All content following this page was uploaded by Joao Souza Neto on 17 June 2019.
At the beginning of 2019, we designed a COBIT 2019 Framework for a Brazilian savings and loan association. The association operates throughout the Brazilian national territory with funds raised through savings accounts, and it has the following permanent objectives: to capture, encourage and disseminate savings, facilitating the acquisition and construction of homes for its members; and to promote housing projects under the best conditions of price, quality and security, in order to meet the needs of its members. Currently, the association has more than 1.6 million savers throughout the country. According to the September 2018 survey performed by the Brazilian Central Bank, it ranks among the top ten institutions of the Brazilian Savings and Loan System in terms of fundraising. Since its inception, it has carried out more than 128,000 real estate financing operations in Brazil and holds a top-ten place (2018) in the ranking of the financial agents that grant the most real estate financing.
The unit of analysis was the organization as a whole. As the organization needed a broad, holistic, and
comprehensive view of its governance system, the full workflow of the design method, Figure 1, was
applied.
Source: Figure 4.1, page 31, Designing an Information and Technology Governance Solution, ISACA,
2018.
In this case, we started with a meeting with the organization’s managers to understand the enterprise
context and strategy. At this meeting, the strategic plan and the IT strategic plan were presented and
discussed. Next, we examined Design Factors 1 to 4 to determine the initial scope of the governance
system. At the end of this step, we analyzed the prioritized Governance/Management objectives. Finally, we concluded the governance system design with a discussion with a broader audience, which included managers who did not participate in the first steps of the design.
To present the lessons learned in the design process, we organized them by Design Factors. This structure
simplified the presentation of the lessons learned.
Design Factor 1
In Design Factor 1, we had to consider four options of strategy archetypes, as shown in Figure 2. This stage generated many discussions because the managers were not familiar with the concepts of the archetypes. Moreover, even after reading the theoretical reference, we were still not sure about the meaning of the archetypes, which made it difficult to weigh them. After a while, we decided to move on to Design Factor 2, which deals with an aspect that we know better: the enterprise goals.
Source: Figure 2.5, page 22, Designing an Information and Technology Governance Solution, ISACA,
2018.
After discussing Design Factor 2, we returned to Design Factor 1, and we set the importance values
required.
Design Factor 1
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: High
Time to complete: Long
Opportunities for Improvement: ISACA could propose a set of archetypes with a clearer meaning
Lessons learned:
- Analyze this Design Factor after Design Factor 2
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts
Design Factor 2
In practical terms, this was the first Design Factor that we actually defined. We experienced some difficulty here because, in COBIT 5, one could build a tailored Goals Cascade with the specific sets of enterprise and IT goals of the organization under analysis. In the spreadsheet provided by ISACA for COBIT 2019, there is no option to insert new enterprise objectives. It is a kind of black-box goals cascade! This is a limitation because it prevents organizations from adequately representing their strategic reality. Figure 3 shows the mapping obtained.
Besides, in section 4.3.3 of the Design Guide, one reads: “The enterprise must interpret results with care, or adapt the mapping tables based on its own experience and context.” However, if we make this adaptation, we can no longer use the spreadsheet.
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.
Design Factor 2
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: Low
Time to complete: Medium
Opportunities for Improvement: It should be possible to include the specific Enterprise Goals of the organization under design into the spreadsheet.
Lessons learned:
- Analyze this Design Factor first
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to remind the audience of the Enterprise Goals of the organization
Design Factor 3
This Design Factor deals with IT Risk categories, and the manager has to define the probability and impact of every category. This is not straightforward, because each category involves a collection of related risks, each with its own probability and impact (see Risk Scenarios – Using COBIT 5 for Risk, ISACA, 2018). Our understanding is that ISACA wants a risk assessment of these collections. We were not sure how to do that.
In Design Factor 3, you have to select the right audience to assess the risks. Figure 4 shows the mapping obtained.
Moreover, we noticed that ISACA has already defined the coloring of the Risk Matrix. Table 1 shows it.
An important point to consider is that the coloring of the Risk Map is an expression of the Risk Appetite of
the organization, as can be seen in Figure 5.
When ISACA decides to define the risk rating for every square in the matrix, it is setting the risk appetite
for the organization. In the organization under design, the Board of Directors is accountable for this
definition, and the Risk Appetite Statement has a different appetite definition for the IT Risk category.
To use this Design Factor, we followed the risk appetite defined by ISACA.
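The point above, that the coloring of the 5x5 risk map encodes the risk appetite, can be made concrete with a small script. This is an added example, not code from the paper or from ISACA's toolkit; the two sets of cell thresholds and the three assessed categories are constructed for illustration and do not reproduce the coloring in Table 1.

```python
# Added example: a 5x5 probability/impact risk map whose per-cell rating is
# supplied by the organization, so the same IT risk category is rated differently
# under two appetite definitions. Thresholds and categories are constructed.
from typing import Dict, Tuple

Rating = str                               # "green", "yellow" or "red"
RiskMap = Dict[Tuple[int, int], Rating]    # (probability, impact) -> rating, both 1..5


def build_risk_map(red_from: int, yellow_from: int) -> RiskMap:
    """Build a 5x5 map from two thresholds on the score probability * impact.

    Cells scoring >= red_from are red, >= yellow_from are yellow, the rest green.
    The thresholds are the appetite knob: lower thresholds mean a more
    conservative appetite, because more cells turn red.
    """
    if not (1 <= yellow_from <= red_from <= 25):
        raise ValueError("thresholds must satisfy 1 <= yellow_from <= red_from <= 25")
    risk_map: RiskMap = {}
    for probability in range(1, 6):
        for impact in range(1, 6):
            score = probability * impact
            if score >= red_from:
                risk_map[(probability, impact)] = "red"
            elif score >= yellow_from:
                risk_map[(probability, impact)] = "yellow"
            else:
                risk_map[(probability, impact)] = "green"
    return risk_map


def rate_category(risk_map: RiskMap, probability: int, impact: int) -> Rating:
    """Look up the rating of one IT risk category in the given map."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be integers 1..5")
    return risk_map[(probability, impact)]


def rate_all(risk_map: RiskMap, categories: Dict[str, Tuple[int, int]]) -> Dict[str, Rating]:
    """Rate every category; categories map a name to (probability, impact)."""
    return {name: rate_category(risk_map, p, i) for name, (p, i) in categories.items()}


# Constructed sample: an assumed toolkit-like coloring and an assumed board-approved,
# more conservative appetite, applied to three assessed categories.
DEFAULT_MAP = build_risk_map(red_from=15, yellow_from=6)
CONSERVATIVE_MAP = build_risk_map(red_from=9, yellow_from=4)
SAMPLE_CATEGORIES = {"IT operational incidents": (3, 4), "Software selection": (2, 2), "Data breach": (2, 5)}

if __name__ == "__main__":
    for name, (p, i) in SAMPLE_CATEGORIES.items():
        print(name, rate_category(DEFAULT_MAP, p, i), rate_category(CONSERVATIVE_MAP, p, i))
```

Running the block shows the "Data breach" category moving from yellow to red when the organization's own appetite replaces the default coloring, which is exactly why the map should be the Board's definition rather than a fixed one.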
Design Factor 3
Scope: IT
Interviewees: CIO, IT Managers, Information Security Managers, Risk Managers
Level of difficulty: High
Time to complete: High
Opportunities for Improvement:
- It should be possible to define the probability and impact of every relevant IT risk in the organization.
- It should be possible to define the coloring of the risk map that expresses the risk appetite of the organization.
Lessons learned:
- Explain the concept of IT Risk categories
- Draw the 5x5 Risk Matrix with the coloring defined by ISACA and discuss it with your audience.
Design Factor 4
The topic is concerned with the importance of generic I&T-related issues. This list of issues was based on
the list of Pain Points of the Implementation Guide of COBIT 5. Figure 6 shows the resulting
Governance/Management Objectives importance for this Design Factor.
Design Factor 4
Scope: IT
Interviewees: CIO, IT Managers, Business Managers
Level of difficulty: Low
Time to complete: Medium
Opportunities for Improvement: It should be possible to include different issues in the spreadsheet.
Lessons learned:
- Pay attention to the Business Managers. Carefully explain the IT-related issues to them.
Design Factor 5
This Design Factor deals with the importance of the threat landscape of the organization. The options are
only Normal and High. The Information Security managers found it too simple to be representative of the
threat landscape of the organization. They gave us an explanation of this complex landscape, and we did
our best to set the weights of the options. Figure 7 shows the resulting Governance/Management
Objectives importance for this Design Factor.
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.
Design Factor 5
Scope: Enterprise
Interviewees: Senior Executives, Information Security Managers, Business Managers
Level of difficulty: Low
Time to complete: Low
Opportunities for Improvement: The number of options should be increased
Lessons learned:
- Ask the Information Security Managers to explain the concept of the threat landscape to the audience
Design Factor 6
This Design Factor deals with the importance of compliance requirements for the organization. There are just a few options, but they allowed us to represent the importance of compliance requirements for the organization reasonably well. Figure 8 shows the weights for Compliance requirements.
Figure 9 shows the resulting Governance/Management Objectives importance for this Design Factor.
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.
Design Factor 6
Scope: Enterprise
Interviewees: Board Members, Senior Executives
Level of difficulty: Low
Time to complete: Low
Opportunities for Improvement: None
Lessons learned:
- Remind the audience that the scope involves internal and external compliance requirements
Design Factor 7
In this Design Factor, we had to consider four options for the role of IT: support, factory, turnaround, and strategic. After our experience with Design Factor 1, we started with a full explanation of each of these roles. This was very helpful, and the Design Factor was completed easily. Figure 10 shows the resulting Governance/Management Objectives importance for this Design Factor.
Design Factor 7
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned:
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts
Design Factor 8
In this Design Factor, we had to consider four options for the IT sourcing model: outsourcing, cloud, insourced, and hybrid (COBIT 2019 Design Guide – Designing an Information and Technology Governance Solution, page 39, figure 4.6). Nevertheless, the Hybrid option was not displayed in the spreadsheet. We also had some difficulties with the cloud option: large companies may insource with a private cloud, and a company may outsource with or without cloud. There was a lively discussion about that. Figure 11 shows the resulting Governance/Management Objectives importance for this Design Factor.
Design Factor 8
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Medium
Time to complete: Short
Opportunities for Improvement: ISACA should evaluate whether cloud can be considered a sourcing model
Lessons learned:
- Translate the text to your native language
- Prepare 4 or 5 PowerPoint slides to clarify the concepts
Design Factor 9
Design Factor 9 deals with IT implementation methods: Agile, DevOps, and Traditional. Figure 10 shows
the pie chart for the options. As the IT managers were quite acquainted with these concepts, the work was
done easily. Figure 12 shows the pie chart for IT implementation methods.
Figure 12 — Pie chart for IT Implementation Methods for the Organization under Design
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.
Design Factor 9
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned: None
Design Factor 10
The subject of this Design Factor is the Technology Adoption Strategy of the organization. The options are
First Mover, Follower, and Slow Adopter. The team was quite acquainted with these concepts, and the
work was done easily. Figure 13 shows the resulting Governance/Management Objectives importance for
this Design Factor.
Design Factor 10
Scope: IT
Interviewees: CIO, IT Managers
Level of difficulty: Low
Time to complete: Short
Opportunities for Improvement: None
Lessons learned: None
Resulting Governance/Management Objectives importance (data labels recovered from the chart):
EDM01 5, EDM02 20, EDM03 75, EDM04 -30, EDM05 20
APO01 15, APO02 -20, APO03 15, APO04 20, APO05 -35, APO06 -40, APO07 -25, APO08 45, APO09 5, APO10 -20, APO11 75, APO12 60, APO13 45, APO14 0
BAI01 60, BAI02 90, BAI03 100, BAI04 60, BAI05 60, BAI06 15, BAI07 20, BAI08 15, BAI09 -75, BAI10 -5, BAI11 35
DSS01 -35, DSS02 35, DSS03 60, DSS04 30, DSS05 65, DSS06 10
MEA01 -20, MEA02 -5, MEA03 75, MEA04 45
Source: Toolkit available at www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx.
The Objectives with the highest importance (above 75) were EDM03 – Ensured Risk Optimization, APO11
– Managed Quality, BAI02 – Managed Requirements Definition, BAI03 – Managed Solutions Identification
and Build, and MEA03 – Managed Compliance with External Requirements.
This list came as a surprise to the management team. Another set of objectives was expected.
Final Considerations
To simplify the design procedure, we did not resort to the Design Factor weight setting available in the
Canvas tab. We intend to do this in our next application of the method.
Also, the baseline values were not clear to us. How did ISACA set these baselines? Was a survey performed to support them? Besides, we did not know what to do with the information in the step 2 summary tab. What early conclusions can we draw from it?
As the last contribution, we would like to suggest the following grouping of stakeholders for analyzing the
different Design Factors:
Conclusion
This paper aims to contribute to the continuous improvement of COBIT 2019. The design method proposed by ISACA is very useful for organizations that need guidance in selecting the most important objectives to fulfill their strategy. Naturally, there is some room for improvement in the design method, particularly in the spreadsheet provided by ISACA. Nevertheless, this is to be expected when complex tools like this one are released to the market.
Rafael Almeida
IT governance researcher at INOV—Inesc Inovação. He is also a Ph.D. student at Instituto Superior
Técnico, University (Lisbon, Portugal).