enterprise Apps

Author: Abdul Rafeq, CISA, FCA
Date Published: 18 October 2023

The evolution and growth of computer applications (apps) over the last several decades has been phenomenal in terms of speed, simplicity, ease of use and user-friendliness. Cloud computing has further accelerated the use of such apps, which can now be accessed with a few clicks or swipes across devices, anytime and anywhere. Popular apps such as Gmail, YouTube, Google Maps, Zoom, WhatsApp and, more recently, ChatGPT are considered superior to enterprise apps (e.g., enterprise resource planning [ERP] software) in simplicity and ease of use, which has allowed them to reach the billion-user category in a short time. Enterprises can bring the same qualities to their own apps by integrating existing app processes and controls with the relevant frameworks, standards and models (FSMs). Mapping the straightforward workflow of a popular app (Google Maps is used here as the example) to the steps of an FSM implementation can help organizations understand how to make any FSM work with their apps, improving both quality and user experience.

Understanding the Difference Between a Framework, Standard and Model

Achieving transformation in enterprises using FSMs and technology is an accepted and time-tested strategy. Frameworks and standards are collections of good practices designed to help an enterprise meet its business objectives.

A framework is a set of concepts, principles and practices that provide a common understanding of a problem or issue and a broad overview of a particular area. It can be used to help enterprises understand the different components of a process, identify risks and opportunities, and develop strategies for improvement. Commonly used frameworks include COBIT® and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The International Organization for Standardization (ISO)/IEC 27001 is formally a certifiable standard for an information security management system, but it is often used as a framework in the same way.

A standard is a set of specific requirements (i.e., rules or specifications) that must be met to achieve a specified level of quality or performance. It can be used to ensure that products, services or processes meet defined criteria. Common standards include ISO 9001 (quality management), ISO 14001 (environmental management) and the Payment Card Industry Data Security Standard (PCI DSS).

A model is a simplified representation of a real-world system or process that is used to understand or explain a phenomenon. Models can be used to understand how a system or process works, make predictions about its behavior or improve its design. Examples of model types include simulation models, data models, process models, customer journey models and machine learning (ML) models. Models help users understand, learn and apply any FSM.

The Value of FSMs

There is a plethora of FSMs issued, recommended or mandated by professional institutions, technology enterprises and regulatory bodies around the world to ensure governance, risk management, compliance and assurance. The need to implement these FSMs arises from regulatory, management or customer requirements, or a combination of the three. FSMs may be generic and applicable to any type of enterprise (e.g., COBIT, ISO 27001) or specific to an industry (e.g., the US Health Insurance Portability and Accountability Act [HIPAA] for healthcare, PCI DSS for payment card processing). FSMs are updated on a regular basis, or retired altogether, as technology, regulatory or business requirements change. Their implementation is carried out by internal teams or external vendors and is increasingly automated.

The applicable processes, procedures and controls of an FSM, customized to the enterprise, can be integrated within enterprise apps. However, this may require considerable time, effort and user training, and it comes at a cost. The key enabler of success is not only simplifying the process of implementing or updating the relevant features of the FSM, but also ensuring that the enterprise apps with integrated FSMs are simple to use and can be deployed with minimal training to meet enterprise objectives and enhance value.

Using the 7 Phases of COBIT to Implement FSMs

Enterprise apps can be enhanced through the implementation of FSMs by following in the footsteps of popular app creators. For example, Google Maps is a cloud app that can be accessed from any device, at any time, from anywhere. The user specifies their destination, inputs their current or starting location, identifies their preferred mode of travel and chooses a route. Based on these inputs, Google Maps provides the route map along with alternate routes, the estimated time of arrival and expected traffic conditions. Once the journey is started, Google Maps guides the user by announcing the necessary turns and rerouting if the user deviates from the suggested route. It dynamically updates the estimated time of arrival by monitoring traffic conditions. Finally, Google Maps confirms when the destination has been reached.

This process can be mapped to each of the 7 phases of the COBIT Implementation Road Map (figure 1).

Figure 1—Mapping the COBIT Implementation Road Map with Google Maps App Tasks

Columns: Phase | COBIT Implementation Road Map question | Google Maps app task | Explanation

Phase 1
COBIT Implementation Road Map: What are the drivers?
Google Maps app task: Set the destination
Explanation: The objective of implementing any FSM must be set in advance by identifying relevant stakeholder needs and the drivers for change. Based on these needs, the required alignment and enterprise goals can be mapped, and the governance and management objectives set.

Phase 2
COBIT Implementation Road Map: Where are we now?
Google Maps app task: Select the current location or starting point and the mode of travel
Explanation: The status of current processes and controls must be assessed to identify their levels of maturity. Related problems and opportunities should be defined to help resolve pain points (e.g., delays in response time) and to take advantage of trigger events (e.g., availability of new technology) that provide opportunities for improvement.

Phase 3
COBIT Implementation Road Map: Where do we want to be?
Google Maps app task: Destination and estimated time of arrival
Explanation: Based on the user's current location, mode of travel and the destination to be reached, the road map (i.e., route map) is prepared. Alternative routes to the destination should also be offered whenever feasible. This provides an outline of the high-level road map or project plan, including a change enablement plan and objectives.

Phase 4
COBIT Implementation Road Map: What needs to be done?
Google Maps app task: Estimated time of arrival, traffic conditions, alternate routes
Explanation: The road map is detailed into projects and programs that include potential initiatives to be prioritized. Based on this, specific, formal and justifiable projects are developed with defined deliverables and program objectives.

Phase 5
COBIT Implementation Road Map: How do we get there?
Google Maps app task: Start the journey
Explanation: The documented plans must be executed as per the integrated program plan. The execution plan should provide for regular reports to stakeholders on relevant updates. The organization must document the progress of each phase of the plan and the project deliverables while working toward the required objectives.

Phase 6
COBIT Implementation Road Map: Did we get there?
Google Maps app task: Receive step-by-step directions until the destination is reached
Explanation: The overall performance of the program against the business case objectives must be monitored to ensure that benefits are realized. Corrective action (i.e., course correction) should be taken as required.

Phase 7
COBIT Implementation Road Map: How do we keep the momentum going?
Google Maps app task: Actual time taken
Explanation: A final evaluation must be performed when programs are completed to review whether goals and objectives were achieved. Further, new processes should be integrated into existing processes seamlessly so that the momentum of continual improvement is sustained. An overall review of the effectiveness of the program, and of the extent to which the program benefits were achieved, should be performed to document lessons learned.

Conclusion

Popular apps are widely used because they are simple, offer user-friendly interfaces delivered through the cloud, require a mere swipe or click to engage and are accessible anytime, anywhere. The building blocks of these apps are their enabling technology infrastructure, systems, processes and FSMs. If popular apps can provide ease of use to billions of users despite the complexity of their underlying technologies and FSMs, then enterprises would do well to adopt the same approach for their own apps.

Google Maps shows that technology can be a great enabler of simplicity and ease of use regardless of the complexity of the enterprise processes and FSM controls embedded behind the interface. The same mapping can be applied to enterprise apps by keeping simple-by-design principles at the core of business processes and controls and by integrating the FSM using technology as an enabler. This saves time for users and ultimately enhances value for the enterprise.

Abdul Rafeq, CISA, CA, FCA

Is the managing director of Wincer Infotech Limited. He specializes in IT governance and analytics.