Founded in 1957, Al Rajhi Bank is one of the largest Islamic banks in the world, with total assets of SR 288 billion (US $76.8 billion), a paid-up capital of US $4.3 billion and an employee base of more than 8,400 associates. After more than 50 years of experience in banking and trading activities, the various individual establishments under the Al Rajhi name were merged into the umbrella Al Rajhi Trading and Exchange Corporation in 1978. In 1988, the bank was established as a Saudi shareholding company.
With an established base in Riyadh, Saudi Arabia, Al Rajhi Bank has a vast network of more than 500 branches, over 100 dedicated ladies’ branches, more than 4,030 automated teller machines (ATMs), 36,000 point-of-sale (POS) terminals installed with merchants and the largest customer base of any bank in the kingdom, in addition to 130 remittance centers across the kingdom.
The IT governance function of the bank was newly established in 2014, and the bank needed to comply with regulatory requirements established by the Central Bank of Saudi Arabia. Additionally, audit findings indicated the need for an improved IT risk management framework and internal controls. The bank was using multiple frameworks and standards, including ITIL, Project Management Office (PMO) and ISO/IEC 27001, to govern and manage IT.
Choosing a Framework
The bank recognized the need to use an integrated model to meet the needs it had identified, especially compliance and audit requirements. It was also considered essential that an integrated model introduce a common language of risk management to allow the bank to better measure the performance of IT. The bank therefore turned to COBIT, as it was deemed suitable to meet the bank’s needs. All of the bank’s identified requirements could be mapped to COBIT processes and process practices, and COBIT 5’s wide range of guides, tools and training helped stakeholders at the bank to improve their knowledge of COBIT for a more successful implementation.
Management Support
To gain the support of senior management, the bank’s pain points and business objectives were identified. The pain points included the use of multiple frameworks and governance standards to manage and govern IT, and audit nonconformities raised by internal and external bodies.
The business objectives included meeting compliance and regulatory requirements, closing the audit gaps and integrating the IT governance with corporate governance.
The pain points and business objectives were mapped to COBIT practices using the goals cascade mechanism (figure 1). The COBIT processes were then mapped to the IT operating model of the bank.
Figure 1—COBIT 5 Goals Cascade
Source: Adapted from ISACA, COBIT 5, USA 2012
Bank management also explained the importance of a holistic approach, using COBIT 5’s 7 enablers (figure 2), toward building a sustainable IT governance and risk management model for the bank.
Figure 2—COBIT Enablers
Source: ISACA, COBIT 5, USA 2012
Achieving the Goals
A road map to meet the governance and compliance requirements was defined in a 3-phase project (figure 3).
Figure 3—Building Blocks of IT Governance
Source: Ibrahim Al-Rashid, Vaseem Nasiruddeen and Sreechith Radhakrishnan. Reprinted with permission.
The bank performed a process capability assessment based on COBIT 5 and ISO 15504 to identify the strengths and weaknesses of existing processes. It also performed a risk assessment based on the assessment result to prioritize the processes most in need of improvement. Once the team determined the most important processes to improve and focus on, priority was given to compliance requirements. The bank also developed a road map to improve the processes, which included short-term and long-term projects.
Moving Forward
The bank produced a model in which COBIT can be used to meet the IT performance, audit and compliance requirements within the bank. Creating such a model allows the bank to replicate the work already done and easily apply it to future IT performance, audit and compliance needs as they arise.
A risk management model has also been created as a 2-phase project (figure 4).
Figure 4—Risk Management Model
Source: Ibrahim Al-Rashid, Vaseem Nasiruddeen and Sreechith Radhakrishnan. Reprinted with permission.
Conclusion
COBIT can be used by organizations to improve IT performance and meet regulatory and compliance requirements. It starts with management buy-in and prioritizing the processes or process practices to be improved and/or implemented. The goals cascade is a great tool and it is also helpful in mapping pain points and trigger events to COBIT processes, as demonstrated in the COBIT 5 Implementation guide.
There are a few important points to remember:
- Do not try to do everything at one time. Practice continual improvement, take small steps and stabilize the improvements as you go.
- Assign roles and responsibilities that are clearly defined using the responsible, accountable, consulted and informed (RACI) model.
- Focus more on changing people’s behavior. The cultural aspect of implementing these improvements cannot be underestimated.
Ibrahim Al-Rashid
Is the chief information officer leading the IT department of the largest bank in the Middle East.
Vaseem Nasiruddeen, COBIT Foundation, ITIL Expert, PMP, CMQ/OE
Is the program manager of IT governance and the IT service management program at Al Rajhi Bank. He is an IT consultant and ITIL expert with more than 20 years of relevant experience. Nasiruddeen has extensive international experience in IT strategy, governance and service delivery in banking.
Sreechith Radhakrishnan, COBIT Certified Assessor, ISO/IEC 20000 LA, ISO/IEC 27001 LA, ISO22301 LA, ITIL Expert, PMP
Is lead trainer and principal consultant with Global Success Systems FZ LLC, United Arab Emirates, where he and his team help organizations improve their IT performance and reap maximum benefit from their IT investments. He is an accredited trainer for multiple disciplines including COBIT, ITIL, PMP and IT security. His more than 19 years of dynamic IT management experience includes network infrastructure management, project management, IT operations management and service management.