Strategy Without Governance is Just Expensive Hope

A CEO unveils a bold three-year digital transformation strategy at the annual board offsite. AI-enabled customer experience. Cloud-first infrastructure. A new data platform. An ambitious cyber posture. The board applauds. The press release writes itself.

Eighteen months later, the program is over budget. Two key vendors have underdelivered. The AI pilots are stalled in legal review. And when the audit committee asks a simple question — who owns what, and who decides what? — no one in the room can answer cleanly.

The strategy wasn’t wrong. The governance underneath it was assumed… not designed.

Strategy and governance are not the same thing — and confusing them is expensive. Strategy sets direction. Governance creates the conditions that make execution possible: accountability, decision rights, risk appetite, resource alignment, and performance measurement. Without governance, strategy becomes a slide deck of intentions. And as I’ve said before — hope is not a control.

This year marks COBIT’s 30th anniversary. Three decades of helping enterprises connect strategy to execution through the governance and management of information and technology. The anniversary is a useful moment to revisit a truth COBIT has reinforced from day one: governance is not bureaucracy. It is the operating system that makes strategy real.

The pattern is everywhere once you start looking for it. Consider two well-documented cases — different industries, same root failure.

The Boeing 737 MAX program had a defensible strategic ambition: compete aggressively with Airbus, accelerate time-to-market, preserve the existing type rating. The strategy itself wasn’t the problem. What failed was the governance around it. Accountability between engineering and program management blurred. Oversight of safety-critical decisions weakened. Incentives misaligned. The board was not positioned to challenge execution risk in any meaningful way. The result was tragic loss of life, billions in financial damage, and a decade of reputational repair that is still underway.

The Equifax breach of 2017 tells the same story in a different uniform. The strategy — aggressive data monetization, leveraging one of the largest consumer data sets in the world — was clear and approved. The governance to support it was not. A known vulnerability went unpatched for months. Asset inventories were incomplete. Accountability for security operations was diffuse. The breach exposed sensitive data of nearly 150 million people and ultimately cost the company well over a billion dollars in settlements, fines, and remediation. Equifax did not lack strategy. It lacked the governance system to execute one safely.

Two industries. Two crises. One pattern.

So where does this break down? In my work with executives and boards, the root causes are remarkably consistent:

  • Governance is treated as a compliance afterthought rather than a strategic enabler.
  • Decision rights are undefined — everyone is “involved,” no one is accountable.
  • Risk appetite is unwritten or unread, so risk decisions default to the loudest voice in the room.
  • There is no real alignment between enterprise goals, IT goals, and risk posture — the exact gap COBIT’s goals cascade was designed to close.
  • Digital trust is assumed, not engineered. Leaders presume customers, regulators, and employees will trust the enterprise’s use of technology and data — without ever defining what trustworthy behavior actually looks like.
  • The board is briefed on the strategy but not on the governance system underneath it.

Any one of these is a problem. In combination, they are the reason strategies fail at execution and the reason post-mortems sound eerily alike across industries.

The good news is that this is preventable — and it doesn’t require reinventing the wheel. Mature frameworks already exist. The discipline is in actually using them.

First, design the governance system alongside the strategy, not after it. Use COBIT’s governance and management objectives as a backbone to ensure stakeholder needs, decision rights, and performance metrics are explicit before execution begins. If you cannot describe how the strategy will be governed, you do not yet have a strategy you can execute.

Second, make digital trust an executive-level outcome, not an IT deliverable. ISACA’s Digital Trust Ecosystem Framework (DTEF) provides a practical structure — quality, security, integrity, transparency, privacy, and resilience — for translating strategic intent into trustworthy execution. Strategy without trust is strategy without takers. Customers, regulators, and employees are the ones who decide whether your strategy actually lands… and they decide based on whether they trust how you operate.

Third, define and document risk appetite at the strategy level, then cascade it down. If the board cannot clearly articulate what risk it is willing to accept, no executive below them can make confident decisions. Ambiguity at the top becomes paralysis — or recklessness — in the middle.

Fourth, establish clear accountability tied to strategic outcomes, not to org charts. A RACI chart (Responsible, Accountable, Consulted, Informed) is only useful if it reflects how decisions actually get made.

Fifth, brief the board on the governance system, not just the strategy. Boards should be asking “how will we govern this?” with the same rigor they ask “what will it return?” That single shift in board behavior would prevent more failures than any new framework ever will.

Final Thoughts

If there is a single message I want executives and boards to take from COBIT’s 30-year mark, it is this — governance frameworks exist precisely because hope keeps failing as a strategy. We have the tools. We have the evidence. What’s often missing is the discipline to use them before something goes wrong.

A few takeaways:

  1. Strategy declares ambition. Governance delivers it. Do not confuse the two.
  2. COBIT at 30 is a reminder that governance is not bureaucracy — it is the system that turns intent into outcomes.
  3. Digital trust is a governance outcome. Use the DTEF to make it tangible, measurable, and owned.
  4. If decision rights and risk appetite are not explicit, your strategy is running on assumptions — and assumptions are not controls.
  5. The board’s job is not only to approve the strategy. It is to govern it.

Strategy is the easy part. Governance is what separates the organizations that execute… from the ones that explain.