The correct approach is toagree on target maturity levels in response to need—this ensures that the maturity level supports enterprise objectives, risk appetite, and strategic priorities. The maturity should be fit-for-purpose, rather than arbitrarily benchmarked or driven solely by cost or strengths.
While competitor benchmarks and cost considerations can provide insight, they are secondary to ensuring that the governance processes meetspecific business and governance needs.
[Reference:, CGEIT Review Manual: Domain 1 – Governance of Enterprise IT: "Target capability levels should be based on enterprise strategy, goals, and risk appetite, and not only on industry averages or cost.", COBIT 2019 Design Guide: Tailoring Governance System Design – "Target capability levels should be derived from governance and management objectives prioritized based on enterprise needs.", , , , ]
Submit