COBIT
®
2019 FRAMEWORK: INTRODUCTION & METHODOLOGY
12
and within budget, that generate the intended financial and nonfinancial benefits. The value that I&T delivers
should be aligned directly with the values on which the business is focused. IT value should also be measured in a
way that shows the impact and contributions of IT-enabled investments in the value creation process of the
enterprise.
Risk optimization—This entails addressing the business risk associated with the use, ownership, operation,
involvement, influence and adoption of I&T within an enterprise. I&T-related business risk consists of I&T-related
events that could potentially impact the business. While value delivery focuses on the creation of value, risk
management focuses on the preservation of value. The management of I&T-related risk should be integrated within
the enterprise risk management approach to ensure a focus on IT by the enterprise. It should also be measured in a
way that shows the impact and contributions of optimizing I&T-related business risk on preserving value.
Resource optimization—This ensures that the appropriate capabilities are in place to execute the strategic plan
and sufficient, appropriate and effective resources are provided. Resource optimization ensures that an integrated,
economical IT infrastructure is provided, new technology is introduced as required by the business, and obsolete
systems are updated or replaced. Because it recognizes the importance of people, in addition to hardware and
software, it focuses on providing training, promoting retention and ensuring competence of key IT personnel. An
important resource is data and information, and exploiting data and information to gain optimal value is another
key element of resource optimization.
Strategic alignment and performance measurement are of paramount importance and apply overall to all activities to
ensure that I&T-related objectives are aligned with the enterprise goals.
In a large case study of an international airline company, EGIT’s benefits were demonstrated to include: lower IT-
related continuity costs, increased IT-enabled innovation capacity, increased alignment between digital investments
and business goals and strategy, increased trust between business and IT, and a shift toward a “value mindset” around
digital assets.
2
2
Research has shown that enterprises with poorly designed or adopted approaches to EGIT perform worse in aligning
business and I&T strategies and processes. As a result, such enterprises are much less likely to achieve their
intended business strategies and realize the business value they expect from digital transformation.
3
3
From this, it is clear that governance has to be understood and implemented much beyond the often encountered (i.e.,
narrow) interpretation suggested by the governance, risk and compliance (GRC) acronym. The GRC acronym itself
implicitly suggests that compliance and related risk represent the spectrum of governance.
1.3 COBIT as an I&T Governance Framework
Over the years, best-practice frameworks have been developed and promoted to assist in the process of
understanding, designing and implementing EGIT. COBIT
®
2019 builds on and integrates more than 25 years of
development in this field, not only incorporating new insights from science, but also operationalizing these insights
as practices.
From its foundation in the IT audit community, COBIT
®
has developed into a broader and more comprehensive I&T
governance and management framework and continues to establish itself as a generally accepted framework for I&T
governance.
2
2
De Haes, S.; W. van Grembergen; Enterprise Governance of IT: Achieving Alignment and Value, Featuring COBIT 5, Springer International
Publishing, Switzerland, 2nd ed. 2015, https://www.springer.com/us/book/9783319145464
3
3
De Haes, Steven; A. Joshi; W. van Grembergen; “State and Impact of Governance of Enterprise IT in Organizations: Key Findings of an International
Study,” ISACA
®
Journal, vol. 4, 2015, https://www.isaca.org/Journal/archives/2015/Volume-4/Pages/state-and-impact-of-governance-of-enterprise-it-
in-organizations.aspx. See also op cit De Haes and van Grembergen.