COBIT 5: A control framework takes on IT governance

The word “CIO” doesn’t appear until page 76, but when it does, this is how the role is defined by the fifth version of one of the industry’s best-known documents on IT.

The most senior official of the enterprise who is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support enterprise objectives.

It’s not necessarily a bad way of explaining what many chief information officers do. In fact, to many business executives it may seem like common sense. But that’s exactly what the latest volume of Control Objectives for Information and Related Technology (COBIT) offers: common sense rendered in textbook form for those who want to make technology-driven processes more effective and efficient.

Released in draft form this summer and open to public review until the end of September, COBIT 5 is published by ISACA, formerly known as the Information Systems Audit and Control Association, which claims 95,000 members around the world and grew in its early days out of the IT audit functions in corporations. ISACA plans to finalize the control framework, along with the accompanying process reference guide and implementation guide, for publication in early 2012.

When the final version is released, COBIT 5 will be more than a mere update from its predecessor, COBIT 4.1. Along with its usual laundry list of ideas around specific processes, the framework will attempt to integrate elements of other standards and guides ISACA has offered separately until now. These include Val IT, which focuses on areas such as portfolio management and investment management; a risk management framework called Risk IT; the IT Assurance Framework; and the Business Model for Information Security (BMIS).

Although Public Works and Government Services Canada, Canada Housing and Mortgage Corp. and a number of auditor general offices have all used COBIT and other ISACA frameworks, the organization has had difficulty gaining the traction and reputation enjoyed by the IT Infrastructure Library, or ITIL. A few years ago, for example, ITGI published the results of a survey by PricewaterhouseCoopers which tried to gauge the awareness and adoption of its frameworks. The survey showed awareness of COBIT and Val IT had doubled since the study was done in 2005, but there was also a 23 per cent jump in the number who cited insufficient staff to manage IT effectively. A number of IT executives have also told CIO Canada over the years that COBIT covers too much ground already, and that picking and choosing which of its processes are most important can be a challenge.

According to Robert Stroud, vice-president with ISACA, bringing some level of consolidation to all the guidance it currently offers was critical for this revision of COBIT.

“What we’ve seen from most organizations is that they use a combination of them,” he said. “We had to allow for all of them as we brought it together. We needed to aggregate it to have a single core starting point.”

It makes a lot of sense to Gary S. Baker, a Toronto consultant who participated in one of the workshops that helped develop COBIT 5. While Val IT and Risk IT filled in some gaps, it may have been overkill. “It led to a lot of confusion in the marketplace,” he said. “Now it’s starting to take a more holistic approach.”

Gert Du Preez, director of the IT advisory practice at PricewaterhouseCoopers in Calgary, agreed.

“Most of the organizations I speak to are suffering from framework overload,” he said. “It’s all great, it’s fantastic to have a whole bunch of guidance, but the question becomes how do I use this?”

Baker is concerned, however, about the positioning of the COBIT brand and the way it puts COBIT head-to-head with ITIL. Whereas the latter has traditionally been associated with best practices around technology operations, COBIT has been more about measurement and auditing.

“ISACA is trying to position it as a governance model rather than a control model. That carries a certain connotation in the marketplace,” he said. “What they call governance is really management.”

Stroud sees this as a natural evolution for COBIT, where organizations can align their goals with metrics and controls to achieve an effective governance model.

“The other aspect we spent a lot of time on in the maturity model was to understand not only where you are today but to assess where you need to go, then get a gap out of that which will help in guiding your implementation,” he said. “These are things that will become part of the DNA of your organization and enshrined in your processes. Then you’ll feed up the metrics to effectively govern the environment so you’re not worried about all the noise.”

It all might seem a little granular for CIOs, few of whom seem to have been involved in COBIT 5’s development. While the contributors’ page lists many from the audit side, actual IT executives are by no means a large segment.

“Typically CIOs are busy people,” Stroud explained. “There were a number of senior people involved in the detailed framework and if you go through the list of names you’ll see people from IT, audit, security, risk and business persons.”

Du Preez pointed out that COBIT 5 is really focused around stakeholder value, and there are different needs for each. “The CIOs have a need for a different level of detail than someone using COBIT for assurance, for example,” he said. “It can provide a common language for business and IT. If the process is this way, why is it this way? If implemented in a certain way, why is that?”

Technology has changed, Baker added, particularly as BYOD and the consumerization of IT have infiltrated the enterprise. He suggested frameworks like COBIT should be positioned more as a business issue in which the CIO certainly plays a key role, but more of an advocacy role than a responsibility role.

“In the mainframe days, IT ran the whole show. Organizations today have IT everywhere, not all of which is under the direct control of the CIO. COBIT 5 emphasizes it even more.”

Either way, don’t expect CIOs or organizations to adopt COBIT 5 en masse, Baker added, even if they already like previous versions ISACA has produced.

“The challenge we’ve got is that people have invested a lot in COBIT 4 and will they be ready, willing and able to invest in COBIT 5? COBIT 4 will continue to be of value and used and co-exist in practice.”

At least it’s not all theory.
