COBIT5 is a very very important development for the IT industry. It deserves more attention. It may even be The Next Big Thing.

I went off half-cocked over COBIT5, so I've been reluctant to try again, but it is high time we talked about COBIT5 on this blog.

Getting attention

I'm always puzzled by the lack of attention given to COBIT. I guess that reflects badly on ISACA. ISACA try hard to promote COBIT, but they (we, I'm a member) don't seem able to shake the image of being an audit and security thing. Despite the fact that the majority of ISACA members are now more general IT practitioners, and ISACA has expressed a desire to re-brand as a more general organisation, ISACA talk and thinking is still heavy on audit and security. Take the fact that the first add-on book to COBIT5 is the security one, not the service manager's. In fact there are not even plans for a service manager's guide for COBIT5 as far as I can determine.

One Ring To Rule Them All

Back when COBIT5 was still gestating, Jan van Bon suggested

the fact that COBIT will be mixed with Val-IT, Risk-IT, ITAF and BMIS wil most likely make COBIT much more complex than it already is - which is exactly what we do NOT need....

I'm not at all concerned by the "complexity" of COBIT. We philosophers of process may understand all the nuances of all the different frameworks - maybe none better than Jan - but the market doesn't. Process is but one aspect of dozens that the people doing the real work have to juggle to get the job done: process, organisation, HR, money, growth, technology...

[I'm going to stop right here and substitute the word "practice" for "process" here on in. I hate "process".]

They want one IT framework: One Ring To Rule Them All. They want someone else to hang it all together for them. And as much as possible they want The Answer: templates, formulas, checklists, rules, guidance.

Of course no one framework will be one total Body Of Knowledge (BOK). We will always use a framework to hang other guidance off. But IT managers and governors want a framework that covers all of IT; and they want as much guidance as possible from that primary framework, a single source. I'm sure there is a demand, even amongst those who don't realise it yet.

COBIT5 will bring us far closer to that one framework than we are today. Compared to having to concoct something myself out of COBIT4+ISO38500+RiskIT+ValIT+..+..+.., to me COBIT5 doesn't look complex, it looks simpler.

General purpose

Jan also said

COBIT is not an implementation method but an assessment framework. Many people make the mistake of mixing up synthesis elements with analysis elements.

I strongly disagree that COBIT is purely analytical, solely for assessment and audit. It includes practices, activities, roles, RACI, inputs and outputs, goals and metrics... To me it is a very effective blueprint against which to plan what should be. It is as much a planning and design tool as a measurement one. Then all the other BOKs come in as elaboration (ITIL, ISO2700x, ASL, BiSL, OBASHI, USMBOK ...), fleshing out the skeleton, creating that total BOK.

Next Big Thing

Not only do I think there is latent demand for COBIT5, it has the potential to be The Next Big Thing, IT's next silver bullet as disillusionment with ITIL sets in, which it most certainly has. If COBIT does get over-hyped into another fad/cult, the IT Skeptic will be here with the fire hose as I was for ITIL.

Not perfect

Of course COBIT5 isn't perfect. There will be plenty of material for reality checks, and plenty of scope for debate. I am looking forward to it.

One concern I have already is that the maturity model in COBIT4 was an execution maturity model, whereas in COBIT5 they've adopted the CMM approach of assessing the maturity of managing the practices not executing them. This to me is a backward step. The solution is to release a Process Assessment Model (PAM) which plugs into ISO15504 to asses execution not just management. ISACA recently released a PAM for COBIT4 and there are rumours of a PAM for COBIT5. We need it badly.


But overall I'm excited about COBIT5. I see it as the clear choice for primary framework in most organisations, certainly if the alternative is ITIL. I hope it lives up to its potential. The fact that COBIT comes from a credible and fairly non-commercial organisation with a clear commitment to open content and community involvement means I'm optimistic. Oh sure the money engine may seize on COBIT and hype it like ITIL, but the foundations will be stronger to keep it sounder than ITIL has become. The COBIT movement/industry has good governance, ITIL doesn't.

Syndicate content