An enterprise is considering outsourcing non-core IT processes. Which of the following should be the FIRST step?
Correct Answer: D
Outsourcing decisions require a clear understanding of the financial and operational implications. The CGEIT Review Manual 8th Edition advises that conducting a cost-benefit analysis is the first step in evaluating whether outsourcing non-core IT processes aligns with enterprise objectives.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization): "Before outsourcing IT processes, the enterprise should conduct a cost-benefit analysis to assess the financial, operational, and strategic implications. This analysis determines whether outsourcing delivers value and supports business objectives." (Approximate reference: Domain 5, Section on Outsourcing Decisions)

Conducting a cost-benefit analysis for outsourcing (option D) provides the data needed to make an informed decision, comparing the costs, risks, and benefits of outsourcing against in-house management.

Why not the other options?
* A. Update resource allocation policies: Policy updates follow the decision to outsource and are based on the analysis.
* B. Issue a formal request for proposal (RFP) to outsourcing vendors: Issuing an RFP is premature before outsourcing has been confirmed as viable.
* C. Establish service-level metrics for outsourced activities: Metrics are defined after the decision to outsource has been made and a vendor has been selected.

References: ISACA CGEIT Review Manual 8th Edition, Domain 5: Benefits Realization, Section on Outsourcing and Value Delivery. ISACA CGEIT Study Guide, Chapter on Outsourcing Decisions.
CGEIT Exam Question 42
The PRIMARY reason for using quantitative criteria in developing business cases for IT projects is to:
Correct Answer: A
Quantitative criteria are measurable and objective indicators that can be used to assess the costs, benefits, risks, and value of IT projects. By using quantitative criteria, an enterprise can compare and prioritize different IT project proposals, justify and secure the required funding and resources, monitor and control project progress and performance, and evaluate the actual outcomes and impacts of the project after implementation. Quantitative criteria can also help to demonstrate the alignment of IT projects with the enterprise's strategic objectives and goals, and to communicate the value proposition of IT projects to stakeholders.

The other options are not the primary reason for using quantitative criteria in developing business cases for IT projects, as they are either secondary or unrelated benefits. Benchmarking project success with similar enterprises may help to identify best practices and areas for improvement, but it is not the main purpose of using quantitative criteria. Learning lessons from errors made in past projects may help to avoid repeating mistakes and enhance project quality, but it is not the main purpose of using quantitative criteria. Applying other corporate standards to the development project may help to ensure consistency and compliance, but it is not the main purpose of using quantitative criteria.
CGEIT Exam Question 43
When developing IT risk management policies and standards, it is MOST important to align them with:
Correct Answer: C
Comprehensive and Detailed Explanation: The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, emphasizes that IT risk management policies and standards must support the enterprise's strategic objectives to ensure alignment with business priorities. Enterprise goals and objectives provide the foundation for IT risk management, ensuring that policies address risks that could hinder strategic outcomes (e.g., market expansion, regulatory compliance). For example, if an enterprise goal is to enhance customer trust, risk policies might prioritize cybersecurity. The manual likely references COBIT 2019's APO12-Managed Risk, which stresses aligning risk management with business objectives.

* Option A: Best practices are important but generic and may not reflect specific enterprise needs.
* Option B: Corporate risk culture influences risk management but is secondary to strategic goals.
* Option D: The ERM framework is a broader structure that IT risk management should integrate with, but enterprise goals are the primary driver.

Double Verification: The answer aligns with COBIT's APO12 and the CGEIT domain's focus on business alignment. Enterprise goals are the primary focus for risk policy alignment in ISACA's frameworks.

References: ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on risk policy alignment). COBIT 2019, APO12-Managed Risk. ISACA Glossary (for definitions of risk management), available at https://www.isaca.org/resources/glossary.
CGEIT Exam Question 44
Who is PRIMARILY accountable for delivering the benefits of an IT-enabled investment program to the enterprise?
Correct Answer: D
According to the CGEIT certification guide, the business sponsor is primarily accountable for delivering the benefits of an IT-enabled investment program to the enterprise. The business sponsor is the person who has the authority and responsibility to initiate, influence and approve the business objectives and requirements of the program. The business sponsor also ensures that the program aligns with the enterprise strategy and delivers value to the enterprise. The program manager, the IT steering committee chair and the CIO are responsible for supporting the business sponsor in delivering the benefits, but they are not primarily accountable for them.

References: CGEIT certification guide, Domain 4: Benefits Realization, Section 4.1: Benefits Governance, page 137. CGEIT certification guide, Domain 4: Benefits Realization, Section 4.2: Benefits Delivery Life Cycle, page 140.
CGEIT Exam Question 45
Which of the following would BEST support an enterprise's initiative to incorporate desired organizational behaviors into the IT governance framework?
Correct Answer: A
An enterprise code of ethics is a set of principles and values that guide the behavior and decision-making of the organization and its members. It can help to incorporate desired organizational behaviors into the IT governance framework by establishing a common understanding and expectation of what is acceptable and unacceptable, and by promoting a culture of integrity, accountability, and responsibility.

References: ISACA, CGEIT Review Manual, 7th Edition, 2019, page 17.