Getting security right is vital, but knowing where to invest requires more than security expertise: it depends on good IT governance that will “improve performance with a stable framework for creating value and reducing risk.”
This is what all firms aim to do, yet why do they so often fail to secure their operations or to minimize adverse impacts? Because collectively we underrate the impact of risk crystallization while believing that investment in security and controls is expensive. This is typical in firms whose assurance framework is missing three elements:
1. IT governance integrated within corporate governance,
2. an appropriate enterprise assurance tool, and
3. carrying out risk assessment and assurance properly.
Corporate governance is key. Official definitions of corporate governance are long (for one of a number of good choices see the Applied Corporate Governance website). Mine is “doing the right thing in the right way with equitable treatment of all stakeholders”. Within that is the strategic and risk management element, “identifying the intended outputs and outcomes, and how to achieve them”, and the assurance component, “checking that these are being achieved without harmful impact”.
Good governance is a strategic priority in its own right. It needs to combine technical excellence – the skills and experience required to produce the right outputs and outcomes – with institutional excellence – the capability to direct individual behaviors so that many (from chairman to doorman) act as one (the firm). COBIT 5 is the framework that addresses all of these aspects.
We need to dispel some myths:
• COBIT 5 is not just for IT or auditors. It is a comprehensive framework to assess governance and identify enhancements.
• COBIT 5 is not a prescriptive tool that you can implement. The framework guides business leaders through the governance process.
• Good governance is not a one-time fix. It is ongoing and must evolve as the business and its environment evolves.
• Achieving good governance takes time and effort. It is the ultimate business control and cannot be skimped. Just look at Volkswagen and remember BP, Enron, and Arthur Andersen.
Understand the reality, too:
• Every organization is now an IT firm as well as producing goods and services.
• Each organization needs two, inter-dependent strategies covering business and IT.
• COBIT 5 provides a sound framework, focusing primarily but not exclusively on the IT elements. As IT underpins everything we do, by default it addresses many corporate governance issues too.
• Do not be put off by language that appears to exclude business issues. The read-across to a broader business approach is easy because IT will be the key tool for performing each aspect of the business.
There are five principles that cover the institutional aspects:
1. Meeting stakeholder needs.
2. Covering the enterprise end-to-end.
3. Applying a single, integrated framework.
4. Enabling a holistic approach.
5. Separating governance from management.
Looking at each of the aspects, technical excellence can be attained by understanding the stakeholder needs (Principle 1) of customers, clients, staff, management, the board, the supply chain, the regulators, and the legislature. Anything that is obligatory can be seamlessly incorporated within business needs; for example, collecting management information that is of use both to the board in determining progress, profit, risk, and strategy and to the regulator as demonstrable evidence that the firm is compliant.
The right outputs and outcomes become more likely if governance and management are clearly separated (Principle 5) and applied consistently across the organization (Principle 3).
There is no hard dividing line between governance and management; they are two sides of the same coin. Governance sets the firm’s strategic priorities and risk appetite, enabling boards to direct managers in achieving strategic and business objectives. Management implements the strategy through plans and operations, and by monitoring performance and results. Management is accountable to the board, and the board to all stakeholders. The same people can do both, so long as both are done. If the governance aspects are treated as an opportunity cost – too much ‘thinking’, not enough ‘doing’ – then vital stepping stones to success are missed, such as clearly communicated business priorities, the level of risk the company is willing to accept, and the contingencies needed to minimize risk impacts.
The COBIT 5 framework helps firms achieve institutional excellence by providing an all-inclusive approach to good governance (Principle 4). Institutional excellence, as opposed to technical excellence, relies on the firm’s moral tone – the desire to add value to society – by providing goods and services as promised. So, no deceiving customers or regulators, as at Volkswagen. No unfair treatment of stakeholders, as at FIFA. The holistic approach checks that these extremes do not occur by examining the firm’s own principles and practices.
As all firms are ‘IT shops’ too, fragmentation between IT and corporate governance must be avoided. This must be led from the top; otherwise governance and management of the business and IT will only be as good as the most senior person interested in doing both well, and the lower down the hierarchy that person sits, the greater the fragmentation. COBIT 5’s guidance on end-to-end governance covering both IT and the organization (Principle 2) helps solve these problems by encouraging the whole organization to be part of the solution.
An objective assessment of the firm using COBIT 5 really does help firms achieve good governance for the whole enterprise, covering both IT and non-IT. The five principles allow firms to build on individuals’ strengths and lessen individuals’ weaknesses so that many can act as one.