How to Complete the Governance System Design

Author: Joao Souza Neto, Ph.D., CGEIT, CDPSE, COBIT 2019 Design & Implementation, COBIT Certified Assessor, CRISC
Published: 10 October 2022

Today, the dynamics of the external and internal effects on organizations demand a flexible and customized governance system adapted to the specific needs of the organization. There is no one-size-fits-all solution. To fill this gap, an organization's governance system can be designed using COBIT® by following the four phases shown in figure 1.

Figure 1—Designing an Information and Technology Governance Solution

Phase 1 consists of meetings with the organization’s senior managers to understand the internal and external contexts, understand the enterprise strategy, identify the strategic risk and determine the pain points. The information from this phase directs discussions in the following phases.

Phase 2 begins with interviews with managers from various areas to collect detailed information about enterprise strategy, strategic objectives, the organization's risk profile and critical information and technology pain points.

In Phase 3, the levels of importance of the remaining design factors are defined: threat landscape, compliance requirements, role of IT, sourcing model, IT implementation methods, IT adoption strategy and enterprise size.

[Phase 4] can be tricky because it can be affected by different perceptions and opinions and can lead to organizational cultural issues.

Finally, there is Phase 4: the conclusion phase. This phase is crucial because it is the negotiation phase. This is the phase where the COBIT practitioner should consider, with the help of managers, all the variables related to prioritization.

ISACA's COBIT Design Toolkit is a tool that organizations can use to support governance.1 The toolkit is made up of a spreadsheet with all the elements of all the design factors to be filled in by the COBIT practitioner. The toolkit helps structure and speeds up the design process.

To combine all the design factors and reach a list of prioritized objectives, an algorithm was devised to compute the weight of every importance level to every objective of COBIT.

However, the algorithm embedded in the spreadsheet, with its fixed rules, cannot capture the specific organizational contexts, making it difficult to capture and consider the cultural aspects, perceptions and beliefs of the organization.

In Phase 4, several common situations that practitioners should be aware of include:

  • Maintenance of objectives—The maintenance of objectives selected by the algorithm is ideal because, in this case, the algorithm captures the needs and the organizational contexts. However, it is essential to estimate the effort necessary to implement the improvements. For this purpose, a capability assessment should be completed for each prioritized objective and managers should define the capability target levels. This information can be used to evaluate whether the organization can perform the improvements in the given period.
  • Inclusion of objectives—This is a common situation because, often, at the beginning of the design, managers present a wish list of objectives that they deem essential. The important thing here is to retrieve the information collected in Phase 1—which clarifies the enterprise strategy, strategic risk, and main pain points—to discuss how this wish list adds value to the list of prioritized objectives. There are 2 options: include the additional objective or replace an existing objective with the new one, according to the available resources. If the decision is inclusion, then the available resources need to be reanalyzed. If the decision is replacement, the COBIT practitioner needs to show managers how removing an objective from the list can impact the achievement of organizational objectives.
  • Partial exclusion of objectives—If managers choose to exclude one of the objectives from the initial list, the COBIT practitioner should ensure that managers understand how removing the objective from the list can impact the achievement of organizational objectives.
  • Total exclusion of the list of prioritized objectives—The complete rejection of the list of prioritized objectives by senior management also may occur. This happens when senior management is not consulted properly when managers fill out the levels of importance of the design factors and they are surprised by some scores that have been given. In this case, the whole design process should be repeated under the supervision of senior management.

In Phase 4, the abilities to communicate and negotiate are essential skills of the COBIT practitioner. It is important to listen carefully to managers' arguments to be able to explain in simple and objective ways the trade-offs of the choices and make it clear that the design of a governance system is not a Boolean decision-making task, but rather a multivalued system.

Endnotes

1 ISACA®, COBIT 2019 Design Toolkit: Designing an Information & Technology Governance Solution, USA

Joao Souza Neto, Ph.D., CGEIT, CDPSE, COBIT 2019 Design & Implementation, COBIT Certified Assessor, CRISC

Is a consultant in IT governance and management. He is the president and founder of the ISACA Brasilia Chapter.