Saturday, June 23, 2012

45 - COBIT 5 Response to Stakeholder Needs

Very recently, ISACA has come up with a new version of its flagship product Control Objectives for Information and related Technology, i.e. COBIT 5. Undoubtedly there will be a lot of debate about whether COBIT 5 will be as popular as, or more popular than, the previous versions of COBIT.

As is well known, COBIT has gone through some “Avatars”. What started in 1995-96 was the Auditor’s version of Control Objectives. In subsequent versions it went through flavors of Control focus, IT Management focus and then IT Governance focus in the previous version, i.e. COBIT 4. As an IT Governance and Control framework, COBIT 4 scaled ever higher than previous versions and is recognized as a de-facto Standard for Enterprise IT Governance. Obviously there are a number of comparisons and discussions vis-à-vis the ISO Standard for IT Governance, viz. ISO 38500. COBIT 4 encompassed all the required principles to assume its position as an IT Governance Framework.

IT Governance Focus Areas

Rightly, COBIT 4 set out the focus areas, viz. Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Management. Always implicit (and many times explicit) was the direction to start with the Business Goals, cascade down to IT Goals and then accordingly go about selecting the Control Objectives and Processes relevant to the organization. Thus the focus on “Stakeholder Needs” (which is now the First Principle of COBIT 5) was always there, though implicit.

Unfortunately the knowledgebase of COBIT 4 (and earlier versions) set out the Control Domains and Objectives so well in terms of “Plan and Organize”, “Acquire and Implement”, “Deliver and Support” and “Monitor and Evaluate” that it was always a very tempting option for IT Departments to pick up the guidance and get “down to implementation”. Let alone being Business driven or starting from Business goals, Business teams are often not even aware of any framework called COBIT being taken up for implementation.

For instance, we were proudly presented the IT Policies and Procedures by an IT Manager saying these were “A&B Policies” (where A&B stands for the name of a leading Big 4 Audit Firm). These “A&B Policies” were being used as the IT Policy and Procedures Manual by the IT Department. We were dismayed to see that the documents were a verbatim reproduction of COBIT 4 content, down to the “PO1”, “PO2” … “AI3”, “AI4” and so on …

In another IT Department an IT Governance Manager (yes, there is actually such a title in use) showed us the numerous documents, policies and records she had built up over more than 3-4 years. To be fair, a tremendous amount of effort and meticulous documentation had gone into the artifacts. When we asked her which Business or IT Goals had been selected to start with, she casually told us that the Business teams had not really gotten around to sharing any goals with IT.

So, in all, though COBIT 4 was positioned as an IT Governance framework, my guess is that it is still received or used as a more glamorous IT Management guidance. In that, COBIT 5 is surely beating a new path but also entering uncharted territory. Unequivocally it has set out that IT Governance needs to start with Stakeholder Needs. This promises to take the COBIT framework and future IT Governance implementations to an all new level.

Yet, this by itself may also be a big challenge or risk that the COBIT framework itself may face in the days to come. IT Departments which were comfortable adopting COBIT as an IT Management framework may think twice before taking such a potent tool to the Business Departments. Come to think of it, IT Governance is an excellent tool for the Business Stakeholders to evaluate the value delivered from investments in IT. But how many IT departments are truly confident of standing up to such scrutiny? There lies the real problem behind adoption of IT Governance.

We always expect IT Departments to adopt and drive COBIT implementations in the organization. For obvious reasons there is a natural conflict of interest there – why would IT Departments make things more difficult for themselves? Besides, it is always easy to say that Business Departments have no real understanding of Technology, and that going to them for “Approvals” and so on would only delay everything and increase inefficiencies. For instance, anyone who has gone through a Business Impact Analysis for a Business Continuity Management project is well aware of such arguments.

So what then is the way forward? Internal Audit Departments or independent IT Risk Management teams are still the most likely candidates to drive IT Governance adoption and succeed in implementing IT Governance in organizations. COBIT 5 has stepped forward and taken some risks in moving the focus to Stakeholder Needs. Business Departments need to move forward and embrace COBIT too. Boards, CxOs and Business Leaders across the spectrum have to shed their inherent anxiety about COBIT as an “IT framework” and work with it to really strengthen Enterprise Governance in the organization. After all, the key concept is that IT Governance is an integral part of Enterprise Governance. One, without the other, is just not there …
