COBIT 5 is ISACA’s latest business framework for the governance, management and operation of IT across an enterprise. "Implementing COBIT" means different things to different people. For some, a COBIT implementation can help enterprises create optimal value from IT by effectively and efficiently leveraging resources, optimizing risk management and delivering real benefits to the business. Consequently, there is not one, but a number of approaches to "implementing COBIT". The "best approach" will depend on the purpose for which COBIT is being used.
ISACA's "Enabling Change" Approach
ISACA's COBIT 5 Implementation Guide describes a good practice approach for implementing the governance of enterprise IT (GEIT) using the traditional programme management life-cycle. This approach can assist management in planning and organizing the activities necessary to introduce a change to the existing environment.
This implementation approach is typical of an externally led initiative to implement governance of enterprise IT, or of a situation where management wishes to ring-fence the effort and resources used. This approach is based on "empowering business and IT stakeholders and role players to take ownership of IT-related governance and management decisions and activities by facilitating and enabling change".
In practice, the ISACA Implementation Guide is suitable for a "Governance, Risk and Compliance" (GRC) initiative that aims to introduce controls and address compliance requirements. This approach does not use the COBIT 5 process reference model.
The IT Governance Framework Approach
The COBIT 5 process reference model consists of an integrated process model for all activities related to the use of information and information-related technology. Included in this reference model is a process dedicated to establishing and maintaining better governance of enterprise IT. The objective of this process is to establish an IT governance framework that will assign responsibility, clarify accountability and communicate decision-making authority to support legal and regulatory compliance and the achievement of the enterprise's strategic objectives.
The approach starts with analyzing and articulating the requirements for the governance of enterprise IT. This is followed by putting in place and maintaining effective enabling structures, principles, processes and practices aimed at achieving the enterprise’s mission, goals and objectives.
Together with a management system, the IT governance framework enables management to plan and operate their IT organization more efficiently and effectively.
The Management System Approach
Every organisation needs to identify and manage many activities to function effectively. For example: strategic goals, customer requirements, corporate policies, business opportunities, risk management responses, regulatory compliance requirements and contractual obligations are possible triggers for action that will need to be managed. The COBIT 5 process reference model includes a process to establish and maintain a management system.
Enterprises start by organizing activities into processes, each with a common goal, and then they develop a management plan to prioritize the workload. Next they establish, implement, operate, monitor, review, maintain and improve their management system. This is a systematic approach to organizing and coordinating activities in order to reduce waste, minimize error and lift productivity.
Even in the best-run organisations there is enormous waste of effort. Introducing a management system to better organize the effort will remove the duplication of activities and reduce the time spent waiting for related tasks to complete. It will cut costs and lead to substantial productivity improvements.
The Optimized Operating Model Approach
A Lean IT operating model is one possible outcome from implementing COBIT. The COBIT 5 Framework provides an inherently lean approach to building capability. First, the processes and relevant process outcomes are identified based on the business's goals and the enterprise's strategic objectives. Next, the essential activities within each process are identified, together with the process work products (inputs and outputs) essential to delivering the targeted outcomes. Finally, management supervision is added to ensure the expected outcomes are actually delivered.
Building process capability enables an enterprise to perform better and optimize its resource usage. Typically, the approach is incremental. Improvements are made by those responsible for the core processes (i.e. process owners). Individual processes and combinations of processes are analysed and optimized. Activities and work products are checked for relevance and completeness.
Confidence is gained in knowing the activities are essential to delivering the outcomes expected. Process workflow is improved to remove bottlenecks. Process artifacts such as plans, descriptions and schedules are developed to support process implementation and operation.
COBIT 5 for Risk
COBIT 5 for Risk focuses on establishing a risk management process and the risk management function. It addresses the establishment of a risk capability for information and related technology. The COBIT 5 for Risk guide complements the COBIT 5 Framework process "APO12 Manage Risk" and the COBIT 5 EDM03 "Governance of Risk" process.
COBIT 5 for Assurance
COBIT 5 for Assurance focuses on the assurance function and the assurance activities typical of an assurance provider. It addresses how to set up and maintain an efficient assurance function and provide assurance for the COBIT 5 enablers described in the COBIT 5 Business Framework.