The Time for Sustainable Business Is Now: Leveraging COBIT 5 in Sustainable Businesses

Stakeholders expect that businesses create value, but at what cost? In the end, stakeholders and businesses are looking for the same thing: to protect their future.

COBIT 5 can be used to help enterprises create value for their stakeholders, including the sustainable development concept in their goals and in the governance and management of enterprise IT (GEIT).

Sustainable Development and Why Now

The most common definition of sustainable development is from Our Common Future, also known as the Brundtland Report.¹ It states that “sustainable development is development that meets the needs of the present without compromising the ability of future generations to meet their own needs.”²

According to the main findings of the United Nations’ Sustainable Development in the 21^st Century project, at the global level, “the impact of human activity on the environment, the environmental footprint, and carbon emissions and resource consumption from urbanization have been increasing. Many resources on which humanity depends for survival are at risk. Examples of efficiency gains have increased, but, historically, the environmental benefits of improved technology have been insufficient to counterbalance impacts linked with increases in population and affluence.”³

Technology should and must be an enabler of promoting sustainable development and achieving a “balance among the economic, social and environmental needs of present and future generations…, changing unsustainable practices, and promoting sustainable patterns of consumption and production.”⁴

To accomplish these goals, the sustainable use of technology will depend on a global partnership for sustainable development with the active engagement of governments, businesses, civil society and other international organizations, such as the United Nations (UN) or the Organisation for Economic Co-operation and Development (OECD).⁵ UN Secretary-General Ban Ki-moon named sustainable development a priority for 2015 at a UN briefing in early January.⁶

What COBIT 5 Can Do for Sustainability

One major driver for the development of COBIT 5 includes the need to “provide more stakeholders a say in determining what they expect from information technology (what benefits at what acceptable risk and cost) and what stakeholder priorities are in ensuring that expected value is actually being delivered. Some will want short-term returns and others will want long-term sustainability.”⁷

Before determining these priorities, it helps to reconcile statements about progress, gaps and perspectives for sustainable development identified by the main findings of the United Nations’ Sustainable Development in the 21^st Century⁸ project. Its goals and strategies can be adapted as follows:⁹

• Develop integrated national and international strategies and strong institutions that can guide all actors, including the enterprise and its external and internal stakeholders, toward global sustainability.
• Include sustainability into the continuing professional education policy to ensure that sustainability will be considered and put at the center of the decision-making process.
• Reorient IT investment to facilitate sustainable choices and behaviors and to achieve enterprise sustainability goals and IT-related goals.
• Put participation at the heart of decision making at all relevant levels to ensure that all stakeholders’ needs are satisfied.
• Monitor, evaluate and assess performance to modify decisions, as needed.

COBIT 5 has embedded the four cross-cutting principles of the UN’s sustainable development project to building institutional frameworks that are fit for the challenges of sustainable development:¹⁰

1. Improve governance. COBIT 5 ensures that all stakeholders are identified and their needs are evaluated in order to determine the enterprise’s sustainability goals and its associated IT-related goals.
2. Improve measurement, monitoring and evaluation systems. COBIT 5 uses indicators and can adopt the existing sustainable development indicators as management tools at various levels and in various sectors in order to improve environmental monitoring and information systems at different scales.
3. Assess the roles of public and private actors. COBIT 5 recognizes different stakeholders with different needs and obligations.
4. Increase the resilience of human and natural systems. COBIT 5 suggests stakeholder needs related to sustainability and, thus, allows the use of its goals cascade to ensure the identification of enterprise goals and the evaluation of possible risk that can hurt its achievement. So, the implemented IT process will be capable of delivering outcomes even if the risk factors are materialized and the conditions are not the best.

Application of the COBIT 5 Principles

COBIT 5 is based on the assumption that companies exist to create value for their stakeholders, so the governance objective of any company (commercial or otherwise) is the creation of value.

To apply the first of COBIT 5’s principles, Meeting Stakeholder Needs, it is necessary to define the stakeholders and their needs:

• Stakeholders:
  • External—Government, regulators, society in general, shareholders, business partners, customers, suppliers, consultants and external auditors
  • Internal—Board, c-suite executives, business executives, business processes owners, IT managers and users, compliance managers, human resources managers, internal auditors, and personnel
• Stakeholder needs, focusing on five enterprise goals:¹¹
  • Stakeholders’ value of business investments, especially for the stakeholders’ society
  • Compliance with external laws and regulations focusing on environmental laws and laws dealing with labor regulations in outsourcing arrangements
  • Agile response to changing business environment
  • Skilled and motivated people, recognizing that the success of the enterprise depends on its people
  • Product and business innovation culture, focusing on longer-term innovations

The second COBIT 5 principle, Covering the Enterprise End-to-end, is reflected in the definition of sustainability: needs of present and future generations.

COBIT 5 is aligned at a high level with other relevant standards and frameworks and, therefore, can be the main framework for IT governance and management in an enterprise. This is reflected in principle 3, Applying a Single, Integrated Framework.

Principle 4, Enabling a Holistic Approach, defines seven enabler categories to support the implementation of a global IT governance and management:

1. Principles, policies and frameworks—According to OECD Guidelines for Multinational Enterprises, “they (enterprises) should take fully into account established policies in the countries in which they operate, and consider the views of other stakeholders.”¹²
   
   In comparing OECD policies requirements and COBIT 5 IT-related goals, it can be assumed that policies have to take into account and influence decisions related to:
   • Alignment of IT and business strategy to achieving sustainable development. This is important to set and maintain a governance framework that considers sustainability as a core principle.
   • IT compliance and support for business compliance with external laws and regulations and with internal policies and security of information, processing infrastructure and applications. Enterprises should comply with human rights; environmental and social responsibility; natural resources management; information security management; and health, safety and labor regulations. Their own policies must recognize these and strongly avoid exceptions while stipulating the consequences. It is important that educational, awareness and training activities include sustainability compliance issues. This will increase the confidence of stakeholders in the enterprise.
   • Managed IT-related business risk and delivery of IT services in-line with business requirements. Sustainability requires identifying risk factors that could limit the possibility of future generations to satisfy their needs and put in place countermeasures to prevent negative impacts. It also requires satisfying business requirements. Important subjects to evaluate are external laws and regulations, best practices and international standards, internal policies, and IT and business performance goals.
   • IT agility to respond in a timely and efficient manner to a changing business environment
   • Competent and motivated. If personnel understand their responsibility regarding sustainability and respect future generations’ rights in the current decision making or performance process, reaching sustainability objectives is most likely.
   • Knowledge, expertise and initiatives for business innovation. Innovation allows for sustainability; knowledge, expertise and new initiatives focused on sustainability are critical to innovation in order to discover new and more efficient methods to protect the business environment and IT personnel.
2. Necessary processes to manage IT activities—COBIT 5 defines detailed mapping between enterprise goals, IT-related goals and processes. If sustainable businesses require the satisfaction of their needs while considering future needs, enterprises have to ensure that their processes consider good sustainability practices and activities in accordance with laws, regulations and internal policies. Metrics have to include the measurement of this achievement.
3. Organizational structures—The hierarchy that defines the responsibilities of each of the business and IT roles. These responsibilities have to consider sustainability issues.
4. Culture, ethics and behavior of individuals and the company—These behaviors provide the necessary basis for the company to consider and respect the needs of future generations and the importance of long-term innovation.
5. Useful information—This information can be used to make decisions for all stakeholders and demonstrate regulatory compliance to parties, including in legal situations.
6. Services, infrastructure and applications—Global Reporting presents a very useful list of relevant sustainability issues for software and services, technology and semiconductors, and telecommunications services.^{13, 14, 15} It can be a guide to considering sustainability issues in service-level definition and in the life cycle of services capabilities. Some examples are the energy footprint of data centers, energy efficiency of operations, water consumption, electronic waste (e-waste), end-of-life of products, eco-efficiency and recycling, occupational health and safety risk, and customer privacy.
7. People, skills and competencies—Both in business and IT, people and their skills are needed to carry out activities and for decision making and corrective actions, recognizing that the success of the enterprise depends on its people.

The COBIT 5 framework establishes a clear distinction between governance and management (principle 5, Separating Governance From Management). These two disciplines cover different types of activities, require different organizational structures and serve different purposes. Both are necessary to establish and improve sustainable businesses.¹⁶

Conclusion

Sustainability is a stakeholder need and business requirement. But more than anything, it is a human responsibility.

IT plays an important role. It can be a solution or part of the problem, depending on how it is governed and managed.

For business to be sustainable, it has to consider sustainability as a strategic priority; manage risk factors; comply with external laws and regulations; be agile to respond in a timely and efficient manner to a changing business environment; focus innovation on long-term sustainability aspects; plan, build, run and monitor IT as a priority; and invest in business and IT personnel training.

COBIT 5 assists enterprises in achieving this goal.

Endnotes

¹ World Commission on Environment and Development (WCED), Our Common Future, Oxford University Press, UK, 1987, p. 43, http://www.iisd.org/sd/
² Bioenergy Promotion, “Paper providing input to the programming of the CENTRAL EUROPE Programme 2014-2020,” 23 January 2014, http://bioenergypromotion.org/bsr/publications/input-paper-central-europe-programme-2014-2020/?searchterm=central%20europe#.VNDglmjF9yw
³ United Nations, “Back to Our Common Future. Sustainable Development in the 21^st century (SD21) Project. Summary for Policy Makers,” 2012
⁴ Ibid.
⁵ OECD, “The Organisation for Economic Co-operation and Development Guidelines for Multinational Enterprises,” 2011
⁶ UN News Centre, “‘2015 Can and Must Be Time for Global Action,’ Ban Declares, Briefing UN Assembly on Year’s Priorities,” 8 January 2015, www.un.org/apps/news/story.asp?NewsID=49752#.VNDhq2jF9yw
⁷ ISACA, COBIT 5, USA, 2012, 4crt.rf518.com/cobit
⁸ Op cit, United Nations
⁹ Ibid.
¹⁰ Ibid.
¹¹ Op cit, ISACA
¹² Op cit, OECD
¹³ Global Reporting, “Software and Services”
¹⁴ Global Reporting, “Technology and Semiconductors”
¹⁵ Global Reporting, “Telecommunication and Services”
¹⁶ Op cit, ISACA

Graciela Braga, CGEIT, COBIT 5 Foundation, CPA, is vice president of the Commission for the Study of Record Systems of the Buenos Aires Institute of CPAs in the city of Buenos Aires, Argentina. She is also a researcher at the Instituto Autónomo de Derecho Contable (Autonomous Accountancy Law Institute), Argentina. She has worked on audits and internal control reviews for public and private entities using international frameworks such as COBIT, COSO and the ISO 27000 series. She has participated in the preparation and review of ISACA products and research related to COBIT, privacy and big data. She is the author of the COBIT Focus case study “COBIT 5 Applied to the Argentine Digital Accounting System,” published in January 2015 (4crt.rf518.com/COBIT/Focus).