Toward Better IT Governance With COBIT 5
By Alpaslan Menevse, CISA, CRISC
As an advisory and regulatory body, the Basel Committee plays a very important role in structuring the global banking sector. The latest guidance publications from Basel have one common viewpoint: the need for sound governance practices for all banks around the world. Today, from banking to all lines of business, so much is dependent on IT, and it is almost impossible to separate IT governance from enterprise governance. This dependency raises a need for an integrated framework to satisfy the needs of business and fulfill the demands of good governance practices.
The upcoming COBIT 5, an exposure draft of which was released earlier this year, with the final document expected in early 2012, introduces important changes in governance processes and shows that COBIT is not intended for IT audit only, a common misconception. One of the most important changes in COBIT 5 is the precise definition of “governance” and “management” and their respective responsibilities, which helps to define clear roles and responsibilities for all stakeholders. The COBIT 5 Evaluate, Direct and Monitor (EDM) process set is designed to govern and encapsulate all other management processes. This major upgrade in COBIT 5 is intended to increase awareness of the need for a structured governance framework for all organizations at an enterprisewide level, from operations to the strategic board.
In general, governance practices are considered at their best when they are linked and embedded as continuous management life cycles, such as enterprise risk management, in all processes within an organization. COBIT 5 will enable organizations to implement auditable, dedicated IT governance processes and measurable performance metrics, which are among the biggest and most valuable changes in COBIT 5.
COBIT 5, like COBIT 4.1, offers an easy-to-implement mapping tool to map the strategic objectives of an organization to related IT objectives in order to achieve the required governance model.
One way to analyze these mappings is to draw a COBIT process occurrence chart from the result of the mappings. The process occurrence chart represents the result of one of the sample mappings (figure 1). The organization’s corporate goals are mapped to the generic enterprise goals. Those are then mapped to IT goals, which are then mapped to the COBIT 5 IT processes. The result can be summarized by a COBIT IT process graph displaying the number of occurrences of each COBIT process after all mappings are done (figure 2). The graph can be interpreted as the dependency of corporate strategic goals on COBIT 5 processes. The more often a specific process occurs, the more corporate goals depend on it; the capability of that process then conditions the achievement of those goals, and its related governance practices need correspondingly more attention.
For organizations that have already implemented COBIT or that are planning to implement the framework for the first time, a good starting point is to conduct a gap analysis throughout the organization, starting from the governance framework to tactical-level policies and then operational-level processes. After a gap analysis and an assurance audit, the process capabilities can be assessed. Therefore, COBIT process occurrence values, as shown in the process dependency graph (figure 2), are a good indicator of where to focus. They enable senior management to ensure that the resources are allocated where most needed to achieve objectives. A process occurrence chart can also be used as a relative weighting factor between different domains. Of course, the mapping can be adjusted and balanced with other objectives such as risk management and compliance functions on an as-needed basis.
In a sample case involving a growing bank, the corporate goals were:
Improvement of the sales culture and number of customers
Correct localization for the target group
Increased effectiveness of the organization
Increased effectiveness of the marketing strategy and processes
After all mappings were done in the sample case, it was shown that APO04 Manage innovation, a new process from the Align, Plan and Organize (APO) process set in COBIT 5, occurred a total of 20 times. Enabling new products through innovation in the IT domain was found to be the crucial element for achieving the corporate goals of the bank. One can conclude that, from the governance perspective, the objectives will not be met without achieving a high-enough capability score for the innovation process.
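As an added illustration of how the process occurrence chart in figures 1 and 2 is derived (this is example code, not part of the article or of ISACA’s COBIT 5 material), the block below cascades the sample case’s four corporate goals through three mapping tables and counts how many paths reach each COBIT 5 process. The enterprise-goal and IT-goal identifiers (EG-A, ITG-1, …) and the mapping tables are constructed placeholders, not COBIT 5’s published mappings, so the resulting counts differ from the 20 and 16 reported in the article; the optional per-goal weights show how the chart can be rebalanced against other objectives such as risk management or compliance.

```python
from collections import Counter

# The four corporate goals of the article's sample case.
CORPORATE_GOALS = [
    "Improve sales culture and number of customers",
    "Correct localization for the target group",
    "Increase effectiveness of the organization",
    "Increase effectiveness of marketing strategy and processes",
]
# Constructed placeholder cascade tables (NOT COBIT 5's published mappings):
# corporate goal -> generic enterprise goals -> IT goals -> COBIT 5 processes.
CORPORATE_TO_ENTERPRISE = {
    CORPORATE_GOALS[0]: ["EG-A", "EG-C"], CORPORATE_GOALS[1]: ["EG-A", "EG-C"],
    CORPORATE_GOALS[2]: ["EG-B", "EG-D"], CORPORATE_GOALS[3]: ["EG-A", "EG-B", "EG-C"],
}
ENTERPRISE_TO_IT = {"EG-A": ["ITG-1", "ITG-2"], "EG-B": ["ITG-2", "ITG-3"],
                    "EG-C": ["ITG-4", "ITG-6"], "EG-D": ["ITG-5"]}
IT_TO_PROCESS = {"ITG-1": ["EDM01", "APO04"], "ITG-2": ["APO07", "EDM01"],
                 "ITG-3": ["APO07"], "ITG-4": ["APO04"],
                 "ITG-5": ["APO07"], "ITG-6": ["APO04", "EDM01"]}

def cascade(items, *tables):
    """Follow items through each mapping table in turn, keeping repeats:
    every distinct path that reaches a process is one occurrence."""
    for table in tables:
        items = [target for item in items for target in table.get(item, [])]
    return items

def occurrence_chart(goals, weights=None):
    """Process occurrence counts (the figure 2 chart); optional per-goal
    weights let risk or compliance priorities rebalance the result."""
    counts = Counter()
    for goal in goals:
        weight = (weights or {}).get(goal, 1)
        for proc in cascade([goal], CORPORATE_TO_ENTERPRISE, ENTERPRISE_TO_IT, IT_TO_PROCESS):
            counts[proc] += weight
    return counts

def focus_order(counts):
    """Processes by dependency, highest first: where capability work should focus."""
    return [proc for proc, _ in counts.most_common()]

def domain_shares(counts):
    """Relative weight of each COBIT domain (EDM, APO, ...) in the chart."""
    total = sum(counts.values())
    by_domain = Counter()
    for proc, n in counts.items():
        by_domain[proc[:3]] += n
    return {domain: n / total for domain, n in by_domain.items()}
```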
Suggested sample primary metrics for IT goals for APO04 include the:
Percentage of business process owners who are satisfied with supporting IT products and services
Percentage of IT-enabled investments in which benefit realization is monitored through the full economic life cycle
Suggested sample metrics for process goals for APO04 include:
An increase in market share or competitiveness due to innovations
The percentage of implemented initiatives with a clear link to an enterprise objective
Process APO07 Manage human resources has an occurrence score of 16 in the sample case, which is also consistent with the objectives. Having highly skilled IT personnel and a competitive human resources policy plays an important role in achieving the enterprise goals.
Suggested sample primary metrics for IT goals for APO07 include the:
Percentage of personnel whose IT-related skills are sufficient for the competency required for their role
Number of approved initiatives resulting from innovative IT ideas
As shown in figure 2, one of the most important processes in the sample case is EDM01 Set and maintain the governance framework, which is also a new process in COBIT 5. EDM01 plays a key role in the overall COBIT 5 framework. The purpose of the process is explained in COBIT 5: Process Reference Guide Exposure Draft:
Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.1
Some of the suggested process metrics for EDM01 include:
Actual vs. target cycle time for key decisions
The degree by which agreed-upon governance principles for IT are evidenced in processes and practices (the percentage of processes and practices with clear traceability to principles)
The capability of EDM processes should be seen as a crucial success factor in the overall COBIT 5 framework. Therefore, necessary emphasis and priority should be allocated by the governance bodies.
Advances in COBIT 5
An important update in COBIT 5 is the use of the process capability model from ISO/IEC 15504 Information technology—Process assessment instead of the maturity model structure found in COBIT 4.1. This is a major change and must be studied extensively. The overarching COBIT 5 framework and its addenda will provide more concentrated information while preserving the information’s integrity and ensuring proper enterprise governance.
The information model is also renewed in COBIT 5 such that it considers information as both a product and a service, covering all aspects of information attributes for different perspectives, referred to as the “information cycle.” In the information cycle, business processes generate and process data, transforming them to information and knowledge and, ultimately, generating value for the enterprise. The information cycle will enable organizations to implement necessary policies and procedures and to set required information quality attributes for all stakeholders.
Current global economic conditions impose very tight regulations on business governance. Additionally, proper governance of an enterprise is one of the biggest concerns of all stakeholders. With the aid of an enterprise governance concept, better utilization of IT governance methods will continue to be one of the hot topics in the foreseeable future. The latest studies show that there is still much to achieve on the governance and management sides of IT, especially in relation to the blurred roles and responsibilities of business and IT.2 Adoption of COBIT 5 is one of the best opportunities to clarify and solve these issues. As an IT governance framework, COBIT 5 can be integrated with other standards and practices. COBIT 5’s comprehensive structure and easy adaptability promise better IT governance for all areas as well as for all members of the financial sector.
Alpaslan Menevse, CISA, CRISC
is the operational risk manager, enterprise risk management project facilitator and a member of the audit committee at Sekerbank. He represents the enterprise on the Banks Association of Turkey Operational Risk Sub-Committee. Menevse’s current focus includes the human side of change management in organizations. He was a subject matter expert on the CRISC™ Review Manual 2011.
ISACA, COBIT 5: The Framework Exposure Draft, USA, 2011
1 ISACA, COBIT 5: Process Reference Guide Exposure Draft, USA, 2011
2 See the following:
Banking Regulation and Supervision Agency (BRSA), “The Regulation on the Internal Systems of Banks,” Official Gazette, 1 November 2006, no. 26333, http://www.bddk.gov.tr/WebSitesi/english/Legislation/8839internalsystems03032011.pdf
BRSA, “Regulation on the Bank’s Corporate Management Principles,” Official Gazette, 1 November 2006, no. 26333, http://www.bddk.gov.tr/WebSitesi/english/Legislation/8805eng_corporatemanagement_10_06_2011.pdf
Basel Committee on Banking Supervision, Principles for Enhancing Corporate Governance, Bank for International Settlements, Switzerland, 2010, http://www.bis.org/publ/bcbs176.pdf
Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risks, Bank for International Settlements, Switzerland, 2011, http://www.bis.org/publ/bcbs195.pdf
Directorate for Financial and Enterprise Affairs and Organisation for Economic Co-operation and Development (OECD) Steering Group on Corporate Governance, Corporate Governance and the Financial Crisis: Conclusions and Emerging Good Practices to Enhance Implementation of the Principles, OECD, France, 2010, http://www.oecd.org/dataoecd/53/62/44679170.pdf
European Banking Authority, EBA Guidelines on Internal Governance (GL 44), European System of Financial Supervision, UK, 2011, http://www.eba.europa.eu/cebs/media/Publications/Standards%20and%20Guidelines/2011/EBA-BS-2011-116-final-(EBA-Guidelines-on-Internal-Governance)-(2)_1.pdf
International Organization for Standardization (ISO), ISO 31000:2009 Risk management—Principles and guidelines, Switzerland, 2009, http://www.iso.org/iso/iso_catalogue/management_and_leadership_standards/risk_management.htm