COBIT Case Study: Kuwait Turk Participation Bank Uses COBIT for Compliance and Reaps Additional Benefits

ABSTRACT

Kuwait Turk is a participation bank established in Turkey in 1989. Its objectives are to bring diligence to the interest-free banking system; research fields of investment; and introduce contemporary, reliable, rapid and high-quality services to its customers. Kuwait Turk, which started its operations with a head office and one branch, now has 78 branches throughout Turkey. It has more than 1,350 employees who serve more than 810,000 customers. In accordance with its vision of becoming an international finance house, Kuwait Turk currently has a branch in Bahrain and a representative office in Germany.

Kuwait Turk began using Control Objectives for Information and related Technology (COBIT), developed by the IT Governance Institute (ITGI), to comply with rules and requirements set by the Banking Regulation and Supervision Agency of Turkey (BRSA), but soon realized that the use of COBIT provided many additional benefits, including more controlled IT processes that are integrated with business processes.

BACKGROUND

In May 2006, BRSA passed legislation requiring all banks operating in Turkey to adopt COBIT's best practices when managing IT-related processes. Article 30 of the legislation specifically required all banks to comply with auditing requirements based on COBIT's control objectives. As BRSA noted in the legislation, COBIT was selected as the framework with which to comply because its control objectives are internationally recognized and considered to be effective at controlling IT-related processes. Kuwait Turk also recognized a need to restructure its IT processes for better control and measurability, which COBIT could help accomplish.
PROCESS

The initial phase of the COBIT implementation project was the formation of a project team consisting of four members from the security, operations, business consulting, and application development and support units in the IT department. The project team received assistance from consultants from the Enterprise Risk Services division of Deloitte-Touche Turkey.

The COBIT implementation project started by identifying the tangible and intangible IT assets and their owners. After the identification of IT assets and owners, the control owners and the responsible employees of the IT processes included in COBIT were determined. Then, a COBIT gap analysis was performed by documenting the existing controls and control deficiencies. After reviewing the COBIT control objectives and analyzing the applicability of each COBIT control to the Kuwait Turk environment, the bank documented the additional controls it needed to develop to meet COBIT control requirements. Finally, an action plan was prepared to address control deficiencies identified by COBIT, delete redundant controls and redesign some existing controls to be compliant with COBIT control objectives. These controls were prioritized according to their risk level.

Study groups were formed to work on processes such as the systems development life cycle (SDLC), project management, information security policies and change management, to develop new controls and ensure that existing controls were aligned with the desired COBIT controls. Controls such as standards, policies and procedures were approved by IT and business senior management and published on the corporate intranet.

Kuwait Turk's board of directors empowered two board members, who are also members of the IT Steering Committee, to oversee the implementation of COBIT. Upon reaching every milestone of the project, the results were presented to the IT Steering Committee.
Kuwait Turk's goals for COBIT were to help the organization:

• Comply with BRSA requirements
• Ensure that IT processes are designed to support the business processes and objectives
• Ensure that long-term IT strategy and plans are consistent with business strategy and plans
• Implement a process-centric environment where IT activities are grouped and organized in processes
• Develop controls such as policies, procedures and standards to reduce risk to an acceptable level
• Establish an IT quality function to monitor process improvement and compliance with COBIT controls
• Redesign/implement critical IT processes, such as project management, SDLC, change management, security management, configuration management, risk management, quality management, application management, service level management, third-party management, backup management and IT value management

CONCLUSION

Goals Achieved

Kuwait Turk's goals for COBIT were achieved as follows:

• Comply with BRSA requirements. Kuwait Turk developed COBIT controls and started applying these controls to IT processes. The COBIT project team and IT quality assurance personnel continue to help promote awareness of COBIT controls among the bank's personnel.

• Ensure that IT processes are designed to support the business processes and objectives. Throughout the implementation of COBIT, the project team worked with IT senior management to prepare IT strategic and tactical planning frameworks aligned with the business strategic plan to support business objectives. The IT Steering Committee later reviewed and approved the IT strategic and tactical plans.

• Implement a process-centric environment where IT activities are grouped and organized in processes. Prior to the implementation of COBIT controls, IT activities were grouped into units and job positions. Since the roles and responsibilities for IT activities were not clear, the Kuwait Turk IT department faced a challenge.
After the implementation, IT activities were grouped and organized successfully into COBIT processes.

• Develop controls such as policies, procedures and standards to reduce risk to an acceptable level. The COBIT project team realized that the IT department did not have sufficient policies, procedures and standards. IT personnel rarely documented the IT activities they performed, and there were few internal controls with which they complied, which increased the level of IT risk. Once the COBIT project team began to develop new COBIT controls, most of the IT risks in critical processes were minimized and the team was able to quantify risk exposure.

• Establish an IT quality function to monitor process improvement and compliance with COBIT controls. During the COBIT implementation, the need to establish an IT quality function was recognized. One of the responsibilities assigned to IT quality assurance personnel was to continually improve the key IT processes and increase the overall performance of services delivered to all users. Another responsibility was to ensure that business and IT users comply with COBIT controls. An IT customer survey was conducted to measure the satisfaction level of business users with IT services, and an action plan was prepared to resolve issues reported through the survey.

• Redesign/implement critical IT processes. When establishing a process-based environment in IT, Kuwait Turk had the challenge of redesigning and implementing the IT processes. To overcome the challenge, the organization communicated with the study groups/teams formed in the department.

Additional Benefits

Additional benefits Kuwait Turk has realized as a result of implementing COBIT include:

• Changes to the systems supporting business processes are being handled in a more controlled and effective manner.
• Through service level agreements, business users were informed about the services the IT department provides, and service level performance is reported to the business and IT senior management team.
• Customer satisfaction is being measured, and response plans have been generated.
• Notification of stakeholders and the visibility of IT processes have improved.
• Problem management is more timely and efficient.
• The business has greater involvement in IT processes where possible (system ownership in the SDLC, stakeholder management in project management, etc.).

Future Plans

In the future, the Kuwait Turk IT department will use COBIT to measure the performance of IT processes, as performance measurement is vital for effective IT governance. The IT department's goal is to develop a process performance model, enabling the organization to keep track of the performance of IT goals based on how they deliver and what they need to deliver. Key performance indicators (KPIs) and key goal indicators (KGIs) will be decided for each IT process. With the cooperation of IT and business senior management, standard performance targets and metrics for IT processes will be determined. The results of IT process performance will be reported periodically to the IT Steering Committee. After evaluating and analyzing the performance results, continuous improvement will be further discussed. Kuwait Turk's target is to approach the "managed and measurable" level in the maturity model for each IT process.

When introducing new controls, goals, processes and standards, Kuwait Turk's IT department examines them at a level of rigour to which new IT personnel are not accustomed. Awareness of COBIT controls and cultural change in the IT department will continue to be promoted through training sessions and periodic compliance audits.
Despite beginning the COBIT project to comply with the BRSA requirement, Kuwait Turk quickly realized that IT governance helps critical IT processes become more controlled and integrated with business processes. The implementation of COBIT at Kuwait Turk also proved that senior IT management was innovative and forward-thinking about bringing IT services to a level where the IT department becomes one of the core competencies of Kuwait Turk Participation Bank.

Questions:

• Please summarize the case.
• What's generating all of the extra project requests?
• What problems arise from over-commitment?
• What's your assessment of the company's IT governance?

Source: http://www.itgi.org/Template_ITGI.cfm?Section=Case_Studies1&CONTENTID=50161&TEMPLATE=/ContentManagement/ContentDisplay.cfm