ISACA COBIT 2019 – Business Case

1. The COBIT Business Case

Welcome to the business case section. By now you know what COBIT is and how it can help you with your governance system if you would like to apply it in your organization. It requires effort and investment. So you need to prepare a justification for your investment, which means write down the benefit that COBIT brings and compare it to the cost that you will need to pay for it. Such a justification is called a business case. Usually it has a form of more or less formal document within companies, and it is required for any larger investment.

Well, not only within a company. If you’re going to buy a car or a house, you need a business case too, right? You need to evaluate benefits that the car will bring you and compare it to the cost that you have to pay for it. So let’s see how to create a business case for COBIT. We will provide a generic guideline and an example since each organization has its own reasons for using COBIT. But before we start, I would like to share my opinion from my own experience. I don’t find this lecture about COBIT’s business case as useful as the previous lectures. The main reason is that this business case, as Cubits explains it, is very high level and strategic.

My opinion is that much more practical would be detailed business cases for individual parts of Cobbt implementation. Implementation of It governance should rather be part of a company strategy and executed as a part of each company’s strategic path or roadmap. Yes, such a high level business case can give some overview, but I don’t find it so beneficial. But let’s go and see how the authors define it. You can see for yourself and you can make your own opinion. Maybe you can disagree with me. Here you can see the content of each business case. Executive Summary Background business challenges, Alternatives Considered and Proposed Solution executive Summary is a good practice for any document addressed for top management. It summarizes the whole document, the reasons for the investment goals and what needs to be done.

Background describes how the It governance fits to the overall enterprise governance and how It will support its strategy and goals. I realize that this explanation is very generic and I will give you a link to a detailed example later. Business challenges are problems or pain points that the company faces. Not only It, but ideally the business challenges for which the It governance system needs to be implemented to solve them. In the section Alternatives Considered, we statewide Cobt was chosen as the suitable governance framework and what other alternatives were considered. Proposed Solution contains details about planned COBIT implementation and especially the cost benefit analysis why the benefits of implementing COBIT are compared to cost that it brings. You can find detailed example of a business case for a company in the COVID 2019 framework. Introduction and Methodology book that you have downloaded earlier page 53 to 61. It is not mandatory to read it and not required for the exam, but it will give you an idea about a business case. We will now go through that example together. Okay, I have opened the Introduction and Methodology book and I’m going to page 53, which is where the business case chapter starts. First thing that we need to do is get familiar with the scenario with the company who is building the business case.

It is ACMA Corporation, a large multinational enterprise with a mixture of traditional Well-established business units as well as new internet based business adopting the very latest technologies. Many of the business units have been acquired and exist in various countries with different local political, culture and economic environment. The Central Group’s executive management team has been influenced by the latest governance guidance, including COBIT, which they have used centrally for some time. So they do have some experience with COBIT already. They want to make sure that rapid expansion and adoption of advanced It will deliver the value expected.

They also intend to manage significant risk. They have therefore mandated enterprise wide adoption of a uniform Enterprise Governance for It approach. This approach includes involvement by the audit and risk functions and internal audio reporting by business unit management of the adequacy of controls in all entities. Next chapter is the executive summary, which I will skip for now and we’ll go back to it later because it contains all the topics just summarize.

So let’s go to the topics first. Let’s go to the other chapters and then we’ll go back. The next third chapter is the background. I will highlight the most important part, the key part of this chapter. And we can learn about, we can define them and discuss them. Egit is an integral part of overall enterprise governance. Brilliant. It should be like that. It is integrated into the operations of Acme Corporation businesses. Brilliant. This is great practice.

And also management of each subsidiary business unit is responsible for ensuring that the proper processes are implemented and relevant to enterprise governance of It. Great. The board of Directors, assisted by the Risk and Audit Committees, will ensure that the group’s Egit performance is assessed, monitored, reported and disclosed in an Egit statement as part of the Enterprise Integrated Alarm Report. So this is relevant to the background part.

So we gave some highlights from the background of where the governance will be implemented. Next chapter are business challenges. Business challenges? Sometimes we can call them pain points are the difficult things that the organization currently faces and it’s very important to put them into the business case. While for obvious reason it does give justification for why we need the governance. Because the governance will be covering will be likely covering these pain points. So let’s see some examples. Some examples of the challenges. Pain points so we can take the view from the top.

Complicated It assurance efforts due to entrepreneurial nature of many business units complex It operating models, because we were reading that they’re starting to be based on Internet or Internet based business models. Geographically dispersed entities, right? They have different cultures and languages and decentralized and largely autonomous business control model within the group.

So these are some of the pain points that we mentioned in this chapter. Business challenges, gap analysis and goal. Gap Analysis will tell us what we are missing, right? From the target state to have implemented Enterprise Governance for It and the goal, the goal of the whole initiative. Why do we need Enterprise Governance for it? So there is currently no group wide approach or framework for Enterprise Governance. They have variable levels within each branch or local business units of those practices for Enterprise Governance.

And the objective for the Enterprise Governance program is to increase the level of capability and adequacy of It related process controls appropriate to each business unit, and they will be prioritizing It. So, this is the Gap Analysis and Goal section of the Business case alternatives considered. There are many it frameworks for enterprise governance for It. There are for specific areas also. But as we said before, the Kama Corporation been already using COBIT, even if not in all subsidiaries. But they do have experience with It. So they choose to go for COBIT and spread It throughout all the subsidiaries on prioritized way. So, It was chosen as the preferred framework for the Enterprise Governance for It implementation.

Next part, proposed solution which was divided into two phases. Phase one pre planning. Let’s have a look at the steps which take part in this stage. In this phase, let’s choose just few of them. Key steps from this part. So, the core team is established, finalized of the implementation team and stakeholders. The stakeholders been identified together with their needs, current committee structures, roles, responsibilities, decision rules, reporting arrangement and so on. Clarified, defined as well. Communication plan is created, assessment and reporting tools prepared.

And the approach is tested on one local entity, something kind of a pilot here. So this is phase one out of those two phases. And let’s see the second one, which is program implementation. So, examples of steps here determine the current status and the desired state of the Governance. So what we have now and what we need to have. And another, for example, implement the identified and Agreed improvement project. So, the exact implementation happened in this step.

Program implementation in this phase. Next chapter program Scope so the implementation will cover all of the group entities. We said that all the subsidiaries will be included method for prioritization. So these subsidiaries will be choosing what will be most important, where to invest. So the criteria for decision will be size of the implementation part, earnings or contribution to the group.

So how useful this implementation or this part of what they will be implementing, these objectives or structures, how they will contribute to the group a risk profile from a group perspective again, so from the global perspective, how the risks will be handled by decision, by the decision, by the part that they will be implemented, so it will give them the priority. Or it could be the combination of these criteria’s, program methodology and alignment have to state how or how the program will be performed or what methods will be used to implement their enterprise Governance.

You can see it here that the program will use facilitated interactive workshop approach with all the entities. This approach will start with the business objectives and the objectives owners such as CIO, CEO, Chief Financial Officer or CFO. Once these business objectives have been covered, then we’ll move to It operations under the CTO and CIO. And at this operational level, further details of It related business risk and objectives will be considered.

So this is the method which will be used during implementation. Program Deliverables we mentioned earlier that the overall goal of the Enterprise Governance for It program is to embed good practices of Enterprise Governance in It into the continuous operation of the various group entities. Let’s see exact outcomes because this was the goal. But now what are the physical outcomes of this program? We’ll give few examples here. The program will facilitate internal or sharing via Internet platform.

It’s one of the outputs. Detailed reports on each facilitation with business units will be created. These reports will include the current prioritized business objectives, it related risks identified by the unit. Then also overall progress reports on the intended coverage of the Acme Corporation business units will be produced as well. And several other reports are as the outcome of the program. We just gave few examples here. Program Risk this is a business case, so we need to include all the information needed for the decision, right? It’s an investment decision tool, the business case. So it’s fair to give the management, whoever will be deciding about this investment for Enterprise Governance for It needs to know about the risks it will bring.

So we identify few and let’s read few examples. Management commitment and support for the program is a risk. Demonstrating actual value delivery and benefits for each local entity is a risk error. Here also, what could be a risk whether local management will be actively participating in the implementation of the program. So these are a few examples related to our program. Part of the business case are identified stakeholders.

So some example of stakeholders which mean the people who will be involved or are somehow affected by the program or can influence the program will be risk committee, It executive committee, governance, team compliance stuff, regional management, local entities, very important, right? They will be a big part of the implementation, especially the executive management, internal audit services. So these are identified stakeholders and cost benefit analysis. Very important part of each business case. Here we need to specify the benefits that the initiative brings and compare it to the cost that will need to pay for it.

So, examples of benefits, I will choose some or we can go through some maximization of realization of business opportunities through It. So basically it supports the business support of the business objectives by getting optimum returns on these investments meaning again aligning it directly with the business strategy, legislative, regulatory and contractual compliance we will achieve through this program.

Also, consistent approach for measuring, monitoring, progress, efficiency, effectiveness, improved quality of service delivery, lower cost of It operations. These are benefits and we need to compare them to the cost. So cost will include the time required for the group, program management, external advisory resources and trainings and specific project improvement initiatives for each business unit will be estimated in phase two. So we just have the initial budget or the initial cost and we are the last chapter which is Challenges and success factors which summarizes the challenges that could affect the program during the implementation period and also the critical success factors that should be addressed. So we achieve the success.

So the program runs successfully and Egit is implemented as we require it. So in this table summarize or in this table, we can find all the challenges identified together with critical success factors. We’ll just give a few examples again here. So let’s start from the beginning. So as a challenge was identified inability to gain and sustain support for improvement objectives. We’ve mentioned that as a risk as well if you remember. So it has a high probability and we can face this during our program. So we’ll try to mitigate this through committee structures within the group.

Communication gap between It and the business also can happen. So we need to involve all stakeholders, cost of improvement, outweighing the benefits, well that is also perceived as a challenge. So we need to properly clarify the benefits, lack of trust and good relationship between It and the enterprise and their civil solutions, critical success factors such as foster open and transporting communication about performance, focus on business interfaces and service mentality and so on.

So these were a few examples on challenges and critical success factors that needs to be covered and analyzed as well during the program. Okay, I have promised to COVID the first chapter which was executive summary at the end because we’ve gone through all the chapters and all the content of the business case and at the beginning we usually include executive summary to summarize the whole document. I will not go one sentence by one sentence, but I just highlight some of the key parts of the executive summary. For example scope it contains the scope of the program.

So the scope in terms of business entities that make up the Acme Corporation is all inclusive so it touch all the entities. We covered that within the business case. Also, what I will highlight from here is that the Egypt program will be achieved or the governance will be implemented by focusing on the capabilities of acme processes and other components that are defined in Cobbit. The relevant and prioritized governance and management objectives that will receive focus at each entity will be identified through workshops. Remember we were talking about the workshop approach. It’s also important to mention the objective of the program. So it is to ensure that adequate governance system, including governance structures is in place to increase the level of capability and adequacy of relevant It processes. I will also highlight this paragraph here.

The Egit program will be delivered in two phases. Remember we were discussing that the first phase is a development or preparation which will be where will be the approach developed and tested on one subsidiary. At the end of this first phase the result will be presented for approval. And once the approval has been obtained, then the Egit program will be rolled out in a Greek manner.

And that’s the phase two. And the last part I will emphasize from this Executive summary will be the budget. Important to mention that initial budget for the development phase has been prepared. It’s detailed in a separate chattel. And there will be another budget completed for the phase two and submitted for approval. So this was the Executive summary part, which doesn’t contain any new information. It’s just summarized the content of the document. This was a walkthrough through a sample business case for the Akme Corporation. As I mentioned before, since each organization has its own reasons for using COBIT to build their governance system, each business case will be different. And the question is how practical is to create the business case this way? I have shared my opinion previously and by now I believe you have your own. You may or may not find it useful and practical for your environment.