Philip Hung Cao

Stay Hungry. Stay Foolish.

Developing Business Capabilities Using COBIT 5

11 min read


“You can’t do today’s job with yesterday’s methods and be in business tomorrow.”


To execute your strategy, you need to build business capabilities. In order to ensure a business will be successful in the future, an organization must understand how it defines success and must know if it has the capability today to do better or to do more to achieve this success.

What Is Business Capability?

A business capability (or, simply, capabilities) describes a unique, collective ability that can be applied to achieve a specific outcome. A capability model describes the complete set of capabilities an organization requires to execute its business model or fulfill its mission. An easy way to grasp the concept is to think about capabilities as organization-level skills embedded in people, process and/or technology.
Business capability defines an organization’s capability to successfully perform a unique business activity. Business capability is used for managing units of strategic business change and providing the mandate for programs and project portfolios.
Capabilities typically:

  • Form the building blocks of the business but do not have an independent purpose of their own
  • Represent stable business functions
  • Are unique and independent from each other
  • Are abstracted from the organizational model and can be defined for any organizational unit
  • Capture the business’s best interests

Since a business capability model describes the complete set of capabilities an organization requires to execute its business mission, vision and objectives, skills associated with various areas within the business are considered capability components (figure 1).

Figure 1—Examples of Capability Components

Name Recruitment Management
Roles User


Processes Evaluation of new hire requisitions

Recruitment/sourcing of candidates

Screening and selection of candidates

Hiring of candidate

Information Candidate/applicant details

Position description

Recruitment agency data

Industry standard role definitions

Tools/Technologies Recruitment management application

Human resources application

Social media applications

Source: Oluwaseyi Ojo. Reprinted with permission.                          

These include:

  • People
  • Processes
  • Information
  • Tools/technologies
  • Organization units
  • Functions/roles
  • Business services
  • Information and data
  • Application services
  • Applications
  • Infrastructure
  • Infrastructure services

Why Assess Business Capability?

Organizations face many questions such as:

  • How should we organize ourselves?
  • We have many outsourced capabilities. How do we support cooperation with our partners?
  • How do we adopt new technology and integrate it into our existing landscape?
  • How do we make sure that security standards are implemented in a consistent way?
  • What is the impact of this new acquisition on our business processes?
  • Who is the authoritative source for customer products, etc.?
  • How do we align our technology portfolios with our strategy road map?

To address these questions, businesses develop a business capability model to describe the rationale of how an organization creates, delivers and captures value (figure 2).

Figure 2—Mapping Capability to the Organization

Source: Oluwaseyi Ojo. Reprinted with permission.

Business capabilities should be mapped to the respective functions or organizational units that provide or utilize these skills. Once a capability is identified as being used across multiple business units within the organization, it is important to consider that changes to that capability will impact multiple organizational areas involved. Often, when transformation maps for new technologies are created, it is important to understand that changes in a solution or service a business provides internally or externally can have a significant downstream impact on other parts of the organization.
Figure 3 is the starting point for a business capability model. This matrix represents all the business capabilities that an organization performs. Each cell is a business capability.

Figure 3—Example of a Capability Model

Source: United Kingdom Government Reference Architecture (UKRA) v1.0

The columns (functional management) reflect the high-level value chain for the organization or are major groupings of business capabilities that are meaningful to the business. The rows (capability management) reflect the fundamental purpose of a business capability, and there are normally 3 rows, namely:

  • Strategy
  • Management
  • Operations

Using the COBIT 5 Framework to Develop Business Capability

Enterprise architecture recognizes that the organization is a system and the cross-cutting concerns must first be addressed at the overall level, i.e., the enterprise. It recognizes that one cannot solve every detailed problem at once. Effective ways to deconstruct the problem must be found. Focusing on business capabilities that support business strategy first, then delving into the design of those capabilities, forms an effective way to consider people, process and technology together.
Mapping business capabilities to business strategy is key. Business strategy elaborates on the business vision (enterprise goals), sets the direction for the business and determines where to focus executive attention. It identifies high-level initiatives in support of strategic themes expressed in strategic business objectives.
At this point, there is a need to create a capability map.

Business Capability Map

“Business-capability mapping is the process of modeling what a business does to reach its objectives (its capabilities), instead of how it does it (its business processes).”

–Denise Cook1

The first step is to identify the highest-level capabilities of the business and add these as elements to the capability map. For example, the highest-level capabilities for the whole organization might be:

  • Service/Product Development
  • Service/product delivery
  • Business operations, etc.

The next step is to deconstruct these high-level capabilities into lower-level capabilities and add these lower-level capabilities as subcapabilities in the map. One way to figure out how to deconstruct the business into capabilities is to identify the key services or products that the business offers and list the high-level activities that enable the business to offer these things. For example, if a company builds software applications, it would need to perform market analysis, product development, advertising and sales, distribution, and so on. These are all capabilities that support the business.
It is advisable to continue deconstructing the capabilities until the desired level of detail is achieved. For each capability that is added to the map, a description of that capability can be included in the details view. In addition, the attributes can be defined and related material such as text documents, spreadsheets or presentations can be attached.
After a network of capabilities has been mapped, business groups can group together capabilities that share a common attribute (i.e., an organizational unit, a business goal). For example, all the capabilities related to strategic planning in one business group can be grouped together and all the capabilities related to business operations in another. The next step is to create references to the processes that implement the capability.

How COBIT 5 Develops Business Capability

COBIT 5 is a framework rather than a standard and, as a result, it is designed to be adapted by adopting organizations. A core principle of the design of COBIT 5 is to align systematically with cognate frameworks and standards. COBIT provides best practice guidance for the complete life cycle of IT investment. It comes with a suite of management tools with supporting guidance.

Evaluate, Direct and Monitor Domain

The Evaluate, Direct and Monitor (EDM) domain covers governance. Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and processes against agreed-on direction and objectives.
To develop business capabilities, the following COBIT 5 processes must be considered under the governance layer of COBIT 5:

  • EDM01 Ensure Governance Framework Setting and Maintenance
  • EDM02 Ensure Benefits Delivery
  • EDM03 Ensure Risk Optimization
  • EDM04 Ensure Resource Optimization

These processes address the objective of business capabilities.
Name of COBIT process: EDM01 Ensure Governance Framework Setting and Maintenance.
Brief description of process: This process focuses on providing governance of enterprise, prepare and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

How to use it for developing business capabilities: To develop business capabilities, a strong governance system must be prepared, implemented and effectively maintained, this will help the organization to continually identify and engage with the enterprise’s stakeholders, understand their requirements, document these requirements, obtain their support, buy-in and commitment; this will also help to drive the development of business capabilities that will achieve the enterprise’s goals and objectives.
Name of COBIT process: EDM02 Ensure Benefits Delivery.2
Brief description of process: This process focuses on optimizing the value contribution to the business from the business processes.

How to use it for developing business capabilities: Developing business capabilities is an investment; this helps to continually evaluate the investment and strategic alignment to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. It also helps to identify and make judgments on any changes in direction that need to be given to management to optimize value creation and realization. With a defined balanced set of performance objectives, metrics, targets and benchmarks, monitoring the key business goals and metrics to determine the extent to which the business capabilities are generating the expected value and benefits to the enterprise is crucial.
Name of COBIT process: EDM03 Ensure Risk Optimization.
Brief description of process: This process focuses on ensuring that the enterprise’s risk management framework is established and monitored.

How to use it for developing business capabilities: While developing business capabilities, a new risk can be introduced or an existing risk which was once low can be triggered and this becomes high or critical; this helps to define the enterprise’s risk appetite and tolerance and also ensures these are understood, articulated and communicated. To develop sustainable business capabilities, organizations must proactively evaluate risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made. This helps to determine the level of risk that the enterprise is willing to take when developing business capabilities in order to meet its objectives (risk appetite).
Name of COBIT process: EDM04 Ensure Resource Optimization.
Brief description of process: This process ensures adequate and sufficient capabilities (people, process and technology) are available to support enterprise objectives effectively.

How to use it for developing business capabilities: To develop business capabilities, resources need to be optimized; this focuses on establishing and maintaining resources (people, process and technology) needed to develop business capabilities. Resources are key to develop and sustain business capabilities. The resource needs of the enterprise must be met in the optimal manner that will increase likelihood of benefit realization and readiness for future change. Resources must be allocated to best meet enterprise priorities within budget constraints and overall enterprise goals and objectives.

Align, Plan and Organize Domain

The Align, Plan and Organize (APO) domain covers the use of information and technology and how best it can be used in an enterprise to help achieve enterprise goals and objectives. It also highlights the organizational and infrastructural form IT is to take to achieve the optimal results and to generate the most benefits from the use of IT.
To develop business capabilities, the following COBIT 5 processes must be considered under the management layer of COBIT 5:

  • APO02 Manage Strategy
  • APO03 Manage Enterprise Architecture
  • APO05 Manage Portfolio
  • DSS06.01 Align control activities embedded in business process with enterprise objectives.

These processes address the objective of business capabilities.
Name of COBIT process: APO02 Manage Strategy.
Brief description of process: This process focuses on setting business goals and objectives.

How to use it for developing business capabilities: To execute your strategy, you need to build your business capabilities. The primary reason for developing business capabilities is to support and achieve the business goals and objectives. To develop business capabilities, the enterprise direction must be clearly defined; understood and strategic plans aligned with business goals and objectives. This helps ascertain priorities in order to develop the right business capabilities.
Name of COBIT process: APO03 Manage Enterprise Architecture.
Brief description of process: This process focuses on establishing a common architecture for effectively and efficiently realizing enterprise strategies.

How to use it for developing business capabilities: Enterprise architecture is a conceptual tool that helps organizations get a deeper understanding of their own structure and the way they work. It provides a map of the enterprise, and it is a “route planner” for business and technology change. To develop business capabilities, organizations must connect strategy to execution; enterprise architecture enables flexibility and adaptability, so that business capabilities can keep pace with changes in strategy. Enterprise architecture provides a balanced approach to the selection, design, development and deployment of all the solutions (business capabilities) to support the enterprise.
Name of COBIT process: APO05 Manage Portfolio.
Brief description of process: This process focuses on evaluating, prioritizing and balancing programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk.

How to use it for developing business capabilities: This process establishes the portfolio strategy, defines portfolio governance and monitors and controls the portfolio. The objective of this process is to identify projects and initiatives that the organization will focus on to develop business capabilities and align them with strategic goals, objectives and business needs. In addition, a budget is secured and allocated to ensure that projects are prioritized, organized and staffed. Monitoring the status and performance of projects and initiatives is used to build, deliver and improve products and services.
Name of COBIT practice: DSS06.01 Align control activities embedded in business processes with enterprise objectives.
Brief description of practice: This practice in the Deliver, Service and Support (DSS) domain focuses on assessing and monitoring the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.

How to use it for developing business capabilities: This practice helps to identify and document control activities of key business capabilities to satisfy control requirements for strategic, operational, reporting and compliance objectives; prioritize control activities based on the inherent risk to the business and identify key controls and continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
The continual assessment and monitoring are important to ensure that the right business capabilities are properly developed and improved.
These COBIT 5 practices, if properly and painstakingly implemented will help achieve the desired business capabilities.


Capabilities are purely business views of the business, whether the capability is automated or not. It is a capability if the business can and does have this ability—even if it is weak. Capabilities can provide both strategic and operational investment guidance. Capabilities can be easily and subjectively assessed. Once assessed, capability analysis can be applied to a wide variety of organizational problems.

Oluwaseyi Ojo, CEng, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CISSP, TOGAF 9

Is an experienced enterprise and security architect. He has assisted several organizations in developing and improving their business capabilities using best practice standards and frameworks to translate their business vision, goals and strategies into effective road maps that described the enterprises’ present and future states that enabled them to evolve in order to gain and maintain their competitive advantages. He is an ISACA exam writer for CRISC and CISM exams. He can be contacted through his LinkedIn profile.


1 Cook, D.; “Business-Capability Mapping: Staying Ahead of the Joneses,” Microsoft, March 2007
2 This, all subsequent COBIT content, is from ISACA, COBIT 5: Enabling Processes , USA, 2012

Leave a Reply

Copyright © 2006-2022 Philip Hung Cao. All rights reserved