APPROACH – IMPLEMENTING COBIT 5

Today, especially for Spanish-speaking readers, I want to show some of the ways to implement this framework for the corporate governance of information technology. The idea is to make it as visual as possible.

Before the visual schemes, some taken from the ISACA page and others created by me in a simple way, I want to note some general characteristics of implementing this framework:

Corporate governance of I.T. (GEIT, for its acronym in English) is widely recognized by top management as an essential part of corporate governance in first-world countries. Our challenge in Latin America is to convince stakeholders that this framework helps them realize business benefits, optimize risk and optimize enterprise resources.

Information technology is increasingly part of every aspect of business and public life; it is practically omnipresent.

Today more than ever there is a need for the I.T. area to deliver greater business value. This means investing more smartly in I.T. and managing a growing body of I.T.-related risks which, if not acted on promptly, become serious business risks.

Ever-increasing regulation and legislation on the use of internal and external business information also brings greater awareness of the importance of a well-governed and well-managed I.T. environment.

Remember the COBIT 5 implementation life cycle, as provided by ISACA:

Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.

One of the biggest challenges in implementing COBIT, especially in these countries, is the following:

We must establish GEIT within the enterprise. That is, we have to sell it properly: not as a temporary solution, but as something that is started and aligned with the enterprise-wide life cycle.

Tell stakeholders what the first steps towards implementing GEIT are, the challenges the company must overcome, and what the first success factors will be.

Show the organizational change required of the company and the business behavior associated with GEIT; establish how continuous improvement of the overall program will be administered and how management empowerment programs will be run.

Use COBIT 5, its components and its recommendations. Also establish mechanisms for training and keeping the business up to date.


Using COBIT 5 and its components

The components that COBIT 5 proposes to use are as follows:

The five principles of COBIT

  1. Meeting stakeholder needs.
  2. Covering the enterprise end-to-end.
  3. Applying a single integrated framework.
  4. Enabling a holistic approach.
  5. Separating governance from management.

The COBIT enablers:

  1. Processes.
  2. Organizational structures.
  3. Ethics, culture and behavior.
  4. Principles, policies and Frameworks.
  5. Information.
  6. Services, infrastructure and applications.
  7. People, skills and competencies.

Implementation Guide: I will develop this scope in this blog.

Process assessment programme: the programme for evaluating process capability and maturity that ISACA has adopted for COBIT 5.


Deployment: steps

Rather than follow the life cycle of the Guide as we see it in the COBIT implementation image, I would like to set out the steps and explain them, trying to present them as simply as possible, knowing that an implementation can be very complex in business environments.

With that in mind, the steps could be:

  1. Make the implementation of COBIT clear to stakeholders.
  2. Select the processes that will take part in the implementation of COBIT.
  3. Determine which process instances are essential for the implementation.
  4. "Map" business processes to the processes of the COBIT 5 reference model.
  5. Establish the current gaps in the organization and the roadmap for business improvement.
  6. Build the capability of the processes:
    1. Processes with a discrete life cycle
    2. Processes that are management systems
    3. Processes that consist of a collection of "ad hoc" tasks
  7. Check the work done in the implementation.
  8. Report the progress of the implementation of COBIT 5.

When we are making the scope of a COBIT implementation clear to stakeholders, we must lay out the elements, ideally visually, so that business stakeholders understand where a program of this type leads. The best practice is to divide the program into multiple projects, so as not to distort the scope and to keep the implementation perfectly feasible.

Let’s look at the following diagram:

Based on and taken from ITgovernance.com

Remember that generating value, which is the center of any business implementation program (SOX, COBIT, COSO, ISO XXXX, etc.), should aim to realize economic and non-economic benefits, optimize risk and optimize resources. Stakeholders should arrive at and share the business vision, and so need motivators that allow them to comply with the proposed vision; these motivators arise from having prioritized, specific business goals that must take the company to a desired capability and to compliance with corporate governance, pictured as GRC (Governance, Risk Management, Compliance).

To comply with corporate governance, we need to improve business processes; to improve business processes we have to follow a route for improving them, and an action plan on the part of the I.T. area becomes necessary, since it is I.T., with its tools and work schemes, that makes fulfilling the company's vision possible.

The CIO must ensure the company has sufficient capabilities and, through a program management system (a PMO, for example), will run the programs and projects that remove, or are on the way to mitigating, the gaps or business pain points (i.e. what the company effectively needs in order to fulfil the business vision). We must also establish control functions in the programs of specific projects to ensure that the business gaps are being mitigated, keeping the program sponsors informed, since they must comply with the corporate governance (GRC) requirements.

External audit will be the guarantor that GRC requirements are fully met; on the other hand, business leaders should know which gaps are preventing the company from meeting its objectives, in order to sponsor the programs of projects aimed at mitigating the business gaps or pain points found.

And what do we obtain from the implementation?

A governance framework customized to the company.

Better management of business risk.

Improvements in controls to mitigate the risks found and/or meet business obligations.

Resolution of the enterprise gaps.

Optimization of processes according to the desired outputs. Clearly, in the first iteration of the implementation program there will surely be no process optimization yet, but there will surely be processes implemented.

Identification and awareness of key business processes.

Elimination of gaps in the activities of processes.

Association of the business risks found with the processes built.

Standardization of processes.

Business synergy.

Build or enhance the capabilities of the processes as desired. For example:

  • Troubleshooting of incidents
  • Speed of adoption of technological change
  • Implementation of specific business obligations
  • Protection of sensitive company data

Which processes could be part of a deployment?

Turning to the second point (select the processes that will take part in the COBIT implementation), let's look at all the processes that COBIT 5 proposes:

Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.

If there are business goals related to operational productivity and staff, because gaps or business pain points have been found, then the governance processes to establish in such a first iteration will be EDM02 and EDM04, because this goal is directly related to benefits realization for the company (in this case measured internally first) and to enterprise resource optimization. Subsequently the EDM01 process must be implemented, since it is the one that creates the whole governance framework, which is just one of the deliverables. This is a first approach to implementing the processes.

Now for the processes that management must implement, we continue using the goals cascade. This business goal is directly related to the following IT-related goals:

  • Realization of benefits from the portfolio of IT-enabled investments and services
  • Proper use of applications, information and technology solutions
  • Optimization of IT assets, resources and capabilities
  • Enablement and support of business processes by integrating applications and technology into business processes
  • Competent and motivated business and IT personnel

If we look closely, the first IT goal has more to do with the financial side of a company, while as we saw this business goal belongs more to the desire to close an internal gap. The second goal, "Proper use of applications, information and technology solutions", is oriented much more towards one of the reasons for the company's existence: its customers. The last goal, "Competent and motivated business and IT personnel", is designed more around the training and development of company staff.

We are left with two IT goals that are related to the internal side of the company: "Optimization of IT assets, resources and capabilities" and "Enablement and support of business processes by integrating applications and technology into business processes". Let's look at the COBIT processes that help us achieve these goals. For enablement and support of business processes by integrating applications and technology into business processes:

  • S: EDM02 Ensure benefits delivery
  • S: APO01 Manage the IT management framework
  • S: APO02 Manage strategy
  • S: APO03 Manage enterprise architecture
  • P: APO08 Manage relationships
  • P: BAI02 Manage requirements definition
  • S: BAI03 Manage solutions identification and build
  • S: BAI05 Manage organizational change enablement
  • S: BAI06 Manage changes
  • P: BAI07 Manage change acceptance and transitioning
  • S: DSS03 Manage problems
  • S: DSS04 Manage continuity
  • S: DSS05 Manage security services
  • S: DSS06 Manage business process controls

For optimization of IT assets, resources and capabilities we have:

  • S: EDM01 Ensure governance framework setting and maintenance
  • S: EDM02 Ensure benefits delivery
  • P: EDM04 Ensure resource optimization
  • P: APO01 Manage the IT management framework
  • S: APO02 Manage strategy
  • P: APO03 Manage enterprise architecture
  • P: APO04 Manage innovation
  • S: APO05 Manage portfolio
  • S: APO06 Manage budget and costs
  • P: APO07 Manage human resources
  • S: APO08 Manage relationships
  • S: APO09 Manage service agreements
  • S: APO10 Manage suppliers
  • S: APO11 Manage quality
  • S: BAI01 Manage programmes and projects
  • S: BAI02 Manage requirements definition
  • S: BAI03 Manage solutions identification and build
  • P: BAI04 Manage availability and capacity
  • S: BAI05 Manage organizational change enablement
  • S: BAI06 Manage changes
  • S: BAI08 Manage knowledge
  • P: BAI09 Manage assets
  • P: BAI10 Manage configuration
  • P: DSS01 Manage operations
  • P: DSS03 Manage problems
  • S: DSS04 Manage continuity
  • S: DSS05 Manage security services
  • S: DSS06 Manage business process controls
  • P: MEA01 Monitor, evaluate and assess performance and conformance

Notice the highlighted processes (those marked P, primary). They already give us an idea of which processes must be implemented or built if this is the first iteration; if some of them already exist, the idea is precisely to improve them as part of the implementation's deliverables.

In conclusion, the processes to be implemented for this corporate goal, where the company has problems, are as follows:

  • EDM04 Ensure the optimization of resources
  • APO01 Manage the IT management framework
  • APO03 Manage the enterprise architecture
  • APO04 Manage innovation
  • APO07 Manage human resources
  • APO08 Manage relationships
  • BAI02 Manage the definition of requirements
  • BAI04 Manage availability and capacity
  • BAI09 Manage assets
  • BAI10 Manage the configuration
  • BAI07 Manage the acceptance of change and transition
  • DSS01 Manage operations
  • DSS03 Manage problems
  • MEA01 Monitor, assess and evaluate performance and compliance
  • EDM01 Ensure the establishment and maintenance of the frame of Government
  • EDM02 Ensure the delivery of benefits

Here we could ask ourselves: what about the other processes? It is not that they are less important, but they are secondary for the purposes of achieving this particular business goal that I used as an example. If other business goals were included in the implementation, their processes would also become part of the list to be implemented.


Which instances of processes are essential for the implementation?

Now we need to indicate the process instances. Using the list of processes to be implemented, I will refer to instances as the entities responsible for how processes are built within the organization.

So, in the process model to be implemented, the instances could look like the following example schema:

In this example, the instance that performs the processes:

  • EDM04 Ensure the optimization of resources
  • APO01 Manage the IT management framework
  • APO03 Manage the enterprise architecture
  • EDM01 Ensure the establishment and maintenance of the frame of Government
  • EDM02 Ensure the delivery of benefits

will be the enterprise architecture office, assuming it exists within the company and is what helps execute the business strategy; meanwhile the I.T. office will be responsible for building these processes:

  • BAI02 Manage the definition of requirements
  • BAI04 Manage availability and capacity
  • BAI09 Manage assets
  • BAI07 Manage the acceptance of change and transition
  • DSS01 Manage operations
  • DSS03 Manage problems

In turn, the human resources area will be responsible for these processes:

  • APO04 Manage innovation
  • APO07 Manage human resources
  • APO08 Manage relationships
  • BAI07 Manage the acceptance of change and transition

Finally, the quality area, if it exists, will be the body responsible for this process:

  • MEA01 Monitor, assess and evaluate performance and compliance

Bear in mind that the guiding instance will be the Board of Directors, which may be formed by managers and other stakeholders in the implementation.


“Mapping” the business processes with the processes of COBIT reference model

We now know which processes must be implemented for this particular business goal. We also know which bodies are responsible for building the processes and everything that entails.

Then here you should verify whether the processes to be built already exist in the organization. If they exist, we relate them directly, relying on the organization's process map. If they do not exist, we clearly note this as one of the organization's pain points or gaps, because without them the corporate goal cannot be reached.


Business improvement route

Using the same example and the same corporate goal, and after mapping the existing processes against those intended for implementation, suppose the processes that are organizational gaps, because the company does not have them, are the following:

  • EDM01 Ensure the establishment and maintenance of the frame of Government
  • EDM02 Ensure the delivery of benefits
  • EDM04 Ensure the optimization of resources
  • BAI02 Manage the definition of requirements
  • BAI04 Manage availability and capacity
  • APO04 Manage innovation
  • APO08 Manage relationships
  • APO07 Manage human resources
  • BAI07 Manage the acceptance of change and transition

The road map to implement them could look something like this:

We have limited ourselves to the processes; but what we are saying here is that the processes that should begin to be implemented are, in order, EDM04, APO04, BAI02, APO08, BAI04, EDM01 and BAI07, with the responsible bodies and milestones with their dates shown. These milestones will be important for the program's project control, in order to show stakeholders the corresponding progress of the implementation. This was just an example; surely there are many more possibilities, and these could change according to priorities and resource availability at the level of the project office program.
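The selection, instance assignment, mapping and gap steps above (steps 2 to 5 of the deployment) are easy to get wrong by hand once several business goals are in play, so here is the same reasoning as a small Python script. This is an added example, not code from the original post or from ISACA: the P/S tables and the instance assignments are transcribed from the lists above, while the "existing process inventory" is a constructed sample chosen so that the resulting gaps match the gap list in the post. The script also applies two control checks a PMO would want: it flags processes to be implemented that no instance owns (BAI10 is not assigned to any instance in the example above), and gaps that the roadmap order never schedules (EDM02 and APO07 are gaps but absent from the order given above).

```python
from typing import Dict, Iterable, List, Set

# IT-related goal -> {COBIT 5 process: "P" (primary) or "S" (secondary)},
# transcribed from the two goal/process lists in the post.
CASCADE: Dict[str, Dict[str, str]] = {
    "Enablement and support of business processes": {
        "EDM02": "S", "APO01": "S", "APO02": "S", "APO03": "S", "APO08": "P",
        "BAI02": "P", "BAI03": "S", "BAI05": "S", "BAI06": "S", "BAI07": "P",
        "DSS03": "S", "DSS04": "S", "DSS05": "S", "DSS06": "S",
    },
    "Optimization of IT assets, resources and capabilities": {
        "EDM01": "S", "EDM02": "S", "EDM04": "P", "APO01": "P", "APO02": "S",
        "APO03": "P", "APO04": "P", "APO05": "S", "APO06": "S", "APO07": "P",
        "APO08": "S", "APO09": "S", "APO10": "S", "APO11": "S", "BAI01": "S",
        "BAI02": "S", "BAI03": "S", "BAI04": "P", "BAI05": "S", "BAI06": "S",
        "BAI08": "S", "BAI09": "P", "BAI10": "P", "DSS01": "P", "DSS03": "P",
        "DSS04": "S", "DSS05": "S", "DSS06": "S", "MEA01": "P",
    },
}

# Governance processes the post includes in a first iteration regardless of
# their P/S weight: EDM01 creates the governance framework, EDM02 and EDM04
# are tied to benefits delivery and resource optimization.
GOVERNANCE_BASELINE: Set[str] = {"EDM01", "EDM02", "EDM04"}

# Responsible instance per process, as assigned in the post's example.
# BAI07 is listed under both the I.T. office and human resources; BAI10 is
# on the list to implement but is not assigned to any instance in the post.
OWNERS: Dict[str, List[str]] = {
    "EDM01": ["Enterprise architecture office"],
    "EDM02": ["Enterprise architecture office"],
    "EDM04": ["Enterprise architecture office"],
    "APO01": ["Enterprise architecture office"],
    "APO03": ["Enterprise architecture office"],
    "BAI02": ["I.T. office"],
    "BAI04": ["I.T. office"],
    "BAI09": ["I.T. office"],
    "BAI07": ["I.T. office", "Human resources"],
    "DSS01": ["I.T. office"],
    "DSS03": ["I.T. office"],
    "APO04": ["Human resources"],
    "APO07": ["Human resources"],
    "APO08": ["Human resources"],
    "MEA01": ["Quality"],
}

# Constructed sample: processes already on the organization's process map.
EXISTING_PROCESSES: Set[str] = {"APO01", "APO03", "BAI09", "BAI10", "DSS01", "DSS03", "MEA01"}

# Implementation order given in the post's roadmap example.
ROADMAP: List[str] = ["EDM04", "APO04", "BAI02", "APO08", "BAI04", "EDM01", "BAI07"]


def select_processes(goals: Iterable[str], cascade: Dict[str, Dict[str, str]] = CASCADE,
                     baseline: Set[str] = GOVERNANCE_BASELINE) -> Set[str]:
    """Step 2: every process marked P for a selected IT goal, plus the governance baseline."""
    selected = set(baseline)
    for goal in goals:
        selected |= {proc for proc, weight in cascade[goal].items() if weight == "P"}
    return selected


def assign_instances(processes: Iterable[str], owners: Dict[str, List[str]] = OWNERS) -> Dict[str, List[str]]:
    """Step 3: group processes by responsible instance; unowned ones land in 'UNASSIGNED'."""
    by_instance: Dict[str, List[str]] = {}
    for proc in sorted(processes):
        for owner in owners.get(proc, ["UNASSIGNED"]):
            by_instance.setdefault(owner, []).append(proc)
    return by_instance


def find_gaps(processes: Iterable[str], existing: Iterable[str]) -> Set[str]:
    """Steps 4-5: map against the existing process inventory; whatever is missing is a gap."""
    return set(processes) - set(existing)


def uncovered_gaps(gaps: Iterable[str], roadmap: Iterable[str]) -> Set[str]:
    """Control check: gaps the roadmap never schedules, which the PMO should flag to sponsors."""
    return set(gaps) - set(roadmap)


if __name__ == "__main__":
    chosen = select_processes(CASCADE)  # both IT goals of the post's example
    gaps = find_gaps(chosen, EXISTING_PROCESSES)
    for instance, procs in sorted(assign_instances(chosen).items()):
        print(f"{instance}: {', '.join(procs)}")
    print("gaps:", sorted(gaps))
    print("gaps missing from roadmap:", sorted(uncovered_gaps(gaps, ROADMAP)))
```

Run as a script it prints the processes grouped by instance (with BAI10 under UNASSIGNED), the nine gaps, and the two gaps the roadmap does not schedule. Adding a further business goal means adding its P/S row to CASCADE and passing its name to select_processes; the union of primary processes then grows, and the same checks apply.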


Build the desired capacity of processes

Here we have to take into account both whether the process exists in the company and its capability; i.e. if it does not exist, you must implement it, formalize it and document it. If it already exists but is done intuitively or "ad hoc", it will have to be formalized and documented, and you will have to begin extracting certain metrics from it.

We have 3 possible cases for building capability: processes with a discrete life cycle, processes that are management systems, and processes that consist of a collection of "ad hoc" tasks.

For example, in the list of processes let's suppose the innovation process is an ad hoc process. We proceed to formalize internal innovation, carried out by the human resources area:

Now let's look at processes BAI02 Manage requirements definition and BAI04 Manage availability and capacity. These processes may perfectly well be part of an already existing business service management system. Then the implementation here would be to include these processes within that system; this could mean creating or acquiring the application components that execute these processes in the existing system.


The programme of implementation and progress report

To control the program's implementation, a project management office (PMO) is useful here, or, if projects are outsourced, an outsourcer that also has the ability to govern the implementation properly, which means performing the corresponding controls, verifying the proposed deliverables, and performing evaluations and audits in order to report progress and observations on the implementation to the Board.

Consider the following scheme, following the example we have been using with the business goal "Operational productivity and staff":

Here I give a summary showing the processes to implement, the decisive instances in the program's implementation, the "pain points" to remove through the creation and improvement of processes, and how the realization of this program will deliver the benefit of enterprise resource optimization, while the Board can carry out evaluations of the implementation program to make whatever adjustments are required during its execution.

The body responsible for managing the reporting is the PMO itself, and through assessments of the program during its execution, recommendations for the implementation may arise, the program's goal being to deliver the desired capability to meet the business goal and deliver value to the company.

If you want to know more contact me here.