In Summer ’18, I worked at PayPal and had first-hand experience of working with COBIT 5 [1]. Though I have been working in the GRC space for ~7 years and have worked on numerous projects that involved COBIT 5 guidance and principles, never once had I had the opportunity to initiate a project, understand what each of the processes meant, and see how COBIT can be combined with other frameworks.
I was tasked to complete a Technology Risk Management project wherein the ask was to:
- identify all the technology functions of the organization,
- map all the functions with each of the ITIL V3 [2] processes and formalize them by developing policies, and
- draw control objectives for each of the functions from COBIT 5.
Following are the top 3 lessons I learnt in the process of combining best practices from ITIL and COBIT 5:
- COBIT 5 or ITIL. I believed that, as both frameworks are designed by different organizations and serve different purposes, they do not overlap. How wrong I was! As I researched and learnt more about the frameworks, I came to realize that they complement each other. COBIT helps in identifying what IT should be doing, while ITIL prescribes how it should be done to maximize resource utilization and bring much of the enterprise under IT purview. Even though the two frameworks are different, they share a common ground (BAI06 Manage Changes ≈ Change Management, BAI10 Manage Configuration ≈ Configuration Management, etc.): a set of processes that a well-run enterprise should establish in order to become more mature.
- Focus on common goals. As seen in (1), even though COBIT 5 and ITIL overlap on some aspects and both aim to make sure that IT enables the Business, the focus of the two frameworks is not the same. The primary focus of ITIL is IT, whereas the primary focus of COBIT 5 is the Enterprise. The guidance provided by ITIL is focused entirely on IT and how it should be managed; COBIT 5, however, takes the entire enterprise as its concern. COBIT 5 does deal with IT, but that is not its sole focus; it equally emphasizes other aspects such as People, Information, Organizational Structure, Culture, etc.
- Guidance, not implementation guides. Though both COBIT 5 and ITIL provide detailed guidance on how organizations should implement IT, neither provides an exact blueprint for how to implement the processes. This enables organizations to draw solutions appropriate to their unique requirements and makes the frameworks suitable for all organizations – large or small, commercial, not-for-profit, government, or multinational. All can draw conclusions from the guidance and develop their own implementation plans based on these industry-recognized standards. This innate quality of the frameworks further encourages organizations to take up the processes they deem important for them and not worry about following exact implementation steps. And, as Harvard Business Review puts it, this empowers organizations to overcome the #1 challenge, fear of failure, by removing nonessential processes, encouraging change, and adopting best practices [3].
Conclusion
While the above lessons came naturally with the role I was performing, the conclusion was a generalized observation: an organization need not be compliant with all the processes of COBIT 5. The goal should be to draw references and inferences from the framework as per the requirements of the organization, not to overdo the implementation, and thereby get one step closer to a better risk posture.
References:
[1] ISACA; COBIT 5
http://www.isaca.org/COBIT/Pages/COBIT-5.aspx
[2] AXELOS; ITIL V3
https://www.axelos.com/best-practice-solutions/itil
[3] Gino, Francesca, & Staats, Bradley; Why Organizations Don’t Learn; Nov 2015
https://hbr.org/2015/11/why-organizations-dont-learn