Tips for COBIT^® Implementation

Name: COBIT Implementation Tips
Author: Neil Broadhead

COBIT 5 is the only business framework for the governance and management of enterprise IT. COBIT Version 5 incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

There are many different ways to implement COBIT in a business or company. Neil Broadhead, one of ALC’s COBIT trainers, shares his tips and recommendations on how to implement COBIT in your workplace.

Tip 1

It’s more than just processes!

Many frameworks and standards focus on processes for improvement.

Although processes are one area, COBIT also focuses on seven other enablers that are essential for effective governance.

The enablers are

Principles, policies and frameworks
Processes
Organisational structures
Culture, ethics and behaviours
Information
Services, infrastructure and applications
People, skills and competencies

Consider which of these seven enablers will give you the greatest improvement benefits.

Tip 2

Do your policies make sense?

Policies should make sense to those that have to use and abide with them. It guarantees the success in implementation.

If you have difficulty answering the question “Why do we have to do this?” then consider if the policy is appropriate and fit for its purpose.

Tip 3

Create a Terms of Reference for any new Organisational Structure.

COBIT describes the good practices needed for any organisational structure. These should be embedded within a terms of reference (ToR).

Tip 4

As part of the People, Skills and Competencies enabler, job descriptions should be thorough.

When was the last time you reviewed the skill requirement for a job and ensured the job owner had the opportunity to develop the stated skills?

You have come to the realisation that the pain that you are suffering can no longer be treated with simply more palliative quick fixes… it is time for a more permanent cure.

Symptoms include:

High stress levels due to rising costs often caused by failure of IT initiatives or projects delivered late or over budget or not meeting the expectations of the customers
Alienation and social exclusion due to the perception that business value is not being gained from IT investments and now the board members or senior managers are reluctant to engage with IT. You are being ‘unfriended’
Sleepless nights caused by lost productivity due to significant incidents … unplanned downtime or lost data.
Palpations and paranoia caused by failure to meet regulatory or contractual requirements (audit reports or missed service level targets). Aren’t the auditors supposed to be helping us to continually improve and not just find fault?
Headaches and frustration caused by inconsistent service delivery because of insufficient IT resources or wasted resources / poor utilisation due to duplication or overlapping IT initiatives
Depression because even though you have heroic staff, they are feeling burnt out and dissatisfied and all you hear is “We need you to do more with less”.

For a while now, your staff members have been pointing to best practices such as ISO20000 (service management), ISO27000 (security), ISO31000 (risk), ISO38500 (governance) and ITIL, COBIT, TOGAF and PRINCE2.

You have sent them away to find out which might be useful to and appropriate for your organisation.

They have reported back that ITIL is no longer focused on information or technology or infrastructure … it is a Library, and you wonder why it isn’t just called ‘—L’.

The have explained that COBIT no longer has any ‘control objectives’ and it occurs to you that it should now be called ‘—IT’.

And PRINCE2 has nothing to do with royalty!

In 2011 we saw an updated version of ITIL; now known as the 2011 update, version numbers have been officially removed from ITIL world.

In 2012 we saw an updated version of COBIT; now known as COBIT 5, yes version numbers still exist here.

So… what to do?

You need to find something that creates the right balance between:

Performance vs. conformance
Achieving 100% stability (easy… change nothing!) vs. 100% responsiveness (easy… change everything)
The instinct to keep a tight ship and save money the vs. demand to be adaptive to the changing needs of your customers and accountable for delivering their desired outcomes
A focus on strict and enforceable internal policies and procedures vs. the desire to enable a creative, innovative and risk-taking work force.

But which framework should you choose?

Option A – Neither

This implies that you have decided that the way you are already doing things fully meets the needs of all your various internal and external stakeholders.

I wonder what they think about this, have you asked them?

Score 0/10

Option B – ITIL

You can decide to do ITIL. You will get all the benefits of effective and efficient IT Service Management in your organisation.

You will be using internationally recognised good practices to deliver processes that will be effective in the delivery of efficient services to your customers and users.

Indeed ITIL will tell you that (take a deep breath…) you will be able to deliver value for customers through a focus on services, enable the integration of the strategy for IT-related services with the business strategy and the customer needs and be able to manage the IT investment and budget, manage risk, manage knowledge, manage capabilities and resources to deliver services effectively and efficiently.

ITIL includes details of how to measure, monitor and optimise IT services and service provider / supplier performance and enable you to adopt a consistent approach to service management across the whole enterprise.

ITIL provides information on how to change the organisational culture to support the achievement of sustained success, improve the interaction and relationship with customers, co-ordinate the delivery of goods and services across the value network and, at the same time, optimise and reduce costs and risks.

Within the scope of the ITIL publications are five stages of a service lifecycle and include 26 processes and 4 functions.

It provides details on the activities needed to achieve success for the process outcomes. It defines roles and responsibilities and suggests (lists) success factors and performance indicators.

Overall, ITIL provides a clear and comprehensive solution to the objective of providing effective IT Service Management within an organisation.

But what about programme and project management and where is the governance? ITIL Service Strategy section 5.1.1.1 states that “the governance process itself is out of the scope of this publication”.

So maybe you should look elsewhere?

Score 6/10

Option C – COBIT

You can decide to do COBIT. You will get the benefits of value creation through good governance to ensure you have effective benefits realisation, risk and resource optimisation in place.

COBIT will give you the essentials at the governance layer. Effectively it will ‘overpin’ and set the direction across a range of frameworks needed to cover the enterprise from end to end. These include PRINCE2, TOGAF, ITIL, ISO 38500, ISO 31000, ISO20000, ISO 27002.

COBIT has tied all these separate but complementary frameworks together so that an enterprise (any kind of enterprise, large or small) can achieve its goals and deliver value through effective governance of enterprise IT.

COBIT will:

Define the starting point of governance and management activities with the stakeholder needs related to enterprise IT. With the exception of perhaps only SABSA (which focuses on security), it is the only popular framework that does not assume that a well-defined business strategy already exists. It helps you create an IT strategy without such.
Create a holistic (and simultaneously, reductionist), integrated, end-to-end view of enterprise governance and management of IT that is consistent, usable, understandable and owned external to IT
Create a common language between IT and business for the enterprise governance and management of IT
Mean that you are consistent with generally accepted corporate governance standards, and thus help to meet regulatory requirements

With COBIT you will be able to provide the direction setting that is needed to satisfy your stakeholder needs, but will need to utilise other frameworks to achieve the direction that you have set that will be owned internally, within the IT organisation.

COBIT outlines 37 processes across five domains that it sees are needed for the delivery of enterprise wide end to end delivery of governance and management of IT. It includes the link from stakeholder needs to enterprise goals to IT goals to IT enablers (your people, policies, processes services, management structure infrastructure and applications and more).

Within these 37 processes are 208 key practices (15 for governance and 193 for management). Each of these practices pre-define a RACI (responsible, accountable, consult and inform) chart so you are able to see clearly defined business and IT roles and responsibilities.

The COBIT 5 picture is nearly complete. At present there are COBIT 5 publications on:

Enabling Processes (37 of them within 5 domains),
The business framework overview guide,
Implementation,
Information Security and
The new COBIT Assessment program.

Publications on Risk and Assurance are in the pipeline and ISACA are reviewing the issue of translations into other languages.

But it is high-level. Although it does cover all of programme and project management and service management and it does describe the practices and the related activities that need to be performed, it does not explain how to do them.

It does include a generic method of implementing these practices but does not include the definitions of roles, the process flow diagrams and the detailed guidance for executing procedures.

Score 6/10

D – Both

Congratulations! You have realised that there is not a single solution, there is no panacea to take away your pain, no single quick fix to the challenges facing organisations with respect to leveraging value from the investment in IT.

By having an overarching governance framework you are ensuring that IT is doing the right things in the right way and setting the right direction for all aspects of IT within the enterprise.

With a service management framework to underpin this, you are ensuring that the direction set by the governance body is aligned to the needs of your stakeholders.

And, of course, the complete approach is more than just governance and service management. Other frameworks that involve architecture, security, risk, and programme and project management and so on will also need to be considered adopted and adapted.

Score 10/10

The next step is to gain awareness of the similarities and differences, benefits and potential pitfalls of the various frameworks.

Then and crucially, determine what are the drivers for change and whether your organisation is ready, culturally, to accept the need for change. You may have recognised the need to act now but if there is no widespread desire for it, it will not succeed. Start preparing for it and then, when there is a significant event (a merger / acquisition, a shift in the market, economy or competitive position, a change in business operating model or sourcing arrangements or new regulatory or compliance requirements) you will have your business case already prepared.

Prepare one business case for the overall programme including the budget for an assessment of your current state and the building of a long term road map.

Once prioritised and mapped to the enterprise goals, each subsequent improvement initiative will also need its own business case.

COBIT5 is designed to assist you with the mapping to / from your enterprise’s goals.

As we all know, medicine is never easy to swallow and it is a long course of treatment. It is a journey that does not end.

Well, there is a reason that it is called ‘continual’ improvement!

———————————————-

Neil Broadhead

Principal Consultant, ALC Education & Consulting Pty Ltd

Tips for COBIT® Implementation