Every organization recognizes the importance of functional mechanisms for business risk management, a good cyber security posture, well-defined roles and responsibilities, and decision-making structures with measurement frameworks and accurate reports to support the application of digital technology.
It’s all part of governance of I&T, which is a recognized necessity. Despite this, many organizations struggle to achieve the right level of maturity, and it’s certainly not for lack of trying. Often, the governance of IT in organizations is characterized as something that requires significant improvement, if not a complete revamp. There could be several reasons for this, but from my perspective the major one lies at its core: governance frameworks are not properly designed from the outset, as simple as that. Many governance frameworks are either grown in some “organic” way by adding pieces that often don’t fit together, designed to respond only to external audit requirements, or designed following the “cookie-cutter” approach. The truth is that none of the above, and specifically not the “cookie-cutter” approach, will work. A deliberate, consistent design approach needs to be applied, and various design factors need to be considered while implementing or improving governance of IT. As a Governance of IT professional and a CGEIT practitioner with over 10 years of experience, I was very pleased to finally have robust guidance in my toolkit on how to design the governance of IT, with a framework from the COBIT 2019 body of knowledge. There are many things that we need to consider, such as the size of the organization, whether it’s small or large; the role IT plays in it; the threat landscape as it applies to it; whether the organization outsources its IT functions; the enterprise strategy; etc. Read below a very complete overview from Abdul Rafeq, CISA, CGEIT, FCA, regarding the COBIT 2019 design guide, its design factors, and how to use them.