COBIT 5 is coming – will you be ready?

COBIT 5 (Control Objectives for Information Technology) will be published by the end of Quarter 1, 2012.  It is important to recognise that the new version shifts focus away from v4.1 control objectives to the governance and management processes set out in COBIT 5.  John W. Lainhart the co-chair of the COBIT 5 task force provides an overview.

John states that COBIT 5 goes into the business perspective not just the IT perspective. There is an increased business focus on enterprise governance and management of IT.  The starting point of governance and management activities are the stakeholder needs related to enterprise IT.

The business focus of COBIT 5 is further achieved through identifying all stakeholders and their needs.  There are many examples of internal and external stakeholder needs in Fig 10 (Page 25).

 The COBIT framework is based on these five principles:

The COBIT 5 Integrator Framework – includes Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF) plus integration with other frameworks, standards and practices  – ISO, TOGAF, PMBOK and ITIL.

The Governance Objective: Value Creation – Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation. Value creation means realising benefits at an optimal resource cost whilst optimising risk.

Business and Context Focus – Having a business focus means focussing on enterprise goals and objectives. This relates to every enterprise’s objective for benefits realisation, risk optimisation and resource optimisation.  COBIT 5 covers all of the critical business elements, i.e. processes, organisational structures, principles & policies, culture, skills and service capabilities. In addition, a new information model provides a simple link between business information and the IT function.

The COBIT 5 Governance Approach—Enabler Based

The main elements of the governance approach are as follows:

• Governance enablers are the organisational resources for governance, such as frameworks, principles, structure, processes and practices
• Governance scope: Governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc.
• Roles, Activities and Relationships: It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.

Governance- and Management structured – The COBIT 5 framework makes a clear distinction between governance and management.

Governance is about the Senior Management team providing a steer and making, sponsoring and enforcing the right decisions to meet enterprise objectives.

Management is responsible for execution by making effective use of resources, people, processes, practices in line with the direction set by the governing body.

COBIT 5 Process Capability Model (replaces the Maturity Model)

An important update in COBIT 5 is the use of the process capability model from ISO/IEC 15504 IT / Software Engineering—Process Assessment which provides a sound standard for the assessment of a process to achieve its required outcome.

Level 0 – Incomplete.  Process is not implemented or fails to achieve its process purpose.

Level 1 – Performed.  The implemented process achieves its process purpose.

Level 2 – Managed.  Process is planned, monitored and work products are established.

Level 3 – Established.  Process is capable of achieving its process outcomes.

Level 4 – Predictable.  Process now operates within defined limits to achieve its process outcomes

Level 5 – Optimizing.  Process is continuously improved to meet current and projected business goals

Previously much debate has been generated about the need to align the Maturity definitions across frameworks.  For example:

CMMi (Development & Services) has 5 levels – Initial, Managed, Defined, Quantitavely Managed, Optimized

ITIL 2011 Edition (Service Management Practices) – Initial, Repeatable, Defined, Managed, Optimized

I suggest that more focus and attention is given to the new Business facing processes than on arguing the relative merits of one level definition against another.  It is what it is!

COBIT 5 Process Model

• Stakeholders – Processes have internal and external stakeholders
• Goal & Metrics – Goals are defined as a statement describing the desired outcome of a process
• Lifecycle – defined, created, operated, monitored and adjusted/updated, or retired
• Good Practices – are described in cascading levels of detail: practices, activities and detailed activities
• Attributes – provide the how, why and what to implement for each governance or management practice

COBIT 5 Process Reference Model

The COBIT 5 Process Reference Model divides the governance and management processes of enterprise IT into two main process domains:

• The GOVERNANCE domain, contains five governance processes; within each process, Evaluate, Direct and Monitor practices are defined
• EDM1  Set and Maintain the Governance Framework
• EDM2  Ensure Value Optimisation
• EDM3  Ensure Risk Optimisation
• EDM4  Ensure Resource Optimisation
• EDM5  Ensure Stakeholder Transparency
• The four MANAGEMENT domains, in line with the responsibility areas of Plan, Build, Run and Monitor (PBRM—an evolution of the COBIT 4.1 domains), provides an end‐to‐end coverage of IT.

In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.

COBIT 5 Process Reference Guide – Volume 2 (c. 225 pages)

The Process Reference Guide incorporates COBIT 4.1, Val IT and Risk IT processes and describes the following for each process:

• Process Name, Area and Domain
• Process Description
• Process Purpose Statement
• IT Related Goals and Metrics
• Process Goals and Metrics
• RACI Chart
• Process (Governance or Management) Practices, Inputs/Outputs and Activities

The inputs and outputs of a process are defined in detail in the Process Reference Guide.

COBIT 5 Implementation Guide

There are seven phases in the implementation lifecycle which describe how to establish an approach to deliver a sustainable set of governance and management processes for the enterprise.

For the latest information access the ISACA COBIT 5 Initiative Status Update   

So what will COBIT 5 mean to my organisation?

The major improvement delivered by COBIT 5 is that the new guidance has been packaged in a way that Business leaders can understand and practice how to effectively govern their IT organization.  At a time when information assurance, risk and security controls are increasingly important to safeguard the reputation of the Business and meet regulatory requirements; COBIT 5 sets out how to align Business stakeholder needs wit IT related goals by implementing a rigorous governance and management framework. 

So, you effectively have four months to tailor the Evaluate, Direct and Monitor processes defined in the Governance domain by working closely with internal and external stakeholders.  The clock is ticking and you should expect that the IT Assurance consultants from the big audit practices and the traditional consulting firms are preparing their sales messages for their target clients.  By walking the halls and having the right conversations with the Business buyers they will commission engagements following the release of the new standard. 

Get ahead of the curve.  Download the COBIT Self Assessment Guide – Process Capability Assesment and the COBIT 5 Process Reference Guide.  Firstly conduct a gap analysis of your current governance and management framework, then perform an internal assessment  against the new process templates and share your findings with the business operations / operational excellence team.  Agree any investment spend required to uplift the maturity of the five Governance processes which are visible to the Business. Get tight with the Business in order to define and embed the key governance forums and roll out revised management processes across internal and external Service Providers.