The COBIT framework, with its rich knowledge repository of best practices in governance, risk, assurance, security, cybersecurity, controls, digital trust, and more, is designed to empower enterprises and professionals to be better prepared for the future, and to meet existing and emerging challenges of the digital age by enabling digital trust. The specific value of COBIT is greatly enhanced through effective implementation and especially when customized to the user’s specific needs.
COBIT has a diverse suite of publications, each designed with a specific purpose. Further, within these publications, specific components may have to be selected as required. Hence, the best strategy to understand COBIT is to have a general understanding of the complete COBIT suite of publications so that the relevant publications and components can be used as required.
COBIT is rarely implemented in its entirety; it is used selectively by selecting the relevant contents, customizing them, and implementing this customized COBIT content according to specific objectives. Therefore, the best approach to implementing COBIT is to navigate the COBIT knowledge repository to select relevant content as required, customizing, adapting, and adding relevant content as needed. (Readers may want to refer to the articles “Using COBIT 2019 to Proactively Mitigate the Impact of COVID-19” and “A Systematic Approach to Implementing a Governance System Using COBIT 2019: A COVID-19 Case Study,” which explain in detail the seven steps for implementing and customizing COBIT 2019.)
COVID-19 resulted in a drastic increase in outsourcing of IT and use of cloud computing by enterprises. In this article, we illustrate how to customize each of the specific components from the “Governance and Management” publication of COBIT 2019, using the specific scenario of benchmarking existing policies, procedures, and job descriptions in the area of cloud computing against COBIT and implementing the best practices from COBIT as required. The strategy and steps detailed here for customizing COBIT can be used not only for COBIT 2019 but also for earlier versions of COBIT, by using the specific components as applicable. The following overview provides a brief illustration of each of the COBIT components:
1. Governance or Management Objectives (GMO) Description
This is used for understanding the scope of coverage of the GMO. A quick walk-through of the description will provide a preliminary list of specific GMOs that are relevant for the purpose. These are further validated by a detailed review of governance and management practices to shortlist the specific contents of the GMOs to be used. The GMOs APO08 Managed Relationships, APO09 Managed Service Agreements and APO10 Managed Vendors are selected.
2. Purpose
This purpose statement aids in understanding the specific benefits and the value that can be achieved. This can be used for presenting the business case and setting the overall goals for the COBIT implementation project.
3. Enterprise Goals and Alignment Goals with Example Metrics
The Enterprise Goals and Alignment Goals can be selected as required and customized according to the goals and metrics of the enterprise. The enterprise goal selected is “EG08 Optimization of internal business process functionality,” and the alignment goals selected are “b. Average time to market for new I&T-related services and applications” and “c. Average time to turn strategic I&T objectives into agreed and approved initiatives.”
Selection and Customization from 7 Components of COBIT 2019 Processes: Governance or Management Practices (GMP) and Activities
1. Governance or Management Practices with Example Metrics
Use a specific GMP as a benchmark to map what is specified in COBIT to the existing practice of the enterprise. Identify the gaps/risks of the enterprise that can be bridged/mitigated by implementing the best practices of COBIT. Identify the metrics set up for the specified practice and update them as required. If additional details/guidance are required, the frameworks from the related guidance section can be used and added to the benchmark.
The practice “APO08.03 Manage the business relationship” states: “Manage the relationship between the IT service organization and its business partners. Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated.”
Based on benchmarking the current enterprise practice, the enterprise notices gaps in managing relationships and finds that roles and responsibilities are not clearly specified in the service level agreement (SLA). The enterprise updates the SLA by adding the specific roles and responsibilities of vendor and enterprise staff, and by setting relevant metrics for measuring performance.
2. Set of Activities with Capability levels
A capability level can be assigned to specific practices of the enterprise by using the relevant capability levels of COBIT Activities as a benchmark. Further, each of the tasks/activities performed in the enterprise can be mapped to identify any gaps in activities or capability level.
Based on the mapping of the enterprise’s existing activities to the COBIT Activities under the practice “APO08.03 Manage the business relationship,” the enterprise finds gaps in activities 3 and 4, which are not performed although they are critically important for the enterprise. The COBIT Activities selected are: “3. Define and communicate a complaints and escalation procedure to resolve any relationship issues” and “4. Ensure that key decisions are agreed and approved by relevant accountable stakeholders.” The enterprise implements an escalation procedure as relevant, involving the relevant stakeholders in finalizing all critical processes of outsourcing cloud computing.
Processes: Organizational Structures
The organizational structures of the enterprise for selected practices can be mapped with what is specified in COBIT to identify gaps in defining responsibilities. These gaps can be bridged by adding them in the organizational chart after discussion with the relevant enterprise stakeholders.
For the practice “APO08.03 Manage the business relationship,” it is noticed that accountability for the CIO is not documented and responsibility is not assigned to specific business process owners. The enterprise updates the organizational chart with the roles and responsibilities of the CIO and business process owners after discussion with and approval from management.
Processes: Information Flows and Items with Inputs and Outputs
The documents generated as inputs and shared as outputs for the selected GMP can be used for identifying and benchmarking the existing work products of the enterprise to identify gaps in documentation. Based on benchmarking for GMP “APO08.03 Manage the business relationship,” the enterprise finds that the input document covering “Classified and prioritized incidents and service requests” and the output document “Complaint and escalation status” are not prepared and shared internally for better monitoring of the process. Considering the criticality and relevance of these documents, a standard template for them is prepared, and after approval from the stakeholders, responsibility is assigned to specific staff for preparing and sharing these documents within the enterprise.
Processes: People, Skills and Competences
The enterprise can use the guidance from COBIT for a specific G&MP to map the personnel within the enterprise and to identify gaps in personnel or skill sets. Based on the mapping of G&MP for “APO08 — Managed Relationships,” the enterprise finds a gap in the relationship management skills of the personnel currently assigned the responsibility. Guidance from “Framework for the Information Age V6, 2015” is used to map existing skill sets against the specified skill sets, so that the personnel can be trained to bridge the gap.
Processes: Policies and Procedures
The existing policies and procedures of the enterprise are mapped against the content from COBIT for the specific G&MP, and gaps are identified that are then bridged by updating the policies and procedures as required.
Based on the mapping of G&MP for “APO08 — Managed Relationships,” the enterprise finds a gap in the “Business—IT relationship management policy,” which is expected to provide guidelines to establish and maintain relations between the business and IT, and to foster transparency, mutual trust, and a common focus on achieving strategic goals within the context of budget and risk tolerance. The enterprise updates the policy document after discussion with the stakeholders and includes aspects covering relationships, budget, and risk tolerance as relevant.
Processes: Culture, Ethics and Behavior
The enterprise reviews the existing culture, ethics and behavior, and finds gaps in the culture: there are issues with mutual trust, transparency in communication, open and understandable terms, a common language, ownership, and accountability. Further, the relationship between the business and IT within the enterprise is not harmonious, as goals are not shared due to confidentiality concerns.
The enterprise mitigates the identified issues in culture, ethics and behavior by having a process for regular communication, meetings and sharing of goals between business and IT, and promoting a culture of participation for achieving enterprise goals.
Processes: Services, Infrastructure and Applications
The enterprise reviews the existing services, infrastructure and applications, and identifies that there are more processes that can be outsourced to the cloud computing vendor to complete the process cycle.
COBIT requires collaboration platforms and internal training and awareness-building services for the specific G&MP. The enterprise improves the process of identifying what to outsource and the collaboration platform between vendor and enterprise, and conducts internal training to ensure that the business processes outsourced to the cloud computing vendor are completed on time and are monitored for performance and cost. The enterprise uses the ITIL framework as an additional reference and integrates its contents into the COBIT-based benchmark of the enterprise.
COBIT Implementation at a Micro Level
Implementing COBIT as relevant is the need of the hour in an IT-enabled enterprise to enhance digital trust and provide value by using its rich knowledge repository. The benefits of COBIT implementation can be derived not only by large enterprises but also by small and medium-sized enterprises.
The best part of COBIT is that it can be implemented not only at a macro level but also at a micro level as required. The best way to learn COBIT is to identify specific areas where there are pain points and implement COBIT best practices as relevant, to benchmark and to identify gaps and areas of improvement.
The knowledge of COBIT can empower professionals to add value in their area of work, whether it is governance, business, IT, compliance management or assurance services. COBIT can be used as the single integrated framework with its repository of global best practices to be adapted and integrated with other frameworks and existing enterprise practices. The key question in using COBIT is not whether it is applicable, but whether you know how to use COBIT to add value with maximum impact and efficiency.
About the author: Abdul Rafeq, CISA, FCA, is the managing director of Wincer Infotech Limited. He has been a COBIT evangelist, user, and trainer since the first edition of COBIT.