Monday, October 14, 2013

IT Governance - COBIT 5 version - S1E9 - The COBIT 5 Process Capability Model


Users of COBIT 4.1, Risk IT and Val IT are familiar with the process maturity models included in those frameworks. These models are used to measure the current or ‘as-is’ maturity of an enterprise’s IT-related processes, to define a required ‘to-be’ state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level.

The COBIT 5 product set includes a process capability model, based on the internationally recognized ISO/IEC 15504 Software Engineering—Process Assessment standard. This model will achieve the same overall objectives of process assessment and process improvement support, i.e., it will provide a means to measure the performance of any of the governance (EDM-based) processes or management (PBRM-based) processes, and will allow areas for improvement to be identified.

However, the new model is different from the COBIT 4.1 maturity model in its design and use, and for that reason, the following topics are discussed:
• Differences between the COBIT 5 and the COBIT 4.1 models
• Benefits of the COBIT 5 model
• Summary of the differences that COBIT 5 users will encounter in practice
• Performing a COBIT 5 capability assessment

Although this approach will provide valuable information about the state of processes, processes are just one of the seven governance and management enablers. By consequence, process assessments will not provide the full picture on the state of governance of an enterprise. For that, the other enablers need to be assessed as well.

Differences Between the COBIT 4.1 Maturity Model and the COBIT 5 Process Capability Model:

4.1 Maturity Model

Using the COBIT 4.1 maturity model for process improvement purposes—assessing a process maturity, defining a target maturity level and identifying the gaps—required using the following COBIT 4.1 components:
• First, an assessment needed to be made whether control objectives for the process were met.
• Next, the maturity model included in the management guideline for each process could be used to obtain a maturity profile of the process.
• In addition, the generic maturity model in COBIT 4.1 provided six distinct attributes that were applicable for each process and that assisted in obtaining a more detailed view on the processes’ maturity level.
• Process controls are generic control objectives—they also needed to be reviewed when a process assessment was made. Process controls partially overlap with the generic maturity model attributes.

5 Capability Model

There are six levels of capability that a process can achieve, including an ‘incomplete process’ designation if the practices in it do not achieve the intended purpose of the process:
0 Incomplete process—The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
1 Performed process (one attribute)—The implemented process achieves its process purpose.
2 Managed process (two attributes)—The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 Established process (two attributes)—The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 Predictable process (two attributes)—The previously described established process now operates within defined limits to achieve its process outcomes.
5 Optimizing process (two attributes)—The previously described predictable process is continuously improved to meet relevant current and projected business goals.

Each capability level can be achieved only when the level below has been fully achieved. For example, a process capability level 3 (established process) requires the process definition and process deployment attributes to be largely achieved, on top of full achievement of the attributes for a process capability level 2 (managed process).

There is a significant distinction between process capability level 1 and the higher capability levels. Process capability level 1 achievement requires the process performance attribute to be largely achieved, which actually means that the process is being successfully performed and the required outcomes obtained by the enterprise. The higher capability levels then add different attributes to it. In this assessment scheme, achieving a capability level 1, even on a scale to 5, is already an important achievement for an enterprise. Note that each individual enterprise shall choose (based on cost-benefit and feasibility reasons) its target or desired level, which very seldom will happen to be one of the highest.

The most important differences between an ISO/IEC 15504-based process capability assessment and the current COBIT 4.1 maturity model (and the similar Val IT and Risk IT domain-based maturity models) can be summarized as follows:
• The naming and meaning of the ISO/IEC 15504-defined capability levels are quite different from the current COBIT 4.1 maturity levels for processes.
• In ISO/IEC 15504, capability levels are defined by a set of nine process attributes. These attributes cover some ground covered by the current COBIT 4.1 maturity attributes and/or process controls, but only to a certain extent and in a different way.

Requirements for an ISO/IEC 15504:2-compliant process reference model prescribe that in the description of any process that will be assessed, i.e., any COBIT 5 governance and/or management process:
• The process is described in terms of its purpose and outcomes.
• The process description shall not contain any aspects of the measurement framework beyond level 1, which means that any characteristic of a process attribute beyond level 1 cannot appear inside a process description. Whether a process is measured and monitored, or whether it is formally described, etc., cannot be part of a process description or any of the management practices/activities underneath. This means that the process descriptions—as included in COBIT 5: Enabling Processes—contain only the necessary steps to achieve the actual process purpose and goals.
• Following from the previous bullets, the common attributes applicable to all enterprise processes, which produced duplicate control objectives in the COBIT® 3rd Edition publication and were grouped into the process control (PC) objectives in COBIT 4.1, are now defined in levels 2 to 5 of the assessment model.

Differences in Practice:

From the previous descriptions, it is clear that there are some practical differences associated with the change in process assessment models. Users need to be aware of these changes and be prepared to take them into account in their action plans.

The main changes to be considered include:
• Although it is tempting to compare assessment results between COBIT 4.1 and COBIT 5 because of apparent similarities to the number scales and words used to describe them, such a comparison is difficult because of the differences in scope, focus and intent.
• In general, scores will be lower with the COBIT 5 process capability model. In the COBIT 4.1 maturity model, a process could achieve a level 1 or 2 without fully achieving all the process’s objectives; in the COBIT 5 process capability level, this will result in a lower score of 0 or 1.

The COBIT 4.1 and COBIT 5 capability scales can be considered to ‘map’ approximately:
• There is no longer a specific maturity model per process included with the detailed process contents in COBIT 5 because the ISO/IEC 15504 process capability assessment approach does not require this and even prohibits this approach. Instead, the approach defines the information required in the ‘process reference model’ (the process model to be used for the assessment):
– Process description, with the purpose statements
Base practices, which are the equivalent of process governance or management practices in COBIT 5 terms

Work products, which are the equivalent of the inputs and outputs in COBIT 5 terms

• The COBIT 4.1 maturity model produced a maturity profile of an enterprise. The main purpose of this profile was to identify in which dimensions or for which attributes there were specific weaknesses that needed improvement. This approach was used by enterprises when there was an improvement focus rather than a need to obtain one maturity number for reporting purposes. In COBIT 5 the assessment model provides a measurement scale for each capability attribute and guidance on how to apply it, so for each process an assessment can be made for each of the nine capability attributes.
• The maturity attributes in COBIT 4.1 and the COBIT 5 process capability attributes are not identical. They overlap/map to a certain extent, as shown in figure 21. Enterprises having used the maturity model attributes approach in COBIT 4.1 can reuse their existing assessment data and reclassify them under the COBIT 5 attribute assessments.

Benefits of The Changes:

The benefits of the COBIT 5 process capability model, compared to the COBIT 4.1 maturity models, include:
• Improved focus on the process being performed, to confirm that it is actually achieving its purpose and delivering its required outcomes as expected.
• Simplified content through elimination of duplication, because the COBIT 4.1 maturity model assessment required the use of a number of specific components, including the generic maturity model, process maturity models, control objectives and process controls to support process assessment.
• Improved reliability and repeatability of process capability assessment activities and evaluations, reducing debates and disagreements between stakeholders on assessment results.
• Increased usability of process capability assessment results, because the new model establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes.
Compliance with a generally accepted process assessment standard and therefore strong support for the process assessment approach in the market.

Performing Process Capability Assessments in COBIT 5:

The ISO/IEC 15504 standard specifies that process capability assessments can be performed for various purposes and with varying degrees of rigor  Purposes can be internal, with a focus on comparisons between enterprise areas and/or process improvement for internal benefit, or they can be external, with a focus on formal assessment, reporting and certification.

The COBIT 5 ISO/IEC 15504-based assessment approach continues to facilitate the following objectives that have been a key COBIT approach since 2000 to:
• Enable the governance body and management to benchmark process capability.
• Enable high-level ‘as-is’ and ‘to-be’ health checks to support the governance body and management investment decision making with regard to process improvement.
• Provide gap analysis and improvement planning information to support definition of justifiable improvement projects.
• Provide the governance body and management with assessment ratings to measure and monitor current capabilities.

This section describes how a high-level assessment can be performed with the COBIT 5 process capability model to achieve these objectives.

The assessment distinguishes between assessing capability level 1 and the higher levels. Indeed, as described previously, process capability level 1 describes whether a process achieves its intended purpose, and is therefore a very important level to achieve—as well as foundational in enabling higher capability levels to be reached.

Assessing whether the process achieves its goals—or, in other words, achieves capability level 1—can be done by:

1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what degree each objective is achieved. This scale consists of the following ratings:
N (Not achieved)—There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
P (Partially achieved)—There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
L (Largely achieved)—There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
F (Fully achieved)—There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)

2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.

3. To further refine the assessment, the work products also may be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.

Although defining target capability levels is up to each enterprise to decide, many enterprises will have the ambition to have all their processes achieve capability level 1. (Otherwise, what would be the point of having these processes?) If this level is not achieved, the reasons for not achieving this level are immediately obvious from the approach explained above, and an improvement plan can be defined:
1. If a required process outcome is not consistently achieved, the process does not meet its objective and needs to be improved.
2. The assessment of the process practices will reveal which practices are lacking or failing, enabling implementation and/or improvement of those practices to take place and allowing all process outcomes to be achieved. For higher process capability levels, the generic practices are used, taken from ISO/IEC 15504:2. They provide generic descriptions for each of the capability levels.

Sunday, October 13, 2013

IT Governance - COBIT 5 version - S1E8 - Implementation Guide


Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each enterprise’s unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior.

ISACA provides practical and extensive implementation guidance in its publication COBIT 5 Implementation, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation tool kit containing a variety of resources that will be continually enhanced. Its content includes:
• Self-assessment, measurement and diagnostic tools
Presentations aimed at various audiences
• Related articles and further explanations

The purpose of this chapter is to introduce the implementation and continual improvement life cycle at a high level and to highlight a number of important topics from COBIT 5 Implementation such as:
• Making a business case for the implementation and improvement of the governance and management of IT
• Recognising typical pain points and trigger events
• Creating the appropriate environment for implementation
Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, organisational structures, and roles and responsibilities

Considering the Enterprise Context:

The governance and management of enterprise IT do not occur in a vacuum. Every enterprise needs to design its own implementation plan or road map, depending on factors in the enterprise’s specific internal and external environment such as the enterprise’s:
• Ethics and culture
• Applicable laws, regulations and policies
Mission, vision and values
• Governance policies and practices
• Business plan and strategic intentions
• Operating model and level of maturity
• Management style
• Risk appetite
• Capabilities and available resources
• Industry practices

It is equally important to leverage and build on existing enterprise governance enablers.

The optimal approach for the governance and management of enterprise IT will be different for every enterprise, and the context needs to be understood and considered to adopt and adapt COBIT effectively in the implementation of governance and management of enterprise IT enablers. COBIT is often underpinned with other frameworks, good practices and standards, and these, too, need to be adapted to suit specific requirements.

Key success factors for successful implementation include:
• Top management providing the direction and mandate for the initiative, as well as visible ongoing commitment and support
• All parties supporting the governance and management processes to understand the business and IT objectives
• Ensuring effective communication and enabling of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise
• Focusing on quick wins and prioritizing the most beneficial improvements that are easiest to implement

Creating the Appropriate Environment:

It is important for implementation initiatives leveraging COBIT to be properly governed and adequately managed. Major IT-related initiatives often fail due to inadequate direction, support and oversight by the various required stakeholders, and the implementation of governance or management of IT enablers leveraging COBIT is no different. Support and direction from key stakeholders are critical so that improvements are adopted and sustained. In a weak enterprise environment (such as an unclear overall business operating model or lack of enterprise-level governance enablers), this support and participation are even more important.

Enablers leveraging COBIT should provide a solution addressing real business needs and issues rather than serving as ends in themselves. Requirements based on current pain points and drivers should be identified and accepted by management as areas that need to be addressed. High-level health checks, diagnostics or capability assessments based on COBIT are excellent tools to raise awareness, create consensus and generate a commitment to act. The commitment and buy-in of the relevant stakeholders need to be solicited from the beginning. To achieve this, implementation objectives and benefits need to be clearly expressed in business terms and summarized in a business case outline.

Once commitment has been obtained, adequate resources need to be provided to support the programme. Key programme roles and responsibilities should be defined and assigned. Care should be taken on an ongoing basis to maintain commitment from all affected stakeholders.

Appropriate structures and processes for oversight and direction should be established and maintained. These structures and processes should also ensure ongoing alignment with enterprise-wide governance and risk management approaches.

Visible support and commitment should be provided by key stakeholders such as the board and executives to set the ‘tone at the top’ and ensure commitment for the programme at all levels.

Recognizing Pain Points and Trigger Events:

There are a number of factors that may indicate a need for improved governance and management of enterprise IT. 

By using pain points or trigger events as the launching point for implementation initiatives, the business case for governance or management of enterprise IT improvement can be related to practical, everyday issues being experienced. This will improve buy-in and create the sense of urgency within the enterprise that is necessary to kick off the implementation. In addition, quick wins can be identified and value-add can be demonstrated in those areas that are the most visible or recognizable in the enterprise. This provides a platform for introducing further changes and can assist in gaining widespread senior management commitment and support for more pervasive changes.

Examples of some of the typical pain points for which new or revised governance or management of IT enablers can be a solution (or part of a solution), as identified in COBIT 5 Implementation, are:
• Business frustration with failed initiatives, rising IT costs and a perception of low business value
• Significant incidents related to IT risk, such as data loss or project failure
Outsourcing service delivery problems, such as consistent failure to meet agreed-on service levels
Failure to meet regulatory or contractual requirements
• IT limiting the enterprise’s innovation capabilities and business agility
• Regular audit findings about poor IT performance or reported IT quality of service problems
• Hidden and rogue IT spending
• Duplication or overlap between initiatives or wasting resources, such as premature project termination
• Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
• IT-enabled changes failing to meet business needs and delivered late or over budget
• Board members, executives or senior managers who are reluctant to engage with IT, or a lack of committed and satisfied business sponsors for IT
Complex IT operating models

In addition to these pain points, other events in the enterprise’s internal and external environment can signal or trigger a focus on the governance and management of IT. Examples are:
Merger, acquisition or divestiture
• A shift in the market, economy or competitive position
• A change in the business operating model or sourcing arrangements
New regulatory or compliance requirements
• A significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CEO, CFO, CIO, etc.
• External audit or consultant assessments
• A new business strategy or priority

Enabling Change:

Successful implementation depends on implementing the appropriate change (the appropriate governance or management enablers) in the appropriate way. In many enterprises, there is a significant focus on the first aspect—core governance or management of IT—but not enough emphasis on managing the human, behavioral and cultural aspects of the change and motivating stakeholders to buy into the change.

It should not be assumed that the various stakeholders involved in, or impacted by, new or revised enablers will readily accept and adopt the change. The possibility of ignorance and/or resistance to change needs to be addressed through a structured and proactive approach. Also, optimal awareness of the implementation programme should be achieved through a communication plan that defines what will be communicated, in what way and by whom, throughout the various phases of the programme.

Sustainable improvement can be achieved either by gaining the commitment of the stakeholders (investment in winning hearts and minds, the leaders’ time, and in communicating and responding to the workforce) or, where still required, by enforcing compliance (investment in processes to administer, monitor and enforce). In other words, human, behavioral and cultural barriers need to be overcome so that there is a common interest to properly adopt change, instill a will to adopt change, and to ensure the ability to adopt change.

A Life Cycle Approach:

The implementation life cycle provides a way for enterprises to use COBIT to address the complexity and challenges typically encountered during implementations. The three interrelated components of the life cycle are the:
1. Core continual improvement life cycle—This is not a one-off project.
2. Enabling of change—Addressing the behavioral and cultural aspects
3. Management of the programme

As discussed previously, the appropriate environment needs to be created to ensure the success of the implementation or improvement initiative.

Phase 1 starts with recognizing and agreeing to the need for an implementation or improvement initiative. It identifies the current pain points and triggers and creates a desire to change at executive management levels.

Phase 2 is focused on defining the scope of the implementation or improvement initiative using COBIT’s mapping of enterprise goals to IT-related goals to the associated IT processes, and considering how risk scenarios could also highlight key processes on which to focus. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment. Large-scale initiatives should be structured as multiple iterations of the life cycle—for any implementation initiative exceeding six months there is a risk of losing momentum, focus and buy-in from stakeholders.

During phase 3, an improvement target is set, followed by a more detailed analysis leveraging COBIT’s guidance to identify gaps and potential solutions. Some solutions may be quick wins and others more challenging and longer-term activities. Priority should be given to initiatives that are easier to achieve and those likely to yield the greatest benefits.

Phase 4 plans practical solutions by defining projects supported by justifiable business cases. A change plan for implementation is also developed. A well-developed business case helps to ensure that the project’s benefits are identified and monitored.

The proposed solutions are implemented into day-to-day practices in phase 5. Measures can be defined and monitoring established, using COBIT’s goals and metrics to ensure that business alignment is achieved and maintained and performance can be measured. Success requires the engagement and demonstrated commitment of top management as well as ownership by the affected business and IT stakeholders.

Phase 6 focuses on the sustainable operation of the new or improved enablers and the monitoring of the achievement of expected benefits.

During phase 7, the overall success of the initiative is reviewed, further requirements for the governance or management of enterprise IT are identified, and the need for continual improvement is reinforced.

Over time, the life cycle should be followed in an iterative way while building a sustainable approach to the governance and management of enterprise IT.

Getting Started: Making The Business Case:

To ensure the success of implementation initiatives leveraging COBIT, the need to act should be widely recognized and communicated within the enterprise. This can be in the form of a ‘wake-up call’ (where specific pain points are being experienced, as discussed previously) or an expression of the improvement opportunity to be pursued and, very important, the benefits that will be realized. An appropriate level of urgency needs to be instilled and the key stakeholders should be aware of the risk of not taking action as well as the benefits of undertaking the programme.

The initiative should be owned by a sponsor, involve all key stakeholders and be based on a business case. Initially, this can be at a high level from a strategic perspective—from the top down—starting with a clear understanding of the desired business outcomes and progressing to a detailed description of critical tasks and milestones as well as key roles and responsibilities. The business case is a valuable tool available to management in guiding the creation of business value. At a minimum, the business case should include the following:
• The business benefits targeted, their alignment with business strategy and the associated benefit owners (who in the business will be responsible for securing them). This could be based on pain points and trigger events.
• The business changes needed to create the envisioned value. This could be based on health checks and capability gap analysis and should clearly state both what is in scope and what is out of scope.
• The investments needed to make the governance and management of enterprise IT changes (based on estimates of projects required)
• The ongoing IT and business costs
• The expected benefits of operating in the changed way
• The risk inherent in the previous bullets, including any constraints or dependencies (based on challenges and success factors)
• Roles, responsibilities and accountability related to the initiative
• How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used (based on goals and metrics)

The business case is not a one-time static document, but a dynamic operational tool that must be continually updated to reflect the current view of the future so that a view of the viability of the programme can be maintained.

It can be difficult to quantify the benefits of implementation or improvement initiatives, and care should be taken to commit only to benefits that are realistic and achievable. Studies conducted across a number of enterprises could provide useful information on benefits that have been achieved.

IT Governance - COBIT 5 version - S1E7 - Principle 5: Separating Governance From Management

Governance and Management:

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. The COBIT 5 view on this key distinction between governance and management is:

Governance: ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Interaction Between Governance and Management:

From the definitions of governance and management, it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance—to evaluate, direct and monitor—a set of interactions is required between governance and management to result in an efficient and effective governance system. 

COBIT 5 Process Reference Model:

COBIT 5 is not prescriptive, but it advocates that enterprises implement governance and management processes such that the key areas are covered.

An enterprise can organize its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.

COBIT 5 includes a process reference model, which defines and describes in detail a number of governance and management processes. It represents all of the processes normally found in an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account its specific situation.

Incorporating an operational model and a common language for all parts of the enterprise involved in IT activities is one of the most important and critical steps towards good governance. It also provides a framework for measuring and monitoring IT performance, providing IT assurance, communicating with service providers, and integrating best management practices.

The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:
Governance—Contains five governance processes; within each process, evaluate, direct and monitor (EDMpractices are defined.
Management—Contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), and provides end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure. The names of the domains are chosen in line with these main area designations, but contain more verbs to describe them:
– Align, Plan and Organise (APO)
– Build, Acquire and Implement (BAI)
– Deliver, Service and Support (DSS)
– Monitor, Evaluate and Assess (MEA)

Each domain contains a number of processes. Although, as described previously, most of the processes require ‘planning’, ‘implementation’, ‘execution’ and ‘monitoring’ activities within the process or within the specific issue being addressed (e.g., quality, security), they are placed in domains in line with what is generally the most relevant area of activity when looking at IT at the enterprise level.The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, with the Risk IT and Val IT process models integrated as well.

Saturday, October 12, 2013

IT Governance - COBIT 5 version - S1E5 - Principle 3: Applying A Single Integrated Framework

COBIT 5 is a single and integrated framework because:
• It aligns with other latest relevant standards and frameworks, and thus allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. A single overarching framework serves as a consistent and integrated source of guidance in a nontechnical, technology-agnostic common language.
• It provides a simple architecture for structuring guidance materials and producing a consistent product set.
• It integrates all knowledge previously dispersed over different ISACA frameworks. ISACA has researched the key area of enterprise governance for many years and has developed frameworks such as COBIT, Val IT, Risk IT, BMIS, the publication Board Briefing on IT Governance, and ITAF to provide guidance and assistance to enterprises. COBIT 5 integrates all of this knowledge.

COBIT 5 Framework Integrator:

The COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance on governance and management of enterprise IT by:
• Researching and using a set of sources that have driven the new content development, including:
Bringing together the existing ISACA guidance (COBIT 4.1, Val IT 2.0, Risk IT, BMIS) into this single framework
Complementing this content with areas needing further elaboration and updates
Aligning to other relevant standards and frameworks, such as ITIL, TOGAF and ISO standards.
• Defining a set of governance and management enablers, which provide a structure for all guidance materials
• Populating a COBIT 5 knowledge base that contains all guidance and content produced now and will provide a structure for additional future content
• Providing a sound and comprehensive reference base of good practices

IT Governance - COBIT 5 version - S1E4 - Principle 2: Covering the Enterprise End-to-End

COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. This means that COBIT 5:
• Integrates governance of enterprise IT into enterprise governance. That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system. COBIT 5 aligns with the latest views on governance.
• Covers all functions and processes required to govern and manage enterprise information and related technologies wherever that information may be processed. Given this extended enterprise scope, COBIT 5 addresses all the relevant internal and external IT services, as well as internal and external business processes.

COBIT 5 provides a holistic and systemic view on governance and management of enterprise IT (see principle 4), based on a number of enablers. The enablers are enterprise-wide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that are relevant to governance and management of enterprise information and related IT, including the activities and responsibilities of both the IT functions and non-IT business functions.

Information is one of the COBIT enabler categories. The model by which COBIT 5 defines enablers allows every stakeholder to define extensive and complete requirements for information and the information processing life cycle, thus connecting the business and its need for adequate information and the IT function, and supporting the business and context focus.

Governance Approach:

In addition to the governance objective, the other main elements of the governance approach include enablers; scope; and roles, activities, and relationships.

Governance Enablers:

Governance enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, through or towards which action is directed and objectives can be attained. Enablers also include the enterprise’s resources—e.g., service capabilities (IT infrastructure, applications, etc.), people and information. A lack of resources or enablers may affect the ability of the enterprise to create value.

Governance Scope:

Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well. The scope of COBIT 5 is the enterprise—but in essence COBIT 5 can deal with any of the different views.

Roles, Activities, and Relationships:

A last element is governance roles, activities and relationships. It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system. In COBIT 5, clear differentiation is made between governance and management activities in the governance and management domains, as well as the interfacing between them and the role players that are involved.

IT Governance - COBIT 5 version - S1E3 - Principle 1: Meeting Stakeholder Needs


Enterprises exist to create value for their stakeholders. Consequently, any enterprise—commercial or not—will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk. Benefits can take many forms, e.g., financial for commercial enterprises or public service for government entities.

Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests. By consequence, the governance system should consider all stakeholders when making benefit, risk and resource assessment decisions. For each decision, the following questions can and should be asked: For whom are the benefits? Who bears the risk? What resources are required?

COBIT 5 Goals Cascade:

Every enterprise operates in a different context; this context is determined by external factors (the market, the industry, geopolitics, etc.) and internal factors (the culture, organisation, risk appetite, etc.), and requires a customized governance and management system.

Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

Step 1. Stakeholder Drivers Influence Stakeholder Needs
Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and new technologies.

Step 2. Stakeholder Needs Cascade to Enterprise Goals
Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC) dimensions, and they represent a list of commonly used goals that an enterprise may define for itself. Although this list is not exhaustive, most enterprise-specific goals can be mapped easily onto one or more of the generic enterprise goals.
COBIT 5 defines 17 generic goals, as shown in figure 5, which includes the following information:
• The BSC dimension under which the enterprise goal fits
• Enterprise goals
• The relationship to the three main governance objectives—benefits realization, risk optimization and resource optimization. (‘P’ stands for primary relationship and ‘S’ for secondary relationship, i.e., a less strong relationship.)

Step 3. Enterprise Goals Cascade to IT-related Goals
Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC). COBIT 5 defines 17 IT-related goalsThe mapping table shows how each enterprise goal is supported by a number of IT-related goals.

Step 4. IT-related Goals Cascade to Enabler Goals
Achieving IT-related goals requires the successful application and use of a number of enablers. Enablers include processes, organizational structures and information, and for each enabler a set of specific relevant goals can be defined in support of the IT-related goals.

Enterprise Goals

IT-Related Goals

Using the COBIT 5 Goals Cascade:

Benefits of the COBIT 5 Goals Cascade
The goals cascade is important because it allows the definition of priorities for implementation, improvement and assurance of governance of enterprise IT based on (strategic) objectives of the enterprise and the related risk. In practice, the goals cascade:
• Defines relevant and tangible goals and objectives at various levels of responsibility
• Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
• Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals

Using the COBIT 5 Goals Cascade Carefully:
The goals cascade—with its mapping tables between enterprise goals and IT-related goals and between IT-related goals and COBIT 5 enablers (including processes)—does not contain the universal truth, and users should not attempt to use it in a purely mechanistic way, but rather as a guideline. There are various reasons for this, including:
• Every enterprise has different priorities in its goals, and priorities may change over time.
• The mapping tables do not distinguish between size and/or industry of the enterprise. They represent a sort of common denominator of how, in general, the different levels of goals are interrelated.
• The indicators used in the mapping use two levels of importance or relevance, suggesting that there are ‘discrete’ levels of relevance, whereas, in reality, the mapping will be close to a continuum of various degrees of correspondence.

Using the COBIT 5 Goals Cascade in Practice:
From the previous disclaimer, it is obvious that the first step an enterprise should always apply when using the goals cascade is to customize the mapping, taking into account its specific situation. In other words, each enterprise should build its own goals cascade, compare it with COBIT and then refine it.
For example, the enterprise may wish to:
• Translate the strategic priorities into a specific ‘weight’ or importance for each of the enterprise goals.
• Validate the mappings of the goals cascade, taking into account its specific environment, industry, etc.

Governance and Management Questions on IT:

The fulfillment of stakeholder needs in any enterprise will—given the high dependency on IT—raise a number of questions on the governance and management of enterprise IT

Governance and Management Questions (Internal)
Governance and Management Questions (External)