Ever since COBIT 5 was released, I have had the honor of both leading the ISACA Istanbul Chapter’s COBIT 5 translation team and supporting hundreds of COBIT practitioners with training and implementation professional support services. My clients serve the financial services, telecommunications, software, automotive production and retail industries. During the course of these engagements, I have found that most of my clients quickly and easily adapt some aspects of the framework while other aspects are perceived as more challenging and are generally omitted from the implementation process. My goal is to describe both these “quick wins” (slow fat rabbits) and the hard sells.
The new Process Reference Model with particular focus on the “Applying a Single Integrated Framework” principle has been a pleasure to implement as clients often asked me whether they should implement previous COBIT versions or some other framework like ITIL, ISO 20000 or 27001. I can answer with complete confidence that COBIT is integrated with all of them and that if they implement COBIT, they will have implemented the bulk of every other relevant framework and standard. For example, the Project Management Body of Knowledge (PMBOK) has some very detailed financial metrics, reporting and modeling approaches that are not present in COBIT 5. While they may be relevant to very large projects (billions of dollars), they are a bit too detailed to add significant value to projects at the size that most of my clients run (10s to 100s of thousands). That they are not a part of COBIT 5 is thus not relevant. The new “APO05 Manage Portfolio” process is a wonderful addition to COBIT in that it brings the framework into alignment with PMBOK in an area that I often found myself having to go outside of previous COBIT versions (often to Val IT).
APO03 Manage Enterprise Architecture is another new process that takes its inspiration from TOGAF. IT architecture and its critical strategic focus on selecting and supporting the “right” technologies for the business were very challenging to address with previous versions of COBIT. Describing the best way to select the enterprise’s IT building blocks required concurrently referring to TOGAF so that we could adequately address their control and management. Now, COBIT 5 includes this big-money area.
The new capability model has generally been a hard sell. My clients find the present capability attributes challenging to understand and miss the previous maturity model’s clarity, prescriptive approach and best practice content. The one aspect of the new capability model that is universally loved is that partially achieved process attributes can satisfy process capability. This new approach saves me from having to answer, “The framework says ‘no,’ but I will make an exception for you,” each time a client asks me, “Since we satisfy most of the next level maturity requirements, why can’t we be rated a 2.5?” I believe that most COBIT users would welcome a fleshed-out version of the present capability model, provided that it included more detail about how to implement the attributes for each process. Even something as simple as mapping each process’s practices and activities to specific attributes would help COBIT users understand how to easily implement the capability model.
Kaya Kazmirci, CISA, CISM, CISSP
Managing Director, Kazmirci Associates