Using COBIT for IT Organizational Design

Author: Azhar Zia-ur-Rehman, CISA, CRISC, CISM, ISO 27001 LA
Date Published: 14 December 2016

The organizational structure of an IT department is usually the result of a series of changes, trials, experiments and political manipulations. It is often adjusted to suit or accommodate individuals. As a result, the organization is sometimes cumbersome and the cause of problems, inefficiency and excess cost.

The process described herein has been developed from experience gained by participating in numerous efforts to redesign and transform IT organizations.

Step 1: Select the Standards

The primary objective is to deliver value to stakeholders from IT-enabled investments. The organizational design should follow standards and good practices so that the resulting design is easy to defend and noncontroversial. Start by selecting from the following set of frameworks, standards and good practices:

  • COBIT 5—Ensures that all aspects of IT are covered in terms of processes as well as tasks. COBIT 5 also provides the structure needed to ensure that alignment exists from stakeholder requirements through the enterprise and IT-related goals to all enablers.
  • Skills Framework for the Information Age (SFIA V6)—Ensures that all skills that are required have been included and are reflected in the design of job descriptions
  • ISO/IEC 38500:2015—Covers the IT governance aspects in detail
  • ISO/IEC 20000:2011—Covers the service management aspects in detail
  • ISO/IEC 27001:2013—Covers the information security aspects in detail

Some organizations may prefer to add more standards, good practices or local regulations, codes or laws. One of the very helpful codes in this regard is King III (soon to be King IV), which is the corporate governance code from South Africa. It can be used anywhere to design a robust IT governance system.

Of the 5 previously listed frameworks, standards and good practices, the first 2 cannot be neglected. Senior management may decide not to consider the remaining 3.

Step 2: The First Iteration

The first iteration of the functional organization comes straight from COBIT 5 and consists of the following functional elements:

  • Board of directors (BoD)
  • Strategy executive committee of the BoD
  • Steering committee (reporting to the chief executive officer [CEO])
  • CEO
  • Chief information officer (CIO)
  • Evaluate, Direct and Monitor (EDM) domain
  • Align, Plan and Organize (APO) domain
  • Build, Acquire and Implement (BAI) domain
  • Deliver, Service and Support (DSS) domain
  • Monitor, Evaluate and Assess (MEA) domain

The outputs from each of these are listed in figure 1.

[Figure 1—Outputs of COBIT 5 Processes. Source: ISACA, COBIT 5: Enabling Processes, figure 11, USA, 2012]

The accountabilities and responsibilities of these are listed in the various responsible, accountable, consulted and informed (RACI) charts in COBIT 5: Enabling Processes. The accountabilities and responsibilities of the BoD, the strategy committee, the steering committee and all the chief officers (CxOs) can be compiled at this stage from the various RACI charts. The "Activities" listed under the respective processes in the EDM domain spell out the activities in which these entities have to be involved.

SFIA V6 can then be used to ensure that all skills needed by these entities have been accounted for and are possessed by various stakeholders.

At the conclusion of this step, the accountabilities, responsibilities and activities of the BoD, the strategy committee, the steering committee and the CxOs have been decided and documented.

Step 3: Design the APO, BAI and DSS Sections

The APO, BAI and DSS domains consist of many subdomains (called processes in COBIT 5) and, ideally, may form sections as described in figures 2, 3 and 4.

[Figure 2—Align, Plan and Organize Domain. Source: ISACA, COBIT 5, USA, 2012]

These COBIT 5 processes may need to be grouped to reduce the number of sections and, therefore, the head count. However, in large organizations, each process may be a section by itself. The following are just logical suggestions for possible groupings:

  • APO01 and APO02 may be combined to form a section titled “IT Strategy.”
  • APO03 and APO04 can be combined in a section titled “IT Innovation.”
  • APO05, APO06 and APO07 can, ideally, form the “IT Project Management Office (PMO)” section.
  • APO08, APO09 and APO10 can be combined to form the “Service Level Management” section.
  • APO11 and APO12 can be grouped under the “IT Assurance” section.
  • APO13 forms the “Information Security” (not “IT Security”) section.

[Figure 3—Build, Acquire and Implement Domain. Source: ISACA, COBIT 5, USA, 2012]

  • BAI01 joins the “IT PMO” section, along with APO05, APO06 and APO07 in a medium-sized IT setup. However, it may be a separate section where in-house development is done on a large scale.
  • BAI02, BAI03 and BAI04 should ideally join under a section possibly titled “Application Design.”
  • BAI05, BAI06 and BAI07 form the “IT Change Management” section.
  • BAI08, BAI09 and BAI10 go under the “Asset and Configuration Management” section.

[Figure 4—Deliver, Service and Support Domain. Source: ISACA, COBIT 5, USA, 2012]

  • DSS01 forms the very important “IT Operations” section.
  • DSS02 and DSS03 combine in the “Incident and Problem Management” section.
  • DSS04 becomes the “Continuity Management” section.
  • DSS05 becomes the “IT Security” (not “Information Security”) section.
  • DSS06 forms the “Controls Management” section.

In small IT organizations, these processes may be combined further, taking care that some segregation is maintained and all listed activities and all related metrics have been assigned.

Step 4: Design the MEA Section

Medium-sized and large IT setups should preferably have an IT assurance section that ensures that IT governance is being done within the IT setup. It should coordinate with internal audit in the planning and conduct of technology audits. It should also coordinate with the corporate compliance department in the planning, implementation and monitoring of laws, codes, standards and good practices.

In small IT shops, the MEA section can be either part of internal audit or split between internal audit and corporate compliance.

However, in any case, the activities and the related metrics need to be assigned completely.

Step 5: Design the Job Descriptions

Having designed the organization structure, it is necessary to design the respective job descriptions. Job descriptions can be created as a combination of the activities and the related metrics given by COBIT 5 and the activities listed in SFIA V6.

The following has to be ensured to finalize the job descriptions:

  • All activities in COBIT 5 have been assigned.
  • All related metrics in COBIT 5 have been assigned.
  • All skills at all levels of responsibility listed in SFIA V6 have been assigned.

Any activities, related metrics and skills (at any level of responsibility) that have not been assigned should be listed and their nonassignment justified.
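The checks in Steps 3 and 5 (every process placed in a section, every activity, metric and skill level assigned to some job description, unassigned items listed for justification) and the segregation-of-duties caveat are mechanical enough to script. The following is an added example, not code from the article or from ISACA: it encodes the Step 3 groupings exactly as listed above, then runs the completeness and segregation checks over a small constructed catalogue. The process identifiers are COBIT 5's own; the activity, metric and skill identifiers, the job descriptions and the incompatible activity pair are constructed placeholders standing in for the real COBIT 5 and SFIA V6 entries.

```python
from dataclasses import dataclass, field

# Step 3 groupings as given in the article (COBIT 5 process -> section).
SECTIONS = {
    "IT Strategy": {"APO01", "APO02"},
    "IT Innovation": {"APO03", "APO04"},
    "IT PMO": {"APO05", "APO06", "APO07", "BAI01"},
    "Service Level Management": {"APO08", "APO09", "APO10"},
    "IT Assurance": {"APO11", "APO12"},
    "Information Security": {"APO13"},
    "Application Design": {"BAI02", "BAI03", "BAI04"},
    "IT Change Management": {"BAI05", "BAI06", "BAI07"},
    "Asset and Configuration Management": {"BAI08", "BAI09", "BAI10"},
    "IT Operations": {"DSS01"},
    "Incident and Problem Management": {"DSS02", "DSS03"},
    "Continuity Management": {"DSS04"},
    "IT Security": {"DSS05"},
    "Controls Management": {"DSS06"},
}

# The APO, BAI and DSS processes the article covers.
ALL_PROCESSES = (
    {f"APO{i:02d}" for i in range(1, 14)}
    | {f"BAI{i:02d}" for i in range(1, 11)}
    | {f"DSS{i:02d}" for i in range(1, 7)}
)


def process_assignment_gaps(sections, all_processes):
    """Step 3 check: return (unassigned, duplicated) where unassigned lists
    processes in no section and duplicated maps a process to every section
    that claims it when there is more than one."""
    seen = {}
    for section, procs in sections.items():
        for p in procs:
            seen.setdefault(p, []).append(section)
    unassigned = sorted(all_processes - seen.keys())
    duplicated = {p: s for p, s in seen.items() if len(s) > 1}
    return unassigned, duplicated


@dataclass
class JobDescription:
    title: str
    section: str
    activities: set = field(default_factory=set)
    metrics: set = field(default_factory=set)
    skills: set = field(default_factory=set)   # (skill code, responsibility level)


def coverage_gaps(catalogue, jobs):
    """Step 5 check: every catalogue item (activities, metrics and skills at
    each responsibility level) must appear in at least one job description.
    Returns the unassigned items per kind, ready for the justification list."""
    gaps = {}
    for kind, items in catalogue.items():
        assigned = set().union(*(getattr(j, kind) for j in jobs)) if jobs else set()
        gaps[kind] = sorted(items - assigned)
    return gaps


def segregation_conflicts(jobs, incompatible):
    """Flag any single job description that holds both halves of an activity
    pair the design requires to be kept in separate hands."""
    return [
        (job.title, a, b)
        for job in jobs
        for a, b in incompatible
        if a in job.activities and b in job.activities
    ]


# Constructed sample catalogue and job descriptions (placeholders, not COBIT/SFIA text).
CATALOGUE = {
    "activities": {"APO13-a1", "APO13-a2", "DSS05-a1", "DSS05-a2", "BAI06-a1", "DSS06-a1"},
    "metrics": {"APO13-m1", "DSS05-m1", "BAI06-m1"},
    "skills": {("SEC-POLICY", 5), ("SEC-ADMIN", 4), ("CHANGE-MGMT", 4), ("CHANGE-MGMT", 5)},
}
JOBS = [
    JobDescription("Information Security Manager", "Information Security",
                   {"APO13-a1", "APO13-a2"}, {"APO13-m1"}, {("SEC-POLICY", 5)}),
    JobDescription("IT Security Administrator", "IT Security",
                   {"DSS05-a1"}, {"DSS05-m1"}, {("SEC-ADMIN", 4)}),
    JobDescription("Change Manager", "IT Change Management",
                   {"BAI06-a1", "DSS06-a1"}, set(), {("CHANGE-MGMT", 4)}),
]
# Constructed pair: approving a change versus attesting the control over it.
INCOMPATIBLE = [("BAI06-a1", "DSS06-a1")]

if __name__ == "__main__":
    print("process gaps:", process_assignment_gaps(SECTIONS, ALL_PROCESSES))
    print("unassigned items:", coverage_gaps(CATALOGUE, JOBS))
    print("segregation conflicts:", segregation_conflicts(JOBS, INCOMPATIBLE))
```

On the sample data the Step 3 grouping is complete with no process in two sections, while the Step 5 check reports one unassigned activity, one unassigned metric and one unassigned skill level for the justification list, and the segregation check shows the Change Manager holding both halves of the incompatible pair, which is exactly the kind of finding the article says must not be traded away to accommodate individuals.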

Step 6: Revise the IT Processes

The job descriptions should be synchronized with the IT processes. Therefore, it is necessary that all IT processes are reviewed and the responsibilities therein reassigned to conform to the new job descriptions.

IT organization design and maintenance is best done using proper tools. The capabilities required include:

  • Process management
  • Enterprise architecture
  • Risk management

Many governance, risk management and compliance (GRC) tools have been assessed and analyzed from the perspective of using them for organization design. A GRC tool that has strong process management capabilities integrated with risk management and enterprise architecture is a must. It is ideal if, in addition, that suite of tools supports a maturity assessment.

The 6-step process described in this article has been used in designing the organization structures in many organizations, big and small, and it works. The activity may take weeks in large organizations and can be as short as a week in small ones. In using this methodology, there is a need for synchronization between the activities listed in COBIT 5 and the skills described in SFIA V6 at different levels of responsibility.

Any reorganization deals directly with humans and there is a human factor that may, at times, oppose the recommendations of this methodology. This factor needs to be considered only to the extent that it does not interfere with the requirements of segregation of duties.

The final recommendation is that the organization design be done as per theory and then fine-tuned to accommodate the politics.

Azhar Zia-ur-Rehman, CISA, CRISC, CISM, ISO 27001 LA, is an experienced auditor and consultant offering services in the domains of corporate governance, IT governance, information security management and enterprise transformation. He specializes in the automation of corporate governance. He is presently writing a book on technology governance. He has used COBIT in numerous projects for auditing IT governance, designing and implementing IT governance structures and processes, and transforming IT. He has worked in many verticals including telecommunications, petroleum, manufacturing, heavy engineering, construction, real estate, health care and government. He can be contacted through his LinkedIn profile.