Share on:

COBIT 5: Creating Buy-in and Empowering Teams to Change

By Paul Wilkinson and Gary Hardy

COBIT Focus | 28 November 2016

It is an inescapable fact that IT is changing the way organizations do business. There is a global emphasis on “digital transformation,” which means that IT is increasingly becoming a critical enabler to realizing business value. At the same time, IT represents a significant risk if not governed effectively.

However, as the latest Draft King IV Report on IT Governance for South Africa 2016 concluded, there is a need to focus on outcomes, not just a tick in the box when it comes to governance. Another significant finding in the report was that people are the biggest risk to achieving effective governance.

As a result of this need for governance of enterprise IT (GEIT), more and more organizations are adopting COBIT as a framework and sending staff to COBIT 5 Foundation training. However, simply gaining a certificate is no guarantee that:

  • People will be able or willing to translate the theory into practice (i.e., behavior).
  • People will be able to use it to focus on outcomes, rather than as a compliance and control instrument (i.e., competence).
  • Once they return to their organization and enthusiastically try to deploy COBIT practices they will be less likely to encounter the challenges posed by people in achieving effective governance (i.e., change enablement).

As stated in chapter 5, The Need for Change Enablement, of COBIT 5 Implementation, there is not enough emphasis on managing the human, behavioral and cultural aspects of the change and motivating stakeholders to buy into the change. Change enablement is one of the biggest challenges to GEIT implementation.

Case Study

This case study shows how a business simulation game, a form of experiential learning, was used to support the COBIT Culture, Ethics and Behavior and People, Skills and Competencies enablers, and, at the same time, served as an instrument to support COBIT 5 Implementation to focus on realizing outcomes.

The simulation workshop was facilitated by Gary Hardy from ITWinners and Paul Wilkinson from GamingWorks.

In this case, the use of the simulation game took place at the ISACA South Africa Chapter’s annual conference in Johannesburg. The overall theme of the conference was Gaining the Edge—Shaping the Future. Delegates from 8 different organizations participated, all with different levels of awareness and understanding of COBIT. Some were implementing COBIT and, therefore, had a profound understanding of the framework; others, consisting of the quality auditors and process owners in attendance, were not actively involved in COBIT implementation and were, thus, less aware of the framework’s content and scope.

Participants had a variety of learning objectives:

  • Building awareness of COBIT and IT best practices and how they can support the quality and audit function
  • Gaining more buy-in for COBIT within the organization. Some delegates recognized the “tick in the box” attitude within their oganizations rather than using COBIT to create a sustainable change in behaviors.
  • Identifying how COBIT can solve some of the issues organizations currently face
  • Getting senior management buy-in to COBIT
  • Improving the chance of success with a COBIT implementation

As can be seen from the list of learning objectives, delegates were at various phases within the change enablement life cycle.

Some of the quotes from delegates who attended the simulation workshop include:

  • “Connected the dots”
  • “Lightbulb for me”
  • “Eye opener”
  • “Made COBIT come alive”
  • “Showed the value of one team”
  • “Understood the big picture”
  • “Turned an academic subject into the real world”

In figure 1, the left-hand column identifies COBIT guidance and good practices. The right-hand column shows how this guidance and these practices are supported in the simulation game.

Figure 1—COBIT Guidance Supported by the Simulation Game

COBIT Value Creation

Simulation Game Enablement

“Enterprises exist to create value for their stakeholders. Consequently, any enterprise—commercial or not—will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk.”1

In the simulation game, delegates focus not just on compliance and control and using COBIT as an audit instrument; the business goals in the game are focused on benefits realization (revenue, growth), as well as mitigating risk and balancing resources between keeping the lights on and digital transformation. COBIT is also used as a dialog instrument between business and IT, and as an assessment and improvement instrument.

COBIT 5 Implementation: Phases in the Change Enablement Life Cycle Create the Appropriate Environment

Simulation Game Enablement.
The Simulation Game Was Used to:

Establish the Desire to Change

“…Current pain points and trigger events can provide a good foundation for establishing the desire to change.”2

Pinpoint and gain a recognition of current pain points, and more importantly the impact on business drivers and outcomes, which helped create a desire to change. People saw, felt and experienced the need to change.

Delegates also discovered how using the simulation with their own internal stakeholders could create a shared, recognized need for change’.

Form an Effective Implementation Team

“…It is important to identify potential change agents within different parts of the business that the core team can work with.”

Empower delegates to become change agents. During the game delegates needed to demonstrate their skills for convincing, coaching, giving feedback and facilitating an improvement meeting.

Delegates also recognized how the simulation could be used with internal teams and stakeholders to identify further potential change agents.

Communicate Desired Vision

“...The emphasis is on two-way communication. Reactions, suggestions and other feedback should be acted upon and captured.”

Create a dialogue and solicit reactions, feedback, suggestions and share real-life examples.

Delegates also recognized how the simulation can be used with internal stakeholders to communicate the reason for COBIT within their own organization, to identify buy-in and resistance, and to structure and capture feedback.

Empower Role Players and Identify Quick Wins

“…It is imperative to use a participative approach in the design and building of the core improvements. By engaging those affected by the change in the actual design, e.g., through workshops and review sessions, buy-in can be increased.”3

Test and apply COBIT practices, identify current weakness and more importantly at the end of the session improvement suggestions are captured as takeaway actions (individual and organizational level).

Delegates recognized how the simulation game can be used to engage various stakeholders (business and IT) representing the end-to-end delivery chain. These stakeholders work together creating a shared desire to change, buy-in and empower people to provide input to the improvements needed.

Culture, Ethics and Behavior Enabler Good Practices

Simulation Game Enablement.
The Simulation Game Was Used to:

“…Communication throughout the enterprise of desired behaviours and the underlying corporate values.”4

Explore, identify and capture a shared view of “desirable behaviors” required to govern and manage IT effectively. At the same time recognize current “undesired behaviors” that are a barrier to success.

Delegates also recognized how the game can be used to communicate and to experiment with defined desired and undesired behaviors.

“…Awareness of desired behavior is strengthened by the example behavior exercised by senior management”.5

Show the impact of “undesirable behavior” on the business goals and outcomes and to see the impact when desirable behavior is applied.

Capture desirable behavior and improvement actions that the delegates want to take away and apply.

Delegates also recognized how the simulation can be used to capture improvements in behavior and processes from within their own teams and organization, and how senior management can demonstrate their commitment to following up on these captured improvements.

The culture, ethics and behavior enabler describes links to other enablers. For the purpose of this case, the most significant was:

“…Processes can be designed to a level of perfection, but if the stakeholders of the process do not wish to execute the process activities as intended—i.e., if their behavior is one of noncompliance—process outcomes will not be achieved.”6

By seeing, feeling and experiencing the impact of applying processes and desirable behaviors there is buy-in and commitment to follow agreed processes.

Delegates also recognized how the simulation can be used to engage various stakeholders in assessing and improving processes and for recognizing the impact when procedures are circumvented.

People, Skills and Competencies Enabler Good Practice

Simulation Game Enablement.
The Simulation Game Was Used to:

“…Defining the need for objective skill requirements for each role played by the various stakeholders.”7

Allow stakeholders to test new behaviors and skill sets and identify needs to develop new skills.

Source: P. Wilkinson. Reprinted with permission.

The Business Simulation Workshop

Grab@Pizza8 is a dynamic, interactive, classroom-based business simulation experience. It is a form of experiential learning or learning by doing.

Grab@Pizza is a very successful company selling millions of pizzas every year, but after 6 months in the current year, the sales figures are far below expectations. IT is posing a significant business risk due to downtime and the inability of IT to respond to changing business needs (risk optimization). The chief executive officer (CEO) urges the business manager to make a challenging recovery plan. This plan is based on a 6-month strategy to bring the sales and profit back on target (benefit realization). Existing IT capabilities are poor and resources are tied up in “keeping the lights on” rather than supporting and enabling new innovations. The IT department must ensure the appropriate capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided to ensure both benefits realization and risk mitigation (resource optimization).

The simulation game has the following roles:

  • Three business unit directors with separate goals
  • IT director
  • IT finance
  • IT operations
  • Application development
  • Change management
  • IT support
  • Supplier

These roles represent the complete end-to-end value chain with the game facilitator playing the role of the CEO.

The simulation is played in a number of game rounds and encourages interaction and the exchange of practical insights and approaches, and it explores how to use these frameworks and concepts to solve recognized issues. The simulation can be played with both business and IT delegates.

The Current Reality: “Us and Them”

The first game round was characterized by chaos; there were unclear roles and responsibilities, particularly concerning prioritization and decision making. Processes were either unstructured or not being followed, causing delays and mistakes. There was a clear divide between business and IT in terms of communication and collaboration.

As one delegate reflected, shaking his head, “This is painful and frustrating. It is just like our daily reality.”

As can be seen, the experience helped create a desire for change and recognition of current pain points.

The team had created an “us and them” culture resulting in a lack of trust. This was partly fueled by IT and business both speaking in different terms. The business was talking in terms of business processes and outcomes; IT was talking in terms of infrastructure changes and percentages and volumes of incidents and changes realized.

The result of the first game round was US $9 million lost due to downtime and a US $25 million loss of revenue as a result of failing to deploy a new business initiative.

“I‘m not happy,” said the chief information officer (CIO). “I understand that delegates have had COBIT training. Let them show me how they can translate all that theory into practice to save my business.”

Between game rounds, the team then explored “undesirable” and “desirable” behaviors and how:

  • The COBIT goals cascade could be used to help business and IT align and agree on their strategic goals.
  • The IT goals could then be mapped to the enabling processes.
  • The relevant process owners could be given the process enabler activities and be made responsible for assessing weaknesses and identifying improvements.
  • The business relationship manager (BRM) role could facilitate a continual service improvement session to capture all identified improvements and help business and IT communicate in terms of value creation.
  • To classify and create transparency in all types of changes and map these to business benefits vs. risk optimization (business case)
  • To use problem management to gain a better understanding of incidents relating to changes
  • To ensure service level agreements (SLAs) are related to business outcomes and not internal key performance indicators (KPIs)
  • To ensure that IT support understands the business impact of outages to aid with prioritization
  • To deal with resource conflicts. Not all improvement actions can be implemented at once. As the team had learned in the ISACA conference, “The business case is everything.”
  • To prioritize. The team, both business and IT, agreed on how to prioritize their portfolios based on agreed performance goals—which improvements help enable benefits realization or help mitigate risk caused by mistakes, delays and downtime.
  • To ensure that, for each improvement action, the responsible, accountable, consulted and informed (RACI) model (for both business and IT) was agreed on, especially the decision-making authorities

From Alignment to Convergence

In the final game round, the team acted as a converged team focused on the business outcomes.

The processes were aligned. Information to enable prioritization and decision making flowed swiftly and smoothly throughout the organization.

When resourcing and prioritization issues arose, decision-making authorities were clear. Business goals and performance demands (benefits to be realized, risk to be mitigated) drove the prioritization.

The team built a visible portfolio of business projects relating to changes. All changes had a business case; all were discussed in terms of impact on revenue growth, preventing revenue loss or the potential damage to business reputation.

Theory to Practice: Knowledge Translated Into Results

In the final game round, US $27 million additional revenue was generated, downtime loss was reduced from US $9 million to less than US $1 million and the portfolio of projects and initiatives necessary to realize the ultimate goal—the Super Bowl—were agreed on and planned. There was clear visibility at strategic, tactical and operational levels (figure 2).

Figure 2—Grab@Pizza Team in Action

Source: P. Wilkinson. Reprinted with permission.

At the end of the session, the delegates were asked, “What did you apply today in this simulation that you will now take away and apply in your organization to help you shape the future and bring business and IT convergence a step closer?” The responses included:

  • Include business representation in the change advisory board (CAB) to support and empower decision making (e.g., benefits realization vs. risk optimization).
  • “Fingers on the data”—Quantify business benefit and risk in terms of revenue/value.
  • Analyze problems properly. Problem management can identify where value leakage occurs and the impact on risk and benefits throughout the complete end-to-end chain.
  • Problem managers need to learn to make a business case. This means understanding business impact, business strategy and goals.
  • The service desk can help determine impact on business (BRM can help play a role by understanding each business unit, their critical business times, the actual impact of downtime).
  • There is no substitute for structured roles and tasks. Go back and review and agree on these.
  • Simplify the scenario (end-to-end processes that are fit-for-use and fit-for-purpose; avoid processes for the sake of processes).
  • See the big picture (start with understanding the business drivers and the goals cascade).
  • Use end-to-end communication (information needs, priority and decision making) and confirm these needs, ensuring they are then embedded into the processes.
  • Value of a BRM—a partner role to both the business and IT
  • Business must own everything, including projects, business cases, what is the need vs. what is a want, decision making and escalation authorities.
  • Sharing relevant information throughout the delivery chain
  • Business and IT must collaborate if an organization is to be successful. Create trust and credibility and break down the “us and them” attitude and behavior.
  • Change the language used. Take out the “I,” and talk about business outcomes, value creation, benefits vs. risk and quantifying these in business performance terms rather than internal IT metrics.


The simulation experience brought the theory alive, translating COBIT, which is sometimes seen as an academic subject, into the real world. Delegates understood the importance of acting as one team with the business. They gained an edge in shaping the future of their organizations by capturing improvement actions to take away and help bring the convergence of business and IT a step closer. This type of experiential learning helps people translate theory learned in a COBIT Foundation or Implementation course into practice and can be used by COBIT practitioners as a change enablement instrument.

One Month Later: What Did You Do Differently?

“My key take away was that IT must always ensure that it support business to achieve their strategic objectives by implementing all projects based on a business case, doing prioritization of all the IT projects based on business needs and revenue generation for the organization taking into consideration the budget required. Lastly, the role of a BRM is extremely important to ensure that there is always clear communication between IT and business. Now that I have understood the importance of not starting an IT project without a business case, I am educating my executives about it. I am also introducing SLAs between IT and business.” –CIO of a public organization

Paul Wilkinson

Is co-owner and director of GamingWorks, developers of business simulation games used to support personal, team and organizational learning and development. He has more than 30 years of experience in the IT industry fulfilling a wide range of positions, from IT operator to IT operations manager, before switching to the consulting industry. He was a co-author of the ITIL publication Planning to Implement Service Management and was a member of the ITIL V3 advisory group and the ITIL practitioner architects team. Wilkinson has been actively engaged in an organizational change advisory role with hundreds of international organizations adopting best practices such as ITIL, BRM and COBIT.

Gary Hardy

Has more than 30 years of experience in the IT industry. He has held director level positions at Deloitte and Arthur Andersen and also with one of the UK’s leading IT security companies. He is a long-standing member of ISACA, a past board member, UK chapter President, and regional vice president. Hardy was one of 3 people who created COBIT in 1992 and has been a key member of ISACA’s COBIT development team for the past 20 years. He was a lead developer of all the COBIT versions including COBIT 5.


1 ISACA, COBIT 5, USA, 2012
2 ISACA, COBIT 5 Implementation , USA, 2012, chapter 5 Enabling Change
3 Ibid.
4 Op cit, COBIT 5
5 Ibid.
6 Ibid.
7 Ibid.
8 Gamingworks, Grab@Pizza , Business simulations