Employing COBIT 2019 for Enterprise Governance Strategy

COBIT Focus
Author: Christopher Anoruo, CISM, CGEIT, CRISC
Date Published: 28 October 2019

Strategy is a plan for achieving a set objective. COBIT 2019 is here to help
practitioners apply standard information and technology (I&T) controls to enterprise
governance strategy. Mapping control objectives from the International Organization
for Standardization (ISO)/International Electrotechnical Commission (IEC) standard
ISO/IEC 27001:2013 Information Security Management through COBIT 5 to the
COBIT 2019 framework is a useful exercise to help develop a governance strategy.
Mapping the relationships among ISO 27001:2013, ISO/IEC 38500:2015 Information
Technology—Governance of IT for the Organization, COBIT 5 and COBIT 2019
provides practitioners with performance data values, insights and results that aid in
strategic management consultations and decisions. Many of these relationships
have been explored in past articles published in COBIT Focus.1, 2 The balanced
scorecard (BSC)3, 4, 5 has also been applied successfully to these values to express
performance measurement for enterprise governance of I&T (EGIT).
What Is Driving the Need for This Mapping Exercise?

The question “What can enterprise I&T deliver?” should be rephrased to ask “How
can enterprise I&T be used to add value?” Changing the question helps practitioners
focus on the business value of enterprise I&T, enterprise I&T cost-optimization
practices, investment prioritization, I&T project finance and sourcing options for
resources, project benefit realization, and innovation accounting.

The objectives driving the need for the mapping exercise discussed herein include:

• To measure performance and integrate I&T governance with overall business
governance and strategy through control objective mappings to COBIT processes

• To meet the need for knowledge innovation, effective deployment and overall
governance and management of enterprise I&T through EGIT

• To develop key performance indicators (KPIs) that can be applied to individuals in
an organization or business units for assessments and functional assignments

It is worth noting that optimal and innovative integration of enterprise I&T can lead
to digital disruption and, thus, drive society, industry and business forward. However,
there have not been any true technology disruptions in the recent past, but there has
been a great deal of innovation based on technology for related businesses.

Why Do Governance Systems Fail?

When governance system implementations fail, one of the common reasons is that
they are not initiated and then managed properly as programs to ensure that
benefits are realized. Governance programs must be initiated and sponsored by
executive management; they should be properly scoped and should always define
objectives that are attainable. These provisions enable the enterprise to absorb the
pace of change as planned.6

The governance and management of enterprise I&T should be implemented as part
of overall enterprise governance and culture, encompassing the full business and
enterprise I&T functional areas addressed in COBIT 2019.7

What Does I&T Governance Entail?

The IT Governance Institute (ITGI) states that, fundamentally, the governance of IT is
concerned with 2 goals: I&T’s delivery of value to the business and the mitigation of
I&T risk. These goals are driven by business enablers such as strategic alignment of
I&T with the business; IT accountability to the enterprise, backed by adequate
resources; measured outcomes to ensure that results are obtained with metrics for
strategic planning and setting of future performance goals.8 One cannot measure
what one cannot monitor. Performance monitoring aids in benchmarking.

The 5 main goals of enterprise I&T governance are all driven by stakeholder value as
outlined in COBIT 2019.9 It is worth noting that 2 of these drivers are outcomes:
value delivery and risk management. The other 3 focus areas or drivers are:

1. Strategic alignment

2. Performance management

3. Resource management (which encompasses them all)

The focus areas are internally driven because EGIT and business strategy evolve
reciprocally in a continuous life cycle.10 EGIT is nevertheless distinct from enterprise
I&T management: governance determines who makes the decisions, and
management is assigned the responsibility of directing and implementing those
decisions.11

ISO/IEC 38500—The IT Governance Framework

Essentially, ISO 38500:2015 consists of 6 guiding principles for good corporate
governance of IT:

1. Responsibility

2. Strategy

3. Acquisition

4. Performance

5. Conformance

6. Human behavior or culture of the enterprise12

I&T governance is driven to succeed when the enterprise internalizes it as a culture
based on the responsibility to deliver stated goals from strategic plans and to
achieve operational goals that can be performance driven.13 In working out each one
of the 6 principles, executives must perform all 3 of the essential governance tasks,
Evaluating, Directing and Monitoring (EDM), as expressed in COBIT 2019; implementing
the human-behavior principle, for example, requires evaluating, directing and
monitoring.

Governance and Management Objectives in COBIT 2019

As mentioned, the overall aim here is to distill governance processes and provide a
road map to a sustainable business strategy. COBIT 2019 is a framework that helps
enterprises plan a strategy and also achieve their governance goals to deliver value
through effective governance and management of enterprise I&T. The governance
and management objectives in COBIT 2019 are grouped into 5 domains. The
domains have names with verbs that express the key purpose and areas of activity
of the objectives contained in them:14

1. Evaluate, Direct and Monitor (EDM)

2. Align, Plan and Organize (APO)

3. Build, Acquire and Implement (BAI)

4. Deliver, Service and Support (DSS)

5. Monitor, Evaluate and Assess (MEA)

Governance objectives are grouped under the EDM domain. In this domain, the
governing body evaluates strategic options, directs senior management on the
chosen strategic options and monitors achievement of the strategy as mentioned
previously in the 3 essential tasks. EDM encompasses the goal cascades and
determination of stakeholder drivers and needs.15

Management objectives are grouped in these 4 domains:

• APO—Addresses the overall organization, strategy and supporting activities for
enterprise I&T

• BAI—Treats the definition, acquisition and implementation of I&T solutions and
their integration into business processes

• DSS—Addresses operational delivery and support of I&T services, including
security

• MEA—Addresses performance monitoring and conformity of I&T to internal
performance targets, internal control objectives and external requirements16

COBIT 2019 Goals Cascade

The goals cascade supports translation of enterprise goals into priorities for
alignment goals. The goals cascade has been updated thoroughly in COBIT 2019;
enterprise goals and alignment goals have been consolidated, reduced, updated and
clarified where necessary.17

Figure 1—COBIT 2019 Goals Cascade

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018

The essence of the goals cascade remains that of aligning I&T strategy to enterprise
strategy for both COBIT 5 and COBIT 2019.

It is worth noting that the goals cascade in COBIT 5, as it relates to governance and
strategy, translates stakeholder needs into specific actionable and customized
enterprise goals, I&T-related goals and enabler goals,18 while in COBIT 2019, the
goals cascade supports prioritization of management objectives based on
prioritization of enterprise goals.

There are 13 enterprise goals and 13 alignment goals in COBIT 2019. There are no
additional IT-related goals in COBIT 2019. Both enterprise goals and alignment
goals have been updated and simplified.
COBIT 2019 Framework in Digital Disruption and Privacy Concerns

The COBIT 2019 framework helps practitioners refine business and enterprise I&T
skills to discern the true essentials of the business and provide technology solutions
to fulfil those needs.

As things evolve with technology spurred on by knowledge and innovation, strategic
technology trends have shown significant disruptive potential and set the stage for
innovative digital disruption over the next 5 years.19 Enterprise I&T cannot afford to
ignore these trends. Organizations must examine the business impact of these
trends and adjust business models and operations appropriately or risk losing their
competitive advantage to those who do.20 In line with this evolution, it is imperative
to restore DS11 Manage Data from COBIT 4.1 as APO14 Managed Data in COBIT
2019, given the criticality of data in this age of the Internet of Things (IoT) and as
artificial intelligence (AI) more fully emerges with its heavy reliance on data. With the
IoT, augmented reality (AR) and AI, data are recognized as a core business asset,
valuable to enterprises and cybercriminals alike.21 Data management and security
are no longer costs of doing business but are core components of remaining in
business.22

Applied data risk increasingly encompasses the possibility of privacy concerns;
financial losses; business disruptions; loss of or compromised assets and information;
failure to meet legal, regulatory or contractual requirements; and reputational
damage. Effective management of data can enhance the systems of engagement
and help mitigate risk and lower privacy concerns.23 Chief technology officers
(CTOs), chief information officers (CIOs) and enterprise architects (EAs) should
work with chief security officers (CSOs) and chief data officers (CDOs) to leverage
digital disruption strategically through the adoption and adaptation of the COBIT 2019
framework.24 Governments, city planners and business leaders must heed the
warning signs of growing cybercrime and include cybersecurity experts at all stages
of technology implementation—from design and construction to infrastructure
management and beyond.

The most impactful disruptions happen in society, industry and business—not in
technology. Radio to video is a disruption. Uber is a disruption that has affected
society, industry and business, but not technology. Technology innovation,
transformation and disruption are all the same thing.25 Digital disruption has to be
sustained for a long time; any short-term disruption is a fad. Cloud computing does
not reflect technology disruption, so much as the relocation of technology resource
access.

Results and Application of Enterprise I&T Controls Using COBIT 5

As mentioned, COBIT 2019 refines business and enterprise I&T skills to both
understand the true essentials of the business and provide the technology solutions
to fulfil those needs.

Instituting controls enables the enterprise to derive results that optimize I&T
investment and create value for the benefit of stakeholders through an on-the-ground
assessment using a BSC approach. The results also bring to the fore IT
governance pain points to be addressed. The data values of COBIT 4.1 control
objectives (using input data from ISO/IEC 27001:2013), mapped to COBIT 5
governance and management practices, show how each IT-related goal is supported
by a COBIT 5 IT-related process.26 This mapping is expressed using the following
primary (P) and secondary (S) relationships:

• The value “P” indicates there is an important relationship, i.e., the COBIT 5
process is a primary support for the achievement of an IT-related goal.

• The value “S” indicates there is still a strong, but less important, relationship, i.e.,
the COBIT 5 process is a secondary support for the IT-related goal.27

Figure 2—Results Showing Mapping (Input Data from ISO/IEC 27001:2013) to
COBIT 5 Governance and Management Processes
Source: ISACA, COBIT 5, USA, 201228

Legend:

• Columns indicate 17 generic IT-related goals, grouped in IT BSC dimensions

• Rows indicate 37 COBIT 5 processes, grouped by domain

The COBIT 5 results shown in figure 3 indicate that the framework does not
sufficiently account for the importance of project management principles in relation
to EGIT. The strengths center around management through a higher reliance on
Build, Acquire and Implement (BAI) and MEA. However, COBIT 2019 has addressed
these shortcomings and has made the framework easier to adapt and adopt as an
umbrella framework for EGIT.

Figure 3—Results Showing BSC Perspective Values as Mapped Data Values of
COBIT 4.1 Control Objectives (Using Input Data from ISO/IEC 27001:2013) to
COBIT 5 Domains

The Results and Application of Enterprise I&T Controls Using COBIT 2019

The mapped data values of COBIT 5 governance and management practices (using
input data from ISO/IEC 27001:2013) to COBIT 2019 governance and management
objectives show how alignment goals are supported by a COBIT 2019 governance
and management objective. This mapping is expressed using the value scale:

• The value “P” indicates there is an important relationship (i.e., the COBIT 2019
Objective is a primary support for the achievement of an Alignment goal).

• The value “S” indicates there is still a strong, but less important, relationship (i.e.,
the COBIT 2019 governance and management objective is a secondary support
for the Alignment goal).29

The assessment results can be drilled down to the input values, and a backward
review of the mapping values can be used in determining the root cause of having
low scores from a set of mapped data in ISO/IEC 27001 control objectives and
questions; this will form a basis for developing an action plan as needed by the
organization.30
Assumptions and Observations Related to the Primary Values

The updates highlighted in yellow (P and S) are as follows for figure 4:

• Mapping table—This maps Alignment goals to COBIT 2019 governance and
management objectives.

• AG09—Delivering programs in time, on budget and meeting requirements and
quality standards is a core definition of program management and is applicable
to EGIT.

With this in mind, AG09 should have a primary support for EDM02 Ensured benefits
delivery and DSS06 Managed business process controls as these are important
relationships with program management functions, while AG09 should have a
secondary relationship with BAI06 Managed IT changes as it relates to EGIT.

Figure 4—Results Showing Mapped Data Values to COBIT 2019 Governance and
Management Objectives
Source: ISACA, COBIT 5, USA, 2012

Legend:

• In the columns, all 13 Alignment goals in COBIT 2019

• In the rows, all 40 Governance and Management Objectives by
Governance and Management of Information and Technology, grouped
by domain

Figure 5—Results Showing BSC Perspective Values of Mapped Data Values to
COBIT 2019 Core Domains

In COBIT 2019, the 3 new management objectives (processes) include:

• APO14 Managed data

• BAI11 Managed projects

• MEA04 Managed assurance

These were not present in COBIT 5, and these affected the results under COBIT 5 in
figure 2. With the introduction of these 3 objectives in the COBIT 2019 results as
shown in figures 4 and 5, there are no 0-score values in the figure 4 results as there
are in the figure 2 results (EDM05 and APO08). From the BSC tables in figure 5,
there is a higher score value for EDM as a result of the introduction of these
objectives. This outcome reflects the fact that the COBIT 2019 framework core of
EGIT is centered on governance and, when employed as a strategic framework,
COBIT 2019 helps organizations make a difference once it is adopted and adapted
to the organization’s culture.

Figure 6—Results Showing Mapped Data Values of COBIT 2019 Results from
Alignment Goals to Enterprise Goals
Source: ISACA, COBIT 5, USA, 2012

The observations and updates highlighted in yellow (P and S) are introduced based
on the need to cascade down the derived values from figure 4 and are used in figure
6 to define the mapping that will produce a BSC in figures 7 and 8.

Mapping Table—Enterprise Goals to Alignment Goals are as follows: AG08 and EG06
should have a secondary support or relationship for business continuity
management for the enterprise. AG09 and EG06 for business and I&T program
management address enhancing and supporting business continuity management
as a primary function or have a primary relationship with each other in EGIT.

AG09 and EG09 reflect a key relationship and should be a primary function based on
the rules for program management and expressed under EGIT. This relationship for
AG09 and EG09 should be changed from secondary to primary as noted previously.

For an enterprise to achieve the goals set out in AG12 and EG08, there should be a
secondary relationship to sustain the activities of an EGIT framework.

EG08 and EG09 should have an important primary relationship with AG13. Staff
relationships are strategic in initiating and formulating innovative products with
knowledge based on such relationships as stated in AG13. The linkage of the P
values of AG13 is derived from COBIT 2019 core management objectives of APO04,
APO07, APO08 and BAI08. All these relate to learning and development/growth
(BSC perspective) and are managed in the organization through the human
resources (HR) function.
Figure 7—Effect of Not Having a P Value for AG13 and EG08 From a BSC Perspective

The mapping exercise takes into consideration a primary function of EG08 and
AG13. The assumption is built on the enterprise goals related to EG08, which should
have a primary relation, and is achieved by knowledge gained from the AG13. If the
P supporting relationship value for AG13 and EG08 is not achieved, the score
becomes 0 and this result tilts the balance scored on Internal Perspective to a value
of 64% (figure 7) instead of 85% (figure 8). It is important to note that EG08 is under
the Internal Perspective of the BSC, and AG13 is under the Learning and Growth
Perspective of the BSC.
Figure 8—Results Showing Mapped COBIT 2019 Data Values to Achieve Alignment Goals and Enterprise Goals on BSC Perspective

COBIT 2019 Based on BSC as a Measure of Strategic Performance

The authors of the BSC emphasized the shortcoming of traditional management
systems, which did not address or harmonize the short-term strategy of the
business with long-term financial goals. This is what precipitated the 4 BSC
perspectives described as Financial, Customer, Internal, and Learning and
Development to drive the business. These perspectives help the organization
educate staff, communicate strategy and measure outcomes through
improvements in financials and responses or growth of customers.31

Traditional measurements report on previous actions or events and do not proffer
solutions on how to move forward or how managers can improve performance in the
next phase based on the strategic outcomes; the scorecard, by contrast, functions as
the cornerstone of a company’s current and future success.32

The information from the BSC 4 perspectives provides balance between external
measures (such as customer reactions and operating income) and internal
measures (i.e., new product development, knowledge, internal interactions and
innovation).33 Performance measurement systems (e.g., BSC, skills management
tools) are used to further distill the prerequisite data or information required for
strategic and governance discussions to move an enterprise forward.

The assumptions made for using the primary values related to the COBIT 2019
governance and management objectives and alignment goals are based on
information from COBIT 2019:

• The COBIT 2019 objectives are a primary support for the achievement of an
Alignment goal.

• It is primary when there is an important relationship between the COBIT 2019
objectives and Alignment goals, the same as with Alignment goals and Enterprise
goals.

• Achieving Alignment goals requires the successful application and use of a
number of enablers.

• There are relationships to the 3 main enterprise I&T governance focus
areas—value delivery, risk management (2 outcomes) and resource management
(1 driver, which overlays all the other focus areas).34

With this understanding from the BSC perspective and a focus on the primary
supporting values, practitioners can determine where the enterprise and its industry
face a significant risk of disruption to revenue or customer experience. Based on
this information, building skills and related capabilities can begin in these areas as
pointers within the enterprise I&T organization. The P value of AG13 is derived from
the combination of scores from COBIT 2019 core management objectives of
APO04, APO07, APO08 and BAI08.

Driving digital transformation in an enterprise is a tough process without an EGIT
culture. Many enterprises have the right technology, but they struggle to
deliver stakeholder needs because they retain conventional organizations, practices
and mind-sets that are no longer suited for the Internet of Things (IoT), the
Industrial Internet of Things (IIoT) and the digital business age.

Many practitioners would agree that many business roles now require I&T skills and
most I&T roles require non-technical skills—from understanding human behaviors
(i.e., psychology, social sciences) to design thinking to agile teamwork and even
interactions between humans and AI/machine learning (ML). These help I&T
innovate for the future. The way to address this is by employing an EGIT framework
(COBIT 2019) for interactions/mappings to investigate where the enterprise and its
industry face a significant risk of disruption to revenue or customer experience, and
then to start building skills and related capabilities in these areas within the enterprise
I&T organization. It also helps to revisit the enterprise’s digital business transformation
road map.

Stakeholders must also assess the reality of the speed and effectiveness of the
current road map against the ambition of corporate leaders. If there are gaps that
will inhibit progress, HR and the C-level should be involved in planning a digital
agility program to develop the workforce of the future. Digitally agile businesses
transcend the legacy boundaries of technology knowledge, skills and ideas. As one
author notes, “Disruption requires creating a new basis (in a competition), usually
parallel to any existing paradigm”.35

Conclusion
COBIT 2019 has addressed these shortcomings (i.e., adopting a governance
framework, facing the risk of disruption to revenue, lack of road maps) and has
made the framework easier to adapt and adopt for the enterprise as an umbrella
framework for EGIT. COBIT 2019 helps build relationships (strategic team bonding);
identify external strategic opportunities with executive sponsors; and, for the
practitioner, manage people, data and technology. The vision and strategy driver
scores are achieved from mapping36 ISO/IEC 27001 through COBIT 5 to COBIT
2019. The results from mapping the COBIT 2019 governance and management
objectives to alignment goals and then to enterprise goals show that, if used
correctly, a strategy can be formulated from COBIT 2019. The strategic learning,
which consists of gathering feedback, testing the assumptions on which a
governance strategy is based and making necessary adjustments, is what this
mapping exercise has helped bring out from the COBIT 2019 framework.37 The
assessment results with low scores for alignment and enterprise goals form the
basis for developing an action plan as needed by the organization to address the
input items from ISO/IEC 27001 control objectives and determine questions that
need to be answered for a planned developmental/corrective road map as part of
the enterprise strategy. It can be concluded that using COBIT 2019 in strategic
planning to achieve an objective is effective, and employing tactical actions to
implement the strategy is paramount in enterprise operations.

Christopher C. Anoruo, CRISC, CISM, CGEIT

Is the chief executive officer at TRAFTEC Ltd, a cybersecurity company he
cofounded. He was the executive director of technology and operations officer at
KATEC Consulting Ltd. He has also worked in various positions in the
telecommunication and banking industries in West Africa. Prior to cofounding
KATEC Consulting Ltd, he was an information security consultant with IBM Global
Business Services. Anoruo has contributed to the ISACA Certified Information
Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC)
and Certified in the Governance of Enterprise IT (CGEIT) examinations. He has also
participated in ISACA certification projects and has been part of the ISACA Test
Enhancement Committee since 2005, setting exam questions and reviewing exam
manuals.

Endnotes

1 Anoruo, C.; “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance,” COBIT Focus, 14 December 2015, figure 10
2 Anoruo, C.; “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy,” COBIT Focus, 12 December 2016, figure 7
3 Kaplan, R.; D. Norton; “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review, January-February 1996, p. 75-85
4 Van Grembergen, W.; “The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000
5 Op cit Anoruo, “ISO 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance”
6 Hamidovic, H.; “Fundamentals of IT Governance Based on ISO/IEC 38500,” ISACA Journal, vol. 5, 2010
7 ISACA, COBIT 2019, USA, 2018
8 ITGI, Board Briefing on IT Governance, 2nd Edition, USA, 2003
9 Op cit ISACA
10 Op cit Hamidovic
11 Op cit ISACA
12 Op cit ITGI
13 Op cit ISACA
14 Zororo, T.; Exploring the Difference Between COBIT 5 and COBIT 2019, LinkedIn, January 2019
15 Op cit ISACA
16 Ibid.
17 Ibid.
18 Steuperaert, D.; “Improving the Quality of the COBIT 5 Goals Cascade as an IT Process Prioritisation Mechanism,” International Journal of IT/Business Alignment and Governance, vol. 7, iss. 2, July 2016
19 Op cit ISACA
20 Ibid.
21 Op cit ITGI
22 Ibid.
23 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
24 Op cit Zororo
25 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
26 Ibid.
27 Ibid.
28 Ibid.
29 Ibid.
30 Ibid.
31 Lawrie, G.; I. Cobbold; J. Marshall; “Corporate Performance Management System in a Devolved UK Governmental Organisation: A Case Study,” International Journal of Productivity and Performance Management, vol. 53, no. 4, 2004, p. 353–370
32 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, USA, 1996
33 Ibid.
34 Op cit Hamidovic
35 Ekekwe, N.; “#AimHigher – Move Upstream,” Tekedia, 7 October 2019
36 Op cit Anoruo, “COBIT 5 Mapping Exercise for Establishing Enterprise IT Strategy”
37 Ibid.
