ABCo USA

Governance 1-2-3


COBIT 5 SELF LEARNING STEP BY STEP GUIDE FOR IT GOVERNANCE




This advice is based on my experience after going through a self-learning tour of IT Governance with COBIT 5. I got interested in this framework and spent over a month on self-reading. After gaining reasonable confidence, I implemented this framework in a small school environment (for both IT and non-IT related governance).

I have been governing the same school environment for the last 15 years. I knew from the beginning that I had to create the best school, and for that, students and parents were my customers. I also understood that a successful run required fine financial control and needed an Internal System – based on policies, processes, org structure, positive culture, information, applications and skills – to sustain progress. I was aware from the start that, in addition to customer happiness, financial control, and a sound Internal System, I would also need to maintain steady growth through innovative ideas and approaches. COBIT 5 put these things that I had in mind in a highly structured fashion but, honestly, it was not new or too exciting. What really triggered my interest was the separation of Governance (Evaluation, Direction and Monitoring) from Management (Work Alignment, Planning, Organization, solution development, third party solutions, Implementation/Delivery, Service, and Support), which, I admit, I did not understand in the beginning, but it had enough newness that it kept driving my self-study.

UML, Agile, PMBOK, SCRUM, and Development Methodologies were already my playground. This study took me to an overview of COSO, ITIL, BSM, ITSM, ISO 27000, CMM, ISO/IEC 15504, SAP EAF, TOGAF, and BSS/OSS. With that overview, I delved deeper into COBIT 5's basic 5 Principles, 7 Enablers, and 37 Processes. With the study work behind me, I started implementing these concepts in my school system, mainly to gain practical, hands-on knowledge.

The COBIT 5 Implementation Guide is very helpful in understanding the incremental approach to implementing The Framework in 7 phases. It is, however, a heavy-duty, consultancy-oriented implementation approach, not useful if you intend to take some quick benefits and then learn the whole framework along the way. For me, The Framework document was critical to form a holistic view and really get my head around the best way to implement in my school environment. So I jotted down some immediate goals, looked at my current status reports, understood the metrics (it was not easy) given at different levels, cascaded goals to the 7 enablers, and ended up converting my status report to a set of Daily, Weekly, Monthly and Yearly Monitoring Reports, which I applied to the specific environment I had. Implementation of these reports through my Org Structure was a bit of a challenge, but I stood by metrics and monitoring, and results started showing in the first week. My team felt empowered and accountable, and slowly I got:
  • 40% improvement in benefits realization.
  • 20% improvement in risk optimization.
  • 20% improvement in Resource Optimization.
  • 70% improvement in effective monitoring giving me time to evaluate and direct and leave management to “Enablers”.

I learned through this experience that, before this COBIT 5 exposure, I always started with a pledge to stay at the highest level but then slowly fell into improving something particular, consuming all my time and gradually taking focus away from the “holistic view”. Once I implemented one improved thing, I got sucked into another, losing a slice of my previous gains and allowing me time for a high-level review only at the end of the year or when I faced an incident.

Initially my monitoring took longer and it was a bit difficult, but I took it seriously to ensure accountability at all levels, starting with me. So here I am, happy with COBIT 5 and ready to share.

In order to save readers' time, I decided to give a step-by-step but “Hello Governance” approach, which means get something done quickly, learn more, and improve. Once again, if you want the ISACA approach, read the COBIT 5 Implementation document and follow that.

Disclaimer: It is clear from my story above that what I am sharing is my own view and understanding. Adopt this approach carefully and responsibly, but at your own risk.

Allowed use: Please don’t copy/paste; it’s just a story. Read, enjoy and use for your benefit.










Level A, Hello Governance

You should be able to jump from status reports and briefings full of veiled warnings to a Monitoring, Evaluating and Directing cycle and say “Hello Governance”.

Step 1: Find the existing set of goals that apply to the unit you are responsible for, or the closest thing you have, and list them.

Step 2: Find the existing set of Enterprise Goals. This can be very difficult, as goals sometimes change frequently. Find the latest set; it should cover the entire enterprise, if possible. If not, discuss it with your immediate supervisor and see what you get. If you are at the highest level (CEO), then these are the Stakeholder Needs and goals given to you by the Board of Directors. If you are a CIO, then you need the Enterprise Goals from the CEO and the Board of Directors.

Step 3: Align your goals with what you got as Enterprise Goals. Remove any discrepancies. You should have this refinement already, but there is no harm in taking a fresh look when you are jumping into a new Framework.

Step 4: Get a copy of the most recent status report(s) that you received (not the ones you send to your superiors). The one you send up cannot change much, as you do not have full control over it. If no one sends a status report to the position you hold, then you are either a single-person operation or you work for someone who is responsible for Governance. In both cases, you might not get a lot of benefit from the COBIT 5 Framework; however, there is no harm in learning this exciting product and finding new and creative ways of implementing it. Everybody is responsible for governing something in some capacity.








Understanding COBIT 5: Steps 5 to 7 are a quick overview
Step 5: Quickly go through this introduction to COBIT 5.

Step 6: The COBIT 5 Framework is free to download from this page. Just look at the table of contents in this document. That should be enough for this Level A, “Hello Governance”. If you have more time and are already excited, feel free to read as much as you like.

Step 7: You cannot view the COBIT 5 Enabling Processes document without buying it first. There is no need to do that at this Level A (Hello Governance); it is a necessary step for Level B (I like Governance). Just look at the “COBIT 5 Process Reference Model” (figures 15 and 16 on pages 32 and 33 respectively in the COBIT 5 Framework document). In figure 15, observe how Governance (EDM – Evaluate, Direct, and Monitor) is separated from Management (Plan, Build, Run and Monitor). In figure 16, develop a good understanding of the 5 processes under EDM, followed by whatever you can make of the other 29 processes distributed under the APO, BAI and DSS headings. Finally, give some more thought to the three Monitor, Evaluate and Assess tasks (MEA01, MEA02, MEA03). I hope my point is clear: pay more attention to the 5 EDM and 3 MEA processes for now in order to move forward quickly, and leave the APO, BAI and DSS processes to Level B (I like Governance).






Step 8: Reformat your goals in the COBIT 5 style; see figures 5 and 6 on page 19 of the Framework document. Also have a look at the section “Using the COBIT 5 Goals Cascade” on page 20 in order to understand the limitations of the provided set of goals.

Step 9: Reformat your status report(s) into a single set of questions and measures. This is the step where you have to use your judgment to define the correct metrics for measuring progress on your goals. The right step would be to buy the COBIT 5 Enabling Processes document. However, we promised zero expense in this Hello Governance (Level A). Keeping that promise, have a look back at Step 6, the five EDM processes and the three MEA ones. Then define your metrics so that you stay within the EDM and MEA processes and avoid getting into any of the APO, BAI and DSS processes. You should be able to get a significant advantage. If you are already excited, then buy the COBIT 5 Enabling Processes document (with or without ISACA membership). This document lists metrics against each of the COBIT 5 goals.

Step 10: Brief your Enablers about the changes in report format. It is highly recommended to introduce this process as if it were the same as what they were doing before, and then modify it slowly and incrementally to bring in more governance.












Step 11: Respond promptly to the issues reported in the report. A culture of governance will start from your own actions. Focus on aligning yourself and your team with the COBIT 5 framework and avoid implementing big changes. Big changes will come automatically once you start on this journey. Also prepare yourself for more work in the beginning.
Spend more time on the following:
  • Keeping direction right
  • Avoiding risks
  • Resource Optimization
  • More measures, metrics, and monitoring.

Avoid spending time on the following:
  • Improving and correcting detailed reports yourself. Keep yourself to the final outcome of the reports. For example, if the goal is to ensure on-time recovery, then avoid getting into receivable reports and stay at a question like, “how many receivables are in Red, Yellow and Green?” and leave fixing the reports to those managing Receivables.
  • Allocating resources yourself to new tasks or incidents. Ask questions only if you doubt the optimal use of a particular resource. Show an attitude of help and fairness, with the objective of gaining maximum value rather than maximum control. Your successful control is in having all metrics within the risk tolerance range.
  • Giving too many verbal directions. Spend time, sit and go through the reported metrics, and give written directions. Repeat the same direction until it is followed.
  • Forgetting a metric once it shows on track. In Level B (I like Governance), we will go through the COBIT 5 Implementation approach, which focuses on an incremental implement-and-hold approach.
  • Ignoring the holistic view, even if it is for a short time. Go through all metrics in a daily/weekly review even if you give little direction on some of them. If there are too many metrics to go through, then it is a separate issue of capacity. Keep in mind: if your Enablers are able to keep up with the target, then you have to be able to give directions to all of them.







Level B, I like Governance

  • Complete Level A (Hello Governance).
  • Repeat Step 6 in Level A with more reading on process-level details. Take an overview of each process in EDM, APO, BAI, DSS and, obviously, the three MEAs. Develop a deeper understanding of EDM and MEA and an overview of APO, BAI and DSS. Pay special attention to Goal Alignment with processes and their metrics. COBIT 5 has beautifully put together the process relationships by specifying input and output linkages.
  • Repeat Step 7 with the additional process-level knowledge, but it is not going to change your goals a lot. They should largely stay the same, with some refinement.
  • Repeat Step 8 in Level A. This should be a major change after an in-depth understanding of the Enabling Processes and metrics at both the goal and process levels. This should bring significant benefits to your COBIT 5 Framework investment.
  • Repeat Step 9 of implementing improvements at the Enabler level. I again recommend a seamless implementation but leave it to you.
  • Repeat Step 10 as is, with the same increased level of attention to direction and monitoring.









Level C, I love Governance

  • Complete Level A
  • Complete Level B
  • Repeat step 6 with full details of EDM, MEA and deeper understanding of APO, BAI, and DSS processes.
  • Implement APO, BAI, and DSS at Enablers level.
  • Repeat steps 6 to 10 with refinements.



Level D, Governance Rocks

  • Rock on with Governance 123.
  • Sky is the limit.
  • Need more information? Send email to "asifmalik2@gmail.com".



Contact Us