How to Conclude Governance System Design

Joao Souza Neto
Author: Joao Souza Neto, Ph.D., CGEIT, CDPSE, COBIT 2019 Design & Implementation, COBIT Certified Assessor, CRUSC
Date Published: 10 October 2022

Nowadays, the dynamics of the external and internal effects on organizations demand a flexible and customized governance system adapted to the specific needs of the organization. There is no one-size-fits-all solution. To fill this gap, an organization's governance system can be designed using COBIT® by following the four phases shown in figure 1.

Figure 1—Designing an Information and Technology Governance Solution

Phase 1 consists of meetings with the organization’s senior managers to understand the internal and external contexts, understand the corporate strategy, identify the strategic risk and determine the pain points. The information from this phase directs discussions in the following phases.

Phase 2 begins with interviews with managers from various areas to collect detailed information about enterprise strategy, strategic objectives, the organization's risk profile and critical information and technology pain points.

In Phase 3, the levels of importance of the remaining design factors are defined: threat landscape, compliance requirements, the role of IT, sourcing model, IT implementation methods, IT adoption strategy and enterprise size.

[Phase 4] can be tricky because it can be affected by different perceptions and opinions and can lead to organizational cultural issues.

Finally, there is Phase 4: the conclusion phase. This phase is crucial because it is the negotiation phase. This is the phase where the COBIT practitioner should consider, with the help of the managers, all the variables involved in prioritization.

The ISACA COBIT Design Toolkit is a tool that organizations can use to support governance.1 The toolkit is made up of a spreadsheet with all the elements of all the design factors to be filled in by the COBIT practitioner. The toolkit helps structure and speeds up the design process.

To combine all the design factors and reach a list of prioritized objectives, an algorithm was devised to compute the weight of every importance level for every COBIT objective.

However, the algorithm embedded in the spreadsheet, with its fixed rules, cannot capture the specific organizational contexts, making it difficult to capture and consider the cultural aspects, perceptions and beliefs of an organization.

In Phase 4, several common situations that practitioners should be aware of include:

  • Maintaining objectives—The maintenance of objectives selected by the algorithm is ideal because, in this case, the algorithm captures the needs and the organizational contexts. However, it is essential to estimate the effort necessary to implement the improvements. To this end, a capability assessment should be completed for each prioritized objective and managers should define the capability target levels. This information can be used to evaluate whether the organization can perform the improvements in the given period.
  • Inclusion of objectives—This is a common situation because, often, at the beginning of the design, managers present a wish list of objectives that they deem essential. The important thing here is to retrieve the information collected in Phase 1—which clarifies the enterprise strategy, strategic risk, and main pain points—to discuss how this wish list adds value to the list of prioritized objectives. There are 2 options: include the additional objective or replace an existing objective with the new one, based on the resources available. If the decision is inclusion, then the available resources need to be reanalyzed. If the decision is a replacement, the COBIT practitioner needs to show managers how removing an objective from the list can impact the achievement of organizational objectives.
  • Partial exclusion of objectives—If managers choose to exclude one of the objectives from the initial list, the COBIT practitioner should ensure that managers understand how removing the objective from the list can impact the achievement of organizational objectives.
  • Total exclusion of the list of prioritized objectives—The complete rejection of the list of prioritized objectives by senior management also may occur. This happens when senior management is not consulted properly when managers fill out the levels of importance of the design factors and they are surprised by some scores that have been given. In this case, the whole design process should be repeated under the supervision of senior management.

In Phase 4, the abilities to communicate and negotiate are essential skills of the COBIT practitioner. It is important to listen carefully to managers' arguments, to explain in simple and objective terms the trade-offs of the choices, and to make it clear that the design of a governance system is not a Boolean decision-making task but a multivariate system.

Endnotes

1 ISACA®, COBIT 2019 Design Toolkit: Designing an Information & Technology Governance Solution, USA

Joao Souza Neto, Ph.D., CGEIT, CDPSE, COBIT 2019 Design & Implementation, COBIT Certified Assessor, CRUSC, is a consultant in IT governance and management. He is the president and founder of the ISACA Brasilia Chapter.