“COBIT® 5 Only As Good As the

People Who Use It.”

Date: March 2014
Prepared by: Gary Hardy, COBIT Lead Author and Owner
of IT Winners
Content
Seven TIPS for COBIT 5 Implementation:

Tip #1 – Get Business Buy-In

Tip #2 – Change Mindsets and Attitudes
Tip #3 – Initiate a Transformation Program
Tip #4 – No Big Bang — Continual Improvement in Steps
Tip #5 – Focus on Business Benefits
Tip #6 – Deliver Outcomes Instead of Outputs
Tip #7 – Learn from Best Practices

1
Learn from the Expert

Gary Hardy is the architect of the ITpreneurs IT governance training portfolio and
one of the originators of the COBIT framework. He’s been a lead developer of all
the COBIT versions, including COBIT 5. He also has the distinction of being the
lead author of all the versions of the COBIT Implementation Guide. His core
business activities include consulting, training, and running his own bureau,
IT Winners in South Africa.

Recognized globally as a thought leader and implementation expert with over 30

years’ experience, Gary has guided numerous public and private enterprises in
implementing IT performance improvements and governance and management
practices. He’s also an expert advisor to one of the world’s largest and most
significant COBIT-based IT governance improvement programs.

2
 Seven TIPS for COBIT 5
Implementation
Over the past decade, the term “governance” has moved to the forefront of business
thinking. The pressing need to deliver more value from IT, and a growing number of risk
and compliance challenges, are the primary factors for this evolution. COBIT 5 is a
business-driven framework, which guides good IT-related practices for all stakeholders
of an enterprise, with a focus on delivering value from IT. The COBIT 5 Implementation
guide provides the latest thinking and best practices for improving IT governance.

Building on the principles and concepts learned in the COBIT 5 Foundation Course, the
COBIT 5 Implementation Course uses a combination of practical, hands-on exercises
and presentations to enable participants to apply these methods in practice.

IT governance and COBIT expert, Gary Hardy, shares his implementation tips below.
These are based on his many years of real world experiences and those of others in his
network around the world. Learn how do apply these tips by attending the COBIT 5
Implementation Course.

Tip #1 Get Business Buy-In

The increased focus on IT by executive management has highlighted the need for better governance and
management of IT. The concept—and actual practice of IT governance—have gained significant momentum
and acceptance in recent years. This is driving the need for IT best practices to be aligned to business and
governance requirements. It has shifted management’s attention away from just technology solutions
towards defining the beneficial outcomes desired from the use of IT.

Executive management is increasingly paying special attention to the use of IT, given that IT is now so
intrinsic to the execution of business strategy and operations. IT accounts for a very significant proportion of
an enterprise's costs, yet many fail to optimize these costs and obtain a good return from their IT-related
investments. Enterprises are also dealing with an increasing amount of regulation, especially those operating
globally. Getting executive management involved and buying in to IT governance implementation is critical.

Analysts have often reported that as many as three out of four IT projects fail. This is usually because they
are not initiated with a sound business case, sponsored by senior management, and then managed properly
as programs, to ensure that benefits are realized. Implementing IT governance is no different and, in fact,
even more important to drive properly from a business-benefit perspective as they are not typical “IT
projects”.

COBIT-based implementation and improvement initiatives, therefore, need to be sponsored by executive

management and be based on agreed business benefits. The practice of using a business case, defining
measurable business outcomes and benefits, makes sure that the improvements are based on real business
needs and that good governance disciplines are followed to monitor the return on investment to ensure
successful delivery of the improvement objectives. This is one of the most significant areas where the use of
COBIT will add value. Why? Because COBIT tends to involve business and senior management and
encourages adoption of good governance practices, structures and activities that drive benefits from IT-
related activities.

3
The objective is to provide sufficient commitment, direction and control of activities so that there is alignment
with enterprise objectives and appropriate implementation support from the board, executive management
and key management committees.

COBIT 5 Implementation training will help you learn how to connect with executives
and develop business cases.

Tip #2 Change Mindsets and Attitudes

Many executives and business users regard anything related to IT as mysterious, technical and risky. As a
result, they have not been sufficiently involved in the application of proven techniques to ensure that the use
of IT is governed and managed effectively as an integral part of doing business and governing the
enterprise.

IT is a topic that can no longer be avoided, as using IT has become a part of everyone’s working
environment.

From a business perspective, the financial consequences of poorly managed IT services can be very
significant, either failing to enable real business benefits, or because of costly losses due to failed projects or
unreliable service delivery. IT is often the largest category of expenditure after staffing costs; and it can be a
difficult task to acquire a clear and complete picture of exactly how much is being spent, on what types of
technology assets and processes, and where in the enterprise. In far too many cases, IT costs are not
understood and budgets are spread across business units and functions with no overall oversight resulting in
unnecessarily high IT costs.

The most common indicators of poor oversight of IT are:

• Board members or senior managers reluctant to engage with IT.
• Potential senior-level sponsors failing to take ownership for the IT aspects of business initiatives.
• Business executives and IT executives not communicating amongst themselves, nor trusting
one another.
• IT leaders and experts not understanding the business requirements.
• Business leaders not understanding the potential for IT-enabled innovation.
• IT service providers slow to respond to add value.
• IT services not aligned or prioritized based on business needs.
• IT risks are not understood or managed effectively in conjunction with business risks.
• Metrics to measure IT service performance not relevant to the business users.

Experience has shown that changing mindsets is probably the biggest challenge when implementing IT
Governance using COBIT. The Implementation approach focuses on the needs of stakeholders and the
enablement of change.

Implementing change works best when the affected role-players are empowered to drive and develop the
improved practices themselves. Use of consultants and advisors is most effective when they act as enabling
facilitators transferring skills, experiences and proven approaches to the affected role-players and
stakeholders, rather than taking over the task.

COBIT 5 Implementation training will help you learn how to deal with stakeholders,
role-players, and enable change with COBIT 5.

4
Tip #3 Initiate a Transformation
Program
While the goal is to make continual improvement an on-going natural “business as usual” way of working, it
will require a change of attitude and mindset and become a transformation program. Improvement initiatives
will generate improvement actions that should then be managed as a program based on a business case
with defined business objectives. For these reasons, the implementation approach is based on empowering
business and IT stakeholders and role-players, to take ownership of IT governance-related initiatives. The
implementation program will be closed when the initiative is generating a measurable benefit and the new
way of working has become embedded in on-going business activity.

The COBIT 5 implementation approach emphasizes the importance of program management when driving
value from continual improvement. Executive management should allocate clear roles and responsibilities for
directing the improvement program. One of the best ways to formalize oversight and direction of the IT
governance program and all IT-related activities is to establish an IT executive committee. This committee
acts on behalf of the board (to which it is accountable) and is responsible for how IT is used within the
enterprise and for making key IT-related decisions affecting the enterprise. It should have a clearly defined
mandate, and is best chaired by a business executive (ideally a board member) and staffed by senior
business executives representing the major business units, as well as the chief information officer (CIO),
and, if required, other senior IT managers. Internal audit and risk functions should provide an advisory role.

Information systems have now become pervasive in the sense that they are built into the strategy of the
business. IT is strategic because:
• Success with IT demands a change in culture and mindset.
• IT is enterprise-wide. Not just for the “IT function”.
• Information is a strategic asset.
• No such thing as an “IT project”. Let’s consider these “IT-enabled business initiatives”.

Delivering IT solutions and services and IT governance is not just about technology; it’s about
business processes and organizational changes enabled by IT.

COBIT 5 Implementation training will help you learn how to apply program
management.

Tip #4 No Big Bang — Continual

Improvements in Steps
Optimal value can be realized from leveraging COBIT, only, if it is effectively adopted and adapted to suit the
unique environment of an enterprise. Each implementation approach will need to address specific
challenges, including managing changes to culture and behaviour.

COBIT 5 Implementation is based on a continual improvement lifecycle similar to the ITIL approach, but with
a much greater emphasis on business drivers. The COBIT approach is not intended to be a prescriptive
approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage best
practices; and assist in the creation of successful business outcomes and deliver business benefits to
enterprises.

Improvement happens progressively, a step at a time, to avoid approaches that are complex. The big bang
approach definitely will not work. COBIT 5 Implementation helps leverage the COBIT components and other
best practices and standards, when analyzing gaps and designing solutions and prioritizing improvements to
deliver quick wins and benefits progressively. COBIT 5 Implementation also guides change enablement so
that there is a clear vision of the improvement target, supported by stakeholders with the willingness and

5
involvement of the affected role players. The vision usually has to be implemented progressively in
manageable steps. An Improvement Register is a good vehicle for recording and maintaining the status of
improvements.

Improvement will only occur if there is a management commitment to invest in continual improvement.
Management should also encourage and reward process owners to make improvements, and then provide
the necessary resources to sustain the new way of working.

COBIT 5 Implementation training will help you learn how to apply the COBIT 5
Continual Improvement Lifecycle.

Tip #5 Focus on Business Benefits

Proven practices in realizing value from IT, reducing risk and delivering reliable and secure IT services are
embodied in COBIT 5—and adopting them does not have to be complex or expensive. Opportunity, cost and
risk make IT operationally critical and strategic to enterprise success, so implementing good professional
management practices should be an enterprise initiative driven by business need and by executive
management, rather than a lower level activity that can easily suffer from lack of commitment or
misalignment with strategic objectives.

IT governance-related activities across the enterprise should be managed just like the rest of the business.

The best way to achieve this is to focus on:

• Executive and business engagement.
• Clear vision, policies and objectives.
• The basics—applying good management practices.
• Transparency—plain language communications and metrics.
• Collaborative positive team work—“all on the same page”.

Every enterprise needs to tailor the use of COBIT to suit its individual requirements, and experience has
shown that adoption of these potentially helpful best practices can be costly and unfocused, if they are not
driven by business priorities and requirements. Applying the COBIT 5 value management processes—and
use of a value management office for the program—will drive and monitor delivery of benefits from the
continual improvement. It will also demonstrate how these practices can be adopted for all IT-related
investments.

COBIT 5 Implementation training will help you learn how to connect with the
business and identify business benefits.

Tip #6 Deliver Outcomes Instead of

Outputs
By using pain points or trigger events to initiate IT governance initiatives, the business case for improvement
will be related to issues being experienced, and will clarify the desired business outcomes (such as reduction
in incidents, improved service reliability, lower costs, etc.) from the investment in improvement of governance
and management practices guided by COBIT. This is an essential step to make sure the requirement for IT
governance is properly understood as desired outcomes. The initiative then focuses on delivery of these
outcomes, rather than a COBIT implementation approach that is driven by COBIT as the solution. This being
a classic weakness in IT-related activities and a trap many enthusiastically fall into. Too often, IT governance
implementation projects focus on outputs and gravitate too quickly towards delivery of policies and process
documents, which have no value unless they are adopted and work effectively to deliver value-adding
outcomes, such as faster and more reliable changes.

6
Focusing on business outcomes also enhances the likelihood of business involvement, business alignment
and, thus, delivery of real business benefits.

Executives are faced with risky and challenging IT decisions that are key to delivering successful outcomes,
for example:

• Business and IT alignment—who is accountable for defining business needs?

• Agility—can we react in time to new opportunities?
• Service levels—acceptable quality, reliability and availability?
• Outsourcing, off-shoring cloud—beneficial or risky?
• Network security—are we protected?
• Portable data devices—are we losing data?
• Regulations—do we comply?
• Budgets—why are IT costs so high?
• Investments—do we have a business case and ROI?

Poor IT governance can result in many of the following damaging consequences affecting performance and
reputation, such as:

• Failed IT initiatives
• Rising costs
• Late project deliveries
• Low business benefit from IT
• Significant IT incidents
• Poor service delivery
• Ineffective IT HR practices
• Regulatory or contractual issues
• Audit findings

COBIT 5 Implementation training will help you learn how to recognize pain points,
trigger events and desired improvement outcomes.

Tip #7 Learn from Best Practices

The adoption of proven best practices help guide professional behaviour, increase effectiveness and
efficiency, and result in reliable and trusted activities. They avoid “re-inventing wheels” and disagreements
between business, IT, risk and assurance stakeholders and save time in developing approaches. However,
every enterprise is different and there is no “one-size-fits-all”.

COBIT 5 and other best practices will help to realize value from IT investments and IT services by identifying
benefits, such as:

• Improving the achievability, predictability and repeatability of successful business outcomes.

• Aligning the allocation of resources with business and stakeholders’ needs.
• Gaining the confidence and increased involvement of business sponsors and users.
• Improving the quality, responsiveness and reliability of IT solutions and services.
• Reducing risks, incidents and project failures.
• Improving the business’s ability to manage and monitor IT benefit realization.

The enterprise will also benefit from increased efficiencies and reduced costs by:

• Avoiding the reinvention of proven practices.

• Reducing dependency on technology experts.
• Increasing the potential to utilize less experienced, but properly trained, staff.
• Overcoming IT experts working in isolation and not following agreed processes.
• Increasing standardization leading to cost reduction.
• Making it easier to leverage external assistance through the use of industry-standard processes.
• In a climate of increasing regulation and concern about IT-related risks, adopting best practices will
help to minimize compliance issues by:

7
 § Making compliance and the application of internal controls “normal business practice”.
§ Demonstrating processes aligned with proven industry best practices.
§ Improving trust and confidence from management and partners.
§ Creating respect from organizations and individuals outside of the business.

Adherence to best practices also helps strengthen supplier/customer relations, make contractual obligations
easier to monitor and enforce, and harmonize multi-supplier outsourcing contracts. They can also help to
improve the market position of those service providers seen to be compliant with accepted global standards
such as ISO/IEC 20000, ISO/IEC 27002 and ISAE 3402.

While implementation should be guided by COBIT5 and other standards and best practices, specific
solutions must be developed that are suitable for adoption and use within the enterprise. Where tools are
used, it is best to choose proven tools aligned with best practices and then adapt working practices to align
with the tools. Modifying toolsets will create future maintenance headaches, increase costs and diminish the
benefits of the tool design.

Best practices exist to save time, avoid re-inventing wheels and to learn from successful experience and
expert guidance. From these experiences, they have been shown to deliver superior results.

COBIT is one of the most popular frameworks for helping enterprises deliver superior results from the use of
IT. COBIT and other best practices such as ITIL, however, need to be understood to be applied effectively,
and are only as good as the people who use them. Business and IT professionals need to understand how to
use COBIT to deliver value to the enterprises they serve. Only then is the value of their personal contribution
recognized and the value of COBIT demonstrated, when measurable business benefits have resulted from
the contribution of role-players and their use of COBIT.

Education is therefore essential. A lack of skills or a culture that doesn’t understand the value of best
practices can be the biggest obstacles to COBIT adoption. The comprehensive ITpreneurs training schemes,
that support the understanding and application of COBIT and other relevant best practices such as ITIL, are
critical to support implementation activity.

Mixing business and IT professionals in COBIT classes, especially when run in-house, has been proven to
greatly increase the mutual understanding of issues and potential solutions, break down cultural barriers,
and encourage a holistic team approach to implementing improvements.

COBIT 5 Implementation training will help you learn how to avoid reinventing the
wheel and personally improve your performance.

8
Acknowledgements
ITpreneurs is pleased to share with you a deeper knowledge of various frameworks and domains—
connecting their usage and application for the betterment of the IT profession. Our appreciation goes to the
industry experts who generously share their invaluable knowledge and experience with us.

Our special thanks goes to Gary Hardy for his work on this white paper

Contacts
Gary Hardy
Lead Author of COBIT and Owner of IT Winners

Tel: +27 (0) 21 794 4324 | +27 (0) 82 857 0727

[email protected]
www.itwinners.com

7 Fern Close - Constantia

7806 Cape Town
RSA

May Sau
Marketing Manager, ITpreneurs

Tel: +31 (0) 10 71 10 260

[email protected]
www.itpreneurs.com

Weena 324-326
3012 NJ Rotterdam
The Netherlands

Copyright and Trademark Information

Copyright © 2014 ITpreneurs. All rights reserved.
COBIT® is a trademark of ISACA® registered in the United States and other countries.