“COBIT 5 is the only business framework for the governance and management of enterprise IT.
COBIT’s globally accepted principles, practices, analytical tools and models are designed for business executives – not just IT leaders. What’s more, COBIT 5 can be used in any industry and by organizations of all sizes”.
COBIT 5 – Govern and Manage Enterprise IT
ISACA International President Ken Vander Wal discusses the 5 Principles of COBIT 5 and how the framework helps Govern and Manage Enterprise IT.
COBIT 5 – Observations
“Specialists are very good at what they do,” he said. “Service management professionals manage and, for most, their preferred guidance is ITIL. Security professionals protect, and, for many of them, the preferred guidance is the ISO/IEC 27000 series.
By using a COBIT-inspired model, all groups were able to see how their work fit under an overall umbrella and how their work related to each other’s work.”
Bob Frelinger, manager of the Process Management program for Oracle’s Global IT group
Here is a smart tweet from Greg and an interesting comment from Mr TIPU.
“The difference between COBIT and ITIL is that a COBIT practitioner knows the difference”.
Gregory Tucker @ITSMinfo on Thursday !0th May
“Was asked if I could do an #ITIL assessment. No, I’d use ##COBIT. Surprised look: he hadn’t thought of that.”
COBIT 5 was officially launched on Tuesday the 10th of April.
The evolution from COBIT 4.1 shifts focus away from “Control Objectives for Information and Related Technology” to Governance and Management of Enterprise IT.
My take on the evolution of the COBIT 5 framework is that we now have a way of defining and agreeing “Common Objectives for Business and IT“.
The following number of downloads of the COBIT 5 Framework have been processed in just 4 days.
I wonder how many of these downloads have been made by individuals in the Business, Consultants and Trainers rather than IT folk.
The fresh guidance provided in COBIT 5 will make it possible to align Enterprise (Business) and IT related goals by defining and agreeing common objectives.
Common objectives are required to close the communication / expectation gap between IT and the Business. In this video the CEO is talking with the CIO.
How are you helping the Business drive revenue?
Is IT focussing on driving our strategic initiatives?
How are you enabling innovation within the Business?
How is IT aligning to the Business and adding value?
Looks like they both could use some help
So how should you address the gap in perception and reality?
A good place to start is to read the new Evaluate, Direct and Monitor processes for the Governance of Enterprise IT, specifically:
EDM02 Ensure Benefits Delivery and
EDM05 Ensure Stakeholder Transparency
these processes will help the Business and IT to develop a shared understanding of stakeholder needs and value realisation.
The spring issue of ServiceTalk dropped on my mat this week and contained an article by Robert E Stroud entitled COBIT 5 : Delivering Value Through Governance and Management. The 2 page article, tucked away at the back of the magazine, provides an overview of the COBIT 5 Framework, Enabler Guides and Professional Guides.
You have to a member of itSMF in order to view the article online. LINK
Stroud states that “Value can only be realised when COBIT is adopted and adapted to fit a particular environment. The implementationmust ddress the specific business challenges, including mnaging changes to culture and behaviour”.
WHY ARE COMMON OBJECTIVES FOR THE BUSINESS AND IT SO IMPORTANT?
There is an expectation gap between the Business and IT because Enterprise and IT related goals are not aligned.
The purpose of Internal or External IT Service Providers is to serve the Business. A successful relationship can only work if there is a set of shared goals and common objectives. COBIT 5 practical guidance is a great place to start in order to address communication gaps and have the right conversations.
The COBIT 5 framework enables the Business and IT to talk about the same things in the same way. Tighter integration is required between the Business and IT in order to drive solutions and lay the foundations for a Transformation journey. (from 37 seconds in)
We are operating in a Multi Sourcing environment and COBIT 5 will jump start the ability of Service Integrators to implement the right governance processes.
Failure to act and demonstrate value to Business Executives will open the door for the Consulting firms / Independent Consultants who sit at the intersect between the Business and IT.
Making excuses that the IT organisation is too busy to carve out time to understand, plan and implement the COBIT 5 guidance is not acceptable.
Get involved or you will be bypassed and become irrelevant.
The new COBIT 5 framework covers the Governance of Enterpise IT and sets out the guidance to achieve business objectives and help increase business user satisfaction with IT.
The three COBIT 5 publications introduce, define and describe the principles, enabling processes and the implementation steps.
“COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.”
Principle 1. Meeting Stakeholder Needs – Stakeholder needs are translated into specific Enterprise, IT-Related goals and Enabler goals
Principle 2. Covering the Enterprise End-to-End – Governance and Management of information and related technology is addressed from an enterprise-wide, end-to-end perspective.
Principle 3. Applying a Single Integrated Framework – COBIT 5 defines the overarching governance and management framework that has been designed to integrate seamlessly with other good practice guidance e.g. ISO 38500
Principle 4. Enabling a Holistic Approach – The seven categories of Interconnected Enterprise Enablers are set out below:
Principle 5. Separating Governance from Management
COBIT 5 advocates that organisations implement the key governance and management processes.
Significant attention should be given to the five Evaluate, Direct and Monitor processes.
COBIT 5 provides an end-to-end view of the 37 processes for successful governance and management of Enterprise IT.
A separate publication describes the 7 Implementation Steps in detail.
Derek Oliver, Co-Chair COBIT 5 Task Force at ISACA, discusses the business benefits of using COBIT 5.
Access this link to reserve/download your copy of COBIT 5. You will need to register with ISACA and state your affiliation before you are able to do so.
The COBIT 5 Framework of 3 concise Publications and supporting Toolkit provide fresh thinking and guidance on what is required to successfully Govern Enterprise IT.
This version is an evolution of the previous guidance and sets out how to implement key Enterprise IT Governance and Management processes.
The COBIT 5 Process Capability Model and Training Curriculum will be released shortly.
The launch of the COBIT 5 Framework enables Business Executives to articulate their specific stakeholder needs in a language that is common to Internal and External IT Service Providers.
Failure to understand and apply the new guidance will lead to an imperfect future for the IT organisation.
Business Executives have decision rights on how they source the provision of services. They will gravitate towards the IT organisations who can “talk the COBIT 5 talk” and can demonstrate value delivered.
Previously I have published two posts about COBIT 5
In my November 2011 POST – COBIT 5 is coming – will you be ready? there is a link to the Exposure Draft version of the Process Reference Guide.
and in my February 2012 POST – COBIT 5 is now approaching the finish line – there is a detailed description of the seven implementation steps.
For the two thirds of my readers who are in the US. COBIT 5 is here – HOOYAH
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The new processes definitions of COBIT 5 are based on the principles in ISO 38500 and the ISO 15504 Process Capability Assessment Model.
I recommend that you read the responses made by Peter Hill to this blog post
Far from muddying the water the COBIT 5 framework makes a clear distinction between governance and management. COBIT 5 is based on five high level principles and Principle 5 is about the separation of Governance from Management.
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives [EDM]
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives [PBRM]
The COBIT 5 Development Team has digested all of the feedback from the public exposure and has been working diligently to incorporate the significant observations.
The completion of the Framework and Process Reference Guide are on schedule and both will be published in March or April 2012, along with COBIT 5:
The Implementation Guide, which is intended to assist stakeholders in implementing COBIT 5 for governance and management of enterprise information and technology assets.
The COBIT 5 Implementation Guide is being finalised for release in March.
There are seven phases in the implementation lifecycle which describe how to establish an approach to deliver a sustainable set of governance and management processes for the enterprise.
Phase 1 starts with recognising and agreeing to the need for an implementation or improvement initiative
Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT’s mapping of enterprise goals to IT‐related goals to the associated IT processes.
During phase 3, an improvement target is set, followed by a more detailed analysis leveraging COBIT’s guidance to identify gaps and potential solutions.
Phase 4 plans practical solutions by defining projects supported by justifiable business cases.
The proposed solutions are implemented into day‐to‐day practices in phase 5.
Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.
During phase 7, the overall success of the initiative is reviewed.
A practical COBIT 5 and IT governance seminar is scheduled for London (23rd Feb) this seminar provide delegates with an understanding of COBIT 5, how to implement IT governance and management processes, measure capability and manage performance.
In my experience the implementation of a governance framework enables strategic decision making and ensures IS investments are optimized, aligned with business strategy, and deliver required value within acceptable risk boundaries.
The governance framework sets out the hierarchy of forums that should be in place to allow IS leadership to monitor, measure and drive IS alignment to business priorities.
Decision making in the governance hierarchy takes place at the right level – i.e. empower people
The new COBIT 5 governance processes [Evaluate, Direct, Monitor] provide guidance on how to define and deliver Business value for identified stakeholders.
The role of IT is to serve the Business and the guidance provided in COBIT5 will help internal / external Service Providers take an Outside In approach.
This can be achieved by aligning Governance objectives and mapping Enterprise related goals with IT related goals.
COBIT 5 (Control Objectives for Information Technology) will be published by the end of Quarter 1, 2012. It is important to recognise that the new version shifts focus away from v4.1 control objectives to the governance and management processes set out in COBIT 5. John W. Lainhart the co-chair of the COBIT 5 task force provides an overview.
John states that COBIT 5 goes into the business perspective not just the IT perspective. There is an increased business focus on enterprise governance and management of IT. The starting point of governance and management activities are the stakeholder needs related to enterprise IT.
The business focus of COBIT 5 is further achieved through identifying all stakeholders and their needs. There are many examples of internal and external stakeholder needs in Fig 10 (Page 25).
The COBIT framework is based on these five principles:
The COBIT 5 Integrator Framework – includes Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF) plus integration with other frameworks, standards and practices – ISO, TOGAF, PMBOK and ITIL.
The Governance Objective: Value Creation – Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation. Value creation means realising benefits at an optimal resource cost whilst optimising risk.
Business and Context Focus – Having a business focus means focussing on enterprise goals and objectives. This relates to every enterprise’s objective for benefits realisation, risk optimisation and resource optimisation. COBIT 5 covers all of the critical business elements, i.e. processes, organisational structures, principles & policies, culture, skills and service capabilities. In addition, a new information model provides a simple link between business information and the IT function.
The COBIT 5 Governance Approach—Enabler Based
The main elements of the governance approach are as follows:
Governance enablers are the organisational resources for governance, such as frameworks, principles, structure, processes and practices
Governance scope: Governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc.
Roles, Activities and Relationships: It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.
Governance- and Management structured – The COBIT 5 framework makes a clear distinction between governance and management.
Governance is about the Senior Management team providing a steer and making, sponsoring and enforcing the right decisions to meet enterprise objectives.
Management is responsible for execution by making effective use of resources, people, processes, practices in line with the direction set by the governing body.
COBIT 5 Process Capability Model (replaces the Maturity Model)
An important update in COBIT 5 is the use of the process capability model from ISO/IEC 15504 IT / Software Engineering—Process Assessment which provides a sound standard for the assessment of a process to achieve its required outcome.
Level 0 – Incomplete. Process is not implemented or fails to achieve its process purpose.
Level 1 – Performed. The implemented process achieves its process purpose.
Level 2 – Managed. Process is planned, monitored and work products are established.
Level 3 – Established. Process is capable of achieving its process outcomes.
Level 4 – Predictable. Process now operates within defined limits to achieve its process outcomes
Level 5 – Optimizing. Process is continuously improved to meet current and projected business goals
Previously much debate has been generated about the need to align the Maturity definitions across frameworks. For example:
I suggest that more focus and attention is given to the new Business facing processes than on arguing the relative merits of one level definition against another. It is what it is!
COBIT 5 Process Model
Stakeholders – Processes have internal and external stakeholders
Goal & Metrics – Goals are defined as a statement describing the desired outcome of a process
Lifecycle – defined, created, operated, monitored and adjusted/updated, or retired
Good Practices – are described in cascading levels of detail: practices, activities and detailed activities
Attributes – provide the how, why and what to implement for each governance or management practice
COBIT 5 Process Reference Model
The COBIT 5 Process Reference Model divides the governance and management processes of enterprise IT into two main process domains:
The GOVERNANCE domain, contains five governance processes; within each process, Evaluate, Direct and Monitor practices are defined
EDM1 Set and Maintain the Governance Framework
EDM2 Ensure Value Optimisation
EDM3 Ensure Risk Optimisation
EDM4 Ensure Resource Optimisation
EDM5 Ensure Stakeholder Transparency
The four MANAGEMENT domains, in line with the responsibility areas of Plan, Build, Run and Monitor (PBRM—an evolution of the COBIT 4.1 domains), provides an end‐to‐end coverage of IT.
In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.
The Process Reference Guide incorporates COBIT 4.1, Val IT and Risk IT processes and describes the following for each process:
Process Name, Area and Domain
Process Description
Process Purpose Statement
IT Related Goals and Metrics
Process Goals and Metrics
RACI Chart
Process (Governance or Management) Practices, Inputs/Outputs and Activities
The inputs and outputs of a process are defined in detail in the Process Reference Guide.
COBIT 5 Implementation Guide
There are seven phases in the implementation lifecycle which describe how to establish an approach to deliver a sustainable set of governance and management processes for the enterprise.
The major improvement delivered by COBIT 5 is that the new guidance has been packaged in a way that Business leaders can understand and practice how to effectively govern their IT organization. At a time when information assurance, risk and security controls are increasingly important to safeguard the reputation of the Business and meet regulatory requirements; COBIT 5 sets out how to align Business stakeholder needs wit IT related goals by implementing a rigorous governance and management framework.
So, you effectively have four months to tailor the Evaluate, Direct and Monitor processes defined in the Governance domain by working closely with internal and external stakeholders. The clock is ticking and you should expect that the IT Assurance consultants from the big audit practices and the traditional consulting firms are preparing their sales messages for their target clients. By walking the halls and having the right conversations with the Business buyers they will commission engagements following the release of the new standard.
Get ahead of the curve. Download the COBIT Self Assessment Guide – Process Capability Assesment and the COBIT 5 Process Reference Guide. Firstly conduct a gap analysis of your current governance and management framework, then perform an internal assessment against the new process templates and share your findings with the business operations / operational excellence team. Agree any investment spend required to uplift the maturity of the five Governance processes which are visible to the Business. Get tight with the Business in order to define and embed the key governance forums and roll out revised management processes across internal and external Service Providers.
thisiswhatgoodlookslike 