Organizational decision-makers are confronted with pervasive Information Technology. Investments in Information Technology form a large portion of total investments, requiring a focus on the governance of IT. One prevalent IT Governance Framework is COBIT 5. Despite its widespread use, there is a claimed lack of research on COBIT 5. To validate this claim, we have looked at academic literature and mapped the results along different criteria. Our key findings suggest that the peak of COBIT 5 publications already seems passed, that most publications deal with the contextual use of COBIT 5, that this context is still very security/risk and governance focussed, and that the new concepts introduced in COBIT 5, and COBIT 5 as an artefact itself, are hardly researched. We conclude that COBIT 5 needs more thorough academic research at the conceptual level, and that future work should start with the development of a conceptual model of COBIT 5, making COBIT 5 truly researchable as an artefact.
In an increasingly digitized economy, organizational decision-makers are more and
more confronted with the pervasiveness of Information Technology. Investments in
Information Technology form a large portion of total investments for many
contemporary organizations. For this reason, a focus on the governance and
management of IT is warranted, to ensure that the current and future investments in IT
are in line with business needs, and all of this at a level of IT-related risk that is
appropriate for the organization. Yet we observe that many organisations are still
struggling on how to obtain optimal value from information and information systems
or to protect adequately against information and IT related risks [
Information system failures of different types and magnitudes are reported almost daily, e.g. cyber-attacks, large project failures, operational incidents with highly visible impacts, privacy invasions.
To improve on this situation, many organisations or associations have created frameworks of good practice that aim to address this problem. Simultaneously, academic research has provided answers on how organizations can implement IT governance. The state-of-the-art view in academia is that IT governance should be implemented as a holistic set of structures, processes, and relational mechanisms. From the practitioner area, guidance has also surfaced. The leading practitioner framework for the governance and management of enterprise IT is developed by ISACA (Information Systems Audit and Control Association, Rolling Meadows, IL, USA). The framework is called COBIT (Control Objectives for Information and Related Technologies), and is currently in its fifth edition1.
Referring to Rescher’s methodological pragmatism [
This indicates that either the frameworks themselves are not complete or of sufficient quality yet, and/or that operationalising the guidance from these frameworks is not successful. Both potential sources of failure (inadequate frameworks and/or implementation failures) need to be better understood before improvements to the good practices and/or their implementation can be proposed.
Indeed, COBIT 5, and by extension other frameworks in the same space, have not
been the subject to extensive scientific research yet. De Haes et al. [
Within this context, section 2 introduces the objective of the research presented in this paper. Section 3 details our research methodology. Section 4 presents the findings which are subsequently discussed in section 5, where directions for further research are also provided. 2
The goal of this literature mapping paper is to understand the current state of the
research on COBIT 5. More in particular we would like to learn about:
a) the number of publications on COBIT 5;
b) to what extent and what purpose COBIT 5 is referenced in the publications;
c) how the current research relates to the observed problems with IT Governance
and the identified research gaps [
We used the following search strategy to identify research on COBIT 5 in the academic literature. 1. Search for references as of 2012, i.e. the publication date of COBIT 5, the most recent version of COBIT. The reason for this limitation is that COBIT 5 contains substantial differences compared to its predecessor COBIT 4.1, including an extended architecture (enabler-focus instead of process focus, a very different process capability mechanism, restructured and updated process guidance, an updated goals-based prioritisation mechanism, and more. For that reason, we believe that for the purpose of this research articles dating before 2012 and/or referring to earlier versions of COBIT are less relevant. 2. Search on Web of Science (WoS) academic articles for our literature mapping. The choice for WoS was made under the assumption that publications listed in WoS passed through a peer review process, hence guaranteeing a minimum level of research quality. For that purpose, we again searched for articles published in 2012 and later, and we included both journal articles and conference proceedings in our search. We performed three searches, i.e.
Search on “IT Governance” and a number of equivalent terms, in order to generally understand the number of IT Governance related publications A search on COBIT2, in order to obtain the set of articles for our review. COBIT 5 is marketed (and marked) as an IT Governance Framework. At the same time, it is not the only one such framework, and for that reason we expect the number of articles to be found here to be smaller than, but in the same order of magnitude as the number in a).
To further confirm the overall reasonableness of the found set of articles we performed a search on “COBIT” and “Governance” to ensure that the majority of the found set of articles on COBIT was also dealing with Governance. The expectation there was that the found number should be smaller but again in the same order of magnitude as the number found in b), the reason being that COBIT has other uses (or uses not necessarily described as Governance) also. 3. The WoS search results (search date 8 May 2017) as described above are as follows: • •
There are 317 articles on IT Governance and equivalent terms.
There are 133 articles on COBIT, including 81 which contain both terms COBIT and Governance. 2 The search term used is “COBIT” and not “COBIT 5”, because not all articles use the term COBIT 5 even when the article is about COBIT 5. Since we limit the search to articles published in or after 2012, this will not lead to ‘false trues’, or at least only a very few ones. Using the search term “COBIT 5” however resulted in a lot of missed articles.
WoS WoS WoS
Looking at the number of publications per year, we see a steady growth between 2012 and 2015, and a sharp decline since then. 3 For some diagrams percentage numbers may not add up exactly to 100% due to rounding errors. Conference Proceedings
Journal Articles
The number of publications, more in particular conference proceedings, seems to have surpassed its top; this is unfortunate since the continued existence and use of COBIT 5, and the importance of IT Governance and COBIT 5 as one of the preferred implementation methods. 4.2
We classified the publications based on how and for what purpose the COBIT Framework is referenced in an article, ranging from mere reference to the subject itself of the research.
For that reason, we defined the following taxonomy for coding the found literature: • Referenced (R) – COBIT is mentioned as an existing framework or referenced, but is not used to any meaningful extent in the paper. • Derived (D) – COBIT is mentioned as an existing framework, and it is used to build a new, related framework to deal with IT Governance related or other issues. • Applied (A) – COBIT is used as is, and it is applied to a certain context or with a certain purpose; this covers e.g. application of COBIT to measure process performance, or to map it against other standards. The difference with the previous category is that no new derived framework is constructed and COBIT is used in its current shape and form. • Subject (S1 and S2) – IT Governance arrangements (S1) and/or the COBIT Framework (S2) are the subject itself of the research. They are most of the time not applied to any specific context, but rather researched as an artefact itself. This is the most fundamental research on COBIT possible. • Other (O)
The results of coding the found literature set according to the taxonomy above, is described in the table below:
12 8 20 17% 37 8 45 37% 31 6 37 31% 8 2 10 8% 5 2 7 6% 2 0 2 2% • A significant part (17% + 37%=54%) of publications uses COBIT as a reference or as a source for designing a new (proprietary) framework; • Only a small proportion of publications researches COBIT or IT Governance as an artefact (8% + 6%=14%); closer analysis learns that 10 of those 17 publications did not deal with COBIT itself (S2), but rather dealt with IT governance models in general (S2). Hence only 7 (out of 121, representing less than 6%) articles are looking at COBIT 5 as an artefact in some ways; • There are differences in the role of COBIT in journal articles versus conference proceedings articles, i.e. a larger proportion of journal articles only refers to COBIT (8 out of 26, or 31% versus only 12 out of 95 or 13% for Conference Proceedings), and a smaller proportion of journal articles deals with Applying COBIT (6 out of 26 or 23% versus 31 out of 95 or 33% of Conference Proceedings)
When interpreting these observations, we can state that:
• The large number of articles where COBIT is used as source of inspiration to
create another framework sends mixed messages. On the one hand this observation
supports the perception that COBIT is a good framework from which one can
derive another framework. On the other hand, it also demonstrates that many
people think that the problems they are facing still require new frameworks derived
from existing ones, showing potential problems with generic frameworks (like
COBIT 5) in their current states. Further research will have to determine the nature
of these problems which could include frameworks that are too complex, too
highlevel, not specific for their particular context, etc.
• The absolute low number of publications researching COBIT as an artefact
represents a major research gap. There have been well substantiated calls for this
type of research by Dehaes et al. [
We then analysed the set of publications from a different angle. In the context of our research we propose to differentiate between two types of problems with IT Governance Frameworks. In this part of our review analysis we grouped the articles as to how they covered these two types of problems: • Problems at conceptual level, indicating inherent problems with the framework itself for a variety of reasons. This sort of problem requires research on the COBIT 5 framework as an artefact itself. Such research on the COBIT 5 framework can focus either on internal consistency (is there an overall model for COBIT 5 that is rigorously applied) and/or on external consistency (is the COBIT 5 Framework aligned to or consistent with other related and/or relevant established management theories). • Problems at the contextual level, indicating problems with the application of COBIT in a certain context; this would then require the study of COBIT 5 applied within a certain context and the results of such application.
We used those two categories to distinguish publication types, and added a third possibility, i.e. ‘hybrid’, which showed features of both approaches. The analysis of the full publication set produced the following result:
We observe that most of the publications (93%) deal with COBIT 5 fully or partially at the contextual level, i.e. COBIT applied in a certain context one way or another, and only 13% of the publications were dealing with COBIT fully or partially at the conceptual level.
Interpreting this finding we can conclude (again) that the call for more research on COBIT 5 as an artefact remains unanswered, leaving the inherent quality of COBIT an open question. When looking for potential reasons for this research gap we suspect that COBIT 5 is not researched as an artefact because it is un-researchable due to its apparent complexity and size – over 1400 pages of largely unstructured texts, over 400 diagrams and tables. One solution to this lack of research at the conceptual research is to create or formalise the COBIT 5 concept first, which would then facilitate further research. From here we could for now suggest that the remedy for the observed research gap could probably consist of building a good conceptual model of COBIT 5. Such a model would contain the key concepts or constructs of COBIT 5, their most important attributes as well as the relationships between the different key constructs.
Other knowledge areas have taken a similar approach – starting from unstructured
publications deducing a theory or conceptual model before being able to formulate
research questions [
Given the high number of publications at the contextual level (see 4.3) or investigating the application of COBIT (see 4.2), we were interested in which contexts COBIT was researched. Fig. 2 shows the results of this analysis: Process Performance Improvement 16 29 39 Governance / Alignment
Security & Risk
Outsourcing & Cloud Audit & Internbal Control
IT Service Management Software Development
Project Management Enterprise Architecture
Compliance
BCP/DRP HR & Skills e-readiness Modelling
Fraud Other 2 2 2 2 2 2 3 4 5 8 9 10 9
The context in which COBIT is researched in the literature is mainly Governance, which seems quite normal given COBIT’s claim to IT Governance. This was followed by the also expected – given the origins of COBIT 5 – topics of Risk and Security. Other aspects that COBIT 5 claims to address - benefit management, resource management – are hardly researched, which represents another potential research gap. 4 some papers were dealing with more than one subject, resulting in a total of more than 121 papers
Other Healthcare
Financial
Education Government Not Specified
5% 2% 4% 12% 13% 64%
The ‘other’ category contained articles which were not specific on context, or covered issues only mentioned once (IT effectiveness, innovation, quality, flood management, etc.) 4.5
Industry sector is a commonly mentioned contingency factor for IT Governance arrangements, or at least a non-negligible number of publications describe research in a specific industry sector. We analysed the found literature set for industry sector specificity, and the results are shown in Fig. 3: 0% 10% 20% 30% 40% 50% 60% 70% • A large majority of the articles found (64%) is not industry specific, in other words, governance arrangements or COBIT 5 are not so frequently researched with an industry contingency focus. • Government (13%) and Education (12%) sectors are most mentioned, when an industry specific focus is defined. • Other sectors, including financial sector, are almost negligible in their coverage.
Interpreting these results, we can state that the observed industry sector coverage is somewhat surprisingly low: • the majority of papers is not industry specific, despite the fact that industry sector is often mentioned as contingency factor in emerging research. • The financial sector, a known ‘heavy user’ of IT Governance frameworks and COBIT, is hardly mentioned in the research. So, we could conclude that we have another potential research gap at hand. 4.6
In COBIT 5, the term IT Governance is defined as the balance between three aspects: benefits realisation, risk optimisation and resource optimisation. We have analysed the found literature to see to what extent these three aspects are researched. We found the following: 0% 20% 30% 40% 50% 60% Not Specified
All
Risk Benefits Resource 2% 1% 10% 7% 70% 66%
Looking at which of the three governance aspects (as per COBIT 5 definition) is dealt with in articles, we see that either the authors do not specify any of the three aspects but rather are dealing with governance as a general concept. When an aspect is mentioned, it is predominantly Risk, which corresponds to the findings in section 4.4. Both other aspects of resource optimisation and benefits realisation are seriously under-researched, at least in these words. 4.7
One of the key innovations in COBIT 5 is the concept “enabler”. COBIT 5 defines seven enabler categories which together are required to work in a holistic manner for IT to generate value to the organisation. We think it is useful to analyse to what extent the COBIT 5 enabler concept is being covered in literature, and if so, which enablers are included in the research. The result of this analysis is shown in Fig. 5: 5: • the majority of publications are agnostic to the enabler concept (55%), i.e. the concept is not mentioned or none of the enabler categories are mentioned explicitly • When enablers are mentioned – explicitly or implicitly – it is still the process enabler that is mostly mentioned (16% in total, 35% of articles where at least one enabler is mentioned) • All other enabler categories are seldom mentioned. 5 several articles mentioned more than one enabler, resulting in a total higher than the total number of articles 25% Not Specified
Process Organisational Structures
Skills
Culture Infrastructure
Policies Information There has been an emerging interest recently to conduct research on contingency factors for IT Governance, e.g. strategic role of IT, IT strategy and others. Our literature mapping was focussed on COBIT (as opposed to ‘IT Governance’ and equivalent terms), and it rendered not many results that indicated research on contingency factors was happening. 5
In conclusion of our literature mapping we can state that the current literature hardly researches COBIT as an artefact. The underlying concepts or model of COBIT 5 are not researched or challenged, and we suspect this is mainly because of the absence of a decent, researchable conceptual model of COBIT 5. Current research at the conceptual level seems to be anecdotical, i.e. it takes some particular subjects (e.g. the goals cascade, processes) without looking at the overall model of COBIT. Similar literature reviews in other databases could further support this observation, and if confirmed, this is an important research gap, that can best be resolved by the creation of a conceptual model for the COBIT 5 Framework.
Related to the above, but also applicable when looking at the contextual research, we see that • much of the research deals with COBIT 5, but does so with a COBIT 4.1 lens, meaning that the newer concepts introduced in COBIT - the enabler concept, the new governance definition – are not researched. This is another important research gap. • The context itself also remains very classical, i.e.; IT governance(naturally), IT risk, IT security still seem to be the pet topics of researchers, leaving many other topics under-researched.
When looking at how COBIT 5 is used, and referring to our first point, we see a lot of research in which COBIT 5 is used as a source for deriving a new framework. This fact alone – creating a new framework to resolve a certain matter instead of using COBIT 5 itself, is probably an indication of a problem with COBIT 5. Such a problem could include the applicability and implementation difficulty of COBIT 5these frameworks – again a topic for further research. 6