COBIT-2019 COBIT 2019 Foundation Questions and Answers

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

 Risk management focuses on the preservation of value, while value delivery focuses on the creation of value. Value is the benefit that an enterprise derives from using information and technology. Value can be measured in terms of effectiveness, efficiency, quality, innovation, etc. Value delivery is the process of ensuring that information and technology investments and services contribute to the achievement of enterprise goals and objectives. Value delivery focuses on the creation of value by aligning I&T with business requirements, optimizing costs and resources, enhancing performance and outcomes, etc. Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Risk management focuses on the preservation of value by ensuring that risks are within acceptable levels, that opportunities are exploited, that uncertainties are reduced, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The level achieved when all processes of a focus area achieve a particular capability level is referred to as the maturity level. A focus area is a topic or issue that can be addressed by governance objectives, such as digital transformation, cybersecurity, privacy, etc. A focus area consists of a set of processes that are relevant and applicable for the topic or issue. A capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capability level can range from 0 (incomplete) to 5 (optimizing). A maturity level is the level achieved when all processes of a focus area achieve a particular capability level. A maturity level can range from 0 (non-existent) to 5 (optimized).12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The final step in governance system design is to define target capability levels for the most critical objectives. The governance system design is the process of designing and implementing a governance system for an enterprise using COBIT 2019. The governance system design involves tailoring the COBIT 2019 components such as principles, enablers, goals, processes, practices, roles, structures, metrics, etc., according to the enterprise’s context and needs. The governance system design also involves considering various design factors such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc., that influence how an enterprise designs and implements its governance system using COBIT 2019. The final step in governance system design is to define target capability levels for the most critical objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The critical objectives are the governance and management objectives that have been prioritized based on the design factors and the stakeholder needs. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By defining target capability levels for the most critical objectives as the final step in governance system design, an enterprise can ensure that it has set realistic and achievable goals for its information and technology governance and management processes that support its strategy and objectives. This will also help to identify the gaps or issues that need to be addressed to enhance the capability levels of the selected processes.References: : COBIT 2019 Design Guide: page 53-54 : COBIT 2019 Process Assessment Model: page 11-13

The enterprise goal of compliance with external laws and regulations is aligned to the financial dimension of the balanced scorecard (BSC). The BSC is a strategic performance management tool that helps enterprises to translate their vision and strategy into operational objectives and measures. The BSC consists of four dimensions: financial, customer, internal, and growth. The financial dimension focuses on the financial performance and value creation of the enterprise. Compliance with external laws and regulations is one of the 17 generic enterprise goals defined by COBIT that supports the financial dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The process practices that include inputs and outputs comprise the information flow component of a governance system. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance system consists of seven components: governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), governance outcomes (such as value creation, risk optimization, resource optimization, etc.), information flow (the exchange of information among components), culture (the shared values, beliefs, norms, and attitudes), ethical behavior (the conduct that conforms to moral principles), stakeholder needs (the requirements or expectations of internal or external stakeholders). The information flow component comprises the process practices that include inputs and outputs that enable the exchange of information among components.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

When assessing organizational structures, it is most helpful when subcriteria for each criterion are defined and linked to capability levels. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be assessed using six criteria: clarity, comprehensiveness, integration, alignment, authority, and accountability. Each criterion can be further divided into subcriteria that describe the specific aspects or attributes of the criterion. Capability levels are the measures of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. Capability levels can range from 0 (incomplete) to 5 (optimizing). Defining and linking subcriteria to capability levels helps to evaluate the current and desired state of organizational structures, as well as to identify gaps and improvement opportunities.123 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The initial scope of a governance system is the extent and boundaries of the governance system that an enterprise intends to design and implement using COBIT 2019. The initial scope helps to define the focus and direction of the governance system design process, as well as the resources and efforts required for its implementation. One of the key considerations when determining the initial scope of a governance system is the compliance requirements faced by the enterprise. The compliance requirements are the laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirements influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance requirements when determining the initial scope of a governance system, an enterprise can ensure that its governance system is appropriate for its context and objectives, and that it can effectively manage the potential impacts of non-compliance on its reputation, performance, value, and stakeholder trust.References: : COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Design Guide: page 53-54

The board is responsible for the oversight of structures and mechanisms that drive enterprise governance of information and technology (EGIT). According to the ISACA Journal article, “the board is ultimately accountable for EGIT and should oversee its establishment and monitor its effectiveness” . The board should also ensure that EGIT aligns with the enterprise governance framework and supports the achievement of enterprise objectives. 

 The key program roles are the roles that are responsible for leading, directing, managing, supporting, and executing the EGIT implementation program. The nomination of these roles is a critical step in creating the appropriate governance environment for the program. One of the roles that should be involved in this nomination process is the board and executives, who are the highest-level governance body and decision makers in an enterprise. The board and executives provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. They also ensure that the program is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives. The board and executives also appoint or endorse other key program roles such as the program sponsor, program manager, program steering committee, change champion network, etc.References: : COBIT 2019 Implementation Guide, page 37-38 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

The primary target audience for COBIT is business and IT management responsible for building and deploying I&T solutions. COBIT is designed to help these managers address the challenges of aligning I&T with business goals, delivering value from I&T, managing I&T risks, optimizing I&T resources, and measuring I&T performance5. COBIT provides a comprehensive and flexible framework that can be adapted to different contexts and situations. COBIT also helps to establish a common language and understanding among business and IT stakeholders6. References: 5: COBIT 2019 Framework: Introduction and Methodology, page 15 6: COBIT 2019 Framework: Introduction and Methodology, page 25

 A quantitative approach involves numeric mapping tables created for each of the design factors. According to the COBIT 2019 Design Guide, a quantitative approach is one of the four possible approaches for designing a governance system based on the design factors. A design factor is a characteristic of the enterprise that influences how the governance system should be designed. A quantitative approach uses numeric values to represent the impact of each design factor on the governance components, such as processes, organizational structures, roles, and practices. The numeric values are derived from mapping tables that show how each design factor affects each governance component. The mapping tables are based on empirical data, expert judgment, or best practices. The quantitative approach helps to provide a more objective and consistent way of designing a governance system that is tailored to the enterprise context and needs. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 54 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 56

 The COBIT performance model is integrated into the COBIT core model. The COBIT core model consists of two main elements: the governance and management objectives (which define what needs to be achieved) and the performance model (which defines how well it needs to be achieved). The performance model is based on existing maturity and capability models (such as ISO/IEC 15504) and provides a common language to measure and communicate performance. The performance model consists of six levels (from 0 to 5) that describe the increasing degree of capability for each governance or management objective.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The best way to enable an enterprise to show and prove the benefits realized from the implementation of an EGIT program plan is to communicate the results and benefits in business impact terms. The EGIT program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. Communicating the results and benefits in business impact terms means using appropriate tools, methods, formats, frequencies, etc., to report on the progress and outcomes of the EGIT implementation program to relevant stakeholders such as the board, executives, business managers, IT managers, etc., using language and metrics that demonstrate how the program has contributed to achieving the enterprise’s strategy, objectives, performance, value, etc. By communicating the results and benefits in business impact terms, an enterprise can ensure that it has a clear and compelling evidence of the value and benefits delivered by the EGIT implementation program, that it has met stakeholder requirements and expectations, that it has obtained stakeholder feedback and recognition, that it has enhanced stakeholder trust and confidence, etc12 References: 1: COBIT 2019 Implementation Guide: page 51-52 2: COBIT 2019 Framework: Governance and Management Objectives: page 19-20

 A managed system of internal controls is most important to providing trust in operations, confidence in the achievement of enterprise objectives, and an adequate understanding of residual risk. A system of internal controls is a set of policies, procedures, practices, tools, techniques, etc., that are designed to provide reasonable assurance that an enterprise will achieve its objectives, prevent or detect errors or fraud, comply with laws and regulations, safeguard assets, etc. A managed system of internal controls means that the system is regularly monitored, evaluated, updated, and improved to ensure its effectiveness and efficiency.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The responsible ® role fulfills the practice and creates the intended outcome within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The responsible ® role means performing or overseeing a task or process. There can be more than one responsible role for each task or process, but they must be coordinated by the accountable role. The responsible role fulfills the practice and creates the intended outcome by executing or supervising the process activities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The EGIT implementation life cycle consists of four stages: initiating an EGIT program, defining the EGIT implementation road map, developing the EGIT implementation program plan, and executing the EGIT implementation program plan. The third stage, developing the EGIT implementation program plan, involves identifying and defining the success metrics for the EGIT continual improvement program. These metrics should be aligned with the enterprise goals and objectives, and should measure the performance and outcomes of the EGIT processes and practices. The success metrics should also be SMART (specific, measurable, achievable, relevant, and time-bound), and should be communicated to all stakeholders involved in the EGIT program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 26 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 41 

The process ‘Ensured Stakeholder Engagement’ (EDM04) is one of the governance processes in COBIT 2019 that involves establishing transparent communication with stakeholders about their needs and expectations from information and technology governance. This process also involves ensuring stakeholder involvement in governance decision making and monitoring stakeholder satisfaction with governance outcomes. One of the roles that is best suited for this responsibility is the board and executive management, who are the highest-level governance body and decision makers in an enterprise. The board and executive management have a duty to ensure that they understand the needs and expectations of various stakeholders such as shareholders, regulators, customers, employees, suppliers, etc., and that they communicate effectively with them about the enterprise’s strategy, objectives, performance, risks, issues, opportunities, etc., related to information and technology governance. The board and executive management also have a responsibility to involve stakeholders in governance decision making by soliciting their input, feedback, opinions, suggestions, etc., and by considering their interests and perspectives when making governance choices. The board and executive management also have a role in monitoring stakeholder satisfaction with governance outcomes by measuring stakeholder value realization from information and technology investments and initiatives.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 25-27 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

 In most cases, management of the enterprise is the responsibility of the executive management team. The executive management team consists of senior managers who are accountable for implementing the strategies and policies set by the board or other governing body. They are also responsible for planning, organizing, directing, controlling, and reporting on the enterprise’s operations3. The executive management team may delegate some of their management responsibilities to other managers or staff, but they remain ultimately accountable for the outcomes4. References: 3: COBIT 2019 Framework: Introduction and Methodology, page 28 4: COBIT 2019 Framework: Governance and Management Objectives, page 21

The initiatives that should be scheduled for completion first when prioritizing improvement initiatives are the ones that are easiest to achieve and will garner business benefits. This approach helps to create quick wins and demonstrate value to the stakeholders, as well as to build momentum and confidence for further improvement efforts. The initiatives should also be aligned with the enterprise’s strategic objectives, risk appetite, and resource constraints. The approach is based on the COBIT 2019 Implementation Guide2, page 37. References: 2: COBIT 2019 Implementation Guide | Digital | English

 According to Capability Maturity Model Integration (CMMI), Level 2 within the five maturity levels for processes best describes the outcome of the process achieving its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. CMMI is a process improvement approach that provides organizations with the essential elements of effective processes. CMMI defines five maturity levels for processes, from 1 (initial) to 5 (optimizing). Level 2 (managed) means that the process is planned and executed in accordance with policy; employs skilled people who have adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.12 References: CMMI for Development, Version 1.3, CMMI Institute - Capability Maturity Model Integration

Ensuring the program team knows and understands the enterprise goals is a part of the “Where do we want to be?” phase of the implementation. The implementation of a governance system is divided into seven phases, each with a set of activities and outputs. The “Where do we want to be?” phase involves defining the desired outcomes and target state of the governance system, based on the enterprise’s vision, mission, values, and goals. One of the activities in this phase is to ensure that the program team is aware of and aligned with the enterprise goals, as well as their roles and responsibilities in achieving them. The answer is based on the COBIT 2019 Implementation Guide2, page 34. References: 2: COBIT 2019 Implementation Guide | Digital | English

 A governance or management objective always relates to a single process. A governance or management objective is a desired outcome or result of a governance or management activity for information and technology. A process is a set of interrelated or interacting activities that transform inputs into outputs. A process can be described by its purpose, goals, practices, activities, inputs, outputs, roles, metrics, etc. A governance or management objective always relates to a single process by defining its purpose and goals, as well as providing guidance on how to perform it effectively and efficiently.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

According to the COBIT 2019 Framework: Introduction and Methodology, one of the imperative factors to the successful implementation of IT governance is that IT governance is sponsored by executives. Executive sponsorship ensures that IT governance has sufficient authority, resources and support from the top management of the organization. Executive sponsorship also demonstrates commitment and leadership for IT governance, and fosters a culture of accountability and collaboration among stakeholders.3, p. 33-34 References: 3: COBIT 2019 Framework: Introduction and Methodology

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide, page 67-69

A tailored enterprise governance system is a governance system that is customized to suit the specific needs and context of an enterprise. A sourcing model for information and technology is one of the design factors that influence the design and implementation of a tailored governance system. A sourcing model describes how the enterprise obtains and delivers I&T services, such as in-house, outsourced, cloud-based, etc. The sourcing model affects the governance objectives, components, and enablers that are relevant and applicable for the enterprise.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The focus areas are specific governance topics that are relevant for an enterprise based on its context, needs, and objectives. The focus areas provide guidance on how to apply the COBIT 2019 framework to address specific issues or challenges related to information and technology governance. The focus areas also help to tailor the COBIT 2019 framework to suit the enterprise’s specific governance system design. Therefore, when an enterprise is designing a specific governance system that is using diverse technology deployments with multiple domains of business operations, the expected deliverable when tailoring the COBIT 2019 framework is the focus area guidance. The focus area guidance will help the enterprise to select and prioritize the relevant focus areas that match its governance needs and objectives, and to customize the COBIT 2019 components such as principles, enablers, goals, processes, practices, etc., according to the focus area requirements12 References: 1: COBIT 2019 Design Guide, page 51-52 2: COBIT 2019 Framework: Introduction and Methodology, page 27-28

 Culture, ethics and behavior are the most likely components of a governance system to be underestimated as factors in the success of governance and management activities. Culture, ethics and behavior are the shared values, beliefs, norms, and attitudes that influence how people behave and interact within an enterprise. They affect the motivation, commitment, collaboration, and performance of people, as well as the trust and reputation of the enterprise. Culture, ethics and behavior are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The number of business processing hours lost due to unplanned service interruptions would be an appropriate metric associated with an enterprise goal of business service continuity and availability. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. Business service continuity and availability is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that critical business services are delivered at agreed levels and are resilient to disruptions. The number of business processing hours lost due to unplanned service interruptions is a metric that reflects how well this outcome is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance. Principles are the fundamental norms or rules that guide decision-making and actions. Policies are the statements of intent or direction that define what is expected or required. Frameworks are the conceptual models or structures that define the key elements, relationships, and principles of a system. The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance by providing a consistent and coherent basis for information and technology governance and management.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 A principle associated with the key components of a governance framework is that key components should function independently to maintain integrity. Key components include governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), and governance outcomes (such as value creation, risk optimization, resource optimization, etc.). These components should operate independently from each other to avoid conflicts of interest, bias, or undue influence. They should also have clear roles, responsibilities, authorities, and accountabilities. COBIT ensures the independence of key components by defining their relationships and interactions in a transparent and consistent manner.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The size of the enterprise is a design factor that describes the scale or magnitude of an enterprise’s information and technology activities in terms of aspects such as number of employees, customers, locations, products, services, processes, systems, data, etc. The size of the enterprise influences the governance and management of information and technology in terms of the level of complexity, diversity, variability, standardization, centralization, decentralization, etc., that are required for its information and technology activities. The key benefit of considering the size of the enterprise when designing governance is targeting capability levels of governance and management objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By considering the size of the enterprise when designing governance, an enterprise can target capability levels of governance and management objectives that are appropriate for its scale and magnitude of information and technology activities. This will also help to optimize its information and technology performance and value delivery12 References: 1: COBIT 2019 Design Guide: page 47-48 2: COBIT 2019 Process Assessment Model: page 11-13

 The COBIT framework is designed to meet the I&T goals for the entire enterprise. The COBIT framework is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. The COBIT framework consists of four core publications: COBIT 2019 Framework: Introduction and Methodology; COBIT 2019 Framework: Governance System; COBIT 2019 Framework: Governance and Management Objectives; COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. The COBIT framework is designed to meet the I&T goals for the entire enterprise by providing a holistic approach that covers all aspects of I&T governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The COBIT 2019 publication that includes a workflow for planning a tailored governance system for the enterprise is COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. This publication provides guidance on how to design a customized governance system for information and technology using COBIT as a reference framework. It includes a workflow for planning a tailored governance system for the enterprise that consists of seven steps: define design factors; define focus areas; define current state; define target state; identify gaps; define roadmap; select implementation method.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience and a thorough understanding of the entire enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. Examples of stakeholders are board members, executives, managers, employees, customers, suppliers, regulators, etc. To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience in I&T governance or management practices, as well as a thorough understanding of the entire enterprise’s vision, mission, values, goals, objectives, strategies, processes, culture, etc. This would help them to apply the COBIT framework effectively and efficiently to their specific context and needs.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Stakeholder Needs]

The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements. An IT governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. The effectiveness of an IT governance system can be reviewed using different methods or tools, such as audits, assessments, surveys, feedbacks, etc. The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements that may arise from changes in the internal or external environment, stakeholder needs, business objectives, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The risk profile of an enterprise is a design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. When reviewing the risk profile of an enterprise during the governance design phase, one of the prerequisites that must be established prior to conducting a high-level risk analysis is the enterprise’s risk appetite. The risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. The risk appetite provides a basis for defining the risk criteria, thresholds, indicators, and responses that will be used in the risk analysis process. The risk appetite also helps to align the governance framework with the enterprise’s strategy and objectives.References: : COBIT 2019 Design Guide, page 41-43 : COBIT 2019 Framework: Introduction and Methodology, page 28-29

Using the COBIT 2019 Governance System Design Workflow allows enterprises to realize a governance system that is tailored to their needs. The COBIT 2019 Governance System Design Workflow is a set of steps that guide enterprises in designing a customized governance system based on their specific context, goals, issues, and priorities. The workflow helps enterprises to identify their current state, desired state, gaps, improvement opportunities, design factors, governance components, roles, responsibilities, practices, activities, inputs, outputs, goals, metrics, and road map for implementing their governance system. The workflow also helps enterprises to balance competing requirements and resolve conflicts among stakeholders. By following the workflow, enterprises can design a governance system that fits their unique needs and delivers value to their business. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 29 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 31

The change enablement tasks are the tasks that involve preparing for managing and sustaining the changes that are required for implementing a governance system for an enterprise using COBIT 2019. The change enablement tasks help to ensure that the changes are aligned with the enterprise’s strategy objectives needs expectations etc., that they deliver value and benefits to the enterprise and its stakeholders that they overcome resistance and barriers to change that they create a culture of continuous improvement etc. One of the key change enablement tasks that must be completed during the driver identification phase of an IT initiative is identify the business and governance drivers. The driver identification phase is the first phase of the governance implementation roadmap which involves identifying and analyzing the internal and external factors that trigger or influence the need for designing and implementing a governance system for an enterprise using COBIT 2019. The business drivers are the factors that relate to the enterprise’s business strategy objectives performance risks issues opportunities etc., such as market conditions customer demands competitive pressures regulatory requirements etc. The governance drivers are the factors that relate to the enterprise’s information and technology governance strategy objectives performance risks issues opportunities etc., such as IT alignment IT value delivery IT risk management IT resource management IT performance measurement etc. By identifying the business and governance drivers during the driver identification phase an enterprise can establish a clear understanding of why it needs to design and implement a governance system using COBIT 2019 what are the expected outcomes benefits value etc., from doing so who are the relevant stakeholders their roles responsibilities requirements expectations etc., how to communicate engage involve them in the change process etc.

The risk profile is a design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. When tailoring COBIT 2019 to enterprise requirements, the primary objective of preparing a risk profile is to identify areas of risk that exceed risk appetite. The risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. The risk appetite provides a basis for defining the risk criteria, thresholds, indicators, and responses that will be used in the risk profile process. By identifying areas of risk that exceed risk appetite, an enterprise can prioritize its governance objectives, processes, practices, roles, structures, and metrics according to the level of risk exposure and impact. This will also help to align the governance framework with the enterprise’s strategy and objectives.References: : COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Framework: Introduction and Methodology: page 28-29

 The Align, Plan and Organize (APO) domain incorporates managed risk as one of its management objectives. The APO domain covers the activities related to aligning IT strategy with business strategy, planning IT resources and capabilities, organizing IT governance structures and processes, managing IT performance, innovation, risk, quality, human resources, security, information, services, etc. The APO domain consists of 13 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

Recognizing and rewarding EGIT implementation program performance is most beneficial when measuring realized program benefits. According to the COBIT 2019 Implementation Guide, recognizing and rewarding program performance is one of the key success factors for implementing and optimizing an EGIT program. Recognizing and rewarding program performance involves acknowledging and appreciating the achievements and contributions of the program team and stakeholders, as well as providing incentives and motivation for further improvement. Recognizing and rewarding program performance is most beneficial when measuring realized program benefits, because this is the stage where the actual outcomes and value of the program are evaluated against the expected goals and metrics. By recognizing and rewarding program performance at this stage, the enterprise can reinforce the positive impact of the program, celebrate the success of the program team and stakeholders, and encourage continuous learning and improvement. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 17 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 46

The governance system design workflow is a workflow that describes how an enterprise can design and implement a governance system using COBIT 2019. The governance system design workflow consists of six steps: determine initial scope; identify relevant design factors; prioritize governance and management objectives; define target capability levels; identify gaps; finalize scope. The governance system design workflow allows for consideration of all design factors in order to develop a customized governance system. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By considering all design factors in the governance system design workflow, an enterprise can ensure that its governance system is appropriate for its context and needs, that it delivers value and benefits to the enterprise and its stakeholders, that it aligns with the relevant standards, guidelines, regulations, best practices, etc., that it meets stakeholder requirements and expectations, etc.References: : COBIT 2019 Design Guide: page 33-48

 The management objective “managed strategy” belongs to the governance domain “align, plan and organize (APO)”, which covers the use of information and technology in achieving enterprise objectives. A primary benefit associated with this management objective is that desired value is delivered through a roadmap of incremental changes, which ensures that IT initiatives are aligned with enterprise strategy, prioritized based on value creation, and monitored for performance2, p. 25. References: 2: COBIT 2019 Framework: Governance and Management Objectives

 The legal office is a function that provides legal advice and support to an enterprise on various matters related to its information and technology activities. The legal office also ensures that the enterprise complies with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern its information and technology activities. One of the responsibilities of the legal office is to execute contracts that retain independent legal consultants to review the level of regulatory compliance of a proposed IT solution. This means that the legal office is responsible for negotiating, drafting, signing, and enforcing contracts with external legal experts who can provide independent and objective assessment of the compliance status of an IT solution that an enterprise intends to implement or use. The legal office also ensures that the contracts are aligned with the enterprise’s strategy, objectives, needs, and expectations, as well as with the relevant compliance requirements34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

 A process can meet a higher capability level if all activities of that level are successfully performed, in addition to the activities of lower levels. The capability levels range from 0 (incomplete) to 5 (optimizing), and each level has a set of generic attributes that describe the expected performance of the process activities2, p. 30. References: 2: COBIT 2019 Framework: Introduction and Methodology

 An actionable strategy and governance system enables an enterprise to maximize value from the use of I&T by providing direction, alignment, oversight, and performance measurement. A strategy defines the enterprise’s vision, mission, goals, and objectives, and how I&T can support them. A governance system ensures that the strategy is implemented effectively and efficiently, and that the outcomes are monitored and evaluated. COBIT provides a comprehensive governance system for enterprise I&T that covers all aspects of governance, management, and enablers.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The Goals Cascade model illustrates how enterprise goals cascade to alignment goals and then to governance and management objectives. Each governance or management objective supports the achievement of one or more alignment goals that are related to larger enterprise goals. The alignment goals are derived from the balanced scorecard (BSC) dimensions of financial, customer, internal, and learning and growth1, p. 16. References: 1: COBIT 2019 Framework: Governance and Management Objectives

 The chief information officer (CIO) ensures the board is kept informed of major decisions related to value delivery of I&T deployment in accordance with the enterprise strategy. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO ensures the board is kept informed of major decisions related to value delivery of I&T deployment by providing regular reports, updates, feedback, recommendations, etc., as well as by participating in board meetings or committees.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

The primary purpose for aligning role descriptions to the enterprise’s business context, organization and operating environment when tailoring the COBIT organizational structure is to assign levels of accountability and responsibility for governance and management activities. This purpose helps to ensure that roles are clearly defined, communicated, understood, and accepted by all stakeholders, and that there are no gaps or overlaps in roles. The purpose is based on the COBIT 2019 Implementation Guide5, page 45. References: 5: COBIT 2019 Implementation Guide | Digital | English