
Enhancing Governance with COBIT 5

Achieving Effective IT Governance and Security with COBIT 5

The Importance of Getting Security Right

Ensuring robust security is crucial, but identifying where to invest requires more than just security expertise – it demands strong IT governance to “improve performance with a stable framework for creating value and reducing risk”.

This is a common goal for all organisations, yet many struggle to secure or minimise adverse impacts. Why do these failures occur? Often, it’s because the impact of risk crystallisation is underestimated, while investment in security and controls is perceived as too costly. This is particularly true in organisations missing three critical elements from their assurance framework:

  1. Integrated IT governance within corporate governance.
  2. An appropriate enterprise assurance tool.
  3. Proper execution of risk assessment and assurance.

The Role of Corporate Governance

Corporate governance is fundamental. While official definitions can be lengthy (for a comprehensive explanation, see the Applied Corporate Governance website), I define it as “doing the right thing in the right way with equitable treatment of all stakeholders.” This encompasses strategic and risk management – “identifying intended outputs and outcomes, and how to achieve them” – and the assurance component – “ensuring these goals are met without harmful impacts.”

Good governance is a strategic priority, requiring a combination of technical excellence—skills and experience necessary to achieve the right outputs and outcomes—and institutional excellence—aligning individual behaviours so that everyone, from chairman to doorman, acts cohesively as one entity. COBIT 5 is the framework that addresses all these aspects.

Dispelling Common Myths

  • COBIT 5 is not just for IT or auditors. It’s a comprehensive framework for assessing governance and identifying enhancements.
  • COBIT 5 is not a prescriptive tool to be implemented. It guides business leaders through the governance process.
  • Good governance is not a one-time fix. It’s an ongoing process that must evolve with the business and its environment.
  • Achieving good governance requires time and effort. It’s the ultimate business control and should not be underestimated. Just consider the cases of Volkswagen, BP, Enron, and Arthur Andersen.

Understanding the Reality

  • Every organisation is now an IT firm, in addition to producing goods and services.
  • Each organisation needs two interdependent strategies: one for business and one for IT.
  • COBIT 5 provides a robust framework, primarily focusing on IT elements but also addressing broader corporate governance issues by default, as IT underpins everything we do.
  • Don’t be discouraged by terminology that seems to exclude business concerns—the connections to a broader business approach are clear because IT is a key tool for every aspect of business.

COBIT 5’s Five Key Principles

COBIT 5 covers institutional aspects through five key principles:

  1. Meeting stakeholder needs.
  2. Covering the enterprise end-to-end.
  3. Applying a single, integrated framework.
  4. Enabling a holistic approach.
  5. Separating governance from management.

Attaining Technical and Institutional Excellence

Technical excellence is achieved by understanding stakeholder needs (Principle 1), including customers, clients, staff, management, the board, the supply chain, regulators, and legislators. Obligatory requirements can be seamlessly integrated into business needs, such as collecting management information useful both to the board for assessing progress, profit, risk, and strategy, and to regulators as evidence of compliance.

The likelihood of achieving the right outputs and outcomes increases with a clear separation between governance and management (Principle 5) and consistent application across the organisation (Principle 3).

There is no strict dividing line between governance and management—they are two sides of the same coin. Governance sets the firm’s strategic priorities and risk appetite, allowing the board to direct managers in achieving strategic and business objectives. Management implements the strategy through planning and operations, and by monitoring performance and results. Management is accountable to the board, and the board to all stakeholders. The same individuals can perform both roles as long as both are effectively executed. If governance is viewed as an opportunity cost—too much ‘thinking,’ not enough ‘doing’—key steps to success may be missed, such as clearly communicated business priorities, the acceptable level of risk, and necessary contingencies to minimise risk impacts.

The COBIT 5 framework helps organisations achieve institutional excellence by providing a comprehensive approach to good governance (Principle 4). Unlike technical excellence, institutional excellence relies on the firm’s moral tone—its commitment to adding value to society by delivering promised goods and services. This ensures, for instance, no deception of customers or regulators, as seen in Volkswagen’s case, and no unfair treatment of stakeholders, as exemplified by FIFA. The holistic approach in COBIT 5 ensures these extremes are avoided by scrutinising the organisation’s principles and practices.

Avoiding Fragmentation in Governance

As all organisations are also ‘IT shops’, it is crucial to prevent fragmentation between IT and corporate governance. This must be driven from the top; otherwise, governance and management across the business and IT will only be as strong as the most senior person invested in both. The lower down the hierarchy this focus occurs, the greater the fragmentation. COBIT 5’s guidance on end-to-end governance covering both IT and the organisation (Principle 2) addresses these issues by promoting organisation-wide involvement in the governance process.

An objective assessment using COBIT 5 can significantly enhance governance across the entire enterprise, encompassing both IT and non-IT areas. The framework’s five principles enable organisations to optimise individual strengths and minimise weaknesses, ensuring that all members can act as a cohesive unit.
