In COBIT® 2019, the threat landscape design factor evaluates the severity and likelihood of external and internal threats that could materially impact enterprise objectives. A high threat landscape is characterized by factors that increase uncertainty, instability, or exposure to disruptive events beyond normal operational risks.
Geopolitical situations—such as regional conflicts, sanctions, trade restrictions, political instability, or cross-border regulatory changes—are explicitly recognized as high-impact external threats. These conditions can affect data sovereignty, supply chains, system availability, and regulatory compliance simultaneously, making them a strong indicator of a high threat landscape.
By contrast, IT trends represent opportunities, not threats. New competitors reflect market dynamics rather than direct threat exposure. Service delivery problems from outsourcers are operational issues already captured under I&T-related issues, not under the threat landscape classification.
The Design Guide stresses that when the threat landscape is high, enterprises should emphasize resilience, security, assurance, and risk-focused governance design. Geopolitical risk is therefore a clear and valid reason to classify the threat landscape as high.