Module 7A - Designing A Tailored System - Design Factors - 2


MODULE 7

DESIGNING A TAILORED GOVERNANCE SYSTEM

MODULE 7 TOPICS AND OBJECTIVES

Topics
• Introduction to designing a tailored governance system
• Impact of design factors
• Designing a tailored system
• Module summary

Objectives
• Discover how to design a tailored governance system using COBIT
• Prepare for the COBIT 2019 Foundation exam

INTRODUCTION TO DESIGNING A TAILORED GOVERNANCE SYSTEM
Governance over a complex matter like information and technology requires a multitude
of components, including processes, organizational structures, information flows,
behaviors, etc.

All of these need to work together in a systemic way.

For that reason we will refer to the tailored governance solution every enterprise should
build as the ‘governance system for enterprise information & technology’, or ‘governance
system’ in short.

221 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
THE NEED FOR TAILORING

Each enterprise is distinct in many aspects: size, sector, regulatory landscape, threat
landscape, role of IT for the organization, tactical technology-related choices and others.

COBIT collectively refers to these as ‘design factors’, covered in Module 4.

Organizations should tailor their governance system to gain the most value out of their use of
Information and Technology.

There is no unique governance system for enterprise Information and Technology that fits all.

Tailoring means that an enterprise starts from the COBIT Core model and applies changes to this
generic framework based on the relevance and importance of a series of design factors.

This process is called ‘designing the governance system for enterprise information and technology’.

222 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
DESIGN FACTORS

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.
• The design factors are listed here and the potential impacts they can have on the governance system are noted in Module 7, Designing a Tailored Governance System.
• More information and detailed guidance on how to use the design factors for designing a governance system can be found in the COBIT® 2019 Design Guide publication.

Design factors include any combination of the following:
• Enterprise strategy
• Enterprise goals
• Risk profile
• IT-related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• IT implementation methods
• Technology adoption strategy
• Enterprise size
• Future factors

91 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTORS

92 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 1: ENTERPRISE STRATEGY

Enterprises can have different strategies, which can be expressed as (a combination of)
the archetypes shown below. Organizations typically have a primary strategy and, at
most, one secondary strategy.

Figure 4.5—Enterprise Strategy Design Factor


Strategy Archetype / Explanation
• Growth/Acquisition: The enterprise has a focus on growing (revenues).
• Innovation/Differentiation: The enterprise has a focus on offering different and/or innovative products and services to their clients.
• Cost Leadership: The enterprise has a focus on short-term cost minimization.
• Client Service/Stability: The enterprise has a focus on providing stable and client-oriented service.

93 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 2: ENTERPRISE GOALS

Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, structured along the balanced scorecard (BSC) dimensions.

Figure 4.6—Enterprise Goals Design Factor

Reference (Balanced Scorecard (BSC) Dimension): Enterprise Goal
• EG01 (Financial): Portfolio of competitive products and services
• EG02 (Financial): Managed business risk
• EG03 (Financial): Compliance with external laws and regulations
• EG04 (Financial): Quality of financial information
• EG05 (Customer): Customer-oriented service culture
• EG06 (Customer): Business-service continuity and availability
• EG07 (Customer): Quality of management information
• EG08 (Internal): Optimization of internal business process functionality
• EG09 (Internal): Optimization of business process costs
• EG10 (Internal): Staff skills, motivation and productivity
• EG11 (Internal): Compliance with internal policies
• EG12 (Growth): Managed digital transformation programs
• EG13 (Growth): Product and business innovation

94 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
A balanced scorecard (BSC)

- A balanced scorecard (BSC) is defined as a management system that provides feedback on both internal business processes and external outcomes to continuously improve strategic performance and results.

- A balanced scorecard is a strategy performance management tool, a well-structured report that can be used by managers to keep track of the execution of activities by the staff within their control and to monitor the consequences arising from these actions.[1]

- The four perspectives of a traditional balanced scorecard are Financial, Customer, Internal Process, and Learning and Growth.
DESIGN FACTOR 3: RISK PROFILE

The risk profile identifies the sort of I&T-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.

95 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 3: RISK PROFILE

IT risk categories (the figure shows the 19 categories of figure 2.7 as a grid):
1. IT-investment decision making, portfolio definition and maintenance
2. Program and projects lifecycle management
3. IT cost and oversight
4. Enterprise/IT architecture
5. IT expertise, skills and behavior
6. IT operational infrastructure incidents
7. Unauthorized actions
8. Software adoption/usage problems
9. Hardware incidents
10. Software failures
11. Logical attacks (hacking, malware, etc.)
12. Third-party/supplier incidents
13. Noncompliance
14. Geopolitical issues
15. Industrial action
16. Acts of nature
17. Technology-based innovation
18. Environmental
19. Data and information management
39 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.7


3. Risk profile of the enterprise and current issues in relation to I&T—The risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.

The risk categories listed in figure 2.7 merit consideration.[6]

Figure 2.7—Risk Profile Design Factor (IT Risk Categories)


Reference / Risk Category / Example Risk Scenarios

1. IT-investment decision making, portfolio definition and maintenance
A. Programs selected for implementation misaligned with corporate strategy and priorities
B. Failure of IT-related investments to support digital strategy of the enterprise
C. Selection of wrong software (in terms of cost, performance, features, compatibility, redundancy, etc.) for acquisition and implementation
D. Selection of wrong infrastructure (in terms of cost, performance, features, compatibility, etc.) for implementation
E. Duplication or important overlaps between different investment initiatives
F. Long-term incompatibility between new investment programs and enterprise architecture
G. Misallocation, inefficient management and/or competition for resources without alignment to business priorities

2. Program and projects lifecycle management
A. Failure of senior management to terminate failing projects (due to cost explosion, excessive delays, scope creep, changed business priorities)
B. Budget overruns for I&T projects
C. Lack of quality of I&T projects
D. Late delivery of I&T projects
E. Failure of third-party outsourcers to deliver projects as per contractual agreements (any combination of exceeded budgets, quality problems, missing functionality, late delivery)

3. IT cost and oversight
A. Extensive dependency on, and use of, user-created, user-defined, user-maintained applications and ad hoc solutions
B. Excess cost and/or ineffectiveness of I&T-related purchases outside of the I&T procurement process
C. Inadequate requirements leading to ineffective Service Level Agreements (SLAs)
D. Lack of funds for I&T related investments

4. IT expertise, skills and behavior
A. Lack or mismatch of IT-related skills within IT (e.g., due to new technologies or working methods)
B. Lack of business understanding by IT staff that affects service delivery/project quality
C. Inability to recruit and retain IT staff
D. Recruitment of unsuitable profiles because of lack of due diligence in the recruitment process
E. Lack of I&T training
F. Overreliance for I&T services on key staff

[6] Modified from ISACA, The Risk IT Practitioner Guide, USA, 2009


Figure 2.7—Risk Profile Design Factor (IT Risk Categories) (cont.)


Reference / Risk Category / Example Risk Scenarios

5. Enterprise/IT architecture
A. Complex, inflexible enterprise architecture (EA), obstructing further evolution and expansion, and leading to missed business opportunities
B. Failure to timely adopt and exploit new infrastructure or abandon obsolete infrastructure
C. Failure to timely adopt and exploit new software (functionality, optimization, etc.) or to abandon obsolete applications
D. Undocumented EA leading to inefficiencies and duplications
E. Excessive number of exceptions on enterprise architecture standards

6. IT operational infrastructure incidents
A. Accidental damaging of IT equipment
B. Errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.)
C. Incorrect information input by IT staff or system users
D. Destruction of data center (sabotage, etc.) by staff
E. Theft of device with sensitive data
F. Theft of a key infrastructure component
G. Erroneous configuration of hardware components
H. Intentional tampering with hardware (security devices, etc.)
I. Abuse of access rights from prior roles to access IT infrastructure
J. Loss of backup media or backups not checked for effectiveness
K. Loss of data by cloud provider
L. Operational-service interruption by cloud providers

7. Unauthorized actions
A. Tampering with software
B. Intentional modification or manipulation of software leading to incorrect data
C. Intentional modification or manipulation of software leading to fraudulent actions
D. Unintentional modification of software leading to inaccurate results
E. Unintentional configuration and change-management errors

8. Software adoption/usage problems
A. Nonadoption of new application software by users
B. Inefficient use of new software by users

9. Hardware incidents
A. System instability in wake of installing new infrastructure, leading to operational incidents (e.g., BYOD program)
B. Inability of systems to handle transaction volumes when user volumes increase
C. Inability of systems to handle load when new applications or initiatives are deployed
D. Utilities failure (telecom, electricity)
E. Hardware failure due to overheating and/or other environmental conditions like humidity
F. Damaging of hardware components leading to destruction of data by internal staff
G. Loss/disclosure of portable media containing sensitive data (CD, USB-drives, portable disks, etc.)
H. Extended resolution time or support delays in case of hardware incidents

10. Software failures
A. Inability to use the software to realize desired outcomes (e.g., failure to make required business model or organizational changes)
B. Implementation of immature software (early adopters, bugs, etc.)
C. Operational glitches when new software is made operational
D. Regular software malfunctioning of critical application software
E. Obsolete application software (outdated, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture, etc.)
F. Inability to revert back to former versions in case of operational issues with a new version
G. Software-induced corrupted data(base) leading to inaccessible data


Figure 2.7—Risk Profile Design Factor (IT Risk Categories) (cont.)


Reference / Risk Category / Example Risk Scenarios

11. Logical attacks (hacking, malware, etc.)
A. Unauthorized (internal) users trying to break into systems
B. Service interruption due to denial-of-service (DoS) attack
C. Website defacement
D. Malware attack
E. Industrial espionage
F. Hacktivism
G. Disgruntled employee implements a time bomb which leads to data loss
H. Company data stolen through unauthorized access gained by a phishing attack
I. Foreign government attacks on critical systems

12. Third-party/supplier incidents
A. Inadequate performance of outsourcer in large-scale, long-term outsourcing arrangement (e.g., through lack of supplier due diligence regarding financial viability, delivery capability and sustainability of supplier’s service)
B. Accepting unreasonable terms of business from IT suppliers
C. Inadequate support and services delivered by vendors, not in line with SLA
D. Noncompliance with software license agreements (use and/or distribution of unlicensed software)
E. Inability to transfer to alternative suppliers due to overreliance or overdependence on current supplier
F. Purchase of IT services (especially cloud services) by the business without consultation/involvement of IT, resulting in inability to integrate the service with in-house services
G. Inadequate or unenforced SLA to obtain agreed services and penalties in case of noncompliance

13. Noncompliance
A. Noncompliance with national or international regulations (e.g., privacy, accounting, manufacturing, environmental, etc.)
B. Lack of awareness of potential regulatory changes that may have a business impact
C. Operational obstacles caused by regulations
D. Failure to comply with internal procedures

14. Geopolitical issues
A. Lack of access due to disruptive incident in other premises
B. Government interference and national policies impacting the business
C. Targeted action from government-sponsored groups or agencies

15. Industrial action
A. Facilities and building inaccessible because of labor union strike
B. Third-party providers unable to provide services because of strike
C. Key staff unavailable through industrial action (e.g., transportation or utilities strike)

16. Acts of nature
A. Earthquake destroying or damaging important IT infrastructure
B. Tsunami destroying critical premises
C. Major storms and tropical cyclone or tornado damaging critical infrastructure
D. Major wildfire
E. Flooding
F. Rising water table leaving critical location unusable
G. Rising temperature rendering critical locations uneconomical to operate

17. Technology-based innovation
A. Failure to identify new and important technology trends
B. Failure to appreciate the value and potential of new technologies
C. Failure to adopt and exploit new technologies in a timely manner (functionality, process optimization, etc.)
D. Failure to provide technology support for new business models

18. Environmental
A. Environmentally unfriendly equipment (e.g., power consumption, packaging)

19. Data and information management
A. Discovery of sensitive information by unauthorized persons due to inefficient retaining/archiving/disposing of information
B. Intentional illicit or malicious modification of data
C. Unauthorized disclosure of sensitive information through email or social media
D. Loss of IP and/or leakage of competitive information



DESIGN FACTOR 4: I&T RELATED ISSUES

A related method for an I&T risk assessment is for the enterprise to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized. These are the most common of such issues:

Figure 2.8–I&T Related Issues Design Factor

Reference / Description
A. Frustration between different IT entities across the organization because of a perception of low contribution to business value.
B. Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value.
C. Significant IT related incidents, such as data loss, security breaches, project failure, application errors, etc. linked to IT.
D. Service delivery problems by the IT outsourcer(s).
E. Failures to meet IT related regulatory or contractual requirements.
F. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems.

40 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)

Figure 2.8–I&T Related Issues Design Factor

Reference / Description
G. Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets.
H. Duplications or overlaps between various initiatives or other forms of wasting resources.
I. Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction.
J. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget.
K. Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT.
L. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions.
M. Excessively high cost of IT.
N. Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system.

41 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 4: I&T RELATED ISSUES (CONTINUED)

Figure 2.8–I&T Related Issues Design Factor

Reference / Description
O. Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages.
P. Regular issues with data quality and integration of data across various sources.
Q. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation.
R. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department.
S. Ignorance and/or noncompliance with security and privacy regulations.
T. Inability to exploit new technologies or to innovate using I&T.

42 Reference: COBIT 2019 Design Guide, Chapter 2, figure 2.8


DESIGN FACTOR 5: THREAT LANDSCAPE

The threat landscape under which the enterprise operates can be classified as shown
below.

Figure 4.9 – Threat Landscape Design Factor


Threat Landscape / Explanation
• Normal: The enterprise is operating under what are considered normal threat levels.
• High: Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.

97 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 6: COMPLIANCE REQUIREMENTS

The compliance requirements to which the enterprise is subject can be classified according to the categories below.

Figure 4.10—Compliance Requirements Design Factor

Regulatory Environment / Explanation
• Low compliance requirements: The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
• Normal compliance requirements: The enterprise is subject to a set of regular compliance requirements that are common across different industries.
• High compliance requirements: The enterprise is subject to higher-than-average compliance requirements, most often related to industry sector or geopolitical conditions.

98 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 7: ROLE OF IT

The role of IT for the enterprise can be classified as shown below.

Figure 4.11—Role of IT Design Factor


Role of IT / Explanation
• Support: IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
• Factory: When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
• Turnaround: IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency on IT for the current running and continuity of the business processes and services.
• Strategic: IT is critical for both running and innovating the organization’s business processes and services.

99 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 8: SOURCING MODEL FOR IT

The sourcing model for IT the enterprise adopts can be classified as shown below.

Figure 4.12—Sourcing Model for IT Design Factor


Sourcing Model / Explanation
• Outsourcing: The enterprise calls upon the services of a third party to provide IT services.
• Cloud: The enterprise maximizes the use of the cloud for providing IT services to its users.
• Insourced: The enterprise provides for its own IT staff and services.
• Hybrid: A mixed model is applied, combining the other three models in varying degrees.

100 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 9: IT IMPLEMENTATION METHODS

The IT implementation methods the enterprise adopts can be classified as shown below.

Figure 4.13—IT Implementation Methods Design Factor


IT Implementation / Explanation
• Agile: The enterprise uses Agile development working methods for its software development.
• DevOps: The enterprise uses DevOps working methods for software building, deployment and operations.
• Traditional: The enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
• Hybrid: The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”

101 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 10: TECHNOLOGY ADOPTION STRATEGY

The technology adoption strategy can be classified as shown below.

Figure 4.14—Technology Adoption Strategy Design Factor

Technology Adoption Strategy / Explanation
• First mover: The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
• Follower: The enterprise typically waits for new technologies to become mainstream and proven before adopting them.
• Slow adopter: The enterprise is very late with adoption of new technologies.

102 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
DESIGN FACTOR 11: ENTERPRISE SIZE

Two categories are identified for the design of an enterprise’s governance system. Micro-
enterprises, i.e., enterprises with fewer than 50 staff members, are not considered in this
view.

Figure 4.15—Enterprise Size Design Factor


Enterprise Size / Explanation
• Large enterprise (Default): Enterprise with more than 250 full-time employees (FTEs)
• Small and medium enterprise: Enterprise with 50 to 250 FTEs

103 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
INDUSTRY DIMENSION (OPTION 1)

Why is there no industry sector design factor?

Every industry sector has its own unique set of requirements regarding expectations from the use of I&T.

However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.

For example:
• Financial sector
• Healthcare providers
• Nonprofit enterprises
• Public sector agencies

50 Reference: COBIT 2019 Design Guide, Chapter 2, page 28


IMPACT OF DESIGN FACTORS

Design factors influence in different ways the tailoring of the governance system of an enterprise. There are three different types of impacts:
• Management objective priority and target capability levels
• Component variations
• Specific focus areas

(Diagram: Design Factors at the center, linked to the three impact types above.)

225 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels

Design factor influence can make some governance and management objectives more important than others. In practice, this higher importance translates into setting higher target capability levels.

(Diagram: Design Factors linked to management objective priority and target capability levels, component variations, and specific focus areas.)

226 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES


When an enterprise identifies the most relevant enterprise goal(s) from the enterprise goal list and applies the
goals cascade, this will lead to a selection of priority management objectives. For example, when EG01
Portfolio of competitive products and services is ranked as very high by an enterprise, this will make
management objective APO05 Managed portfolio an important part of this enterprise’s governance system.

An enterprise that is very risk averse will give more priority to management objectives that aspire to govern and
manage risk and security. Governance and management objectives EDM03 Ensured risk optimization, APO12
Managed risk, APO13 Managed security and DSS05 Managed security services will become important parts of
that enterprise’s governance system and will have higher target capability levels defined for them.

An enterprise operating within a high threat landscape will require highly capable security-related processes:
APO13 Managed security and DSS05 Managed security services.

An enterprise in which the role of IT is strategic and crucial to the success of the business will require high
involvement of IT-related roles in organizational structures, a thorough understanding of business by IT
professionals (and vice versa), and a focus on strategic processes such as APO02 Managed strategy and
APO08 Managed relationships.

227 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels – EXAMPLES

Appendix A and B of COBIT 2019 Framework: Governance and Management Objectives show the mappings from enterprise goals to alignment goals, and then from alignment goals to governance and management objectives.

Workflow:
1. Identify the most relevant enterprise goal(s) from the enterprise goal list.
2. Apply the goals cascade.
3. Selection of priority management objectives.

Exercise:
• Enterprise profile: Risk-avoidant
• Goals: fill in

59 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


GOALS CASCADE

Alignment goals emphasize the alignment of all IT efforts with business objectives.
• There is a frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise.
• The goals cascade is covered in more detail in Module 5, Governance and Management Objectives.

105 Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Diversify offerings, increasing profit and growth
Goal:
• EG01 Portfolio of competitive products and services
Objective:
• APO05 Managed portfolio

Enterprise profile: Risk-avoidant
Goals:
• EG02 Managed business risk
Objectives:
• EDM03 Ensured risk optimization
• APO12 Managed risk
• APO13 Managed security
• DSS05 Managed security services

60 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


IMPACT OF DESIGN FACTORS

Management Objective Priority and Target Capability Levels - EXAMPLES

Enterprise profile: Operating in a high-threat landscape
Goals:
• EG02 Managed business risk
• EG06 Business service continuity and availability
Objectives:
• APO13 Managed security
• DSS05 Managed security services

Enterprise profile: Role of IT is strategic and crucial to the success of the business
Goals:
• EG01 Portfolio of competitive products and services
• EG05 Customer-oriented service culture
Objectives:
• APO02 Managed strategy
• APO08 Managed relationships

61 Reference: COBIT 2019 Design Guide, Chapter 3, page 29


IMPACT OF DESIGN FACTORS

Component Variations

Components are required to achieve governance and management objectives. Some design factors can influence the importance of one or more components or can require specific variations.

(Diagram: Design Factors linked to management objective priority and target capability levels, component variations, and specific focus areas.)

228 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Components Variation - EXAMPLES

Small and medium-sized enterprises might not need the full set of roles and organizational
structures as laid out in the COBIT core model, but may use a reduced set instead. This reduced set
of governance and management objectives and the included components is defined in the Small and
Medium Enterprise focus area (in development).

An enterprise which operates in a highly regulated environment will attribute more importance to
documented work products and policies and procedures and to some roles, e.g. the compliance
officer function.

An enterprise that uses DevOps in solution development and operations will require specific
activities, organizational structures, culture, etc., focused on BAI03 Managed solutions identification
and build and DSS01 Managed operations.

229 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Components Variation - EXAMPLES

Small and medium-sized enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model but may use a reduced set instead.

DevOps in solution development and operations example:
• BAI03 Managed solutions identification and build
• DSS01 Managed operations

64 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


IMPACT OF DESIGN FACTORS

Specific Focus Areas

Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.

(Diagram: Design Factors linked to management objective priority and target capability levels, component variations, and specific focus areas.)

230 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Specific Focus Areas - EXAMPLES

Enterprises adopting a DevOps approach will require a governance system that has a variant of
several generic COBIT processes, described in the DevOps focus area guidance (in development) for
COBIT.

Small and medium enterprises have fewer staff, fewer IT resources, and shorter and more direct
reporting lines, and differ in many more aspects from large enterprises. For that reason, their
governance system for I&T will have to be less onerous, compared to large enterprises. This is
described in the SME focus area guidance of COBIT (in development).

231 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
IMPACT OF DESIGN FACTORS

Specific Focus Areas - EXAMPLES

Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes, described in the DevOps focus area guidance (in development) for COBIT.

Small and medium enterprises differ from large enterprises in that they:
• Have fewer staff
• Have fewer IT resources
• Have shorter and more direct reporting lines
• Differ in many more aspects

67 Reference: COBIT 2019 Design Guide, Chapter 3, page 30


DESIGNING A TAILORED SYSTEM

233 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
MODULE 7 SUMMARY

• Impact of design factors
• Designing a tailored system

235 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
SAMPLE QUESTION

Designing a tailored governance system will result in recommendations for prioritizing governance and management objectives or related governance system components, for ____________, or for adopting specific variants of a governance system component.
A. target capability levels
B. documenting the four enabler dimensions
C. documenting the most appropriate accountabilities and responsibilities

236 References: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System COBIT 2019 Design Guide
SAMPLE QUESTION

Which of the following is the correct set of steps in the governance system design workflow?
A. Understand the enterprise context and strategy; Determine the initial scope of the governance system; Refine the scope of the governance system; Conclude the governance system design.
B. What are the drivers; Where are we now; Where do we want to be; What needs to be done; How do we get there; Did we get there; How do we keep the momentum going.
C. Direct the governance system; Plan the governance system; Build the governance system; Run the governance system; Monitor the governance system.

237 References: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System COBIT 2019 Design Guide
SAMPLE QUESTION

In which stage of the Governance System Design Workflow would an enterprise consider the current I&T-related issues?
A. Understand enterprise strategy
B. Determine the initial scope of the governance system
C. Plan program

238 Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
