The COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution outlines a robust, logical and quantifiable process for designing a governance system over enterprise information and technology (I&T).1 Its methodology, examples and tools update COBIT 5 in several critical respects: new concepts including design factors and focus areas increase flexibility and help enterprises customize the design process. While COBIT 2019 improves enterprise adaptability to the unique dynamics of any industry and local context, the framework also promotes and encourages methodological innovation on the part of practitioners in the field. This article proposes an alternative for defining target capability levels, and thus, further enhances COBIT’s responsiveness to any enterprise’s environment and goals.
Current Methodology in COBIT 2019: Defining Target Capability Levels
Organizations applying the design process in COBIT 2019 must first understand the enterprise context and strategy. From there, the organization determines the initial scope of the governance system, based on 4 design factors, and then refines the scope, considering 7 additional design factors. Finally, the enterprise resolves inherent priority conflicts among governance and management objectives, assigns a target process capability level for each objective, and concludes the governance system design.
In the COBIT 2019 Design Guide, Chapter 7 describes 3 representative examples of the application of the governance system design process. Example 1 refers to a corporation that manufactures goods, is a large enterprise, is very cost conscious and desires to be a cost leader in its market.
Figure 7.28 in the COBIT 2019 Design Guide shows the proposed target capability levels for processes underlying the most important governance and management objectives selected by the model manufacturer through its design procedure. Figure 1 replicates this information.
Figure 1—Governance and Management Objectives and Target Process Capability Levels for Chapter 7, Example 1 of COBIT 2019 Design Guide
Ensured risk optimization
Ensured resource optimization
Managed budget and costs
Managed service level agreements
Managed IT changes
Managed service requests and incidents
Managed security services
Managed business process controls
Managed system of internal control
Managed compliance with external requirements
Source: ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, figure 7.28. Reprinted with permission.
Figure 1 presents the reference, governance or management objective title, and the target capability level at which the related processes should be implemented. At this stage, target capability levels reflect manual refinements by the sample manufacturing enterprise.
Section 220.127.116.11 of the COBIT 2019 Design Guide explains the enterprise’s logic for adjusting target capability levels, as follows:
Given the high importance of a number of processes, the target capability level has been set at a higher value (3 or 4). The logic applied by the enterprise was that:
- Any governance/management objective that scored 75 or higher—meaning that its importance was at least 75% higher compared to a benchmark situation—would require a capability level 4.
- Any governance/management objective that scored 50 or higher would require a capability level 3. Any governance/management objective that scored 25 or higher would require a capability level 2.
It is reasonable to consider that the remaining processes should reach capability level 1.2
To customize its results, the enterprise refines the governance and management objective scores resulting automatically from standard calculations in the design process based on enterprise context and goals. Then, the enterprise further adjusts target capability levels for processes related to high-scoring objectives. In this method, the governance and management objective score is an important factor used to set the target capability level for related processes—and all processes under objectives with the same score received the same, single capability level.
An Alternative Methodology for Defining Target Capability Levels
The proposed alternative methodology defines more nuanced capability levels for processes related to a single objective. It starts with the characteristics of capability levels defined in figure 6.2, Capability Levels for Processes, in COBIT 2019 Framework: Introduction and Methodology.
These characteristics are:
Level 0—The process lacks basic capability and reflects an incomplete approach to address the governance and management purpose; it may or may not be meeting the intent of any process practices.
Level 1—The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.
Level 2—The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
Level 3—The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
Level 4—The process achieves its purpose, is well defined and its performance is quantitatively measured.
Level 5—The process achieves its purpose, is well defined, its performance is measured to improve performance and continuous improvement is pursued.
Activities of the processes can be rated according to a simple binary pass/fail rating, or in a more detailed—and fully differentiated—way, using achievement ratings similar to those defined in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard ISO/IEC 33004, as follows:
Fully (F)—The capability level is achieved for more than 85 percent. (This remains a judgment call, but it can be substantiated by the examination or assessment of the components of the enabler, such as process activities, process goals or organizational structure good practices.)
Largely (L)—The capability level is achieved between 50 percent and 85 percent.
Partially (P)—The capability level is achieved between 15 percent and 50 percent.
Not (N)—The capability level is achieved less than 15 percent.3
To introduce more flexibility—and recognize the fact that not all processes or activities are uniformly critical—the step-by-step procedure of the proposed method is:
- For every process in an organization's list—regardless of its governance and management objective score—the desired rating (N, P, L or F) should be assigned for every activity in level 2.
It is important to remember that in level 2, the process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. Next, organizations should proceed as follows:
- If all level 2 activities in every practice have been rated L or F, this process, at least, has to attend the requirements of level 2.
- If any level 2 activities in all practices of the process have been rated N or P, then:
- Evaluate whether to reach the goals defined for this process, it is necessary, somehow, to achieve its purpose.
• If it is necessary, then a capability level of 1 should be the target for the process.
• Otherwise, the process should be set aside.
- For every process on the list that has been assigned a level 2 capability, the desired rating (N, P, L or F) should be assigned for every activity in level 3.
It is important to remember that in level 3, the process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined. Then, organizations should proceed as follows:
- If all level 3 activities in every practice have been rated L or F, the process, at least, has to attend the requirements of level 3.
- If any level 3 activities in all practices of the process have been rated N or P, then:
- Assign a target of level 2 for the process.
- For every process in the list that has been assigned a level 3 capability, the desired rating (N, P, L or F) should be assigned for every activity in level 4.
Remember that in level 4, the process achieves its purpose, is well defined and its performance is quantitatively measured. Then, organizations should proceed as follows:
- If all level 4 activities in every practice have been rated L or F, the process, at least, has to attend the requirements of level 4.
- If any level 4 activities in all practices of this process have been rated N or P, then:
- A target of level 3 should be assigned for this process.
- For every process in the list that has been assigned a level 4 capability, the desired rating (N, P, L or F) should be assigned for every activity in level 5. If level 5 activities have not been defined for this process, then the process target level is 4. If there are level 5 activities for the process, then organizations should continue.
Remember that in level 5, the process achieves its purpose, is well defined, its performance is measured to improve performance and continuous improvement is pursued. Proceeding to the next steps, then:
- If all level 5 activities in every practice have been rated L or F, the process has to attend the requirements of level 5.
- If any level 5 activities in all practices of the process have been rated N or P, then:
- A target of level 4 for this process should be assigned.
Influence of Other Processes
The influence that each process can have on other selected processes is important in distinguishing relative target capability levels. In its column headings, figure 2 presents the highest-scoring objectives from figure 1—namely APO06, APO13, BAI10, DSS02, DSS03 and DSS04. In its rows, figure 2 lists objectives processes with lower target capability levels. Each cell designates the number of outputs that a lower-scoring process sends to the highest-scoring processes.
Figure 2—Outputs From Lower-Scoring Processes to Higher-Scoring Processes
In computer science, the phrase “garbage in, garbage out (GIGO)” describes the concept that flawed input data produce flawed output data. The same is true for COBIT 2019 processes. The outputs of a process depend not only on its capability level but also on the quality of its inputs.
In the case of Example 1 in the COBIT 2019 Design Guide, one can see, for instance, that objective MEA02 Managed System of Internal Control has been assigned a low target capability level of 2. However, by analyzing figure 2, it is possible to conclude that MEA02 and its associated processes are essential because it sends outputs to every one of the top-scoring objectives. Therefore, it is not advisable to assign a low capability level to MEA02 automatically. Evaluating what capability level will be sufficient for MEA02 to provide the outputs required by other processes is recommended.
To cope with this situation, managers should follow the step-by-step procedure proposed in the previous section and evaluate whether, in fact, a low target capability level should be assigned to objectives such as MEA02, MEA04 and APO11, since they highly influence critical objectives and processes. In that way, one can guarantee quality inputs for the top-scoring processes.
This article proposes an alternative, step-by-step procedure to define process target capability levels. This procedure demonstrates that it is possible to supplement the COBIT 2019 design process and define process target capability levels in a more robust manner.
By assigning the desired rating (N, P, L or F) for every activity in the different capability levels, organizations can become aware of the efforts needed to improve the most important capabilities.
Also, by taking into account the interdependencies between processes, organizations can discern the most influential processes that impact other, high-scoring processes.
Joao Souza Neto, Ph.D., CRISC, CGEIT, COBIT Certified Assessor
Has more than 15 years of experience in IT governance, applying the COBIT framework in the Brazil Post. He is also responsible for the IT governance research area at the Universidade Catolica de Brasilia (Brazil). He is the founder and vice-president of the ISACA Brasilia (Brazil) Chapter.
Is an IT governance researcher, INOV—Inesc Inovação. He is also a Ph.D. student at Instituto Superior Técnico, University (Lisbon, Portugal).
Miguel Mira da Silva, Ph.D.
Is an associate professor of Information Systems at the Instituto Superior Técnico in the University of Lisbon (Portugal) and a research group leader at INOV INESC Inovação.
1 ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018
2 Ibid., p. 91
3 International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 33004:2015, Information technology—Process Assessment—Requirements for process reference, process assessment and maturity models, Switzerland, 2015, referenced in ISACA, COBIT 2019 Framework: Introduction and Methodology