Designing a Governance System with COBIT 2019: Tailoring Frameworks for Real-World Enterprises

Nov 3
No two enterprises are alike: each has its own goals, constraints, and regulatory pressures, which makes a one-size-fits-all governance framework impractical. COBIT 2019 addresses this through its Design Guide, which treats governance as something to be designed for a specific enterprise rather than adopted wholesale: a governance system tailored to enterprise needs.

This article explores how organizations can use COBIT 2019 to build a customized governance system that aligns business strategy with technology goals while ensuring control, performance, and value delivery.

1. The Need for Tailored Governance

Traditional IT governance models often fail because they are either too generic or too rigid. COBIT 2019 recognizes that governance should reflect an enterprise’s unique context, priorities, and risk appetite.
A small fintech startup, a national bank, and a government ministry cannot be governed using the same structure. Each has different objectives, compliance demands, and levels of digital maturity.
The COBIT 2019 Design Guide (Designing an Information and Technology Governance Solution) provides a structured approach for tailoring governance to these variations, so the same framework stays relevant across enterprise types.

2. Understanding the COBIT 2019 Design Factors
COBIT 2019 introduces 11 design factors that influence how an organization should design its governance system. These factors help determine which governance and management objectives are most critical for the enterprise.
The 11 design factors are:

1. Enterprise Strategy – COBIT distinguishes four archetypes (growth/acquisition, innovation/differentiation, cost leadership, client service/stability), each of which shifts IT priorities.
2. Enterprise Goals – The organization’s strategic outcomes, expressed through COBIT’s goals cascade (enterprise goals map to alignment goals, which map to governance and management objectives).
3. Risk Profile – The I&T risk categories the enterprise is exposed to, and its appetite for them (e.g., cybersecurity, compliance, operational risk).
4. I&T-Related Issues – Current IT pain points such as shadow IT, legacy systems, or skill shortages.
5. Threat Landscape – Whether the enterprise operates in a normal or a high-threat environment (e.g., a likely target for sophisticated attackers, or an industry under active disruption).
6. Compliance Requirements – Applicable laws, standards, and regulators (e.g., NCA, SAMA, GDPR).
7. Role of IT – One of COBIT’s four archetypes: support, factory, turnaround, or strategic.
8. Sourcing Model for IT – Insourced, outsourced, cloud, or hybrid service delivery.
9. IT Implementation Methods – Agile, DevOps, traditional (waterfall), or hybrid approaches.
10. Technology Adoption Strategy – First mover, follower, or slow adopter.
11. Enterprise Size – Scale affects governance complexity, reporting lines, and oversight needs.

By evaluating these design factors, an enterprise can prioritize governance components that truly matter and avoid wasting effort on irrelevant controls.

3. Steps to Design a Governance System Using COBIT 2019

The Design Guide structures the work as a four-phase workflow (understand the enterprise context and strategy; determine the initial scope of the governance system; refine the scope; conclude the design). For this article, the same process can be visualized in five major steps:

Step 1: Understand the Enterprise Context
Start by mapping business strategy, pain points, and regulatory drivers. Interview key executives to clarify expectations from IT. This ensures alignment between governance goals and business direction.
Step 2: Identify and Analyze Design Factors
Collect data for each of the 11 design factors. For example, a financial institution with high compliance obligations and a moderate risk appetite will focus on strong control mechanisms, while a startup emphasizing innovation will prioritize agility and speed.
Step 3: Select Relevant Governance and Management Objectives
COBIT 2019 defines 40 governance and management objectives across five domains: EDM (Evaluate, Direct and Monitor), APO (Align, Plan and Organize), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support), and MEA (Monitor, Evaluate and Assess). Use the design factors to select those most relevant to your enterprise. For example:
• EDM03 – Ensured Risk Optimization, for high-risk environments
• BAI02 – Managed Requirements Definition, for digital transformation programs
• MEA03 – Managed Compliance With External Requirements, for regulated sectors
Step 4: Determine Governance System Components
Each selected objective is realized through seven types of governance components:
1. Processes
2. Organizational structures
3. Principles, policies, and frameworks
4. Information
5. Culture, ethics, and behavior
6. People, skills, and competencies
7. Services, infrastructure, and applications
Tailoring involves choosing or designing these components to fit the enterprise’s needs and resources.

Step 5: Build the Governance System Blueprint
Combine the prioritized objectives and tailored components into a coherent system — your governance blueprint. This blueprint defines roles, reporting, policies, and metrics that guide IT decisions and performance management.
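The mechanism behind Steps 2 and 3 is a weighted scoring: each design factor is rated, each rating pulls a set of objectives into scope with some weight, and objectives whose score rises well above a neutral baseline become the initial priorities. The following Python block is an added illustration of that mechanism and is not the ISACA Design Guide toolkit; the objective subset, the MAPPING weights, the 1-to-5 rating scale, the 125 threshold and the two enterprise profiles (a regulated bank and a tech startup) are all constructed assumptions chosen to make the behaviour visible.

```python
"""Weighted prioritization of COBIT 2019 objectives from design-factor ratings.

Added illustration, not ISACA's Design Guide toolkit. The objective subset,
the MAPPING weights, the rating scale and the two sample profiles below are
constructed assumptions that demonstrate the mechanism: rate each design
factor, weight it per objective, compare against a neutral baseline, and keep
the objectives that stand out.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Ratings use a 1 (low) to 5 (high) scale; 3 is the neutral baseline.
NEUTRAL = 3

# Hypothetical mapping: for each design factor, how strongly a high rating
# pulls each objective into scope (an absent objective has weight 0).
MAPPING: Dict[str, Dict[str, int]] = {
    "risk_profile":            {"EDM03": 3, "APO12": 3, "DSS05": 2, "MEA03": 1},
    "compliance_requirements": {"MEA03": 3, "APO12": 1, "DSS05": 1, "EDM03": 1},
    "threat_landscape":        {"DSS05": 3, "APO13": 2, "APO12": 1},
    "role_of_it_strategic":    {"EDM02": 3, "APO04": 2, "BAI03": 2, "APO02": 2},
    "agile_devops_methods":    {"BAI06": 2, "BAI03": 2, "APO04": 1},
    "outsourced_sourcing":     {"APO09": 3, "APO10": 3, "MEA04": 1},
}

# Constructed sample profiles (design-factor ratings), not real assessments.
BANK = {"risk_profile": 5, "compliance_requirements": 5, "threat_landscape": 4,
        "role_of_it_strategic": 3, "agile_devops_methods": 2, "outsourced_sourcing": 2}
STARTUP = {"risk_profile": 2, "compliance_requirements": 1, "threat_landscape": 3,
           "role_of_it_strategic": 5, "agile_devops_methods": 5, "outsourced_sourcing": 3}


def score_objectives(ratings: Dict[str, int]) -> Dict[str, int]:
    """Raw weighted score per objective. Factors missing from `ratings` are
    treated as neutral; unknown factor names and out-of-range ratings are
    rejected so a typo cannot silently drop a factor from the design."""
    unknown = set(ratings) - set(MAPPING)
    if unknown:
        raise ValueError(f"unknown design factors: {sorted(unknown)}")
    scores: Dict[str, int] = {}
    for factor, weights in MAPPING.items():
        rating = ratings.get(factor, NEUTRAL)
        if not 1 <= rating <= 5:
            raise ValueError(f"rating for {factor} must be 1..5, got {rating}")
        for objective, weight in weights.items():
            scores[objective] = scores.get(objective, 0) + rating * weight
    return scores


def relative_importance(ratings: Dict[str, int]) -> Dict[str, int]:
    """Each objective's score as a percentage of its neutral baseline
    (100 = no change; the baseline is the score with every factor at NEUTRAL)."""
    baseline = score_objectives({})
    actual = score_objectives(ratings)
    return {obj: round(100 * actual[obj] / baseline[obj]) for obj in actual}


def prioritize(ratings: Dict[str, int], threshold: int = 125) -> List[Tuple[str, int]]:
    """Objectives whose relative importance meets `threshold`, highest first
    (ties broken by objective id), i.e. the initial scope for Step 3."""
    ranked = relative_importance(ratings)
    return sorted(((o, v) for o, v in ranked.items() if v >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for name, profile in (("bank", BANK), ("startup", STARTUP)):
        print(name, prioritize(profile))
```

With these assumptions the bank profile promotes EDM03, MEA03, APO12, DSS05 and APO13 while pushing change and innovation objectives below baseline, and the startup profile does the reverse; the point is that the same mapping yields two different initial scopes purely from the ratings. Real tailoring uses ISACA's published mapping tables and then refines the result by hand (Step 4 and 5), so treat the numbers as a starting point for discussion, not a verdict.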

4. Applying Tailoring in Practice

To see COBIT 2019 in action, imagine three scenarios:
• Banking Sector (High Regulation):
Design focuses on EDM03 (Ensured Risk Optimization), MEA03 (Managed Compliance With External Requirements), and APO12 (Managed Risk). Controls are strict, with strong segregation of duties and regular external audits.
• Manufacturing Company (Operational Efficiency):
Emphasis on APO09 (Managed Service Agreements), DSS01 (Managed Operations), and BAI06 (Managed IT Changes). The governance model promotes automation and performance KPIs.
• Tech Startup (Agility & Innovation):
Focus on BAI03 (Managed Solutions Identification and Build), APO04 (Managed Innovation), and EDM02 (Ensured Benefits Delivery). Governance is lightweight but still ensures traceability and accountability.

This flexibility is what makes COBIT 2019 unique — it empowers each organization to create a system that’s both effective and achievable.

5. Assessing Maturity and Continuous Improvement

Once the governance system is designed, COBIT 2019 supports performance management at two levels: capability levels for individual processes and maturity levels for a focus area as a whole.
Both use a scale from 0 (incomplete) to 5 (optimized), so each selected objective can be rated against a target level set during design.
Organizations can regularly measure progress against those targets, identify gaps, and implement improvement initiatives. This continuous feedback loop keeps governance aligned with business evolution.

6. Integrating with Other Frameworks

COBIT 2019 doesn’t work in isolation. It integrates smoothly with standards and frameworks such as:
• ISO 27001 (Information Security)
• NIST CSF (Cybersecurity)
• ITIL 4 (Service Management)
• PMBOK / Agile (Project Delivery)
• SAMA CSF / NCA ECC (the Saudi Arabian Monetary Authority Cyber Security Framework and the National Cybersecurity Authority Essential Cybersecurity Controls, for Saudi Arabia)
By positioning COBIT as an umbrella framework, enterprises can harmonize multiple methodologies under a single governance architecture.

7. The Business Value of Design Tailoring

When properly implemented, a tailored COBIT 2019 governance system delivers measurable benefits:
• Strategic Alignment: IT directly supports business goals.
• Risk Optimization: Controls are balanced with innovation.
• Resource Efficiency: Focus only on relevant processes and controls.
• Regulatory Confidence: Compliance evidence is easier to demonstrate.
• Performance Visibility: KPIs and dashboards track IT contribution.
The result? A governance system that creates value rather than bureaucracy.

8. Key Takeaways

• COBIT 2019 replaces generic governance checklists with a context-driven design approach.
• Understanding and analyzing the 11 design factors is the foundation of effective tailoring.
• Governance should be living and adaptive, evolving with business strategy and technology change.
• Integration with ITIL, ISO, NIST, and local regulatory frameworks maximizes consistency and control.

Final Thought
A governance system should serve the enterprise, not constrain it.
COBIT 2019 gives leaders a blueprint to craft governance that fits their reality — structured enough to assure control, yet flexible enough to enable growth.
