Isaca COBIT-2019 COBIT 2019 Foundation Exam Practice Test

The high-level risk analysis is a process that involves identifying, assessing, and prioritizing the information and technology risks that an enterprise faces in relation to its governance system design. The high-level risk analysis helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. The primary benefit of conducting a high-level risk analysis during governance design is to prioritize governance and management objectives. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, and strategy. By conducting a high-level risk analysis, an enterprise can identify the areas of risk that have the most impact on its enterprise goals, and therefore prioritize the governance and management objectives that address those risks. This will also help to align the governance framework with the enterprise’s strategy and objectives12 References: 1: COBIT 2019 Design Guide: page 41-43 2: COBIT 2019 Framework: Introduction and Methodology: page 25-26

 Sharing the return on investment (ROI) analysis is the best way to address the concern of business line managers who perceive the cost of governance-required improvements as too expensive. ROI is a financial metric that measures the profitability or efficiency of an investment by comparing its benefits and costs. ROI analysis is a process of calculating and presenting the ROI of a project or program, as well as its assumptions, risks, and uncertainties. Sharing the ROI analysis with business line managers can help to address their concern by showing them how the governance-required improvements will generate value for the enterprise in terms of increased revenue, reduced costs, enhanced performance, improved quality, etc., as well as how they will outweigh their initial and ongoing costs.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 People, skills and competencies are essential for effective decision making within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The IT balanced scorecard (BSC) is a tool that helps to measure and communicate the achievement of IT goals in relation to enterprise goals, using four dimensions: financial, customer, internal, and learning and growth. The alignment goal titled “Enabling and supporting business processes by integrating applications and technology” is aligned to the internal dimension of the IT BSC, as it relates to the efficiency and effectiveness of IT processes that support business processes2, p. 20. References: 2: COBIT 2019 Framework: Governance and Management Objectives

The capability levels are a measure of how well an enterprise performs its information and technology governance and management processes in terms of process attributes such as process performance, process definition, process deployment, process measurement, process control, process optimization etc. The capability levels range from 0 (incomplete) to 5 (optimizing), indicating the degree of maturity and effectiveness of an enterprise’s information and technology governance and management processes. The capability levels are most likely to increase as a result of identifying specific design factors that increase the importance of certain governance and management objectives. The design factors are the characteristics or conditions that influence how an enterprise designs and implements its information and technology governance system using COBIT 2019. The design factors include aspects such as enterprise strategy archetype; enterprise goals; IT-related goals; risk profile; IT deployment; threat landscape; compliance requirement; operating environment; size of enterprise; culture; stakeholders; etc. By identifying specific design factors that increase the importance of certain governance and management objectives, an enterprise can tailor its information and technology governance system to suit its context and needs. This will also help to improve its capability levels for those governance and management objectives that are prioritized by the design factors. For example, if an enterprise identifies that its IT deployment design factor is cloud-based or hybrid-based, it may increase the importance of certain governance and management objectives such as managed availability and capacity (BAI04), managed service agreements (APO09), managed security services (DSS05), etc., which are relevant for managing cloud-based or hybrid-based IT solutions. By tailoring its information and technology governance system to address those governance and management objectives more effectively, the enterprise can also increase its capability levels for those processes.References: : COBIT 2019 Design Guide: page 33-48 : COBIT 2019 Process Assessment Model: page 11-13

A tailored enterprise governance system is a governance system that is customized to suit the specific needs and context of an enterprise. A sourcing model for information and technology is one of the design factors that influence the design and implementation of a tailored governance system. A sourcing model describes how the enterprise obtains and delivers I&T services, such as in-house, outsourced, cloud-based, etc. The sourcing model affects the governance objectives, components, and enablers that are relevant and applicable for the enterprise.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

 The key program roles are the roles that are responsible for leading, directing, managing, supporting, and executing the EGIT implementation program. The nomination of these roles is a critical step in creating the appropriate governance environment for the program. One of the roles that should be involved in this nomination process is the board and executives, who are the highest-level governance body and decision makers in an enterprise. The board and executives provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. They also ensure that the program is aligned with the enterprise’s vision, mission, values, strategy, goals, and objectives. The board and executives also appoint or endorse other key program roles such as the program sponsor, program manager, program steering committee, change champion network, etc.References: : COBIT 2019 Implementation Guide, page 37-38 : COBIT 2019 Framework: Governance and Management Objectives, page 19-20

 According to the COBIT 2019 Design Guide, when designing an IT governance system, the next step after considering the enterprise’s strategic business objectives is to assess the enterprise’s risk profile. The enterprise’s risk profile reflects the level of risk exposure and appetite that the organization is willing to accept in pursuit of its objectives. The risk profile also influences the selection of governance objectives, components and practices that are appropriate for managing IT-related risks.1, p. 18-19 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Innovation and differentiation are examples of enterprise objectives design factors. Design factors are the characteristics or aspects of an enterprise that influence the design and implementation of a governance system. They include factors such as enterprise size, industry sector, risk profile, regulatory environment, sourcing model, etc. Enterprise objectives are the specific goals or targets that an enterprise sets to achieve its vision and mission. They are derived from the stakeholder drivers and needs, and are influenced by the design factors. Innovation and differentiation are two possible design factors that affect how an enterprise defines its objectives.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The value that I&T delivers should be aligned directly with the values on which the business is focused. This is based on the principle of alignment, which states that “governance of enterprise I&T should ensure that I&T-enabled investments are aligned with the enterprise strategy and deliver the expected benefits” . Value delivery is not only about maintaining or increasing value from existing I&T investments, but also about ensuring that new investments support the strategic objectives and stakeholder needs of the enterprise.

In COBIT 2019, enterprise governance of IT (EGIT) is an essential responsibility of the board. The board holds ultimate accountability for governance by setting direction, monitoring performance, and ensuring compliance with the enterprise’s goals. This responsibility includes establishing structures and mechanisms to support EGIT, which falls under the Evaluate, Direct, and Monitor (EDM) domain, specifically addressed in governance objective EDM01. The framework specifies that governance is led by the board, with executive management supporting execution​.

 Measuring objectives is the next phase in the life cycle of governance after IT governance is implemented. The life cycle of governance is a continuous process that involves designing, implementing, evaluating, and improving the IT governance system. Measuring objectives is the phase that involves assessing and monitoring the performance and outcomes of the IT governance system against predefined metrics and targets. Measuring objectives is the next phase after IT governance is implemented because it helps to determine whether the IT governance system is effective, efficient, and aligned with the enterprise goals.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The role of IT design factor describes how IT supports the enterprise strategy and objectives. Turnaround is a role of IT that is viewed as a driver for business process and service innovation, by enabling new ways of doing business, creating new sources of revenue, and enhancing customer satisfaction1, p. 29. References: 1: COBIT 2019 Framework: Introduction and Methodology

The process practices that include inputs and outputs comprise the information flow component of a governance system. A governance system is a set of components that provide direction, oversight, evaluation, monitoring, assurance, etc., for an enterprise’s information and technology. A governance system consists of seven components: governance components (such as structures, processes, principles, policies, etc.), governance enablers (such as people, skills, culture, information, services, etc.), governance outcomes (such as value creation, risk optimization, resource optimization, etc.), information flow (the exchange of information among components), culture (the shared values, beliefs, norms, and attitudes), ethical behavior (the conduct that conforms to moral principles), stakeholder needs (the requirements or expectations of internal or external stakeholders). The information flow component comprises the process practices that include inputs and outputs that enable the exchange of information among components.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas processes practices roles structures,and metrics. The enterprise strategy archetype that is focused on increasing revenues is growth/acquisition. Growth/acquisition is a strategy archetype that emphasizes expanding market share revenue customer base or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investmentsand initiatives that support business growth or acquisition objectives. Portfolio management involves selecting prioritizing balancing monitoring evaluating,and optimizing informationand technology investmentsand initiatives based on their alignment with business strategy value delivery potential risk exposure resource availability interdependencies etc.Portfolio management also involves ensuring that informationand technology investmentsand initiatives are integrated with business processes systems structures culture etc especially in case of mergers or acquisitions.5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61

The value generated from the use of I&T reflects a balance among benefits, risk and resources. This is based on the principle of balance, which states that “governance of enterprise I&T should ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives” 1. Value generation is not only about maximizing financial benefits or minimizing costs or risks, but also about optimizing them in relation to the expected outcomes7. References: 1: COBIT 2019 Framework: Introduction and Methodology, page 23 7: COBIT 2019 Framework: Governance and Management Objectives, page 19

 The chief information officer (CIO) ensures the board is kept informed of major decisions related to value delivery of I&T deployment in accordance with the enterprise strategy. The CIO is the senior executive responsible for leading, directing, and managing the information and technology function of the enterprise. The CIO has a strategic role in aligning I&T with business requirements, ensuring I&T performance, managing I&T risks, fostering innovation, etc. The CIO ensures the board is kept informed of major decisions related to value delivery of I&T deployment by providing regular reports, updates, feedback, recommendations, etc., as well as by participating in board meetings or committees.1 References: COBIT 2019 Framework: Introduction and Methodology, [COBIT 2019 Framework: Roles, Responsibilities & RACI Charts]

The benefit derived from the use of COBIT that provides insight on how to derive value from the use of I&T is primarily associated with an internal stakeholder. An internal stakeholder is a person or group within an enterprise that has an interest or concern in its activities or outcomes. Examples of internal stakeholders are board members, executives, managers, employees, etc. An internal stakeholder would benefit from using COBIT by gaining insight on how to derive value from the use of I&T because it would help them to align I&T with business requirements, optimize costs and resources, enhance performance and outcomes, etc.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Stakeholder Needs

The EGIT implementation life cycle consists of four stages: initiating an EGIT program, defining the EGIT implementation road map, developing the EGIT implementation program plan, and executing the EGIT implementation program plan. The third stage, developing the EGIT implementation program plan, involves identifying and defining the success metrics for the EGIT continual improvement program. These metrics should be aligned with the enterprise goals and objectives, and should measure the performance and outcomes of the EGIT processes and practices. The success metrics should also be SMART (specific, measurable, achievable, relevant, and time-bound), and should be communicated to all stakeholders involved in the EGIT program. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 26 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 41 

The business case and program plan are essential documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The business case and program plan provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. Therefore, it is important that these documents are realistic and achievable, reflecting the current state and target state of information and technology governance in the enterprise. One of the roles that ensures the business case and program plan are realistic and achievable is the chief information officer (CIO), who is the senior executive responsible for leading and managing the information and technology function in the enterprise. The CIO has a role in developing, reviewing, validating, and approving the business case and program plan, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the business case and program plan to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program34 References: 3: COBIT 2019 Implementation Guide, page 39-40 4: COBIT 2019 Framework: Governance and Management Objectives, page 20-21

 The functional task area that is responsible for assessing the potential return on investment (ROI) during future state planning is program management. According to the COBIT 2019 Implementation Guide, program management is one of the key enablers of IT governance and management, and it includes the processes and practices for planning, executing, monitoring, controlling, and closing IT programs and projects. One of the activities of program management is to conduct a business case analysis for each proposed improvement initiative in the future state plan. This analysis involves estimating the costs, benefits, risks, dependencies, assumptions, constraints, success factors, and ROI of each initiative. The analysis helps to prioritize and justify the initiatives based on their expected value to the enterprise. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 38 

The business case outline is a document that provides a high-level overview of the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. The business case outline provides the basis for obtaining approval in principle from the stakeholders for initiating the EGIT implementation program. The business case outline is a key input to be considered when defining drivers for a COBIT implementation. The drivers are the internal and external factors that trigger or influence the need for designing and implementing a governance system for an enterprise using COBIT 2019. The drivers include aspects such as business strategy objectives performance risks issues opportunities etc., information and technology strategy objectives performance risks issues opportunities etc., stakeholder needs expectations requirements etc., standards guidelines regulations best practices etc., market conditions competitive pressures customer demands etc., etc. By considering the business case outline when defining drivers for a COBIT implementation an enterprise can ensure that it has a clear understanding of why it needs to design and implement a governance system using COBIT 2019 what are the expected outcomes benefits value etc.,

 IT governance implementation risk is best managed throughout the life cycle of the implementation. IT governance implementation risk is the possibility of negative consequences or outcomes that may arise from the design, execution, evaluation, or improvement of the IT governance system. The life cycle of IT governance implementation is a continuous process that involves four phases: what are the drivers, where are we now, where do we want to be, and how do we get there. IT governance implementation risk should be managed throughout the life cycle by identifying, analyzing, evaluating, treating, monitoring, and communicating the risks that may affect the success of the implementation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

The information security function within the IT corporate structure is responsible for classifying information using an agreed-upon classification scheme for a new data collection system. According to the COBIT 2019 Implementation Guide, information security is one of the key enablers of IT governance and management, and it includes the processes and practices for ensuring the confidentiality, integrity, and availability of information assets. One of the activities of information security is to define and implement an information classification scheme that categorizes information based on its sensitivity, criticality, and value to the enterprise. This scheme helps to determine the appropriate level of protection and controls for different types of information, especially for new data collection systems that may involve personal or sensitive data. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 62 .

 An IT implementation method design factor is a characteristic that influences how an enterprise implements IT solutions and services. DevOps is an IT implementation method that focuses on software building, deployment and operations, by integrating development and operations teams to improve collaboration and productivity1, p. 31. References: 1: COBIT 2019 Framework: Introduction and Methodology

The alignment goal titled “Knowledge, expertise and initiatives for business innovation” is aligned to the Learning and Growth dimension of the IT balanced scorecard (BSC). The IT BSC is a tool that translates the IT-related goals into a set of performance indicators that can be measured and monitored. The Learning and Growth dimension focuses on the capabilities and skills of the IT staff, as well as the culture and climate that foster innovation and learning. The alignment goal is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

The high-level program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. The high-level program plan provides the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The high-level program plan is an output of the “what needs to be done” phase. The “what needs to be done” phase is the fourth phase of the governance implementation roadmap, which involves defining the target state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. This phase also involves identifying the gaps and issues that need to be addressed to achieve the target state, setting the improvement targets and priorities, developing a detailed business case and a high-level program plan for implementing a governance system using COBIT 2019. By developing a high-level program plan as an output of the “what needs to be done” phase, an enterprise can ensure that it has a clear and realistic roadmap for designing and implementing a governance system using COBIT 2019, that it has defined the expected outcomes, benefits, value, etc., from doing so, that it has considered the relevant risks, costs, resources, etc., involved in doing so, that it has obtained stakeholder buy-in and commitment for doing so, etc.References: : COBIT 2019 Implementation Guide: page 39-40 : COBIT 2019 Implementation Guide: page 41-42

The function of a mapping table when determining the initial scope of a new governance system is to indicate the relevance of a governance or management objective with a particular design factor. A mapping table is a tool that helps to identify and prioritize the governance and management objectives that are most applicable and important for the enterprise, based on its specific characteristics and context. A design factor is one of the characteristics of the enterprise that influence the design and operation of a governance system, such as size, industry, culture, strategy, etc. A mapping table shows the degree of relevance of each governance and management objective with each design factor, using a scale from 0 (not relevant) to 5 (very relevant). The function is based on the COBIT 2019 Design Guide, page 23. References: : COBIT 2019 Design Guide | Digital | English

An example of a governance system component is the compliance regulations applicable to the enterprise. The governance system components are the elements that constitute a governance system for an enterprise using COBIT 2019. The governance system components include principles enablers goals processes practices roles structures metrics etc., that enable an enterprise to govern and manage its information and technology activities effectively efficiently reliably securely etc. The compliance regulations are the laws regulations standards guidelines contracts or agreements that govern the information and technology activities of an enterprise. The compliance regulations influence the level of control and assurance that an enterprise needs to demonstrate its adherence to the applicable rules and obligations. By considering the compliance regulations as a governance system component an enterprise can ensure that its governance system is appropriate for its context and objectives that it can effectively manage the potential impacts of non-compliance on its reputation performance value stakeholder trust etc., that it can align its information and technology activities with the relevant standards guidelines regulations best practices etc., that it can meet stakeholder requirements expectations etc., 5 References: 5: COBIT 2019 Design Guide: page 47-48 : COBIT 2019 Framework: Governance System Components: page 27-28

The best way to enable an enterprise to show and prove the benefits realized from the implementation of an EGIT program plan is to communicate the results and benefits in business impact terms. The EGIT program plan is a document that describes the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT implementation program is a program that involves designing and implementing a governance system for an enterprise using COBIT 2019. Communicating the results and benefits in business impact terms means using appropriate tools, methods, formats, frequencies, etc., to report on the progress and outcomes of the EGIT implementation program to relevant stakeholders such as the board, executives, business managers, IT managers, etc., using language and metrics that demonstrate how the program has contributed to achieving the enterprise’s strategy, objectives, performance, value, etc. By communicating the results and benefits in business impact terms, an enterprise can ensure that it has a clear and compelling evidence of the value and benefits delivered by the EGIT implementation program, that it has met stakeholder requirements and expectations, that it has obtained stakeholder feedback and recognition, that it has enhanced stakeholder trust and confidence, etc12 References: 1: COBIT 2019 Implementation Guide: page 51-52 2: COBIT 2019 Framework: Governance and Management Objectives: page 19-20

An important component for an enterprise strategy archetype of cost leadership as defined by COBIT 2019 is support for the portfolio management role with an investment office. According to the COBIT 2019 Design Guide, cost leadership is one of the four generic enterprise strategy archetypes that describe how enterprises compete in their markets. Cost leadership means that an enterprise aims to offer the lowest prices for its products or services by minimizing its costs and maximizing its efficiency. One of the design factors that influence the governance system for a cost leadership strategy is the organizational structures. The COBIT 2019 Design Guide suggests that a cost leadership strategy requires a centralized and standardized organizational structure that supports the portfolio management role with an investment office. The portfolio management role is responsible for selecting, prioritizing, and balancing the IT investments that align with the enterprise strategy and objectives. The investment office is a function that assists the portfolio management role by providing financial analysis, reporting, and decision support. The support for the portfolio management role with an investment office helps to ensure that the IT investments are optimized for cost and value. References: : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 48 2 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 51 

The number of business processing hours lost due to unplanned service interruptions would be an appropriate metric associated with an enterprise goal of business service continuity and availability. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. Business service continuity and availability is one of the 17 generic enterprise goals defined by COBIT that describes the desired outcome of ensuring that critical business services are delivered at agreed levels and are resilient to disruptions. The number of business processing hours lost due to unplanned service interruptions is a metric that reflects how well this outcome is achieved.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 The IT design factor is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six IT design factors defined in COBIT 2019: strategic; operational; data-driven; compliance-driven; innovation-driven; customer intimacy-driven. Each design factor has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. When considering the role of IT design factor, and the design factor value is strategic, one of the management objectives that should be a priority is managed innovation (APO04), which involves identifying new opportunities for using information and technology to create value for the enterprise. This management objective supports the strategic role of IT in enabling business transformation, differentiation, competitiveness, growth, and sustainability. This management objective also involves establishing an innovation culture and process that encourages creativity, experimentation, collaboration, learning, and improvement5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 57-59

The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. There are four IT implementation methods defined in COBIT 2019: traditional, agile, DevOps, and hybrid. Each method has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. The IT implementation method that requires the highest level of participation by users at multiple stages of software development is agile. Agile is an IT implementation method that emphasizes flexibility, adaptability, collaboration, customer satisfaction, and value delivery. One of the characteristics of agile is that it involves frequent and direct interaction with users throughout the software development life cycle, from requirements gathering to testing to deployment. Users are considered as key stakeholders who provide feedback, input, validation, verification, acceptance, and evaluation of the IT solutions. Users are also involved in prioritizing the features and functionalities of the IT solutions based on their needs and expectations. Agile aims to deliver IT solutions that meet user requirements and expectations in a timely and cost-effective manner.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide: Governance and Management Objectives, page 67-69

The CIO and the program steering committee are responsible for performing a stakeholder satisfaction survey and gathering feedback on lessons learned from the implementation of an EGIT program plan. According to the COBIT 2019 Implementation Guide, the CIO is the executive sponsor of the EGIT program, who provides strategic direction, leadership, and oversight for the program. The program steering committee is a group of senior stakeholders who support the CIO in governing and monitoring the program. One of their responsibilities is to conduct regular reviews of the program performance and outcomes, including stakeholder satisfaction and lessons learned. These reviews help to evaluate the effectiveness and efficiency of the EGIT program plan and identify areas for improvement. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 23 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 45 1

 The COBIT performance model is integrated into the COBIT core model. The COBIT core model consists of two main elements: the governance and management objectives (which define what needs to be achieved) and the performance model (which defines how well it needs to be achieved). The performance model is based on existing maturity and capability models (such as ISO/IEC 15504) and provides a common language to measure and communicate performance. The performance model consists of six levels (from 0 to 5) that describe the increasing degree of capability for each governance or management objective.15 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 The “managed innovation” management objective of the COBIT core model best describes the outcome of achieving competitive advantage, improving customer experience and improving operational effectiveness. A management objective is a desired outcome of the management processes for information and technology. Managed innovation is one of the 40 management objectives defined by COBIT that describes how to identify, prioritize, and execute innovation initiatives that support the enterprise strategy and objectives. Achieving competitive advantage, improving customer experience and improving operational effectiveness are some of the benefits of managed innovation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 A capability maturity model is a tool that assesses how well a process is implemented and performing at a given level, ranging from 0 (non-existent) to 5 (optimized). Each level defines a set of attributes that describe the characteristics of the process at that level, such as process performance, process documentation, process control, process measurement, etc. The model is based on the COBIT 2019 Process Assessment Model4, page 11. References: 4: COBIT 2019 Process Assessment Model | Digital | English

According to the COBIT 2019 Framework: Introduction and Methodology, one of the imperative factors to the successful implementation of IT governance is that IT governance is sponsored by executives. Executive sponsorship ensures that IT governance has sufficient authority, resources and support from the top management of the organization. Executive sponsorship also demonstrates commitment and leadership for IT governance, and fosters a culture of accountability and collaboration among stakeholders.3, p. 33-34 References: 3: COBIT 2019 Framework: Introduction and Methodology

People, skills and competencies are required for successful completion of all activities within a governance system. People are the individuals or groups who perform or are accountable for the governance activities and tasks. Skills and competencies are the abilities and knowledge that people need to perform their roles and responsibilities. People, skills and competencies are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The role or structure formed by a group of stakeholders and experts accountable for guiding IT-related matters and decisions is the executive committee. This committee is responsible for setting the direction, policies, and objectives for IT governance and management, as well as overseeing the performance, risk, and compliance of IT. The committee is composed of senior executives from both business and IT functions, and may also include external advisors or experts. The committee is based on the COBIT 2019 Implementation Guide1, page 43. References: 1: COBIT 2019 Implementation Guide | Digital | English

A focus area describes a specific governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. A focus area provides guidance on how to apply COBIT to a specific business driver or pain point, such as digital transformation, cybersecurity, privacy, or business continuity. A focus area can also provide guidance on how to align COBIT with other standards, frameworks or regulations. A focus area is based on the COBIT 2019 Design Guide3, page 19. References: 3: COBIT 2019 Design Guide | Digital | English

The EGIT business case outline and details are documents that describe the rationale, objectives, scope, approach, benefits, costs, risks, and timeline of the EGIT implementation program. The EGIT business case outline and details provide the basis for obtaining approval, funding, resources, and support for the program from the stakeholders. The responsibility for developing an EGIT business case outline and details resides with the CIO and program steering committee. The CIO is the senior executive responsible for leading and managing the information and technology function in an enterprise. The CIO has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are aligned with the enterprise’s strategy, objectives, needs, and expectations. The CIO also has a role in communicating and presenting the EGIT business case outline and details to other stakeholders such as the board, executives, business managers, IT managers, etc., and obtaining their buy-in and commitment for the program. The program steering committee is a group of senior stakeholders who provide strategic direction, oversight, guidance, and approval for the EGIT implementation program. The program steering committee has a role in developing, reviewing, validating, and approving the EGIT business case outline and details, ensuring that they are consistent with the enterprise’s vision, mission, values, strategy goals,and objectives. The program steering committee also has a role in monitoring and controlling the execution of the EGIT implementation program plan against the EGIT business case outline and details34 References: 3: COBIT 2019 Implementation Guide: page 37-38 4: COBIT 2019 Implementation Guide: page 39-40

The primary purpose of reexamining the IT strategic plan after IT governance has been operating for three years and is satisfactorily achieving desired outcomes is to assess improvement opportunities. The IT strategic plan is a document that defines the vision, mission, goals, objectives, strategies, and tactics for IT governance and management, as well as the alignment with the enterprise’s business strategy. By reexamining the plan periodically, the enterprise can identify any changes in the internal or external environment that may affect IT governance, as well as any areas for enhancement or optimization. The purpose is based on the COBIT 2019 Implementation Guide3, page 26. References: 3: COBIT 2019 Implementation Guide | Digital | English

The planning for a new governance framework requires defining the inputs that will guide the design and implementation of the framework. One of the most important inputs is the enterprise goals, which are the high-level statements of what the enterprise wants to achieve in terms of its mission, vision, values, and strategy. The enterprise goals provide the direction and purpose for the governance framework, and help to align the governance objectives, enablers, principles, and practices with the enterprise’s needs and expectations. The enterprise goals also help to identify the relevant stakeholders, their roles and responsibilities, and their requirements and expectations from the governance framework34 References: 3: COBIT 2019 Framework: Introduction and Methodology, page 25-26 4: COBIT 2019 Design Guide, page 23-24

 The key question that should be asked and evaluated one year after IT governance is implemented is whether the enterprise has achieved expected benefits. Benefits are the positive outcomes or value that are derived from a project or program. Benefits can be tangible (such as increased revenue, reduced costs, improved efficiency, etc.) or intangible (such as enhanced reputation, customer satisfaction, employee engagement, etc.). Benefits realization is the process of planning, managing, measuring, and reporting the benefits that are delivered by a project or program. Asking and evaluating whether the enterprise has achieved expected benefits one year after IT governance is implemented is important because it helps to determine whether the IT governance system is effective in creating value for the enterprise and its stakeholders.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Implementation Guide: Implementing an Information and Technology Governance Solution

 According to the COBIT 2019 Framework: Introduction and Methodology, a maturity level is a performance measure that is used to assess a specific focus area. A focus area is a topic that is relevant for governance and management of enterprise information and technology (I&T), such as cybersecurity, privacy or digital transformation. A maturity level indicates the extent to which a focus area is implemented and integrated in the enterprise’s governance system. There are six maturity levels defined in COBIT 2019, ranging from 0 (incomplete) to 5 (optimized).3, p. 77-78 References: 3: COBIT 2019 Framework: Introduction and Methodology

When assessing organizational structures, it is most helpful when subcriteria for each criterion are defined and linked to capability levels. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be assessed using six criteria: clarity, comprehensiveness, integration, alignment, authority, and accountability. Each criterion can be further divided into subcriteria that describe the specific aspects or attributes of the criterion. Capability levels are the measures of how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. Capability levels can range from 0 (incomplete) to 5 (optimizing). Defining and linking subcriteria to capability levels helps to evaluate the current and desired state of organizational structures, as well as to identify gaps and improvement opportunities.123 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

 The IT implementation methods design factor describes how an enterprise develops, delivers, and maintains its IT solutions. DevOps is an IT implementation method that emphasizes collaboration, automation, integration, and feedback between the development and operations teams throughout the software development life cycle. One of the management objectives that should be prioritized when using DevOps is managed solution identification and build (BAI03), which involves defining, designing, building, testing, and deploying IT solutions that meet stakeholder requirements and expectations. This management objective supports the DevOps principles of continuous delivery, continuous integration, continuous testing, and continuous deployment, which aim to deliver high-quality IT solutions faster and more reliably.References: : COBIT 2019 Design Guide, page 43-45 : COBIT 2019 Process Reference Guide, page 67-69

 An enterprise goal is a high-level statement of what the enterprise wants to achieve, aligned with the mission, vision and values of the enterprise. Portfolio of competitive services is an enterprise goal that would most likely be evaluated by using a metric “percent of services that meet or exceed targets in revenues and market share”, as it reflects the need to offer products and services that are attractive to customers and differentiate the enterprise from its competitors2, p. 17. References: 2: COBIT 2019 Framework: Governance and Management Objectives

The initiatives that should be scheduled for completion first when prioritizing improvement initiatives are the ones that are easiest to achieve and will garner business benefits. This approach helps to create quick wins and demonstrate value to the stakeholders, as well as to build momentum and confidence for further improvement efforts. The initiatives should also be aligned with the enterprise’s strategic objectives, risk appetite, and resource constraints. The approach is based on the COBIT 2019 Implementation Guide2, page 37. References: 2: COBIT 2019 Implementation Guide | Digital | English

The focus of an enterprise that has a cost leadership strategy design factor is short-term cost minimization. A cost leadership strategy is a competitive strategy that aims to achieve lower costs than competitors by offering standardized products or services at low prices. A cost leadership strategy design factor affects how an enterprise designs its governance system, as it implies a focus on operational efficiency, process automation, economies of scale, outsourcing, etc. An enterprise that has a cost leadership strategy design factor would prioritize short-term cost minimization over long-term cost optimization or medium-term cost equalization.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

Enterprise strategy cascades to enterprise goals within the COBIT goals cascade. The COBIT goals cascade is a mechanism that helps enterprises to align their governance objectives with their stakeholder needs. It consists of four levels: stakeholder drivers, enterprise goals, alignment goals, and governance and management objectives. Enterprise strategy is the high-level direction and guidance that defines how the enterprise will achieve its vision and mission. Enterprise goals are the specific targets or outcomes that the enterprise sets to achieve its vision and mission. Enterprise strategy cascades to enterprise goals through a process of analysis, prioritization, and validation.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

An enterprise that has been consistently growing over the years and has decided to adapt the COBIT framework from the growth perspective of the balanced scorecard dimensions should select product and business innovation as one of its most relevant enterprise goals. The balanced scorecard is a tool that translates strategic objectives into four dimensions: financial, customer, internal, and growth. The growth dimension focuses on how the enterprise can create new products or services, enter new markets, or improve its processes or capabilities to achieve long-term success. Product and business innovation is one of the 17 enterprise goals defined in COBIT 2019, which describe the outcomes that an enterprise wants to achieve from its use of information and technology. This goal relates to enhancing customer satisfaction and loyalty by providing innovative solutions that meet their needs and expectations. The answer is based on the COBIT 2019 Framework5, page 38. References: 5: COBIT 2019 Framework | Digital | English

 The component that should be considered for inclusion when considering the threat landscape design factor is information security focus areas. The threat landscape is one of the 11 design factors defined in COBIT 2019, and it refers to the current and emerging threats that may affect the enterprise’s information and technology assets, such as cyberattacks, natural disasters, human errors, etc. Information security focus areas are the specific domains or topics that need to be addressed by the governance system to ensure adequate protection of information and technology assets from potential threats, such as identity and access management, data protection, incident response, etc. The answer is based on the COBIT 2019 Design Guide4, page 17. References: 4: COBIT 2019 Design Guide | Digital | English

 The enterprise goal titled “Optimization of Business Process Costs” is aligned to the internal dimension of the balanced scorecard (BSC). The internal dimension focuses on the efficiency and effectiveness of the business processes that deliver value to customers and stakeholders. Optimization of business process costs is one of the 17 generic enterprise goals defined by COBIT that supports the internal dimension.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance and Management Objectives

 Processes are key components of a governance system. Processes are the structured sets of activities that produce outputs or outcomes for achieving specific objectives. Processes define what needs to be done, by whom, when, how, and why. Processes are one of the seven enablers of a governance system, as defined by COBIT.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System