Resources Corporate Training Government Higher Education

COBIT® 5 Enablers 3 and 4 Tutorial

This lesson covers the third and fourth enablers of COBIT® 5, which are ‘organizational structures’ and ‘culture, ethics, and behavior’ respectively. The lesson is a part of COBIT® 5 Foundation Certification Course. Let us begin with the objectives of this lesson.

Objectives

By the end of COBIT 5 Enablers 3 and 4 lesson, you will be able to:

  • Explain enabler 3 of COBIT® 5 

  • Identify the different roles in the organizational structures 

  • Describe enabler 4 of COBIT® 5 

  • Explain the relationship between enabler 4 and others 

Let us move on to the next section to discuss the organizational structures enabler of COBIT® 5.

Enabler 3— Organizational Structure

The image below depicts the ‘organizational structures’ enabler. 
Enabler 3
An organizational structure is an enabler as it can show all the stakeholders and entities. Their varied roles, decision making, influencing and advising abilities will emerge from the organizational structures. An organizational structure gives a clear picture of the flow of direction from the governance to the management.

The flow of direction is further extended from the management to the operations team who will be completing the execution. After the execution, the operations team will report to the management. The management will then provide accountability to the governance. 

In the next section, we will understand the constituents of good practices in enterprises.

Constituents of Good Practices in Enterprises

The constituents of good practice in enterprises are:

  • Operating principles - They are the practical arrangements regarding how the structure will operate, such as meeting frequency documentation and other rules.

  • Span of control - They are the boundaries of the organization structure’s decision rights. 

  • Level of authority - They are the decisions that the structure is authorized to take. 

  • Delegation of responsibility - The structure can delegate a subset of its decision rights to other structures reporting to it. 

  • Escalation procedures - The escalation path for a structure describes the required actions in case of problems in making decisions. 

In the next section, we will look into the different roles in the organizational structures.


Roles in  the Organizational Structures

The table shown below depicts the roles of the board, Chief Executive Officer (CEO), (Chief Operating Officer) COO, (Chief Risk Officer) CRO, and (Chief Information Officer) CIO:

Roles/Structure

Description

Board

A board is a group of the most senior executives and non-executive directors.

They are accountable for the governance of the enterprise and have overall control on the latter’s resources.

Chief Executive Officer (CEO)

The CEO is the most senior official of the enterprise.

They are accountable for the financial management, including financial risk and controls and its reliable and accurate methods.

Chief Operating Officer (COO)

The COO is the most senior official accountable for organization’s operation.

Chief Risk Officer (CRO)

The CRO is the most senior official accountable for the risk management across the enterprise.

An IT risk officer may be appointed to oversee the IT-related risk.

Chief Information Officer (CIO)

The CIO is the most senior official responsible for aligning the IT and business strategies.

They are also accountable for planning, resourcing and managing the delivery of IT services and solutions to support the enterprise objectives.


The table shown below depicts the roles of the Chief Information Security Officer (CISO), Business Executive, Business Process Owner, and Strategy Committee:

Roles/Structure

Description

Chief Information Security Officer (CISO)

The CISO is the most senior official accountable for the security of the enterprise information in all its forms.

Business Executive

The business executive is the senior management individual accountable for the operation of a specific business unit or subsidiary.

Business Process Owner

The business process owner is the individual, who is accountable for the performance of a process in realizing its objectives, driving process improvement and approving process changes.

Strategy Committee— IT Executive

The strategic committee is a group of senior executives appointed by the board and chaired by a board member.

The purpose of this committee is to ensure that the board is involved in, and kept informed of the major IT-related decisions.

They are accountable for managing IT-enabled investments, IT services, and IT assets portfolios. They also ensure that value is delivered and risk is managed.


The following table explains the roles of the project and programme steering committees,
architecture board and enterprise risk committee in the organizational structures:

Roles/Structure

Description

Project and Programme Steering Committees

The project and programme steering committees include a group of stakeholders and experts.

They are accountable for the guidance of programme and projects including management and monitoring of plans, allocation of resources, delivery of benefits and value, and project and programme risk management.

Architecture Board

The architecture board is a group of stakeholders and experts.

They are accountable for the guidance on enterprise architecture related matters and decisions, and for setting up architectural policies and standards.

Enterprise Risk Committee

The enterprise risk committee includes a group of executives who are accountable for the enterprise-level collaboration and consensus required to support the Enterprise Risk Management or ERM (read as E-R-M) activities and decisions.

An IT risk council may be established to consider IT risk in detail and advise the enterprise risk committee.

What are you waiting for? Interested in taking up a COBIT® 5 Course? Check out our Course Preview!

The following table describes the roles of the Head of Human Resource (HR), compliance, audit, Head of Architecture and Head of Development as mentioned in the organizational structures: 

Roles/Structure

Description

Head of Human Resource (HR)

The head of HR is the most senior official of the enterprise, who is accountable for planning and creating policies with respect to all the human resources in the enterprise.

Compliance

The compliance function is responsible for the guidance on legal, regulatory and contractual compliance.

Audit

The audit function is responsible for the provision of internal audits

Head of Architecture

The head of architecture is the senior individual, who is accountable for the enterprise architecture process.

Head of Development

The head of development is the senior individual, who is accountable for the IT-related solution development process.


The roles of the head of IT operations, PMO, VMO, and Service Manager are mentioned below:

Roles/Structure

Description

Head of Information Technology (IT) operations

The head of IT operations is the senior individual, who is accountable for the IT operational environments and infrastructure.

Programme and Project Management Office (PMO)

The PMO function is responsible for supporting the programme and project managers and gathering, assessing and reporting information on the conduct of their programmes and constituent projects.

Value Management Office (VMO)

The VMO function acts as the secretariat for managing the investment and service portfolios.

Their responsibilities include assessing and advising on investment opportunities and business cases, recommending value governance or management methods and controls as well as reporting progress on sustaining and creating value from investments and services.

Service Manager

The service manager is an individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer or a group of customers.


Let us understand the concept of organization structures with the help of an example in the next section.

Organizational Structures—Problem Statement

A start-up IT company, which created a niche product for broadcasting companies, grew rapidly from five employees to fifty in a span of three years as the demand for the product grew. However, the organization began witnessing employee attrition affecting the organization's growth and stakeholder’s confidence.

A large percentage of the new recruits had resigned from their jobs after the third month, citing that they lacked confidence in the organizational direction and management. The employees' concerns included a need for clarity in roles and an overall sense of accountability. The absence of a clear escalation matrix in case of issues or whom to approach to discuss concerns also affected the employee morale. 

How could the company have ensured employee satisfaction and external stakeholder confidence?

Let us find out the possible solution in the next section.

Solution

The situation mentioned indicates a lack of organizational structure for employees and key stakeholders. New employees are not given sufficient orientation or training, and the staff is not clearly aligned with the managers or verticals.
An organizational structure clearly defines the roles and responsibilities and reassures the employees that there is a clear delineation of responsibilities and well-defined reporting structure. Accountability is also clearly assigned so that the employees know whom to approach in case of queries or issues.
In the next section, we will focus on the fourth enabler of COBIT® 5.

Enabler 4—Culture, Ethics, and Behavior

The image below depicts the ‘culture, ethics, and behavior’ enabler. 
Enabler 4
The good practices for creating, encouraging and maintaining the desired behavior throughout the enterprise include: 

  • communication of desired behaviors and corporate values throughout the enterprise. This can be done through a code of ethics. 

  • awareness of the desired behavior, strengthened by the example of senior management. This is one of the keys to a good governance environment when the senior management and the executives communicate on what is expected. It is also a difficult area that can lead to poor governance. The awareness can be brought as a part of training and awareness sessions based on a code of ethics. 

  • incentives and rewards to encourage and deterrents to enforce desired behavior. There is a clear link to HR payment and reward schemes. 

  • rules and norms which provide more guidance. This is typically found in the code of ethics. 

In the next section, we will discuss ‘culture, ethics, and behavior’ and organizational goals.

Culture Ethics and behavior and Organizational Goals

‘Culture, ethics, and behavior’ is related to goals in the following ways: 

  • Organizational ethics determine the values by which the enterprise wants to exist. An example of this is behavior towards risk-taking. 

  • Individual ethics are determined by each individual’s personal values and depend on the external factors. An example of this is behavior towards the enterprise’s principles and policies. 

  • Individual behaviors collectively determine the culture of the enterprise and are dependent on both organizational and individual ethics. An example of this is behavior towards negative outcomes such as loss events. 

In the next section, we will understand the relationship between the ‘culture ethics and behavior’ enabler and other enablers.

What is the relationship between the Fourth Enabler and Other Enablers?

The ‘culture, ethics, and behavior’ enabler has links to: 

  • processes for the execution of process activities, 
  • organizational structures for the implementation of decisions and 
  • principles and policies to be able to communicate the corporate values.

Many organizations include their code of ethics with their policies. 

Let us understand the concept of ‘culture, ethics, and behavior’ with the help of an example in the next section.

How about investing your time in COBIT 5 certification? Check out our Course Preview now!

Culture, Ethics, and Behavior—Problem Statement

An IT firm is frequently facing serious quality issues with the new applications. Despite a sound software development methodology being in place, software issues often cause operational problems in the day-to-day business. 

An investigation showed that the development team members and management are evaluated and rewarded based on the timely delivery within the budget for their projects. They are not measured against quality criteria or business benefits criteria.

As a result, they focus diligently on reducing the delivery time and cost during the development. For example, the employees save the time and cost by reducing or eliminating the testing time. 
The investigation also showed that compliance with the established methodology and procedures is virtually non-existent as it would require additional development time.

The organizational structure is such that the official involvement of development team is over when the developed application is handed over to the operations. Further, the development team’s involvement is only indirect through the established incident management processes.

What can be the lessons learned from this scenario?

In the next section, let us find out the solution.

Solution

The culture, ethics, and behavior followed in the enterprise is reflected in the products or services. It is evident that the culture of the enterprise was primarily focused on the cost, time, and scope in the delivery of the applications. 

It is evident that the focus of being quality-conscious and the drive to make superior products are lacking. Other important focus areas which are not a part of the company’s culture are compliance adherence, and risk management.

Lastly, it can be seen that there is a critical integration issue between development and operations teams. The operations team does not seem to be involved during the user acceptance testing phase before the final handover of the product from the development team. The development team depending solely on the incident management reflects a fire-fighting approach while preventing issues or minimizing them should be the goal. 

Better incentives must be used for the development management and teams to encourage quality work. Quality, compliance adherence, and integration should be embedded into the organizational culture and behavior.

Summary

Let us summarise what we have learned in this lesson: 

  • An organizational structure gives a clear picture of the flow of direction from the governance to the management. 

  • A board is a group of the most senior executives and non-executive directors. They are accountable for the governance of the enterprise and have overall control of the latter’s resources. 

  • The fourth enabler is ‘culture, ethics, and behavior’. 

  • Good practices for creating, encouraging and maintaining the desired behavior throughout the enterprise include incentives and rewards as well as rules and norms that provide more guidance. 

  • The ‘culture, ethics, and behavior’ enabler has links to the ‘processes’ enabler for the execution of process activities.

The next lesson will help you learn COBIT® 5 Enabler 5.

Related Courses
Learner Reviews
Related Articles
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.
Help and Support

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*