Ken & Co

Practically using COBIT 2019 to mitigate the challenges of COVID-19

In my earlier article, titled Using COBIT 2019 to Proactively Mitigate the Impact of COVID-19, I had given a perspective on how one can use COBIT 2019 to mitigate the challenges of COVID-19. In this article, we shall explore more into how best one can practically adapt it.

Step 1- Identify changes to stakeholder needs

The first step in the adapting COBIT 2019 considering COVID-19 challenges is to understand the stakeholders needs clearly. Any enterprise today wants to ensure minimum business disruption and ensuring maximum enterprise resiliency, owing to the current challenges.

Step 2 – Identify the enterprise goals/alignment goals

 The next step would be to identify the Enterprise Goals and see how they align with the Alignment Goals. The below Figure gives the mapping as to how to navigate from Enterprise Goals to Alignment Goals.

In a COVID-19 situation, the focus is to ensure Business service continuity and availability and therefore the relevant Enterprise Goal would be EG06 – “Business service continuity and availability”.

Once the enterprise Goals have been identified, one has to see what are the relevant “Alignment Goals”. The following are the alignment Goals as per Fig 1 above:

Primary (denoted by way of “P” in the above Figure 1)

AG07 – Security of information, processing infrastructure and applications, and privacy

Secondary (denoted by way of “S” in the above Figure 1)

AG02 – Managed I&T related risk

AG05 – Delivery of I&T services in line with the Business requirements

 

Fig 1 – Mapping of Enterprise Goals to Alignment Goals from the COBIT 2019 Governance and Management Objectives Guide

Step 3 - Identify the governance and management objectives

One successfully identifying the “Alignment Goals” one has to now map the “Alignment Goals to the Governance and Management (G&M) Objectives”. Refer Figure 2.

The following are the corresponding Governance and Management Objectives applicable for AG07 – Security of information, processing infrastructure and applications, and privacy

Primary (denoted by way of “P” in the above Figure 2)

Evaluate, Direct and Monitor (EDM)

  • EDM03 Ensured risk optimization

Align, Plan and Organize (APO)

  • APO12 Managed risk
  • APO13 Managed security

Build, Acquire and Implement (BAI)

  • BAI10 Managed configuration

Deliver, Service and Support (DSS)

  • DSS04 Managed continuity
  • DSS05 Managed security services

Secondary (denoted by way of “S” in the above Figure 2)

Align, Plan and Organize (APO)

  • APO01 Managed I & T Framework
  • APO03 Managed Enterprise architecture
  • APO14 Managed Data

Build, Acquire and Implement (BAI)

  • BAI04 Managed availability and capacity

Deliver, Service and Support (DSS)

  • DSS02 Managed service requests and incidents
  • DSS05 Managed problems
  • DSS06 Managed business process controls

Monitory Evaluate Assess (MEA)

  • MEA02 Managed system of internal control
  • MEA 04 Managed assurance

Step 4 - Prioritize and select COBIT components to use

Based on review, the enterprise decides to implement/improve processes relating to DSS04 Managed continuity. From the identified G&M objectives, one should further drill down using the COBIT 2019 Framework: Governance and Management Objectives which is used to set metrics for enterprise goals and alignment goals as relevant.

Fig 3 below is an extract from the COBIT 2019 Framework: Governance and Management Objectives which helps one to navigate further with respect to DSS04 Managed Services

From the above it is clear that one can identify and set the metrics for enterprise goals and alignment goals as relevant. For instance, the enterprise under consideration could have an increase in customer service or business process interruptions, or the challenge could be loss of business processing hours due to unplanned service interruptions, or increasing number of availability incidents causing financial loss which it plans to improvise or mitigate.

 

 

Figure 3 – DSS04 – Managed Continuity – extracted from the COBIT 2019 Framework: Governance and Management Objectives
Fig 4 - DSS04 – Managed Continuity – A. Component: Process - extracted from the COBIT 2019 Framework: Governance and Management Objectives

Step 5 - Identify management practices and activities and other relevant components

COBIT provides guidance on 7 components of governance and management. The enterprise decides to use best practice guidance from management practices and activities as relevant. Drilling down DSS04 further, guidance in each of the 7 components is available.

a. Mapping relevant Component – Process

Fig 4 helps one identify the relevant Component, in this case the “Process”. Each of the G&M Objectives can be drilled down further to the Management Practice and each management practise has pre-defined activities. These help an organisation to ensure they approach each phase holistically. Further related guidance is also available in case of need.

It is to be noted that the above figure is only for DSS04.01 Define the business continuity policy, objectives and scope. G&M Objective DSS04 has a total of 8 Management Practises (refer Table 1) and each of these have activities further mapped to them

Practice IDPractice Name
DSS04.01Define the business continuity policy, objectives and scope.
DSS04.02Maintain business resilience.
DSS04.03Develop and implement a business continuity response.
DSS04.04Exercise, test and review the business continuity plan (BCP) and disaster response plan (DRP).
DSS04.05Review, maintain and improve the continuity plans.
DSS04.06Conduct continuity plan training.
DSS04.07Manage backup arrangements.
DSS04.08Conduct post-resumption review.
Table 1 – Practices relevant for DSS04 – Managed Continuity

An enterprise can also define or update the key metrices for each of the management practices based on the Fig 4 thus helping it to move from a mere qualitative yardstick to quantitative measurement approach. It is to be noted that the enterprise can stop its application of COBIT 2019 with the management practice or can further drill down to explore the Activities mapped to each of the Management Practice.

b. Mapping relevant Component – Organisation Structure

Fig 5 helps illustrates with a Responsibility and Accountability Matrix which is relevant from the identified G&M Objective. This helps an organisation to define the roles and responsibilities.

Fig 5 - DSS04 – Managed Continuity – B. Component: Organisation Structure - extracted from the COBIT 2019 Framework: Governance and Management Objectives
Fig 6 - DSS04 – Managed Continuity – C. Component: Information Flow and Items - extracted from the COBIT 2019 Framework: Governance and Management Objectives

c. Mapping relevant Component – Information Flows and Items

Fig 6 is used to improve documentation as required in terms of inputs and outputs and the contents from policies and procedures are used to map and update policies and procedures as applicable. This helps organisations update their existing documentation and also helps in cross referencing to other policies and procedures.

d. Mapping relevant Component – People, Skills and Competencies

Fig 7 gives guidance on the relevant People, Skills and Competencies along with the relevant guidance.

Fig 7 - DSS04 – Managed Continuity – D. Component: People, skills and Competencies - extracted from the COBIT 2019 Framework: Governance and Management Objectives
Fig 8 - DSS04 – Managed Continuity – E. Component: Polices and Procedures - extracted from the COBIT 2019 Framework: Governance and Management Objectives

e. Mapping relevant Component – Policies and Procedures

Fig 8 gives guidance on the relevant Policies and procedures and the relevant description applicable for the G&M Objective identified. This helps in defining the key policies and procedures required and the broad contents of each of them.

f. Mapping relevant Component – Culture Ethics Behaviour

Fig 9 gives guidance on Culture Ethics Behaviour which helps in setting the tone and managing the overall set up.

Fig 9 - DSS04 – Managed Continuity – F. Component: Culture Ethics Behaviour - extracted from the COBIT 2019 Framework: Governance and Management Objectives
Fig 10 - DSS04 – Managed Continuity – G. Component: Services, Infrastructure and Application - extracted from the COBIT 2019 Framework: Governance and Management Objectives

g. Mapping relevant Component – Services, Infrastructure and Application

Fig 10 gives guidance on Services, Infrastructure and Application. The focus here is to understand the essential Services, Infrastructure and Application for meeting the relevant G&M objective

Note:

It is to be noted that depending upon the enterprise requirement, one can decide what is extent of utilisation and adaption he or she would like to undergo.

 

Step 6 – Identify and extract best practices from COBIT contents

The enterprise uses the relevant content extracted from COBIT and customizes and translates it into specific policies and procedures that are integrated into enterprise policies and procedures. These are added to job responsibilities and staff is trained to perform them as part of day-to-day work.

 

Step 7 – Implement performance and monitoring measures

The governing body is updated on the changes required. Approval is obtained to roll this out with approval of budget, and relevant performance measurement metrics are implemented for all key goal areas with relevant key goal indicators and key performance indicators.

 

Pro Tip:

It is to be noted that ISACA’s COBIT 2019 Toolkit has ready-to-use Templates which can help one navigate from:

  1. Enterprise Goals to Alignment goals
  2. Alignment Goals to G&M Objectives
  3. G&M Objectives to relevant Management Practise
  4. Management Practise to relevant Activities

This can be used further to simplify the navigation.

Author

The author CA Narasimhan Elangovan, is a practising CA and partner KEN & Co. He is a GRC Professional, a Digital transformation catalyst and an author. He believes in the power of technology to solve everyday problems. He can be reached at narasimhan@ken-co.in