Isaca COBIT-2019 COBIT 2019 Foundation Exam Practice Test

The best way to determine whether IT governance is achieving intended outcomes one year after implementation is to evaluate performance measurements identified in the business case. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and specifies the key performance indicators (KPIs) and target values that will be used to measure and monitor the outcomes. By comparing the actual performance results with the expected results, the enterprise can assess the effectiveness and efficiency of IT governance and identify any gaps or issues that need to be addressed. The way is based on the COBIT 2019 Implementation Guide1, page 32. References: 1: COBIT 2019 Implementation Guide | Digital | English

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

The desired outcome of an EGIT implementation program plan is to ensure that the EGIT projects are aligned with the enterprise’s strategy, objectives, and stakeholder needs, and that they deliver value and benefits to the enterprise. One of the key steps in achieving this outcome is to transition the EGIT projects into the enterprise’s normal development life cycle, which involves ensuring that the projects are integrated with the existing processes, systems, and governance structures, and that they are monitored and controlled for quality, performance, and risk. This will also facilitate the continuous improvement and adaptation of the EGIT projects to changing business needs and environment12 References: 1: COBIT 2019 Implementation Guide, page 49-50 2: COBIT 2019 Design Guide, page 67-68

An example of a governance system component is the compliance regulations applicable to the enterprise. The governance system components are the elements that constitute a governance system for an enterprise using COBIT 2019. The governance system components include principles enablers goals processes practices roles structures metrics etc., that enable an enterprise to govern and manage its information and technology activities effectively efficiently reliably securely etc. The compliance regulations are the laws regulations standards guidelines contracts or agreements that govern the information and technology activities of an enterprise. The compliance regulations influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance regulations as a governance system component an enterprise can ensure that its governance system is appropriate for its context and objectives that it can effectively manage the potential impacts of non-compliance on its reputation performance value stakeholder trust etc., that it can align its information and technology activities with the relevant standards guidelines regulations best practices etc., that it can meet stakeholder requirements expectations etc., 5 References: 5: COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Framework: Governance System Components: page 27-28

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

 A primary consideration when addressing new issues within a flexible and open framework is maintaining integrity and consistency. This means that “the framework should be internally consistent; not contain contradictions or ambiguities; be complete in covering all relevant aspects of enterprise governance of I&T; and be coherent in its structure, terminology and presentation” 6. Maintaining integrity and consistency ensures that the framework is reliable, clear, and easy to use for all stakeholders7. References: 6: COBIT 2019 Framework: Introduction and Methodology, page 25 7: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, page 13

The pursuit of continuous improvement is the most essential attribute of the highest process capability level (Level 5). A process capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A process capability level can range from 0 (incomplete) to 5 (optimizing). Level 5 (optimizing) means that the process continuously improves its performance through both incremental and innovative improvements. The pursuit of continuous improvement is the most essential attribute of Level 5, as it implies that the process is constantly monitored, evaluated, learned from, and enhanced.14 References: CMMI for Development, Version 1.3, CMMI Institute - Capability Maturity Model Integration

The IT governance implementation approach that should be utilized in order to achieve maximum enterprise benefits is treating implementation as a program. A program is a coordinated set of projects and activities that are designed to achieve a specific set of objectives within a defined scope, time frame, and budget. Treating implementation as a program helps to ensure that IT governance is planned, executed, monitored, controlled, and evaluated in a systematic and consistent manner, following best practices and standards. The approach is based on the COBIT 2019 Implementation Guide5, page 29. References: 5: COBIT 2019 Implementation Guide | Digital | English

 In most cases, management of the enterprise is the responsibility of the executive management team. The executive management team consists of senior managers who are accountable for implementing the strategies and policies set by the board or other governing body. They are also responsible for planning, organizing, directing, controlling, and reporting on the enterprise’s operations3. The executive management team may delegate some of their management responsibilities to other managers or staff, but they remain ultimately accountable for the outcomes4. References: 3: COBIT 2019 Framework: Introduction and Methodology, page 28 4: COBIT 2019 Framework: Governance and Management Objectives, page 21

The Deliver, Service and Support (DSS) domain incorporates managed business process controls as one of its management objectives. The DSS domain covers the activities related to delivering IT services to internal and external customers, supporting IT operations and users, managing service requests, incidents, problems, continuity, security, availability, capacity, etc. The DSS domain consists of 6 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide, page 67-69

 The most likely underlying cause for an enterprise not having success implementing IT governance because key staff are not participating in planning meetings is lack of senior leadership commitment. Senior leadership commitment is essential for ensuring that IT governance is aligned with the enterprise’s vision, mission, values, and goals, and that it receives adequate resources, support, and oversight. Without senior leadership commitment, IT governance may face resistance, confusion, or indifference from key stakeholders, resulting in poor implementation outcomes. The cause is based on the COBIT 2019 Implementation Guide4, page 25. References: 4: COBIT 2019 Implementation Guide | Digital | English

Stakeholder drivers and needs must be defined before determining alignment goals. Stakeholder drivers and needs are the requirements or expectations of the internal or external stakeholders of the enterprise, such as customers, employees, shareholders, regulators, etc. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Alignment goals are derived from the stakeholder drivers and needs, and they reflect how information and technology can support the enterprise strategy and objectives. Therefore, stakeholder drivers and needs must be defined before alignment goals can be determined.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access use disclosure modification destruction or disruption. When tailoring a governance system for an enterprise what would be the most appropriate level of threat landscape for an enterprise in the health care sector is high. The health care sector is a sector that provides health care services such as diagnosis treatment prevention rehabilitation etc., to individuals or populations. The health care sector has a high level of threat landscape compared to other sectors such as manufacturing or retail which have lower levels of threat landscape. This is because the health care sector handles sensitive personal data such as medical records health insurance information patient identifiers etc., that are subject to strict privacy and security regulations such as HIPAA GDPR etc., as well as ethical and legal obligations. The health care sector also relies on critical information and technology systems such as electronic health records telemedicine devices medical devices etc., that are essential for delivering quality health care services to patients. The health care sector faces various types of threats such as cyberattacks data breaches identity theft ransomware malware phishing social engineering natural disasters human errors etc., that could compromise its information and technology assets resulting in financial losses reputational damage legal liabilities regulatory penalties patient harm etc. Therefore when tailoring a governance system for an enterprise in the health care sector it is important to consider a high level of threat landscape and design a governance system that can effectively manage the potential impacts of threats on its information and technology assets5 References: 5: COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Design Guide: page 47-48

The risk profile is a design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. When tailoring COBIT 2019 to enterprise requirements, the primary objective of preparing a risk profile is to identify areas of risk that exceed risk appetite. The risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. The risk appetite provides a basis for defining the risk criteria, thresholds, indicators, and responses that will be used in the risk profile process. By identifying areas of risk that exceed risk appetite, an enterprise can prioritize its governance objectives, processes, practices, roles, structures, and metrics according to the level of risk exposure and impact. This will also help to align the governance framework with the enterprise’s strategy and objectives.References: : COBIT 2019 Design Guide: page 41-43 : COBIT 2019 Framework: Introduction and Methodology: page 28-29

The internal audit function is an independent and objective assurance and consulting activity that evaluates and improves the effectiveness of governance, risk management, and control processes in an enterprise. The internal audit function has a role in defining the EGIT target state, which is the desired state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. The role of the internal audit function in this process is to provide advice and assist with target-state positioning and gap priorities. This means that the internal audit function can help to identify the current state of information and technology governance in an enterprise, assess the gaps and issues that need to be addressed, determine the target state of information and technology governance that is optimal for the enterprise, and prioritize the actions and initiatives that are required to achieve the target state. The internal audit function can also provide assurance on the design and implementation of the EGIT target state by evaluating its adequacy, effectiveness, efficiency, and compliance.References: : COBIT 2019 Implementation Guide, page 51-52 : COBIT 2019 Framework: Introduction and Methodology, page 30-31

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework. A governance framework is a conceptual model or structure that defines the key elements, relationships, and principles of a governance system. A proper governance framework should follow certain principles or guidelines that ensure its effectiveness, efficiency, and alignment with the enterprise goals and objectives. The principle that the governance framework should allow for flexibility in addressing new issues is an important principle of a proper governance framework because it helps to ensure that the governance system can adapt to changes in the internal or external environment, stakeholder needs, business objectives, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The process ‘Ensured Stakeholder Engagement’ (EDM04) is one of the governance processes in COBIT 2019 that involves establishing transparent communication with stakeholders about their needs and expectations from information and technology governance. This process also involves ensuring stakeholder involvement in governance decision making and monitoring stakeholder satisfaction with governance outcomes. One of the roles that is best suited for this responsibility is the board and executive management, who are the highest-level governance body and decision makers in an enterprise. The board and executive management have a duty to ensure that they understand the needs and expectations of various stakeholders such as shareholders, regulators, customers, employees, suppliers, etc., and that they communicate effectively with them about the enterprise’s strategy, objectives, performance, risks, issues, opportunities, etc., related to information and technology governance. The board and executive management also have a responsibility to involve stakeholders in governance decision making by soliciting their input, feedback, opinions, suggestions, etc., and by considering their interests and perspectives when making governance choices. The board and executive management also have a role in monitoring stakeholder satisfaction with governance outcomes by measuring stakeholder value realization from information and technology investments and initiatives.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 25-27 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

 The COBIT framework is designed to meet the I&T goals for the entire enterprise. The COBIT framework is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. The COBIT framework consists of four core publications: COBIT 2019 Framework: Introduction and Methodology; COBIT 2019 Framework: Governance System; COBIT 2019 Framework: Governance and Management Objectives; COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. The COBIT framework is designed to meet the I&T goals for the entire enterprise by providing a holistic approach that covers all aspects of I&T governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 COBIT addresses governance issues by grouping relevant governance components into objectives that can be managed to a required capability level. This is based on the principle of performance, which states that “governance of enterprise I&T should ensure that I&T performance is measured using relevant metrics; transparently communicated to stakeholders; evaluated against targets; and leads to appropriate management actions” . COBIT does not provide a full description of the entire IT environment or define specific governance strategies and processes, but rather provides a generic and flexible framework that can be adapted to different contexts and situations. 

 The transition from traditional waterfall to a more agile approach would impact the implementation method step in the design phase the most. The implementation method is the approach or strategy that is used to put the IT governance system into practice. The design phase is the stage in the IT governance life cycle that involves customizing and tailoring the IT governance system to the specific needs and context of the enterprise. The transition from traditional waterfall to a more agile approach would affect the implementation method step in the design phase because it would require a different way of planning, executing, monitoring, and controlling the IT governance system, as well as a different set of skills, tools, techniques, and practices.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The COBIT principle that addresses the need to consider how changes in technology or strategy impact the enterprise governance system as a whole is that a governance system should be dynamic. This principle states that “a governance system should be responsive to changing stakeholder needs, conditions and options; adaptable to changing circumstances; able to learn from experience; and innovative in supporting continual improvement” 4. A dynamic governance system can anticipate and respond to changes in the internal and external environment, such as new technologies, business models, risks, or opportunities5. References: 4: COBIT 2019 Framework: Introduction and Methodology, page 23 5: COBIT 2019 Framework: Governance and Management Objectives, page 20

Providing clear definition of the processes and required activities facilitates the achievement of different capability levels in COBIT core model. Processes are structured sets of activities that produce outputs or outcomes for achieving specific objectives. Activities are specific tasks or actions that contribute to achieving a process outcome or objective. Processes and activities are defined by their inputs, outputs, roles, responsibilities, controls, etc. Providing clear definition of processes and activities helps to ensure that they are performed consistently, effectively, efficiently, and reliably, which leads to higher capability levels.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The organizational structures component of the governance system are the key decision-making entities in an enterprise. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be formal or informal, hierarchical or flat, centralized or decentralized, etc. Organizational structures can include entities such as board, executive management, committees, forums, teams, units, etc. The organizational structures component of the governance system are the key decision-making entities in an enterprise by providing authority, accountability, direction, oversight, evaluation, etc., for information and technology.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 The percent of stakeholders satisfied with program/project quality would be an appropriate metric to align with a goal of “Delivery of programs on time, on budget, and meeting requirements and quality standards”. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. A goal is a specific target or outcome that an enterprise sets to achieve its vision and mission. Delivery of programs on time, on budget, and meeting requirements and quality standards is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that IT-enabled investments are delivered successfully. The percent of stakeholders satisfied with program/project quality is a metric that reflects how well this goal is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The enterprise goal titled quality of management information is within the customer dimension of the IT balanced scorecard. The customer dimension focuses on how well the enterprise meets the needs and expectations of its customers and stakeholders. Quality of management information is one of the 17 generic enterprise goals defined by COBIT that supports the customer dimension. It describes the desired outcome of providing accurate, timely, relevant, and reliable information to support decision making and performance management.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The high involvement of IT-related roles in organizational structures is a critical requirement when the IT function is strategic and crucial to the success of the business. The IT function is the part of the enterprise that is responsible for planning, delivering, operating, and supporting information and technology services. The IT function can have different levels of strategic importance for the business, depending on the nature, scope, and objectives of the enterprise. When the IT function is strategic and crucial to the success of the business, it means that information and technology are essential for creating value, achieving competitive advantage, enabling innovation, etc. In this case, it is critical to have high involvement of IT-related roles in organizational structures, such as having IT representation at the board level, having clear IT leadership roles and responsibilities, having effective IT governance committees or forums, etc.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The high-level risk analysis is a process that involves identifying, assessing, and prioritizing the information and technology risks that an enterprise faces in relation to its governance system design. The high-level risk analysis helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. The primary benefit of conducting a high-level risk analysis during governance design is to prioritize governance and management objectives. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, and strategy. By conducting a high-level risk analysis, an enterprise can identify the areas of risk that have the most impact on its enterprise goals, and therefore prioritize the governance and management objectives that address those risks. This will also help to align the governance framework with the enterprise’s strategy and objectives12 References: 1: COBIT 2019 Design Guide: page 41-43 2: COBIT 2019 Framework: Introduction and Methodology: page 25-26

 The key program roles are the roles that are responsible for leading, directing, managing, supporting, and executing the EGIT implementation program. The nomination of these roles is a critical step in creating the appropriate governance environment for the program. One of the roles that should be involved in this nomination process is the board and executives, who are the highest-level governance body and decision makers in an enterprise. The board and executives provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. They also ensure that the program is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives. The board and executives also appoint or endorse other key program roles such as the program sponsor, program manager, program steering committee, change champion network, etc.References: : COBIT 2019 Implementation Guide, page 37-38 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

An important component for an enterprise strategy archetype of cost leadership as defined by COBIT 2019 is support for the portfolio management role with an investment office. According to the COBIT 2019 Design Guide, cost leadership is one of the four generic enterprise strategy archetypes that describe how enterprises compete in their markets. Cost leadership means that an enterprise aims to offer the lowest prices for its products or services by minimizing its costs and maximizing its efficiency. One of the design factors that influence the governance system for a cost leadership strategy is the organizational structures. The COBIT 2019 Design Guide suggests that a cost leadership strategy requires a centralized and standardized organizational structure that supports the portfolio management role with an investment office. The portfolio management role is responsible for selecting, prioritizing, and balancing the IT investments that align with the enterprise strategy and objectives. The investment office is a function that assists the portfolio management role by providing financial analysis, reporting, and decision support. The support for the portfolio management role with an investment office helps to ensure that the IT investments are optimized for cost and value. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 48 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 51 

 The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas processes practices roles structures,and metrics. The enterprise strategy archetype that is focused on increasing revenues is growth/acquisition. Growth/acquisition is a strategy archetype that emphasizes expanding market share revenue customer base or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investmentsand initiatives that support business growth or acquisition objectives. Portfolio management involves selecting prioritizing balancing monitoring evaluating,and optimizing informationand technology investmentsand initiatives based on their alignment with business strategy value delivery potential risk exposure resource availability interdependencies etc.Portfolio management also involves ensuring that informationand technology investmentsand initiatives are integrated with business processes systems structures culture etc especially in case of mergers or acquisitions.5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

The role of IT design factor describes how IT supports the enterprise strategy and objectives. Turnaround is a role of IT that is viewed as a driver for business process and service innovation, by enabling new ways of doing business, creating new sources of revenue, and enhancing customer satisfaction1, p. 29. References: 1: COBIT 2019 Framework: Introduction and Methodology

 Business service continuity and availability is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to ensuring that critical business processes and information are available at a level acceptable to the enterprise in the event of a disruption or disaster, and that recovery plans are in place to restore normal operations as soon as possible. The goal is based on the COBIT 2019 Framework3, page 36. References: 3: COBIT 2019 Framework | Digital | English

The change enablement tasks are the tasks that involve preparing for managing and sustaining the changes that are required for implementing a governance system for an enterprise using COBIT 2019. The change enablement tasks help to ensure that the changes are aligned with the enterprise’s strategy objectives needs expectations etc., that they deliver value and benefits to the enterprise and its stakeholders that they overcome resistance and barriers to change that they create a culture of continuous improvement etc. One of the key change enablement tasks that must be completed during the driver identification phase of an IT initiative is identify the business and governance drivers. The driver identification phase is the first phase of the governance implementation roadmap which involves identifying and analyzing the internal and external factors that trigger or influence the need for designing and implementing a governance system for an enterprise using COBIT 2019. The business drivers are the factors that relate to the enterprise’s business strategy objectives performance risks issues opportunities etc., such as market conditions customer demands competitive pressures regulatory requirements etc. The governance drivers are the factors that relate to the enterprise’s information and technology governance strategy objectives performance risks issues opportunities etc., such as IT alignment IT value delivery IT risk management IT resource management IT performance measurement etc. By identifying the business and governance drivers during the driver identification phase an enterprise can establish a clear understanding of why it needs to design and implement a governance system using COBIT 2019 what are the expected outcomes benefits value etc., from doing so who are the relevant stakeholders their roles responsibilities requirements expectations etc., how to communicate engage involve them in the change process etc.

The enterprise’s risk profile is the most important enterprise risk management concept to fully understand prior to finalizing the design of an IT governance system. Enterprise risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Enterprise risk management concepts include risk appetite (the amount and type of risk that an enterprise is willing to accept), risk tolerance (the acceptable variation in outcomes related to specific performance measures), risk profile (the overall exposure or level of risk that an enterprise faces), etc. The enterprise’s risk profile is the most important concept to fully understand prior to finalizing the design of an IT governance system because it helps to determine the appropriate level of risk optimization for each governance objective.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The best starting point when translating enterprise goals into actionable governance and management objectives is prioritized enterprise goals. The enterprise goals are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. The enterprise goals are aligned with the stakeholder needs that reflect the expectations and requirements of various internal and external parties that have an interest or stake in the enterprise’s information and technology activities. The prioritized enterprise goals are the subset of enterprise goals that have been ranked according to their importance or urgency for the enterprise based on its context and needs. By starting with prioritized enterprise goals when translating them into actionable governance and management objectives, an enterprise can ensure that it focuses on the most critical aspects of its information and technology governance that support its strategy and objectives. This will also help to align its information and technology activities with its stakeholder needs34 References: 3: COBIT 2019 Framework: Introduction and Methodology: page 25-26 4: COBIT 2019 Design Guide: page 35-36

 The functional task area that is responsible for assessing the potential return on investment (ROI) during future state planning is program management. According to the COBIT 2019 Implementation Guide, program management is one of the key enablers of IT governance and management, and it includes the processes and practices for planning, executing, monitoring, controlling, and closing IT programs and projects. One of the activities of program management is to conduct a business case analysis for each proposed improvement initiative in the future state plan. This analysis involves estimating the costs, benefits, risks, dependencies, assumptions, constraints, success factors, and ROI of each initiative. The analysis helps to prioritize and justify the initiatives based on their expected value to the enterprise. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 38 

 The chief information officer (CIO) ensures the board is kept informed of major decisions related to value delivery of I&T deployment in accordance with the enterprise strategy. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO ensures the board is kept informed of major decisions related to value delivery of I&T deployment by providing regular reports, updates, feedback, recommendations, etc., as well as by participating in board meetings or committees.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

The high-level program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. The high-level program plan provides the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The high-level program plan is an output of the “what needs to be done” phase. The “what needs to be done” phase is the fourth phase of the governance implementation roadmap, which involves defining the target state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. This phase also involves identifying the gaps and issues that need to be addressed to achieve the target state, setting the improvement targets and priorities, developing a detailed business case and a high-level program plan for implementing a governance system using COBIT 2019. By developing a high-level program plan as an output of the “what needs to be done” phase, an enterprise can ensure that it has a clear and realistic roadmap for designing and implementing a governance system using COBIT 2019, that it has defined the expected outcomes, benefits, value, etc., from doing so, that it has considered the relevant risks, costs, resources, etc., involved in doing so, that it has obtained stakeholder buy-in and commitment for doing so, etc.References: : COBIT 2019 Implementation Guide: page 39-40 : COBIT 2019 Implementation Guide: page 41-42

 The figure in option C best illustrates the context of an enterprise governance of information and technology (EGIT) system because it shows how the EGIT system is influenced by the enterprise’s internal and external environment, and how it influences the enterprise’s governance system and IT-related goals. The figure also shows the four EGIT domains: Evaluate, Direct and Monitor (EDM), Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), and Deliver, Service and Support (DSS). The figure is based on the COBIT 2019 Framework1, page 23. References: 1: COBIT 2019 Framework | Digital | English

Enterprise strategy cascades to enterprise goals within the COBIT goals cascade. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Enterprise strategy is the high-level direction and guidance that defines how the enterprise will achieve its vision and mission. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Enterprise strategy cascades to enterprise goals through a process of analysis, prioritization, and validation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

According to the COBIT 2019 Process Assessment Model, one of the prerequisites for determining performance measures for a process improvement initiative is to perform a process risk assessment. A process risk assessment identifies and evaluates the potential threats and opportunities that may affect the achievement of process objectives. A process risk assessment also helps to prioritize improvement actions based on their impact and likelihood.4, p. 11-12 References: 4: COBIT 2019 Process Assessment Model: Using COBIT 2019

The alignment goal titled “Security of information, processing infrastructure and privacy” is part of the internal dimension of the IT BSC, as it relates to the protection of IT assets and information from unauthorized access, use, disclosure, modification, or destruction2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.References: : COBIT 2019 Design Guide: page 33-48 : COBIT 2019 Process Assessment Model: page 11-13

The board of directors is the highest-level governance body in an enterprise that provides strategic direction, oversight, guidance, and approval for information and technology governance. The board of directors is accountable for monitoring the performance of the execution of an EGIT implementation program plan against success metrics and adjusting long-term targets when necessary. This means that the board of directors is responsible for ensuring that the EGIT implementation program plan is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives, and that it delivers the expected value and benefits to the enterprise and its stakeholders. The board of directors is also responsible for reviewing the progress and outcomes of the EGIT implementation program plan on a regular basis, using predefined success metrics such as key performance indicators (KPIs), key goal indicators (KGIs), key risk indicators (KRIs), etc., to measure the achievement of the program objectives and goals. The board of directors is also responsible for adjusting the long-term targets of the EGIT implementation program plan when necessary, based on the changing business needs, environment, risks, opportunities, etc., and ensuring that the program remains relevant and effective.References: : COBIT 2019 Implementation Guide: page 37-38 : COBIT 2019 Framework: Governance and Management Objectives: page 19-20

According to the COBIT 2019 Design Guide, before designing an enterprise IT governance system, an organization should first review and understand the enterprise’s strategy. The enterprise’s strategy defines the vision, mission, goals and objectives of the organization, and provides the direction and context for IT governance. The enterprise’s strategy also identifies the key stakeholders, their needs and expectations, and the value proposition of IT to the business.1, p. 16-17 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The objectives of the Evaluate, Direct and Monitor (EDM) domain are best described by assessing strategic options and guiding senior management on the options chosen. This domain covers the governance activities related to setting direction, monitoring performance, ensuring compliance, and providing feedback to stakeholders. The domain consists of five governance objectives: EDM01 Ensure Governance Framework Setting and Maintenance, EDM02 Ensure Benefits Delivery, EDM03 Ensure Risk Optimization, EDM04 Ensure Resource Optimization, and EDM05 Ensure Stakeholder Transparency. The domain is based on the COBIT 2019 Framework2, page 30. References: 2: COBIT 2019 Framework | Digital | English

 The number of confidentiality incidents causing financial loss, business disruption or public embarrassment would be the best metric to enable an enterprise to evaluate an alignment goal specifically related to security of information and privacy. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. An alignment goal is an intermediate goal that links the enterprise goals with the governance and management objectives. Security of information and privacy is one of the 17 generic alignment goals defined by COBIT that describes how information and technology can support the protection of sensitive information and personal data. The number of confidentiality incidents causing financial loss, business disruption or public embarrassment is a metric that reflects how well this alignment goal is achieved.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. There are four IT implementation methods defined in COBIT 2019: traditional, agile, DevOps, and hybrid. Each method has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The IT implementation method that requires the highest level of participation by users at multiple stages of software development is agile. Agile is an IT implementation method that emphasizes flexibility, adaptability, collaboration, customer satisfaction, and value delivery. One of the characteristics of agile is that it involves frequent and direct interaction with users throughout the software development life cycle, from requirements gathering to testing to deployment. Users are considered as key stakeholders who provide feedback, input, validation, verification, acceptance, and evaluation of the IT solutions. Users are also involved in prioritizing the features and functionalities of the IT solutions based on their needs and expectations. Agile aims to deliver IT solutions that meet user requirements and expectations in a timely and cost-effective manner.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 67-69

The fact that the governance system includes many components that work together in a holistic way best enables a governance system to achieve governance and management objectives. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance objective is a desired outcome of the governance system for information and technology. A management objective is a desired outcome of the management processes for information and technology. The fact that the governance system includes many components that work together in a holistic way best enables a governance system to achieve governance and management objectives by providing a comprehensive and integrated approach that covers all aspects of information and technology governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The value that I&T delivers should be aligned directly with the values on which the business is focused. This is based on the principle of alignment, which states that “governance of enterprise I&T should ensure that I&T-enabled investments are aligned with the enterprise strategy and deliver the expected benefits” . Value delivery is not only about maintaining or increasing value from existing I&T investments, but also about ensuring that new investments support the strategic objectives and stakeholder needs of the enterprise.