Article
Avinash Kadam [CISA, CISM, CGEIT, CRISC] Advisor to the ISACA India Task Force
Why Do We Need the COBIT 5 Business Framework?

Introduction

In today’s complex world, there are a number of standards and frameworks issued by various institutions, each with its own specific objectives. Some of the prominent ones among this plethora of standards and frameworks are ITIL, ISO 27001, PMBOK and TOGAF. Each of these is designed to meet the specific requirements of its user community, and each has a specific depth and breadth of coverage in a specific focused area. Until now there was no single holistic framework that could integrate the other standards and frameworks, cover the enterprise end to end and meet the needs of all stakeholders. The COBIT framework fills that need. The recently released COBIT 5[1] is the comprehensive business framework created by ISACA for the governance and management of enterprise IT. COBIT 5 is a single, integrated framework which integrates and aligns with other frameworks and is focused on enabling the goal of meeting business requirements. This article provides an overview of the five principles of COBIT 5 and explains why the COBIT 5 framework is indispensable for every enterprise using IT for its business.
What Is a Framework?

“Framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful.”[2] We need frameworks because they provide a structure for consistent guidance. So, if we need guidance about information security, we use the ISO 27000 series of standards, which together constitute an information security framework. If we need to design IT-enabled services, we use ITIL for guidance. Similarly, when it comes to project management, we use PMBOK. For software architecture, we use TOGAF. All these niche standards can be integrated under the umbrella framework of COBIT 5. COBIT 5 is a holistic business framework for the governance and management of enterprise IT in its entirety. The COBIT 5 framework is based on five principles, which are explained hereafter.
Figure: COBIT 5 Principles: 1. Meeting Stakeholder Needs; 2. Covering the Enterprise End-to-end; 3. Applying a Single Integrated Framework; 4. Enabling a Holistic Approach; 5. Separating Governance From Management. Source: ISACA, COBIT 5, 2012, www.isaca.org/cobit. Used with permission.

Principle 1: Meeting Stakeholder Needs

An enterprise has a number of stakeholders, both internal and external.
For example, a bank has management and employees who are the internal stakeholders, and customers, partners, suppliers, government and regulators are the external stakeholders. These stakeholders have different and sometimes conflicting needs. Employees want job security, management wants productivity, customers want stability of the bank and good returns on their investments and regulators want strict adherence to the regulations and laws. The decision of the bank to invest in modernisation of IT to provide online banking facilities will have different meanings for different stakeholders. Employees will be worried about their jobs, management will be concerned about the selection of the right technology and quick returns on the investment, customers will be happy that they will get better service but, at the same time, worried about security and privacy of their information, and regulators will be keenly watching whether the bank is complying with all the regulations. To meet the diverse requirements of internal and external stakeholders, it is critical to keep in mind not only the management perspective, but also the governance perspective, when implementing IT. The objective of governance is to make a balanced decision, keeping all stakeholders’ interests in mind. The governance team represents all the stakeholders and is composed of the board of directors headed by the Chairman. The ultimate objective of governance is to create value for the enterprise. This value creation leads to benefit realisation for the enterprise. Not all stakeholders can be
happy with every decision. Governance is about negotiating and deciding amongst different stakeholders’ value interests. Every decision will have a different impact. For example, adoption of cloud computing for banks will reduce investment in infrastructure, thereby reducing capital investment and increasing profitability. However, it will increase the security concerns for customers. Regulators will be concerned about the location of the data and whether there is a cross-border flow of customer information in breach of the IT Act. So governance has to optimise not only the resources but also the risks to realise the benefits. At the same time, it also has to do a balancing act of keeping all the stakeholders’ needs in mind while pursuing the goal of value creation.
How Is This Accomplished by COBIT 5?

COBIT 5 has identified a large number of stakeholders’ questions for such situations. These questions lead us to the selection of the enterprise goals. How can a framework know what goals an enterprise may have? COBIT 5, as a business framework, uses the approach of the balanced scorecard (BSC). As per BSC principles, an enterprise has to balance its goals in four dimensions: financial, customer, internal, and learning and growth. An enterprise that has only financial goals, but no goals from the remaining three dimensions, might soon fail because its goals are not balanced. In our example of modernising IT for the bank, the enterprise goals could be:

Financial dimension:
1. Managed business risk (safeguarding of assets)
2. Compliance with external laws and regulations

Customer dimension:
1. Customer-oriented service culture
2. Agile response to a changing business environment
3. Business service continuity and availability

Internal dimension:
1. Optimisation of business process functionality
2. Optimisation of business process costs
3. Operational and staff productivity
CSI Communications | October 2012 | 25
Learning and growth:
1. Skilled and motivated people
2. Product and business innovation culture

These enterprise goals are business oriented and are required for enterprise governance. We need to convert them into IT-related goals that can be pursued for IT governance. COBIT 5 provides a matrix relating enterprise goals to IT-related goals. The IT-related goals are again based on the BSC principle. Using the matrix, we can identify the following IT-related goals.

Financial:
1. Alignment of IT and business strategy
2. IT compliance and support for business compliance with external laws and regulations
3. Managed IT-related business risk
4. Realised benefits from IT-enabled investments and service portfolio
5. Transparency of IT costs, benefits and risk

Customer:
1. Adequate use of applications, information and technology solutions

Internal:
1. IT agility
2. Security of information and processing infrastructure and applications
3. Optimisation of IT assets, resources and capabilities
4. Enablement and support of business processes by integrating applications and technology into business processes

Learning and growth:
1. Competent and motivated IT personnel
2. Knowledge, expertise and initiative for business innovation

It is not necessary to pursue each and every one of these goals simultaneously. Governance is also about prioritisation. The bank can select specific goals to be pursued on higher priority. Armed with the selected IT-related goals, we can then identify specific enabler goals from the seven enablers identified by COBIT 5. These enablers are listed under principle no. 4 below. Specifically, enabler no. 2, “processes”, provides a detailed mapping of IT-related goals to governance and management processes. This helps in selecting the right processes and practices to achieve these IT-related goals. There are 37 processes in total to guide us.
Principle 2: Covering the Enterprise End to End

In the early days of computer adoption, the IT department was responsible for the ‘IT function’. Data was sent to the IT department and processed reports were sent back. This is no longer the case. Information has become one of the critical assets of the organisation, and it is rightly said that in the information age, information is the currency of the enterprise. Every action and decision depends on the availability of the right information at the right time. COBIT 5 has taken this view and integrated governance of enterprise IT into enterprise governance. It not only focuses on the IT function, but also treats information and related technologies as assets like any other asset of the enterprise. This enterprise-wide approach is made possible by providing enterprise-wide governance enablers such as a uniform framework, principles, structures, processes and practices. It also requires considering the enterprise’s resources, e.g. service capabilities, people and information. Information itself is a key enabler. Every stakeholder has different needs for information. A bank customer will require very specific information; the banker will require a different type of information to perform their task. COBIT 5 enables every stakeholder to define extensive and complete requirements for information and its life cycle. This helps the IT function to identify and support all stakeholders’ needs for information. COBIT 5 also provides detailed roles, activities and relationships between stakeholders, the governing body, management, operations and the execution team, so that there is a clear idea of accountability and responsibility and no confusion. This is done by providing RACI charts (Responsible, Accountable, Consulted and Informed) for each key governance and management practice.
Principle 3: Applying a Single Integrated Framework

ISACA, a non-profit global association of 100,000 IT professionals in 180 countries, has always strived to create best practices for the IT profession. This has been a collaborative effort of numerous experts and practitioners. The collective effort created a number of valuable frameworks such as COBIT 4.1, Val IT 2.0, Risk IT and the Business Model for Information Security (BMIS). All these frameworks and models have now been integrated into COBIT 5, a comprehensive business framework at a macro level. However, this does not preclude the use of other niche standards and frameworks dealing with specialised areas, which can be integrated under COBIT. COBIT 5 aligns itself very well with other relevant standards and frameworks such as ISO 27000, ITIL, ISO, PMBOK and TOGAF, so as to provide guidance on governance and management of enterprise IT while keeping the overall focus of a business framework. This is a very important aspect, as technical persons may get too focused on detailed technical activities and ignore the main business objective. COBIT 5 ensures that you do not lose sight of the overall enterprise goals of meeting stakeholders’ needs while pursuing IT-related goals.
Principle 4: Enabling a Holistic Approach

ISACA believes that one cannot achieve enterprise goals through technical processes alone. To bring this thinking into clear focus, COBIT 5 has defined seven enterprise enablers:
1. Principles, policies and framework
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

These enablers were briefly explained in the previous article, published in the CSI Communications September 2012 issue[3]. Each enabler has four dimensions: stakeholders, goals, life cycle and good practices. Enabler performance can be managed by defining metrics for the achievement of goals as well as metrics for the application of practices. This helps us to monitor whether we are on the right track and to measure the progress made toward achieving these goals. For example, the quality of information available to the bank customer should improve substantially by adopting modern IT infrastructure and improved processes. This should be measured to identify whether the enablers have actually contributed toward better information quality, achieved through effective governance and management of enterprise IT.
Principle 5: Separating Governance from Management

We discussed this principle in the September article[3]. Governance responsibility is to evaluate stakeholder needs, conditions and options; decide on balanced, agreed-on enterprise objectives; and set the direction for the enterprise. This alone is not enough. Governance also requires monitoring performance and compliance against the agreed-on direction and objectives. To help governance of enterprise IT, COBIT 5 has identified five distinct governance processes under the EDM (Evaluate, Direct and Monitor) domain. These processes make the task of governance of enterprise IT very well organised. Management of enterprise IT requires a number of processes to be applied. The four areas of management responsibility are Plan, Build, Run and Monitor. These are elaborated into the following domains:

Plan - APO (Align, Plan and Organise)
Build - BAI (Build, Acquire and Implement)
Run - DSS (Deliver, Service and Support)
Monitor - MEA (Monitor, Evaluate and Assess)

These four domains together have a total of 32 management processes. Each process has a link with IT-related goals, clearly defined goals and metrics, RACI charts, management practices, inputs/outputs and activities.

To date, ISACA has published the following documents to help in understanding and implementing COBIT 5:
1. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
2. COBIT 5: Enabling Processes
3. COBIT 5 Implementation
4. COBIT 5 for Information Security

Other forthcoming publications are COBIT 5: Enabling Information and other enabler guides, COBIT 5 for Assurance, COBIT 5 for Risk and other practitioner guides. There is also an India-specific document published by ISACA: Securing Sensitive Personal Data or Information: Using COBIT 5 for India’s IT Act[4]. ISACA plans to bring out other India-specific publications to facilitate COBIT 5 implementation in Indian enterprises.

Conclusion

Governance is the need of the hour, as is amply demonstrated by the failure of various enterprises that did not have an effective governance framework. Research has confirmed that enterprises which have effective governance in place are more successful and command a higher premium in the market. COBIT 5 is not just another framework but a holistic business framework essential for the governance and management of enterprise IT. With the growing importance of IT in enterprises, the huge investments being made in e-Business and e-Governance projects, and the e-way becoming the highway for all core business processes, it is essential that each one of us learns how to use COBIT 5 so that we become more effective and can contribute in our chosen area of work to achieving the enterprise’s business goals.

Avinash Kadam, CISA, CISM, CGEIT, CRISC, is currently advisor to the ISACA India Task Force. He is also a past international vice president of the association. He can be contacted via e-mail at [email protected]. Opinions expressed in the blog are his personal opinions and do not necessarily reflect the views of ISACA.
References
[1] www.isaca.org/cobit
[2] http://whatis.techtarget.com/definition/framework
[3] http://www.csi-india.org/web/csi/ (Printed version: CSI Communications, ISSN 0970-647X | Volume No. 36 | Issue No. 6 | September 2012)
[4] http://www.isaca.org/KnowledgeCenter/
Continued from Page 7

software. Tuners such as the Guitar Pro tuner use very simple algorithms and take the most pronounced frequency to be the fundamental frequency, and hence can be inaccurate at times. But the tuner module in AGTAB suffers no such flaws and proved to be 100% accurate in testing.
Conclusion

The idea of developing something like AGTAB started when one of the teammates asked another why there wasn’t a computer-based guitar tabs generator. The aim of the team was not to make a 100% accurate, fully functioning tabs generator, but a tabs generator that proved tabulation could be automated and that this had its advantages. The software has potential application in the music industry if created and distributed commercially. Musicians would no longer have to waste their time on tabulation, which is very tiresome for someone who isn’t familiar with computers.
As mentioned above, AGTAB does have its flaws, being the first of its kind. A simple solution to overcome AGTAB’s inability to detect guitar effects is to have the user specify these effects explicitly using buttons. This solution, however, takes away the concept of the software being fully automated. So the designers have set that idea aside and come up with a whole new algorithm called frequency pattern recognition (described earlier under “Detection of Frequency-B”), which is expected not to have any of the shortcomings listed above. The algorithm stores patterns based on the amplitude vs. frequency graph of the various notes and effects. These can be compared against the input to obtain the proper output. Though AGTAB only deals with guitar and keyboards, it can be extended, though not so easily, to other instruments such as drums. Recording drum beats requires costly recording hardware, which is not always available outside high-end studios. So usually in other studios the drum beats are programmed, which takes a lot of time and effort. With the extension of AGTAB to drums, the drummer could play the drums and the software could automatically generate the programmed drum beats. This gives the drummer more freedom in the sort of beats they can create.