COBIT 5: muddying governance and management

Execution always falls short of expectation. I'm still pondering my impressions of COBIT5 - more on that later - but one thing is clear: they haven't fully fixed the governance/management thing. [Update: I didn't get this right, see comments below]

When reviewing the COBIT 5 draft, I was delighted to see the adoption of the ISO 38500 evaluate/direct/monitor model. COBIT has gone some way to meet the design paper's commitment to correct the usage of the word "governance":

COBIT 5 will clarify the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other

But not all the way. I was building a picture of what made me uncomfortable, when "The Infonomics Letter on Leadership and Governance of IT for July 2011" arrived. Everyone in IT management should read the Infonomics newsletter. Mark Toomey is THE MAN on IT governance. And Mark has laid out the case so much better than I could for why COBIT5 fails the governance test.

The governance tasks are used to frame the next level of detail in the five governance processes, while the management tasks are used to divide the overall set of management processes into four management domains, each of which contains a number of processes. This is quite confusing, and limits the concept of “evaluate, direct and monitor” to the internal structure of some high level processes, which is not what is intended by ISO 38500 at all... the Framework's earlier explanation of governance is very clear that governance involves setting direction, yet the process reference model contains no process in the governance space for setting direction, and in fact places the task of defining strategy (APO2) clearly and firmly in the space of management... it would seem that a great deal more work is required before COBIT 5 can articulate the distinction between governance and management in a way that is clear, unambiguous, and applicable in all jurisdictions, around the world... the words of Robert Tricker could be used to explain the situation: “Management runs the business; the board ensures that it is being run well and run in the right direction”.

The newsletter crystalised something else for me: the USA doesn't get governance because they don't do it (my words not Mark's).

In many parts of Europe... there are often two-tiered board structures, where there is a higher level supervisory board that is composed of entirely non-executive directors, and a management board composed entirely of executives who have day by day responsibility for the organisation... in Britain and Australia, governance is usually the task of a board comprising several non-executive directors and one (or perhaps more) executive directors who are also part of the management structure of the organisation, with one of the non-executive directors also taking the role of chair. In the United States, the prevailing model seems to be one in which the board has a substantial proportion of executive directors, with the CEO often also taking the role of chair.

The spectacular failures of governance in the USA are legend, including my previous employer where the chairman-and-CEO ended up in jail. No wonder ISACA muddy governance and management when the whole ethos of corporate America is to muddy it.

My impression is that one faction within the COBIT 5 initiative tried to drive ISO38500 principles into COBIT and met with resistance from a conservative faction retaining the muddled US-centric view of governors managing the organisation. The fine words went at the front and the process model went on as before.

Comments

Reply to Thread on Governance

Hi Rob,

In your post, you wrote and quoted:

START[The newsletter crystalised something else for me: the USA doesn't get governance because they don't do it (my words not Mark's).

In many parts of Europe... there are often two-tiered board structures, where there is a higher level supervisory board that is composed of entirely non-executive directors, and a management board composed entirely of executives who have day by day responsibility for the organisation... in Britain and Australia, governance is usually the task of a board comprising several non-executive directors and one (or perhaps more) executive directors who are also part of the management structure of the organisation, with one of the non-executive directors also taking the role of chair. In the United States, the prevailing model seems to be one in which the board has a substantial proportion of executive directors, with the CEO often also taking the role of chair.

The spectacular failures of governance in the USA are legend, including my previous employer where the chairman-and-CEO ended up in jail. No wonder ISACA muddy governance and management when the whole ethos of corporate America is to muddy it.]END

I usually agree with many of your perspectives but I have to say that I believe, in this case, your statement (and Mark Toomey's) is a bit inaccurate. The US is loaded with many companies, which results in the largest density of companies, per country, in the world. To make a blanket statement that because of your experience with one company all companies follow the same pattern is, in my own opinion and from my own many experiences, an inaccurate representation. There are many companies in the US that govern themselves extremely well and better than many other companies in many other countries. We all hear about those that don't govern themselves well because they often make the press in dramatic fashion. But, for every one that makes the press for poor governance, there are many that don't make the press because they quietly go about their business, without drawing attention to themselves. Not only have I personally dealt with companies that govern well, I also have experience with many companies that "over govern" and have the interesting problem of trying to release themselves from their own strangle-holds.

Also, to assume that non-US companies perform governance better is also inaccurate. Like in the US, there are non-US companies that do it well, those that don't do it well, and those that do their best, in the middle.

In short, Management is about the responsibilities and actions associated with making things happen (i.e. delivery of Services and/or Products). Governance is about the responsibilities and actions associated with ensuring that the things that happen (i.e. the delivery of Services and/or Products) do so under the appropriate constraints (policies, procedures, guidelines, etc.) To say that Governance should always be decoupled from Management is a blanket statement that does not always hold true. All Managers govern (at least to some extent). Not all Governors manage (they may or may not, depending on their responsibilities). Also, how governance is implemented, for example centralized vs. federated vs. a hybrid of the two, and what levels of governance are put in place vary greatly, from enterprise to enterprise.

Again, governance comes in many ways, shapes and forms. Making a blanket statement that all US enterprises govern poorly is, again and in my opinion, inaccurate. I would imagine this holds true, globally. Everywhere we go, there are many companies that govern themselves well, many that don't, and a wide range of those that operate between the two extremes of the spectrum.

I hope this adds value to the discussion.

My Best,

Frank

The International Foundation for Information Technology (IF4IT)
Open IT Best Practices

Governance and Management are very different

Not so quick, Frank. Your statement "Governance is about the responsibilities and actions associated with ensuring that the things that happen (i.e. the delivery of Services and/or Products) do so under the appropriate constraints (policies, procedures, guidelines, etc.) To say that Governance should always be decoupled from Management is a blanket statement that does not always hold true. All Managers govern (at least to some extent). Not all Governors manage (they may or may not, depending on their responsibilities)." is incorrect.

Governance is not about responsibilities and actions, and ensuring things happen. This is management. Nor is governance about applying constraints like policies, procedures and guidelines. This is also management.

While Rob may have over generalised about governance in the US (and did not realise CobiT is driven by Europeans), he is not entirely wrong. I have seen many definitions of governance by organisations that show they think governance is only about the allocation of "roles and responsibilities" and therefore they publish an organogram. For example this mistake has been made by MIT, Accenture, numerous universities, etc.

It is very important that those who govern only focus on WHAT is to be achieved whilst those who manage focus on HOW to deliver WHAT is required. Those who govern hold those who manage accountable for the HOW succeeding in delivering WHAT is required.

When those who Govern get involved in the How, they lose their independence and this compromises their position in the organisation as they are supposed to be independent of management at all times. The problem often is that the board (i.e. the non-executives) are not independent: they are shareholders, past managers, friends of the managers, past audit partners, etc.

Governance fails because the board doesn't hold management accountable. Just look at the past and recurrent global financial crisis. A failure of governance by the boards of the respective companies is the reason. When the board is not made up of independent non-executives working to ensure all stakeholders benefit from the use of companies' resources, only certain groups benefit at the expense of others. In many organisations those who govern (i.e. the shareholders) expect to benefit more so than any other group (e.g. customers and staff).

Poor governance structures enable senior managers and executives to appropriate more of the benefits for themselves. The global financial crisis came about because managers were left to govern themselves. It couldn't be wrong if what was done made money (and rewarded a handful of executives and specialist managers), regardless of who would lose value in the process (e.g. retrenched staff, communities, customers, etc.).

The problem is VERY FEW COMPANIES GOVERN THEMSELVES WELL; they are managed for the interests of just a small group of stakeholders who take all the benefits. Just look at the "hire and fire" mentality within many companies, and how often staff work overtime without additional pay.

Sarbanes-Oxley was supposed to address poor corporate governance, and failed dismally. In short, Governance is about ensuring all stakeholders share fairly in the rewards; when this doesn't happen it is because management is not being governed, all too often the norm for most companies today, including in the US.

I like the phrase

I like the phrase "governance enablement" to refer to the management activity that Frank and so many others (including COBIT 4.1) call governance. Actually I don't like the phrase but I don't know a better one: "enforcing" comes close. I think COBIT 5 uses "steering".

The breakdown in the separation of duties is most obvious in owner-operated businesses, and some companies that have grown rapidly still behave as if they are one (e.g. Charles Wang at CA).

The only bit where I don't quite agree Peter is with "Governance fails because the board doesn't hold management accountable." Sometimes. At least as often governance fails because the board still don't realise or acknowledge that they are the ones ultimately accountable, and that therefore separation does not mean neglect.

You are however quite right and I suspect I'm going to have to retract this post as incorrect. I think my discomfort with COBIT 5's approach to the separation came from not understanding it properly. I wish I had the time to give it a proper read but Mammon calls.

CobiT 5 a disappointment.

I agree with Mark Toomey that CobiT 5 is a disappointment. It is overly complex, too theoretical and is moving out of the IT domain by introducing a process such as business continuity instead of IT continuity. As for myself, I will stick to CobiT 4.1 and use what I need out of CobiT 5.

I also think CobiT 5 tries to push ISO38500 as a tick box as opposed to putting in something that really has value. I also think there is huge confusion over IT Governance, Corporate Governance of IT, Enterprise IT and IT management, and CobiT 5 makes it worse!

As for myself, I will be using CobiT 4.1 for IT Governance/IT management and use ISO38500 at Corporate Governance level.

Don't delay your move to CobiT 5

I have just completed a three day CobiT 5 workshop with a number of IT governance leaders and CIOs. The resounding conclusion was that CobiT 5 was a great step forward and everyone at the workshop would be adopting CobiT 5 with immediate effect (even if the current documentation is in draft).

Numerous improvements are contained in CobiT 5. Most significant is the governance framework and management system. For the first time CobiT can be described as an IT Governance framework.

leap forward

I agree. I don't doubt there are things wrong with COBIT 5 - and you can count on hearing about them here - but I also don't doubt it is a leap forward. It is better. There is no reason not to move up.

I feel the same way about ITIL 3.1

Is it realistic to have governance processes in CobiT 5?

Looking through the detail of CobiT 5 a question must be raised as to whether there should be governance processes. It is unusual for directors to follow processes. They meet four or five times a year, are expected to be independent of each other, and have very little time to spend on IT.

The CIOs at our recent CobiT 5 workshop pointed out that in their organisations their directors are involved in the governance of IT, but do not follow any predefined process.

Possibly CobiT 5 should describe the work of the directors as best following good practices. Much of the process related work to govern and collect information happens below the CIO - at least for these CIOs.

There was no dispute regarding the three tiered IT governance framework; it was just a question as to whether it was realistic to try to define what directors do in predefined processes!

useful

It seems to me that directors could use some guidance. It will also come in useful when prosecuting directors for failing to perform their duties.

CobiT 5

While I agree CobiT 5 is a step forward, I have some serious concerns about using it with my clients. My clients are usually IT directors or Heads Of IT. While in theory IT Governance should be driven from the top, and I agree that it should be, in reality it is usually a process improvement initiative dealing with IT processes. In most cases, IT has no mandate over a business process such as business continuity or information security. They do have control over the IT process though, e.g. IT Continuity or IT Security. Sure, in an ideal world it has more value to implement the business process, e.g. business continuity, than IT continuity, but I find that in practice it is simpler to focus on the IT processes and align these to, or recommend that, the business process is implemented. CobiT stands for Control Objectives for Information and related Technologies, thus it is focused on IT processes, not business processes. I think CobiT 5 has lost that and it is more in the domain of Six Sigma or CMMI with an IT slant.

Also there is the issue of migration from CobiT 4.1 to CobiT 5. I don't believe this is a simple migration as the entire scope of the process framework has now changed.

Maybe I'm living in a paradigm and hopefully the penny will drop with CobiT 5, but I find it simpler to use CobiT 4.1 for my IT process improvement and find that ISO38500 assists at board or director level.

a good thing

I'd have thought that if you are having 38500 conversations at Board level, then its incorporation into COBIT would be useful.

When speaking with IT directors it is as important that they manage up as much as down. They need to be educating and influencing their bosses (and peers) to understand that (a) IT governance happens outside of IT and is their responsibility and (b) continuity, security, change etc are only partially IT's responsibility.

So yes COBIT 5 is no longer solely for IT to use. COBIT 5 is about IT but intended for a wider audience. This is a good thing. (ITIL tried this with Service Strategy.)

I'm not sure why you are resisting this move. ISACA/ITGI have long tried to influence at Board level to get them to understand this. Having it integrated into a single framework can only help to join the dots. We can no longer continue to operate IT in isolation. "Alignment" and "integration" and "transparency" are hot buzzwords for a reason. The walls are coming down.

CobiT is first and foremost about Information

A fundamental principle of CobiT has always been that IT processes and resources provide business with information. CobiT has never been only about technology. The "iT" in the name CobiT stands for "information" and "related technology". The strength of CobiT is that it uses "information" as the link between an IT function's responsibilities and the "needs" of business to achieve strategic objectives.

All information assets, including business processes are very much part of the CobiT model.

IT Processes

Ok, so why does CobiT 5 specifically mention "IT Processes" and not Information processes? For me, maybe because I am in IT and dealing with IT departments, it is still about IT processes, and I agree these do support business processes, but business processes were not the scope of CobiT 4 as each process says "Control over the IT process of...." I don't believe CobiT should try to be all things and I believe it should still focus on IT processes like CobiT 4, but like I said earlier, maybe I'm stuck in a paradigm and the penny will drop one of these days!!

Cobit 5

I'm going to keep this short. Although Cobit 4 had its shortcomings, Cobit 5 doesn't help. I agree with the responder who thinks it has lost focus with the key premise of Cobit which is Control Objectives. This is the area where IT management needs the most help.

bemused

I'm bemused that you can say COBIT5 has lost focus on control objectives. You must be an auditor. COBIT now serves a wider constituency where auditors are now in a minority. Control objectives need to be put into a context of business value and risk, driven by governance, and linked to the operational activities they control. I don't see that COBIT5 is much wider than COBIT4 - in fact I'd have liked to see more on the non-control aspects of implementing and executing.

Draft

To be fair though CobiT 5 is still in draft so hopefully there will be improvements in the actual version based on the reviews

Mark used the phrase

Mark used the phrase "prevailing model". I quoted my own experience only as an example. Neither of us said "all US companies". I stand by the assertion that in general the USA doesn't get the concept of separation of governance duties. Your comment only reinforces that. Having an executive chair the Board is bad practice. My understanding is that it is common in the USA and less so elsewhere.

The difference between governance and management

CobiT 5 has successfully identified what is missing in most frameworks, the need for a management layer, and it correctly implements IT governance (in accordance with ISO 38500) across three levels:
- governance (evaluate, direct, monitor)
- management (plan, build, run, monitor)
- operational (plan, do, check, act).

Very few organisations anywhere in the world have properly established management systems for IT (or Finance, HR, Engineering). More common is simply relying on people (with "power") to manage tasks that need to be done.

CobiT 5 also emphasises that the management of IT is to be driven by stakeholder expectations and not "best practice". It is more important to understand the strategic objectives and business goals of an organisation before knowing anything about reference sources on "best practices" regarding HOW work should be done in the organisation.

The changes to the operational processes in CobiT 5 make for a more rigorous understanding of what is required to get work done. The previous narrative descriptions constrained thinking. Now there is a focus on base practices and related tasks. CobiT 5 has re-introduced attention to information management and corrected some failings introduced when CobiT evolved from 3 to 4.0 and 4.1.

Governance is performed by people who direct using a range of governance mechanisms. Typically people who govern (i.e. directors) don't follow processes. They are senior, independent and preferably non-executives. Their focus is on WHAT needs to be achieved, not HOW. They meet infrequently to check on progress towards WHAT was agreed.

Management on the other hand do focus on the HOW and do need to ensure continuous improvement in the HOW, hence the need for a management system. Because most organisations lack management skills and lack organisational maturity, they rely on projects to bring about change rather than regular improvements through management interventions.

CobiT 5 is a significant step forward in recognising the three levels of practices and for the first time can be described as a governance framework for IT. It is a powerful tool to assist with the implementation of ISO 38500.

However CobiT 5 will be a challenge for most organisations as few have actually implemented CobiT 4.1. Most organisations use CobiT to implement and test controls to manage risk, rather than govern the delivery of value from IT.

At last we have an IT management framework that looks like a set of integrated processes and practices, and which is aimed at delivering value to the business rather than simply designed for auditing controls or being a book about "best practices" for IT (because we don't know what the stakeholders actually need)!

CobiT 5 is firmly designed for GVP rather than just GRC! (Governance of Value delivery through Performance management rather than Governance, Risk and Compliance).

Have I been hasty in my assessment?

I agree that COBIT 5 is a magnificent work. It will be my foundational reference for IT governance and management going forward (heck it already was with 4.1).

On reflection I don't agree with Mark Toomey that APO02 is governance: setting strategy is a management role, or at the very least it is on the overlap between governance and management. Toomey's own book, Waltzing with the Elephant, says "the essential elements of the governing body's role [in setting strategy] are in defining the overall goals and posture of the organisation" with the inference from the rest of the paragraph that most or all of the remainder of the strategy setting activity falls to management.

And I can see that EDM1-5 can be each understood in terms of the E-D-M cycle. I'm hoping that within it with further reading I will find the holy grail of a crisp definition of the governance-management interface within IT, the Plug-and-Socket as I call it.

Perhaps Mark and I have both been hasty in our assessment.