COBIT-2019 COBIT 2019 Foundation Questions and Answers

The value that I&T delivers should be aligned directly with the values on which the business is focused. This is based on the principle of alignment, which states that “governance of enterprise I&T should ensure that I&T-enabled investments are aligned with the enterprise strategy and deliver the expected benefits” . Value delivery is not only about maintaining or increasing value from existing I&T investments, but also about ensuring that new investments support the strategic objectives and stakeholder needs of the enterprise.

The high-level program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. The high-level program plan provides the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The high-level program plan is an output of the “what needs to be done” phase. The “what needs to be done” phase is the fourth phase of the governance implementation roadmap, which involves defining the target state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. This phase also involves identifying the gaps and issues that need to be addressed to achieve the target state, setting the improvement targets and priorities, developing a detailed business case and a high-level program plan for implementing a governance system using COBIT 2019. By developing a high-level program plan as an output of the “what needs to be done” phase, an enterprise can ensure that it has a clear and realistic roadmap for designing and implementing a governance system using COBIT 2019, that it has defined the expected outcomes, benefits, value, etc., from doing so, that it has considered the relevant risks, costs, resources, etc., involved in doing so, that it has obtained stakeholder buy-in and commitment for doing so, etc.

The CIO and the program steering committee are responsible for performing a stakeholder satisfaction survey and gathering feedback on lessons learned from the implementation of an EGIT program plan. According to the COBIT 2019 Implementation Guide, the CIO is the executive sponsor of the EGIT program, who provides strategic direction, leadership, and oversight for the program. The program steering committee is a group of senior stakeholders who support the CIO in governing and monitoring the program. One of their responsibilities is to conduct regular reviews of the program performance and outcomes, including stakeholder satisfaction and lessons learned. These reviews help to evaluate the effectiveness and efficiency of the EGIT program plan and identify areas for improvement. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 23 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 45 1

The internal audit function is an independent and objective assurance and consulting activity that evaluates and improves the effectiveness of governance, risk management, and control processes in an enterprise. The internal audit function has a role in defining the EGIT target state, which is the desired state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. The role of the internal audit function in this process is to provide advice and assist with target-state positioning and gap priorities. This means that the internal audit function can help to identify the current state of information and technology governance in an enterprise, assess the gaps and issues that need to be addressed, determine the target state of information and technology governance that is optimal for the enterprise, and prioritize the actions and initiatives that are required to achieve the target state. The internal audit function can also provide assurance on the design and implementation of the EGIT target state by evaluating its adequacy, effectiveness, efficiency, and compliance.

The Goals Cascade model illustrates how enterprise goals cascade to alignment goals and then to governance and management objectives. Each governance or management objective supports the achievement of one or more alignment goals that are related to larger enterprise goals. The alignment goals are derived from the balanced scorecard (BSC) dimensions of financial, customer, internal, and learning and growth1, p. 16. References: 1: COBIT 2019 Framework: Governance and Management Objectives

The EGIT implementation program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program plan provides the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The best time to acquire or develop solutions for implementing process improvement projects defined by the EGIT implementation program plan is when developing the EGIT implementation program plan. This means that before finalizing and submitting the EGIT implementation program plan for approval, the enterprise should identify or create the solutions that will enable it to achieve its process improvement goals and objectives. These solutions could include tools, methods, frameworks, standards, guidelines, best practices, etc., that will help to design and implement the desired processes in accordance with stakeholder requirements and expectations. By acquiring or developing solutions during the development of the EGIT implementation program plan, the enterprise can ensure that the solutions are aligned with the program scope and approach, that they are realistic and achievable within the program budget and timeline, that they are integrated with other program components such as change management and communication plans, and that they are approved by relevant stakeholders before execution5 References: 5: COBIT 2019 Implementation Guide: page 39-40 : COBIT 2019 Implementation Guide: page 49-50QUESTION NO: 24

When defining a governance implementation roadmap. what is the NEXT step after planning the program?

A. Initiate the

B. Realize benefits.

C. Review effectiveness.

D. Execute the plan.

Answer: D

 The governance implementation roadmap is a document that outlines the steps and activities involved in designing and implementing a governance system for an enterprise using COBIT 2019. The governance implementation roadmap consists of seven phases: what are the drivers; where are we now; where do we want to be; what needs to be done; how do we get there; did we get there; how do we keep up momentum. The next step after planning the program is to execute the plan. This means that after developing a detailed business case and high-level program plan for implementing a governance system in phase four (what needs to be done), the enterprise should proceed to phase five (how do we get there), which involves executing the program plan according to the defined scope, approach, benefits, costs, risks, and timeline. This phase also involves managing the program resources, deliverables, quality, performance, and stakeholder expectations, as well as monitoring and controlling the program progress and outcomes.

 Risk management focuses on the preservation of value, while value delivery focuses on the creation of value. Value is the benefit that an enterprise derives from using information and technology. Value can be measured in terms of effectiveness, efficiency, quality, innovation, etc. Value delivery is the process of ensuring that information and technology investments and services contribute to the achievement of enterprise goals and objectives. Value delivery focuses on the creation of value by aligning I&T with business requirements, optimizing costs and resources, enhancing performance and outcomes, etc. Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Risk management focuses on the preservation of value by ensuring that risks are within acceptable levels, that opportunities are exploited, that uncertainties are reduced, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. There are four IT implementation methods defined in COBIT 2019: traditional, agile, DevOps, and hybrid. Each method has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The IT implementation method that requires the highest level of participation by users at multiple stages of software development is agile. Agile is an IT implementation method that emphasizes flexibility, adaptability, collaboration, customer satisfaction, and value delivery. One of the characteristics of agile is that it involves frequent and direct interaction with users throughout the software development life cycle, from requirements gathering to testing to deployment. Users are considered as key stakeholders who provide feedback, input, validation, verification, acceptance, and evaluation of the IT solutions. Users are also involved in prioritizing the features and functionalities of the IT solutions based on their needs and expectations. Agile aims to deliver IT solutions that meet user requirements and expectations in a timely and cost-effective manner.

Phase 1 of the COBIT implementation approach focuses on recognizing the need for change and initiating the program. A critical component of this phase is articulating executive management's desire and rationale for change within the enterprise. The most effective tool for this purpose is the development of a "Business case."

Business Case:This document serves as a formal justification for undertaking a change initiative. It outlines the strategic alignment of the proposed change with enterprise goals, the expected benefits, costs, potential risks, and the overall impact on the organization. By presenting a well-structured business case, executive management can communicate the necessity and anticipated value of the change, securing stakeholder buy-in and guiding decision-making processes.

Option A, "Balanced scorecard," is a strategic planning and management tool used to monitor organizational performance against strategic goals. While valuable for performance measurement, it is not specifically designed to convey the impetus for change.

Option B, "Risk assessment," involves identifying and evaluating potential risks that could impact the organization. Although understanding risks is essential, a risk assessment does not comprehensively capture the executive management's motivation and justification for change.

Therefore, in Phase 1 of the COBIT implementation approach, a "Business case" is the appropriate instrument to outline executive management's desire for change within the enterprise.

 IT governance implementation risk is best managed throughout the life cycle of the implementation. IT governance implementation risk is the possibility of negative consequences or outcomes that may arise from the design, execution, evaluation, or improvement of the IT governance system. The life cycle of IT governance implementation is a continuous process that involves four phases: what are the drivers, where are we now, where do we want to be, and how do we get there. IT governance implementation risk should be managed throughout the life cycle by identifying, analyzing, evaluating, treating, monitoring, and communicating the risksthat may affect the success of the implementation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 The percent of stakeholders satisfied with program/project quality would be an appropriate metric to align with a goal of “Delivery of programs on time, on budget, and meeting requirements and quality standards”. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. A goal is a specific target or outcome that an enterprise sets to achieve its vision and mission. Delivery of programs on time, on budget, and meeting requirements and quality standards is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that IT-enabled investments are delivered successfully. The percent of stakeholders satisfied with program/project quality is a metric that reflects how well this goal is achieved.13 References: COBIT 2019Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The IT governance implementation approach that should be utilized in order to achieve maximum enterprise benefits is treating implementation as a program. A program is a coordinated set of projects and activities that are designed to achieve a specific set of objectives within a defined scope, time frame, and budget. Treating implementation as a program helps to ensure that IT governance is planned, executed, monitored, controlled, and evaluated in a systematic and consistent manner, following best practices and standards. The approach is based on the COBIT 2019 Implementation Guide5, page 29. References: 5: COBIT 2019 Implementation Guide | Digital | English

 The COBIT principle that addresses the need to consider how changes in technology or strategy impact the enterprise governance system as a whole is that a governance system should be dynamic. This principle states that “a governance system should be responsive to changing stakeholder needs, conditions and options; adaptable to changing circumstances; able to learn from experience; and innovative in supporting continual improvement” 4. A dynamic governance system can anticipate and respond to changes in the internal and external environment, such as new technologies, business models, risks, or opportunities5. References: 4: COBIT 2019 Framework: Introduction and Methodology, page 23 5: COBIT 2019 Framework: Governance and Management Objectives, page 20

The desired outcome of an EGIT implementation program plan is to ensure that the EGIT projects are aligned with the enterprise’s strategy, objectives, and stakeholder needs, and that they deliver value and benefits to the enterprise. One of the key steps in achieving this outcome is to transition the EGIT projects into the enterprise’s normal development life cycle, which involves ensuring that the projects are integrated with the existing processes, systems, and governance structures, and that they are monitored and controlled for quality, performance, and risk. This will also facilitate the continuous improvement and adaptation of the EGIT projects to changing business needs and environment12 References: 1: COBIT 2019 Implementation Guide, page 49-50 2: COBIT 2019 Design Guide, page 67-68

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The targeted capability levels are the desired levels of performance that an enterprise wants to achieve for its information and technology governance and management processes, based on its strategy, objectives, needs, and expectations. The targeted capability levels provide a basis for defining the improvement goals and objectives for the processes. The capability-level gap analysis is a process that involves comparing the current capability levels of an enterprise’s information and technology governance and management processes with the targeted capability levels, and identifying the gaps or differences between them. The capability-level gap analysis helps to determine the improvement actions and initiatives that are required to close the gaps and achieve the targeted capability levels. The primary benefit or output derived from setting targeted capability levels and performing a capability-level gap analysis for selected processes is identification of process improvement opportunities. This means that by setting targeted capability levels and performing a capability-level gap analysis for selected processes, an enterprise can identify the areas of weakness or inefficiency in its information and technology governance and management processes, and determine the potential solutions or enhancements that can improve its process performance, quality, value, etc. This will also help to align the information and technology governance system with the enterprise’s strategy and objectives.

 A key consideration when finalizing a governance system design with competing priorities is that the enterprise should be prepared to deviate from previously identified priorities with justified reasons. According to the COBIT 2019 Design Guide, competing priorities are one of the common challenges that enterprises face when designing a governance system. Competing priorities may arise from different stakeholder expectations, requirements, preferences, perspectives, or interests. The COBIT 2019 Design Guide recommends that enterprises use a structured approach to resolve competing priorities, such as the COBIT 2019 Governance System Design Workflow. The workflow helps enterprises to identify and prioritize their improvement opportunities based on a gap analysis between their current and desired states of governance. However, the workflow also allows enterprises to adjust their priorities as needed during the design process, as long as they provide clear and rational reasons for doing so. For example, enterprises may deviate from their initial priorities due to changes in the business environment, stakeholder feedback, new insights, or emerging issues. The deviation from previously identified priorities should be documented and communicated to all relevant stakeholders to ensure transparency and alignment. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 32 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 34

Selecting an implementation method is the final action before completing the design of an IT governance system. An IT governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. The design of an IT governance system involves several steps or actions that help to customize and tailor the system to the specific needs and context of the enterprise. These steps or actions include defining design factors, defining focus areas, defining current state, defining target state, identifying gaps and improvement opportunities, defining roadmap and priorities, etc. Selecting an implementation method is the final action before completing the design of an IT governance system because it helps to determine how the system will be put into practice, what resources and activities are needed, what challenges and risks are expected, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Time-to-market is a market factor that is directly related to the enterprise goal of portfolio of competitive products and services. Time-to-market is the measure of how quickly an enterprise can deliver new or improved products or services to its customers. It affects the competitiveness, profitability, and customer satisfaction of the enterprise. Portfolio of competitive products and services is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of providingproducts or services that meet customer needs and expectations, and that are superior to those offered by competitors.13 References: COBIT 2019 Framework:Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 People, skills and competencies are essential for effective decision making within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The enterprise’s risk profile is the most important enterprise risk management concept to fully understand prior to finalizing the design of an IT governance system. Enterprise risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Enterprise risk management concepts include risk appetite (the amount and type of risk that an enterprise is willing to accept), risk tolerance (the acceptable variation in outcomes related to specific performance measures), risk profile (the overall exposure or level of risk that an enterprise faces), etc. The enterprise’s risk profile is the most important concept to fully understand prior to finalizing the design of an IT governance system because it helps to determine the appropriate level of risk optimization for each governance objective.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

 The Build, Acquire and Implement (BAI) domain deals with the definition of IT solutions and their integration in business processes. This domain covers the activities related to identifying, developing, acquiring, implementing, testing, integrating, and deploying IT solutions that meet business requirements. The BAI domain consists of 10 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

COBIT 2019 provides a comprehensive framework to support the decision-making process rather than prescribing specific solutions. It guides the structuring of governance and management objectives across different domains, such as EDM, APO, and BAI, enabling stakeholders to understand the components and decision levels required for efficient IT governance. This aligns with COBIT's goals to establish clear responsibilities and decision-making criteria for various roles, ensuring alignment with enterprise objectives and stakeholder needs​.

Enterprise strategy cascades to enterprise goals within the COBIT goals cascade. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Enterprise strategy is the high-level direction and guidance that defines how the enterprise will achieve its vision and mission. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Enterprise strategy cascades to enterprise goals through a process of analysis, prioritization, and validation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The best way to enable an enterprise to show and prove the benefits realized from the implementation of an EGIT program plan is to communicate the results and benefits in business impact terms. The EGIT program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. Communicating the results and benefits in business impact terms means using appropriate tools, methods, formats, frequencies, etc., to report on the progress and outcomes of the EGIT implementation program to relevant stakeholders such as the board, executives, business managers, IT managers, etc., using language and metrics that demonstrate how the program has contributed to achieving the enterprise’s strategy, objectives, performance, value, etc. By communicating the results and benefits in business impact terms, an enterprise can ensure that it has a clear and compelling evidence of the value and benefits delivered by the EGIT implementation program, that it has met stakeholder requirements and expectations, that it has obtained stakeholder feedback and recognition, that it has enhanced stakeholder trust and confidence, etc12 References: 1: COBIT 2019 Implementation Guide: page 51-52 2: COBIT 2019 Framework: Governance and Management Objectives: page 19-20

The primary purpose of implementing an enterprise governance of information and technology (EGIT) system is to deliver stakeholder value from I&T-enabled investments. An EGIT system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. An I&T-enabled investment is any initiative or project that involves the use of information and technology to create value for the enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. The primary purpose of implementing an EGIT system is to deliver stakeholder value from I&T-enabled investments by ensuring that they align with the enterprise strategy and objectives, optimize risks and resources, achieve expected benefits and outcomes, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

An example of a governance system component is the compliance regulations applicable to the enterprise. The governance system components are the elements that constitute a governance system for an enterprise using COBIT 2019. The governance system components include principles enablers goals processes practices roles structures metrics etc., that enable an enterprise to govern and manage its information and technology activities effectively efficiently reliably securely etc. The compliance regulations are the laws regulations standards guidelines contracts or agreements that govern the information and technology activities of an enterprise. The compliance regulations influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance regulations as a governance system component an enterprise can ensure that its governance system is appropriate for itscontext and objectives that it can effectively manage the potential impacts of non-compliance on its reputation performance value stakeholder trust etc., that it can align its information and technology activities with the relevant standards guidelines regulations best practices etc., that it can meet stakeholder requirements expectations etc., 5 References: 5: COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Framework: Governance System Components: page 27-28

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.

 The objectives of the Evaluate, Direct and Monitor (EDM) domain are best described by assessing strategic options and guiding senior management on the options chosen. This domain covers the governance activities related to setting direction, monitoring performance, ensuring compliance, and providing feedback to stakeholders. The domain consists of five governance objectives: EDM01 Ensure Governance Framework Setting and Maintenance, EDM02 Ensure Benefits Delivery, EDM03 Ensure Risk Optimization, EDM04 Ensure Resource Optimization, and EDM05 Ensure Stakeholder Transparency. The domain is based on the COBIT 2019 Framework2, page 30. References: 2: COBIT 2019 Framework | Digital | English

 The accountable (A) role drives a given task or process within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The accountable (A) role means being answerable for the outcome or result of a task or process. There should be only one accountable role for each task or process, as having more than one can lead to confusion or conflict. The accountable role drives a given task or process by ensuring that it is performed effectively and efficiently, by providing direction and guidance, by resolving issues or conflicts, by approving changes or exceptions, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The people, skills and competencies component of governance identifies the human resource needs that must be met to achieve governance and management objectives. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. The people,skills and competencies component of governance defines the required roles andorganizational structures for each governance and management objective, as well as the skills and competencies that are needed for each role.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 A principle of a proper governance framework is that it should be based on a conceptual model. A conceptual model is “a representation of a system that uses concepts and ideas to form said representation” 8. A conceptual model helps to define the scope, purpose, structure, and content of a governance framework. It also helps to communicate the key concepts and relationships of a governance system to stakeholders. COBIT is based on a conceptual model that consists of three maincomponents: the governance system, the governance components, and the design factors9. References: 8: https://en.wikipedia.org/wiki/Conceptual_model  9: COBIT 2019 Framework: Introduction and Methodology, page 26

The focus of an enterprise that has a cost leadership strategy design factor is short-term cost minimization. A cost leadership strategy is a competitive strategy that aims to achieve lower costs than competitors by offering standardized products or services at low prices. A cost leadership strategy design factor affects how an enterprise designs its governance system, as it implies a focus on operational efficiency, process automation, economies of scale, outsourcing, etc. An enterprise that has a cost leadership strategy design factor would prioritize short-term cost minimization over long-term cost optimization or medium-term cost equalization.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The final step in governance system design is to define target capability levels for the most critical objectives. The governance system design is the process of designing and implementing a governance system for an enterprise using COBIT 2019. The governance system design involves tailoring the COBIT 2019 components such as principles, enablers, goals, processes, practices, roles, structures, metrics, etc., according to the enterprise’s context and needs. The governance system design also involves considering various design factors such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc., that influence how an enterprise designs and implements its governance system using COBIT 2019. The final step in governance system design is to define target capability levels for the most critical objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The critical objectives are the governance and management objectives that have been prioritized based on the design factors and the stakeholder needs. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By defining target capability levels for the most critical objectives as the final step in governance system design, an enterprise can ensure that it has set realistic and achievable goals for its information and technology governance and management processes that support its strategy and objectives. This will also help to identify the gaps or issues that need to be addressed to enhance the capability levels of the selected processes.

The Deliver, Service and Support (DSS) domain incorporates managed business process controls as one of its management objectives. The DSS domain covers the activities related to delivering IT services to internal and external customers, supporting IT operations and users, managing service requests, incidents, problems, continuity, security, availability, capacity, etc. The DSS domain consists of 6 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 A primary consideration when addressing new issues within a flexible and open framework is maintaining integrity and consistency. This means that “the framework should be internally consistent; not contain contradictions or ambiguities; be complete in covering all relevant aspects of enterprise governance of I&T; and be coherent in its structure, terminology and presentation” 6. Maintaining integrity and consistency ensures that the framework is reliable, clear, and easy to use for all stakeholders7. References: 6: COBIT 2019 Framework: Introduction and Methodology, page 25 7: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 13

Conducting a capabilities assessment must be done before an enterprise can determine performance measures for a process improvement initiative. A capabilities assessment is a method of measuring and evaluating how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capabilities assessment can be done using different models or frameworks, such as CMMI or ISO/IEC 15504. A capabilities assessment helps an enterprise to determine performance measures for a process improvement initiative by providing a baseline or benchmark for the current state of a process, as well as identifying its strengths, weaknesses, gaps, and improvement opportunities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT Process Assessment Model (PAM): Using COBIT 5

 The transition from traditional waterfall to a more agile approach would impact the implementation method step in the design phase the most. The implementation method is the approach or strategy that is used to put the IT governance system into practice. The design phase is the stage in the IT governance life cycle that involves customizing and tailoring the IT governance system to the specific needs and context of the enterprise. The transition from traditional waterfall to a more agile approachwould affect the implementation method step in the design phase because it would require a different way of planning, executing, monitoring, and controlling the IT governance system, as well as a different set of skills, tools, techniques, and practices.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The Align, Plan and Organize (APO) domain incorporates managed risk as one of its management objectives. The APO domain covers the activities related to aligning IT strategy with business strategy, planning IT resources and capabilities, organizing IT governance structures and processes, managing IT performance, innovation, risk, quality, human resources, security, information, services, etc. The APO domain consists of 13 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The COBIT framework is designed to meet the I&T goals for the entire enterprise. The COBIT framework is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. The COBIT framework consists of four core publications: COBIT 2019 Framework: Introduction and Methodology; COBIT 2019 Framework: Governance System; COBIT 2019 Framework: Governance and Management Objectives; COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. The COBIT framework is designed to meet the I&T goals for the entire enterprise by providing a holistic approach that covers all aspects of I&T governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

In the COBIT® 2019 Framework, it is stated that the information flows and items component includes relevant inputs and outputs with their source and destination. This is essential for mapping documentation for governance and management practices within an enterprise.

 Processes are key components of a governance system. Processes are the structured sets of activities that produce outputs or outcomes for achieving specific objectives. Processes define what needs to be done, by whom, when, how, and why. Processes are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

According to the COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution, one of the most significant drivers to be considered when refining the scope of a new IT governance system during the design phase is cloud versus on-premises services. This driver reflects the different delivery models of I&T services, such as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS) or on-premises solutions. The choice of delivery model has implications for governance objectives, roles, responsibilities, policies, processes, controls, risks and performance measures.5, p. 40-41 References: 5: COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

People, skills and competencies are required for successful completion of all activities within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 According to the COBIT 2019 Framework: Introduction and Methodology, a maturity level is a performance measure that is used to assess a specific focus area. A focus area is a topic that is relevant for governance and management of enterprise information and technology (I&T), such as cybersecurity, privacy or digital transformation. A maturity level indicates the extent to which a focus area is implemented and integrated in the enterprise’s governance system. There are six maturity levels defined in COBIT 2019, ranging from 0 (incomplete) to 5 (optimized).3, p. 77-78 References: 3: COBIT 2019 Framework: Introduction and Methodology

 As explained in the previous question, the success metrics for the EGIT continual improvement program are identified and defined in the third stage of the EGIT implementation life cycle, which is developing the EGIT implementation program plan. Therefore, the correct answer is D. The other options are incorrect because they refer to different stages of the EGIT implementation life cycle that do not involve defining the success metrics. Option A refers to the second stage, which is defining the EGIT implementation road map. This stage involves identifying and prioritizing the improvement opportunities based on a gap analysis between the current and desired states of EGIT. Option B refers to the fourth stage, which is executing the EGIT implementation program plan. This stage involves implementing the improvement actions according to the plan, monitoring and controlling the progress and outcomes, and reporting on the results. Option C refers to the first stage, which is initiating an EGIT program. This stage involves establishing a clear vision and scope for the EGIT program, obtaining senior management commitment and sponsorship, and setting up a governance structure for the program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 28 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 43 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 24 

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

Using the COBIT 2019 Governance System Design Workflow allows enterprises to realize a governance system that is tailored to their needs. The COBIT 2019 Governance System Design Workflow is a set of steps that guide enterprises in designing a customized governance system based on their specific context, goals, issues, and priorities. The workflow helps enterprises to identify their current state, desired state, gaps, improvement opportunities, design factors, governance components, roles, responsibilities, practices, activities, inputs, outputs, goals, metrics, and road map for implementing their governance system. The workflow also helps enterprises to balance competing requirements and resolve conflicts among stakeholders. By following the workflow, enterprises can design a governance system that fits their unique needs and delivers value to their business. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 29 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 31

 In most cases, management of the enterprise is the responsibility of the executive management team. The executive management team consists of senior managers who are accountable for implementing the strategies and policies set by the board or other governing body. They are also responsible for planning, organizing, directing, controlling, and reporting on the enterprise’s operations3. The executive management team may delegate some of their management responsibilities to other managers or staff, but they remain ultimately accountable for the outcomes4. References: 3: COBIT 2019 Framework: Introduction and Methodology, page 28 4: COBIT 2019 Framework: Governance and Management Objectives, page 21

The organizational structures component of the governance system are the key decision-making entities in an enterprise. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be formal or informal, hierarchical or flat, centralized or decentralized, etc. Organizational structures can include entities such as board, executive management, committees, forums, teams, units, etc. The organizational structures component of the governance system are the key decision-making entities in an enterprise by providing authority, accountability, direction, oversight, evaluation, etc., for information and technology.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

According to the COBIT 2019 Design Guide, a service manager is responsible for managing the development, implementation, evaluation and ongoing maintenance of new and existing products and services. A service manager ensures that the products and services meet the needs and expectations of the customers and stakeholders, and that they are aligned with the enterprise strategy and objectives. A service manager also monitors and reports on the performance and quality of the products and services, and initiates improvement actions when necessary.1, p. 64 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The figure in option C best illustrates the context of an enterprise governance of information and technology (EGIT) system because it shows how the EGIT system is influenced by the enterprise’s internal and external environment, and how it influences the enterprise’s governance system and IT-related goals. The figure also shows the four EGIT domains: Evaluate, Direct and Monitor (EDM), Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), and Deliver, Service and Support (DSS). The figure is based on the COBIT 2019 Framework1, page 23. References: 1: COBIT 2019 Framework | Digital | English

The alignment goal titled “Knowledge, expertise and initiatives for business innovation” is aligned to the Learning and Growth dimension of the IT balanced scorecard (BSC). The IT BSC is a tool that translates the IT-related goals into a set of performance indicators that can be measured and monitored. The Learning and Growth dimension focuses on the capabilities and skills of the IT staff, as well as the culture and climate that foster innovation and learning. The alignment goal is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English