We are living in exciting times where the impact of disruptive technology is seen in all aspects of our professional and personal lives. We are witnessing the phenomenal pace of technology change and the resultant impact on enterprises in terms of innovative business processes facilitated by information systems with underlying technology. This technology tsunami impacts governance, risk, compliance, assurance and processes of management of information and technology (I&T).
Despite these rapid changes, the need for enterprises to enhance stakeholder value and for professionals to add value remains unchanged. This need can be met through the use of an overriding governance and management framework to home in on which information systems and processes should be prioritized to get the greatest return for enterprise governance of I&T (EGIT). This, in turn, will optimize meeting enterprise objectives.
Information is said to be the currency of 21st century, and digital information is enabled by technology and underlying information systems. The era of managing technology as boxes insulated from the business is outdated. It has become imperative to bring about a paradigm shift in the way technology is deployed in enterprises and to ensure involvement of senior technology management as a strategic partner. Data are said to be the new oil, but without the appropriate information systems and related technology, the power of data cannot be harnessed effectively. Hence, there is a need to use an I&T framework that has a built-in connection between information, information systems and related technology.
Value of COBIT for Enterprises and Professionals
COBIT is the I&T framework that facilitates enterprise governance of information technology. This is an era of dynamic changes which is creating new enterprises with new digital service offerings enabled by disruptive technology. This impacts both enterprises and professionals. Over the last 20 years, COBIT has been continuously evolving in its quest to enable enterprises and professionals to create optimal value from information and related technology. This evolution has ensured the continuing relevance of COBIT to enterprises in the digital age, which have to deploy new digital platforms and technologies to survive and thrive. Whether it is improving/implementing governance and management of IT, IT/IS/information/cybersecurity, risk management, compliances, assurance, strategic alignment, etc., for enterprises (large, medium or small), COBIT can help deliver business benefits.
COBIT and Knowledge Workers
Modern enterprises require knowledge workers who can contribute value by using systemic thinking and who can apply a systematic approach, best practices and the tools to make effective use of I&T as applicable. COBIT provides an integrated governance and management perspective and best practices that empower professionals to upgrade skills to remain relevant. Age-old methodologies cannot be applied to new age technologies. New digital platforms and business models require new insights and perspectives. Enterprises require innovative information systems and business processes with the right blend of availability and controls. COBIT 2019 provides a holistic approach to implement the right level of controls under an umbrella framework within a tightly woven governance and management framework. COBIT best practices provide practical, actionable insights to add value.
Tailoring Governance: The Challenges
COBIT 2019 has evolved into multiple publications to meet the diverse needs of multiple users. New users may be lost in the maze of content and this, coupled with an incomplete understanding of the framework, makes COBIT look complex. Mere understanding of the core principles and content of COBIT is not enough to ensure effective implementation. The COBIT knowledge repository is vast and extensive, and there are few enterprises that will need to implement COBIT in its entirety.
Most enterprises will use and adapt COBIT per their specific needs. The goals cascade of COBIT is a useful tool for selecting the processes and related contents, but it does not consider many critical factors and is very generic and subjective. Hence, there was a need for a standard tool/approach to select and customize governance content based on COBIT tailored to enterprise needs. The key differentiator in using COBIT is to know the why before the what. This requires skills to drill down into relevant COBIT contents and select relevant best practices and adapt them for use as required. This ability is very subjective and varies depending on the skill sets of users/implementors of COBIT. Thus, there was a dire need for a standard approach and framework to select relevant COBIT content to optimize governance practices within an enterprise.
COBIT Design Factors: The Solution
The COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, provides the solution to the previously stated challenges. This Design Guide helps users design a customized governance solution for enterprise I&T by considering all critical factors (known as design factors). The COBIT 2019 Design Guide also satisfies the following COBIT principles:
Dynamic governance system—A governance system should be dynamic. This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT leads toward a viable and future-proof EGIT system.
Tailored to enterprise needs—An effective governance system must be tailored to the enterprise’s needs using a set of design factors as parameters to customize and prioritize the governance system components.
Tailoring Governance as per COBIT’s Design Factors
COBIT is a generic framework, hence, it must be tailored to the needs of the enterprise, which are dynamic in nature. Every enterprise, whether large, medium or small, is unique due to the specific stakeholder needs, mission, vision and goals, business processes, organization structure, technology deployed, compliance requirements, and management style. Hence, there can be no one-size-fits-all governance system for enterprise I&T. COBIT implementation requires considering key factors such as: the enterprise’s own distinct character and profile, size, industry sector, regulatory landscape, threat landscape, role of IT in the organization, tactical technology-related choices, and other relevant attributes. COBIT 2019 refers to these, collectively, as design factors, which the enterprise must consider in tailoring its governance systems to realize the most value from its use of I&T. Tailoring means that an enterprise should start from the COBIT core model and from there, apply changes to the generic framework based on the relevance and importance of a series of design factors. This process is called designing the governance system for enterprise I&T.
What Are Design Factors?
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of information and technology. Design factors include the goals cascade of an enterprise and includes additional design factors broadly categorized as:
Contextual—Design factors that are outside the control of the enterprise (e.g., its size, geopolitical situation or threat landscape)
Strategic—Design factors that reflect decisions made by the enterprise (e.g., the enterprise strategy, the role of IT for the success of the enterprise or formulation of risk appetite)
Tactical—Design factors that are based on implementation choices regarding resourcing models (e.g., outsourcing, cloud), IT methods (e.g., Agile, DevOps) and technology adoption choices (e.g., bleeding/leading edge.).
There are 11 design factors in the COBIT 2019 Design Guide (figure 1), which can be further refined as required.
Figure 1—COBIT Design Factors
Source: ISACA, COBIT 2019, USA, 2018. Reprinted with permission.
How to Use COBIT Design Factors
The different stages and steps in the design process are provided in the COBIT 2019 Design Guide. Following this approach will result in recommendations for prioritizing governance and management objectives or related governance system components, for target capability levels or for adopting specific variants of a governance system component. The recommended workflow for using the design factors can be seen in figure 2.
Figure 2—Governance System Design Workflow
Source: ISACA, COBIT 2019, USA, 2018. Reprinted with permission.
It is strongly recommended that users download the COBIT 2019 Design Guide Tool Kit—an Excel tool that facilitates the governance system design workflow. This tool kit includes a sample template with filled-in data that can be used as a reference. The tool kit, however, is intended to be a working document, and users should modify the data to reflect the enterprise’s particular context. Further, it is not necessary to use all the design factors, only what is required by the particular enterprise. The design factors are not prescriptive but are generally applicable. Hence, practitioners may use the design factors and its approach to understand the perspective and adapt it considering the enterprise’s context and objective.
For enterprises in the digital age, for whom technology is not just an enabler but the key differentiator to ensure strategic success, it is critical to deploy I&T with strong governance at the center. COBIT 2019 defines the components to build and sustain a governance system. COBIT 2019 also defines the design factors that should be considered by enterprises to build a best fit, tailored governance system. The ultimate objective of the design factors is to select specific processes/content from the COBIT core model as relevant and adapt and prioritize this content as required. Hence, a certain level of experience and a thorough understanding of the enterprise is required. Such experience and understanding allows users to customize core COBIT guidance into tailored and focused guidance for the enterprise.
CA. Abdul Rafeq, CISA, CGEIT, FCA
Is the managing director of Wincer Infotech Limited. He has been a COBIT evangelist, COBIT user and trainer since the first edition of COBIT.