Source: https://www.researchgate.net/publication/333828520
Technical Report · June 2019
DOI: 10.13140/RG.2.2.36820.45440


Lessons Learned in Designing a
COBIT 2019 Framework for a
Brazilian Financial Organization
By Joao Souza Neto, Paulo Fernando Curvelo Lamellas, Fernando Cavalcante, Thiago Luiz Rosa
Savio Costa, Fernando Moura Cavalcante, and Rafael Almeida.

At the beginning of 2019, we designed a COBIT 2019 Framework for a Brazilian savings and loan
association. It operates throughout the Brazilian national territory with funds raised through savings
accounts, with the following permanent objectives: to capture, encourage and disseminate savings,
facilitating the acquisition and construction of homes for its members; and to promote housing projects
under the best conditions of price, quality, and security, in order to meet the needs of its members.
Currently, the association has more than 1.6 million savers throughout the country. According to the
September 2018 survey performed by the Brazilian Central Bank, it ranks in the top ten in terms of
fundraising among the institutions that make up the Brazilian Savings and Loan System. Since its
inception, it has carried out more than 128,000 real estate financing operations in Brazil and holds a top
ten place (2018) in the ranking of the financial agents that grant the most real estate financing.

The unit of analysis was the organization as a whole. As the organization needed a broad, holistic, and
comprehensive view of its governance system, the full workflow of the design method (Figure 1) was
applied.

Figure 1 — Governance System Design Workflow

Source: Figure 4.1, page 31, Designing an Information and Technology Governance Solution, ISACA,
2018.

In this case, we started with a meeting with the organization’s managers to understand the enterprise
context and strategy. At this meeting, the strategic plan and the IT strategic plan were presented and
discussed. Next, we examined Design Factors 1 to 4 to determine the initial scope of the governance
system. At the end of this step, we analyzed the prioritized Governance/Management objectives. Finally,
we concluded the governance system design with a discussion with a broader audience, which included
managers who had not participated in the first steps of the design.

To present the lessons learned in the design process, we organized them by Design Factors. This structure
simplified the presentation of the lessons learned.

Design Factor 1
In Design Factor 1, we had to consider four strategy archetype options, as shown in Figure 2. This
stage generated many discussions because the managers were not familiar with the concepts of the
archetypes. Moreover, even after reading the theoretical reference, we were still not sure about the
meanings of the archetypes, which made it difficult to weigh them. After a while, we decided to move on to
Design Factor 2, which deals with an aspect that we know better: the enterprise goals.

Figure 2 — Strategy Archetypes

Source: Figure 2.5, page 22, Designing an Information and Technology Governance Solution, ISACA,
2018.

After discussing Design Factor 2, we returned to Design Factor 1, and we set the importance values
required.

Design Factor 1
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: High
Time to complete: Long
Opportunities for Improvement: ISACA could propose a set of archetypes with a clearer meaning
Lessons learned:
- Analyze this Design Factor after Design Factor 2
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts

Design Factor 2
In practical terms, this was the first Design Factor that we actually defined. We experienced some
difficulty here because, in COBIT 5, one could build a tailored Goals Cascade with the specific sets of
enterprise and IT goals of the organization under analysis. In the spreadsheet provided by ISACA for
COBIT 2019, there is no option to insert new enterprise objectives. It is a kind of black-box goals
cascade! This is a limitation because it prevents organizations from adequately representing their strategic
reality. Figure 3 shows the mapping obtained.
Besides, in section 4.3.3 of the Design Guide, one reads: “The enterprise must interpret results with care,
or adapt the mapping tables based on its own experience and context.” However, if we make this
adaptation, we can no longer use the spreadsheet.

Figure 3 — Mapping of the Enterprise Goals

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 2
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: Low
Time to complete: Medium
Opportunities for Improvement: It should be possible to include the specific Enterprise Goals of the
organization under design in the spreadsheet.
Lessons learned:
- Analyze this Design Factor first
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to remind the audience of the Enterprise Goals of the organization

Design Factor 3
This Design Factor deals with IT Risk categories, and the manager has to define the probability and impact
of every category. This is not straightforward, because each category involves a collection of related risks,
each with its probability and impact (see Risk Scenarios – Using COBIT 5 for Risk, ISACA, 2018). Our
understanding is that ISACA wants a risk assessment of these collections. We were not sure of how to do
that.
In Design Factor 3, you have to select the right audience to assess the risks. Figure 4 shows the mapping
obtained.

Figure 4 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Moreover, we noticed that ISACA has already defined the coloring of the Risk Matrix. Table 1 shows it.

Table 1 — ISACA’s Risk Matrix

[5x5 grid: Probability rated 1 to 5 on the horizontal axis, Impact rated 1 to 5 on the vertical axis; each
square carries the risk rating color predefined by ISACA, which was not preserved in this text version.]
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

An important point to consider is that the coloring of the Risk Map is an expression of the Risk Appetite of
the organization, as can be seen in Figure 5.

Figure 5 — Risk Matrix and Risk Appetite

Source: Understanding and Communicating Risk Appetite, COSO, 2012.

When ISACA defines the risk rating for every square in the matrix, it is setting the risk appetite for the
organization. In the organization under design, the Board of Directors is accountable for this definition,
and its Risk Appetite Statement defines a different appetite for the IT Risk category. To be able to use
this Design Factor, we followed the risk appetite defined by ISACA.
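To make the point that the coloring of the matrix encodes risk appetite concrete, here is an added example (not from the report or from ISACA's toolkit): a 5x5 matrix whose colors are derived from appetite thresholds, so that a category with its own appetite, like the IT Risk category mentioned above, gets a different map from the enterprise default. The thresholds, color names and function names are constructed for illustration; ISACA's actual coloring is not reproduced.

```python
# Added example (not from the report or ISACA's toolkit): a 5x5 risk matrix
# whose coloring is derived from a risk appetite statement rather than fixed
# in advance. The thresholds below are constructed for illustration; ISACA's
# actual coloring and the organization's real appetite are not reproduced.

SCALE = range(1, 6)  # probability and impact are both rated 1..5

def rating(probability: int, impact: int, appetite: dict) -> str:
    """Map a probability/impact pair to a rating using appetite thresholds.

    `appetite` holds the largest probability x impact score still tolerated
    per rating, ordered from most to least tolerated, e.g.
    {"green": 4, "yellow": 10}; anything above the last threshold is "red".
    """
    if not (probability in SCALE and impact in SCALE):
        raise ValueError("probability and impact must be integers 1..5")
    score = probability * impact
    for color, ceiling in appetite.items():
        if score <= ceiling:
            return color
    return "red"

def risk_matrix(appetite: dict) -> dict:
    """Return {(probability, impact): color} for the whole 5x5 grid."""
    return {(p, i): rating(p, i, appetite) for p in SCALE for i in SCALE}

def differing_squares(appetite_a: dict, appetite_b: dict) -> list:
    """Squares whose color changes when the appetite statement changes."""
    a, b = risk_matrix(appetite_a), risk_matrix(appetite_b)
    return sorted(sq for sq in a if a[sq] != b[sq])

# Constructed appetite statements: an enterprise-wide default and a stricter
# one that the board applies to the IT Risk category.
ENTERPRISE_APPETITE = {"green": 6, "yellow": 12}
IT_RISK_APPETITE = {"green": 2, "yellow": 6}

def render(appetite: dict) -> str:
    """Plain-text map: impact 5 on the top row, probability 1..5 across."""
    rows = []
    for impact in reversed(SCALE):
        cells = [rating(p, impact, appetite)[0].upper() for p in SCALE]
        rows.append(f"I{impact} | " + " ".join(cells))
    rows.append("     P1 P2 P3 P4 P5")
    return "\n".join(rows)

if __name__ == "__main__":
    print("Enterprise appetite:\n" + render(ENTERPRISE_APPETITE))
    print("IT risk appetite:\n" + render(IT_RISK_APPETITE))
    print("Squares rated differently:",
          differing_squares(ENTERPRISE_APPETITE, IT_RISK_APPETITE))
```

Running the block shows that the same probability/impact pair (for instance 3 x 3) is yellow under the enterprise appetite but red under the IT risk appetite, which is exactly why a fixed coloring cannot express an organization's own Risk Appetite Statement.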

Design Factor 3
Scope: IT
Interviewees: CIO, IT Managers, Information Security Managers, Risk Managers
Level of difficulty: High
Time to complete: High
Opportunities for Improvement: It should be possible to define the probability and impact of every
relevant IT risk in the organization. It should be possible to define the coloring of the risk map that
expresses the risk appetite of the organization.
Lessons learned:
- Explain the concept of IT Risk categories
- Draw the 5x5 Risk Matrix with the coloring defined by ISACA and discuss it with your audience

Design Factor 4
This Design Factor concerns the importance of generic I&T-related issues. This list of issues was based on
the list of Pain Points of the Implementation Guide of COBIT 5. Figure 6 shows the resulting
Governance/Management Objectives importance for this Design Factor.

Figure 6 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 4
Scope: IT
Interviewees: CIO, IT Managers, Business Managers
Level of difficulty: Low
Time to complete: Medium
Opportunities for Improvement: It should be possible to include different issues in the spreadsheet.
Lessons learned:
- Pay attention to the Business Managers. Carefully explain the IT-related issues to them.

Design Factor 5
This Design Factor deals with the importance of the threat landscape of the organization. The options are
only Normal and High. The Information Security managers found it too simple to be representative of the
threat landscape of the organization. They gave us an explanation of this complex landscape, and we did
our best to set the weights of the options. Figure 7 shows the resulting Governance/Management
Objectives importance for this Design Factor.

Figure 7 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 5
Scope: Enterprise
Interviewees: Senior Executives, Information Security Managers, Business Managers
Level of difficulty: Low
Time to complete: Low
Opportunities for Improvement: The number of options should be increased
Lessons learned:
- Ask the Information Security Managers to explain the concept of the threat landscape to the audience

Design Factor 6
This Design Factor deals with the importance of compliance requirements for the organization. There are
just a few options, but they allowed us to reasonably represent the importance of compliance
requirements for the organization. Figure 8 shows the weights for compliance requirements.

Figure 8 — Importance of Compliance Requirements

Importance   Value   Baseline (100%)
High         80%     0%
Normal       20%     100%
Low          0%      0%

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Figure 9 shows the resulting Governance/Management Objectives importance for this Design Factor.

Figure 9 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 6
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: Low
Time to complete: Low
Opportunities for Improvement: None
Lessons learned:
- Remind the audience that the scope involves internal and external compliance requirements

Design Factor 7
In this Design Factor, we had to consider four options for the role of IT: support, factory, turnaround, and
strategic. After the experience we had with Design Factor 1, we started with a full explanation of each of
these roles. This was very helpful, and the Design Factor was completed easily. Figure 10 shows the
resulting Governance/Management Objectives importance for this Design Factor.

Figure 10 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 7
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned:
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts

Design Factor 8
In this Design Factor, we had to consider four options for the IT sourcing model: outsourcing, cloud,
insourced, and hybrid (COBIT 2019 Design Guide – Designing an Information and Technology Governance
Solution, page 39, figure 4.6). However, in the spreadsheet, the Hybrid option was not displayed. We
had some difficulties with the cloud option: large companies may insource with a private cloud, and a
company may outsource with or without cloud. There was a lively discussion about that. Figure 11 shows
the resulting Governance/Management Objectives importance for this Design Factor.

Figure 11 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 8
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Medium
Time to complete: Short
Opportunities for Improvement: ISACA should evaluate whether cloud can be considered a sourcing model
Lessons learned:
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts

Design Factor 9
Design Factor 9 deals with IT implementation methods: Agile, DevOps, and Traditional. As the IT managers
were quite acquainted with these concepts, the work was done easily. Figure 12 shows the pie chart for
the IT implementation methods of the organization.

Figure 12 — Pie chart for IT Implementation Methods for the Organization under Design

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 9
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned: None

Design Factor 10
The subject of this Design Factor is the Technology Adoption Strategy of the organization. The options are
First Mover, Follower, and Slow Adopter. The team was quite acquainted with these concepts, and the
work was done easily. Figure 13 shows the resulting Governance/Management Objectives importance for
this Design Factor.

Figure 13 — Resulting Governance/Management Objectives Importance

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

Design Factor 10
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned: None

Prioritized Governance/Management Objectives


Finally, the spreadsheet generated a list with the importance of every Governance/Management Objective
for the organization. Figure 14 shows this list.

Figure 14 — List of Governance/Management Objectives Importance

Governance and Management Objectives Importance (All Design Factors), on a scale from -100 to 100:

EDM: EDM01 5, EDM02 20, EDM03 75, EDM04 -30, EDM05 20
APO: APO01 15, APO02 -20, APO03 15, APO04 20, APO05 -35, APO06 -40, APO07 -25, APO08 45,
APO09 5, APO10 -20, APO11 75, APO12 60, APO13 45, APO14 0
BAI: BAI01 60, BAI02 90, BAI03 100, BAI04 60, BAI05 60, BAI06 15, BAI07 20, BAI08 15, BAI09 -75,
BAI10 -5, BAI11 35
DSS: DSS01 -35, DSS02 35, DSS03 60, DSS04 30, DSS05 65, DSS06 10
MEA: MEA01 -20, MEA02 -5, MEA03 75, MEA04 45

Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.

The Objectives with the highest importance (above 75) were EDM03 – Ensured Risk Optimization, APO11
– Managed Quality, BAI02 – Managed Requirements Definition, BAI03 – Managed Solutions Identification
and Build, and MEA03 – Managed Compliance with External Requirements.
This list came as a surprise to the management team. Another set of objectives was expected.

Final Considerations
To simplify the design procedure, we did not use the Design Factor weight setting available in the
Canvas tab. We intend to do so in our next application of the method.
Also, the baseline values were not clear to us. How did ISACA set these baselines? Was a survey
performed to support them? Besides, we did not know what to do with the information in the step 2
summary tab. What early conclusions can we draw from it?
As a last contribution, we would like to suggest the following grouping of stakeholders for analyzing the
different Design Factors:

Interviewees                                      Design Factors
Board Members                                     1, 2, 6
Senior Executives                                 1, 2, 5, 6
CIO, IT Managers                                  3, 4, 7, 8, 9, and 10
Information Security Managers, Risk Managers      3, 5
Business Managers                                 4, 5

Conclusion
This paper aims to contribute to the continuous improvement of COBIT 2019. The design method
proposed by ISACA is very useful for organizations that need guidance in selecting the most important
objectives to fulfill their strategy. Naturally, there is some room for improvement in the design method,
particularly in the spreadsheet provided by ISACA. Nevertheless, this is natural when complex tools like
this one are released to the market.

Joao Souza Neto, Ph.D., CGEIT, CRISC, PMP


Has more than 15 years of experience in IT governance, applying the COBIT® framework in the Brazil
Post. He is also responsible for the IT governance research area at the Universidade Catolica de Brasilia
(Brazil). He is founder and vice-president of the ISACA® Brasilia Chapter.

Paulo Fernando Curvelo Lamellas


CIO of the organization under design. He holds a degree in Military Sciences from the Military Academy of
Agulhas Negras and a Master's degree in Military Sciences from the School of Officers Improvement.

Thiago Luiz Rosa Sávio Costa


Responsible for implementation of IT Governance in the organization under design. He has more than
eight years of experience in Project Management and Organizational Change Management. He is also a
Master Degree student at Universidade Catolica de Brasilia.

Fernando Moura Cavalcante


Responsible for the management of IT services and compliance in the organization under design.

Rafael Almeida
IT governance researcher at INOV—Inesc Inovação. He is also a Ph.D. student at Instituto Superior
Técnico, University of Lisbon (Portugal).
