Free Isaca COBIT-2019 Practice Exam with Questions & Answers | Set: 2

The organizational structures component of the governance system are the key decision-making entities in an enterprise. Organizational structures are the arrangements of roles and responsibilities that enable the enterprise to achieve its objectives. Organizational structures can be formal or informal, hierarchical or flat, centralized or decentralized, etc. Organizational structures can include entities such as board, executive management, committees, forums, teams, units, etc. The organizational structures component of the governance system are the key decision-making entities in an enterprise by providing authority, accountability, direction, oversight, evaluation, etc., for information and technology.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Roles, Responsibilities & RACI Charts

The CIO and the program steering committee are responsible for performing a stakeholder satisfaction survey and gathering feedback on lessons learned from the implementation of an EGIT program plan. According to the COBIT 2019 Implementation Guide, the CIO is the executive sponsor of the EGIT program, who provides strategic direction, leadership, and oversight for the program. The program steering committee is a group of senior stakeholders who support the CIO in governing and monitoring the program. One of their responsibilities is to conduct regular reviews of the program performance and outcomes, including stakeholder satisfaction and lessons learned. These reviews help to evaluate the effectiveness and efficiency of the EGIT program plan and identify areas for improvement. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 23 1 : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 45 1

 The most likely underlying cause for an enterprise not having success implementing IT governance because key staff are not participating in planning meetings is lack of senior leadership commitment. Senior leadership commitment is essential for ensuring that IT governance is aligned with the enterprise’s vision, mission, values, and goals, and that it receives adequate resources, support, and oversight. Without senior leadership commitment, IT governance may face resistance, confusion, or indifference from key stakeholders, resulting in poor implementation outcomes. The cause is based on the COBIT 2019 Implementation Guide4, page 25. References: 4: COBIT 2019 Implementation Guide | Digital | English

The enterprise’s risk profile is the most important enterprise risk management concept to fully understand prior to finalizing the design of an IT governance system. Enterprise risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect the achievement of enterprise objectives. Enterprise risk management concepts include risk appetite (the amount and type of risk that an enterprise is willing to accept), risk tolerance (the acceptable variation in outcomes related to specific performance measures), risk profile (the overall exposure or level of risk that an enterprise faces), etc. The enterprise’s risk profile is the most important concept to fully understand prior to finalizing the design of an IT governance system because it helps to determine the appropriate level of risk optimization for each governance objective.14 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The high-level risk analysis is a process that involves identifying, assessing, and prioritizing the information and technology risks that an enterprise faces in relation to its governance system design. The high-level risk analysis helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. The primary benefit of conducting a high-level risk analysis during governance design is to prioritize governance and management objectives. The governance and management objectives are the statements of what an enterprise wants to achieve in terms of its information and technology governance. The governance and management objectives are derived from the enterprise goals, which are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, and strategy. By conducting a high-level risk analysis, an enterprise can identify the areas of risk that have the most impact on its enterprise goals, and therefore prioritize the governance and management objectives that address those risks. This will also help to align the governanceframework with the enterprise’s strategy and objectives12 References: 1: COBIT 2019 Design Guide: page 41-43 2: COBIT 2019 Framework: Introduction and Methodology: page 25-26

The best way to determine whether IT governance is achieving intended outcomes one year after implementation is to evaluate performance measurements identified in the business case. The business case is a document that defines the objectives, benefits, costs, risks, and success factors of IT governance implementation, and specifies the key performance indicators (KPIs) and target values that will be used to measure and monitor the outcomes. By comparing the actual performance results with the expected results, the enterprise can assess the effectiveness and efficiency of IT governance and identify any gaps or issues that need to be addressed. The way is based on the COBIT 2019 Implementation Guide1, page 32. References: 1: COBIT 2019 Implementation Guide | Digital | English

The risk profile of an enterprise is a design factor that describes how an enterprise identifies, assesses, responds to, monitors, and reports on information and technology risks. The risk profile helps to determine the level of risk appetite and tolerance that an enterprise has for its information and technology activities, as well as the level of control and assurance that is required for its governance framework. When reviewing the risk profile of an enterprise during the governance design phase, one of the prerequisites that must be established prior to conducting a high-level risk analysis is the enterprise’s risk appetite. The risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. The risk appetite provides a basis for defining the risk criteria, thresholds, indicators, and responses that will be used in the risk analysis process. The risk appetite also helps to align the governance framework with the enterprise’s strategy and objectives.

Conducting a capabilities assessment must be done before an enterprise can determine performance measures for a process improvement initiative. A capabilities assessment is a method of measuring and evaluating how well a process or activity is performed in terms of effectiveness, efficiency, completeness, reliability, etc. A capabilities assessment can be done using different models or frameworks, such as CMMI or ISO/IEC 15504. A capabilities assessment helps an enterprise to determine performance measures for a process improvement initiative by providing a baseline or benchmark for the current state of a process, as well as identifying its strengths, weaknesses, gaps, and improvement opportunities.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT Process Assessment Model (PAM): Using COBIT 5

According to the COBIT 2019 Process Assessment Model, one of the prerequisites for determining performance measures for a process improvement initiative is to perform a process risk assessment. A process risk assessment identifies and evaluates the potential threats and opportunities that may affect the achievement of process objectives. A process risk assessment also helps to prioritize improvement actions based on their impact and likelihood.4, p. 11-12 References: 4: COBIT 2019 Process Assessment Model: Using COBIT 2019

The enterprise strategy archetype is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six enterprise strategy archetypes defined in COBIT 2019: growth/acquisition; operational excellence; customer intimacy; product leadership; data-driven; innovation-driven. Each archetype has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. One of the important components for an enterprise strategy archetype of growth/acquisition is support for the portfolio management role with an investment office. Growth/acquisition is a strategy archetype that emphasizes expanding market share, revenue, customer base, or product range through organic growth or acquisition of other businesses or assets. This strategy archetype requires effective portfolio management of information and technology investments and initiatives that support business growth or acquisition objectives. Portfolio management involves selecting, prioritizing, balancing, monitoring, evaluating, and optimizing information and technology investments and initiatives based on their alignment with business strategy, value delivery potential, risk exposure, resource availability, interdependencies, etc. Portfolio management also involves ensuring that information and technology investments and initiatives are integrated with business processes, systems, structures, culture, etc., especially in case of mergers or acquisitions. Support for the portfolio management role with an investment office means providing a dedicated function or unit that assists the portfolio manager in performing portfolio management activities such as planning, analysis, decision making, reporting, etc., as well as providing guidance, tools, methods, frameworks, standards, best practices etc., for portfolio management5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 59-61