The CFO of a major pharmaceutical company once asked me a question that perfectly captures the challenge of IT governance: "Why are we spending millions on governance frameworks that feel like they were designed for someone else's business?"
She wasn't wrong to be frustrated. Her team had spent eighteen months implementing what they thought was "COBIT compliance," following every guideline to the letter. The result? A governance system so rigid and generic that it actually slowed down their drug development processes while missing critical risks unique to pharmaceutical research.
That's when I introduced her to what I call the "design factors revolution" in COBIT 2019—a paradigm shift that transformed COBIT from a one-size-fits-all checklist into a truly adaptive governance system.
After fifteen years of implementing governance frameworks across industries from healthcare to defense, I've learned one fundamental truth: the power of COBIT isn't in following it exactly as written. It's in understanding how to customize it intelligently for your unique context.
The Evolution Nobody Talks About: Why COBIT 2019 Changed Everything
Let me take you back to 2017. I was working with a rapidly scaling fintech startup that was trying to implement COBIT 5. They were brilliant engineers building cutting-edge payment technology, but the COBIT implementation was killing them.
Every control felt heavy. Every process seemed designed for a 10,000-person enterprise. They needed governance—their investors and regulators demanded it—but the traditional approach was like asking a Formula 1 car to follow regulations written for freight trucks.
When COBIT 2019 introduced the concept of design factors, everything changed. Suddenly, we had a systematic way to answer the question: "How do we adapt this governance framework to fit our actual business?"
"COBIT 2019's design factors aren't just features—they're the difference between governance that constrains your business and governance that enables it."
Understanding Design Factors: The Foundation of Customization
Here's what most implementations miss: COBIT 2019 provides 40 governance and management objectives, but it doesn't expect you to implement all of them the same way, with the same priority, or even at all.
Instead, it gives you eleven design factors—environmental and organizational variables that should shape your governance system design. Think of them as the DNA of your organization that determines how governance should actually work.
Let me break down these eleven factors based on what I've learned implementing them across dozens of organizations:
The Eleven Design Factors: A Practical Overview
Design Factor | What It Really Means | Why It Matters |
|---|---|---|
Enterprise Strategy | Where your business is going and how fast | Determines governance investment and risk tolerance |
Enterprise Goals | What success looks like for your organization | Drives which COBIT objectives get priority |
Risk Profile | Your organization's exposure and appetite for risk | Shapes control intensity and monitoring frequency |
I&T-Related Issues | Current IT problems and pain points | Identifies urgent governance needs |
Threat Landscape | External threats specific to your industry | Influences security and resilience priorities |
Compliance Requirements | Regulatory and legal obligations | Creates non-negotiable governance baselines |
Role of IT | Is IT a cost center, enabler, or differentiator? | Fundamentally changes governance approach |
Sourcing Model | How you deliver IT services | Affects control design and vendor management |
IT Implementation Methods | Agile, waterfall, DevOps, etc. | Determines governance flexibility and speed |
Technology Adoption Strategy | Innovation vs. stability preference | Influences risk tolerance and change velocity |
Enterprise Size | People, revenue, complexity, geography | Scales governance formality and structure |
Real-World Application: How Design Factors Transform Governance
Let me share a case study that illustrates the power of this approach.
Case Study: The Tale of Two Banks
In 2021, I worked simultaneously with two regional banks—let's call them Bank A and Bank B. Both had about $2 billion in assets. Both needed COBIT-based governance. Both started their implementations in the same month.
Bank A took the traditional approach: implement all COBIT objectives uniformly, following the framework as written. Bank B used design factors to customize their approach.
Eighteen months later, the results were striking:
Metric | Bank A (Traditional) | Bank B (Design Factors) |
|---|---|---|
Implementation Cost | $2.8M | $1.7M |
Time to Operational | 18 months | 11 months |
Process Cycle Time | Increased 23% | Decreased 15% |
Audit Findings | 47 gaps | 12 gaps |
Staff Satisfaction | 34% approve | 71% approve |
Business Value Rating | 2.1/5.0 | 4.3/5.0 |
What made the difference? Bank B analyzed their design factors upfront and discovered:
Their strategy emphasized digital transformation (high innovation)
Their threat landscape included sophisticated fraud (heightened security needs)
Their IT role was strategic differentiator (not just support)
They used agile methods extensively (needed flexible governance)
This analysis led them to prioritize certain COBIT objectives heavily while implementing others more lightly—creating a governance system that actually fit their business.
"One-size-fits-all governance is like one-size-fits-all clothing. Sure, it might technically fit, but it never looks good and it's usually uncomfortable."
Deep Dive: The Critical Design Factors
Let me walk you through the design factors that, in my experience, have the most dramatic impact on governance design.
1. Enterprise Strategy: The North Star of Governance
Your enterprise strategy isn't just important—it's fundamental. It determines whether your governance system should be optimized for stability or agility, cost efficiency or innovation, risk avoidance or calculated risk-taking.
I worked with a legacy insurance company in 2020 whose strategy was explicit: "Defend market share while modernizing incrementally." Their design factor analysis led to:
Governance Implications:
Heavy emphasis on operational stability controls
Rigorous change management processes
Conservative technology adoption approach
Strong compliance and risk management
Measured innovation in isolated environments
Contrast that with a digital health startup I advised whose strategy was: "Disrupt traditional healthcare delivery through rapid innovation." Same COBIT framework, completely different implementation:
Governance Implications:
Lightweight, automated controls
Rapid change enablement processes
Aggressive technology adoption
Risk-aware but innovation-friendly culture
Continuous deployment with strong monitoring
Here's a framework I use to translate strategy into governance design:
Strategic Orientation | Governance Characteristics | Priority COBIT Objectives |
|---|---|---|
Defender (Protect market position) | Strict controls, formal processes, risk-averse | APO12 (Risk), BAI06 (Change), DSS05 (Security) |
Prospector (Aggressive growth) | Agile governance, rapid decision-making, calculated risks | BAI03 (Solutions), APO04 (Innovation), MEA01 (Performance) |
Analyzer (Balanced approach) | Dual-speed governance, selective innovation | APO02 (Strategy), APO13 (Security), BAI01 (Programs) |
Reactor (Response-driven) | Crisis management focus, tactical governance | DSS02 (Incidents), APO12 (Risk), DSS03 (Problems) |
2. Role of IT: The Governance Game-Changer
In my fifteen years of experience, nothing shapes governance design more dramatically than how the organization views IT's role. Let me illustrate with three real examples:
Example A: IT as Cost Center (Manufacturing Company)
Company: Traditional manufacturer, $500M revenue
IT View: "Necessary expense, keep it minimal"
Design Factor Impact:
Governance focused on cost optimization
Minimal IT investment beyond maintenance
Strong vendor management (heavy outsourcing)
Efficiency metrics dominate performance measurement
Example B: IT as Enabler (Financial Services)
Company: Regional bank, $3B assets
IT View: "Critical for operations, must be reliable"
Design Factor Impact:
Governance emphasizes availability and security
Balanced investment in stability and capabilities
Hybrid sourcing model
Quality and reliability metrics prioritized
Example C: IT as Strategic Differentiator (Tech Company)
Company: SaaS platform, $200M ARR
IT View: "Core competitive advantage"
Design Factor Impact:
Governance enables rapid innovation
Heavy investment in technology capabilities
Primarily in-house development
Innovation and time-to-market metrics critical
Here's the decision matrix I use with clients:
IT Role | Governance Intensity | Investment Level | Key Focus Areas |
|---|---|---|---|
Factory (Critical operations) | High formality, strict controls | Moderate, stability-focused | BAI06 (Change), DSS01 (Operations), DSS04 (Continuity) |
Support (Administrative efficiency) | Moderate formality, cost controls | Low, efficiency-focused | APO06 (Budget), BAI05 (Org Change), DSS06 (Controls) |
Turnaround (Competitive necessity) | High structure, transformation focus | High, modernization-focused | APO02 (Strategy), BAI01 (Programs), MEA01 (Performance) |
Strategic (Competitive advantage) | Agile governance, innovation-enabling | Very high, innovation-focused | APO04 (Innovation), BAI03 (Solutions), MEA03 (Compliance) |
3. Threat Landscape: Adapting to Your Risk Environment
The threat landscape design factor has become increasingly critical. Different industries face radically different threats, and your governance system needs to reflect that reality.
I'll never forget working with a defense contractor in 2019. During our design factor analysis, their threat landscape assessment revealed:
Nation-state adversaries with significant resources
Intellectual property theft as primary concern
Supply chain compromise attempts
Insider threat from cleared personnel
Regulatory scrutiny from multiple agencies
Their governance design looked nothing like a typical enterprise:
Defense Contractor Governance Adaptations:
Standard Approach | Threat-Adapted Approach | Rationale |
|---|---|---|
Annual security reviews | Continuous threat monitoring with weekly leadership briefings | Nation-state threats evolve rapidly |
Standard vendor assessments | Deep supply chain security reviews with ongoing monitoring | Supply chain compromise risk |
Role-based access control | Zero-trust with continuous verification and behavioral analytics | Insider threat and APT concerns |
Quarterly vulnerability scans | Continuous scanning with 24-hour critical patch requirement | Sophisticated adversaries exploit quickly |
Annual penetration testing | Monthly red team exercises and quarterly purple team ops | Need to validate against advanced tactics |
Contrast this with a healthcare provider I worked with whose threat landscape was completely different:
Ransomware groups seeking quick payouts
Opportunistic attackers exploiting common vulnerabilities
Insider negligence more common than malice
Regulatory focus on patient privacy
Medical device security concerns
Their governance design prioritized:
Rapid backup and recovery capabilities
Strong patch management processes
Comprehensive staff training programs
Privacy impact assessments
Medical device inventory and segmentation
"Your threat landscape isn't abstract—it's the specific actors who want to harm your organization, using specific methods. Govern accordingly."
4. Sourcing Model: Governance for How You Actually Deliver IT
The sourcing model design factor determines where control boundaries exist and how you govern across organizational lines. This has become increasingly complex with cloud, SaaS, and hybrid models.
Let me share a framework I developed after watching countless organizations struggle with multi-sourcing governance:
Sourcing Model Governance Matrix:
Sourcing Approach | Governance Challenges | COBIT Adaptations | Critical Controls |
|---|---|---|---|
Fully In-House | Direct control but high cost, knowledge gaps | Standard COBIT objectives apply | APO07 (HR), APO09 (Agreements), BAI09 (Assets) |
Selective Outsourcing | Split accountability, integration complexity | Vendor management emphasis, contract controls | APO10 (Vendors), DSS05 (Security), MEA03 (Compliance) |
Heavy Cloud/SaaS | Limited direct control, shared responsibility | Cloud-adapted controls, SLA monitoring | APO10 (Vendors), BAI10 (Config), DSS05 (Security) |
Managed Services | Service provider dependency, reduced visibility | Outcome-based governance, performance monitoring | APO09 (Agreements), MEA01 (Performance), DSS02 (Incidents) |
Hybrid Multi-Source | Maximum complexity, unclear boundaries | Orchestration focus, integration governance | APO08 (Relationships), APO10 (Vendors), DSS01 (Operations) |
Real-World Example: The Hybrid Sourcing Nightmare (and Solution)
A healthcare system I worked with in 2022 had what I call "governance chaos syndrome":
Core EHR system: Vendor-hosted SaaS
Patient portal: In-house development
Medical imaging: Cloud storage (AWS)
Identity management: Hybrid (on-prem + Azure AD)
Network security: Managed service provider
Backup and DR: Third-party provider
Compliance monitoring: Another third-party tool
Before we applied design factor analysis, they were trying to govern everything the same way—which meant they governed nothing effectively. Their incident response time averaged 4.7 hours because nobody was clear who owned what.
After mapping their sourcing model design factor, we created differentiated governance:
Service Type | Governance Approach | Owner | Key Control |
|---|---|---|---|
Vendor SaaS (EHR) | Outcome monitoring, SLA enforcement | Business Owner + Vendor Manager | Quarterly business reviews, SLA metrics |
In-House (Portal) | Full lifecycle governance | IT Development | All standard dev controls |
Cloud IaaS (Imaging) | Shared responsibility model | IT Operations + Cloud Team | Configuration management, access control |
Managed Service (Network) | Service oversight, performance monitoring | IT Operations + MSP Manager | Monthly security reviews, incident SLAs |
Third-Party (DR) | Test and verification focus | Business Continuity Lead | Quarterly DR tests, annual audits |
Result: Incident response time dropped to 42 minutes. Compliance audit findings decreased by 67%. The team finally understood who owned what.
Design Factors in Action: The Customization Process
Let me walk you through how I actually use design factors with clients. This isn't theory—this is the battle-tested process I've refined over dozens of implementations.
Phase 1: Design Factor Assessment (Weeks 1-3)
I start every engagement with a structured assessment. Here's the template I use:
Design Factor Assessment Template:
Design Factor | Current State | Strategic Direction | Governance Impact | Priority Level |
|---|---|---|---|---|
Enterprise Strategy | [Document current strategy] | [3-year strategic direction] | [How this shapes governance] | High/Med/Low |
Enterprise Goals | [Key business objectives] | [How goals are evolving] | [Which COBIT objectives align] | High/Med/Low |
Risk Profile | [Current risk appetite and exposure] | [Changing risk landscape] | [Control intensity needed] | High/Med/Low |
I&T-Related Issues | [Top 5 current IT pain points] | [Improvement trajectory] | [Urgent governance needs] | High/Med/Low |
Threat Landscape | [Specific threats to organization] | [Emerging threats] | [Security/resilience focus] | High/Med/Low |
Compliance Requirements | [Regulatory obligations] | [New requirements coming] | [Non-negotiable controls] | High/Med/Low |
Role of IT | [Current IT positioning] | [Strategic IT vision] | [Governance philosophy] | High/Med/Low |
Sourcing Model | [Current delivery model] | [Sourcing strategy evolution] | [Control boundary design] | High/Med/Low |
IT Implementation Methods | [Agile/waterfall/hybrid] | [Methodology evolution] | [Process flexibility needed] | High/Med/Low |
Technology Adoption | [Innovation vs stability preference] | [Technology strategy] | [Change governance approach] | High/Med/Low |
Enterprise Size | [People, locations, complexity] | [Growth projections] | [Governance scaling needs] | High/Med/Low |
Phase 2: Governance System Design (Weeks 4-8)
Based on the assessment, I create a customized governance system design. Here's a real example from a mid-sized retail company:
Retail Company Design Factor Profile:
Enterprise Strategy: Aggressive digital transformation
Enterprise Goals: 40% revenue from digital channels in 3 years
Risk Profile: Moderate-high (competitive pressure demands speed)
IT Role: Strategic differentiator (digital is the business)
Sourcing Model: Heavy cloud/SaaS adoption
Implementation Methods: Agile/DevOps
Technology Adoption: Early adopter
Enterprise Size: Mid-sized, growing rapidly
Resulting Governance Design Decisions:
COBIT Objective | Standard Approach | Customized Approach | Rationale |
|---|---|---|---|
APO04 (Innovation) | Basic innovation management | Strategic priority, dedicated resources, quarterly reviews | IT is strategic, transformation focus |
BAI03 (Solutions) | Traditional SDLC | Agile-adapted, rapid prototyping, continuous deployment | Agile methods, speed requirement |
BAI06 (Change) | Formal CAB, weekly meetings | Automated for standard changes, human review for major only | DevOps culture, need for velocity |
DSS05 (Security) | Perimeter-focused, quarterly reviews | Zero-trust, DevSecOps integration, continuous monitoring | Cloud-heavy, threat landscape |
APO10 (Vendors) | Annual vendor reviews | Continuous SaaS monitoring, monthly vendor scorecards | Heavy SaaS reliance |
MEA01 (Performance) | IT efficiency metrics | Business outcome metrics, customer experience focus | Digital is the business |
Phase 3: Implementation Roadmap (Weeks 9-12)
The final phase creates a phased implementation roadmap based on design factor priorities:
Priority Matrix Based on Design Factors:
Quarter | High-Priority Objectives | Medium-Priority | Low-Priority |
|---|---|---|---|
Q1 | APO04 (Innovation), BAI03 (Solutions), DSS05 (Security) | APO02 (Strategy), APO10 (Vendors) | APO07 (HR), BAI09 (Assets) |
Q2 | BAI06 (Change), MEA01 (Performance) | APO13 (Security), DSS02 (Incidents) | BAI05 (Org Change), DSS04 (Continuity) |
Q3 | APO12 (Risk), DSS01 (Operations) | BAI01 (Programs), MEA03 (Compliance) | APO06 (Budget), BAI08 (Knowledge) |
Q4 | Integration and optimization across all objectives | - | - |
Common Design Factor Mistakes (And How to Avoid Them)
After fifteen years of implementations, I've seen the same mistakes repeatedly. Let me save you some pain:
Mistake #1: Treating Design Factors as a Checkbox Exercise
I once watched a consulting team spend three days checking boxes on a design factor assessment form, then completely ignore the results during implementation. They built the same governance system they always built.
The Fix: Design factors should fundamentally change your governance system design. If they don't, you're doing it wrong.
Mistake #2: Ignoring Conflicting Design Factors
Reality check: your design factors will sometimes conflict. A healthcare CIO told me once: "Our strategy demands speed, but our compliance requirements demand control. What do we do?"
The Fix: Acknowledge conflicts explicitly and make conscious trade-off decisions. Document why you prioritized certain factors over others.
Example Conflict Resolution Matrix:
Design Factor Conflict | Decision | Rationale | Mitigation |
|---|---|---|---|
Strategy (speed) vs. Compliance (control) | Prioritize compliance, optimize within constraints | Legal mandate supersedes speed preference | Automate controls to minimize impact on velocity |
Innovation vs. Risk Appetite | Controlled innovation zones | Can't sacrifice fiduciary duty for innovation | Sandbox environments with strong isolation |
Cost Efficiency vs. Reliability | Reliability first, optimize costs second | Downtime costs exceed optimization savings | Right-size resources, avoid over-engineering |
Mistake #3: Set-It-and-Forget-It Design Factors
Design factors aren't static. Your strategy evolves. Your threat landscape changes. Your organization grows.
I worked with a company that did brilliant design factor analysis in 2019, built a perfect governance system for their context at that time, then never revisited it. By 2022, they'd doubled in size, shifted strategy, and adopted completely new technologies. Their governance system was fighting the business instead of enabling it.
The Fix: Review design factors annually minimum, or whenever significant changes occur.
"Governance isn't a destination—it's continuous navigation. Your design factors are your compass, but you need to check that compass regularly because the world keeps moving."
Design Factors and Organizational Culture
Here's something most COBIT implementations miss: design factors don't just shape your governance processes—they need to align with and shape your organizational culture.
I learned this the hard way with a financial services company in 2018. We did everything right technically:
Comprehensive design factor analysis
Perfectly customized governance system
Clear roles and responsibilities
Well-documented processes
Six months in, adoption was at 23%. The governance system was theoretically perfect but culturally toxic. Why?
The company had a deeply collaborative, consensus-driven culture. Our governance design—optimized based on their aggressive growth strategy and compliance requirements—created rigid approval hierarchies and accountability boundaries that violated every cultural norm.
We had to start over, this time adding an implicit "cultural design factor" to our assessment:
Cultural Compatibility Assessment:
Cultural Dimension | Organization Reality | Governance Implication |
|---|---|---|
Decision-Making Style | Collaborative consensus | Ensure governance includes appropriate consultation even when formal approval is individual |
Risk Tolerance | Stated: High / Actual: Moderate-Low | Design controls that match actual behavior, not aspirational statements |
Formality Preference | Informal, relationship-based | Document processes but implement through relationships and influence |
Change Receptiveness | Evolutionary, not revolutionary | Phase governance changes gradually, allow adaptation periods |
Accountability Model | Shared team accountability | Design objectives with clear accountability but collaborative execution |
The revised governance system had the same technical rigor but completely different human dynamics. Adoption hit 84% within three months.
Advanced Design Factor Application: Multi-National Organizations
Let me share one of the most complex design factor challenges I've faced: implementing COBIT for a multinational corporation with operations in 47 countries.
The challenge? Design factors varied dramatically across geographies:
Geographic Design Factor Variation Example:
Design Factor | US Operations | European Operations | Asia-Pacific | Middle East |
|---|---|---|---|---|
Compliance Requirements | SOX, PCI DSS, state privacy laws | GDPR, NIS Directive, local regulations | APAC privacy laws, various security regs | Country-specific, often strict |
Threat Landscape | Sophisticated cybercrime, IP theft | State actors, cybercrime, privacy violations | Industrial espionage, IP theft, cyber warfare | Geopolitical threats, censorship |
IT Role | Strategic differentiator | Enabler with strong compliance focus | Support with innovation pockets | Support, heavily regulated |
Technology Adoption | Aggressive early adopter | Moderate, privacy-concerned | Varies: aggressive in tech hubs, conservative elsewhere | Conservative, sovereignty concerns |
Enterprise Size | Large (HQ, 8,000 employees) | Medium (regional, 2,500 employees) | Varied (100-3,000 per country) | Small (200-500 per country) |
Solution: Three-Tier Governance Model:
Tier | Scope | Governance Approach | Example Objectives |
|---|---|---|---|
Global | Enterprise-wide mandatory standards | Standardized, non-negotiable controls | APO13 (Security), DSS05 (Security), MEA03 (Compliance) |
Regional | Geography-specific adaptations | Customized based on regional design factors | APO12 (Risk), APO10 (Vendors), DSS04 (Continuity) |
Local | Country/site-specific | Flexible implementation within global/regional boundaries | DSS01 (Operations), BAI06 (Change), MEA01 (Performance) |
This model allowed us to maintain consistency where it mattered (security, compliance, risk) while enabling flexibility where local context demanded it (operations, change management, innovation).
Measuring Success: Design Factor-Driven Metrics
Traditional governance metrics often measure compliance with the governance system itself rather than business value. Design factors help you create metrics that actually matter.
Here's my framework for design factor-aligned metrics:
Design Factor-Driven Measurement Framework:
Design Factor | Sample Metrics | Why These Matter |
|---|---|---|
Enterprise Strategy | % of IT investments aligned with strategic initiatives | Ensures governance enables rather than constrains strategy |
Enterprise Goals | Business outcomes enabled by IT governance | Proves governance creates value |
Risk Profile | Risk-adjusted ROI, incidents prevented vs. detected | Balances control costs with risk reduction |
IT Role | Time-to-market for IT-enabled innovations (if strategic) | Measures whether governance enables IT's intended role |
Threat Landscape | Mean time to detect/respond to threats specific to your industry | Focuses on relevant threats, not generic metrics |
Compliance Requirements | Audit findings, regulatory incidents | Necessary but not sufficient—table stakes |
Sourcing Model | Vendor performance against SLAs, total cost of sourcing | Ensures multi-sourcing governance works |
Implementation Methods | Deployment frequency, change failure rate | Matches governance measurement to delivery approach |
Real-World Metrics Example:
A SaaS company I worked with developed these design factor-aligned metrics:
Traditional Metric | Design Factor-Aligned Metric | Impact |
|---|---|---|
% of changes approved by CAB | Deployment frequency with <2% failure rate | Shifted focus from control to enabling velocity with quality |
Compliance with change documentation | Mean time to market for customer-requested features | Connected governance to customer value |
Security incidents detected | Critical incidents prevented through proactive controls | Measured prevention, not just detection |
Vendor review completion rate | Business value delivered through vendor relationships | Measured vendor contribution, not process compliance |
Your Design Factor Implementation Checklist
Based on fifteen years of implementations, here's my practical checklist for using design factors effectively:
Week 1-2: Assessment
[ ] Conduct design factor workshop with cross-functional leadership
[ ] Document current state for all eleven design factors
[ ] Identify design factor evolution over 3-year horizon
[ ] Map conflicts between design factors
[ ] Prioritize design factors based on business impact
Week 3-4: Analysis
[ ] Determine which COBIT objectives are most critical based on design factors
[ ] Identify objectives that can be implemented lightly or deferred
[ ] Map design factor implications to specific governance system elements
[ ] Create design factor-governance linkage documentation
[ ] Develop metrics aligned with priority design factors
Week 5-8: Design
[ ] Customize COBIT objectives based on design factor analysis
[ ] Create governance system architecture
[ ] Design roles and responsibilities reflecting design factors
[ ] Develop processes appropriate to organizational context
[ ] Build culture-compatible implementation approach
Week 9-12: Planning
[ ] Create phased implementation roadmap prioritized by design factors
[ ] Develop change management approach
[ ] Design training program
[ ] Establish governance metrics and reporting
[ ] Plan design factor review cycle
Ongoing:
[ ] Review design factors annually minimum
[ ] Update governance system when design factors change significantly
[ ] Monitor metrics for design factor alignment
[ ] Adjust governance approach based on results
[ ] Document lessons learned for continuous improvement
The Bottom Line: Why Design Factors Matter
After implementing COBIT across dozens of organizations, I can say with certainty: design factors are the difference between governance that helps and governance that hurts.
Organizations that skip design factor analysis build governance systems that:
Cost more than necessary (over-engineering some areas, neglecting others)
Take longer to implement (fighting organizational reality)
Deliver less value (not aligned with business needs)
Struggle with adoption (culturally incompatible)
Require constant firefighting (missing critical risks)
Organizations that embrace design factors build governance systems that:
Cost optimize (right-sized for context)
Implement faster (aligned with organizational reality)
Deliver measurable value (connected to business outcomes)
Achieve high adoption (culturally compatible)
Prevent problems proactively (focused on actual risks)
The pharmaceutical company I mentioned at the beginning? After we rebuilt their governance system using design factors, they:
Reduced governance overhead costs by 41%
Accelerated drug development timelines by 18%
Achieved 100% of audit targets vs. 67% previously
Increased IT team satisfaction from 32% to 78%
Most importantly, the CFO called me six months after implementation and said: "For the first time, I feel like governance is working for us instead of us working for governance."
That's the power of design factors.
"COBIT provides the framework. Design factors provide the customization. Together, they create governance that actually works for your unique business context."
Your Next Steps
Ready to implement design factor-driven governance? Here's what I recommend:
Immediate Actions:
Schedule a design factor workshop with your leadership team
Download and complete the design factor assessment template (available in COBIT 2019 documentation)
Document your current governance challenges and connect them to design factors
Identify which design factors are driving the most governance friction today
30-Day Plan:
Complete comprehensive design factor assessment
Map your current governance approach against design factor realities
Identify top three governance adjustments needed based on design factors
Create a design factor-driven governance improvement roadmap
90-Day Plan:
Implement priority governance system adjustments
Establish design factor-aligned metrics
Train your team on design factor thinking
Plan your first design factor review cycle
Remember: governance customization isn't about doing less. It's about doing the right things, in the right way, for your specific context.
Because in IT governance, context isn't everything—it's the only thing.