
COBIT2019 Design & Implementation Participant Guide

This document outlines the modules and content covered in a two-day COBIT 2019 Design and Implementation course. Module 1 provides an overview of the course, including its delivery format, description, target audience, certification requirements, and learning objectives. Subsequent modules cover topics related to COBIT 2019 concepts, design factors for governance systems, impact of design factors, the governance design workflow, design toolkit, implementing and optimizing governance, governance implementation lifecycle, and a course summary.

Uploaded by

zayadeen2003

COBIT Design and Implementation Course
Participant Guide
CONTENTS

Module 1: Course Overview
Course Delivery
Course Description
Target Audience
Training and Certification Scheme
Exam Requirements
Course Learning Objectives

Module 2: COBIT 2019 Basic Concepts
Topics and Objectives

Module 3: Design Factors for a Governance System
Topics and Objectives
Nameco Case Study Background
Summary

Module 4: Impact of Design Factors
Topics and Objectives

Module 5: The Governance System Design Workflow
Topics and Objectives
Steps 1 and 2: Exercise and Group Discussion
Steps 3 and 4: Exercise and Group Discussion
Summary

Module 6: The Governance Design Toolkit
Topics and Objectives
Example
Exercise

Module 7: Implementing and Optimizing I&T Governance
Topics and Learning Objectives

Module 8: Governance Implementation Lifecycle
Topics and Learning Objectives
Group Exercise
Exercise

Module 9: Key Topics Decision Matrix
Topics and Objectives
Group Discussion

Module 10: Course Summary
Course Learning Objective Review

Appendix A: COBIT Design Toolkit
Toolkit Introduction
Module 1: Course Overview
COURSE DELIVERY
This is a two-day instructor-led course.

COURSE DESCRIPTION
COBIT© 2019 is a framework for the governance and management of enterprise information and
technology that supports enterprise goal achievement.

This course is intended for more experienced users who are interested in advanced use of the framework
(i.e. designing governance systems and running governance improvement programs). This two-day
course is structured around the COBIT 2019 Design Guide and the COBIT 2019 Implementation Guide.

The prerequisite is successful completion of the COBIT 2019 Foundation exam.

TARGET AUDIENCE
Current COBIT 5 Foundation Certificate holders who are interested in a more in-depth understanding of
COBIT 2019 and/or interested in achieving the COBIT 2019 Design/Implementation Certificate.

Individuals who have successfully completed the COBIT 2019 Foundation exam.

TRAINING AND CERTIFICATION SCHEME

As shown on there are three different paths:


1. The first path is the 2019 Bridge Course which is intended to transition current COBIT 5
accredited training organizations and trainers or COBIT 5 certificate holders seeking to
understand the key differences between COBIT 2019 and COBIT 5.
2. The second path, the 2019 COBIT Foundation course and exam, is intended for those new to COBIT
or those who wish to gain a deeper understanding of the COBIT 2019 Framework and/or prepare
for the COBIT 2019 Foundation exam.
3. The third path is the COBIT 2019 Design and Implementation course, which is designed to help
learners understand how to design and implement a governance system using COBIT 2019.
Prior to taking the COBIT 2019 Design and Implementation certificate exam, candidates must first
successfully pass the COBIT 2019 Foundation course.
EXAM REQUIREMENTS
Passing grade is 60% or 36 points.

COURSE LEARNING OBJECTIVES


Upon completion of this course you will be able to:
1. Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.
2. Describe the benefits of the COBIT 2019 Design Guide for its target audience.
3. Describe the current design factors in COBIT 2019.
4. Apply the design factor concept to identify relevant values.
5. Describe the impact design factors can have on the design of a governance system.
6. Describe the design workflow of a governance system.
7. Use the steps in the design workflow for governance systems.
8. Apply the design workflow to a concrete situation in order to obtain a governance system design.
9. Describe and use the design guide toolkit in a concrete situation.
10. Use the mapping tables between design factors and governance/management objectives
pragmatically.
11. Describe purpose and scope of the COBIT 2019 Implementation Guide.
12. Apply the implementation methodology and approach for a governance implementation program.
13. Combine the concepts from both the COBIT 2019 Implementation Guide and the COBIT 2019 Design
Guide together efficiently.
14. Apply the objectives, descriptions and tasks of the seven implementation phases in concrete
situations.
15. Apply the challenges, root causes and critical success factors of the seven implementation phases to
concrete situations.
16. Apply the key decision topics and related responsibilities for governance implementation to concrete
situations.
Module 2: COBIT 2019 Basic Concepts
In this module, we will discuss (insert summary here)

TOPICS AND OBJECTIVES


Topics:
• COBIT 2019 Architecture and Products
• Governance & Management Objectives
• Components of the Governance System
• Design Factors
• Focus Areas
• Performance Management
Learning Objectives:
1. Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.

Module 2 will comprise approximately N% of the Design and Implementation Exam questions.

Module 3: Design Factors for a Governance System
In this module, we will discuss (insert summary here)

TOPICS AND OBJECTIVES


Topics:
• Definition and Overview
• Enterprise Strategy
• Enterprise Goals
• Risk Profile
• I&T Related Issues
• Threat Landscape
• Compliance Requirements
• Role of IT
• Sourcing Model for IT
• Implementation Methods
• Technology Adoption
• Enterprise Size
• Industry Dimension
• Case Study Exercise
Learning Objectives:
1. Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.
2. Describe the benefits of the COBIT 2019 Design Guide for its target audience.
3. Describe the current design factors in COBIT 2019.
4. Apply the design factor concept to identify relevant values.

Module 3 will comprise approximately N% of the Design and Implementation Exam questions.
COBIT 2019 Design & Implementation Course
Facilitator Guide

NAMECO CASE STUDY BACKGROUND


NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for-profit
organization that strives to aggressively grow revenues while providing a stable client base. NAMECO is
considered one of the top five MSPs in the industry and operates in a high threat environment with
multiple competitors who are constantly attempting to challenge their position in the market.

With over 400 clients and 15,000 end users, each one has a very unique set of compliance requirements:
1. 30% of their clients are publicly traded entities.
2. 7% are health care related.
3. 87% process credit cards.
4. 6% have private information regarding EU citizens.

The enterprise risk management group has identified multiple risk scenarios that have the potential of
inhibiting the aggressive growth goals identified by the governing body. These include:
1. Recruiting and maintaining qualified and skilled staff.
2. The threat of competitors.
3. Complex compliance requirements from multiple requirements (NAMECO has private information
from users across the globe, including EU citizens).
4. The unknown risks of vendors who provide critical services to NAMECO.

The IT organization also supports the company’s staff of 300 FTEs and is currently considered a
“necessity” which has caused some issues. Due to the nature of its business, NAMECO cannot continue
with its strategy unless IT is seen as a key success factor. Most of the services provided by IT are a mix
of insourced, cloud, and outsourced services and IT generally adopts new technologies once they have
been proven in the market. Although the organization is primarily a waterfall model for delivery, there are
two full-time agile teams that support the core applications of the business. This model has worked up to
this point, but there are pressures from the business to deploy services faster.

With the aggressive growth of the company, the IT organization has experienced multiple issues that
have resulted in unsatisfactory client reviews. The key concerns include:
1. Failure to meet Service Level Agreements (many of these failures are due to suppliers).
2. Multiple audit findings of non-compliance of data privacy.
3. Insufficient IT resources/knowledge required to support the goals of the enterprise.

Other key observations include:


1. There are no documented or well-understood decision matrices in the organization.
2. Policies exist, but have not been updated in the last 3 years.
3. The leadership of the organization endorse a ‘risk taking’ culture, but do not support risky
decisions that fail.
4. No skills matrix exists that identifies the skills and competencies required to support IT services.
5. An IT service catalog exists, but is not acknowledged or followed.
6. There is no formal recognition of IT processes; they are ad hoc and not well documented.
7. There is no real understanding of the data/information architectures or flows and there is an
absence of information classification.

Exercise
Using information from the NAMECO scenario, identify which design factors are relevant and why.

Enterprise Strategy

| Options | Applicable to the scenario? |
|---|---|
| Growth/Acquisition | |
| Innovation/Differentiation | |
| Cost leadership | |
| Client service/Stability | |

Enterprise Goals

| Options | Applicable to the scenario? |
|---|---|
| EG01—Portfolio of competitive products and services | |
| EG02—Managed business risk | |
| EG03—Compliance with external laws and regulations | |
| EG04—Quality of financial information | |
| EG05—Customer-oriented service culture | |
| EG06—Business-service continuity and availability | |
| EG07—Quality of management information | |
| EG08—Optimization of internal business process functionality | |
| EG09—Optimization of business process costs | |
| EG10—Staff skills, motivation and productivity | |
| EG11—Compliance with internal policies | |
| EG12—Managed digital transformation programs | |
| EG13—Product and business innovation | |

Risk Profile

| Options | Applicable to the scenario? |
|---|---|
| IT investment decision making, portfolio definition & maintenance | |
| Program & projects life cycle management | |
| IT cost & oversight | |
| IT expertise, skills & behavior | |
| Enterprise/IT architecture | |
| IT operational infrastructure incidents | |
| Unauthorized actions | |
| Software adoption/usage problems | |
| Hardware incidents | |
| Software failures | |
| Logical attacks (hacking, malware, etc.) | |
| Third-party/supplier incidents | |
| Noncompliance | |
| Geopolitical Issues | |
| Industrial action | |
| Acts of nature | |
| Technology-based innovation | |
| Environmental | |
| Data & information management | |

I&T Related Issues

| Options | Applicable to the Scenario? |
|---|---|
| Frustration between different IT entities across the organization because of a perception of low contribution to business value | |
| Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value | |
| Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT | |
| Service delivery problems by the IT outsourcer(s) | |
| Failures to meet IT-related regulatory or contractual requirements | |
| Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems | |
| Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets | |
| Duplications or overlaps between various initiatives, or other forms of wasted resources | |
| Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction | |
| IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget | |
| Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT | |
| Complex IT operating model and/or unclear decision mechanisms for IT-related decisions | |
| Excessively high cost of IT | |
| Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems | |
| Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages | |
| Regular issues with data quality and integration of data across various sources | |
| High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation | |
| Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services) | |
| Ignorance of and/or noncompliance with privacy regulations | |
| Inability to exploit new technologies or innovate using I&T | |

Threat Landscape

| Options | Applicable to the Scenario? |
|---|---|
| High | |
| Normal | |

Compliance Requirements

| Options | Applicable to the Scenario? |
|---|---|
| High | |
| Normal | |
| Low | |

Role of IT

| Options | Applicable to the Scenario? |
|---|---|
| Support | |
| Factory | |
| Turnaround | |
| Strategic | |

Sourcing Model for IT

| Options | Applicable to the Scenario? |
|---|---|
| Outsourcing | |
| Cloud | |
| Insourced | |

Implementation Methods

| Options | Applicable to the Scenario? |
|---|---|
| Agile | |
| DevOps | |
| Traditional | |

Adoption Strategy

| Options | Applicable to the Scenario? |
|---|---|
| First Mover | |
| Follower | |
| Slow Adopter | |

SUMMARY
Topics:
• Definition and overview
• Enterprise strategy
• Enterprise goals
• Risk profile
• I&T related issues
• Threat landscape
• Compliance requirements
• Role of IT
• Sourcing model for IT
• Implementation methods
• Technology adoption
• Enterprise size
• Industry dimension

Module 3 will comprise approximately N% of the Design and Implementation Exam questions.

Module 4: Impact of Design Factors


In this module, we will be discussing (insert summary here)

TOPICS AND OBJECTIVES


Topics:
• Introduction
• Management Objective Selection
• Component Variations
• Specific Focus Areas
Learning Objectives:
5. Describe the impact design factors can have on the design of a governance system.

Module 4 will comprise approximately N% of the Design and Implementation Exam questions.

Module 5: The Governance System Design Workflow
In this module, we will discuss (insert summary here)

TOPICS AND OBJECTIVES


Topics:
• Introduction
• Step 1: Understand Enterprise Context and Strategy
• Step 2: Determine Initial Scope
• Step 3: Refine the Scope
• Step 4: Resolve Conflicts and Conclude
• Translating Design Factors into Governance/Management Objectives for Each Step
• Exercises
Learning Objectives:
6. Describe the design workflow of a governance system.
7. Use the steps in the design workflow for governance systems.
8. Apply the design workflow to a concrete situation in order to obtain a governance system design.

Module 5 will comprise approximately N% of the Design and Implementation Exam questions.

STEPS 1 AND 2: EXERCISE AND GROUP DISCUSSION

Exercise: NAMECO Scenario


NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for-profit
organization that strives to aggressively grow revenues while providing a stable client base. NAMECO is
considered one of the top five MSPs in the industry and operates in a high threat environment with
multiple competitors who are constantly attempting to challenge their position in the market.

With over 400 clients and 15,000 end users, each one has a very unique set of compliance requirements:
1. 30% of their clients are publicly traded entities.
2. 7% are health care related.
3. 87% process credit cards.
4. 6% have private information regarding EU citizens.

The enterprise risk management group has identified multiple risk scenarios that have the potential of
inhibiting the aggressive growth goals identified by the governing body. These include:
1. Recruiting and maintaining qualified and skilled staff.
2. The threat of competitors.
3. Complex compliance requirements from multiple requirements (NAMECO has private information
from users across the globe, including EU citizens).
4. The unknown risks of vendors who provide critical services to NAMECO.

The IT organization also supports the company’s staff of 300 FTEs and is currently considered a
“necessity” which has caused some issues. Due to the nature of its business, NAMECO cannot continue
with its strategy unless IT is seen as a key success factor. Most of the services provided by IT are a mix
of insourced, cloud, and outsourced services and IT generally adopts new technologies once they have
been proven in the market. Although the organization is primarily a waterfall model for delivery, there are
two full-time agile teams that support the core applications of the business. This model has worked up to
this point, but there are pressures from the business to deploy services faster.

With the aggressive growth of the company, the IT organization has experienced multiple issues that
have resulted in unsatisfactory client reviews. The key concerns include:
1. Failure to meet Service Level Agreements (many of these failures are due to suppliers).
2. Multiple audit findings of non-compliance of data privacy.
3. Insufficient IT resources/knowledge required to support the goals of the enterprise.

Other key observations include:


1. There are no documented or well-understood decision matrices in the organization.
2. Policies exist, but have not been updated in the last 3 years.
3. The leadership of the organization endorse a ‘risk taking’ culture, but do not support risky
decisions that fail.
4. No skills matrix exists that identifies the skills and competencies required to support IT services.
5. An IT service catalog exists, but is not acknowledged or followed.
6. There is no formal recognition of IT processes; they are ad hoc and not well documented.
7. There is no real understanding of the data/information architectures or flows and there is an
absence of information classification.

Note: You will refer to this business case throughout the exercises in this workshop.

Group Exercise
Using information from the NAMECO scenario in this guide and the additional information in the following
text, identify which design factors are relevant and why.

The NAMECO board of directors has recognized that EGIT is a critical success factor to the success of
the company and has directed that management create a tailored governance system to support and
enable the company’s aggressive goals. The board recognizes its accountability over EGIT, and has
initiated a program to adopt industry consistent governance practices and has chartered a team to
determine the initial scope of a tailored governance system using COBIT. Information has been provided
with appropriate priorities on the following slides.

Note: the results created from this exercise will be used in an upcoming exercise where data and
information will be inputted into the design tool.

Exercise – Enterprise Strategy Guidance


Enterprise Strategy Priorities
1. Continue to aggressively grow market share.
• NAMECO is in a favorable cash position and is willing to invest in governance initiatives to
increase revenues.
• Through the digital transformation initiative, increase new and innovative products and
services to clients that enhance user experiences.
2. Maintain the current client base by providing stable and exceptional client-oriented services.

Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Exercise – Enterprise Goals Guidance


Refer to the chart to view the enterprise goals priorities.
| Priority | Reference | Balanced Scorecard Dimension | Enterprise Goal |
|---|---|---|---|
| HIGH | EG01 | Financial | Portfolio of competitive products and services |
| HIGH | EG02 | Financial | Managed business risk |
| HIGH | EG03 | Financial | Compliance with external laws and regulations |
| MEDIUM | EG04 | Financial | Quality of financial information |
| HIGH | EG05 | Customer | Customer-oriented service culture |
| LOW | EG06 | Customer | Business-service continuity and availability |
| LOW | EG07 | Customer | Quality of management information |
| MEDIUM | EG08 | Internal | Optimization of internal business process functionality |
| LOW | EG09 | Internal | Optimization of business process costs |
| HIGH | EG10 | Internal | Staff skills, motivation and productivity |
| LOW | EG11 | Internal | Compliance with internal policies |
| HIGH | EG12 | Growth | Managed digital transformation programs |
| HIGH | EG13 | Growth | Product and business innovation |

Based on this information, what are the applicable governance and management objectives?

Hint: To translate enterprise goals into a relative rating of importance of governance and management
objectives (see the goals cascade, Section 4.3.3), one should make clear choices when selecting
enterprise strategy archetypes.
It is recommended to identify only a few primary enterprise goals and a limited number of secondary
enterprise goals.

Exercise – Risk Profile Guidance


Risk scenario priorities in order of ranking
1. IT-investment decision making, portfolio definition and maintenance
2. IT expertise, skills and behavior
3. Technology-based innovation
4. Noncompliance
5. Third-party/supplier incidents
6. Enterprise/IT architecture
7. Data and information management
8. Program and projects lifecycle management
9. Logical attacks (hacking, malware)
10. IT operational infrastructure incidents
11. Unauthorized actions
12. Software adoption/usage strategies
13. Software failures
14. Hardware incidents
15. Acts of nature
16. IT cost and oversight
17. Industrial actions
18. Environmental
19. Geopolitical issues

Based on this information, what are the applicable governance and management objectives?

Hint: Appendix D contains a mapping between the 19 IT risk categories and the governance and
management objectives, expressing the extent to which each governance and management objective can
be considered as a control for each risk scenario.

Exercise – I&T Related Issues Guidance


Top identified I&T related issues in order of criticality
1. Frustration between different IT entities across the organization because of a perception of low
contribution to business value.
2. Inability to exploit new technologies or to innovate using I&T.
3. Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction.
4. Service delivery problems by the IT outsourcer(s).
5. Failures to meet IT-related regulatory or contractual requirements.
6. Regular audit findings or other assessment reports about poor IT performance or reported IT
quality or service problems.
7. Ignorance of and/or noncompliance with security and privacy regulations.

Based on this information, what are the applicable governance and management objectives?

Hint: Appendix E contains a mapping table between I&T issues and governance and management
objectives. As Appendix E shows, each I&T-related issue is associated to one or more governance or
management objective that can influence the I&T-related issue.

Exercise – Determine the Initial Scope of the Governance System


Determine the initial scope of the governance system. The inputs derived from enterprise strategy,
enterprise goals, risk profile and I&T-related issues are translated into a set of prioritized governance
components to yield the initial tailored governance system for the enterprise.

Based on this information, what are the applicable governance and management objectives?

Note: At this point no prioritization is required. This will be completed once we cover the toolkit in the next
module.

STEPS 3 AND 4: EXERCISE AND GROUP DISCUSSION

Group Exercise
Using information from the NAMECO scenario in this guide and additional information on the following
pages, identify which design factors are relevant and why. Following the initial scope of the governance
system, the board and executive management have unanimously agreed with the results and have
directed the team to refine the scope and conclude the design.

Note: the results created from this exercise will be used in an upcoming exercise where data and
information will be inputted into the design tool.

Exercise – Threat Landscape Guidance


Threat Landscape Results
Although the key stakeholders often disagree on the threat landscape, the board of directors has
determined that the threat landscape is a normal and expected environment in this industry.

Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Hint: See Figure 4.3—Governance and Management Objectives Priority Mapped to Threat Landscape
Design Factor and the appropriate slide in this presentation.

Exercise – Compliance Requirements Guidance


Compliance requirements results

With over 400 clients and 15,000 end users, each one has a very unique set of compliance requirements:
1. 30% of their clients are publicly traded entities
2. 7% are health care related
3. 87% process credit cards
4. 6% have private information regarding EU citizens

Considering the multitude of compliance requirements across all customers, determine the regulatory
environment: Low, Normal or High.

Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Hint: See Figure 4.4—Governance and Management Objectives Priority Mapped to Compliance
Requirements Design Factor and the appropriate slide in this presentation.

Exercise – Role of IT Guidance


Role of IT results

The IT organization also supports the company’s staff of 300 FTEs and is currently considered a
“necessity” which has caused some issues. Due to the nature of its business, NAMECO cannot continue
with its strategy unless IT is seen as a key success factor. Considering the current role of IT, determine if
the organization is in a support, factory, turnaround or strategic role.

Hint: See Figure 4.5—Governance and Management Objectives Priority Mapped to Role of IT Design
Factor and the appropriate slide in this presentation.
Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Exercise – Sourcing Model for IT Guidance


Sourcing model for IT results
Most of the services provided by IT are a mix of insourced, cloud, and outsourced services. Core services
are developed and managed internally, while non-core services are deployed through cloud service
providers. There are some business processes that are completely outsourced.

Considering the current sourcing model for IT, determine if the organization is in an outsourcing, cloud,
insourced or hybrid model.
Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Hint: See Figure 4.6—Governance and Management Objectives Priority Mapped to Sourcing Model for IT
Design Factor and the appropriate slide in this presentation.

Exercise – IT Implementation Methods Guidance


IT implementation methods results
The organization primarily uses a waterfall model for delivery; there are two full-time agile teams that
support the core applications of the business. This model has worked up to this point, but there are
pressures from the business to deploy services faster. Considering the current implementation methods for
IT, determine if the organization uses an agile, DevOps, traditional or hybrid approach.

Based on this information, what are the applicable governance and management objectives?

Based on this information, what are the applicable components?

Hint: See Figure 4.7—Governance and Management Objectives Priority Mapped to IT Implementation
Methods Design Factor and the appropriate slide in this presentation.

Exercise – Refine the Scope of the Governance System and Conclude the Governance System Design
At the end of Step 3, the enterprise will have identified a series of potential refinements for the initial
governance system and put them all on the canvas for consolidation during Step 4 of the design
workflow. The previous exercise steps should be done in conjunction with the Design Guide tool.
The information in this exercise will be a basis for using the Design Guide tool in the next module.

The conclusion of this phase must result in one design for the governance system for enterprise I&T.
This includes prioritized governance and management objectives, target capability levels, governance
components requiring attention and focus area guidance.

SUMMARY
Topics:
• Introduction
• Step 1: Understand enterprise context and strategy
• Step 2: Determine initial scope
• Step 3: Refine the scope
• Step 4: Resolve conflicts and conclude
• Translating design factors into governance/management objectives (for each step)
• Exercises
Module 5 will comprise approximately N% of the Design and Implementation Exam questions.

Module 6: The Governance Design Toolkit


In this module, we will discuss (insert summary here)

TOPICS AND OBJECTIVES


Topics:
• Toolkit Introduction
• Example
• Exercise
Learning Objectives:
9. Describe and use the design guide toolkit in a concrete situation.
10. Use the mapping tables between design factors and governance/management objectives
pragmatically.

Module 6 will comprise approximately N% of the Design and Implementation Exam questions.

EXAMPLE
Refer to COBIT Design Guide chapter 7 which starts on page 67.
The course instructor will select an example from this chapter and input the example data into the Design
Toolkit. Use student input to fill in the appropriate fields in the toolkit. Instructors may choose to do one or
more of the examples or use one of their own.

See Appendix A for a brief explanation of each tab in the Design Toolkit.

EXERCISE
Using information from the NAMECO scenario and information from the previous exercises regarding the
design factors, input the appropriate data into the design tool to determine a tailored governance system.
• Assign one individual from your team to input the appropriate design factor data into the tool.
• Some assumptions may have to be made by the team in order to agree on the appropriate inputs.
• Be prepared to discuss your results and impressions.

Module 7: Implementing and Optimizing I&T Governance

In this module, we will discuss (insert summary here)

TOPICS AND LEARNING OBJECTIVES


Topics:
• COBIT 2019 Implementation Guide
• Positioning I&T Governance
• Creating the Appropriate Environment
• Governance Implementation Roadmap
• Trigger Events for Governance Improvement
• Stakeholder Stakes and Roles
Learning Objectives:
11. Describe purpose and scope of the COBIT 2019 Implementation Guide.
12. Apply the implementation methodology and approach for a governance implementation program.
13. Combine the concepts from both the COBIT 2019 Implementation Guide and the COBIT 2019
Design Guide together efficiently.

Module 7 will comprise approximately N% of the Design and Implementation Exam questions.

Module 8: Governance Implementation Lifecycle

In this module we will discuss implementing enterprise governance over IT.
NOTE: You may recognize a few of these concepts from COBIT 5.

TOPICS AND LEARNING OBJECTIVES


Topics:
• Phase 1: What Are the Drivers?
• Phase 2: Where Are We Now?
• Phase 3: Where Do We Want to Be?
• Phase 4: What Needs to Be Done?
• Phase 5: How Do We Get There?
• Phase 6: Did We Get There?
• Phase 7: How Do We Keep the Momentum Going?
• Exercise
Learning Objectives:
14. Apply the objectives, descriptions and tasks of the seven implementation phases in concrete
situations.
15. Apply the challenges, root causes and critical success factors of the seven implementation phases to
concrete situations.

Module 8 will comprise approximately N% of the Design and Implementation Exam questions.

GROUP EXERCISE

Group Exercise Background


Note: the results created from this exercise will be used in an upcoming exercise where data and
information will be inputted into the design tool.

Your previous efforts at designing a tailored governance system were presented to the NAMECO
executive steering committee and received extremely positive feedback.

The steering committee has asked your team to create a formal implementation program that uses the
information from the previous exercises. The committee has also directed that the COBIT publications be
used as guides to conduct the implementation.

At this point, you have been asked to provide your input related to the first three steps of the
implementation lifecycle.

Group Exercise Assignment


The purpose of this exercise is to use information from previous exercises and your assumptions from the
case study to understand how to use the Implementation and Design Guides to create an implementation
program.

Complete the following pages with your team’s findings from the first three steps focusing on CI tasks
only. For any areas that were not determined earlier, your team should determine the appropriate
responses based on your assumptions and the various tasks required. Use the following information to
complete this exercise:
• Information from the NAMECO company background
• Results from previous exercises
• Implementation Guide
• Design Guide (focusing on figure 5.2)

Exercise Phase 1 – What Are the Drivers?


Phase 1 of the Implementation Guide includes 7 CI tasks and aligns with Step 1 in the Design Guide.
Using the mapping in Figure 5.2 and the results of the previous design exercises, document the drivers
that have been identified to this point. If more space is needed, groups can use additional paper.

Implementation Guide (CI tasks) | Your team’s results from previous exercises or assumptions

1.1 Understand enterprise strategy.

1.2 Understand enterprise goals.

1.3 Understand risk profile.

1.4 Understand current I&T-related issues.

Hint: use figure 5.2 from the Design Guide as a reference



Exercise Phase 2 – Where Are We Now?


During Phase 2, NAMECO created a program with the charter of designing and implementing the
tailored governance system. The charter identifies the following artifacts. Which of these would be
applicable to this phase and how? If more space is needed, groups can use additional paper.

Artifacts | Input | Output | Not applicable to this phase

Outline business case

IT process descriptions, policies, standards, procedures, technical specifications

Implemented improvements

Current performance levels of selected governance and management objectives

Agreed alignment goals and impact

Project definitions, plans, change strategy and response plans

Evaluated outline business case



Exercise Phase 3 – Where Do We Want to Be?


At the conclusion of the previous phase, a list of governance and management objectives was
determined, and the objectives were assigned current capability levels based on the design tool inputs.
What would be reasonable target capability levels for these chosen objectives? If more space is needed,
groups can use additional paper.

Objective | Current Capability | Desired Capability | Reason/Rationale

2

APO02—Managed Strategy

APO04—Managed Innovation

APO08—Managed Relationships

APO12—Managed Risk

Exercise Phase 3 – Where Do We Want to Be? (continued)

Objective | Current Capability | Desired Capability | Reason/Rationale

1

APO13—Managed Security

DSS05—Managed Security Services

MEA03—Managed Compliance with External Requirements

MEA04—Managed Assurance

Exercise Phase 3 – Where Do We Want to Be? (continued)

What other governance or management objectives that your team feels are significant should be
included?

EXERCISE

Group Exercise Background


Following your completion of the first three steps of the implementation lifecycle, you presented a
summary of the results to the steering committee.

Based on the results of this meeting your team has approved funding to move forward with the remaining
steps of the cycle, with the intent of doing this on a regular basis to continually implement governance of
enterprise I&T.

Note: the results created from this exercise will be used in an upcoming exercise where data and
information will be inputted into the design tool.

Group Exercise Assignment


The purpose of this exercise is to use information from previous exercises and your assumptions from the
case study to understand how to complete a cycle of the implementation lifecycle.

Complete the following pages with your team’s findings for the last four steps focusing on CI tasks only.

Your team should determine the appropriate responses based on your assumptions and the various tasks
required.

Use the following information to complete this exercise:


• Information from the NAMECO company background
• Results from previous exercises
• Information from training slides
• Implementation Guide
• Design Guide

Exercise Phase 4 – What Needs to be Done?


Phase 4 CI Tasks
1. Consider potential benefit and ease of implementation for each improvement.
2. Plot improvements onto an opportunity grid to identify priority actions (based on benefit and ease of
implementation).
3. Focus on alternatives showing high benefit/high ease of implementation.
4. Consider alternatives showing high benefit/low ease of implementation for possible scaled-down
improvements. Decompose them into smaller improvements and look again at benefits and ease of
implementation.
If more space is needed, groups can use additional paper.

Exercise Phase 5 – How Do We Get There?


It appears that, due to the haste with which the organization embarked on this effort, two
challenges have emerged that are impeding your progress:
• Trying to do too much at once; tackling overly complex, overly difficult or simply too many problems
• Lack of required skills and competencies, such as understanding governance, management, business,
processes, soft skills

The steering committee has asked your team to research this issue and provide them information on the
potential root causes. More importantly, they have asked you for your suggested actions to help with this.
If more space is needed, groups can use additional paper.
Hint: use figure 5.2 from the Design Guide as a reference

Exercise Phase 6 – Did We Get There?


In the RACI chart for phase 6, the CIO is accountable for monitoring the performance of this initiative. The
CIO is concerned that the team is using the appropriate metrics and has asked your team to provide a list
of metrics that you feel are the most applicable and valuable to the initiative.
The CIO also indicates that in her report to the I&T Governance Board, she will be using the management
objective “BAI01 Managed Programs” as a basis for her metrics, since the initiative is being handled as a
funded program. Using the available resources from COBIT, what are some of the metrics you would use
and why? If more space is needed, groups can use additional paper.

Suggested Metrics:
Metrics that support enterprise goals
EG12 Managed digital transformation programs was identified as an important enterprise
goal for NAMECO, therefore, the following metrics could be most applicable:

Exercise Phase 7 – How Do We Keep the Momentum Going?


The first iteration of the implementation lifecycle is complete, and your program has entered the last
phase. The I&T governance board has asked for help regarding the roles in this phase in order to
continue the momentum. They have asked who would be responsible for the following? If more space is
needed, groups can use additional paper.

Phase 7 Activities | Role

Creating new or updating governance objectives for future iterations of the implementation cycle.

Confirming that the initiative is conformant with NAMECO’s objectives and requirements.

Identification of lessons learned and sharing of those lessons.

Provide support and commitment by continuing to work positively with IT to improve EGIT and make it
business as usual.

Measure and report actual results against originally established project measures.

Continue to set the tone at the top, develop organizational structures, and encourage a culture of good
governance and accountability for I&T among business and IT executives.

Module 9: Key Topics Decision Matrix


TOPICS AND OBJECTIVES
In this module, we will discuss (insert summary here)
Topics:
• Decision Matrix
• Group Discussion
Learning Objectives:
16. Apply the key decision topics and related responsibilities for governance implementation to concrete
situations.

Module 7 will comprise approximately N% of the Design and Implementation Exam questions.

GROUP DISCUSSION
Group discussion on the completeness of the governance decision topics.
Group discussion on the assignment of responsibilities for decision topics.
Group discussion on comparison with candidate’s own experience and organizations.

Module 10: Course Summary


COURSE LEARNING OBJECTIVE REVIEW
Here is a summary of what we have learned:
1. Describe the key concepts of COBIT 2019 as taught in the COBIT Foundation course.
2. Describe the benefits of the COBIT 2019 Design Guide for its target audience.
3. Describe the current design factors in COBIT 2019.
4. Apply the design factor concept to identify relevant values.
5. Describe the impact design factors can have on the design of a governance system.
6. Describe the design workflow of a governance system.
7. Use the steps in the design workflow for governance systems.
8. Apply the design workflow to a concrete situation in order to obtain a governance system design.
9. Describe and use the design guide toolkit in a concrete situation.
10. Use the mapping tables between design factors and governance/management objectives
pragmatically.
11. Describe purpose and scope of the COBIT 2019 Implementation Guide.
12. Apply the implementation methodology and approach for a governance implementation program.
13. Combine the process from both the COBIT 2019 Implementation Guide and the COBIT 2019
Design Guide to use in concrete situations.
14. Apply the objectives, descriptions and tasks of the seven implementation phases in concrete
situations.
15. Apply the challenges, root causes and critical success factors of the seven implementation phases to
concrete situations.
16. Apply the key decision topics and related responsibilities for governance implementation to concrete
situations.

Appendix A: COBIT Design Toolkit


TOOLKIT INTRODUCTION
The COBIT Design Guide companion toolkit is an Excel®
spreadsheet-based tool that facilitates the application of the
governance system design workflow explained in Module 5.
This module offers a basic understanding of the toolkit and an
understanding of how the results are generated.

The toolkit as downloaded shows the values illustrated in this module.
To use the tool, change the values to fit the enterprise context.
A governance or management objective always relates to one
process and a series of related components of other types to
help achieve the objective.

Toolkit Basics

Introductions and instructions tab: This tab provides basic information about how to use the toolkit.

Canvas tab: This tab consolidates all results of the governance system design workflow.

Design factor tabs: There is one tab for each design factor, where:
• Values can be entered and graphically represented.
• Priority scores for governance and management objectives are calculated
and presented in table format and graphically in two diagrams.

Summary tabs: There are two summary tabs:
• One after Step 2 and another after Step 3 of the governance system design workflow
• These graphically represent the outcomes of each completed step

Mapping Tables: Mapping tables for design factors have input values used by other tabs
(these tables are hidden to increase the readability of the spreadsheet).

Mapping Tables Output


Mapping tables (with the exception of Design Factor 2 Enterprise goals) contain values between zero (0)
and four (4), indicating the relevance of each governance/management objective for each respective
value of the design factor, risk scenario or I&T-related issue.
• A value of 4 means maximal relevance, while a value of 0 means no relevance.
• Values reflect averages that were established by an expert panel. The values cannot, and do not,
model every given individual situation, and should therefore be used with caution. They can, however,
give good, representative indications, and can be considered as directional guidance.

The mapping table for Design Factor 2 Enterprise goals is slightly different, in that it contains two
mapping tables. One table maps from enterprise goals to alignment goals, and the other table maps from
alignment goals to governance and management objectives (see Appendices B and C).
