With smart agriculture using soil and crop data gaining traction around the world, the importance of data management is also being increasingly recognized. As in any other business, the products produced (in this case, crops in agriculture) need to be safe and environmentally and socially friendly. In addition to a traditional security perspective, it is important to focus on the perspectives of accuracy and validity when actively using data in agriculture, as the detailed conditions of soil and crops are digitized by sensors. Furthermore, when using artificial intelligence (AI), it is necessary to consider the characteristics of unpredictability and black boxes. To address these new perspectives, COBIT’s comprehensive information and technology (I&T) governance management framework can be implemented.
What Is Smart Agriculture?
Smart agriculture combines traditional agriculture with emerging technologies such as robotics, AI and the Internet of Things (IoT) to help improve the quality, added value and productivity of agricultural products. In smart agriculture, the research and development of support services using data analysis and AI is booming. These services use sensors to collect data on crops, soil and surrounding environments, which are then analyzed or processed by AI to help producers make decisions and take actions (e.g., production planning, tillage, sowing, fertilization, harvesting, shipping). This indicates that digital technology can support some of the advanced decisions and actions that have been made by skilled producers based on their know-how and intuition, making it easier to aim for higher quality, higher added value and higher productivity of agricultural products.
In Japan, the Ministry of Agriculture, Forestry and Fisheries (MAFF) is promoting the use of Wide Area Generalized Agricultural Data Infrastructure (WAGRI) as part of its smart agriculture promotion project, with the policy goal of having “almost all of the leaders in agriculture practice data-driven agriculture” by 2025 (figure 1).1
Source: Japan Ministry of Agriculture, Forestry and Fisheries (MAFF), About the Agricultural Data Collaboration Platform, January 2021. Abridged translation by Alexander Vinson. Reprinted with permission.
Risk Associated With the Use of Data and AI in Agriculture
Risk arises from the unpredictability and opacity of AI (e.g., the black box effect)2 and the suboptimal decisions that can be made due to diminished data authenticity and validity, which are considered particularly important for people who work in the agriculture business on a regular basis to address.
In addition to these risk factors, there are also security (confidentiality, integrity and availability [CIA]), data rights and contractual risk scenarios to consider. For example, for crops that are rare and difficult to grow, there is high value in data sets that can be used to analyze how soil, sunlight, temperature, watering and fertilization conditions affect crop quality. Guidelines on information security (including COBIT®) are helpful in ensuring the confidentiality of these data sets and how to protect them from leakage due to internal fraud, accident or cyberattacks.
Use of COBIT
The COBIT framework can be used to successfully govern and manage smart agriculture processes that use data and AI.
The basic concepts of COBIT include:3
- For information and technology to contribute to the achievement of enterprise goals, several governance and management objectives should be achieved.
- To achieve governance and management objectives, organizations need to establish, coordinate and maintain a governance system that is built from several components.
- The components can be of various types. The most familiar are processes. However, components of a governance system can also be organizational structures, policies and procedures; information items, culture and behavior; skills and competencies; services; infrastructure and applications.
The COBIT core model presents 40 governance and management objectives (figure 3).
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
To satisfy these governance and management objectives, an organization needs to establish, tailor and sustain a governance system built from a number of components. (figure 4).
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
Each objective has a detailed description of its components. For example, process components include practices, activities, sample metrics and related guidelines (figure 5).
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
There are several components of process, organizational structure and culture that correlate with selected management objectives that correspond to the examples of risk (figure 2) that are important to address on the frontlines of smart agriculture.
Management Objectives
There are multiple objectives that address the risk examples in figure 2: data accuracy, data validity, AI unpredictability and AI opacity. However, when going beyond one objective for data and one objective for AI, Align, Plan and Organize (APO) APO14 Managed Data (figure 6) and Deliver, Service and Support (DSS) DSS06 Managed Business Process Controls (figure 7) can be selected.
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
The reasons for these choices are clear from the process component of APO14 Managed Data and DSS06 Managed Business Process Controls.
The Process
The COBIT process consists of several practices. The risk examples in figure 2 mainly correspond to the practices listed in figure 8.
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
It is possible to consider specific measures to be taken in agricultural operations using data and AI by referring to the description of each practice.
Organizational Structure
In addition to management objectives and process, COBIT provides an organizational structure for each practice as shown in figure 9.
Note: R=Responsibility and A=Accountability. Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
Large-scale agricultural enterprises often have the option of having more than one person as a management team or administrator and also be in line with the organizational structure shown in figure 9. On the other hand, in family farms and small-scale agricultural enterprises, these roles are performed by a single individual. When using advanced data analysis and AI, there are many cases where external experts and solution providers are relied on, but it is important to recognize that the responsibility for implementing the measures lies with the business owner and that the management representative or business process owner (in this case, the person in charge of crop selection) is accountable.
Culture
There are also key cultural elements corresponding to the two aforementioned management objectives and the desired state corresponding to the risk examples in figure 2.
For data and AI-driven agriculture, the importance of forming the desired states shown in figure 10 is clear. This may also apply to other industries that actively utilize data and AI. Few guidelines mention culture, but in addition to implementing processes and organizational structures, fostering a culture in conjunction with them will ensure more effective governance and management.
Source: ISACA®, COBIT® 2019 Framework: Governance and Management, USA, 2018. Reprinted with permission.
Conclusion
Digital transformation is progressing in the smart agriculture space—and across all industries and business categories. Such change presents new sources of risk, which must be taken into account when bringing a service or product idea from the concept validation stage to market. However, it is often difficult to respond to new risk in a timely manner, especially for new products and services that have not yet become available. As COBIT® has evolved over the past 25 years, incorporating insights from academia and practice, it has become clear that the management objectives and components of COBIT are also very powerful tools for dealing with risk in new business domains that utilize data and AI.
Author’s Note
The content of this article is based on the author’s personal opinion and does not reflect an official position by PricewaterhouseCoopers Aarata LLC or PwC Consulting LLC.
Endnotes
1 Ministry of Agriculture, Forestry and Fisheries (MAFF), FY2021 Budget Estimate Request (23 Smart Agriculture Comprehensive Promotion Measures Project), Japan, 2021, http://www.maff.go.jp/j/budget/pdf/r3yokyu_pr23.pdf
2 European Commission, White Paper on Artificial Intelligence: A European Approach to Excellence and Trust, Brussels, Belgium, 19 February 2020, http://ec.europa.eu/info/publications/white-paper-artificial-intelligence-europeanapproach-excellence-and-trust_en
3 ISACA®, COBIT®, 2019 Framework: Introduction and Methodology, USA, 2018, http://uokr.regaloteas.com/resources/cobit
Mitsuhiko Maruyama, CISA
Is a partner at PricewaterhouseCoopers (PwC) Consulting LLC. For 25 years, Maruyama has been involved in auditing and consulting for cybersecurity and IT risk in a wide range of industries, including manufacturing, service, finance and government. He was on secondment to the Japanese Cabinet Secretariat, where he was involved in the establishment of the Cabinet Secretariat Cyber Security Center, the development and revision of the government’s unified standards, and the establishment and promotion of its information security management system. He has been a member of many expert committees of the Cabinet Secretariat, Ministry of Internal Affairs and Communications, and Ministry of Economy, Trade and Industry. He has also served as a board member of ISACA® Tokyo (Japan) Chapter.
Taiji Ayabe, CISA
Is a partner at PwC Aarata LLC. Ayabe is responsible for cybersecurity, project assurance, IT governance and system risk management–related services for a number of clients. He specializes in reviewing governance in cybersecurity. He also has extensive experience in assessing the effectiveness of measures aimed to prevent the recurrence of cyberincidents. He became a cybersecurity co-leader of PwC Japan Group in July 2019.
Yotaro Sato, CISA, CGEIT
Is a senior manager at PwC Aarata LLC. Sato has been involved in advisory services such as IT governance enhancement support, project assurance, system risk management and internal audit support for enterprises in a wide range of industries, including finance, manufacturing and service. Recently, he has been providing advisory services to organizations adopting modern processes such as agile development and DevOps. He is a member of the standards committee of the ISACA Tokyo Chapter and is currently working on the translation of COBIT® materials into Japanese to help advocate for the use of COBIT in Japan.
Alexander Vinson
Is an associate at PwC Aarata LLC. Vinson has been engaged in system reviews and security advisory for a wide range of industries, including manufacturing and finance.