Before we start, it’s worth clarifying the use of the term ‘I&T’ for this series of papers. COBIT 2019 uses ‘I&T’ to describe “all the technology and information processing the enterprise puts in place to achieve its goals regardless of where this happens in the enterprise”.
As we’ll be discussing COBIT 2019 throughout, we’ll use this definition and accept that if the term ‘IT’ is just as meaningful or comfortable to the reader, that’s fine. We’ll also use ‘company’, ‘organization’, and ‘enterprise’ interchangeably to refer to an organized effort by one or more parties to achieve a set of objectives.
So, back to the question of ‘When would a company need an I&T Governance Framework?’ The answer is quite simple – if an organization uses information and technology, then it’ll be a good candidate for such a framework. That covers most organizations, but where should we focus our attention when it comes to using a framework like COBIT 2019?
COBIT 2019 reminds us that information and technology are central in the support, sustainability, and growth of organizations, especially in terms of digital transformation. It also recognizes, perhaps somewhat alarmingly, that directors and senior managers in the past could delegate, ignore, or even avoid I&T-related decisions, but that this approach and attitude would most certainly be ill-advised now.
Happily, though, the governance of I&T is not a separate discipline unto itself. Indeed, it is being brought into the remit of corporate governance, which has implications for senior management, directors, and the board and owners of companies. For example, the UK Corporate Governance Code’s Section 4, Principle O, states the board “… should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives”.
We don’t have to look too far to see how many failures there have been, regarding information and technology, to recognize that proper governance and management of information and technology is crucial.
It may be worth making a slight aside here to recognize that, in many ways, the information and technology profession(s) are perhaps less regulated than other professions; and before arms are thrown about and laptops shut, let’s explain this observation. Without a doubt, the I&T sphere has many applicable frameworks and standards, of which some are required to be addressed according to the law (e.g., Article 32 ‘Security of Processing’ of the GDPR). This, we might conclude, is a structural requirement, but when we look at the non-technical (‘technical’ in this case including hardware, software, protocols, firmware, IoT devices, AI, etc.) portion of I&T, it is the people side that interests us. It’s often been said that the most challenging aspect of change is the people element and that the biggest challenge facing I&T is the same.
At the same time, it is true that I&T includes extremely capable and knowledgeable people and that many of them are very well qualified. However, there is no recourse to any single professional disciplinary body if they fail, unlike, for example, doctors, lawyers, pilots, or accountants. This means that in organizations, we will often see educated and qualified people working without a common standard of defined ethics, behaviour, attitudes, responsibilities and accountabilities, or controls. We recognize that this should not be read as a blanket statement and that some exceptions do exist, but our point here is that it is not universal, which leads us to recognize the value of a global effort by way of a framework for the governance and management of I&T: COBIT 2019.
One framework won’t solve all our problems, but having one that is well thought out and can be adapted to our organization’s requirements is a great start. So, cutting a long introduction short, it should be clear to see why an organization would need an I&T governance and management framework like COBIT 2019.
Looking at organizations generally, they exist for a purpose, which is typically to provide some form of recognized, defined, and measurable value for their stakeholders. It is how they go about this that causes us to become interested in when they would need a framework such as COBIT 2019.
Central to this framework is the concept of creating stakeholder value, which is defined as “realizing benefits at an optimal resource cost while optimizing risk”. If you’re doing this effectively and efficiently already, then you might not need COBIT 2019. Otherwise, you should certainly look into it!
We also need to consider the challenges inherent in recognizing the freedom of organizations to meet their objectives of creating stakeholder value and how these must be balanced by the appropriate accountabilities, responsibilities, controls, actions, and so on. In many ways, this is the role of the organization’s governance and management system. Clearly, we’re interested in other areas of information and technology as well, but this still holds true.
We often hear that governance is about decisions, which is true, but that isn’t the whole picture. If we think about decision-making, we need to consider who makes the decisions, what decisions must be made, what criteria are needed to support our decision-making process, when decisions are made, how they are made binding, and how decisions are made in a consistent manner, what the likely impact of change is on the organization, competitors, industry, law, suppliers, and customers, etc. Here we see that decision-making if it is to be effective, efficient, consistent, and transparent, requires the support of a framework that will help us understand and ensure that it happens properly.
Here’s one way to get what’s needed across the governance and management of I&T. This diagram is meant purely to get you thinking about both management and governance from an organizational and operational perspective, without requiring the specific language of COBIT 2019. Later on, as you integrate the COBIT 2019 framework, you’ll see where this will play a central role and also provide prompts for related areas.
Thinking about when a company would need a framework like COBIT 2019, it’s worth considering the range of challenges that need to be addressed to establish an effective governance and management system for information and technology. One of the central areas of COBIT 2019 is the ‘Core Model’, which identifies 40 top-level governance and management objectives that must be met in order to establish, customize, and sustain an I&T governance and management system with several distinct components. These cover;
- Organizational structures
- Policies and procedures
- Culture and behaviour
- Skills and competencies
- Services, infrastructure, and applications
Knowing if and when your company should use COBIT 2019 will require a quick look at two activities that nearly every company will use in some form or another: governance and management. These shouldn’t be confused because they serve different purposes (very important), cover different activities, and require different structures within an organization in order to function effectively. If it isn’t clear as to which is which in your organization, this may be yet another indicator that you need to consider utilizing a framework like COBIT 2019.
Briefly, then, ‘governance’ is about three things:
- Ensuring that stakeholder needs, conditions, and options are properly evaluated to determine agreed enterprise objectives
- Setting direction to meet the organizational objectives through prioritization and decision-making
- Monitoring the performance and compliance of meeting the agreed-on objectives
This is different from ‘management’, which is about the planning, building, running, and monitoring of the activities undertaken to meet the objectives set through governance.
If this sounds reasonable, then you’ll likely be interested in how to address these using COBIT 2019. One of the first and potentially easiest ways to understand its applicability is to look at the Core Model, which has two main parts: governance objectives and management objectives. The governance objectives are grouped into a single domain known as ‘Evaluate, Direct, and Monitor (EDM)’, while the management objectives are grouped into four domains:
- Align, Plan, and Organize (APO), which addresses the overall organization, strategy and supporting activities of I&T
- Build, Acquire, and Implement (BAI), which deals with the definition, acquisition, and implementation of I&T solutions and their integration in business processes
- Deliver, Service, and Support (DSS), which addresses the operational delivery and support of I&T services, including security
- Monitor, Evaluate, and Assess (MEA), which addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives, and external requirements
Considering the very brief outline of the two domains of governance and management, and considering how your organization addresses these, you should be able to judge whether your organization would benefit from adopting COBIT 2019.
 Other countries have similar requirements e.g., Germany’s Accounting Standards Board, the US SEC requirements on company disclosure.
 Asset/compliance/service delivery diagram © Alan Simmonds (informed by C MacDougall)