Practicing proper governance with Cobit 5
This article was originally published on my old blog.
Governance needs to be in place in any organization, whether at the enterprise, function, platform or solution level. In this article I will discuss how you can get started with governance using the Cobit 5 framework.
The sales pitch for Cobit
I have seen many initiatives and projects fail because proper governance was not in place. Let's be realistic: governance is difficult to get right, and in most cases people do not even know where to start.
This is where Cobit 5 comes to the rescue. Cobit 5 is the leading framework for the governance and management of enterprise IT, and it is maintained by ISACA.
You might want to stop reading here because governance of enterprise IT sounds scary. If you continue, you will see that it is not, and that understanding the Cobit 5 governance framework is valuable. So what does the Cobit 5 framework offer? Continue reading to get a better idea.
What is Cobit 5?
The following is the definition from the official book:
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
Cobit goals cascade
- Stakeholder drivers influence stakeholder needs.
- Stakeholder needs cascade to enterprise goals.
- Enterprise goals cascade to IT-related goals.
- IT-related goals cascade to enabler goals.
There are 17 generic enterprise goals and 17 IT-related goals. Both sets are distributed across the four balanced scorecard dimensions (Financial, Customer, Internal, Learning and Growth), and the framework provides a mapping table showing which IT-related goals support which enterprise goals.
Principles of Cobit
Cobit defines five key principles for the governance and management of enterprise IT.
- Principle 1 — Meeting stakeholders needs.
- Principle 2 — Covering the enterprise end-to-end.
- Principle 3 — Applying a single integrated framework.
- Principle 4 — Enabling a holistic approach.
- Principle 5 — Separating governance from management.
The Cobit framework has two areas, Governance and Management. The Governance area has a single domain; the Management area has four, following the Plan, Build, Run and Monitor responsibility areas. Each domain has a three-letter acronym and its own set of processes. In total, there are 5 domains and 37 processes. Here is the structure for areas and domains:
Governance of Enterprise IT
- Evaluate, Direct, Monitor (EDM)
  - 5 processes
Management of Enterprise IT
- Plan (APO — Align, Plan, and Organize)
  - 13 processes
- Build (BAI — Build, Acquire, and Implement)
  - 10 processes
- Run (DSS — Deliver, Service, and Support)
  - 6 processes
- Monitor (MEA — Monitor, Evaluate, and Assess)
  - 3 processes
The following are the processes in each domain of the Cobit 5 framework.
Evaluate, Direct, Monitor (EDM)
- EDM 1 — Set and maintain the governance framework.
- EDM 2 — Ensure benefits delivery.
- EDM 3 — Ensure risk optimization.
- EDM 4 — Ensure resource optimization.
- EDM 5 — Ensure stakeholder transparency.
Align, Plan, and Organize (APO)
- APO 1 — Define the management framework for IT.
- APO 2 — Manage strategy.
- APO 3 — Manage enterprise architecture.
- APO 4 — Manage innovation.
- APO 5 — Manage portfolio.
- APO 6 — Manage budget and cost.
- APO 7 — Manage human resources.
- APO 8 — Manage relationships.
- APO 9 — Manage service agreements.
- APO 10 — Manage suppliers.
- APO 11 — Manage quality.
- APO 12 — Manage risk.
- APO 13 — Manage security.
Build, Acquire, and Implement (BAI)
- BAI 1 — Manage programs and projects.
- BAI 2 — Define requirements.
- BAI 3 — Identify and build solutions.
- BAI 4 — Manage availability and capacity.
- BAI 5 — Manage organizational change enablement.
- BAI 6 — Manage changes.
- BAI 7 — Manage change acceptance and transitioning.
- BAI 8 — Manage knowledge.
- BAI 9 — Manage assets.
- BAI 10 — Manage configuration.
Deliver, Service, and Support (DSS)
- DSS 1 — Manage operations.
- DSS 2 — Manage service requests and incidents.
- DSS 3 — Manage problems.
- DSS 4 — Manage continuity.
- DSS 5 — Manage security services.
- DSS 6 — Manage business process controls.
Monitor, Evaluate, and Assess (MEA)
- MEA 1 — Monitor, evaluate and assess performance and conformance.
- MEA 2 — Monitor, evaluate and assess the system of internal control.
- MEA 3 — Monitor, evaluate and assess compliance with external requirements.
If you want to know more about each process' practices and activities, read the publication Cobit 5: Enabling Processes.
Cobit Enterprise Enablers
The Cobit 5 framework defines seven enterprise enablers, the factors that individually and collectively influence whether governance and management of enterprise IT will work. The following are the defined enablers:
Principles, Policies, and Frameworks
- Are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
Processes
- Describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs.
- Have a lifecycle.
- Cover both governance and management processes (the 37 listed above).
Organizational Structures
- Are the key decision-making entities in the enterprise.
- Describe roles and RACI charts.
Culture, Ethics, and Behavior
- Of individuals and of the enterprise as a whole; very often underestimated as a success factor in governance and management activities.
Information
- Is pervasive throughout the enterprise and includes all information produced and used by it.
- Is described by attributes in six layers: physical, empirical, syntactic, semantic (type, currency), pragmatic (retention, status, contingency, novelty), and social.
Services, Infrastructure, and Applications
- Include the infrastructure, technology and applications that provide the enterprise with IT processing and services.
- Good practices include: reuse, buy vs. build, agility, simplicity and openness, definition of architecture principles, architecture viewpoints, service levels.
People, Skills, and Competencies
- Are required for completing all activities and for making correct decisions and taking corrective action.
- Define role skills, skill levels, skill categories and skill definitions.
Each enabler is described and managed using four common dimensions, as follows:
- Stakeholders
  - Internal stakeholders
  - External stakeholders
- Goals
  - Intrinsic quality: the enabler works according to good practice, and its information is accurate and objective.
  - Contextual quality: fit for purpose, relevant, easy to apply.
  - Accessibility and security
- Life cycle
  - Plan / Design
  - Build / Acquire / Create / Implement
  - Use / Operate
  - Evaluate / Monitor
  - Update / Dispose
- Good practices
  - Example practices and activities for each enabler, against which its goals can be checked.
Process Capability Model and Levels
The capability model is based on ISO/IEC 15504 (SPICE). It defines six capability levels, as follows:
Level 0 — Incomplete
- The process is not implemented or fails to achieve its purpose.
Level 1 — Performed
- The process is implemented and achieves its purpose.
Level 2 — Managed (Planned and monitored)
- The process is managed and results are specified, controlled and maintained.
Level 3 — Established (Well defined)
- A standard process is defined and used throughout the organization.
Level 4 — Predictable (Quantitatively managed)
- The process is executed consistently within defined limits.
Level 5 — Optimizing (Continuous improvement)
- The process is continuously improved to meet relevant current and projected business goals.
The capability of a process is measured using process attributes (PA). The standard defines nine process attributes, each belonging to the capability level whose number it carries (one attribute at level 1, two at each of levels 2 to 5):
- PA 1.1 Process performance
- PA 2.1 Performance management
- PA 2.2 Work product management
- PA 3.1 Process definition
- PA 3.2 Process deployment
- PA 4.1 Process measurement
- PA 4.2 Process control
- PA 5.1 Process innovation
- PA 5.2 Process optimization
Each process attribute is rated on a four-point (N-P-L-F) scale according to the percentage of achievement:
- N, Not achieved: 0% to 15%
- P, Partially achieved: above 15% to 50%
- L, Largely achieved: above 50% to 85%
- F, Fully achieved: above 85% to 100%
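As an added example (not part of the original article and not ISACA's material), here is how an assessor would turn attribute percentages into N-P-L-F ratings and then into a capability level for one process. The rating bands are the ones above. The level-determination rule is the ISO/IEC 15504-2 rule that the Cobit 5 Process Assessment Model adopts and that the article does not spell out: a process is at level n when every attribute below level n is Fully achieved and every attribute at level n is at least Largely achieved. The percentages for DSS 5 are constructed sample data.

```python
"""Derive a Cobit 5 / ISO/IEC 15504 process capability level from PA ratings.

Added example; the sample percentages below are constructed, not a real assessment.
"""
from __future__ import annotations

# Process attribute -> (capability level it belongs to, name)
PROCESS_ATTRIBUTES: dict[str, tuple[int, str]] = {
    "PA 1.1": (1, "Process performance"),
    "PA 2.1": (2, "Performance management"),
    "PA 2.2": (2, "Work product management"),
    "PA 3.1": (3, "Process definition"),
    "PA 3.2": (3, "Process deployment"),
    "PA 4.1": (4, "Process measurement"),
    "PA 4.2": (4, "Process control"),
    "PA 5.1": (5, "Process innovation"),
    "PA 5.2": (5, "Process optimization"),
}

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimizing"}

# Ordering of the four-point scale, so ratings can be compared.
RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(percent: float) -> str:
    """Map an achievement percentage to N/P/L/F. Band upper bounds are inclusive:
    0-15 N, >15-50 P, >50-85 L, >85-100 F."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be between 0 and 100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict[str, str]) -> int:
    """ISO/IEC 15504-2 rule (assumption stated in the lead-in): level n is reached
    when all attributes of levels below n are F and all attributes at level n are
    L or F. Attributes that were not rated count as N."""
    achieved = 0
    for n in range(1, 6):
        lower_full = all(ratings.get(pa, "N") == "F"
                         for pa, (lvl, _) in PROCESS_ATTRIBUTES.items() if lvl < n)
        current_ok = all(RANK[ratings.get(pa, "N")] >= RANK["L"]
                         for pa, (lvl, _) in PROCESS_ATTRIBUTES.items() if lvl == n)
        if lower_full and current_ok:
            achieved = n
        else:
            break  # levels cannot be skipped, so stop at the first failure
    return achieved


def gaps_to_next_level(ratings: dict[str, str]) -> list[str]:
    """List the attributes blocking the next capability level, with the rating needed."""
    target = capability_level(ratings) + 1
    if target > 5:
        return []
    gaps = []
    for pa, (lvl, name) in PROCESS_ATTRIBUTES.items():
        current = ratings.get(pa, "N")
        if lvl < target and current != "F":
            gaps.append(f"{pa} {name}: needs F, is {current}")
        elif lvl == target and RANK[current] < RANK["L"]:
            gaps.append(f"{pa} {name}: needs at least L, is {current}")
    return gaps


def assess(percentages: dict[str, float]) -> dict:
    """Full assessment for one process: ratings, level, and what to fix next."""
    ratings = {pa: rate(p) for pa, p in percentages.items()}
    level = capability_level(ratings)
    return {"ratings": ratings, "level": level,
            "level_name": LEVEL_NAMES[level], "gaps": gaps_to_next_level(ratings)}


# Constructed sample: attribute achievement for DSS 5 (Manage security services).
SAMPLE_DSS05 = {"PA 1.1": 95, "PA 2.1": 80, "PA 2.2": 60, "PA 3.1": 40, "PA 3.2": 10}

if __name__ == "__main__":
    result = assess(SAMPLE_DSS05)
    print(f"DSS 5 capability level {result['level']} ({result['level_name']})")
    for gap in result["gaps"]:
        print("  ", gap)
```

For the sample, PA 1.1 rates F and both level-2 attributes rate L, so the process is at level 2 (Managed). It is not at level 3 even though level-3 work has started: the level-2 attributes must first become F, and PA 3.1 and PA 3.2 must each reach at least L. Note the edge case the rule creates: a process whose level-2 attributes are F but whose PA 1.1 is only L stays at level 1.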
The Cobit 5 framework has clear guidance on how to set up and maintain a governance implementation. Even if you start small and take only a few pieces of the framework, you are on the right path. Let me challenge you to pick a couple of elements of the framework and apply them to your next project or solution, then build up from there. If your organization has an Enterprise Architecture Board, ask them for help and guidance with implementing Cobit 5.
I hope you enjoyed this article and let me know if you have any feedback or questions.