We are currently trying to revamp our IT governance framework using COBIT 5. One major hurdle our team is facing is the actual practical application of the Goals Cascade to define meaningful performance metrics. How do you ensure that the technical KPIs we track in the DSS or BAI domains actually translate into value for the board of directors? I'm looking for real-world advice on avoiding "vanity metrics" that look good on paper but don't drive any strategic business alignment.
3 answers
To truly align COBIT 5 metrics with business goals, you must master the "Goals Cascade" mechanism. Start by identifying the 17 generic enterprise goals categorized under the Balanced Scorecard (BSC) dimensions: Financial, Customer, Internal, and Learning and Growth. From there, map these to the 17 IT-related goals. The secret is moving from Lag Indicators (which tell you what happened) to Lead Indicators (which predict success). For the DSS domain, don’t just track "uptime"; track "percentage of business process downtime caused by IT incidents." This shifts the focus from a technical stat to a direct impact on business operations and stakeholder value.
That’s a solid breakdown of the cascade, but how do you handle the initial resistance from technical teams who feel these business-centric metrics don't capture their daily workload?
Focus on the EDM (Evaluate, Direct, and Monitor) domain to ensure the board sees the value. Metrics should be presented in a dashboard that speaks their language: risk, cost, and benefit
Exactly, Linda. As mentioned in the original question about vanity metrics, using the EDM domain prevents IT from reporting in a vacuum. I agree that a dashboard is the best way to visualize this alignment.
Robert, that is a common friction point. The key is to involve them in the "mapping" phase. Explain that by linking their technical tasks to a business outcome, they are proving their department's worth to the CFO. For example, show a sysadmin how "patching frequency" (a technical KPI) directly reduces the "residual risk of data breaches" (a business goal). When they see their work as risk mitigation rather than just a checklist, the cultural shift begins. It turns "boring compliance" into "strategic protection."