What constitutes true adoption of COBIT 5? Is it a minimum condition that at least one principle of COBIT 5 is adopted for true adoption of COBIT 5? To answer this question, one must look at COBIT 5’s principles, in other words, its raison d’être. The five principles of COBIT 5 are Meeting Stakeholder Needs, Covering the Enterprise End-to-end, Applying a Single Integrated Framework, Enabling a Holistic Approach, and Separating Governance From Management.1 This article focuses on the Covering the Enterprise End-to-end and the Separating Governance From Management principles, or more specifically, how to enhance alignment of business and IT embodying the concept described by figures 1, 2 and 3 to address the questions stated previously: Is it a true adoption of COBIT 5 to simply change the processes of COBIT 4 into those of COBIT 5 as the basis of controls?2
From COBIT 4 to COBIT 5
Since October 2012, members of the COBIT study group (the “group”) of the ISACA Tokyo (Japan) Chapter have been meeting to explore case studies on the adoption of COBIT in Japanese enterprises. As part of this effort, the group conducted a web-based survey of all members of the ISACA chapters in Japan (Tokyo, Osaka, Nagoya and Fukuoka) regarding adoption and usage of COBIT in general and the use of COBIT 5.
The results of the survey indicated:
- 48 percent of respondents’ enterprises have adopted COBIT. Eighty percent of those enterprises have adopted COBIT 4.1 or an earlier version, and 20 percent use COBIT 5.
- 61 percent of the enterprises have adopted COBIT for complying with domestic and/or overseas regulations such as the US Sarbanes-Oxley Act of 2002 (SOX) or Japan’s equivalent, the revision of the Financial Instruments and Exchange Act of 2006 (J-SOX).
- 52 percent of the enterprises that have adopted COBIT 4.1, COBIT 4 or a previous version replied “No” or “Don’t Know” when asked about upgrading to COBIT 5.3
How does one interpret these results? Do enterprises in Japan not understand the value of COBIT 5? The survey suggests that 65 percent of the respondents generally understand all or part of COBIT 5, and one of the most important factors contributing to the popularity of COBIT may be introducing lessons learned from the experiences of other organizations that have adopted and use COBIT.4 Yet, in Japan, there are very few cases of adoption and usage of COBIT 5, possibly because most Japanese COBIT users depend on the Japanese versions and not much time has passed since the issuing of the Japanese version of COBIT 5.5
However, there is another issue to be considered: the widespread adoption of COBIT 4.1 and COBIT 4 in Japan, mentioned previously. Quite a few Japanese public enterprises have adopted COBIT 4.1 or COBIT 4 for the establishment of IT general controls in order to comply with the US or Japanese SOX acts. Thus, if an enterprise simply changes COBIT 4.1 or 4 into COBIT 5 as the basis of its controls for complying with regulation, does this mean that it has truly adopted COBIT 5, which intentionally avoids the concept of control objectives? If an enterprise has adopted COBIT 5 without the core of its principles, has it truly adopted COBIT 5? A necessary condition for true adoption of COBIT 5 would be introducing at least one principle of COBIT 5.
Of the five COBIT 5 principles, Covering the Enterprise End-to-end and Separating Governance From Management can be more easily implemented into real organizational structures of enterprises than the others.
Relationship of Governance and Management
Three COBIT 5 figures illustrate the principles of Covering the Enterprise End-to-end and Separating Governance From Management (figures 1, 2 and 3).
The relationship between governance and management described in these figures is clear and provides a better understanding of the core elements of COBIT 5. So how can one adapt this concept to actual organizational functions? Especially for relationships among processes, figure 3 reminds users to utilize input/output (I/O) flows/networks. Since its legacy versions, COBIT has explained the relationships among activities in several processes systematically and organically, showing I/O flows/networks, which is one of the strongest points of difference from other frameworks, guidelines or standards. However, COBIT 5 has transformed its I/O flows/networks, changing the unit of I/O relationships from processes in COBIT 4.1 to management practices. Thus, I/O flows/networks to support the governance management cycle must be traced back to processes as outlined in the conceptual model of business case processes in the article “The Business Case as an Operational Management Instrument—A Process View”6 (the “article”) because:
- The business case processes discussed in the article can be used as a mechanism for improving IT-related investments in enterprises.7, 8 Through assessment of IT-related investments, business case processes are critical management mechanisms for the enhancement of alignment between business and IT, which has been the most important theme of COBIT since its legacy versions and continues in COBIT 5. This is repeatedly emphasized in its principle of Covering the Enterprise End-to-end, and it is elaborated within the goals cascade concept.9
- It is important to grasp the relationships between a business case and COBIT 5 mapping business case processes to COBIT 5: Enabling Processes. Indeed, COBIT 5 does not mention I/O flows/networks, but it presents a starting point for considering the flows/networks.10
- The difficulty of adoption and review of business cases and their accommodation in enterprises provides an opportunity to consider how to recognize to-be activities that promote and improve critical management mechanisms such as business case processes in the governance management cycle in COBIT 5.11
Furthermore, some elements offer double-loop learning, which is recommended for organizational learning in the plan-do-check-act (PDCA) cycle for the achievement of an organization’s objectives.12 Under the concept of double-loop learning, an organization should not only learn direct lessons from the results of its actions for achieving its objectives and take corrective actions for improving its tactics, but also reconsider the probabilities of changes of backgrounds or environments around it and the appropriateness of its strategies, which are the basis of its tactics. The organization should then modify its strategies, organizational structure and critical management mechanism if needed.
If enterprises only rotate the PDCA cycle for improving the individual investment program in which they develop, maintain and review the business cases for them, they are conducting single-loop learning. However, if they also rotate another PDCA cycle at a higher level, reconsider internal and external environments around them and their strategies, and accommodate business case processes, they are conducting double-loop learning.
COBIT 4 and 4.1 insist on a PDCA cycle for IT governance structures as a whole (the plan, build, run and monitor [PBRM] cycle); however, they do not definitively explain the definition of and difference between the two types of PDCA cycles, stated previously, as related to the concept of double-loop learning.
COBIT 5 APO05, which uses the words “business case” most out of all the processes, explains how enterprises accomplish effectiveness of investment programs using business cases. Here one can read a single-loop learning or single PDCA cycle for the assessment of an investment program; however, it may be hard to gain insight into the existence of the concept of double-loop learning with another PDCA cycle for improvement of business case processes for effectiveness of investment programs.
COBIT 5 has evolved the PBRM cycle of COBIT 4 and 4.1, deemed to be mainly applied to the IT division of enterprises, to the governance management cycle of COBIT 5 with more involvement of top management and business-side executives. Thus, the concept of double-loop learning, a PDCA cycle of monitoring backgrounds or environments around enterprises, evaluating their strategies, and directing improvement of critical management mechanisms, such as business case processes by a governing body, are more definitively recognized in COBIT 5’s governance management cycle.
Based on these considerations, COBIT 5: Enabling Processes and its governance management cycle can be used to promote and improve business case processes. And, in doing so, one takes COBIT guidance beyond its traditional use, from COBIT 4/4.1, as a basis of controls in enterprises, as follows:
- Trace I/O mappings from the management practices of COBIT 5 mapped from business case practices to relevant processes and management practices in the Evaluate, Direct and Monitor (EDM) domain. Because solving issues such as difficulties of implementation and promotion of a critical management mechanism (i.e., business cases) needs high-level decisions and actions, which are explained in the EDM domain, is one able to find any to-be activities or a PDCA cycle for solving these issues, elements of double-loop learning?
- Connect the results of the trial by completing the mapping for the governance management cycle, because mapping only management practices does not provide the meaning of a strong point of the governance management cycle—in other words, a principle of COBIT 5 itself. And, these can be considered to-be activities that promote and improve business case processes.
- Extract recommendations for establishing a governance management cycle using COBIT 5, i.e., adopting COBIT 5.
Tracing Input/Output Flows/Networks
The burden for tracing I/O flows/networks of COBIT 5 has been increased drastically. To avoid the burden, the following can be applied:
- Refer to the COBIT 5 management practices that are mapped from business case practices in the article as the “starting practices.”
- Trace I/O practices of the starting practices (trace level 1).
- Trace Input practices of the Input practices of the starting practices.
- Omit tracing Input practices of the Output practices of the starting practices.
- Trace Output practices of the Output practices of the starting practices.
- Omit tracing Output practices of the Input practices of the starting practices (trace level 2).
- If reaching columns of “From” for “Inputs” or “To” for “Outputs” in which content is blank or does not describe certain practices, such as “outside COBIT” or “internal,” stop tracing.
- Continue tracing until reaching any of the management practices in the EDM domain in one chain of tracing from one starting practice; stop tracing.
- If reaching the management practices that are included in the flows already traced to management practices in the EDM domain, stop tracing to avoid overlapping.
Hereafter, the result of tracing I/O flows/networks in this manner is described and interpreted in the context of improving the business case processes (for more details, see figures 4 and 5).
Completing Governance Management Cycle
As a result, one can find activities at the governance level for promotion and improvement of business case processes in the inputs of management practices of EDM03.03 Remedial actions to address risk management deviations and EDM04.03 Remedial actions to address resource management deviations by tracing I/O flows/networks from COBIT 5 management practices mapped from business case processes. The processes seem to include not only a PDCA cycle for improvement of activities for individual objectives using business cases, such as risk assessment and resource management for programs, but also a PDCA cycle for improvement of the business case as a critical management mechanism.
However, it is still unclear whether the latter PDCA cycle, or elements of double-loop learning in the governance management cycle, was developed by tracing I/O flows/networks. Nonetheless, there should be a closed governance management cycle where Output flows are connected with Input flows/networks via management practices in the EDM processes, which monitor and evaluate the effectiveness of a critical management mechanism and direct improvement of it.
Then, how should one connect management practices in processes in the EDM domain as destinations for the tracing of I/O flows/networks in the context of promoting critical management mechanisms such as business case processes?
There are several practices of business case process accommodation (BCPA)13 to accommodate or promote business case processes. However, most of those practices are not mapped to COBIT 5 management practices. Thus, one can map BCPA practices to relevant COBIT 5 management practices to search those that could connect Output and Input flows.
When examining the content of BCPA practices and comparing several management practices of COBIT 5, certain similarities are discovered between BCPA practices and management practices in APO01, including:
- BCPA01: APO01.01 Define the organizational structure
- BCPA02-05: APO01.03 Maintain the enablers of the management system
- BCPA06: APO01.07 Manage continual improvement of processes
- BCPA07: APO01.03 Maintain the enablers of the management system
- BCPA08: APO01.04 Communicate management objectives and direction
- BCPA09: APO01.07 Manage continual improvement of processes
This is illustrated in more detail in figure 6.
It is possible to properly map BCPA practices to management practices in APO01, and this is a primary process to be mapped to BCPA practices, although the scope or granularity of the management practices in APO01 may be more or less broad for the special purposes of business case processes. Once there is an understanding of business cases and the business case processes enabler, one can recognize APO01.03 as the core management practice in which issues in promoting business cases converge.
With additional tracing of Input flows from the mapped management practices for confirming the closest EDM process of APO01, it can be seen that EDM01 is the common Input process of APO01.01, APO01.03, APO01.04 and APO01.07 mapped from the BCPA activities noted. EDM01 should be regarded as the process superior to APO01.
As the results of the mapping trial and additional tracing of Input practices from the mapped practices show, one would choose EDM01.01 Evaluate the governance system, EDM01.02 Direct the governance system, EDM01.03 Monitor the governance system and APO01.03 Maintain the enablers of the management system as common pieces for connecting Input and Output flows and completing a closed governance management cycle, because the business case can be one of the enablers of the management system.
Adding to EDM01 and APO01 (APO01.03), one can customize a closed governance management cycle as follows (figures 7 and 8):
- EDM practices in Output flows (EDM02.01, EDM03.01 and EDM04.01) deliver their activities’ results regarding monitoring and evaluation of business case performance to EDM01.03 for monitoring the governance system regarding business cases.
- EDM01.03 delivers its monitoring results regarding the governance system for business cases to EDM01.01 for evaluating the governance system for business cases.
- EDM01.01 delivers its evaluating results regarding the governance system for business cases to EDM01.02 for directing the governance system for business cases.
- EDM01.02 delivers its directions regarding the governance system for business cases to APO01.03 for maintaining business cases as one of the enablers of the management system (transformation from governance into management system).
- APO01.03 delivers its activities and results regarding the enhancement of business cases to EDM practices in Input flows (EDM01.02, EDM02.01, EDM02.02, EDM02.03, EDM03.03 and EDM04.03) for their activities regarding business case usage.
Conclusion
COBIT 5 is intended to establish and promote governance of enterprise IT (GEIT), which is the evolution of IT governance—mainly applied only to the IT division of an enterprise—for closer alignment between business and IT. As a result, the enterprisewide PDCA cycle has also evolved to the governance management cycle in COBIT 5. Therefore, true adoption of COBIT 5 inevitably requires the establishment of the cycle in which a governing body should monitor backgrounds or environments around enterprises, evaluate their strategies and direct improvement of critical management mechanisms, such as business case processes, under the concept of double-loop learning.
For adoption of the cycle in practical use, COBIT 5 users need to explore the enabling processes and I/O flows/networks drastically expanded from those of COBIT 4.1 and COBIT 4 in order not to lose their way and to avoid too much burden.
To navigate the deep forest of I/O flows/networks and hunt for treasures in COBIT 5: Enabling Processes, the user should:
- Trace I/O flows/networks with the intention of determining objective policies and rules with rationales for solving certain issues that an enterprise is facing. I/O flows/networks are needed for transforming the abstract and conceptual flows/networks into practical value chains for users in the real world
- Customize the content of the relevant processes and I/O flows/networks (as simply as possible) for establishing a governance management cycle for promoting critical enablers of management systems, such as business case processes focusing on APO01.03 and other management practices in APO01
Endnotes
1 ISACA, COBIT 5, USA, 2012, p. 13-33
2 Ibid., p. 24, 32-33
3 The result of the survey on understanding the use of COBIT in Japan. ISACA Tokyo Chapter, September 2014
4 Ibid.
5 The Japanese version of COBIT 5 was released in January 2013.
6 Maes, K.; S. De Haes; W. Van Grembergen; “The Business Case as an Operational Management Instrument—A Process View,” ISACA Journal, vol. 4, 2014, http://h04.v6pu.com/resources/isaca-journal/issues
7 ISACA, Enterprise Value: Governance of IT Investment Business Case, USA, 2008 h04.v6pu.com
8 ISACA, The Business Case Guide: Using Val IT 2.0, USA, 2010, h04.v6pu.com
9 Op cit, Maes, et al.
10 Ibid.
11 Ibid.
12 Argyris, C.; D. Schon; Organizational Learning: A Theory of Action Perspective, Addison-Wesley, June 1978
13 Op cit, Maes, et al.
Makoto Miyazaki, CISA, CPA, is the manager of the internal audit office of Toukei Computer Company. He was previously an IT auditor at The Bank of Tokyo-Mitsubishi, UFJ.