The government of India is focused on ensuring the effective delivery of government services to its customers who consist of citizens, businesses, tourists or anyone who may require interaction with government departments at different levels for their day-to-day activities. The government of India’s aim is to improve the lives of the nation’s citizens by doing much more than simply implementing technology.
The prime minister is addressing challenges such as sanitation, health care and urbanization through a mission approach. For example, financial inclusion, the delivery of financial services at affordable costs to vast sections of disadvantaged and low-income groups, has several missions, as illustrated in figure 1.
Figure 1—Government Schemes to Achieve Financial Inclusion
Jan Dhan Yojana
A financial inclusion mission to provide access to financial services to all sections of Indian society
To ensure that all Indian households have at least 1 bank account
Pradhan Mantri Suraksha Bima Yojana
To create a universal social security system for the poor and the underprivileged who do not have any insurance coverage
To provide an accidental death-cum-disability coverage of INR 2 lakh in the age group of 18-70 years
Pradhan Mantri Jeevan Jyoti Bima Yojana
Creating a universal social security system, targeted especially at the poor and the underprivileged who do not have any insurance coverage
To provide life insurance coverage of INR 2 lakh to Indian citizens in the age group of 18-50 years
Atal Pension Yojana
To address old-age security needs
To provide people in the age group 18-40 years a fixed monthly payment after attaining the age of 60 years
To provide capital to small/micro units to encourage entrepreneurship
To provide easy funding to 57 million small businesses
Pradhan Mantri Awas Yojana
To address the housing requirements of urban poor
To enable 20 million urban poor to own houses by the year 2022
Source: www.narendramodi.in. Reprinted with permission.
To achieve their objectives, various departments are using IT to create systems for implementing various activities, then monitoring performance to track progress and reporting back to top management who are responsible for these missions. This clearly shows that IT is playing a big role at all levels to enable officials to deliver and fulfil the objectives of these missions.
The departments have domain experts with little or no IT knowledge and have to depend largely on external consultants (IT companies) to meet their IT needs. Hence, a gap is being created between the business and IT, which results in the creation of IT assets that create little to no value for the stakeholders. The result is dissatisfied users.
The Need for IT Governance
The primary goals of IT governance are to ensure that the investments in IT generate business value and to mitigate the risk that is associated with IT. This can be done by implementing an organizational structure with well-defined roles for those responsible for information, business processes, applications and infrastructure.
IT governance should be viewed as how IT creates value that fits into the overall strategy of the organization and never be seen as a discipline on its own. In taking this approach, all stakeholders should be required to participate in the decision-making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT-related decisions are made and driven by the business.
Despite efforts of the software industry to identify and adopt best practices in the development of IT projects, there is still a high rate of failure and missed objectives. Most IT projects do not meet the organization’s objectives.
A key best practice is implementing an organizational structure, including an effective governance framework, with well-defined roles and responsibilities for IT stakeholders. Such a framework ensures that IT investments are aligned and delivered in accordance with corporate objectives and strategies.
Without this framework, IT projects are more susceptible to failure. However, many organizations fail to consider the importance of IT governance. They take on IT projects without fully understanding the organization’s requirements for the project and how the project links to the organization’s objectives.
To be successful, an organization should consider all of the following factors, which are incorporated in best practices: high-level framework, independent assurance, performance management reporting, resource management, risk management, strategic alignment and value delivery.
Among the available frameworks for IT governance and management, the COBIT 5 framework is especially well suited because it permits managers to bridge the gaps between control requirements, technical challenges and business risk. COBIT empowers clear policy development and good practice for IT control all through the organization. COBIT emphasizes regulatory compliance, helps organizations to enhance the value acquired from IT, enables alignment, and simplifies application of enterprises' IT governance and control framework.
The 5 principles of COBIT 5, depicted in figure 2, help organizations to adopt IT in a different perspective than is commonly done. That is, IT is often perceived as just a cost center that provides little to no help to the organization in fulfilling its objectives.
Figure 2—COBIT 5 Principles
Source: ISACA, COBIT 5, USA, 2012
Meeting Stakeholder Needs
In the case of government departments, the main stakeholders are the government itself, other departments, citizens and the employees of the department.
The needs of all the stakeholders must be analyzed, using the COBIT 5 goals cascade. Stakeholder needs must be mapped to IT needs, which, in turn, are mapped to enabler needs. This helps convert the needs into a more practical and achievable strategy. COBIT helps to maintain a balance between the use of available resources and the realization of the benefits by keeping in consideration the related risk.
This principle focuses on governance, negotiation and decision-making about the various conflicting needs of the stakeholders.
Covering the Enterprise End-to-End
Information plays a major role in decision-making at the government level. The timely access to information helps to frame the laws more accurately, thereby delivering benefits to the citizens.
COBIT covers the use of information and IT throughout the whole of the enterprise rather than just the IT function.
COBIT performs the integration of IT governance and enterprise governance and includes all the processes used to manage information and technology.
Applying a Single Integrated Framework
The continuous changes in technology and added pressure from stakeholders and suppliers have made the lives of various government department staffs complicated. The department staff, which has limited knowledge of technology, faces the herculean task of managing and governing its information and related technology.
COBIT 5 aligns at a high level with a number of other frameworks and methodologies, such as the IT Infrastructure Library (ITIL) and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001 standard. It can act as a single integrated framework providing enterprise coverage and consistency, and it can be customized to meet the needs of the department.
The department staff with little IT knowledge can benefit by adopting COBIT to deliver its IT solutions as per IT industry standards.
Enabling a Holistic Approach
The higher-level management of the departments makes important decisions that have a huge impact on the department staff and the department’s beneficiaries, and that will result in meeting the government’s missions. To achieve that, management needs to have a complete view of the department, including the management and governance structures and processes.
COBIT 5 facilitates effective management and governance of IT across the department by means of enablers. Enablers are the factors driving the outcome of activities that are governance- and management-related.
Enablers can be applied across the entire department, including all the internal and external resources relevant to the governance and management of IT.
There are 5 enablers defined in COBIT 5:
Principles, policies and frameworks—Perform day-to-day activities of translating required behavior into logical guidance
Processes—Consist of applications required to achieve objectives that, in turn, produce outputs required to achieve IT-related goals
Organizational structures—Responsible for making informed decisions in an organization
Information—The key product of the enterprise itself; keeps the enterprise well governed and operating successfully
People, skills and competencies—Link people with the right skills to the right tasks, and includes taking corrective steps and making corrective decisions
Separating Governance From Management
Governance and management are not the same thing. Governance says what needs to be done, while management focuses on how it will be done.
The teams handling governance and management are different. They need to demarcate their responsibilities but work in tandem to deliver on the organization’s objectives.
Governance is understanding the needs of the organization, defining the direction through prioritization and decision-making, and monitoring compliance against objectives. Management is the mechanism through which plans are created and run in line with the agreed upon objectives.
COBIT 5 clarifies that governance and management each serve different purposes, have different responsibilities, require different types of activities and need different supportive organizational structures.
COBIT 5 uses the Evaluate, Direct, and Monitor (EDM) domain for governance, and plan-build-run-monitor (PBRM) processes for management.
Governance (or EDM) ensures that the needs of the stakeholders are evaluated by identifying and agreeing on objectives to be achieved, an activity that is directed by prioritization and is monitored for performance against objectives. Management (or PBRM) ensures monitoring of the activities and confirms that they are in alignment with those described in the governance set.
COBIT can be implemented in every organization, corporate or government, to help improve IT performance. Its flexibility is because it can be customized to the needs of the organization. It starts from understanding stakeholder needs and business challenges and then utilizing the goals cascade guidelines (enterprise goals to IT goals to enabler goals). This process is not only important, but also extremely helpful and productive. It is always critical to gain senior management buy-in by showing the business benefit of using the COBIT framework.
One of the keys to successful implementation is choosing the required controls (key practices) rather than blindly following the framework and implementing the process. Ensuring that roles and responsibilities within an organization are clearly defined and shared with the team (using the responsible, accountable, consulted, informed [RACI] charts) is also critical. Dividing the improvement project into small phases helps keep the project going while the organization continues to reap the benefits, and ISACA’s COBIT 5 Implementation can be used to assist with this.
The process of adopting the COBIT framework is well supported by a number of guides from ISACA, but one should not hesitate to seek help from experts. It is important to focus more on people than on documentation. Documentation is not implementation. It is about people and educating them to behave in a new way.
Panduranga Bichal, COBIT Implementer, ISO 27001 LI, ITIL Expert, PRINCE2 Practitioner, TOGAF
Is a senior consultant with expertise in governance, risk management and compliance, risk management, IT service management, information systems security management ISO 20000 audits, and COBIT 5 implementation.