IT Governance Frameworks and COBIT: A Literature Review
Information Technology Policy Framework Based on COBIT 5
Authors: Steven De Haes, Ph.D., Roger Debreceny, Ph.D., and Wim Van Grembergen, Ph.D.
Date Published: 1 Jan 2013
The COBIT 5 good-practice framework for governance and management of enterprise IT (GEIT) incorporates many widely accepted concepts and theories from general management and academic IT literature. By exploring how the core principles of the framework are derived from insights from theory and literature,1 this article provides guidance to practitioners as they apply COBIT 5 in their organizations.
Governance of Enterprise IT and COBIT 5
Information and related technology have become increasingly crucial in the sustainability, growth and management of value and risk in most enterprises. As a result, IT has moved from a support role to a central position within enterprises. The enhanced role of IT in enterprise value creation and risk management has been accompanied by an increased emphasis on GEIT. Enterprise stakeholders and the governing board wish to ensure that IT fulfills the goals of the enterprise.2, 3 GEIT is an integral part of overall corporate governance. GEIT addresses the definition and implementation of processes, structures and relational mechanisms within the enterprise that enable business and IT staff to execute their responsibilities in support of creating or sustaining business value.4 GEIT is complex and multifaceted. Members of the governing board and senior management typically need assistance in implementing GEIT. Over the years, good-practice frameworks have been developed and promoted to assist in this process.5
Released in 2012, COBIT 5 builds on and integrates 20 years of development in this field.6 From its foundation in the IT audit community, COBIT has become a broader and more comprehensive IT governance and management framework and continues to establish itself as a generally accepted framework for IT governance.
COBIT 5 was further complemented by the integration of Val IT and Risk IT. Before COBIT 5, Val IT addressed IT-related business processes and responsibilities in enterprise value creation, and Risk IT provided a holistic business view on risk management. Now incorporated into COBIT 5, the single comprehensive framework guides managers as they implement GEIT in their enterprise.
Substantiating the COBIT 5 Principles
The COBIT 5 framework is built around five core principles, illustrated in figure 1. Each principle is discussed in this section and related to concepts and insights from professional and academic literature. The following subsections address the COBIT 5 principles and the concepts that are applicable to each principle.
Meeting Stakeholder Needs—Strategic Business/IT Alignment
Principle 1 (meeting stakeholder needs) implies that COBIT 5 provides all the required processes and other enablers to support business value creation through the use of IT. This principle closely aligns with the long-standing concept of strategic alignment. The belief that a core component of IT governance is to achieve strategic alignment between IT and the rest of the organization is a core element of COBIT. However, a continuing challenge for organizations is how to achieve alignment. To assist organizations in enhancing strategic alignment, the COBIT 5 development team undertook research to provide guidance in understanding how enterprise goals drive IT-related goals and vice versa. This research was based on in-depth interviews in different sectors and expert (Delphi Method) assessments. A generic list of enterprise goals, IT-related goals and their interrelationships was established (see figure 2). This cascade constitutes the core entry point for COBIT 5. It suggests that organizations should start by analyzing their business/IT strategic alignment through defining and linking enterprise goals and IT-related goals.7, 8
COBIT 5 uses the term "enterprise goals" (as opposed to "business goals" in COBIT 4) to signal explicitly that the framework covers profit-oriented, not-for-profit and governmental enterprises. Further, COBIT 5 talks about "IT-related goals" (as opposed to "IT goals" in COBIT 4); this is addressed in the next subsection.
Figure 2 shows that the enterprise goal of "external compliance with laws and regulations" requires a primary focus (P) on the IT-related goals of "IT compliance and support for business compliance with external laws and regulations" and "security of information and processing infrastructure." In COBIT 5, the weighted importance of IT-related goals leads in turn to a primary focus on a subset of COBIT 5 enablers, such as management and governance processes. In this example, the subset of processes includes manage risk, manage security and manage changes.
Meeting Stakeholder Needs—The Balanced Scorecard
To verify whether stakeholder needs are indeed being met, a sound measurement process should be established. Traditional performance methods such as return on investment (ROI) capture the financial worth of IT projects and systems, but reflect only a limited (tangible) part of the value that can be delivered by IT.9
To facilitate a broader measurement process, the developers of COBIT 5 have built on the balanced scorecard concepts.10, 11 As shown in figure 2, all enterprise goals and IT-related goals are grouped into the balanced scorecard perspectives. COBIT also provides sample outcome metrics to measure each of those goals and to build a scorecard for IT-related activities. Figure 3 provides examples of metrics for the customer perspective of the enterprise and IT-related goals.
Moreover, COBIT 5 provides outcome measures at the level of the 37 detailed COBIT 5 processes. An example providing specific process goals and related metrics is shown in figure 4 for the process Manage security. Of course, these process goals and metrics cannot simply be reported to stakeholders—including senior operational management and the governing board—because the stakeholders would be overwhelmed with information. Rather, the process goals and metrics must be consolidated and aggregated in a way that yields a usable and comprehensive balanced scorecard for the entire IT-related environment. The balanced scorecard allows the organization to determine whether stakeholder needs are being met.
Covering the Enterprise End-to-end—IT Savvy
The principle of covering the enterprise end-to-end articulates that COBIT 5 covers all functions and processes within the enterprise. COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset within the enterprise.12 Business managers should take on responsibility for managing their IT-related assets just as they do for other assets, such as physical plant and financial and human resource assets, within their own organizational units and functions. The business must take ownership of, and be accountable for, governing the use of IT in creating value from IT-enabled business investments.13
A focus on covering the enterprise end-to-end implies a crucial shift in the minds of business and IT management; it comprises a movement from managing IT as a cost to managing IT as an asset. This shift is an essential element of business value creation. "If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset."14
COBIT 5, then, covers both IT and IT-related business responsibilities. As a demonstration of this, COBIT 5 provides Responsible, Accountable, Consulted and Informed (RACI) charts for its processes, in which both business and IT roles are included. To illustrate this, an example RACI chart for the process Manage service agreements is shown in figure 5. This RACI chart indicates that for the service level agreement (SLA) process, both business and IT functions have accountabilities and responsibilities.
Applying a Single, Integrated Framework—COBIT/Risk IT/Val IT and Other Frameworks
Principle 3 (applying a single, integrated framework) explains that COBIT 5 aligns with other relevant standards and frameworks at a high level and thus can serve as the overarching framework for GEIT. ISACA has made a major investment over the years in aligning COBIT with other frameworks, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework, the Information Technology Infrastructure Library (ITIL), the Project Management Body of Knowledge (PMBOK), The Open Group Architecture Framework (TOGAF), and Projects in Controlled Environments, Version 2 (PRINCE2). Many of the processes in COBIT 5 are inspired by the guidance in these frameworks. As such, many of the processes and practices in COBIT 5 relate to and align with one or more detailed frameworks in the field. To work effectively with COBIT 5 and other frameworks, a high-level mapping of COBIT 5 to each of them is included at the process level in COBIT 5: Enabling Processes. Considering that COBIT 5 also integrates Risk IT and Val IT, COBIT 5 is a one-stop shop that includes in its scope previous guidance from ISACA and guidance from other standards and frameworks in the field.15
In its overarching approach, COBIT 5 identifies a set of governance and management enablers that includes 37 processes (see figure 6). At the governance layer, there are five processes in the Evaluate, Direct and Monitor (EDM) domain. These processes set out the board's responsibilities for evaluating, directing and monitoring the use of IT assets to create value for the enterprise. The EDM domain covers setting the governance framework; establishing responsibilities in terms of value (e.g., investment criteria), risk factors (e.g., risk appetite) and resources (e.g., resource optimization); and maintaining transparency on IT to stakeholders.
There are four domains defined at the management layer: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). The APO domain concerns the identification of how IT can best contribute to the achievement of the business objectives. Specific processes within the APO domain relate to IT strategy and tactics, enterprise architecture, innovation and portfolio management. Other important processes address the management of budgets and costs, human resources, relationships, service agreements, suppliers, quality, risk and security. The BAI domain makes IT strategy concrete by identifying the requirements for IT and managing the IT investment program and the projects within that program. This domain also addresses the management of capacity; organizational change; IT change management; acceptance and transitioning; and knowledge, asset and configuration management. The DSS domain refers to the actual delivery of the IT services required to meet strategic and tactical plans. The DSS domain includes processes to manage operations, service requests and incidents, as well as the management of problems, continuity, security services and business process controls. The fourth management domain, MEA, includes processes that are responsible for the assessment of process performance and conformance, evaluation of internal control adequacy, and monitoring of regulatory compliance.16
Applying a Single Integrated Framework—IT Savviness
Compared to its previous versions, COBIT 5 includes a more thorough and complete involvement of business management in governing and managing IT. For example, three newly inserted processes that address specific business roles are APO03 Manage enterprise architecture, APO04 Manage innovation and BAI05 Manage organizational change. Also, in line with this change, there are fewer processes in the Deliver, Service and Support (DSS) domain (six) than in the Deliver and Support domain of COBIT 4.1 (thirteen). Some of these processes were moved to a higher domain within the framework. A typical example is the shift of the Manage service agreements process to the APO domain, recognizing the evolution in IT operations toward an increasing reliance on outsourcing and cloud computing.
Enabling a Holistic Approach—Organizational Systems
The fourth principle (enabling a holistic approach) explains that efficient and effective implementation of GEIT requires a holistic approach, taking into account several interacting components—processes, structures and people. This implementation challenge is related to what is described in the strategic management literature as the need for an organizational system, i.e., the way a firm gets its people to work together to carry out the business.17 Such organizational systems require the definition and application, in a holistic manner, of structures (e.g., organizational units and functions) and processes (to ensure that tasks are coordinated and integrated), as well as attention to people and relational aspects (e.g., culture, values, shared beliefs).
In applying this organizational system theory to GEIT, organizations deploy GEIT using a holistic mixture of structures, processes and relational mechanisms.18, 19 GEIT structures include organizational units and roles responsible for making IT-related decisions and for enabling contact between business and IT management decision-making functions (e.g., an IT steering committee). This can be seen as a form of blueprint for how the governance framework should be structurally organized. GEIT processes refer to the formalization and institutionalization of strategic IT decision making and IT monitoring procedures to ensure that daily behaviors are consistent with policies and provide input back to decision makers (e.g., an IT balanced scorecard). The relational mechanisms are ultimately about the active participation of, and collaborative relationship among, corporate executives, IT management and business management, and include mechanisms such as announcements, advocates and education efforts.
COBIT 5 builds on these insights. A key change in COBIT 5 is the concept of enablers. "Enablers" are defined as factors that individually and collectively influence whether something will work—in this case, governance and management over enterprise IT. The COBIT 5 framework describes seven categories of enablers (see figure 7), of which processes; organizational structures; and culture, ethics and behavior are closely related to the organizational systems concept. COBIT 5 then complements these organizational systems insights with other important enablers including principles, policies and frameworks; information; services, infrastructure and applications; and people, skills and competencies.
Separating Governance From Management—ISO/IEC 38500 (2008)
Finally, principle 5 (separating governance from management) is about the distinction COBIT 5 makes between governance and management. As discussed previously, this distinction aligns with the guidance in ISO/IEC 38500.20 In COBIT 5, ISACA states for the first time that IT governance and IT management processes cover different types of activities. The governance processes are organized following the EDM model, as proposed by ISO/IEC 38500. IT governance processes ensure that enterprise objectives are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In enterprises, IT governance should be the accountability of the board of directors or its equivalent. Based on these governance activities, business and IT management plans, builds, runs and monitors activities (a COBIT translation of Deming's Plan, Do, Check, Act [PDCA] cycle) in alignment with the direction set by the governance body to achieve the enterprise objectives.
Conclusion
In summary, GEIT is the board's accountability and responsibility, and the execution of the set direction is management's accountability and responsibility.21 COBIT 5 is primarily a framework made by and for practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, the balanced scorecard, IT savviness and organizational systems. By clearly indicating how the core elements of COBIT 5 are built on these IT and general management insights, this article provides guidance to practitioners in their endeavors to apply COBIT 5 in their organizations.
Endnotes
1 For additional details on this topic, read: De Haes, S.; R. Debreceny; W. Van Grembergen; "COBIT 5 and Enterprise Governance of Information Technology: Building Blocks and Research Opportunities," Journal of Information Systems, USA, 2013
2 De Haes, S.; W. Van Grembergen; "An Exploratory Study Into the Design of an IT Governance Minimum Baseline Through Delphi Research," Communications of AIS, USA, 2008
3 Thorp, J.; The Information Paradox, McGraw-Hill, USA, 2003
4 Van Grembergen, W.; S. De Haes; Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, USA, 2009
5 Ibid.
6 ISACA; COBIT 5, USA, 2012, www.isaca.org/cobit
7 De Haes, S.; W. Van Grembergen; "Prioritizing and Linking Business Goals and IT Goals in the Financial Sector," International Journal of IT/Business Alignment and Governance, USA, 2010
8 Van Grembergen, W.; S. De Haes; H. Van Brempt; Understanding How Business Goals Drive IT Goals, 2008, www.isaca.org
9 Op cit, Van Grembergen and De Haes, Springer, 2009
10 Kaplan, R.; D. Norton; "The Balanced Scorecard—Measures That Drive Performance," Harvard Business Review, USA, 1992
11 Van Grembergen, W.; R. Saull; S. De Haes; "Linking the IT Balanced Scorecard to the Business Objectives at a Major Canadian Financial Group," Journal of Information Technology Cases and Applications, USA, 2003
12 Weill, P.; J. Ross; IT Savvy: What Top Executives Must Know to Go From Pain to Gain, Harvard Business Press, USA, 2009
13 Ibid.
14 Ibid.
15 ISACA; COBIT 4.1, USA, 2007, www.isaca.org/cobit
16 Op cit, ISACA, 2012
17 De Wit, B.; R. Meyer; Strategy Synthesis: Resolving Strategy Paradoxes to Create Competitive Advantage, Cengage Learning EMEA, 2005
18 Peterson, R.; "Crafting IT Governance," Information Systems Management, USA, 2004
19 De Haes, S.; W. Van Grembergen; "An Exploratory Study Into IT Governance Implementations and Its Impact on Business/IT Alignment," Information Systems Management, USA, 2009
20 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC); ISO/IEC 38500:2008, Corporate governance of information technology, 2008, http://www.iso.org
21 Op cit, Van Grembergen and De Haes, Springer, 2009
Steven De Haes, Ph.D., is associate professor at the University of Antwerp and the Antwerp Management School (Belgium) and academic director of the IT Alignment and Governance (ITAG) Research Institute and of the Executive Masters in IT Governance & Assurance and in Enterprise IT Architecture. He can be contacted at steven.dehaes@ua.ac.be.
Roger Debreceny, Ph.D., is the distinguished professor of accounting in the Shidler College of Business, University of Hawaii at Manoa (USA). He can be reached at rogersd@hawaii.edu.
Wim Van Grembergen, Ph.D., is a professor at the University of Antwerp (Belgium), executive professor at the Antwerp Management School and academic director of the ITAG Research Institute. He can be contacted at wim.vangrembergen@ua.ac.be.
Source: https://www.isaca.org/resources/isaca-journal/past-issues/2013/it-policy-framework-based-on-cobit-5