Summary
Highlights
This video is part of a series on COBIT 2019 fundamentals, specifically focusing on the 40 governance and management objectives within the framework. These objectives are structured into one governance domain and four management domains, as detailed in the COBIT 2019 guide on governance and management objectives.
The five governance objectives (EDM) are the responsibility of the organization's board of directors. EDM01 aims to ensure the establishment and maintenance of the governance framework, aligning IT governance with enterprise governance. EDM02 focuses on ensuring benefit realization from IT initiatives, services, and assets. EDM03 addresses risk optimization, ensuring IT-related business risk does not exceed the organization's risk appetite. EDM04 targets resource optimization for IT. Finally, EDM05 emphasizes stakeholder engagement to ensure support for IT strategy and roadmap, effective communication, and performance reporting.
The APO domain includes 14 management objectives. APO01 focuses on managing the IT management framework, enabling the achievement of enterprise governance requirements. APO02 deals with managing strategy, supporting digital transformation and providing value through an incremental roadmap. APO03 is about managing enterprise architecture, ensuring a standard, responsible, and efficient delivery of strategic and operational objectives. APO04 manages innovation to achieve competitive advantages and improved customer experience. APO05 manages the portfolio to optimize the overall performance of programs, products, and services. APO06 manages budget and costs, fostering partnership between IT and the business. APO07 manages human resources to optimize capabilities. APO08 manages relationships to facilitate knowledge and strong communication. APO09 manages service agreements to meet current and future business needs. APO10 manages suppliers to optimize IT capabilities and minimize risk. APO11 manages quality for consistent delivery of solutions. APO12 manages risk, integrating IT risk with overall enterprise risk management. APO13 manages security to maintain information security within risk appetite. APO14 manages data, ensuring effective use of critical data assets (a new objective in COBIT 2019).
The BAI domain focuses on building, acquiring, and implementing IT solutions. BAI01 manages programs to achieve desired business value and reduce risk. BAI02 manages requirements definition to create optimal solutions that meet business needs. BAI03 manages the identification and construction of solutions to ensure agile and scalable delivery of digital products. BAI04 manages availability and capacity to maintain service availability and optimize system performance. BAI05 manages organizational change to prepare and secure stakeholder commitment for business change. BAI06 manages IT changes to facilitate quick and reliable execution of changes. BAI07 manages IT change acceptance and transition to implement solutions securely. BAI08 manages knowledge, providing required information for informed decision-making. BAI09 manages assets to track IT assets and optimize their value. BAI10 manages configuration for sufficient information on service assets. BAI11 manages projects, aiming to achieve defined project results and reduce unexpected delays and costs.
The DSS domain covers delivering, servicing, and supporting IT. DSS01 manages operations to provide planned operational IT products and services. DSS02 manages service requests and incidents to minimize disruptions and quickly resolve user issues. DSS03 manages problems to increase availability, improve service levels, and reduce costs by identifying root causes. DSS04 manages continuity to rapidly adapt and maintain business operations during significant disruptions. DSS05 manages security services to minimize the business impact of information security vulnerabilities. DSS06 manages business process controls to maintain information integrity and security of assets.
The MEA domain focuses on monitoring, evaluating, and assessing IT. MEA01 manages performance and conformity monitoring, providing transparency and driving goal achievement. MEA02 manages the internal control system, providing transparent information on the adequacy of internal controls. MEA03 manages compliance with external requirements, ensuring adherence to all applicable external regulations. MEA04 manages assurance, facilitating the design and development of effective assurance initiatives (a new objective in COBIT 2019).
The COBIT guide for governance and management objectives structures information for each objective into several components. These include general information (domain, priority area, name, description, purpose), a cascade of goals (alignment and enterprise goals with example metrics), and details on the seven COBIT components (processes, organizational structures, information flows, people/skills/competencies, policies/procedures, culture/ethics/behavior, and services/infrastructure/applications). Related documentation is also provided for further information.
Using BAI06 'Manage IT Changes' as an example, the video demonstrates the content structure. General information includes its domain (BAI), priority area, objective name, a description of controlling all IT changes, and its purpose (facilitating quick and reliable change execution, mitigating risk). The cascade of goals shows its support for alignment goal AG06 (agility for converting business requirements into operational solutions) and enterprise goal EG01 (competitive products/services portfolio).
For the 'Processes' component, the BAI06 objective details practices (e.g., BAI06.01 evaluating, prioritizing, and authorizing change requests), including their descriptions, relevant metrics, and activities. Each activity is associated with a capability level (e.g., level 2 or 3). The 'Organizational Structures' component presents a RACI matrix that identifies roles and structures (e.g., general director, operations director) responsible for the practices within BAI06. COBIT 2019 focuses on 'Accountable' (A) and 'Responsible' (R), suggesting 'Consulted' and 'Informed' roles are context-dependent and to be completed by the organization.
The 'Information Flows' component for BAI06 illustrates input and output information for each practice, showing data flow between practices and other processes. The 'People, Skills, and Competencies' component lists necessary skills (e.g., change management, change support) and provides references to external frameworks like SFIA for more detailed information on these competencies.
The 'Policies and Procedures' component identifies relevant policies for the objective with brief descriptions. 'Culture, Ethics, and Behavior' highlights key cultural elements. 'Services, Infrastructure, and Applications' suggests generic tools and software (e.g., configuration management tools, change management tools) to support the objective, rather than specific product names. The video notes that the COBIT guide provides less abundant information for these last three components, expecting more detail in future focus area guides, such as the one on information security already released.