COBIT5 has been around for a couple of years now, so I should probably stop referring to it as the new release and simply call it the latest. I was introduced to COBIT back in version 4.0, and have since been involved in several opportunities to use COBIT5. There are many cool things about it, and it’s difficult to outline all of them in this post, but I wanted to share some thoughts on what I feel are the biggest hitters for me. These observations are a culmination of many real-world experiences, all of which are unique to my journey, and I’m sure many of you have unique stories of your own. In any case, I hope you gain something from reading my top ten reasons why I’m a COBIT fan. And here they are…
1. COBIT is relevant- the goal is to deliver value.
The enterprise exists to create value for its stakeholders. This is simple in theory but tough in real life. COBIT was created from the top down, meaning that the entire model focuses on the primary facets of providing value: realizing benefits, while optimizing risks and resources. From the goals cascade to the enablers, COBIT helps you focus on value. Now, I’ll admit that you really should understand the complete framework to realize its full benefits. While implementing portions of the framework certainly helps, it may not identify where your gaps exist.
2. COBIT still focuses on information.
If an enterprise doesn’t manage its information, it will no longer exist. COBIT focuses on the information first, and that is the right way to look at it. Without information, there’s no need for the technology.
3. COBIT is not just for the big companies.
COBIT has escaped the “for big companies only” misconception. Whether you have a small IT organization, or several hundred resources, COBIT fits any size; you just need to identify your business goals, objectives and mission to operate as a going concern. I’ve seen an organization with two IT staff members leverage COBIT.
4. COBIT is a framework that looks beyond just processes.
COBIT’s seven enablers are designed to help you get beyond just looking at processes. These enablers include 1) Principles, Polices and Frameworks, 2) Processes, 3) Organizational Structures, 4) Culture, Ethics and Behavior, 5) Information, 6) Services, Infrastructure and Applications, and 7) People, Skills and Competencies. These provide a more holistic approach to governance where changes in one enabler must be adequately assessed across all enablers.
5. COBIT is a great reference for process owners.
All processes should have owners. I’ll even take that a step further and say that all processes should have assigned roles. Within COBIT5 there is a wealth of information regarding processes. There are 37 processes organized into five domains (one governance domain and 4 management domains). Within this process reference model, the biggest hitters for me include: process description and purpose, practices and activities, inputs and outputs, RACI charts, goals, and related industry standards and frameworks.
6. COBIT has a goals cascade that is flexible and useable.
This is not just an academic reference, but a really helpful tool. I’m often heard saying that this is one of the best kept secrets in our industry. To this day I am surprised that most people are not aware of its utility. The goals cascade is a series of mappings that allow you to link stakeholder needs to enterprise goals, to IT related goals, and to enabler goals. Once you’ve seen how this works, you will most certainly be hooked.
7. COBIT has a product family that is consistent, like a single playbook.
One of the key principles of COBIT is to provide an integrated framework that is complete in enterprise coverage. This provides a basis to integrate and align with the latest relevant standards and frameworks, as well as all knowledge previously dispersed over different ISACA frameworks. So what does this mean? The COBIT product family is my starting point, and lets me know where to look for additional information.
8. COBIT can be incorporated with other frameworks.
I often get challenged when I say that I’ve used COBIT as a “framework to manage my frameworks,” but this is a true statement, and it works. Some of the most prominent I’ve seen include ISO38500, ISO31000, ISO27000, ISO20000, ITIL, PRINCE2, and CMMI. Yes, you can use more than one framework in an enterprise, and COBIT helps you figure out how to do it.
9. COBIT is the “middleware” between Governance, IT, and Assurance.
Hopefully you don’t take me literally here by using middleware, but let’s look at middleware’s purpose. It provides a link to exchange information between dissimilar systems. Now considering the gaps we see between Governance, IT and assurance, doesn’t this make sense? Think of it as a common language that can finally bridge that gap. I’ve used COBIT as a translator that can get us all thinking about the same enterprise goals.
10. No more control objectives!
This doesn’t sit well with the folks who like the word control. I’ll admit that when COBIT5 replaced the term, I was skeptical. I’ve had a change of attitude about this. COBIT now uses terms like Management Practices and Activities, and for good reason. Instead of controlling the technologies that manage your information, shouldn’t you be focusing more on the management practices? I certainly think so, since they are the guidance necessary to achieve process goals. If it really bothers you, can you still use the term control objective? Sure.
Final thoughts on COBIT.
Whether you’re a board member, executive, auditor, or IT Operator, do yourself a favor and learn more about it. Admittedly, many people find it difficult to simply thumb through the various publications and experience the “ah, I get it now” feeling. My advice to anyone who wants to learn more about it is to go to the ISACA site (www.isaca.org) and download some of the key publications. For starters, you should get the COBIT5 Framework, Enabling Processes, and Implementation guides. Additionally, there are a lot of good resources on the site that might help you out, like COBIT Online and “ask the expert” sections of the site.
Having said all of these great things about COBIT, I want to emphasize that adopting a framework does not guarantee your governance success, but it sure does offer a great starting point. COBIT offers a common language that can be shared across the enterprise, but real adoption requires executive support, a desire to improve, and a strong desire towards achieving the governance of enterprise IT.