COBIT 5 for SMEs?

Last Tuesday, April 10, 2012, ISACA launched COBIT 5, the newest evolution of its well-known framework, which has its roots in Belgium! Yes, it's true: one of the founding fathers of Cobit, Erik Guldentops, professor at the University of Antwerp Management School, conceived the concepts of CobiT (Control Objectives for Information and related Technology) from his early experiences as an IT auditor at SWIFT (Brussels) and later on as a member of the boards of the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). That was many years ago.

Today I am looking at COBIT 5, and according to ISACA this is the most significant evolution in the framework’s 16-year history. In 2004 and 2005 I was a member of the expert developers group and a reviewer of Cobit 4.0, and at that time the new version was also considered a major update of the model. In IT land we are of course counting in light years, so I am willing to believe that COBIT 5 is the next step ahead.

As an IS researcher with a strong focus on small and medium-sized enterprises (SMEs), I am keen on finding new insights, methods and principles to deal with IT in these organizations. I always use Cobit in my courses as a formal method to confront graduate engineering students with the real world of information systems (not computer science), for the most part in SMEs. Cobit offers me a very well synthesized overview of the overall IS function, with links to audit and governance. However, there are some drawbacks when focussing on SMEs. I know that a lot of my colleagues are not convinced that SMEs constitute a different environment when it comes to adopting and using IT, but they are of course wrong. Sure, SMEs are confronted with the same challenges as all other companies, like IT alignment, IT failures, third party management, IT assurance, business orientation of IT, and to some degree even IT Governance. But through my research and experience as an IT practitioner I dare to say that SMEs show a different behaviour towards IT adoption and use. SMEs have limited resources and are therefore governed differently compared to large organisations. Within SMEs, the CEO often assumes the role of owner and manager. The owner/manager needs to allocate the resources and devote significant time and effort to managing the adoption process, often in the absence of the necessary ICT managerial and technical capabilities.

So what can COBIT 5 bring us when we look through the lens of an SME?

First of all, COBIT 5 adheres to the principle of striving for efficiency in organizations. This is already subject to a large debate in the scholarly community. Do information systems contribute to the efficiency (and maybe on a larger scale also to the effectiveness) of organisations? This is of course an academic question and not so interesting for practitioners. However, the principles of efficiency are very well understood in SMEs. In that sense SMEs are no different from large organisations. So if IT is used in SMEs, it will have to contribute to the efficiency of the organisation. COBIT 5 definitely has a value proposition for SMEs.

As expected, the approach of COBIT 5 still reigns in the paradigm of control and the agency setting. The title of the framework emphasizes that view: a Business Framework for the Governance and Management of Enterprise IT. There is, at least in the title, the very promising separation between governance and management. COBIT 5 is based on five key principles, and the fifth one is Separating Governance From Management. Try to explain the concept of IT Governance to an SME entrepreneur and you will get nowhere. In most SMEs there is no segregation of management (control) and governance (ownership). Students will accept the separation between governance and management from a theoretical perspective, but both concepts are intertwined in reality, even in large organisations. This is where COBIT 5 strongly moves away from the world of SMEs.

I noticed that separation of governance and management was the fifth principle of COBIT 5. The four other principles, however, are equally valid in SMEs.

Principle 1: Meeting Stakeholder Needs. The concept of a stakeholder is universal in information systems and thus also for SMEs.

Principle 2: Covering the Enterprise End-to-end. This is something where SMEs can outperform large organisations. The personal commitment of the CEO, working with his own capital, his sense of responsibility and his devotion to making money will keep the focus on the business. The failure to make business processes end-to-end seems to be a characteristic typical of large companies, with less personal commitment from the management and where the anxiety of opportunistic behaviour due to agency problems looms large throughout all business silos.

Principle 3: Applying a Single, Integrated Framework. SMEs are overwhelmed by consultants preaching all kinds of methodologies and frameworks borrowed from environments unreceptive to SMEs. We talk about ITIL, Prince2, PMBOK, ISOxxxxx, CMMI, … Only one integrated, broad and flexible framework is needed for SMEs, if possible with theoretical foundations grounded in the business soil of SMEs. I strongly believe COBIT 5 does offer that!

Principle 4: Enabling a Holistic Approach. That running a business requires a holistic approach is one of the things that our well-educated but highly specialized IT engineers tend to forget. This is probably also the reason why the industry is asking for more business skills as compared to computer science skills from its new incoming IT professionals. This holistic principle is gold in SMEs, where jobs tend to have a more generalist nature than in large organisations.

According to COBIT 5, information is a key resource for all enterprises, and this is probably an understatement. Information has become the input of the production function, and SMEs are also recognizing the need to invest in information capital. CEOs of SMEs see that information has the power to transform economic sectors, markets and business models. SMEs often compete in niches and sometimes solely on information, thereby helping to break existing business models. To be in control is to be in control of the information and not of IT.

The goals cascade of COBIT 5 tends to focus solely on a top-down approach, but according to Charles Petrie (2010) there is plenty of room outside the company. Petrie is referring to the so-called Emergent Collectives, coming from beneath, without a central control mechanism but offering a lot of scalability and value to the users (customers) while still being more or less durable. Examples are the upcoming open source communities around ERP, CRM and BI, now competing with the vested information systems in large enterprises. Other examples are the large number of social media platforms (Facebook, Twitter, FourSquare, …) that enter the organisation through devices not under the control of the organisation. The phenomenon of BYOD is the next nightmare for the CIO. These collectives do not behave in nice predictable ways, because they are in no way under the control of a central governing mechanism.

Anyway, some critical thoughts maybe, but I will still keep on using Cobit in my lectures and I will even adapt my slides to the newest version, because I believe there is no framework that encompasses IT, information, and their functions in organisations better than Cobit, even for SMEs!

jan devos
