CobiT 5

CobiT 5 expands the topics related to governance over IT to obtain more value from IT. An important step in CobiT 5 is the integration of Val IT guidelines for benefits realization.

Secondly, it appears that the need for a more integrative approach and the need of a common framework (a kind of Esperanto for IT governance) has been another reason to create a new CobiT. CobiT 5, ISACA integrates many frameworks into one such as BMIS, ITAF, RISK IT; and, additionally, takes a multiple stakeholder perspective. In figure 8, CobiT 5 processes are shown.

Figure 1: CobiT 5 Governance and Management Processes (CobiT 5 2012)

One of CobiT 5's new features is the addition of new management practices for information systems: "For each CobiT process, the management practices provide a complete set of high level requirements for effective and practical management (governance) of organization IT".  Moreover, CobiT 5 states that more detailed guidance for practices and activities will be developed in the future (CobiT 5 2012). This signalizes that more guidance for the management of costs and benefits in a more profound way could be introduced in the future.

Goals in CobiT 5:

CobiT 5 recognizes different goals that are represented in a more detailed and dynamic way comparing to its predecessor. Firstly, common business goals (the so called Enterprise Goals) can be related to governance objectives with primary (strong) and secondary (less strong) relationships. Secondly, IT related goals which deal with IT related outcomes for the realization of organization goals can be combined with a certain numbers of CobiT 5 enablers to achieve the desired outcome (CobiT 5 2012).

Both types of goals are represented with a Balanced Score Card (BSC) in which it is possible to visualize their corresponding dimension in regard to financial, customer, internal, and learning and growth topics (Ibid.).

It is important to underline that the framework has been considerably reorganized from being an IT process model that into a framework with more governance practices for IT, management and a process model.  Many components such as the balance scorecard, maturity models, goals and metrics, and roles and responsibilities (RACI) charts are present in CobiT 5. However, many changes has been made and some elements has been even removed; such as the CobiT 4.1 Diamond (governance focus areas), and some processes and control objectives. For example, CobiT 4.1's control objective PO 4.8 "Responsibility for Risk, Security and Compliance" has been deleted. However, risk, security and compliance control aspects are found in other elements of the new framework.

CobiT 5 distinguishes five principles. The first principle is "Integrator framework" which means that CobiT 5 integrates existing ISACA guidelines on governance and management of organization IT. Moreover, it incorporates other standards and frameworks such as Val IT in one architecture for structuring guidance (CobiT 5 2012). According to the CobiT 5, the new architecture is a "simple" one. However, the author of this thesis disagree on that and considers CobiT 5 as integrative framework of high complexity with topics and focus areas that in the practice interact with each other. To obtain an overview of the whole state of governance requires in CobiT the application of a large number of processes and metrics, which in some cases overlap which each other.

Figure 2: CobiT 5 Principles (CobiT 5 2012)

The second principle is "Stakeholder Value Driven". Internal and external stakeholders are integrated in the CobiT 5 framework. Topics on stakeholder needs and conflicting expectations are translated into three generic governance: benefits, realisation, risk balancing and cost optimisation. According to CobiT 5 "Stakeholder needs are influenced by a number of drivers, e.g., strategy changes, a changing business and regulatory environment, and (use of) technology evolutions". RACI charts show the expected involvement of stakeholders in each process (Ibid.).

Figure 3: RACI Charts (CobiT 5 2012)

The third principle is "Business and Context Focussed" and is closely associated with the principle "Stakeholder Value Driven". To start with, stakeholder needs can be connected to different governance objectives. Afterwards, those governance objectives can be translated into organization goals and into IT-related goals. Finally, processes, organizational structures and information can be defined in support of the IT-related goals. For example, an important goal could be to "align IT with the business strategy" in order to cultivate a more business focused IT unit. In an organization, in which customer satisfaction is an important part of the business strategy, the goal could be to create a more customer oriented IT function (Ibid.).

The fourth principle is "Enabler Based" and it refers to the Enablers assistance necessary to implement robust governance and management systems. The word "enablers" refers to governance and management processes, principles and policies, organizational structures, skills and competences, culture and behaviour, as well as services capabilities and information (Ibid.).   

The fifth principle is "Governance and Management Structured". CobiT 5 distinguishes between governance processes and management processes. Governance processes include objectives such as value delivery, risk management and resource balancing and practices related to the evaluation of strategic decisions, while the management processes cover areas of planning, building, running and monitoring of organization for end-to-end IT issues. To continue, interactions between governance and management can be found in the figure below (CobiT 5 2012).

Similar to its predecessor, CobiT 5 is not a dogmatic book of instructions and it represents a reference for the convenience of organizations and auditors. The process reference model in CobiT 5 is divided in governance and management domains. The governance domain deals with governance processes (evaluate, direct, monitor) and the management domain deals with the areas of plan, build, run and monitor (four domains similar to CobiT 4.1.1) (CobiT 5 2012). CobiT 5 separates the processes into governance and management, however, it is important to remark that both areas are highly interconnected.

CobiT 5 expands the number of governance related processes. In CobiT 4.1.1, there is only one process covering IT governance topics which is the ME4 Provide IT governance and it states:  "ME4 covers the process of governance oversight over IT, in keeping with COBIT's purpose as an IT governance framework." (CobiT 4.1 2007).

Differently to CobiT 4.1.1, the IT governance Model in CobiT 5 is based on the tasks evaluate, direct and monitor from the ISO/IEC 38500. CobiT 5's governance part has also been expanded by new processes: EDM1/EDM2/EDM3/EDM4 (CobiT 5 2012). For example EDM1 includes aspects from Val IT key management practices such as "Develop an understanding of the significance of IT and the role of governance." Other examples are EDM2 which covers Val IT practice "Define value for the organization" and EDM3.1 which is related to IT risk assessment topics covered by RISK IT (Ibid.). Figure 10 gives a helicopter overview of CobiT 5 governance and management processes.