This lesson covers the third and fourth enablers of COBIT® 5, which are ‘organizational structures’ and ‘culture, ethics, and behavior’ respectively. The lesson is part of the COBIT® 5 Foundation Certification Course. Let us begin with the objectives of this lesson.
By the end of the COBIT 5 Enablers 3 and 4 lesson, you will be able to:
Explain enabler 3 of COBIT® 5
Identify the different roles in the organizational structures
Describe enabler 4 of COBIT® 5
Explain the relationship between enabler 4 and others
Let us move on to the next section to discuss the organizational structures enabler of COBIT® 5.
The image below depicts the ‘organizational structures’ enabler.
An organizational structure is an enabler as it can show all the stakeholders and entities. Their varied roles, decision making, influencing and advising abilities will emerge from the organizational structures. An organizational structure gives a clear picture of the flow of direction from the governance to the management.
The flow of direction is further extended from the management to the operations team who will be completing the execution. After the execution, the operations team will report to the management. The management will then provide accountability to the governance.
In the next section, we will understand the constituents of good practices in enterprises.
The constituents of good practice in enterprises are:
Operating principles - They are the practical arrangements regarding how the structure will operate, such as meeting frequency, documentation and other rules.
Span of control - They are the boundaries of the organization structure’s decision rights.
Level of authority - They are the decisions that the structure is authorized to take.
Delegation of responsibility - The structure can delegate a subset of its decision rights to other structures reporting to it.
Escalation procedures - The escalation path for a structure describes the required actions in case of problems in making decisions.
In the next section, we will look into the different roles in the organizational structures.
The table shown below depicts the roles of the board, Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Risk Officer (CRO), and Chief Information Officer (CIO):

| Roles/Structure | Description |
| --- | --- |
| Board | A board is a group of the most senior executives and non-executive directors. |
| Chief Executive Officer (CEO) | The CEO is the most senior official of the enterprise. |
| Chief Operating Officer (COO) | The COO is the most senior official accountable for organization’s operation. |
| Chief Risk Officer (CRO) | The CRO is the most senior official accountable for the risk management across the enterprise. |
| Chief Information Officer (CIO) | The CIO is the most senior official responsible for aligning the IT and business strategies. |
The table shown below depicts the roles of the Chief Information Security Officer (CISO), Business Executive, Business Process Owner, and Strategy Committee:

| Roles/Structure | Description |
| --- | --- |
| Chief Information Security Officer (CISO) | The CISO is the most senior official accountable for the security of the enterprise information in all its forms. |
| Business Executive | The business executive is the senior management individual accountable for the operation of a specific business unit or subsidiary. |
| Business Process Owner | The business process owner is the individual who is accountable for the performance of a process in realizing its objectives, driving process improvement and approving process changes. |
| Strategy Committee— IT Executive | The strategy committee is a group of senior executives appointed by the board and chaired by a board member. |
The following table explains the roles of the project and programme steering committees, architecture board and enterprise risk committee in the organizational structures:

| Roles/Structure | Description |
| --- | --- |
| Project and Programme Steering Committees | The project and programme steering committees include a group of stakeholders and experts. |
| Architecture Board | The architecture board is a group of stakeholders and experts. |
| Enterprise Risk Committee | The enterprise risk committee includes a group of executives who are accountable for the enterprise-level collaboration and consensus required to support the Enterprise Risk Management (ERM) activities and decisions. |
The following table describes the roles of the Head of Human Resource (HR), compliance, audit, Head of Architecture and Head of Development as mentioned in the organizational structures:

| Roles/Structure | Description |
| --- | --- |
| Head of Human Resource (HR) | The head of HR is the most senior official of the enterprise, who is accountable for planning and creating policies with respect to all the human resources in the enterprise. |
| Compliance | The compliance function is responsible for the guidance on legal, regulatory and contractual compliance. |
| Audit | The audit function is responsible for the provision of internal audits. |
| Head of Architecture | The head of architecture is the senior individual who is accountable for the enterprise architecture process. |
| Head of Development | The head of development is the senior individual who is accountable for the IT-related solution development process. |
The roles of the head of IT operations, PMO, VMO, and Service Manager are mentioned below:

| Roles/Structure | Description |
| --- | --- |
| Head of Information Technology (IT) operations | The head of IT operations is the senior individual who is accountable for the IT operational environments and infrastructure. |
| Programme and Project Management Office (PMO) | The PMO function is responsible for supporting the programme and project managers and gathering, assessing and reporting information on the conduct of their programmes and constituent projects. |
| Value Management Office (VMO) | The VMO function acts as the secretariat for managing the investment and service portfolios. |
| Service Manager | The service manager is an individual who manages the development, implementation, evaluation and ongoing management of new and existing products and services for a specific customer or a group of customers. |
Let us understand the concept of organization structures with the help of an example in the next section.
A start-up IT company, which created a niche product for broadcasting companies, grew rapidly from five employees to fifty in a span of three years as the demand for the product grew. However, the organization began witnessing employee attrition, which affected the organization's growth and stakeholders’ confidence.
A large percentage of the new recruits had resigned from their jobs after the third month, citing that they lacked confidence in the organizational direction and management. The employees' concerns included a need for clarity in roles and an overall sense of accountability. The absence of a clear escalation matrix in case of issues or whom to approach to discuss concerns also affected the employee morale.
How could the company have ensured employee satisfaction and external stakeholder confidence?
Let us find out the possible solution in the next section.
The situation mentioned indicates a lack of organizational structure for employees and key stakeholders. New employees are not given sufficient orientation or training, and the staff is not clearly aligned with the managers or verticals.
An organizational structure clearly defines the roles and responsibilities and reassures the employees that there is a clear delineation of responsibilities and well-defined reporting structure. Accountability is also clearly assigned so that the employees know whom to approach in case of queries or issues.
In the next section, we will focus on the fourth enabler of COBIT® 5.
The image below depicts the ‘culture, ethics, and behavior’ enabler.
The good practices for creating, encouraging and maintaining the desired behavior throughout the enterprise include:
communication of desired behaviors and corporate values throughout the enterprise. This can be done through a code of ethics.
awareness of the desired behavior, strengthened by the example of senior management. This is one of the keys to a good governance environment when the senior management and the executives communicate on what is expected. It is also a difficult area that can lead to poor governance. The awareness can be brought as a part of training and awareness sessions based on a code of ethics.
incentives and rewards to encourage and deterrents to enforce desired behavior. There is a clear link to HR payment and reward schemes.
rules and norms which provide more guidance. This is typically found in the code of ethics.
In the next section, we will discuss ‘culture, ethics, and behavior’ and organizational goals.
‘Culture, ethics, and behavior’ is related to goals in the following ways:
Organizational ethics determine the values by which the enterprise wants to exist. An example of this is behavior towards risk-taking.
Individual ethics are determined by each individual’s personal values and depend on the external factors. An example of this is behavior towards the enterprise’s principles and policies.
Individual behaviors collectively determine the culture of the enterprise and are dependent on both organizational and individual ethics. An example of this is behavior towards negative outcomes such as loss events.
In the next section, we will understand the relationship between the ‘culture, ethics, and behavior’ enabler and other enablers.
The ‘culture, ethics, and behavior’ enabler has links to:
Many organizations include their code of ethics with their policies.
Let us understand the concept of ‘culture, ethics, and behavior’ with the help of an example in the next section.
An IT firm is frequently facing serious quality issues with the new applications. Despite a sound software development methodology being in place, software issues often cause operational problems in the day-to-day business.
An investigation showed that the development team members and management are evaluated and rewarded based on the timely delivery within the budget for their projects. They are not measured against quality criteria or business benefits criteria.
As a result, they focus diligently on reducing the delivery time and cost during the development. For example, the employees save time and cost by reducing or eliminating the testing time.
The investigation also showed that compliance with the established methodology and procedures is virtually non-existent as it would require additional development time.
The organizational structure is such that the official involvement of the development team is over when the developed application is handed over to operations. Further, the development team’s involvement is only indirect through the established incident management processes.
What can be the lessons learned from this scenario?
In the next section, let us find out the solution.
The culture, ethics, and behavior followed in the enterprise are reflected in the products or services. It is evident that the culture of the enterprise was primarily focused on the cost, time, and scope in the delivery of the applications.
It is also evident that a focus on quality and the drive to make superior products are lacking. Other important focus areas which are not a part of the company’s culture are compliance adherence and risk management.
Lastly, it can be seen that there is a critical integration issue between the development and operations teams. The operations team does not seem to be involved during the user acceptance testing phase before the final handover of the product from the development team. The development team's sole reliance on incident management reflects a fire-fighting approach, whereas the goal should be to prevent issues or minimize them.
Better incentives must be used for the development management and teams to encourage quality work. Quality, compliance adherence, and integration should be embedded into the organizational culture and behavior.
Let us summarise what we have learned in this lesson:
An organizational structure gives a clear picture of the flow of direction from the governance to the management.
A board is a group of the most senior executives and non-executive directors. They are accountable for the governance of the enterprise and have overall control of the latter’s resources.
The fourth enabler is ‘culture, ethics, and behavior’.
Good practices for creating, encouraging and maintaining the desired behavior throughout the enterprise include incentives and rewards as well as rules and norms that provide more guidance.
The ‘culture, ethics, and behavior’ enabler has links to the ‘processes’ enabler for the execution of process activities.
The next lesson will help you learn COBIT® 5 Enabler 5.