COBIT-2019 Questions and Answers

 The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas processes practices roles structures,and metrics. The enterprise strategy archetype that is focused on increasing revenues is growth/acquisition. Growth/acquisition is a strategy archetype that emphasizes expanding market share revenue customer base or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investmentsand initiatives that support business growth or acquisition objectives. Portfolio management involves selecting prioritizing balancing monitoring evaluating,and optimizing informationand technology investmentsand initiatives based on their alignment with business strategy value delivery potential risk exposure resource availability interdependencies etc.Portfolio management also involves ensuring that informationand technology investmentsand initiatives are integrated with business processes systems structures culture etc especially in case of mergers or acquisitions.5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

 According to the COBIT 2019 Framework: Governance and Management Objectives, one of the good practices with regard to performance management of organizational structures is to ensure that organizational meeting reports/minutes are available and meaningful to ensure transparency. This means that the outcomes and decisions of the meetings are documented and communicated to relevant stakeholders in a timely manner, and that they provide sufficient information to support accountability and learning. Transparency is one of the key principles of effective governance of enterprise I&T.4, p. 32-33 References: 4: COBIT 2019 Framework: Governance and Management Objectives

The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access use disclosure modification destruction or disruption. When tailoring a governance system for an enterprise what would be the most appropriate level of threat landscape for an enterprise in the health care sector is high. The health care sector is a sector that provides health care services such as diagnosis treatment prevention rehabilitation etc., to individuals or populations. The health care sector has a high level of threat landscape compared to other sectors such as manufacturing or retail which have lower levels of threat landscape. This is because the health care sector handles sensitive personal data such as medical records health insurance information patient identifiers etc., that are subject to strict privacy and security regulations such as HIPAA GDPR etc., as well as ethical and legal obligations. The health care sector also relies on critical information and technology systems such as electronic health records telemedicine devices medical devices etc., that are essential for delivering quality health care services to patients. The health care sector faces various types of threats such as cyberattacks data breaches identity theft ransomware malware phishing social engineering natural disasters human errors etc., that could compromise its information and technology assets resulting in financial losses reputational damage legal liabilities regulatory penalties patient harm etc. Therefore when tailoring a governance system for an enterprise in the health care sector it is important to consider a high level of threat landscape and design a governance system that can effectively manage the potential impacts of threats on its information and technology assets5 References: 5: COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Design Guide: page 47-48

A tailored enterprise governance system is a governance system that is customized to suit the specific needs and context of an enterprise. A sourcing model for information and technology is one of the design factors that influence the design and implementation of a tailored governance system. A sourcing model describes how the enterprise obtains and delivers I&T services, such as in-house, outsourced, cloud-based, etc. The sourcing model affects the governance objectives, components, and enablers that are relevant and applicable for the enterprise.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience and a thorough understanding of the entire enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. Examples of stakeholders are board members, executives, managers, employees, customers, suppliers, regulators, etc. To gain the greatest benefit from the COBIT framework, a stakeholder should have a certain level of experience in I&T governance or management practices, as well as a thorough understanding of the entire enterprise’s vision, mission, values, goals, objectives, strategies, processes, culture, etc. This would help them to apply the COBIT framework effectively and efficiently to their specific context and needs.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Stakeholder Needs]

The value generated from the use of I&T reflects a balance among benefits, risk and resources. This is based on the principle of balance, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Value generation is not only about maximizing financial benefits or minimizing costs or risks, but also about optimizing them in relation to the expected outcomes7. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 7: COBIT 2019 Framework: Governance and Management Objectives, page 19

 One of the benefits derived from the use of COBIT is that it helps to ensure compliance with applicable rules and regulations. This benefit is primarily associated with an external stakeholder, such as a regulator, auditor, customer, or partner, who expects the enterprise to adhere to certain standards and requirements. COBIT provides guidance on how to align the governance and management of enterprise IT with relevant laws, regulations, and contractual obligations12. COBIT also helps to establish and maintain a compliance culture and program within the enterprise3. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 17 2: COBIT 2019 Framework: Governance and Management Objectives, page 19 3: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 77

 An enterprise will often fail to realize implementation commitments during the execution of an EGIT implementation program plan if it focuses on enabling IT value over business value. IT value is the contribution of IT to achieving enterprise objectives, while business value is the overall benefit that the enterprise derives from its use of information and technology. Focusing on IT value over business value may result in a disconnect between IT and business stakeholders, a lack of alignment between IT goals and business strategy, or a failure to deliver expected benefits or outcomes. Therefore, it is important to balance both IT value and business value when implementing a governance system. The answer is based on the COBIT 2019 Implementation Guide3, page 38. References: 3: COBIT 2019 Implementation Guide | Digital | English

 A key consideration when finalizing a governance system design with competing priorities is that the enterprise should be prepared to deviate from previously identified priorities with justified reasons. According to the COBIT 2019 Design Guide, competing priorities are one of the common challenges that enterprises face when designing a governance system. Competing priorities may arise from different stakeholder expectations, requirements, preferences, perspectives, or interests. The COBIT 2019 Design Guide recommends that enterprises use a structured approach to resolve competing priorities, such as the COBIT 2019 Governance System Design Workflow. The workflow helps enterprises to identify and prioritize their improvement opportunities based on a gap analysis between their current and desired states of governance. However, the workflow also allows enterprises to adjust their priorities as needed during the design process, as long as they provide clear and rational reasons for doing so. For example, enterprises may deviate from their initial priorities due to changes in the business environment, stakeholder feedback, new insights, or emerging issues. The deviation from previously identified priorities should be documented and communicated to all relevant stakeholders to ensure transparency and alignment. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 32 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 34

 According to the COBIT 2019 Framework: Introduction and Methodology, a maturity level is a performance measure that is used to assess a specific focus area. A focus area is a topic that is relevant for governance and management of enterprise information and technology (I&T), such as cybersecurity, privacy or digital transformation. A maturity level indicates the extent to which a focus area is implemented and integrated in the enterprise’s governance system. There are six maturity levels defined in COBIT 2019, ranging from 0 (incomplete) to 5 (optimized).3, p. 77-78 References: 3: COBIT 2019 Framework: Introduction and Methodology

An enterprise that has been consistently growing over the years and has decided to adapt the COBIT framework from the growth perspective of the balanced scorecard dimensions should select product and business innovation as one of its most relevant enterprise goals. The balanced scorecard is a tool that translates strategic objectives into four dimensions: financial, customer, internal, and growth. The growth dimension focuses on how the enterprise can create new products or services, enter new markets, or improve its processes or capabilities to achieve long-term success. Product and business innovation is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to enhancing customer satisfaction and loyalty by providing innovative solutions that meet their needs and expectations. The answer is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

 As explained in the previous question, the success metrics for the EGIT continual improvement program are identified and defined in the third stage of the EGIT implementation life cycle, which is developing the EGIT implementation program plan. Therefore, the correct answer is D. The other options are incorrect because they refer to different stages of the EGIT implementation life cycle that do not involve defining the success metrics. Option A refers to the second stage, which is defining the EGIT implementation road map. This stage involves identifying and prioritizing the improvement opportunities based on a gap analysis between the current and desired states of EGIT. Option B refers to the fourth stage, which is executing the EGIT implementation program plan. This stage involves implementing the improvement actions according to the plan, monitoring and controlling the progress and outcomes, and reporting on the results. Option C refers to the first stage, which is initiating an EGIT program. This stage involves establishing a clear vision and scope for the EGIT program, obtaining senior management commitment and sponsorship, and setting up a governance structure for the program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 28 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 43 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 24 

 In most cases, management of the enterprise is the responsibility of the executive management team. The executive management team consists of senior managers who are accountable for implementing the strategies and policies set by the board or other governing body. They are also responsible for planning, organizing, directing, controlling, and reporting on the enterprise’s operations3. The executive management team may delegate some of their management responsibilities to other managers or staff, but they remain ultimately accountable for the outcomes4. References: 3: COBIT 2019 Framework: Introduction and Methodology, page 28 4: COBIT 2019 Framework: Governance and Management Objectives, page 21

The function of a mapping table when determining the initial scope of a new governance system is to indicate the relevance of a governance or management objective with a particular design factor. A mapping table is a tool that helps to identify and prioritize the governance and management objectives that are most applicable and important for the enterprise, based on its specific characteristics and context. A design factor is one of the characteristics of the enterprise that influence the design and operation of a governance system, such as size, industry, culture, strategy, etc. A mapping table shows the degree of relevance of each governance and management objective with each design factor, using a scale from 0 (not relevant) to 5 (very relevant). The function is based on the COBIT 2019 Design Guide, page 23. References: : COBIT 2019 Design Guide | Digital | English

The enterprise goal of compliance with external laws and regulations is aligned to the financial dimension of the balanced scorecard (BSC). The BSC is a strategic performance management tool that helps enterprises to translate their vision and strategy into operational objectives and measures. The BSC consists of four dimensions: financial, customer, internal, and growth. The financial dimension focuses on the financial performance and value creation of the enterprise. Compliance with external laws and regulations is one of the 17 generic enterprise goals defined by COBIT that supports the financial dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The process practices that include inputs and outputs comprise the information flow component of a governance system. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance system consists of seven components: governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), governance outcomes (such as value creation, risk optimization, resource optimization, etc.), information flow (the exchange of information among components), culture (the shared values, beliefs, norms, and attitudes), ethical behavior (the conduct that conforms to moral principles), stakeholder needs (the requirements or expectations of internal or external stakeholders). The information flow component comprises the process practices that include inputs and outputs thatenable the exchange of information among components.14 References: COBIT 2019Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The IT balanced scorecard (BSC) is a tool that helps to measure and communicate the achievement of IT goals in relation to enterprise goals, using four dimensions: financial, customer, internal, and learning and growth. The alignment goal titled “Enabling and supporting business processes by integrating applications and technology” is aligned to the internal dimension of the IT BSC, as it relates to the efficiency and effectiveness of IT processes that support business processes2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

The alignment goal titled “Security of information, processing infrastructure and privacy” is part of the internal dimension of the IT BSC, as it relates to the protection of IT assets and information from unauthorized access, use, disclosure, modification, or destruction2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

 An actionable strategy and governance system enables an enterprise to maximize value from the use of I&T by providing direction, alignment, oversight, and performance measurement. A strategy defines the enterprise’s vision, mission, goals, and objectives, and how I&T can support them. A governance system ensures that the strategy is implemented effectively and efficiently, and that the outcomes are monitored and evaluated. COBIT provides a comprehensive governance system for enterprise I&T that covers all aspects of governance, management, and enablers.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The process ‘Ensured Stakeholder Engagement’ (EDM04) is one of the governance processes in COBIT 2019 that involves establishing transparent communication with stakeholders about their needs and expectations from information and technology governance. This process also involves ensuring stakeholder involvement in governance decision making and monitoring stakeholder satisfaction with governance outcomes. One of the roles that is best suited for this responsibility is the board and executive management, who are the highest-level governance body and decision makers in an enterprise. The board and executive management have a duty to ensure that they understand the needs and expectations of various stakeholders such as shareholders, regulators, customers, employees, suppliers, etc., and that they communicate effectively with them about the enterprise’s strategy, objectives, performance, risks, issues, opportunities, etc., related to information and technology governance. The board and executive management also have a responsibility to involve stakeholders in governance decision making by soliciting their input, feedback, opinions, suggestions, etc., and by considering their interests and perspectives when making governance choices. The board and executive management also have a role in monitoring stakeholder satisfaction with governance outcomes by measuring stakeholder value realization from information and technology investments and initiatives.

 An IT implementation method design factor is a characteristic that influences how an enterprise implements IT solutions and services. DevOps is an IT implementation method that focuses on software building, deployment and operations, by integrating development and operations teams to improve collaboration and productivity1, p. 31. References: 1: COBIT 2019 Framework: Introduction and Methodology

The organizational structures component of the governance system are the key decision-making entities in an enterprise. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be formal or informal, hierarchical or flat, centralized or decentralized, etc. Organizational structures can include entities such as board, executive management, committees, forums, teams, units, etc. The organizational structures component of the governance system are the key decision-making entities in an enterprise by providing authority, accountability, direction, oversight, evaluation, etc., for information and technology.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The number of business processing hours lost due to unplanned service interruptions would be an appropriate metric associated with an enterprise goal of business service continuity and availability. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. Business service continuity and availability is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that critical business services are delivered at agreed levels and are resilient to disruptions. The number of business processing hours lost due to unplanned service interruptions is a metric that reflects how well this outcome is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The role of IT design factor describes how IT supports the enterprise strategy and objectives. Turnaround is a role of IT that is viewed as a driver for business process and service innovation, by enabling new ways of doing business, creating new sources of revenue, and enhancing customer satisfaction1, p. 29. References: 1: COBIT 2019 Framework: Introduction and Methodology

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework. A governance framework is a conceptual model or structure that defines the key elements, relationships, and principles of a governance system. A proper governance framework should follow certain principles or guidelines that ensure its effectiveness, efficiency, and alignment with the enterprise goals and objectives. The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework because it helps to ensure that the governance system can adapt to changes in the internal or external environment, stakeholder needs, business objectives, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Time-to-market is a market factor that is directly related to the enterprise goal of portfolio of competitive products and services. Time-to-market is the measure of how quickly an enterprise can deliver new or improved products or services to its customers. It affects the competitiveness, profitability, and customer satisfaction of the enterprise. Portfolio of competitive products and services is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of providingproducts or services that meet customer needs and expectations, and that are superior to those offered by competitors.13 References: COBIT 2019 Framework:Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The primary purpose of implementing an enterprise governance of information and technology (EGIT) system is to deliver stakeholder value from I&T-enabled investments. An EGIT system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. An I&T-enabled investment is any initiative or project that involves the use of information and technology to create value for the enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. The primary purpose of implementing an EGIT system is to deliver stakeholder value from I&T-enabled investments by ensuring that they align with the enterprise strategy and objectives, optimize risks and resources, achieve expected benefits and outcomes, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The management of the IT function is the function that leads and manages the information and technology function in an enterprise, as well as supports and enables the information and technology governance. The management of the IT function includes roles such as CIO, IT managers, IT process owners, IT service owners, etc. The management of the IT function is responsible for resolving conflicting priorities in order to finalize the governance system design. The governance system design is the process of designing and implementing a governance system for an enterprise using COBIT 2019. The governance system design involves tailoring the COBIT 2019 components such as principles, enablers, goals, processes, practices, roles, structures, metrics etc., according to the enterprise’s context and needs. The governance system design also involves considering various design factors such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc., that influence how an enterprise designs and implements its governance system using COBIT 2019. By resolving conflicting priorities in order to finalize the governance system design, the management of the IT function ensures that the governance system is appropriate for the enterprise’s strategy objectives performance risks issues opportunities etc., that it delivers value and benefits to the enterprise and its stakeholders that it aligns with the relevant standards guidelines regulations best practices etc., that it meets stakeholder requirements and expectations etc34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 33-48

 A process can meet a higher capability level if all activities of that level are successfully performed, in addition to the activities of lower levels. The capabilitylevels range from 0 (incomplete) to 5 (optimizing), and each level has a set of generic attributes that describe the expected performance of the process activities2, p. 30. References: 2: COBIT 2019 Framework: Introduction and Methodology

The risk profile is a design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. When tailoring COBIT 2019 to enterprise requirements, the primary objective of preparing a risk profile is to identify areas of risk that exceed risk appetite. The risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. The risk appetite provides a basis for defining the risk criteria, thresholds, indicators, and responses that will be used in the risk profile process. By identifying areas of risk that exceed risk appetite, an enterprise can prioritize its governance objectives, processes, practices, roles, structures, and metrics according to the level of risk exposure and impact. This will also help to align the governance framework with the enterprise’s strategy and objectives.

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

 When tailoring the COBIT organization structure to organizational context and priorities, the next step after mapping organizational structures with specific responsibility or accountability is to add two levels of involvement for consulted and informed. This step helps to identify the stakeholders who need to be involved in the decision-making process, either by providing input or feedback (consulted), or by being notified of the outcomes or actions (informed). This step is based on the COBIT 2019 Implementation Guide2, page 46. References: 2: COBIT 2019 Implementation Guide | Digital | English

The EGIT implementation life cycle consists of four stages: initiating an EGIT program, defining the EGIT implementation road map, developing the EGIT implementation program plan, and executing the EGIT implementation program plan. The third stage, developing the EGIT implementation program plan, involves identifying and defining the success metrics for the EGIT continual improvement program. These metrics should be aligned with the enterprise goals and objectives, and should measure the performance and outcomes of the EGIT processes and practices. The success metrics should also be SMART (specific, measurable, achievable, relevant, and time-bound), and should be communicated to all stakeholders involved in the EGIT program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 26 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 41 

The different levels of involvement associated with roles and organizational structure are primarily divided into responsibility and accountability levels. Responsibility and accountability are two key concepts that define the degree of involvement and authority that a role has in performing a task or process. Responsibility means performing or overseeing a task or process, while accountability means being answerable for the outcome or result of a task or process. COBIT uses a RACI chart to assign different levels of responsibility and accountability to roles and organizational structures for each governance and management objective.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 The responsible ® role fulfills the practice and creates the intended outcome within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The responsible ® role means performing or overseeing a task or process. There can be more than one responsible role for each task or process, but they must be coordinated by the accountable role. The responsible role fulfills the practice and creates the intended outcome by executing or supervising the process activities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 The COBIT framework is designed to meet the I&T goals for the entire enterprise. The COBIT framework is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. The COBIT framework consists of four core publications: COBIT 2019 Framework: Introduction and Methodology; COBIT 2019 Framework: Governance System; COBIT 2019 Framework: Governance and Management Objectives; COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. The COBIT framework is designed to meet the I&T goals for the entire enterprise by providing a holistic approach that covers all aspects of I&T governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

IT-related issues should be considered as part of the design factors for a governance system in order to manage risks that have a high impact. Design factors are the characteristics of the enterprise that influence the design and operation of a governance system, such as size, industry, culture, strategy, etc. IT-related issues are one of the 11 design factors defined in COBIT 2019, and they refer to the specific challenges or opportunities that arise from the use of information and technology in the enterprise, such as cybersecurity, digital transformation, innovation, etc. These issues may pose significant risks to the enterprise’s objectives, performance, or reputation, and therefore need to be addressed by the governance system. The answer is based on the COBIT 2019 Design Guide1, page 15. References: 1: COBIT 2019 Design Guide | Digital | English.

 The Build, Acquire and Implement (BAI) domain deals with the definition of IT solutions and their integration in business processes. This domain covers the activities related to identifying, developing, acquiring, implementing, testing, integrating, and deploying IT solutions that meet business requirements. The BAI domain consists of 10 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The investment justification element of a business case best enables senior leadership to assess the future success of the IT governance program. A business case is a document that provides the rationale and evidence for initiating, continuing, or terminating a project or program. A business case typically consists of several elements, such as problem statement, objectives, scope, benefits, costs, risks, assumptions, etc. The investment justification element of a business case describes how the project or program aligns with the enterprise strategy and objectives, how it supports the value creation process, how it compares with alternative options, and how it provides a positive return on investment (ROI). The investment justification element enables senior leadership to assess the future success of the IT governance program by showing how it contributes to the enterprise goals and delivers value to the stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 The focus areas are specific governance topics that are relevant for an enterprise based on its context, needs, and objectives. The focus areas provide guidance on how to apply the COBIT 2019 framework to address specific issues or challenges related to information and technology governance. The focus areas also help to tailor the COBIT 2019 framework to suit the enterprise’s specific governance system design. Therefore, when an enterprise is designing a specific governance system that is using diverse technology deployments with multiple domains of business operations, the expected deliverable when tailoring the COBIT 2019 framework is the focus area guidance. The focus area guidance will help the enterprise to select and prioritize the relevant focus areas that match its governance needs and objectives, and to customize the COBIT 2019 components such as principles, enablers, goals, processes, practices, etc., according to the focus area requirements12 References: 1: COBIT 2019 Design Guide, page 51-52 2: COBIT 2019 Framework: Introduction and Methodology, page 27-28

Selecting an implementation method is the final action before completing the design of an IT governance system. An IT governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. The design of an IT governance system involves several steps or actions that help to customize and tailor the system to the specific needs and context of the enterprise. These steps or actions include defining design factors, defining focus areas, defining current state, defining target state, identifying gaps and improvement opportunities, defining roadmap and priorities, etc. Selecting an implementation method is the final action before completing the design of an IT governance system because it helps to determine how the system will be put into practice, what resources and activities are needed, what challenges and risks are expected, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 A primary consideration when addressing new issues within a flexible and open framework is maintaining integrity and consistency. This means that “the framework should be internally consistent; not contain contradictions or ambiguities; be complete in covering all relevant aspects of enterprise governance of I&T; and be coherent in its structure, terminology and presentation” 6. Maintaining integrity and consistency ensures that the framework is reliable, clear, and easy to use for all stakeholders7. References: 6: COBIT 2019 Framework: Introduction and Methodology, page 25 7: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 13

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.

The initiatives that should be scheduled for completion first when prioritizing improvement initiatives are the ones that are easiest to achieve and will garner business benefits. This approach helps to create quick wins and demonstrate value to the stakeholders, as well as to build momentum and confidence for further improvement efforts. The initiatives should also be aligned with the enterprise’s strategic objectives, risk appetite, and resource constraints. The approach is based on the COBIT 2019 Implementation Guide2, page 37. References: 2: COBIT 2019 Implementation Guide | Digital | English

 After IT department goals have been aligned with enterprise goals, the next step is to link the alignment goals with governance and management objectives. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Alignment goals are derived from the enterprise goals, which reflect the stakeholder drivers and needs. Governance and management objectives are derived from the alignment goals, which reflect how information and technology can support the enterprise strategy and objectives.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The IT design factor is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six IT design factors defined in COBIT 2019: strategic; operational; data-driven; compliance-driven; innovation-driven; customer intimacy-driven. Each design factor has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. When considering the role of IT design factor, and the design factor value is strategic, one of the management objectives that should be a priority is managed innovation (APO04), which involves identifying new opportunities for using information and technology to create value for the enterprise. This management objective supports the strategic role of IT in enabling business transformation, differentiation, competitiveness, growth, and sustainability. This management objective also involves establishing an innovation culture and process that encourages creativity, experimentation, collaboration, learning, and improvement5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 57-59

In the COBIT framework, adapting components with related documentation, including inputs and outputs, is primarily associated with "Process activities." Each governance and management objective within COBIT is supported by detailed processes that encompass specific activities. These activities are meticulously documented, outlining the necessary inputs required to execute them and the expected outputs resulting from their execution.

Process Activities:These are detailed tasks or actions within a process designed to achieve a specific purpose. For each activity, COBIT provides comprehensive documentation that includes:

Inputs:Resources, information, or prerequisites needed to perform the activity.

Outputs:The results, deliverables, or outcomes produced by the activity.

This structured documentation ensures that enterprises can effectively implement and tailor COBIT processes to align with their unique requirements. By referring to process activities, organizations gain access to the necessary guidance on what is needed to perform each task and what should be achieved upon its completion.

Option A, "Process practices," refers to broader guidelines or best practices for processes but does not provide the granular level of detail concerning specific inputs and outputs.

Option B, "Goals and metrics," pertains to the objectives and performance indicators used to measure success and effectiveness, rather than the detailed documentation of process execution.

Therefore, for enterprises aiming to adapt COBIT components with detailed documentation on inputs and outputs, "Process activities" serve as the most pertinent reference.

The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs. COBIT is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. COBIT design factors are characteristics or aspects of an enterprise that influence the design and implementation of a governance system. They include factors such as enterprise size, industry sector, risk profile, regulatory environment, sourcing model, etc. The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs by providing guidance on how to customize and adapt the COBIT components (such as processes, practices, goals, metrics, etc.) based on the design factors.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six strategy archetypes defined in COBIT 2019: customer intimacy, product leadership, operational excellence, compliance-driven, data-driven, and innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The best approach when determining which strategy archetype most closely aligns with an enterprise’s own strategy is to select the one that reflects the enterprise’s information and technology risk profile, which is another design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. By selecting the strategy archetype that matches the risk profile, an enterprise can ensure that its governance framework is appropriate for its context and objectives5 References: 5: COBIT 2019 Design Guide, page 35-39 : COBIT 2019 Design Guide, page 41-43

 The COBIT principle that addresses the need to consider how changes in technology or strategy impact the enterprise governance system as a whole is that a governance system should be dynamic. This principle states that “a governance system should be responsive to changing stakeholder needs, conditions and options; adaptable to changing circumstances; able to learn from experience; and innovative in supporting continual improvement” 4. A dynamic governance system can anticipate and respond to changes in the internal and external environment, such as new technologies, business models, risks, or opportunities5. References: 4: COBIT 2019 Framework: Introduction and Methodology, page 23 5: COBIT 2019 Framework: Governance and Management Objectives, page 20

Stakeholder drivers and needs must be defined before determining alignment goals. Stakeholder drivers and needs are the requirements or expectations of the internal or external stakeholders of the enterprise, such as customers, employees, shareholders, regulators, etc. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Alignment goals are derived from the stakeholder drivers and needs, and they reflect how information and technology can support the enterprise strategy and objectives. Therefore, stakeholder drivers and needs must be defined before alignment goals can be determined.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The alignment goal titled “Delivery of IT services in line with business requirements” is most likely to be associated with the metric “percent of IT services with defined operational costs and expected benefits”. This metric measures the extent to which IT services are aligned with business needs and expectations, and deliver value for money. The alignment goal is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. The alignment goal is based on the COBIT 2019 Framework4, page 36. References: 4: COBIT 2019 Framework | Digital | English