Controlling Escalating costs of IT Investments Using COBIT5
The hypothetical case of how Akpos (a fictional character) obtained stakeholder buy-in to implement Governance and Management of Enterprise IT for ABC Limited using the COBIT5 Goals Cascade.
ABC Limited, a company facing increasing demand for its products and services and the need to automate most of its processes, has had to acquire more computing units over a period of one year. Though processes now deliver at shorter time intervals, ABC Limited’s stakeholders are worried about the escalating costs of maintaining the computing units that power their production.
Mr Akpos, an IT Auditor in the employ of ABC, has suggested enabling Governance and Management of Enterprise IT in the organization using COBIT5. In order to guarantee stakeholder buy-in for the COBIT5 implementation, Akpos has decided to use the COBIT5 Goals Cascade to demonstrate how the specific stakeholder needs can be addressed by the framework.
The COBIT5 Framework: (Culled from COBIT5 Framework)
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 is based on five key principles (shown in figure 2) for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of enterprise IT into enterprise governance:
It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT.
Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
- Principles, Policies and Frameworks
- Organisational Structures
- Culture, Ethics and Behaviour
- Services, Infrastructure and Applications
- People, Skills and Competencies
Principle 5: Separating Governance From Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. COBIT 5’s view on this key distinction between governance and management is:
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organisational structures at an appropriate level, particularly in larger, complex enterprises.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
Together, these five principles enable the enterprise to build an effective governance and management framework that optimises information and technology investment and use for the benefit of stakeholders.
COBIT 5 Goals Cascade
Every enterprise operates in a different context; this context is determined by external factors (the market, the industry, geopolitics, etc.) and internal factors (the culture, organisation, risk appetite, etc.), and requires a customised governance and management system.
Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.
The COBIT 5 goals cascade is shown in figure 4.
Step 1. Stakeholder Drivers Influence Stakeholder Needs
Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and new technologies.
Step 2. Stakeholder Needs Cascade to Enterprise Goals
Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC) dimensions, and they represent a list of commonly used goals that an enterprise may define for itself. Although this list is not exhaustive, most enterprise-specific goals can be mapped easily onto one or more of the generic enterprise goals.
Step 3. Enterprise Goals Cascade to IT-related Goals
Achievement of enterprise goals requires a number of IT-related outcomes which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC). COBIT 5 defines 17 IT-related goals, listed in figure 6 (COBIT5 Framework).
The mapping table between IT-related goals and enterprise goals is included in appendix B (COBIT5 Framework), and it shows how each enterprise goal is supported by a number of IT-related goals.
Step 4. IT-related Goals Cascade to Enabler Goals
Achieving IT-related goals requires the successful application and use of a number of enablers.
Processes are one of the enablers, and appendix C (COBIT5 Framework) contains a mapping between IT-related goals and the relevant COBIT 5 processes, which then contain related process goals.
Back to ABC Nigeria Limited and Akpos
Akpos, an IT Auditor with ABC, has proposed that ABC Limited embrace Governance and Management of Enterprise IT as a way of ensuring that IT investments create value for ABC’s stakeholders through the realization of benefits from IT investments and Resource Optimization, while also ensuring that all risks associated with the use of IT in ABC’s operations are well managed.
Akpos was able to obtain stakeholder buy-in for the use of COBIT5 as the framework of choice by using the COBIT5 Goals Cascade to link ABC’s Stakeholder Needs to its Enterprise Goals. He also mapped Enterprise Needs to IT-related Goals, which are in turn mapped to Enablers for the IT-related Goals, thereby demonstrating firsthand how ABC can link IT and its Enablers to the overall Enterprise Goal of the company, up to taking care of Stakeholder Needs.
Using COBIT5 generic Stakeholder Goals, this will map to the following Stakeholder Goals:
‘How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options?’ (Appendix D COBIT 5 Framework page 55).
Enterprise Goals (Appendix D COBIT5 Framework page 55)
The above stakeholder goals have primary relationships with the following Enterprise Goals:
- Optimization of service delivery costs
- Optimization of business process costs
- Operational and staff productivity
Enterprise Goals Map to IT-Related Goals (Figure 22-Mapping COBIT5 Enterprise Goals to IT-related Goals. Page 50 COBIT5 Framework)
The above Enterprise Goals will map to the following IT-related Goals:
- Management of IT-related Business Risks
- Transparency of IT costs, benefits and risk
- Optimization of IT assets, resources and capabilities
- Realized Benefits from IT-enabled investments and services portfolio
- Adequate use of applications, information and technology solutions
- Competent and motivated business and IT personnel
IT-related Goals Map to IT Processes (Enablers)
- EDM02 – Ensure Benefits Delivery
- EDM03 – Ensure Risk Optimization
- EDM04 – Ensure Resource Optimization
- EDM05 – Ensure Stakeholder Transparency
- APO01 – Manage The IT Management Framework
- APO03 – Manage Enterprise Architecture
- APO04 – Manage Innovation
- APO05 – Manage Portfolio
- APO06 – Manage Budgets and Costs
- APO07 – Manage Human Resources
- APO10 – Manage Suppliers
- APO11 – Manage Quality
- APO12 – Manage Risks
- APO13 – Manage Security
Using the COBIT5 Goals Cascade, Akpos is able to tie the high-level Stakeholder Need of controlling IT costs to the IT Enablers that will address that need. This is a good example of how IT professionals can set the stage for an IT Governance implementation by tying actual enterprise stakeholder pain points to the processes that can address those problems.
Being excerpts from a presentation by Chidi Henry Emeribe CISA, at the Abuja, Nigeria Chapter of the Information Systems Audit and Control Association (ISACA®).
COBIT5 is a framework for the Governance and Management of Enterprise IT and is the property of the Information Systems Audit and Control Association (ISACA®). Literature and figures in this write-up are culled from the COBIT5 Framework. They remain the property of ISACA®.