COBIT-2019 COBIT 2019 Foundation Questions and Answers

COBIT 2019 highlights the importance of detailed documentation of process activities to support governance and management practices. By mapping these activities, organizations can clearly understand how procedures align with governance objectives and regulatory requirements. Detailed process mapping aids in ensuring consistent performance, compliance, and alignment with enterprise goals, specifically within the framework’s governance system components​.

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

According to the COBIT 2019 Framework: Introduction and Methodology, one of the imperative factors to the successful implementation of IT governance is that IT governance is sponsored by executives. Executive sponsorship ensures that IT governance has sufficient authority, resources and support from the top management of the organization. Executive sponsorship also demonstrates commitment and leadership for IT governance, and fosters a culture of accountability and collaboration among stakeholders.3, p. 33-34 References: 3: COBIT 2019 Framework: Introduction and Methodology

Stakeholder drivers and needs must be defined before determining alignment goals. Stakeholder drivers and needs are the requirements or expectations of the internal or external stakeholders of the enterprise, such as customers, employees, shareholders, regulators, etc. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Alignment goals are derived from the stakeholder drivers and needs, and they reflect how information and technology can support the enterprise strategy and objectives. Therefore, stakeholder drivers and needs must be defined before alignment goals can be determined.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The transition from traditional waterfall to a more agile approach would impact the implementation method step in the design phase the most. The implementation method is the approach or strategy that is used to put the IT governance system into practice. The design phase is the stage in the IT governance life cycle that involves customizing and tailoring the IT governance system to the specific needs and context of the enterprise. The transition from traditional waterfall to a more agile approach would affect the implementation method step in the design phase because it would require a different way of planning, executing, monitoring, and controlling the IT governance system, as well as a different set of skills, tools, techniques, and practices.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 An actionable strategy and governance system enables an enterprise to maximize value from the use of I&T by providing direction, alignment, oversight, and performance measurement. A strategy defines the enterprise’s vision, mission, goals, and objectives, and how I&T can support them. A governance system ensures that the strategy is implemented effectively and efficiently, and that the outcomes are monitored and evaluated. COBIT provides a comprehensive governance system for enterprise I&T that covers all aspects of governance, management, and enablers.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 A principle of a proper governance framework is that it should be based on a conceptual model. A conceptual model is “a representation of a system that uses concepts and ideas to form said representation” 8. A conceptual model helps to define the scope, purpose, structure, and content of a governance framework. It also helps to communicate the key concepts and relationships of a governance system to stakeholders. COBIT is based on a conceptual model that consists of three main components: the governance system, the governance components, and the design factors9. References: 8: https://en.wikipedia.org/wiki/Conceptual_model  9: COBIT 2019 Framework: Introduction and Methodology, page 26

 A managed system of internal controls is most important to providing trust in operations, confidence in the achievement of enterprise objectives, and an adequate understanding of residual risk. A system of internal controls is a set of policies, procedures, practices, tools, techniques, etc., that are designed to provide reasonable assurance that an enterprise will achieve its objectives, prevent or detect errors or fraud, comply with laws and regulations, safeguard assets, etc. A managed system of internal controls means that the system is regularly monitored, evaluated, updated, and improved to ensure its effectiveness and efficiency.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 A key consideration when finalizing a governance system design with competing priorities is that the enterprise should be prepared to deviate from previously identified priorities with justified reasons. According to the COBIT 2019 Design Guide, competing priorities are one of the common challenges that enterprises face when designing a governance system. Competing priorities may arise from different stakeholder expectations, requirements, preferences, perspectives, or interests. The COBIT 2019 Design Guide recommends that enterprises use a structured approach to resolve competing priorities, such as the COBIT 2019 Governance System Design Workflow. The workflow helps enterprises to identify and prioritize their improvement opportunities based on a gap analysis between their current and desired states of governance. However, the workflow also allows enterprises to adjust their priorities as needed during the design process, as long as they provide clear and rational reasons for doing so. For example, enterprises may deviate from their initial priorities due to changes in the business environment, stakeholder feedback, new insights, or emerging issues. The deviation from previously identified priorities should be documented and communicated to all relevant stakeholders to ensure transparency and alignment. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 32 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 34

The information flow and items component of COBIT includes a list of artifacts with links to relevant governance and management practices. An artifact is a tangible or intangible object that is produced, modified, or used by a process or activity. An artifact can be a document, a report, a record, a plan, a policy, a procedure, a service, a product, etc. The information flow and items component of COBIT provides a comprehensive list of artifacts that are relevant for each governance and management objective, as well as links to the practices that produce, modify, or use them.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The chief information officer (CIO) ensures the board is kept informed of major decisions related to value delivery of I&T deployment in accordance with the enterprise strategy. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO ensures the board is kept informed of major decisions related to value delivery of I&T deployment by providing regular reports, updates, feedback, recommendations, etc., as well as by participating in board meetings or committees.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

 The design factor associated with a highly regulated enterprise is likely to attribute more importance to documented work products and policies. A design factor is a characteristic or aspect of an enterprise that influences the design and implementation of a governance system. They include factors such as enterprise size, industry sector, risk profile, regulatory environment, sourcing model, etc. A highly regulated enterprise is one that operates in an industry or market that is subject to strict laws, rules, standards, or guidelines that affect its business processes, products, services, etc. A highly regulated enterprise would need to ensure compliance with these requirements by documenting its work products and policies, as well as by providing evidence of their implementation and effectiveness.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide, page 67-69

 Business service continuity and availability is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to ensuring that critical business processes and information are available at a level acceptable to the enterprise in the event of a disruption or disaster, and that recovery plans are in place to restore normal operations as soon as possible. The goal is based on the COBIT 2019 Framework3, page 36. References: 3: COBIT 2019 Framework | Digital | English

The Goals Cascade model illustrates how enterprise goals cascade to alignment goals and then to governance and management objectives. Each governance or management objective supports the achievement of one or more alignment goals that are related to larger enterprise goals. The alignment goals are derived from the balanced scorecard (BSC) dimensions of financial, customer, internal, and learning and growth1, p. 16. References: 1: COBIT 2019 Framework: Governance and Management Objectives

 The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas processes practices roles structures,and metrics. The enterprise strategy archetype that is focused on increasing revenues is growth/acquisition. Growth/acquisition is a strategy archetype that emphasizes expanding market share revenue customer base or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investmentsand initiatives that support business growth or acquisition objectives. Portfolio management involves selecting prioritizing balancing monitoring evaluating,and optimizing informationand technology investmentsand initiatives based on their alignment with business strategy value delivery potential risk exposure resource availability interdependencies etc.Portfolio management also involves ensuring that informationand technology investmentsand initiatives are integrated with business processes systems structures culture etc especially in case of mergers or acquisitions.5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

The initiatives that should be scheduled for completion first when prioritizing improvement initiatives are the ones that are easiest to achieve and will garner business benefits. This approach helps to create quick wins and demonstrate value to the stakeholders, as well as to build momentum and confidence for further improvement efforts. The initiatives should also be aligned with the enterprise’s strategic objectives, risk appetite, and resource constraints. The approach is based on the COBIT 2019 Implementation Guide2, page 37. References: 2: COBIT 2019 Implementation Guide | Digital | English

The chief information officer (CIO) is the best suited role to meet with the consultant to identify alignment goals. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO has a deep understanding of both business and I&T domains, as well as their interdependencies. The CIO can collaborate with the consultant to identify alignment goals that reflect how I&T can support the enterprise goals.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

 The most critical factor to ensuring the objective of managed availability and capacity is to predict future IT resource requirements based on current and projected business needs, service levels, and performance targets. This factor enables the enterprise to plan, provision, and optimize IT resources in a timely and cost-effective manner, while ensuring that IT services are delivered with sufficient availability and capacity to meet business demands. The factor is based on the COBIT 2019 Design Guide2, page 77. References: 2: COBIT 2019 Design Guide | Digital | English

 The management objective APO09 Managed Service Agreements involves ensuring that IT services are delivered in accordance with agreed-upon service levels and costs. This management objective covers the activities of defining, negotiating, establishing, monitoring, reporting, and reviewing service agreements between service providers and service consumers. This management objective is most relevant for an enterprise that plans to outsource all of its noncore IT operations but wants to ensure the proper level of governance, risk and compliance (GRC) controls. By applying this management objective, the enterprise can improve its service governance and management capabilities, ensure alignment of IT services with business strategy and objectives, enhance service performance and outcomes, and increase service consumer satisfaction and value realization. This management objective also involves ensuring that the outsourced IT services comply with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern the information and technology activities of the enterprise, as well as with the enterprise’s policies, procedures, processes, practices, etc. This management objective also involves managing the risks associated with outsourcing IT services such as loss of control, vendor lock-in, quality issues, security breaches, etc.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives: page 63-65 : COBIT 2019 Implementation Guide: page 49-50

 As explained in the previous question, the success metrics for the EGIT continual improvement program are identified and defined in the third stage of the EGIT implementation life cycle, which is developing the EGIT implementation program plan. Therefore, the correct answer is D. The other options are incorrect because they refer to different stages of the EGIT implementation life cycle that do not involve defining the success metrics. Option A refers to the second stage, which is defining the EGIT implementation road map. This stage involves identifying and prioritizing the improvement opportunities based on a gap analysis between the current and desired states of EGIT. Option B refers to the fourth stage, which is executing the EGIT implementation program plan. This stage involves implementing the improvement actions according to the plan, monitoring and controlling the progress and outcomes, and reporting on the results. Option C refers to the first stage, which is initiating an EGIT program. This stage involves establishing a clear vision and scope for the EGIT program, obtaining senior management commitment and sponsorship, and setting up a governance structure for the program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 28 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 43 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 24 

The primary role of business leadership when defining the future state in a business case is to assess proposed solutions against goals. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and proposes one or more solutions that can deliver the desired outcomes. Business leadership is responsible for evaluating the feasibility, viability, and desirability of each solution, as well as ensuring alignment with the enterprise’s strategic direction and stakeholder expectations. The role is based on the COBIT 2019 Implementation Guide4, page 31. References: 4: COBIT 2019 Implementation Guide | Digital | English

A guiding principle in the development of COBIT is that COBIT aligns with other related and relevant I&T standards, frameworks and regulations. This is based on the principle of integration, which states that “governance of enterprise I&T should ensure integration into enterprise governance; alignment with other related standards, frameworks and regulations; and provision of a common language for all stakeholders” . COBIT does not include or replace other standards, frameworks or regulations, but rather complements them by providing a holistic and comprehensive approach to governance of enterprise I&T. 

The alignment goal titled “Security of information, processing infrastructure and privacy” is part of the internal dimension of the IT BSC, as it relates to the protection of IT assets and information from unauthorized access, use, disclosure, modification, or destruction2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

 According to the COBIT 2019 Framework: Governance and Management Objectives, one of the good practices with regard to performance management of organizational structures is to ensure that organizational meeting reports/minutes are available and meaningful to ensure transparency. This means that the outcomes and decisions of the meetings are documented and communicated to relevant stakeholders in a timely manner, and that they provide sufficient information to support accountability and learning. Transparency is one of the key principles of effective governance of enterprise I&T.4, p. 32-33 References: 4: COBIT 2019 Framework: Governance and Management Objectives

 Processes are key components of a governance system. Processes are the structured sets of activities that produce outputs or outcomes for achieving specific objectives. Processes define what needs to be done, by whom, when, how, and why. Processes are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

The desired outcome of an EGIT implementation program plan is to ensure that the EGIT projects are aligned with the enterprise’s strategy, objectives, and stakeholder needs, and that they deliver value and benefits to the enterprise. One of the key steps in achieving this outcome is to transition the EGIT projects into the enterprise’s normal development life cycle, which involves ensuring that the projects are integrated with the existing processes, systems, and governance structures, and that they are monitored and controlled for quality, performance, and risk. This will also facilitate the continuous improvement and adaptation of the EGIT projects to changing business needs and environment12 References: 1: COBIT 2019 Implementation Guide, page 49-50 2: COBIT 2019 Design Guide, page 67-68

The high involvement of IT-related roles in organizational structures is a critical requirement when the IT function is strategic and crucial to the success of the business. The IT function is the part of the enterprise that is responsible for planning, delivering, operating, and supporting information and technology services. The IT function can have different levels of strategic importance for the business, depending on the nature, scope, and objectives of the enterprise. When the IT function is strategic and crucial to the success of the business, it means that information and technology are essential for creating value, achieving competitive advantage, enabling innovation, etc. In this case, it is critical to have high involvement of IT-related roles in organizational structures, such as having IT representation at the board level, having clear IT leadership roles and responsibilities, having effective IT governance committees or forums, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

According to the COBIT 2019 Design Guide, before designing an enterprise IT governance system, an organization should first review and understand the enterprise’s strategy. The enterprise’s strategy defines the vision, mission, goals and objectives of the organization, and provides the direction and context for IT governance. The enterprise’s strategy also identifies the key stakeholders, their needs and expectations, and the value proposition of IT to the business.1, p. 16-17 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

When assessing organizational structures, it is most helpful when subcriteria for each criterion are defined and linked to capability levels. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be assessed using six criteria: clarity, comprehensiveness, integration, alignment, authority, and accountability. Each criterion can be further divided into subcriteria that describe the specific aspects or attributes of the criterion. Capability levels are the measures of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. Capability levels can range from 0 (incomplete) to 5 (optimizing). Defining and linking subcriteria to capability levels helps to evaluate the current and desired state of organizational structures, as well as to identify gaps and improvement opportunities.123 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The targeted capability levels are the desired levels of performance that an enterprise wants to achieve for its information and technology governance and management processes, based on its strategy, objectives, needs, and expectations. The targeted capability levels provide a basis for defining the improvement goals and objectives for the processes. The capability-level gap analysis is a process that involves comparing the current capability levels of an enterprise’s information and technology governance and management processes with the targeted capability levels, and identifying the gaps or differences between them. The capability-level gap analysis helps to determine the improvement actions and initiatives that are required to close the gaps and achieve the targeted capability levels. The primary benefit or output derived from setting targeted capability levels and performing a capability-level gap analysis for selected processes is identification of process improvement opportunities. This means that by setting targeted capability levels and performing a capability-level gap analysis for selected processes, an enterprise can identify the areas of weakness or inefficiency in its information and technology governance and management processes, and determine the potential solutions or enhancements that can improve its process performance, quality, value, etc. This will also help to align the information and technology governance system with the enterprise’s strategy and objectives.References: : COBIT 2019 Design Guide: page 53-54 : COBIT 2019 Process Assessment Model: page 11-13

 The most likely underlying cause for an enterprise not having success implementing IT governance because key staff are not participating in planning meetings is lack of senior leadership commitment. Senior leadership commitment is essential for ensuring that IT governance is aligned with the enterprise’s vision, mission, values, and goals, and that it receives adequate resources, support, and oversight. Without senior leadership commitment, IT governance may face resistance, confusion, or indifference from key stakeholders, resulting in poor implementation outcomes. The cause is based on the COBIT 2019 Implementation Guide4, page 25. References: 4: COBIT 2019 Implementation Guide | Digital | English

 The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access, use, disclosure, modification, destruction, or disruption. When tailoring a governance system for an enterprise, one of the most important factors to consider for an operating environment with a high compliance requirement is the threat landscape. The compliance requirement is another design factor that describes the extent and nature of laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirement influences the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the threat landscape in relation to the compliance requirement, an enterprise can ensure that its governance system is appropriate for its risk profile and context, and that it can effectively manage the potential impacts of threats on its compliance status34 References: 3: COBIT 2019 Design Guide: page 41-43 4: COBIT 2019 Design Guide: page 47-48

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.References: : COBIT 2019 Design Guide: page 33-48 : COBIT 2019 Process Assessment Model: page 11-13

The primary purpose of implementing an enterprise governance of information and technology (EGIT) system is to deliver stakeholder value from I&T-enabled investments. An EGIT system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. An I&T-enabled investment is any initiative or project that involves the use of information and technology to create value for the enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. The primary purpose of implementing an EGIT system is to deliver stakeholder value from I&T-enabled investments by ensuring that they align with the enterprise strategy and objectives, optimize risks and resources, achieve expected benefits and outcomes, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

A well-developed business case is essential to help ensure that a project’s benefits are identified and continually monitored. A business case is a document that provides the rationale and evidence for initiating, continuing, or terminating a project or program. A business case typically consists of several elements, such as problem statement, objectives, scope, benefits, costs, risks, assumptions, etc. A well-developed business case helps to ensure that a project’s benefits are identified and continually monitored by defining the expected outcomes or value that will be delivered by the project, as well as the metrics and indicators that will be used to measure and track them.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The governance system design workflow is a workflow that describes how an enterprise can design and implement a governance system using COBIT 2019. The governance system design workflow consists of six steps: determine initial scope; identify relevant design factors; prioritize governance and management objectives; define target capability levels; identify gaps; finalize scope. The governance system design workflow allows for consideration of all design factors in order to develop a customized governance system. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By considering all design factors in the governance system design workflow, an enterprise can ensure that its governance system is appropriate for its context and needs, that it delivers value and benefits to the enterprise and its stakeholders, that it aligns with the relevant standards, guidelines, regulations, best practices, etc., that it meets stakeholder requirements and expectations, etc.References: : COBIT 2019 Design Guide: page 33-48

According to the COBIT 2019 Process Assessment Model, one of the prerequisites for determining performance measures for a process improvement initiative is to perform a process risk assessment. A process risk assessment identifies and evaluates the potential threats and opportunities that may affect the achievement of process objectives. A process risk assessment also helps to prioritize improvement actions based on their impact and likelihood.4, p. 11-12 References: 4: COBIT 2019 Process Assessment Model: Using COBIT 2019

The enterprise goal of compliance with external laws and regulations is aligned to the financial dimension of the balanced scorecard (BSC). The BSC is a strategic performance management tool that helps enterprises to translate their vision and strategy into operational objectives and measures. The BSC consists of four dimensions: financial, customer, internal, and growth. The financial dimension focuses on the financial performance and value creation of the enterprise. Compliance with external laws and regulations is one of the 17 generic enterprise goals defined by COBIT that supports the financial dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access use disclosure modification destruction or disruption. When tailoring a governance system for an enterprise what would be the most appropriate level of threat landscape for an enterprise in the health care sector is high. The health care sector is a sector that provides health care services such as diagnosis treatment prevention rehabilitation etc., to individuals or populations. The health care sector has a high level of threat landscape compared to other sectors such as manufacturing or retail which have lower levels of threat landscape. This is because the health care sector handles sensitive personal data such as medical records health insurance information patient identifiers etc., that are subject to strict privacy and security regulations such as HIPAA GDPR etc., as well as ethical and legal obligations. The health care sector also relies on critical information and technology systems such as electronic health records telemedicine devices medical devices etc., that are essential for delivering quality health care services to patients. The health care sector faces various types of threats such as cyberattacks data breaches identity theft ransomware malware phishing social engineering natural disasters human errors etc., that could compromise its information and technology assets resulting in financial losses reputational damage legal liabilities regulatory penalties patient harm etc. Therefore when tailoring a governance system for an enterprise in the health care sector it is important to consider a high level of threat landscape and design a governance system that can effectively manage the potential impacts of threats on its information and technology assets5 References: 5: COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Design Guide: page 47-48

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

People, skills and competencies are required for successful completion of all activities within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 COBIT addresses governance issues by grouping relevant governance components into objectives that can be managed to a required capability level. This is based on the principle of performance, which states that “governance of enterprise I&T should ensure that I&T performance is measured using relevant metrics; transparently communicated to stakeholders; evaluated against targets; and leads to appropriate management actions” . COBIT does not provide a full description of the entire IT environment or define specific governance strategies and processes, but rather provides a generic and flexible framework that can be adapted to different contexts and situations. 

The primary target audience for COBIT is business and IT management responsible for building and deploying I&T solutions. COBIT is designed to help these managers address the challenges of aligning I&T with business goals, delivering value from I&T, managing I&T risks, optimizing I&T resources, and measuring I&T performance5. COBIT provides a comprehensive and flexible framework that can be adapted to different contexts and situations. COBIT also helps to establish a common language and understanding among business and IT stakeholders6. References: 5: COBIT 2019 Framework: Introduction and Methodology, page 15 6: COBIT 2019 Framework: Introduction and Methodology, page 25

 A primary consideration when addressing new issues within a flexible and open framework is maintaining integrity and consistency. This means that “the framework should be internally consistent; not contain contradictions or ambiguities; be complete in covering all relevant aspects of enterprise governance of I&T; and be coherent in its structure, terminology and presentation” 6. Maintaining integrity and consistency ensures that the framework is reliable, clear, and easy to use for all stakeholders7. References: 6: COBIT 2019 Framework: Introduction and Methodology, page 25 7: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 13

 The IT design factor is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six IT design factors defined in COBIT 2019: strategic; operational; data-driven; compliance-driven; innovation-driven; customer intimacy-driven. Each design factor has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. When considering the role of IT design factor, and the design factor value is strategic, one of the management objectives that should be a priority is managed innovation (APO04), which involves identifying new opportunities for using information and technology to create value for the enterprise. This management objective supports the strategic role of IT in enabling business transformation, differentiation, competitiveness, growth, and sustainability. This management objective also involves establishing an innovation culture and process that encourages creativity, experimentation, collaboration, learning, and improvement5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 57-59

The process ‘Ensured Stakeholder Engagement’ (EDM04) is one of the governance processes in COBIT 2019 that involves establishing transparent communication with stakeholders about their needs and expectations from information and technology governance. This process also involves ensuring stakeholder involvement in governance decision making and monitoring stakeholder satisfaction with governance outcomes. One of the roles that is best suited for this responsibility is the board and executive management, who are the highest-level governance body and decision makers in an enterprise. The board and executive management have a duty to ensure that they understand the needs and expectations of various stakeholders such as shareholders, regulators, customers, employees, suppliers, etc., and that they communicate effectively with them about the enterprise’s strategy, objectives, performance, risks, issues, opportunities, etc., related to information and technology governance. The board and executive management also have a responsibility to involve stakeholders in governance decision making by soliciting their input, feedback, opinions, suggestions, etc., and by considering their interests and perspectives when making governance choices. The board and executive management also have a role in monitoring stakeholder satisfaction with governance outcomes by measuring stakeholder value realization from information and technology investments and initiatives.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 25-27 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

The responsibility for overseeing EGIT structures lies with the board, according to COBIT 2019. The board ensures that the enterprise’s IT governance aligns with strategic objectives, monitors compliance, and oversees risk management. This aligns with the Evaluate, Direct, and Monitor (EDM) domain, which assigns the board the role of setting direction, making high-level decisions, and assessing IT governance effectiveness to align with overall enterprise strategy​.

 An enterprise will often fail to realize implementation commitments during the execution of an EGIT implementation program plan if it focuses on enabling IT value over business value. IT value is the contribution of IT to achieving enterprise objectives, while business value is the overall benefit that the enterprise derives from its use of information and technology. Focusing on IT value over business value may result in a disconnect between IT and business stakeholders, a lack of alignment between IT goals and business strategy, or a failure to deliver expected benefits or outcomes. Therefore, it is important to balance both IT value and business value when implementing a governance system. The answer is based on the COBIT 2019 Implementation Guide3, page 38. References: 3: COBIT 2019 Implementation Guide | Digital | English

 The number of confidentiality incidents causing financial loss, business disruption or public embarrassment would be the best metric to enable an enterprise to evaluate an alignment goal specifically related to security of information and privacy. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. An alignment goal is an intermediate goal that links the enterprise goals with the governance and management objectives. Security of information and privacy is one of the 17 generic alignment goals defined by COBIT that describes how information and technology can support the protection of sensitive information and personal data. The number of confidentiality incidents causing financial loss, business disruption or public embarrassment is a metric that reflects how well this alignment goal is achieved.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The oversight of technology and innovation processes by the board is critical to ensuring I&T-related decisions are aligned with the enterprise’s strategies and objectives. The board is the highest governing body of the enterprise that provides direction, oversight, and accountability for the enterprise’s performance. Technology and innovation processes are the activities that enable the enterprise to leverage information and technology to create value, achieve strategic goals, and respond to changing business needs. The oversight of technology and innovation processes by the board ensures that I&T-related decisions are consistent with the enterprise’s vision, mission, values, policies, and risk appetite.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The Skills Framework for the Information Age (SFIA) has been used as a basis for developing guidance for the COBIT governance component of people, skills and competencies. SFIA is a globally recognized framework that describes the skills required by professionals who work with information and technology2, p. 36. References: 2: COBIT 2019 Framework: Introduction and Methodology