Are Today's Risk Management Frameworks Antiquated?

It has been 16 years since ISACA blazed a trail with its first incarnation of the COBIT IT governance framework, and a decade since Sarbanes Oxley catapulted it into the limelight as a reliable way to develop IT governance and management programs that could keep organizations compliant.

A lot has changed in the intervening years -- not just with the mounting number of regulations organizations seek to comply with, but also with how firmly enmeshed IT has become within everyday business processes. Though ISACA has shepherded COBIT through numerous refreshes in the past, the organization knows that the time has come: COBIT is due for a reboot.

[Whether it is through a framework or not, tying together compliance initiatives must be done to maintain your sanity and valuable dollars. See Unifying Compliance Initiatives To Make Budgets Last.]

According to Robert Stroud, member of ISACA's Strategic Advisory Council and of the ISACA Framework Committee, ISACA this week delivers on an overhaul of the framework that's two years in the making.

"What we've gone and done is basically not just refresh the framework, but we took a complete look at it again to make sure it is relevant and applicable to become a business framework for the governance and management of enterprise IT," says Stroud, who is also vice president of strategy and innovation and a service management and governance evangelist for CA Technologies. "So we've taken a top-down approach to the governance from the business right down through all the capability that IT will often need to deliver through technology, process, people, culture, and aspects like that."

In anticipation of the launch, Dark Reading spoke with Stroud, who discussed five main ways ISACA is rewriting the rules for the GRC rule-makers. According to him, the changes make COBIT 5 more robust, reliable, and repeatable as a process capability assessment method than its predecessors.

1. IT-Enabled Business Processes
The driving force behind the revamp of COBIT was to join IT governance and risk management with business governance and risk management, Stroud says.

"Instead of just being an IT governance framework, we've moved upscale in reflection to the industry," he explains. "It's now a business framework for the governance and management of the enterprise. That's the fundamental difference."

As a result, it better delineates business stakeholder involvement and responsibility in the use of IT. More importantly, it's designed to make it easier to fold in both business and IT activities for more holistic development of best practices that reflect the enterprise-wide nature of IT use.

In order to accomplish the goal of creating this business framework, ISACA merged three of its existing process reference models -- COBIT, ValIT, and RiskIT -- under the COBIT umbrella.

"We've effectively built this framework to help people understand what the right top-down business processes you want to put in place are so that you can govern your business and enable IT effectively," Stroud says.

2. Governance And Management Phases Split
ISACA further remodeled the foundation of COBIT by distinguishing between the governance and management of business and IT.

"Where we've differentiated from previous versions is really through separated governance and management so that COBIT recognizes them as different phases," Stroud says. "First there's the governance phase that will involve following an evaluate, direct, monitor model. And at the lower level there's a management framework so you can instrument management processes that are logical and practical."

According to Stroud, ISACA built the new COBIT like most organizations build their security policy or risk management policy: on principles rather than specific rules.

"We've become a principle-based framework rather than setting 'Thou shalt' rules," he says. "That's the way of practical management these days."

3. Value-Based Decisions
Not only is the new framework principle-based, it's also value-based.

"We acknowledge value up front. And I just don't mean return on investments. We're talking about a real value realization phase when any major enterprise initiative is developed," Stroud says. "You're going to understand and articulate what the value is, otherwise the organization wouldn't invest in it. We've driven that top-down linkage of business value so that IT can understand what it is and then use the management framework to represent that back."

COBIT 5 now does that by including requirements in the governance part of the framework that mandates organizations do benefits identification for new projects, whether they're designed for innovation, security, or compliance.

Taking compliance as an example, an organization would state one of the major benefits as the opportunity to experience a stretch without paying fines or penalties, Stroud says.

"If you articulate that upfront in a value-proposition, you can quickly do an estimation of the fines and penalties you are avoiding by effective execution of the framework. I think that's the thinking that IT and the business needs to inherit," he says. "If you logically do that analysis then you can get to a situation where you can actually do a risk assessment and say 'Well, if the fine is 10 cents, do I care?' The answer is yes if there's a billion of them."

4. New Process For Enterprise Architecture
Stroud says that as the ISACA committee worked on COBIT 5, one of the important items on the radar was continuing the commitment to helping organizations develop processes that would feed into their compliance objectives.

That meant not only including compliance framework components in the governance phase, but also reworking the management phase to mesh with the compliance processes of the future. This meant adding a new process for enterprise architecture.

"In forward-thinking enterprises now, compliance requirements are going to be part of their enterprise architecture. They're making them part of the company DNA. It becomes far more a part of business-as-usual rather than an exception to the process," he says. "We've now enshrined a process for going through and ensuring that you've got a lot of those metrics consistently being collected for the organization and alerted back up to management so they can make sound decisions and understand when compliance boundaries have been exceeded."

5. Collaborative And Customizable Content
Created in a time before Internet ubiquity, much less social mediam and blogs, COBIT is changing dramatically, not just with its content but also how it is delivered. According to Stroud, the release of materials this week is just the start of the effort to roll out COBIT and keep it fresh in the coming years. Enterprises with ISACA member should expect to be able to lean on a new COBIT online collaborative effort that will allow individuals to customize content for their needs and connect with their peers.

"It won't matter what your role is -- you'll be able to take a view of the online repository and effectively generate your own COBIT output based on your role, your function, and what business problem you're trying to solve," Stroud says. "We're getting modern. We've got this great community of over 100,000 ISACA members worldwide, and we absolutely want to leverage that community, to drive through not just the way they choose content, but really drive the development we do going forward."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.