COBIT-2019 COBIT 2019 Foundation Questions and Answers

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

The organizational structures component of the governance system are the key decision-making entities in an enterprise. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be formal or informal, hierarchical or flat, centralized or decentralized, etc. Organizational structures can include entities such as board, executive management, committees, forums, teams, units, etc. The organizational structures component of the governance system are the key decision-making entities in an enterprise by providing authority, accountability, direction, oversight, evaluation, etc., for information and technology.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The enterprise goal of compliance with external laws and regulations is aligned to the financial dimension of the balanced scorecard (BSC). The BSC is a strategic performance management tool that helps enterprises to translate their vision and strategy into operational objectives and measures. The BSC consists of four dimensions: financial, customer, internal, and growth. The financial dimension focuses on the financial performance and value creation of the enterprise. Compliance with external laws and regulations is one of the 17 generic enterprise goals defined by COBIT that supports the financial dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The board of directors is the highest-level governance body in an enterprise that provides strategic direction, oversight, guidance, and approval for information and technology governance. The board of directors is accountable for monitoring the performance of the execution of an EGIT implementation program plan against success metrics and adjusting long-term targets when necessary. This means that the board of directors is responsible for ensuring that the EGIT implementation program plan is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives, and that it delivers the expected value and benefits to the enterprise and its stakeholders. The board of directors is also responsible for reviewing the progress and outcomes of the EGIT implementation program plan on a regular basis, using predefined success metrics such as key performance indicators (KPIs), key goal indicators (KGIs), key risk indicators (KRIs), etc., to measure the achievement of the program objectives and goals. The board of directors is also responsible for adjusting the long-term targets of the EGIT implementation program plan when necessary, based on the changing business needs, environment, risks, opportunities, etc., and ensuring that the program remains relevant and effective.

The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements. An IT governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. The effectiveness of an IT governance system can be reviewed using different methods or tools, such as audits, assessments, surveys, feedbacks, etc. The primary objective of reviewing the effectiveness of a new IT governance system that has been operational for 6 months is to identify further governance requirements that may arise from changes in the internal or external environment, stakeholder needs, business objectives, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

People, skills and competencies are required for good decisions, execution of corrective actions, and successful completion of all activities. This component acts as a primary driver for corrective actions, making it essential for achieving governance or management objectives.

 Processes are key components of a governance system. Processes are the structured sets of activities that produce outputs or outcomes for achieving specific objectives. Processes define what needs to be done, by whom, when, how, and why. Processes are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The initiatives that should be scheduled for completion first when prioritizing improvement initiatives are the ones that are easiest to achieve and will garner business benefits. This approach helps to create quick wins and demonstrate value to the stakeholders, as well as to build momentum and confidence for further improvement efforts. The initiatives should also be aligned with the enterprise’s strategic objectives, risk appetite, and resource constraints. The approach is based on the COBIT 2019 Implementation Guide2, page 37. References: 2: COBIT 2019 Implementation Guide | Digital | English

The final step in governance system design is to define target capability levels for the most critical objectives. The governance system design is the process of designing and implementing a governance system for an enterprise using COBIT 2019. The governance system design involves tailoring the COBIT 2019 components such as principles, enablers, goals, processes, practices, roles, structures, metrics, etc., according to the enterprise’s context and needs. The governance system design also involves considering various design factors such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc., that influence how an enterprise designs and implements its governance system using COBIT 2019. The final step in governance system design is to define target capability levels for the most critical objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The critical objectives are the governance and management objectives that have been prioritized based on the design factors and the stakeholder needs. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By defining target capability levels for the most critical objectives as the final step in governance system design, an enterprise can ensure that it has set realistic and achievable goals for its information and technology governance and management processes that support its strategy and objectives. This will also help to identify the gaps or issues that need to be addressed to enhance the capability levels of the selected processes.

Stakeholder drivers and needs must be defined before determining alignment goals. Stakeholder drivers and needs are the requirements or expectations of the internal or external stakeholders of the enterprise, such as customers, employees, shareholders, regulators, etc. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Alignment goals are derived from the stakeholder drivers and needs, and they reflect how information and technology can support the enterprise strategy and objectives. Therefore, stakeholder drivers and needs must be defined before alignment goals can be determined.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The investment justification element of a business case best enables senior leadership to assess the future success of the IT governance program. A business case is a document that provides the rationale and evidence for initiating, continuing, or terminating a project or program. A business case typically consists of several elements, such as problem statement, objectives, scope, benefits, costs, risks, assumptions, etc. The investment justification element of a business case describes how the project or program aligns with the enterprise strategy and objectives, how it supports the value creation process, how it compares with alternative options, and how it provides a positive return on investment (ROI). The investment justification element enables senior leadership to assess the future success of the IT governance program by showing how it contributes to the enterprise goals and delivers value to the stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

Enterprise strategy cascades to enterprise goals within the COBIT goals cascade. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Enterprise strategy is the high-level direction and guidance that defines how the enterprise will achieve its vision and mission. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Enterprise strategy cascades to enterprise goals through a process of analysis, prioritization, and validation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 As explained in the previous question, the success metrics for the EGIT continual improvement program are identified and defined in the third stage of the EGIT implementation life cycle, which is developing the EGIT implementation program plan. Therefore, the correct answer is D. The other options are incorrect because they refer to different stages of the EGIT implementation life cycle that do not involve defining the success metrics. Option A refers to the second stage, which is defining the EGIT implementation road map. This stage involves identifying and prioritizing the improvement opportunities based on a gap analysis between the current and desired states of EGIT. Option B refers to the fourth stage, which is executing the EGIT implementation program plan. This stage involves implementing the improvement actions according to the plan, monitoring and controlling the progress and outcomes, and reporting on the results. Option C refers to the first stage, which is initiating an EGIT program. This stage involves establishing a clear vision and scope for the EGIT program, obtaining senior management commitment and sponsorship, and setting up a governance structure for the program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 28 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 43 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 24 

 The accountable (A) role drives a given task or process within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The accountable (A) role means being answerable for the outcome or result of a task or process. There should be only one accountable role for each task or process, as having more than one can lead to confusion or conflict. The accountable role drives a given task or process by ensuring that it is performed effectively and efficiently, by providing direction and guidance, by resolving issues or conflicts, by approving changes or exceptions, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The governance system in COBIT 2019 includes various components that support the effective management and control of enterprise IT. "Services, infrastructure, and applications" is one such component, encompassing the physical and virtual tools required for IT operations. This component ensures that the technology systems align with the enterprise's strategic objectives, as outlined in the COBIT core model (specifically in the framework sections on governance components). This is part of delivering and supporting IT services to meet business needs effectively​.

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.

A key principle of an enterprise governance system is that it should focus on all technology and information processing, regardless of where processing takes place. This means that the governance system should cover not only the IT function, but also the business processes, functions, and units that use or rely on I&T. It also means that the governance system should address the external entities that provide or consume I&T services or data, such as customers, suppliers, partners, regulators, etc. COBIT adopts a holistic view of enterprise I&T that encompasses all internal and external stakeholders.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The size of the enterprise is a design factor that describes the scale or magnitude of an enterprise’s information and technology activities in terms of aspects such as number of employees, customers, locations, products, services, processes, systems, data, etc. The size of the enterprise influences the governance and management of information and technology in terms of the level of complexity, diversity, variability, standardization, centralization, decentralization, etc., that are required for its information and technology activities. The key benefit of considering the size of the enterprise when designing governance is targeting capability levels of governance and management objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By considering the size of the enterprise when designing governance, an enterprise can target capability levels of governance and management objectives that are appropriate for its scale and magnitude of information and technology activities. This will also help to optimize its information and technology performance and value delivery12 References: 1: COBIT 2019 Design Guide: page 47-48 2: COBIT 2019 Process Assessment Model: page 11-13

The value generated from the use of I&T reflects a balance among benefits, risk and resources. This is based on the principle of balance, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Value generation is not only about maximizing financial benefits or minimizing costs or risks, but also about optimizing them in relation to the expected outcomes7. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 7: COBIT 2019 Framework: Governance and Management Objectives, page 19

The focus of an enterprise that has a cost leadership strategy design factor is short-term cost minimization. A cost leadership strategy is a competitive strategy that aims to achieve lower costs than competitors by offering standardized products or services at low prices. A cost leadership strategy design factor affects how an enterprise designs its governance system, as it implies a focus on operational efficiency, process automation, economies of scale, outsourcing, etc. An enterprise that has a cost leadership strategy design factor would prioritize short-term cost minimization over long-term cost optimization or medium-term cost equalization.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The figure in option C best illustrates the context of an enterprise governance of information and technology (EGIT) system because it shows how the EGIT system is influenced by the enterprise’s internal and external environment, and how it influences the enterprise’s governance system and IT-related goals. The figure also shows the four EGIT domains: Evaluate, Direct and Monitor (EDM), Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), and Deliver, Service and Support (DSS). The figure is based on the COBIT 2019 Framework1, page 23. References: 1: COBIT 2019 Framework | Digital | English

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The targeted capability levels are the desired levels of performance that an enterprise wants to achieve for its information and technology governance and management processes, based on its strategy, objectives, needs, and expectations. The targeted capability levels provide a basis for defining the improvement goals and objectives for the processes. The capability-level gap analysis is a process that involves comparing the current capability levels of an enterprise’s information and technology governance and management processes with the targeted capability levels, and identifying the gaps or differences between them. The capability-level gap analysis helps to determine the improvement actions and initiatives that are required to close the gaps and achieve the targeted capability levels. The primary benefit or output derived from setting targeted capability levels and performing a capability-level gap analysis for selected processes is identification of process improvement opportunities. This means that by setting targeted capability levels and performing a capability-level gap analysis for selected processes, an enterprise can identify the areas of weakness or inefficiency in its information and technology governance and management processes, and determine the potential solutions or enhancements that can improve its process performance, quality, value, etc. This will also help to align the information and technology governance system with the enterprise’s strategy and objectives.

A guiding principle in the development of COBIT is that COBIT aligns with other related and relevant I&T standards, frameworks and regulations. This is based on the principle of integration, which states that “governance of enterprise I&T should ensure integration into enterprise governance; alignment with other related standards, frameworks and regulations; and provision of a common language for all stakeholders” . COBIT does not include or replace other standards, frameworks or regulations, but rather complements them by providing a holistic and comprehensive approach to governance of enterprise I&T. 

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

The primary target audience for COBIT is business and IT management responsible for building and deploying I&T solutions. COBIT is designed to help these managersaddress the challenges of aligning I&T with business goals, delivering value from I&T, managing I&T risks, optimizing I&T resources, and measuring I&T performance5. COBIT provides a comprehensive and flexible framework that can be adapted to different contexts and situations. COBIT also helps to establish a common language and understanding among business and IT stakeholders6. References: 5: COBIT 2019 Framework: Introduction and Methodology, page 15 6: COBIT 2019 Framework: Introduction and Methodology, page 25

 A primary consideration when addressing new issues within a flexible and open framework is maintaining integrity and consistency. This means that “the framework should be internally consistent; not contain contradictions or ambiguities; be complete in covering all relevant aspects of enterprise governance of I&T; and be coherent in its structure, terminology and presentation” 6. Maintaining integrity and consistency ensures that the framework is reliable, clear, and easy to use for all stakeholders7. References: 6: COBIT 2019 Framework: Introduction and Methodology, page 25 7: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 13

 The focus areas are specific governance topics that are relevant for an enterprise based on its context, needs, and objectives. The focus areas provide guidance on how to apply the COBIT 2019 framework to address specific issues or challenges related to information and technology governance. The focus areas also help to tailor the COBIT 2019 framework to suit the enterprise’s specific governance system design. Therefore, when an enterprise is designing a specific governance system that is using diverse technology deployments with multiple domains of business operations, the expected deliverable when tailoring the COBIT 2019 framework is the focus area guidance. The focus area guidance will help the enterprise to select and prioritize the relevant focus areas that match its governance needs and objectives, and to customize the COBIT 2019 components such as principles, enablers, goals, processes, practices, etc., according to the focus area requirements12 References: 1: COBIT 2019 Design Guide, page 51-52 2: COBIT 2019 Framework: Introduction and Methodology, page 27-28

The primary purpose of reexamining the IT strategic plan after IT governance has been operating for three years and is satisfactorily achieving desired outcomes is to assess improvement opportunities. The IT strategic plan is a document that defines the vision, mission, goals, objectives, strategies, and tactics for IT governance and management, as well as the alignment with the enterprise’s business strategy. By reexamining the plan periodically, the enterprise can identify any changes in the internal or external environment that may affect IT governance, as well as any areas for enhancement or optimization. The purpose is based on the COBIT 2019 Implementation Guide3, page 26. References: 3: COBIT 2019 Implementation Guide | Digital | English

 A managed system of internal controls is most important to providing trust in operations, confidence in the achievement of enterprise objectives, and an adequate understanding of residual risk. A system of internal controls is a set of policies, procedures, practices, tools, techniques, etc., that are designed to provide reasonable assurance that an enterprise will achieve its objectives, prevent or detect errors or fraud, comply with laws and regulations, safeguard assets, etc. A managed system of internal controls means that the system is regularly monitored, evaluated, updated, and improved to ensure its effectiveness and efficiency.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 An element of governance is evaluating stakeholder needs to determine enterprise objectives. This is based on the principle of stakeholder value, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Evaluating stakeholder needs involves identifying who the stakeholders are, what their interests and expectations are, and how they can influence or be influenced by the enterprise’s activities2. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 2: COBIT 2019 Framework: Governance and Management Objectives, page 18

The process activities component of governance and management objectives includes the expected capability level. A process activity is a specific task or action that contributes to achieving a process outcome or objective. A capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capability level can range from 0 (incomplete) to 5 (optimizing). Each governance and management objective in COBIT defines a set of process activities that are required to achieve it, as well as an expected capability level for each activity.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

The best way to determine whether IT governance is achieving intended outcomes one year after implementation is to evaluate performance measurements identified in the business case. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and specifies the key performance indicators (KPIs) and target values that will be used to measure and monitor the outcomes. By comparing the actual performance results with the expected results, the enterprise can assess the effectiveness and efficiency of IT governance and identify any gaps or issues that need to be addressed. The way is based on the COBIT 2019 Implementation Guide1, page 32. References: 1: COBIT 2019 Implementation Guide | Digital | English

 A key consideration when finalizing a governance system design with competing priorities is that the enterprise should be prepared to deviate from previously identified priorities with justified reasons. According to the COBIT 2019 Design Guide, competing priorities are one of the common challenges that enterprises face when designing a governance system. Competing priorities may arise from different stakeholder expectations, requirements, preferences, perspectives, or interests. The COBIT 2019 Design Guide recommends that enterprises use a structured approach to resolve competing priorities, such as the COBIT 2019 Governance System Design Workflow. The workflow helps enterprises to identify and prioritize their improvement opportunities based on a gap analysis between their current and desired states of governance. However, the workflow also allows enterprises to adjust their priorities as needed during the design process, as long as they provide clear and rational reasons for doing so. For example, enterprises may deviate from their initial priorities due to changes in the business environment, stakeholder feedback, new insights, or emerging issues. The deviation from previously identified priorities should be documented and communicated to all relevant stakeholders to ensure transparency and alignment. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 32 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 34

 The Align, Plan and Organize (APO) domain incorporates managed risk as one of its management objectives. The APO domain covers the activities related to aligning IT strategy with business strategy, planning IT resources and capabilities, organizing IT governance structures and processes, managing IT performance, innovation, risk, quality, human resources, security, information, services, etc. The APO domain consists of 13 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The number of business processing hours lost due to unplanned service interruptions would be an appropriate metric associated with an enterprise goal of business service continuity and availability. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. Business service continuity and availability is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that critical business services are delivered at agreed levels and are resilient to disruptions. The number of business processing hours lost due to unplanned service interruptions is a metric that reflects how well this outcome is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

An enterprise that has been consistently growing over the years and has decided to adapt the COBIT framework from the growth perspective of the balanced scorecard dimensions should select product and business innovation as one of its most relevant enterprise goals. The balanced scorecard is a tool that translates strategic objectives into four dimensions: financial, customer, internal, and growth. The growth dimension focuses on how the enterprise can create new products or services, enter new markets, or improve its processes or capabilities to achieve long-term success. Product and business innovation is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to enhancing customer satisfaction and loyalty by providing innovative solutions that meet their needs and expectations. The answer is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

 A due diligence review is a process that involves conducting a comprehensive analysis and assessment of an enterprise’s information and technology assets, capabilities, risks, issues, opportunities, etc., before making a significant decision or transaction. A due diligence review helps to ensure that an enterprise has a clear understanding of the current state and potential impacts of its information and technology activities on its strategy, objectives, performance, value, etc., as well as on its compliance with relevant laws, regulations, standards, guidelines, contracts, or agreements. It is critical to perform a due diligence review following a merger, acquisition, or divestiture event. A merger is an event that involves combining two or more enterprises into one entity. An acquisition is an event that involves one enterprise purchasing another enterprise or its assets. A divestiture is an event that involves one enterprise selling or transferring part of its business or assets to another enterprise. By performing a due diligence review following a merger acquisition or divestiture event an enterprise can ensure that it has identified and addressed any information and technology related risks issues gaps etc., that may arise from theintegration or separation of information and technology assets capabilities processes systems structures culture etc., that it has aligned its information and technology governance and management with its new strategy objectives needs expectations etc., that it has optimized its information and technology performance and value delivery etc34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

The primary purpose for aligning role descriptions to the enterprise’s business context, organization and operating environment when tailoring the COBIT organizational structure is to assign levels of accountability and responsibility for governance and management activities. This purpose helps to ensure that roles are clearly defined, communicated, understood, and accepted by all stakeholders, and that there are no gaps or overlaps in roles. The purpose is based on the COBIT 2019 Implementation Guide5, page 45. References: 5: COBIT 2019 Implementation Guide | Digital | English

 The COBIT principle that addresses the need to consider how changes in technology or strategy impact the enterprise governance system as a whole is that a governance system should be dynamic. This principle states that “a governance system should be responsive to changing stakeholder needs, conditions and options; adaptable to changing circumstances; able to learn from experience; and innovative in supporting continual improvement” 4. A dynamic governance system can anticipate and respond to changes in the internal and external environment, such as new technologies, business models, risks, or opportunities5. References: 4: COBIT 2019 Framework: Introduction and Methodology, page 23 5: COBIT 2019 Framework: Governance and Management Objectives, page 20

The IT governance implementation approach that should be utilized in order to achieve maximum enterprise benefits is treating implementation as a program. A program is a coordinated set of projects and activities that are designed to achieve a specific set of objectives within a defined scope, time frame, and budget. Treating implementation as a program helps to ensure that IT governance is planned, executed, monitored, controlled, and evaluated in a systematic and consistent manner, following best practices and standards. The approach is based on the COBIT 2019 Implementation Guide5, page 29. References: 5: COBIT 2019 Implementation Guide | Digital | English

 A principle associated with the key components of a governance framework is that key components should function independently to maintain integrity. Key components include governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), and governance outcomes (such as value creation, risk optimization, resource optimization, etc.). These components should operate independently from each other to avoid conflicts of interest, bias, or undue influence. They should also have clear roles, responsibilities, authorities, and accountabilities. COBIT ensures the independence of key components by defining their relationships and interactions in a transparent and consistent manner.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The initial scope of a governance system is the extent and boundaries of the governance system that an enterprise intends to design and implement using COBIT 2019. The initial scope helps to define the focus and direction of the governance system design process, as well as the resources and efforts required for its implementation. One of the key considerations when determining the initial scope of a governance system is the compliance requirements faced by the enterprise. The compliance requirements are the laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirements influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance requirements when determining the initial scope of a governance system, an enterprise can ensure that its governance system is appropriate for its context and objectives, and that it can effectively manage the potential impacts of non-compliance on its reputation, performance, value, and stakeholder trust.

The performance measurements are the indicators that measure the progress and outcomes of the EGIT implementation program plan against the predefined success criteria such as key performance indicators (KPIs), key goal indicators (KGIs), key risk indicators (KRIs), etc. The performance measurements help to evaluate the effectiveness, efficiency, and value of the EGIT implementation program plan, as well as to identify and address any issues, risks, or gaps that may arise during the execution of the program. The projects that should be included when reporting on performance measurements related to an EGIT implementation program plan are all projects deemed appropriate by IT management. IT management is the function that is responsible for planning, organizing, directing, controlling, and monitoring the information and technology activities in an enterprise. IT management is also responsible for selecting, prioritizing, balancing, monitoring, evaluating, and optimizing information and technology investments and initiatives that support business strategy and objectives. IT management has the authority and discretion to decide which projects are relevant and important for reporting on performance measurements related to an EGIT implementation program plan, based on factors such as project scope, size, complexity, duration, cost, risk, interdependencies, alignment, value, etc. By including all projects deemed appropriate by IT management when reporting on performance measurements related to an EGIT implementation program plan, the enterprise can ensure that the report covers the most significant and critical aspects of the program, and that it provides a comprehensive and accurate picture of the program status and performance12 References: 1: COBIT 2019 Implementation Guide: page 51-52 2: COBIT 2019 Framework: Governance and Management Objectives: page 20-21

The planning for a new governance framework requires defining the inputs that will guide the design and implementation of the framework. One of the most important inputs is the enterprise goals, which are the high-level statements of what the enterprise wants to achieve in terms of its mission, vision, values, and strategy. The enterprise goals provide the direction and purpose for the governance framework, and help to align the governance objectives, enablers, principles, and practices with the enterprise’s needs and expectations. The enterprise goals also help to identify the relevant stakeholders, their roles and responsibilities, and their requirements and expectations from the governance framework34 References: 3: COBIT 2019 Framework: Introduction and Methodology, page 25-26 4: COBIT 2019 Design Guide, page 23-24

The process practices that include inputs and outputs comprise the information flow component of a governance system. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance system consists of seven components: governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), governance outcomes (such as value creation, risk optimization, resource optimization, etc.), information flow (the exchange of information among components), culture (the shared values, beliefs, norms, and attitudes), ethical behavior (the conduct that conforms to moral principles), stakeholder needs (the requirements or expectations of internal or external stakeholders). The information flow component comprises the process practices that include inputs and outputs thatenable the exchange of information among components.14 References: COBIT 2019Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The information security function within the IT corporate structure is responsible for classifying information using an agreed-upon classification scheme for a new data collection system. According to the COBIT 2019 Implementation Guide, information security is one of the key enablers of IT governance and management, and it includes the processes and practices for ensuring the confidentiality, integrity, and availability of information assets. One of the activities of information security is to define and implement an information classification scheme that categorizes information based on its sensitivity, criticality, and value to the enterprise. This scheme helps to determine the appropriate level of protection and controls for different types of information, especially for new data collection systems that may involve personal or sensitive data. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 62 .

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The role or structure formed by a group of stakeholders and experts accountable for guiding IT-related matters and decisions is the executive committee. This committee is responsible for setting the direction, policies, and objectives for IT governance and management, as well as overseeing the performance, risk, and compliance of IT. The committee is composed of senior executives from both business and IT functions, and may also include external advisors or experts. The committee is based on the COBIT 2019 Implementation Guide1, page 43. References: 1: COBIT 2019 Implementation Guide | Digital | English

The primary objective of implementing the process of managed innovation is to improve customer experience by identifying and realizing new opportunities for business value creation from information and technology. This process involves scanning the external environment for emerging trends and technologies, engaging with stakeholders to understand their needs and expectations, evaluating and prioritizing innovative ideas, and executing and monitoring innovation initiatives. The process is based on the COBIT 2019 Design Guide1, page 75. References: 1: COBIT 2019 Design Guide | Digital | English

The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. One of the important components for an enterprise strategy archetype of growth/acquisition is support for the portfolio management role with an investment office. Growth/acquisition is a strategy archetype that emphasizes expanding market share, revenue, customer base, or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investments and initiatives that support business growth or acquisition objectives. Portfolio management involves selecting, prioritizing, balancing, monitoring, evaluating, and optimizing information and technology investments and initiatives based on their alignment with business strategy, value delivery potential, risk exposure, resource availability, interdependencies, etc. Portfolio management also involves ensuring that information and technology investments and initiatives are integrated with business processes, systems, structures, culture, etc., especially in case of mergers or acquisitions. Support for the portfolio management role with an investment office means providing a dedicated function or unit that assists the portfolio manager in performing portfolio management activities such as planning, analysis, decision making, reporting, etc., as well as providing guidance, tools, methods, frameworks, standards, best practices etc., for portfolio management5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

 After IT department goals have been aligned with enterprise goals, the next step is to link the alignment goals with governance and management objectives. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Alignment goals are derived from the enterprise goals, which reflect the stakeholder drivers and needs. Governance and management objectives are derived from the alignment goals, which reflect how information and technology can support the enterprise strategy and objectives.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 People, skills and competencies are essential for effective decision making within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System