COBIT is described by its creators, ISACA, as a “Framework for IT Governance and Control.” Celebrating it’s 15-year anniversary, COBIT provides an excellent framework for helping bring IT under control. In ISACA’s own words:
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”
With Version 5 being released this year, COBIT 5 will consolidate and integrate IT value delivery and IT risk management into the COBIT 4.1 framework.
So, You Want to Increase IT Maturity?
For IT shops of relatively low maturity, COBIT provides an effective framework and body of intellectual capital for implementing or improving IT processes and controls. It can help avoid a great deal of ‘reinventing the wheel’ that so many IT shops get into, developing IT processes from scratch, or living with processes that do not integrate properly and propagate IT organizational silos. The danger here, though, is that simply licensing a set of process descriptions is by no means equivalent to adopting them. If people don’t really understand the processes they are supposed to be following, or if they aren’t completely bought into the need for and value of those processes, then having scads of process descriptions and related documents is not going to ensure a controlled IT environment.
Oh, You Want to Reach High IT Maturity?
I have blogged at length about Business-IT Maturity and have described a simple 3-stage model of both Business Demand Maturity – the business ‘appetite’ for IT, if you will, and IT Supply Maturity – the necessary IT capabilities to satisfy business demand (at lower maturity) and to shape and stimulate business demand (to reach higher maturity). I’ve also written several posts on what I refer to as ‘sticking points‘ or traps that IT organizations fall into when they are in the middle levels of business-IT maturity. (I’m reminded of the proverbial ‘gumption traps‘ that Robert Pirsig so eloquently describes in his exploration of the metaphysics of quality, Zen and the Art of Motorcycle Maintenance.)
Unfortunately, I’ve found that COBIT can easily create one such trap. While it can be an effective way to get from Level 1 to Level 2 maturity (on the 3-stage model), it will not take you from Level 2 to Level 3, and can, in fact, inhibit movement towards high business-IT maturity.
Let me try an analogy. Imagine a car driver who is taught how to drive around a city and diligently follow all the rules and regulations of the road, including speed limits. Then put that driver into a racing car and expect them to keep up with other racing car drivers on a race track. Not only will they be unable to keep up, they will likely wreck the car and hurt themselves, unaccustomed as they are to the finer points of fast driving, and unskilled in high speed steering techniques. Note, the racing car driver is still perfectly able to drive in the city and be compliant with the rules of the road, she has learned additional skills to win races and avoid high speed crashes. Our novice, city-trained driver has not learned these skills.
This is the COBIT trap – it will take you so far, but, absent further skills and enhanced processes, will not take you further.
I’m expecting this post to be controversial, and the COBIT bigots to attack my heresy, so please, bring it on!