COBIT 5 in an organization is an ambitious aspiration and a noteworthy endeavor. It demonstrates the maturity, willingness
and commitment to improve. However, practical implementation challenges are often daunting and numerous. While the COBIT
5 framework and the COBIT 5 Implementation guide, along with several other references, do provide a very solid foundation
on which to build, it often helps to take
lessons from “tales from the trenches” directly from COBIT 5 trainers and implementation specialists.
Here are some quick tips from a trainer to steer those who are planning to initiate and implement COBIT 5 in their organizations
in the right direction.
Leverage the Enterprise Context to Create an Appropriate Environment for Change Enablement
Some common attributes or comparable parameters may exist in every type of organization, but each organization has its own
unique enterprise context, its own unique set of stakeholders and their expectations for value creation, its own unique
business regimen and organizational culture, and its own unique history and future aspirations.
One of the most critical steps is to identify and use this unique enterprise context to understand the various internal
and external drivers and how they may impact the organization and its stakeholders. These could be related to emergent
technological, evolutionary or environmental factors that may influence the stakeholders’ needs and should be mapped
to create an appropriate environment for change enablement.
Identify the Pain Areas or Trigger Events to Relate With the Enterprise Context
Every organization has its own sore points, whether it acknowledges them or not. By virtue of simply existing in a constantly
changing environment, an organization is also subjected to business environmental factors that may impact or influence
the decisions of the stakeholders or the business owners.
Identifying and understanding the known problematic areas and opportunities for improvement, or even potential emerging
threats or major board-level decisions of an organization in its unique context, can help establish the desire to change
and ensure the justification of the change is relevant to the stakeholders.
Use the Goals Cascade to Align the Business Strategies to the IT Strategies
A challenge for any organization is to align its business objectives with IT objectives and operations. Frequent and chronic
misalignment between these 2 usually shows up as pain points within the organization. Furthermore, such misalignments
breed negative perceptions about IT not being able to create value or inspire trust for the business owners.
COBIT 5 recommends using the balanced scorecard (BSC) and directly linking the 17 most common enterprise goals to the
17 most common IT-related goals, cascading through the hierarchy of governance to management and, finally, to operations.
Hence, the goals cascade is one of the most useful mechanisms to directly address alignment issues.
Assess the Current State of Processes to Help Prioritize IT Initiatives
Defining and measuring the organizational processes as they mature and improve over a period of time are necessary and important
activities. They help the organization define the starting point as a reference for critical processes, and then specify
the target state as a baseline where these processes need to be, with sufficient capabilities to support the business
outcomes of the organization.
With the help of the goals cascade, specific IT processes can be selected and prioritized based on their criticality
to the business. Recording the as-is state of current capabilities and identifying existing deficiencies help justify
the business case for the desired state of capabilities of existing and future IT initiatives.
Create the Business Case to Secure Top Management Commitment
Business cases justify the investments for IT initiatives in a language that business owners and key business decision makers
understand. Since the business case tracks the IT investment across its full economic life cycle, it gives the decision
makers more accountability and visibility and, in turn, helps get their direction and insights at each strategic milestone.
A business case for COBIT 5 implementation definitely helps secure the continued commitment from top management and also
helps secure the required resources for the selected IT initiatives. It also ensures the engagement of the right stakeholders
and clear articulation, communication and tracking of the expected business benefits from the IT initiatives over the
entire economic life cycle of the IT investment.
Initiate the Implementation Program to Kick Off the IT Projects
Based on the approved business case, a well-defined program can be chartered for starting off the constituent IT projects.
An organization’s resources can then be focused on the development of feasible and practical IT solutions to specifically
address the gaps in the previously defined target state of the selected processes and IT capabilities.
A well-developed and justifiable business case for COBIT 5 helps to make sure that all the selected IT projects have
continuing support from top management from the beginning, and the expected business benefits are continuously monitored.
Furthermore, the alignment of outputs from IT projects to business objectives helps muster support from the affected
business and IT process owners.
Monitor Performance Metrics to Sustain Continual Improvement Initiatives
No enterprisewide initiative can be just a one-off endeavor. To ensure value creation is sustained, a continual approach
for organizational commitment toward improvement and maturity is crucial. Key performance indicators (KPIs) need to be
identified, defined and monitored. Effective preventive and corrective interventions must be applied at appropriate stages.
By identifying quick wins and monitoring enterprise goals, IT-related goals, enabler goals and process goals at regular
intervals, initial success can be easily communicated with stakeholders. Improved capabilities and maturity can be easily
transitioned into normal day-to-day practices and operations, thereby ensuring continued engagement and support from
the business.
These tips are listed in a chronological order, but they can be adapted as appropriate to the enterprise context and
the maturity of the organization. The most important aspect of implementing COBIT 5 is to adapt and tailor it to
the organization's context (figure 1). While it may seem to be a long journey, it definitely demonstrates the benefits at the appropriate
stages to the relevant stakeholders. The key is to select the most critical and relevant few processes to begin with
and then steadily mature other supporting processes in the long run. It is a marathon, not a sprint.
Figure 1—Fitting COBIT 5 to the Enterprise and the Business Environment
Rohit Banerjee, CRISC, CGEIT, COBIT 5 Implementation, CSX Foundation, ISO/IEC 27001 Lead Auditor, ISO/IEC 38500 Lead IT Corporate Governance Manager, ISO 21500 Lead Project Manager, ISO 9001 Lead Auditor and Lead Implementer, ITIL v3 2011 Foundation, MSP Practitioner, PRINCE2, PMP, Six Sigma Black Belt
Is an enterprise IT governance, risk management, and compliance trainer; consultant; auditor/assessor; and an emerging thought leader and speaker at international technology and management forums and conferences. He is currently the principal consultant for MAGE IT Training and Consulting Private Limited. Previously, Banerjee was IT governance and IT project management office consultant at the Ministry of Manpower, Sultanate of Oman. He has also served as director of the ISACA Muscat (Oman) Chapter for the Certified in the Governance of Enterprise IT (CGEIT)/Certified in Risk and Information Systems Control (CRISC) certifications, an ISACA International volunteer, and a volunteer for Project Management Institute International and Project Management Institute Oman. Banerjee has authored technical research papers and articles and has been published in international journals and magazines. He is currently the only official APMG Accredited COBIT 5 independent trainer for Oman and is one of the very few independent trainers in the Middle East and African regions. He can be reached at Rohit@mageit.in.