COBIT 5: muddying governance and management
Execution always falls short of expectation. I'm still pondering my impressions of COBIT5 - more on that later - but one thing is clear: they haven't fully fixed the governance/management thing. [Update: I didn't get this right, see comments below]
When reviewing the COBIT 5 draft, I was delighted to see the adoption of the ISO38500 direct/monitor/evaluate model. COBIT has gone some way to meet the design paper's commitment to correct the usage of the word "governance":
COBIT 5 will clarify the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other
But not all the way. I was building a picture of what made me uncomfortable, when "The Infonomics Letter on Leadership and Governance of IT for July 2011" arrived. Everyone in IT management should read the Infonomics newsletter. Mark Toomey is THE MAN on IT governance. And Mark has laid out the case so much better than I could for why COBIT5 fails the governance test.
The governance tasks are used to frame the next level of detail in the five governance processes, while the management tasks are used to divide the overall set of management processes into four management domains, each of which contains a number of processes. This is quite confusing, and limits the concept of "evaluate, direct and monitor" to the internal structure of some high level processes, which is not what is intended by ISO 38500 at all... the Framework's earlier explanation of governance is very clear that governance involves setting direction, yet the process reference model contains no process in the governance space for setting direction, and in fact places the task of defining strategy (APO2) clearly and firmly in the space of management... it would seem that a great deal more work is required before COBIT 5 can articulate the distinction between governance and management in a way that is clear, unambiguous, and applicable in all jurisdictions, around the world... the words of Robert Tricker could be used to explain the situation: "Management runs the business; the board ensures that it is being run well and run in the right direction".
The newsletter crystalised something else for me: the USA doesn't get governance because they don't do it (my words not Mark's).
In many parts of Europe... there are often two-tiered board structures, where there is a higher level supervisory board that is composed of entirely non-executive directors, and a management board composed entirely of executives who have day by day responsibility for the organisation... in Britain and Australia, governance is usually the task of a board comprising several non-executive directors and one (or perhaps more) executive directors who are also part of the management structure of the organisation, with one of the non-executive directors also taking the role of chair. In the United States, the prevailing model seems to be one in which the board has a substantial proportion of executive directors, with the CEO often also taking the role of chair.
The spectacular failures of governance in the USA are legend, including my previous employer where the chairman-and-CEO ended up in jail. No wonder ISACA muddy governance and management when the whole ethos of corporate America is to muddy it.
My impression is that one faction within the COBIT 5 initiative tried to drive ISO38500 principles into COBIT and met with resistance from a conservative faction retaining the muddled US-centric view of governors managing the organisation. The fine words went at the front and the process model went on as before.