COBIT-2019 Exam Dumps - COBIT 2019 Foundation

The enterprise’s risk profile is the most important enterprise risk management concept to fully understand prior to finalizing the design of an IT governance system. Enterprise risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Enterprise risk management concepts include risk appetite (the amount and type of risk that an enterprise is willing to accept), risk tolerance (the acceptable variation in outcomes related to specific performance measures), risk profile (the overall exposure or level of risk that an enterprise faces), etc. The enterprise’s risk profile is the most important concept to fully understand prior to finalizing the design of an IT governance system because it helps to determine the appropriate level of risk optimization for each governance objective.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The primary role of business leadership when defining the future state in a business case is to assess proposed solutions against goals. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and proposes one or more solutions that can deliver the desired outcomes. Business leadership is responsible for evaluating the feasibility, viability, and desirability of each solution, as well as ensuring alignment with the enterprise’s strategic direction and stakeholder expectations. The role is based on the COBIT 2019 Implementation Guide4, page 31. References: 4: COBIT 2019 Implementation Guide | Digital | English

 Processes are key components of a governance system. Processes are the structured sets of activities that produce outputs or outcomes for achieving specific objectives. Processes define what needs to be done, by whom, when, how, and why. Processes are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The business case outline is a document that provides a high-level overview of the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. The business case outline provides the basis for obtaining approval in principle from the stakeholders for initiating the EGIT implementation program. The business case outline is a key input to be considered when defining drivers for a COBIT implementation. The drivers are the internal and external factors that trigger or influence the need for designing and implementing a governance system for an enterprise using COBIT 2019. The drivers include aspects such as business strategy objectives performance risks issues opportunities etc., information and technology strategy objectives performance risks issues opportunities etc., stakeholder needs expectations requirements etc., standards guidelines regulations best practices etc., market conditions competitive pressures customer demands etc., etc. By considering the business case outline when defining drivers for a COBIT implementation an enterprise can ensure that it has a clear understanding of why it needs to design and implement a governance system using COBIT 2019 what are the expected outcomes benefits value etc.,

The industry sector is a design factor that describes the type of business or economic activity that an enterprise engages in. The industry sector influences the governance and management of information and technology in terms of the specific standards, guidelines, regulations, best practices, challenges, opportunities, etc., that are applicable or relevant for that sector. The industry sector that can be characterized by a low level of regulation and a high level of focus on cost is nonprofit enterprises. Nonprofit enterprises are organizations that operate for a social or environmental purpose rather than for profit. Nonprofit enterprises typically have a low level of regulation compared to other sectors such as financial, health care, public, etc., which have more stringent and complex compliance requirements regarding their information and technology activities. Nonprofit enterprises also have a high level of focus on cost, as they have limited resources and funding, and they need to optimize their spending and demonstrate their accountability and transparency to their donors, beneficiaries, partners, etc. Therefore, nonprofit enterprises need to ensure that their information and technology governance system is efficient, effective, and value-driven.References: : COBIT 2019 Design Guide: page 45-46 : COBIT 2019 Framework: Introduction and Methodology: page 33-34

 The Align, Plan and Organize (APO) domain incorporates managed risk as one of its management objectives. The APO domain covers the activities related to aligning IT strategy with business strategy, planning IT resources and capabilities, organizing IT governance structures and processes, managing IT performance, innovation, risk, quality, human resources, security, information, services, etc. The APO domain consists of 13 management objectives that describe the desired outcomes of these activities.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The business case and program plan are essential documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The business case and program plan provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. Therefore, it is important that these documents are realistic and achievable, reflecting the current state and target state of information and technology governance in the enterprise. One of the roles that ensures the business case and program plan are realistic and achievable is the chief information officer (CIO), who is the senior executive responsible for leading and managing the information and technology function in the enterprise. The CIO has a role in developing, reviewing, validating, and approving the business case and program plan, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the business case and program plan to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program34 References: 3: COBIT 2019 Implementation Guide, page 39-40 4: COBIT 2019 Framework: Governance and Management Objectives, page 20-21

 The threat landscape is a design factor that describes the types and levels of threats that an enterprise faces from internal and external sources that could compromise its information and technology assets. The threat landscape helps to determine the level of security and resilience that an enterprise needs to protect its information and technology assets from unauthorized access, use, disclosure, modification, destruction, or disruption. When tailoring a governance system for an enterprise, one of the most important factors to consider for an operating environment with a high compliance requirement is the threat landscape. The compliance requirement is another design factor that describes the extent and nature of laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirement influences the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the threat landscape in relation to the compliance requirement, an enterprise can ensure that its governance system is appropriate for its risk profile and context, and that it can effectively manage the potential impacts of threats on its compliance status34 References: 3: COBIT 2019 Design Guide: page 41-43 4: COBIT 2019 Design Guide: page 47-48

The Goals Cascade model illustrates how enterprise goals cascade to alignment goals and then to governance and management objectives. Each governance or management objective supports the achievement of one or more alignment goals that are related to larger enterprise goals. The alignment goals are derived from the balanced scorecard (BSC) dimensions of financial, customer, internal, and learning and growth1, p. 16. References: 1: COBIT 2019 Framework: Governance and Management Objectives

Providing clear definition of the processes and required activities facilitates the achievement of different capability levels in COBIT core model. Processes are structured sets of activities that produce outputs or outcomes for achieving specific objectives. Activities are specific tasks or actions that contribute to achieving a process outcome or objective. Processes and activities are defined by their inputs, outputs, roles, responsibilities, controls, etc. Providing clear definition of processes and activities helps to ensure that they are performed consistently, effectively, efficiently, and reliably, which leads to higher capability levels.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The management objective APO09 Managed Service Agreements involves ensuring that IT services are delivered in accordance with agreed-upon service levels and costs. This management objective covers the activities of defining, negotiating, establishing, monitoring, reporting, and reviewing service agreements between service providers and service consumers. This management objective is most relevant for an enterprise that plans to outsource all of its noncore IT operations but wants to ensure the proper level of governance, risk and compliance (GRC) controls. By applying this management objective, the enterprise can improve its service governance and management capabilities, ensure alignment of IT services with business strategy and objectives, enhance service performance and outcomes, and increase service consumer satisfaction and value realization. This management objective also involves ensuring that the outsourced IT services comply with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern the information and technology activities of the enterprise, as well as with the enterprise’s policies, procedures, processes, practices, etc. This management objective also involves managing the risks associated with outsourcing IT services such as loss of control, vendor lock-in, quality issues, security breaches, etc.References: : COBIT 2019 Process Reference Guide: Governance and Management Objectives: page 63-65 : COBIT 2019 Implementation Guide: page 49-50

The pursuit of continuous improvement is the most essential attribute of the highest process capability level (Level 5). A process capability level is a measure of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A process capability level can range from 0 (incomplete) to 5 (optimizing). Level 5 (optimizing) means that the process continuously improves its performance through both incremental and innovative improvements. The pursuit of continuous improvement is the most essential attribute of Level 5, as it implies that the process is constantly monitored, evaluated, learned from, and enhanced.14 References: CMMI for Development, Version 1.3, CMMI Institute - Capability Maturity Model Integration

The primary purpose of implementing an enterprise governance of information and technology (EGIT) system is to deliver stakeholder value from I&T-enabled investments. An EGIT system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. An I&T-enabled investment is any initiative or project that involves the use of information and technology to create value for the enterprise. A stakeholder is a person or group that has an interest or concern in an enterprise’s activities or outcomes. The primary purpose of implementing an EGIT system is to deliver stakeholder value from I&T-enabled investments by ensuring that they align with the enterprise strategy and objectives, optimize risks and resources, achieve expected benefits and outcomes, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide, page 67-69

The focus of an enterprise that has a cost leadership strategy design factor is short-term cost minimization. A cost leadership strategy is a competitive strategy that aims to achieve lower costs than competitors by offering standardized products or services at low prices. A cost leadership strategy design factor affects how an enterprise designs its governance system, as it implies a focus on operational efficiency, process automation, economies of scale, outsourcing, etc. An enterprise that has a cost leadership strategy design factor would prioritize short-term cost minimization over long-term cost optimization or medium-term cost equalization.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The enterprise goal titled “Optimization of Business Process Costs” is aligned to the internal dimension of the balanced scorecard (BSC). The internal dimension focuses on the efficiency and effectiveness of the business processes that deliver value to customers and stakeholders. Optimization of business process costs is one of the 17 generic enterprise goals defined by COBIT that supports the internal dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The focus areas are specific governance topics that are relevant for an enterprise based on its context, needs, and objectives. The focus areas provide guidance on how to apply the COBIT 2019 framework to address specific issues or challenges related to information and technology governance. The focus areas also help to tailor the COBIT 2019 framework to suit the enterprise’s specific governance system design. Therefore, when an enterprise is designing a specific governance system that is using diverse technology deployments with multiple domains of business operations, the expected deliverable when tailoring the COBIT 2019 framework is the focus area guidance. The focus area guidance will help the enterprise to select and prioritize the relevant focus areas that match its governance needs and objectives, and to customize the COBIT 2019 components such as principles, enablers, goals, processes, practices, etc., according to the focus area requirements12 References: 1: COBIT 2019 Design Guide, page 51-52 2: COBIT 2019 Framework: Introduction and Methodology, page 27-28

 The responsible ® role fulfills the practice and creates the intended outcome within an organizational structure chart (RACI chart). A RACI chart is a tool that assigns different levels of responsibility, accountability, consultation, and information to roles and organizational structures for each governance and management objective. The responsible ® role means performing or overseeing a task or process. There can be more than one responsible role for each task or process, but they must be coordinated by the accountable role. The responsible role fulfills the practice and creates the intended outcome by executing or supervising the process activities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The management objective that would be given higher priority in an enterprise’s governance system when the enterprise is very risk-averse is managed portfolio. This objective relates to ensuring that IT-enabled investments are aligned with the enterprise’s risk appetite and tolerance levels, and that they deliver optimal value and benefits. This objective also involves managing the portfolio of IT-enabled investments throughout their life cycle, from initiation to retirement. The objective is based on the COBIT 2019 Design Guide3, page 71. References: 3: COBIT 2019 Design Guide | Digital | English

 After IT department goals have been aligned with enterprise goals, the next step is to link the alignment goals with governance and management objectives. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Alignment goals are derived from the enterprise goals, which reflect the stakeholder drivers and needs. Governance and management objectives are derived from the alignment goals, which reflect how information and technology can support the enterprise strategy and objectives.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.References: : COBIT 2019 Design Guide: page 33-48 : COBIT 2019 Process Assessment Model: page 11-13

 The COBIT performance model is integrated into the COBIT core model. The COBIT core model consists of two main elements: the governance and management objectives (which define what needs to be achieved) and the performance model (which defines how well it needs to be achieved). The performance model is based on existing maturity and capability models (such as ISO/IEC 15504) and provides a common language to measure and communicate performance. The performance model consists of six levels (from 0 to 5) that describe the increasing degree of capability for each governance or management objective.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

According to the COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution, one of the most significant drivers to be considered when refining the scope of a new IT governance system during the design phase is cloud versus on-premises services. This driver reflects the different delivery models of I&T services, such as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS) or on-premises solutions. The choice of delivery model has implications for governance objectives, roles, responsibilities, policies, processes, controls, risks and performance measures.5, p. 40-41 References: 5: COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 A due diligence review is a process that involves conducting a comprehensive analysis and assessment of an enterprise’s information and technology assets, capabilities, risks, issues, opportunities, etc., before making a significant decision or transaction. A due diligence review helps to ensure that an enterprise has a clear understanding of the current state and potential impacts of its information and technology activities on its strategy, objectives, performance, value, etc., as well as on its compliance with relevant laws, regulations, standards, guidelines, contracts, or agreements. It is critical to perform a due diligence review following a merger, acquisition, or divestiture event. A merger is an event that involves combining two or more enterprises into one entity. An acquisition is an event that involves one enterprise purchasing another enterprise or its assets. A divestiture is an event that involves one enterprise selling or transferring part of its business or assets to another enterprise. By performing a due diligence review following a merger acquisition or divestiture event an enterprise can ensure that it has identified and addressed any information and technology related risks issues gaps etc., that may arise from the integration or separation of information and technology assets capabilities processes systems structures culture etc., that it has aligned its information and technology governance and management with its new strategy objectives needs expectations etc., that it has optimized its information and technology performance and value delivery etc34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

According to the COBIT 2019 Process Assessment Model, one of the prerequisites for determining performance measures for a process improvement initiative is to perform a process risk assessment. A process risk assessment identifies and evaluates the potential threats and opportunities that may affect the achievement of process objectives. A process risk assessment also helps to prioritize improvement actions based on their impact and likelihood.4, p. 11-12 References: 4: COBIT 2019 Process Assessment Model: Using COBIT 2019

According to the COBIT 2019 Implementation Guide, the best way for senior leadership to communicate its expectations for IT governance prior to commencing a governance implementation plan is to include a scope statement in the business case. The scope statement defines the boundaries and objectives of the IT governance system, as well as the roles and responsibilities of the stakeholders involved. The scope statement also provides clarity and alignment on what is expected from IT governance and how it will support the enterprise strategy.2, p. 25-26 References: 2: COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 COBIT defines stakeholder value creation as the realization of benefits at an optimal resource cost while optimizing risk. This is based on the principle of balance, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” . Value creation is not only about reducing costs or mitigating risks, but also about optimizing them in relation to the expected benefits. 

The information flow and items component of COBIT includes a list of artifacts with links to relevant governance and management practices. An artifact is a tangible or intangible object that is produced, modified, or used by a process or activity. An artifact can be a document, a report, a record, a plan, a policy, a procedure, a service, a product, etc. The information flow and items component of COBIT provides a comprehensive list of artifacts that are relevant for each governance and management objective, as well as links to the practices that produce, modify, or use them.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

According to the COBIT 2019 Design Guide, before designing an enterprise IT governance system, an organization should first review and understand the enterprise’s strategy. The enterprise’s strategy defines the vision, mission, goals and objectives of the organization, and provides the direction and context for IT governance. The enterprise’s strategy also identifies the key stakeholders, their needs and expectations, and the value proposition of IT to the business.1, p. 16-17 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The percent of stakeholders satisfied with program/project quality would be an appropriate metric to align with a goal of “Delivery of programs on time, on budget, and meeting requirements and quality standards”. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. A goal is a specific target or outcome that an enterprise sets to achieve its vision and mission. Delivery of programs on time, on budget, and meeting requirements and quality standards is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that IT-enabled investments are delivered successfully. The percent of stakeholders satisfied with program/project quality is a metric that reflects how well this goal is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

A key principle of an enterprise governance system is that it should focus on all technology and information processing, regardless of where processing takes place. This means that the governance system should cover not only the IT function, but also the business processes, functions, and units that use or rely on I&T. It also means that the governance system should address the external entities that provide or consume I&T services or data, such as customers, suppliers, partners, regulators, etc. COBIT adopts a holistic view of enterprise I&T that encompasses all internal and external stakeholders.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 COBIT addresses governance issues by grouping relevant governance components into objectives that can be managed to a required capability level. This is based on the principle of performance, which states that “governance of enterprise I&T should ensure that I&T performance is measured using relevant metrics; transparently communicated to stakeholders; evaluated against targets; and leads to appropriate management actions” . COBIT does not provide a full description of the entire IT environment or define specific governance strategies and processes, but rather provides a generic and flexible framework that can be adapted to different contexts and situations. 

 A governance or management objective always relates to a single process. A governance or management objective is a desired outcome or result of a governance or management activity for information and technology. A process is a set of interrelated or interacting activities that transform inputs into outputs. A process can be described by its purpose, goals, practices, activities, inputs, outputs, roles, metrics, etc. A governance or management objective always relates to a single process by defining its purpose and goals, as well as providing guidance on how to perform it effectively and efficiently.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The initial scope of a governance system is the extent and boundaries of the governance system that an enterprise intends to design and implement using COBIT 2019. The initial scope helps to define the focus and direction of the governance system design process, as well as the resources and efforts required for its implementation. One of the key considerations when determining the initial scope of a governance system is the compliance requirements faced by the enterprise. The compliance requirements are the laws, regulations, standards, guidelines, contracts, or agreements that an enterprise must comply with regarding its information and technology activities. The compliance requirements influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance requirements when determining the initial scope of a governance system, an enterprise can ensure that its governance system is appropriate for its context and objectives, and that it can effectively manage the potential impacts of non-compliance on its reputation, performance, value, and stakeholder trust.References: : COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Design Guide: page 53-54

The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs. COBIT is a comprehensive governance and management framework for information and technology that helps enterprises to achieve their goals and create value. COBIT design factors are characteristics or aspects of an enterprise that influence the design and implementation of a governance system. They include factors such as enterprise size, industry sector, risk profile, regulatory environment, sourcing model, etc. The flexibility of COBIT design factors benefits an enterprise by allowing users to tailor the framework to align with specific enterprise needs by providing guidance on how to customize and adapt the COBIT components (such as processes, practices, goals, metrics, etc.) based on the design factors.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The role or structure formed by a group of stakeholders and experts accountable for guiding IT-related matters and decisions is the executive committee. This committee is responsible for setting the direction, policies, and objectives for IT governance and management, as well as overseeing the performance, risk, and compliance of IT. The committee is composed of senior executives from both business and IT functions, and may also include external advisors or experts. The committee is based on the COBIT 2019 Implementation Guide1, page 43. References: 1: COBIT 2019 Implementation Guide | Digital | English

An example of a governance system component is the compliance regulations applicable to the enterprise. The governance system components are the elements that constitute a governance system for an enterprise using COBIT 2019. The governance system components include principles enablers goals processes practices roles structures metrics etc., that enable an enterprise to govern and manage its information and technology activities effectively efficiently reliably securely etc. The compliance regulations are the laws regulations standards guidelines contracts or agreements that govern the information and technology activities of an enterprise. The compliance regulations influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance regulations as a governance system component an enterprise can ensure that its governance system is appropriate for its context and objectives that it can effectively manage the potential impacts of non-compliance on its reputation performance value stakeholder trust etc., that it can align its information and technology activities with the relevant standards guidelines regulations best practices etc., that it can meet stakeholder requirements expectations etc., 5 References: 5: COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Framework: Governance System Components: page 27-28

The planning for a new governance framework requires defining the inputs that will guide the design and implementation of the framework. One of the most important inputs is the enterprise goals, which are the high-level statements of what the enterprise wants to achieve in terms of its mission, vision, values, and strategy. The enterprise goals provide the direction and purpose for the governance framework, and help to align the governance objectives, enablers, principles, and practices with the enterprise’s needs and expectations. The enterprise goals also help to identify the relevant stakeholders, their roles and responsibilities, and their requirements and expectations from the governance framework34 References: 3: COBIT 2019 Framework: Introduction and Methodology, page 25-26 4: COBIT 2019 Design Guide, page 23-24

 The “managed innovation” management objective of the COBIT core model best describes the outcome of achieving competitive advantage, improving customer experience and improving operational effectiveness. A management objective is a desired outcome of the management processes for information and technology. Managed innovation is one of the 40 management objectives defined by COBIT that describes how to identify, prioritize, and execute innovation initiatives that support the enterprise strategy and objectives. Achieving competitive advantage, improving customer experience and improving operational effectiveness are some of the benefits of managed innovation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

The board is responsible for the oversight of structures and mechanisms that drive enterprise governance of information and technology (EGIT). According to the ISACA Journal article, “the board is ultimately accountable for EGIT and should oversee its establishment and monitor its effectiveness” . The board should also ensure that EGIT aligns with the enterprise governance framework and supports the achievement of enterprise objectives. 

 Within the COBIT goals cascade, stakeholder drivers are transformed into the enterprise’s actionable strategy. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Stakeholder drivers are the needs or expectations of the internal or external stakeholders of the enterprise. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Alignment goals are the intermediate goals that link the enterprise goals with the governance and management objectives. Governance and management objectives are the desired outcomes of the governance system for information and technology. Stakeholder drivers are transformed into enterprise goals through a process of analysis, prioritization, and validation. Enterprise goals form the basis of the enterprise’s actionable strategy.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The oversight of technology and innovation processes by the board is critical to ensuring I&T-related decisions are aligned with the enterprise’s strategies and objectives. The board is the highest governing body of the enterprise that provides direction, oversight, and accountability for the enterprise’s performance. Technology and innovation processes are the activities that enable the enterprise to leverage information and technology to create value, achieve strategic goals, and respond to changing business needs. The oversight of technology and innovation processes by the board ensures that I&T-related decisions are consistent with the enterprise’s vision, mission, values, policies, and risk appetite.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The fact that the governance system includes many components that work together in a holistic way best enables a governance system to achieve governance and management objectives. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance objective is a desired outcome of the governance system for information and technology. A management objective is a desired outcome of the management processes for information and technology. The fact that the governance system includes many components that work together in a holistic way best enables a governance system to achieve governance and management objectives by providing a comprehensive and integrated approach that covers all aspects of information and technology governance and management, as well as by enabling customization and tailoring to suit different contexts, needs, priorities, etc.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 An actionable strategy and governance system enables an enterprise to maximize value from the use of I&T by providing direction, alignment, oversight, and performance measurement. A strategy defines the enterprise’s vision, mission, goals, and objectives, and how I&T can support them. A governance system ensures that the strategy is implemented effectively and efficiently, and that the outcomes are monitored and evaluated. COBIT provides a comprehensive governance system for enterprise I&T that covers all aspects of governance, management, and enablers.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The primary reason for management to conduct a process capability assessment is to better understand the current state as compared to the target state. A process capability assessment is a method of measuring and evaluating how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A process capability assessment can be done using different models or frameworks, such as CMMI or ISO/IEC 15504. A process capability assessment helps management to better understand the current state of a process by identifying its strengths, weaknesses, gaps, and improvement opportunities. A process capability assessment also helps management to compare the current state with the target state, which is the desired level of performance or outcome for a process.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT Process Assessment Model (PAM): Using COBIT 5

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

The Skills Framework for the Information Age (SFIA) has been used as a basis for developing guidance for the COBIT governance component of people, skills and competencies. SFIA is a globally recognized framework that describes the skills required by professionals who work with information and technology2, p. 36. References: 2: COBIT 2019 Framework: Introduction and Methodology

According to the COBIT 2019 Framework: Introduction and Methodology, one of the imperative factors to the successful implementation of IT governance is that IT governance is sponsored by executives. Executive sponsorship ensures that IT governance has sufficient authority, resources and support from the top management of the organization. Executive sponsorship also demonstrates commitment and leadership for IT governance, and fosters a culture of accountability and collaboration among stakeholders.3, p. 33-34 References: 3: COBIT 2019 Framework: Introduction and Methodology

 The IT balanced scorecard (BSC) is a tool that helps to measure and communicate the achievement of IT goals in relation to enterprise goals, using four dimensions: financial, customer, internal, and learning and growth. The alignment goal titled “Enabling and supporting business processes by integrating applications and technology” is aligned to the internal dimension of the IT BSC, as it relates to the efficiency and effectiveness of IT processes that support business processes2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

 A principle of a proper governance framework is that it should be based on a conceptual model. A conceptual model is “a representation of a system that uses concepts and ideas to form said representation” 8. A conceptual model helps to define the scope, purpose, structure, and content of a governance framework. It also helps to communicate the key concepts and relationships of a governance system to stakeholders. COBIT is based on a conceptual model that consists of three main components: the governance system, the governance components, and the design factors9. References: 8: https://en.wikipedia.org/wiki/Conceptual_model  9: COBIT 2019 Framework: Introduction and Methodology, page 26

The function of a mapping table when determining the initial scope of a new governance system is to indicate the relevance of a governance or management objective with a particular design factor. A mapping table is a tool that helps to identify and prioritize the governance and management objectives that are most applicable and important for the enterprise, based on its specific characteristics and context. A design factor is one of the characteristics of the enterprise that influence the design and operation of a governance system, such as size, industry, culture, strategy, etc. A mapping table shows the degree of relevance of each governance and management objective with each design factor, using a scale from 0 (not relevant) to 5 (very relevant). The function is based on the COBIT 2019 Design Guide, page 23. References: : COBIT 2019 Design Guide | Digital | English

 The objectives of the Evaluate, Direct and Monitor (EDM) domain are best described by assessing strategic options and guiding senior management on the options chosen. This domain covers the governance activities related to setting direction, monitoring performance, ensuring compliance, and providing feedback to stakeholders. The domain consists of five governance objectives: EDM01 Ensure Governance Framework Setting and Maintenance, EDM02 Ensure Benefits Delivery, EDM03 Ensure Risk Optimization, EDM04 Ensure Resource Optimization, and EDM05 Ensure Stakeholder Transparency. The domain is based on the COBIT 2019 Framework2, page 30. References: 2: COBIT 2019 Framework | Digital | English