COBIT-2019 Questions and Answers

 According to the COBIT 2019 Framework: Introduction and Methodology, a maturity level is a performance measure that is used to assess a specific focus area. A focus area is a topic that is relevant for governance and management of enterprise information and technology (I&T), such as cybersecurity, privacy or digital transformation. A maturity level indicates the extent to which a focus area is implemented and integrated in the enterprise’s governance system. There are six maturity levels defined in COBIT 2019, ranging from 0 (incomplete) to 5 (optimized).3, p. 77-78 References: 3: COBIT 2019 Framework: Introduction and Methodology

The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. There are four IT implementation methods defined in COBIT 2019: traditional, agile, DevOps, and hybrid. Each method has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The IT implementation method that requires the highest level of participation by users at multiple stages of software development is agile. Agile is an IT implementation method that emphasizes flexibility, adaptability, collaboration, customer satisfaction, and value delivery. One of the characteristics of agile is that it involves frequent and direct interaction with users throughout the software development life cycle, from requirements gathering to testing to deployment. Users are considered as key stakeholders who provide feedback, input, validation, verification, acceptance, and evaluation of the IT solutions. Users are also involved in prioritizing the features and functionalities of the IT solutions based on their needs and expectations. Agile aims to deliver IT solutions that meet user requirements and expectations in a timely and cost-effective manner.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 67-69

The alignment goal titled “Knowledge, expertise and initiatives for business innovation” is aligned to the Learning and Growth dimension of the IT balanced scorecard (BSC). The IT BSC is a tool that translates the IT-related goals into a set of performance indicators that can be measured and monitored. The Learning and Growth dimension focuses on the capabilities and skills of the IT staff, as well as the culture and climate that foster innovation and learning. The alignment goal is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

The alignment goal titled “Security of information, processing infrastructure and privacy” is part of the internal dimension of the IT BSC, as it relates to the protection of IT assets and information from unauthorized access, use, disclosure, modification, or destruction2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

 A due diligence review is a process that involves conducting a comprehensive analysis and assessment of an enterprise’s information and technology assets, capabilities, risks, issues, opportunities, etc., before making a significant decision or transaction. A due diligence review helps to ensure that an enterprise has a clear understanding of the current state and potential impacts of its information and technology activities on its strategy, objectives, performance, value, etc., as well as on its compliance with relevant laws, regulations, standards, guidelines, contracts, or agreements. It is critical to perform a due diligence review following a merger, acquisition, or divestiture event. A merger is an event that involves combining two or more enterprises into one entity. An acquisition is an event that involves one enterprise purchasing another enterprise or its assets. A divestiture is an event that involves one enterprise selling or transferring part of its business or assets to another enterprise. By performing a due diligence review following a merger acquisition or divestiture event an enterprise can ensure that it has identified and addressed any information and technology related risks issues gaps etc., that may arise from the integration or separation of information and technology assets capabilities processes systems structures culture etc., that it has aligned its information and technology governance and management with its new strategy objectives needs expectations etc., that it has optimized its information and technology performance and value delivery etc34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

 According to Capability Maturity Model Integration (CMMI), Level 2 within the five maturity levels for processes best describes the outcome of the process achieving its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. CMMI is a process improvement approach that provides organizations with the essential elements of effective processes. CMMI defines five maturity levels for processes, from 1 (initial) to 5 (optimizing). Level 2 (managed) means that the process is planned and executed in accordance with policy; employs skilled people who have adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.12 References: CMMI for Development, Version 1.3, CMMI Institute - Capability Maturity Model Integration

 An actionable strategy and governance system enables an enterprise to maximize value from the use of I&T by providing direction, alignment, oversight, and performance measurement. A strategy defines the enterprise’s vision, mission, goals, and objectives, and how I&T can support them. A governance system ensures that the strategy is implemented effectively and efficiently, and that the outcomes are monitored and evaluated. COBIT provides a comprehensive governance system for enterprise I&T that covers all aspects of governance, management, and enablers.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The primary purpose of implementing an enterprise governance of information and technology (EGIT) system is to deliver stakeholder value from I&T-enabled investments. An EGIT system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. An I&T-enabled investment is any initiative or project that involves the use of information and technology to create value for the enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. The primary purpose of implementing an EGIT system is to deliver stakeholder value from I&T-enabled investments by ensuring that they align with the enterprise strategy and objectives, optimize risks and resources, achieve expected benefits and outcomes, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 An element of governance is evaluating stakeholder needs to determine enterprise objectives. This is based on the principle of stakeholder value, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Evaluating stakeholder needs involves identifying who the stakeholders are, what their interests and expectations are, and how they can influence or be influenced by the enterprise’s activities2. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 2: COBIT 2019 Framework: Governance and Management Objectives, page 18

The final step in governance system design is to define target capability levels for the most critical objectives. The governance system design is the process of designing and implementing a governance system for an enterprise using COBIT 2019. The governance system design involves tailoring the COBIT 2019 components such as principles, enablers, goals, processes, practices, roles, structures, metrics, etc., according to the enterprise’s context and needs. The governance system design also involves considering various design factors such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc., that influence how an enterprise designs and implements its governance system using COBIT 2019. The final step in governance system design is to define target capability levels for the most critical objectives. The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization, etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The critical objectives are the governance and management objectives that have been prioritized based on the design factors and the stakeholder needs. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. By defining target capability levels for the most critical objectives as the final step in governance system design, an enterprise can ensure that it has set realistic and achievable goals for its information and technology governance and management processes that support its strategy and objectives. This will also help to identify the gaps or issues that need to be addressed to enhance the capability levels of the selected processes.References: : COBIT 2019 Design Guide: page 53-54 : COBIT 2019 Process Assessment Model: page 11-13

The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance. Principles are the fundamental norms or rules that guide decision-making and actions. Policies are the statements of intent or direction that define what is expected or required. Frameworks are the conceptual models or structures that define the key elements, relationships, and principles of a system. The principles, policies and frameworks component of a governance system translates desired behavior into practical guidance by providing a consistent and coherent basis for information and technology governance and management.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The Skills Framework for the Information Age (SFIA) has been used as a basis for developing guidance for the COBIT governance component of people, skills and competencies. SFIA is a globally recognized framework that describes the skills required by professionals who work with information and technology2, p. 36. References: 2: COBIT 2019 Framework: Introduction and Methodology

 An enterprise will often fail to realize implementation commitments during the execution of an EGIT implementation program plan if it focuses on enabling IT value over business value. IT value is the contribution of IT to achieving enterprise objectives, while business value is the overall benefit that the enterprise derives from its use of information and technology. Focusing on IT value over business value may result in a disconnect between IT and business stakeholders, a lack of alignment between IT goals and business strategy, or a failure to deliver expected benefits or outcomes. Therefore, it is important to balance both IT value and business value when implementing a governance system. The answer is based on the COBIT 2019 Implementation Guide3, page 38. References: 3: COBIT 2019 Implementation Guide | Digital | English

 IT governance implementation risk is best managed throughout the life cycle of the implementation. IT governance implementation risk is the possibility of negative consequences or outcomes that may arise from the design, execution, evaluation, or improvement of the IT governance system. The life cycle of IT governance implementation is a continuous process that involves four phases: what are the drivers, where are we now, where do we want to be, and how do we get there. IT governance implementation risk should be managed throughout the life cycle by identifying, analyzing, evaluating, treating, monitoring, and communicating the risks that may affect the success of the implementation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

The benefit derived from the use of COBIT that provides insight on how to derive value from the use of I&T is primarily associated with an internal stakeholder. An internal stakeholder is a person or group within an enterprise that has an interest or concern in its activities or outcomes. Examples of internal stakeholders are board members, executives, managers, employees, etc. An internal stakeholder would benefit from using COBIT by gaining insight on how to derive value from the use of I&T because it would help them to align I&T with business requirements, optimize costs and resources, enhance performance and outcomes, etc.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Stakeholder Needs

 A capability maturity model is a tool that assesses how well a process is implemented and performing at a given level, ranging from 0 (non-existent) to 5 (optimized). Each level defines a set of attributes that describe the characteristics of the process at that level, such as process performance, process documentation, process control, process measurement, etc. The model is based on the COBIT 2019 Process Assessment Model4, page 11. References: 4: COBIT 2019 Process Assessment Model | Digital | English

An important component for an enterprise strategy archetype of cost leadership as defined by COBIT 2019 is support for the portfolio management role with an investment office. According to the COBIT 2019 Design Guide, cost leadership is one of the four generic enterprise strategy archetypes that describe how enterprises compete in their markets. Cost leadership means that an enterprise aims to offer the lowest prices for its products or services by minimizing its costs and maximizing its efficiency. One of the design factors that influence the governance system for a cost leadership strategy is the organizational structures. The COBIT 2019 Design Guide suggests that a cost leadership strategy requires a centralized and standardized organizational structure that supports the portfolio management role with an investment office. The portfolio management role is responsible for selecting, prioritizing, and balancing the IT investments that align with the enterprise strategy and objectives. The investment office is a function that assists the portfolio management role by providing financial analysis, reporting, and decision support. The support for the portfolio management role with an investment office helps to ensure that the IT investments are optimized for cost and value. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 48 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 51 

The EGIT implementation life cycle consists of four stages: initiating an EGIT program, defining the EGIT implementation road map, developing the EGIT implementation program plan, and executing the EGIT implementation program plan. The third stage, developing the EGIT implementation program plan, involves identifying and defining the success metrics for the EGIT continual improvement program. These metrics should be aligned with the enterprise goals and objectives, and should measure the performance and outcomes of the EGIT processes and practices. The success metrics should also be SMART (specific, measurable, achievable, relevant, and time-bound), and should be communicated to all stakeholders involved in the EGIT program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 26 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 41 

According to the COBIT 2019 Design Guide, before designing an enterprise IT governance system, an organization should first review and understand the enterprise’s strategy. The enterprise’s strategy defines the vision, mission, goals and objectives of the organization, and provides the direction and context for IT governance. The enterprise’s strategy also identifies the key stakeholders, their needs and expectations, and the value proposition of IT to the business.1, p. 16-17 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The Goals Cascade model illustrates how enterprise goals cascade to alignment goals and then to governance and management objectives. Each governance or management objective supports the achievement of one or more alignment goals that are related to larger enterprise goals. The alignment goals are derived from the balanced scorecard (BSC) dimensions of financial, customer, internal, and learning and growth1, p. 16. References: 1: COBIT 2019 Framework: Governance and Management Objectives

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

 Risk management focuses on the preservation of value, while value delivery focuses on the creation of value. Value is the benefit that an enterprise derives from using information and technology. Value can be measured in terms of effectiveness, efficiency, quality, innovation, etc. Value delivery is the process of ensuring that information and technology investments and services contribute to the achievement of enterprise goals and objectives. Value delivery focuses on the creation of value by aligning I&T with business requirements, optimizing costs and resources, enhancing performance and outcomes, etc. Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Risk management focuses on the preservation of value by ensuring that risks are within acceptable levels, that opportunities are exploited, that uncertainties are reduced, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

According to the COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution, one of the most significant drivers to be considered when refining the scope of a new IT governance system during the design phase is cloud versus on-premises services. This driver reflects the different delivery models of I&T services, such as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS) or on-premises solutions. The choice of delivery model has implications for governance objectives, roles, responsibilities, policies, processes, controls, risks and performance measures.5, p. 40-41 References: 5: COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

An enterprise that has been consistently growing over the years and has decided to adapt the COBIT framework from the growth perspective of the balanced scorecard dimensions should select product and business innovation as one of its most relevant enterprise goals. The balanced scorecard is a tool that translates strategic objectives into four dimensions: financial, customer, internal, and growth. The growth dimension focuses on how the enterprise can create new products or services, enter new markets, or improve its processes or capabilities to achieve long-term success. Product and business innovation is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to enhancing customer satisfaction and loyalty by providing innovative solutions that meet their needs and expectations. The answer is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

 The IT design factor is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six IT design factors defined in COBIT 2019: strategic; operational; data-driven; compliance-driven; innovation-driven; customer intimacy-driven. Each design factor has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. When considering the role of IT design factor, and the design factor value is strategic, one of the management objectives that should be a priority is managed innovation (APO04), which involves identifying new opportunities for using information and technology to create value for the enterprise. This management objective supports the strategic role of IT in enabling business transformation, differentiation, competitiveness, growth, and sustainability. This management objective also involves establishing an innovation culture and process that encourages creativity, experimentation, collaboration, learning, and improvement5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 57-59

To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience and a thorough understanding of the entire enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. Examples of stakeholders are board members, executives, managers, employees, customers, suppliers, regulators, etc. To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience in I&T governance or management practices, as well as a thorough understanding of the entire enterprise’s vision, mission, values, goals, objectives, strategies, processes, culture, etc. This would help them to apply the COBIT framework effectively and efficiently to their specific context and needs.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Stakeholder Needs]

 In most cases, management of the enterprise is the responsibility of the executive management team. The executive management team consists of senior managers who are accountable for implementing the strategies and policies set by the board or other governing body. They are also responsible for planning, organizing, directing, controlling, and reporting on the enterprise’s operations3. The executive management team may delegate some of their management responsibilities to other managers or staff, but they remain ultimately accountable for the outcomes4. References: 3: COBIT 2019 Framework: Introduction and Methodology, page 28 4: COBIT 2019 Framework: Governance and Management Objectives, page 21

 A principle associated with the key components of a governance framework is that key components should function independently to maintain integrity. Key components include governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), and governance outcomes (such as value creation, risk optimization, resource optimization, etc.). These components should operate independently from each other to avoid conflicts of interest, bias, or undue influence. They should also have clear roles, responsibilities, authorities, and accountabilities. COBIT ensures the independence of key components by defining their relationships and interactions in a transparent and consistent manner.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The management objective APO09 Managed Service Agreements involves ensuring that IT services are delivered in accordance with agreed-upon service levels and costs. This management objective covers the activities of defining, negotiating, establishing, monitoring, reporting, and reviewing service agreements between service providers and service consumers. This management objective is most relevant for an enterprise that plans to outsource all of its noncore IT operations but wants to ensure the proper level of governance, risk and compliance (GRC) controls. By applying this management objective, the enterprise can improve its service governance and management capabilities, ensure alignment of IT services with business strategy and objectives, enhance service performance and outcomes, and increase service consumer satisfaction and value realization. This management objective also involves ensuring that the outsourced IT services comply with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern the information and technology activities of the enterprise, as well as with the enterprise’s policies, procedures, processes, practices, etc. This management objective also involves managing the risks associated with outsourcing IT services such as loss of control, vendor lock-in, quality issues, security breaches, etc.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives: page 63-65 : COBIT 2019 Implementation Guide: page 49-50

The process activities component of governance and management objectives includes the expected capability level. A process activity is a specific task or action that contributes to achieving a process outcome or objective. A capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capability level can range from 0 (incomplete) to 5 (optimizing). Each governance and management objective in COBIT defines a set of process activities that are required to achieve it, as well as an expected capability level for each activity.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six strategy archetypes defined in COBIT 2019: customer intimacy, product leadership, operational excellence, compliance-driven, data-driven, and innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The best approach when determining which strategy archetype most closely aligns with an enterprise’s own strategy is to select the one that reflects the enterprise’s information and technology risk profile, which is another design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. By selecting the strategy archetype that matches the risk profile, an enterprise can ensure that its governance framework is appropriate for its context and objectives5 References: 5: COBIT 2019 Design Guide, page 35-39 : COBIT 2019 Design Guide, page 41-43

The management objective related to optimization of system performance is managed availability and capacity. A management objective is a desired outcome of the management processes for information and technology. Managed availability and capacity is one of the 40 management objectives defined by COBIT that describes how to ensure that I&T services are delivered at agreed levels, as well as optimized for current and future needs.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework. A governance framework is a conceptual model or structure that defines the key elements, relationships, and principles of a governance system. A proper governance framework should follow certain principles or guidelines that ensure its effectiveness, efficiency, and alignment with the enterprise goals and objectives. The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework because it helps to ensure that the governance system can adapt to changes in the internal or external environment, stakeholder needs, business objectives, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 After IT department goals have been aligned with enterprise goals, the next step is to link the alignment goals with governance and management objectives. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Alignment goals are derived from the enterprise goals, which reflect the stakeholder drivers and needs. Governance and management objectives are derived from the alignment goals, which reflect how information and technology can support the enterprise strategy and objectives.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

Ensuring the program team knows and understands the enterprise goals is a part of the “Where do we want to be?” phase of the implementation. The implementation of a governance system is divided into seven phases, each with a set of activities and outputs. The “Where do we want to be?” phase involves defining the desired outcomes and target state of the governance system, based on the enterprise’s vision, mission, values, and goals. One of the activities in this phase is to ensure that the program team is aware of and aligned with the enterprise goals, as well as their roles and responsibilities in achieving them. The answer is based on the COBIT 2019 Implementation Guide2, page 34. References: 2: COBIT 2019 Implementation Guide | Digital | English

 One of the benefits derived from the use of COBIT is that it helps to ensure compliance with applicable rules and regulations. This benefit is primarily associated with an external stakeholder, such as a regulator, auditor, customer, or partner, who expects the enterprise to adhere to certain standards and requirements. COBIT provides guidance on how to align the governance and management of enterprise IT with relevant laws, regulations, and contractual obligations12. COBIT also helps to establish and maintain a compliance culture and program within the enterprise3. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 17 2: COBIT 2019 Framework: Governance and Management Objectives, page 19 3: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 77

The primary target audience for COBIT is business and IT management responsible for building and deploying I&T solutions. COBIT is designed to help these managers address the challenges of aligning I&T with business goals, delivering value from I&T, managing I&T risks, optimizing I&T resources, and measuring I&T performance5. COBIT provides a comprehensive and flexible framework that can be adapted to different contexts and situations. COBIT also helps to establish a common language and understanding among business and IT stakeholders6. References: 5: COBIT 2019 Framework: Introduction and Methodology, page 15 6: COBIT 2019 Framework: Introduction and Methodology, page 25

The governance system in COBIT 2019 includes various components that support the effective management and control of enterprise IT. "Services, infrastructure, and applications" is one such component, encompassing the physical and virtual tools required for IT operations. This component ensures that the technology systems align with the enterprise's strategic objectives, as outlined in the COBIT core model (specifically in the framework sections on governance components). This is part of delivering and supporting IT services to meet business needs effectively​.

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The targeted capability levels are the desired levels of performance that an enterprise wants to achieve for its information and technology governance and management processes, based on its strategy, objectives, needs, and expectations. The targeted capability levels provide a basis for defining the improvement goals and objectives for the processes. The capability-level gap analysis is a process that involves comparing the current capability levels of an enterprise’s information and technology governance and management processes with the targeted capability levels, and identifying the gaps or differences between them. The capability-level gap analysis helps to determine the improvement actions and initiatives that are required to close the gaps and achieve the targeted capability levels. The primary benefit or output derived from setting targeted capability levels and performing a capability-level gap analysis for selected processes is identification of process improvement opportunities. This means that by setting targeted capability levels and performing a capability-level gap analysis for selected processes, an enterprise can identify the areas of weakness or inefficiency in its information and technology governance and management processes, and determine the potential solutions or enhancements that can improve its process performance, quality, value, etc. This will also help to align the information and technology governance system with the enterprise’s strategy and objectives.References: : COBIT 2019 Design Guide: page 53-54 : COBIT 2019 Process Assessment Model: page 11-13

When assessing organizational structures, it is most helpful when subcriteria for each criterion are defined and linked to capability levels. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be assessed using six criteria: clarity, comprehensiveness, integration, alignment, authority, and accountability. Each criterion can be further divided into subcriteria that describe the specific aspects or attributes of the criterion. Capability levels are the measures of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. Capability levels can range from 0 (incomplete) to 5 (optimizing). Defining and linking subcriteria to capability levels helps to evaluate the current and desired state of organizational structures, as well as to identify gaps and improvement opportunities.123 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 The responsible ® role fulfills the practice and creates the intended outcome within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The responsible ® role means performing or overseeing a task or process. There can be more than one responsible role for each task or process, but they must be coordinated by the accountable role. The responsible role fulfills the practice and creates the intended outcome by executing or supervising the process activities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The people, skills and competencies component of governance identifies the human resource needs that must be met to achieve governance and management objectives. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. The people, skills and competencies component of governance defines the required roles and organizational structures for each governance and management objective, as well as the skills and competencies that are needed for each role.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 People, skills and competencies are essential for effective decision making within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The enterprise goal titled “Optimization of Business Process Costs” is aligned to the internal dimension of the balanced scorecard (BSC). The internal dimension focuses on the efficiency and effectiveness of the business processes that deliver value to customers and stakeholders. Optimization of business process costs is one of the 17 generic enterprise goals defined by COBIT that supports the internal dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 A quantitative approach involves numeric mapping tables created for each of the design factors. According to the COBIT 2019 Design Guide, a quantitative approach is one of the four possible approaches for designing a governance system based on the design factors. A design factor is a characteristic of the enterprise that influences how the governance system should be designed. A quantitative approach uses numeric values to represent the impact of each design factor on the governance components, such as processes, organizational structures, roles, and practices. The numeric values are derived from mapping tables that show how each design factor affects each governance component. The mapping tables are based on empirical data, expert judgment, or best practices. The quantitative approach helps to provide a more objective and consistent way of designing a governance system that is tailored to the enterprise context and needs. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 54 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 56

 The primary reason for management to conduct a process capability assessment is to better understand the current state as compared to the target state. A process capability assessment is a method of measuring and evaluating how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A process capability assessment can be done using different models or frameworks, such as CMMI or ISO/IEC 15504. A process capability assessment helps management to better understand the current state of a process by identifying its strengths, weaknesses, gaps, and improvement opportunities. A process capability assessment also helps management to compare the current state with the target state, which is the desired level of performance or outcome for a process.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT Process Assessment Model (PAM): Using COBIT 5

 Culture, ethics and behavior are the most likely components of a governance system to be underestimated as factors in the success of governance and management activities. Culture, ethics and behavior are the shared values, beliefs, norms, and attitudes that influence how people behave and interact within an enterprise. They affect the motivation, commitment, collaboration, and performance of people, as well as the trust and reputation of the enterprise. Culture, ethics and behavior are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The COBIT performance model is integrated into the COBIT core model. The COBIT core model consists of two main elements: the governance and management objectives (which define what needs to be achieved) and the performance model (which defines how well it needs to be achieved). The performance model is based on existing maturity and capability models (such as ISO/IEC 15504) and provides a common language to measure and communicate performance. The performance model consists of six levels (from 0 to 5) that describe the increasing degree of capability for each governance or management objective.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs. COBIT is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. COBIT design factors are characteristics or aspects of an enterprise that influence the design and implementation of a governance system. They include factors such as enterprise size, industry sector, risk profile, regulatory environment, sourcing model, etc. The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs by providing guidance on how to customize and adapt the COBIT components (such as processes, practices, goals, metrics, etc.) based on the design factors.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The board of directors is the highest-level governance body in an enterprise that provides strategic direction, oversight, guidance, and approval for information and technology governance. The board of directors is accountable for monitoring the performance of the execution of an EGIT implementation program plan against success metrics and adjusting long-term targets when necessary. This means that the board of directors is responsible for ensuring that the EGIT implementation program plan is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives, and that it delivers the expected value and benefits to the enterprise and its stakeholders. The board of directors is also responsible for reviewing the progress and outcomes of the EGIT implementation program plan on a regular basis, using predefined success metrics such as key performance indicators (KPIs), key goal indicators (KGIs), key risk indicators (KRIs), etc., to measure the achievement of the program objectives and goals. The board of directors is also responsible for adjusting the long-term targets of the EGIT implementation program plan when necessary, based on the changing business needs, environment, risks, opportunities, etc., and ensuring that the program remains relevant and effective.References: : COBIT 2019 Implementation Guide: page 37-38 : COBIT 2019 Framework: Governance and Management Objectives: page 19-20