Design Factors and Focus Areas

COBIT 2019 introduces mechanisms for organizational customization that transform the framework from a generic reference into a tailored governance system. Design factors enable context-appropriate prioritization while focus areas provide deep guidance for specific topics.

Design Factors Explained

COBIT identifies eleven design factors that together characterize an organization's specific circumstances. These factors influence which governance objectives matter most and how intensively they should be implemented.

Enterprise strategy represents the first factor, distinguishing organizations focused on growth and innovation from those prioritizing cost optimization and efficiency. Different strategies demand different governance emphases.

Enterprise goals translate strategy into specific objectives that governance should support. Risk profile describes the organization's appetite for risk and current exposure levels. Organizations with low risk tolerance require more intensive governance than those comfortable with higher risk.

Information and technology related issues identify current challenges that governance should address. An organization struggling with project delivery requires different focus than one concerned with security breaches. Threat landscape characterizes the external threat environment facing the organization.

Compliance requirements catalog the regulatory obligations that governance must satisfy. Role of IT positions information technology on the spectrum from basic support function to strategic business driver. This positioning profoundly affects governance priority and intensity.

Sourcing model describes the mix of internal delivery, outsourcing, and cloud services. IT implementation methods distinguish agile and DevOps approaches from traditional waterfall methods. Technology adoption strategy differentiates early adopters from conservative followers. Enterprise size affects governance formality and resource availability.

Customization Process

Organizations should systematically assess each design factor and document how it applies to their circumstances. This assessment produces a profile that guides governance prioritization. High-priority governance objectives receive more resources and more intensive implementation than lower priorities.

Focus areas provide supplementary guidance for specific topics. The Information Security focus area elaborates how COBIT addresses security governance. The DevOps focus area explains governance in continuous delivery environments. Cloud Computing and Small Enterprise focus areas address those specific contexts.